Lecture Notes in Computer Science
Edited by G. Goos and J. Hartmanis
330
Advances in Cryptology -
EUROCRYPT '88
Workshop on the Theory and Application
of Cryptographic Techniques
Davos, Switzerland, May 25-27, 1988
Proceedings
Springer-Verlag
Berlin Heidelberg New York London Paris Tokyo
Editorial Board
D. Barstow W. Brauer P. Brinch Hansen D. Gries D. Luckham
C. Moler A. Pnueli G. Seegmüller J. Stoer N. Wirth
Editor
Christoph G. Günther
Asea Brown Boveri, Corporate Research
CH-5405 Baden, Switzerland
This work is subject to copyright. All rights are reserved, whether the whole or part of the material
is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation,
broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication
of this publication or parts thereof is only permitted under the provisions of the German Copyright
Law of September 9, 1965, in its version of June 24, 1985, and a copyright fee must always be
paid. Violations fall under the prosecution act of the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1988
Printed in Germany
Printing and binding: Druckhaus Beltz, Hemsbach/Bergstr.
PREFACE
The International Association for Cryptologic Research (IACR) organizes two
international conferences every year, one in Europe and one in the United States.
EUROCRYPT'88, held in the beautiful environment of the Swiss mountains in
Davos, was the sixth European conference. The number of contributions and of
participants at the meeting has increased substantially, which is an indication of
the high interest in cryptography and system security in general.
The interest has not only increased but has also further moved towards
authentication, signatures and other protocols. This is easy to understand in view
of the urgent needs for such protocols, in particular in connection with open
information systems, and in view of the exciting problems in this area. The equally
fascinating classical field of secrecy, i.e. the theory, design and analysis of stream
or block ciphers and of public key cryptosystems, was however also well represented
and several significant results were communicated.
The present proceedings contain all contributions which were accepted for
presentation. The chapters correspond to the sessions at the conference.
I am grateful to all authors of these contributions for the careful preparation
and prompt submission of their papers. On behalf of the General Chairman, it is
a pleasure to thank the authors and the members of the Program Committee for
having made the conference such an interesting and stimulating meeting. We are
indebted to the sponsors for their generous donations and to the members of the
Organization Committee, who have so perfectly organized the meeting.
Thomas Beth
Rainer A. Rueppel
Crypto AG
6312 Steinhausen
Switzerland
Abstract:
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 3-10, 1988.
© Springer-Verlag Berlin Heidelberg 1988
g: y = F^m(x)
h: y = F^n(x)
h(g(x)) = g(h(x))
This commutativity is also the basic requirement in the DH-protocol.
Hence, using the number of steps an FSM has taken from a specific
starting point as the individual user's secret, we can implement a key
agreement as follows:
A sends s(1) to B.
s(2) = s_{n_2} = F^{n_2}(s_0)
B sends s(2) to A.
(2) A loads the received state s(2) into its FSM and steps it n_1 times to obtain s(12).
B loads the received state s(1) into its FSM and steps it n_2 times to obtain s(21).
(3) Since every state has a unique successor, the resulting states s(12) and s(21) must be identical and could serve as a common secret between A and B.
In fact, the combination of the above protocol with any linear FSM is
insecure. Let A be the state transition matrix, i.e.
s_{t+1} = A s_t.
Now the following attack will recover s(12) efficiently.
(1) compute
A computes
Note that at this point the attacker has not yet succeeded in
deriving the individual secrets n1 and n2 of parties A and B. To
obtain, say n_1, he will have to take discrete logs mod p-1,
whose factorization may be difficult to find.
Example 3: (due to C. Thome and R. Schwarzenberger) Suppose we use a
nonlinear feedback shift register with next-state function
a = g^{e_1} (mod p)
b = g^{e_2} (mod p)
g^n(x) = h^{2m}(x)
Therefore, the above protocol could be modified as follows:
(3) The resulting states s(12) and s(21) are identical and could
serve as a common secret between A and B.
Example 4: Let the next state function be F(x) = ax (mod p), and
suppose s_0 = 1. Then
s(12) = (a^{n_1})^{n_2} mod p.
x^n = q(x) g(x) + r(x),
where the degree of r(x) is smaller than k. Consequently,
A^n = r(A),
since g(A) = 0. Thus, any linear map A used in the second protocol leads
to the following problem: given two polynomials r(x) and g(x) over F,
find the least positive exponent n such that
x^n ≡ r(x) mod g(x).
If g(x) is irreducible, this is the discrete log problem in an
extension field. Thus, when used with a linear elementary function F,
the second protocol is equivalent to the original Diffie-Hellman
protocol.
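As an added example (not code from Rueppel's paper), the FSM key agreement above run with a linear next-state function s_{t+1} = A s_t over GF(p), plus the two consequences the text draws: a passive observer recovers s(12) from the exchanged states without learning n_1 or n_2, and A^n = r(A) with r(x) = x^n mod g(x) for g the characteristic polynomial of A. The paper's own attack steps are not on this page; the recovery method below, the toy prime 101, the polynomial g(x) = x^3 - x - 1 and the starting state are assumptions of this example.

```python
# Added example (not from Rueppel's paper): the FSM key agreement described
# above with a linear next-state function over GF(p), a passive recovery of
# s(12) from the public states (standard method, assumed here; the paper's
# own steps are not on the page), and the identity A^n = r(A) where
# r(x) = x^n mod g(x), g being the characteristic polynomial of A.
# All numbers are constructed toy values.

P = 101                                 # toy prime modulus (constructed)
G_TOY = [100, 100, 0, 1]                # g(x) = x^3 - x - 1 over GF(101), low degree first

def companion_matrix(g, p=P):
    """Companion matrix of the monic polynomial g; g(A) = 0 by Cayley-Hamilton."""
    k = len(g) - 1
    A = [[0] * k for _ in range(k)]
    for i in range(1, k):
        A[i][i - 1] = 1
    for i in range(k):
        A[i][k - 1] = (-g[i]) % p
    return A

A_TOY = companion_matrix(G_TOY)
S0_TOY = [1, 0, 0]                      # starting state e_1 (see eavesdrop_s12)

def mat_vec(A, v, p=P):
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]

def fsm_step_n(A, state, n, p=P):
    """Step the linear FSM n times: the user's secret is the step count n."""
    for _ in range(n):
        state = mat_vec(A, state, p)
    return state

def key_agreement(A, s0, n1, n2, p=P):
    """The page's protocol: returns the public s(1), s(2) and both parties' results."""
    s1 = fsm_step_n(A, s0, n1, p)       # A sends s(1) = F^{n1}(s0) to B
    s2 = fsm_step_n(A, s0, n2, p)       # B sends s(2) = F^{n2}(s0) to A
    s12 = fsm_step_n(A, s2, n1, p)      # A steps the received state n1 times
    s21 = fsm_step_n(A, s1, n2, p)      # B steps the received state n2 times
    return s1, s2, s12, s21

def poly_mulmod(a, b, g, p=P):
    """(a * b) mod g over GF(p); coefficient lists low degree first, g monic."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    k = len(g) - 1
    for d in range(len(prod) - 1, k - 1, -1):   # cancel degrees >= k from the top
        c = prod[d]
        if c:
            for t in range(k + 1):
                prod[d - k + t] = (prod[d - k + t] - c * g[t]) % p
    res = prod[:k]
    return res + [0] * (k - len(res))

def x_pow_mod(n, g, p=P):
    """r(x) = x^n mod g(x) by square-and-multiply (the page's DLP instance)."""
    k = len(g) - 1
    result = [1] + [0] * (k - 1)
    base = poly_mulmod([0, 1], [1], g, p)
    while n:
        if n & 1:
            result = poly_mulmod(result, base, g, p)
        base = poly_mulmod(base, base, g, p)
        n >>= 1
    return result

def apply_poly(r, A, v, p=P):
    """r(A) v by Horner's rule, never forming a matrix power."""
    acc = [0] * len(v)
    for c in reversed(r):
        acc = [(x + c * y) % p for x, y in zip(mat_vec(A, acc, p), v)]
    return acc

def eavesdrop_s12(A, s1, s2, p=P):
    """Recover s(12) from the two public states alone (assumed method). With A a
    companion matrix and s0 = e_1, the coordinates of s(2) = A^{n2} s0 are the
    coefficients of r2(x) = x^{n2} mod g(x), so s(2) = r2(A) s0 and
    s(12) = A^{n1} r2(A) s0 = r2(A) s(1), because polynomials in A commute.
    (For another cyclic s0 one first solves a k x k linear system for r2.)"""
    return apply_poly(s2, A, s1, p)
```

The observer never computes n_1 or n_2, which is exactly the point the text makes: those would require the discrete logarithm, but s(12) itself does not.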
g_1(x) = x^{e n_1} = x^{e_1} (mod p)
g_2(x) = x^{e n_2} = x^{e_2} (mod p)
Summary:
Acknowledgment:
I wish to thank Kjell-Ove Widman and Jim Massey for their helpful
comments.
References:
Abstract
1. Introduction
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 11-19, 1988.
© Springer-Verlag Berlin Heidelberg 1988
key distribution system (ICKDS). Protocols in ICKDS were shown for three
configurations: ring (Type-1), complete graph (Type-2), and star (Type-3).
Yacobi [7] has made an impersonation attack on the Type-3. His attacking
method can be generalized to Type-2. This paper proposes improved identity-
based key distribution protocols to counter his attack. The previous protocol
can detect a uni-directional attack and it cannot detect a bi-directional at-
tack. However, the new protocol can detect both the uni-directional attack
and the bi-directional attack. In Section 2, revised protocols of Type-2 and
Type-3 are described, clarifying the difference between the previous and new
versions. In Section 3, security for these protocols is discussed. Details of the
attack by Yacobi are stated, and it is shown that our improvement resolves
the problem.
2. Improved ICKDSs
All ICKDSs are implemented in two phases: the first phase is carried out at
a trusted center, and the second phase at each user’s location. During the
first phase, the trusted center generates a secret system key, a public system
key, and secret user keys with users’ identification information. The secret
system key is known only to the center. The public system key is common to
all users. Each secret user key, which is transmitted through a secure channel
such as a smart card, is known only to each user and the center. Once the first
phase is carried out, the second phase can be repeated to generate a different
conference key. In the second phase, no further interaction with the center is
required either to generate a key or to verify proofs of identity.
For simplicity, only improved protocols in a complete graph (Type-2) and
in a star (Type-3) are shown in Subsections 2.1 and 2.2, respectively.
During the first phase of Type-2 and Type-3, the center generates three
large primes p, q, and r, and the partial product n = pq. It determines
integers (e, d) in a way similar to that of the RSA cryptosystem [8]:
ed ≡ 1 (mod L), L = lcm((p-1), (q-1), (r-1)), (2.1)
where e is a prime such that nr/2 < e < nr. Note that every integer in [1, nr]
except e is coprime to e. The center also determines an integer g which is
a primitive element over GF(p), GF(q), and GF(r). Note that g is easily
generated while the factors of (p-1), (q-1), and (r-1) are known. For
user i whose identification information is I_i, the center calculates integer S_i:
S_i = I_i^d mod nr. (2.2)
Note that I_i = S_i^e mod nr. As a result, the center generates a secret system-
key (p, q, d), a public system-key (n, r, g, e), and a secret user-key S_i for
user i.
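The first phase just described, as an added example (not code from the Koyama-Ohta paper): the center derives (e, d) from L = lcm(p-1, q-1, r-1) as in (2.1), picks g primitive modulo p, q and r, issues S_i = I_i^d mod nr (2.2), and anyone can check I_i = S_i^e mod nr. The primes 11, 13, 17, the exponent 1217 and the identity value 1234 are constructed toy values.

```python
# Added example (not from the Koyama-Ohta paper): first phase of the improved
# ICKDS with toy parameters. Primes, e and the identity value are constructed.
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g, p):
    """g generates GF(p)^* iff g^((p-1)/t) != 1 for every prime t dividing p-1.
    The page notes this is easy for the center, which knows those factors."""
    return gcd(g, p) == 1 and all(pow(g, (p - 1) // t, p) != 1
                                  for t in prime_factors(p - 1))

def center_setup(p, q, r, e):
    """First phase: returns (secret system key, public system key)."""
    n = p * q
    L = lcm(lcm(p - 1, q - 1), r - 1)
    # side conditions of (2.1): e prime in (nr/2, nr) and invertible modulo L
    if not (is_prime(e) and n * r // 2 < e < n * r and gcd(e, L) == 1):
        raise ValueError("e must be a prime in (nr/2, nr) coprime to L")
    d = pow(e, -1, L)                                   # ed = 1 (mod L)
    g = next(x for x in range(2, n * r)                 # primitive over all three fields
             if all(is_primitive_root(x, m) for m in (p, q, r)))
    return (p, q, d), (n, r, g, e)

def issue_user_key(secret_key, public_key, identity):
    """S_i = I_i^d mod nr, handed to user i over a secure channel (e.g. a smart card)."""
    _, _, d = secret_key
    n, r, _, _ = public_key
    return pow(identity, d, n * r)

def check_identity(public_key, identity, s_i):
    """Anyone can verify a claimed user key against the public identity: I_i = S_i^e mod nr."""
    n, r, _, e = public_key
    return pow(s_i, e, n * r) == identity % (n * r)

def only_e_shares_a_factor_with_e(public_key):
    """Remark (2) of the page: e being a prime above nr/2, every integer in
    [1, nr] except e itself is coprime to e."""
    n, r, _, e = public_key
    return all(gcd(x, e) == 1 for x in range(1, n * r + 1) if x != e)
```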
During the second phase of Type-2, the conference key is generated and si-
multaneously distributed among m users. Users are connected in a complete
graph network so that they always send messages to all other users. The key
generation algorithm is the same for each user. For convenience, the proce-
dure for two typical users, labeled i and j (1 ≤ i, j ≤ m, i ≠ j), can be
described as follows:
[Protocol]
step 1: User i chooses a random number P_i that is coprime to (r-1). He
computes \bar{P}_i:
P_i \bar{P}_i ≡ 1 (mod (r-1)), (2.3)
to user j .
step 2: User j receives (X_i, Y_i). He checks whether the following (m-1)
congruences hold:
Y_i^e / X_i^{X_i} ≡ I_i (mod nr),
If (2.6) holds, user j can verify that the message came from user i.
User j chooses a secret random number R_j. He then sends (A_ji, B_ji):
to user i.
Remarks:
(1) The exponent terms X_i in (2.5) and (2.6) and A_ji in (2.8) and (2.9) in this
version were expressed by a constant c in the previous version [6]. This
improvement makes Yacobi's attack on Type-2 and Type-3 ineffective.
Details will be discussed in Section 3.
(2) Since e is chosen such that nr/2 < e < nr, X_i and A_ji are coprime to e
with probability 1 - 1/nr (≈ 1). This property of the improved version
is inherited from the previous version, where c is coprime to e. It also
acts as a countermeasure against some attacks other than Yacobi's attack.
(3) The previous protocol [6] contained check congruences such as Z_ij ≡
X_i^{U_j} (mod n), C_ij ≡ A_ji (mod n), and related computations. The pur-
pose of such congruences was to detect a uni-directional impersonation
attack [6] other than Yacobi's attack. These check congruences and re-
lated computations are omitted in the new protocol because the new
protocol can detect such an attack in addition to Yacobi's attack.
loss of generality, this "center user" can be arbitrarily selected from among
m users.
The values of K_i (2 ≤ i ≤ m) and K_1 are the same for all users, because
Note that the value of the conference key in Type-3 depends only on user 1's
secret key R_1, while the value of the conference key in Type-2 depends equally
on each user's secret random number R_i.
3. Security
and sends the modified message (X̃_i, Ỹ_i) to user j. For step 2, user j verifies
Ỹ_i^e / X̃_i^c ≡ I_i (mod nr).
B_ji = S_j X_i^{c R_j} mod nr.
and sends it to user i. The attacker intercepts this communication. He chooses
some random number E_j. Using the Chinese remainder theorem, he computes
(Ã_ji, B̃_ji) modulo nr satisfying:
and sends the modified message (Ã_ji, B̃_ji) to user i. For step 3, user i verifies
K_1 = g^{e2R_1} mod r. (3.9)
Using T̃_i, the attacker creates the session key:
K_i = Ã_{1i}^{T̃_i} mod r = g^{e2R_1} mod r. (3.10)
Note that the exponent terms X_i and A_ji in this improved protocol were
expressed by a constant c in the previous protocol [6]. This improvement
(3.11)
Ỹ_i^e / X̃_i^{X̃_i} ≢ I_i (mod nr). (3.12)
Note that the check congruence modulo r in (2.6) is satisfied because
Ỹ_i^e / X̃_i^{X̃_i} ≡ I_i g^{X_i e P'} / g^{X_i e P'} ≡ I_i (mod r). (3.13)
(3.14)
4. Conclusion
Security has been improved in the new protocol with the variable exponents.
That is, the improved protocol counters Yacobi's attack. The change of ex-
ponent terms has the same effect as the additional check congruences in the
previous version. By deleting such additional check congruences, transmis-
sion efficiency is also improved in the new protocols. This is a side effect of
improving security.
Acknowledgement
We would like to thank Dr. Yacov Yacobi for his nice attack on our previous
version.
References
[1] SHAMIR, A.: "Identity-based cryptosystems and signature schemes",
Proceedings of Crypto'84, Lecture Notes in Computer Science no. 196,
Springer-Verlag, 1985, pp. 47-53.
[2] FIAT, A. and SHAMIR, A.: "How to prove yourself: Practical solutions
to identification and signature problems", Proceedings of Crypto'86, Lecture
Notes in Computer Science no. 263, Springer-Verlag, 1987, pp. 186-194.
[3] OKAMOTO, E.: "Proposal for identity-based key distribution systems",
Electron. Lett., 1986, 22, pp. 1283-1284.
[4] DIFFIE, W. and HELLMAN, M. E.: "New directions in cryptography",
IEEE Trans. 1976, IT-22, pp. 644-654.
[5] INGEMARSSON, I., TANG, D. T. and WONG, C. K.: "A conference key
distribution system", IEEE Trans. 1982, IT-28, pp. 714-720.
[6] KOYAMA, K. and OHTA, K.: "Identity-based conference key distribution
systems", Proceedings of Crypto'87, Lecture Notes in Computer Science
no. 293, Springer-Verlag, 1988, pp. 175-184.
[7] YACOBI, Y.: "Attack on the Koyama-Ohta identity-based key distribution
scheme", Proceedings of Crypto'87 (presented at the rump session),
Lecture Notes in Computer Science no. 293, Springer-Verlag, 1988, pp. 429-433.
[8] RIVEST, R. L., SHAMIR, A. and ADLEMAN, L.: "A method for obtaining
digital signatures and public-key cryptosystems", Commun. ACM, 1978, 21,
pp. 120-126.
[9] LENSTRA, Jr., H. W.: "Factoring integers with elliptic curves", preprint,
May 1986.
[10] COPPERSMITH, D., ODLYZKO, A. M. and SCHROEPPEL, R.: "Discrete
logarithms in GF(p)", Algorithmica 1986, 1, pp. 1-15.
SUBLIMINALFREE AUTHENTICATION AND SIGNATURE
(Extended Abstract)
Yvo Desmedt
ABSTRACT
I. INTRODUCTION
ever the last system is less practical. The reader not familiar with the terminology
used in modern cryptology will find a brief introduction to it in Section II.
Such numbers n are known as Williams integers, due to their first use in cryp-
tology by Williams [21], and are also known as Blum integers. The functions
f_{0,n} = x^2 (mod n) and f_{1,n} = 4x^2 (mod n) form permutations over the set of
quadratic residues modulo n and are claw-free [15] (remark that these functions
were slightly modified in [14]). It is essential to know that the Jacobi symbol
(2|n) = -1 if n is a Williams (Blum) integer, so 2 is a quadratic nonresidue
modulo n. If there is no doubt about n we will shortly say f_0 instead of f_{0,n}
and f_1 instead of f_{1,n}. For authenticity and signature one does not only need
claw-freeness for two permutations but a family of permutations which are pair-
wise claw-free. Hereto f_i is defined as f_i(x) = f_{i_d}(f_{i_{d-1}}(... f_{i_1}(f_{i_0}(x)) ...)), where
i = i_d i_{d-1} ... i_1 i_0 in binary. We define |i| = d+1. One has to read f_i^{-1} as (f_i)^{-1} so
that f_i^{-1}(f_i(x)) = x. In order to exclude that anyone else could compute f_j^{-1}(y)
from a given f_i^{-1}(y) (j ≠ i) Goldwasser, Micali and Rivest use a prefix-free map-
ping ⟨.⟩. A prefix-free encoding satisfies the property that ⟨j⟩ is never a prefix of
⟨i⟩ (j ≠ i). Finally, to avoid chosen text attacks and forgery, an authentication
tree is used [15]. Different authentication trees have been presented, but their
differences are not important in this context. We will not discuss these trees in
detail, because they are only partially important in order to understand this pa-
per. The motivation for an authentication tree is to make random "signatures"
that can be used later on to sign real messages. In order to obtain the security
one uses f-claw-free permutations and g-claw-free permutations (for more details
see [9,14,15]).
Commitment originates from Blum’s ideas [2]. It allows A to randomly choose
a number R and t o commit herself to this number, e.g., to B. Hereto A encrypts
R and sends the result C = h_k(R) to B. If a good encryption system, e.g., a
probabilistic encryption system as [12], has been used no information is revealed
about R. Later on A is able to reveal R. As a consequence of her commitment
A is unable to lie or pretend that her choice was R' instead of R. B is able to
verify if R is correct when A reveals it together with k. A sufficient condition for
commitment is that:
scheme, which was briefly explained in Section II. We also use some methods
which were developed in [7]. From now on we assume that the message M and
i are encoded with a prefix-free encoding [15]. Remark that no authentication
tree is necessary, because the scheme is not a signature system and because our
protocol is zero-knowledge. The need to use two different claw-free pairs (f and
g) also disappears. The authentication mainly consists in proving that A knows
f^{-1}(R), where f is based on claw-free permutations, as explained in Section II.
Let us explain the details of the protocol.
n = pq, a Williams (Blum) integer, together with R_1, R_2, ..., R_k form the
public key of the sender (A). The R_j are chosen randomly such that the Jacobi
symbol (R_j | n) = 1. p and q are secret.
Before that A uses the system, W (the active warden) asks A to “prove” that
n is indeed the product of two primes, which satisfy the above conditions. This
can be done using a zero-knowledge protocol (see e.g., [10]). This zero-knowledge
protocol has only to be used once, because W can store n and label it as being
verified.
To authenticate a message M our public key authentication system follows
the following protocol, where Steps 2-7 are repeated l times:
Remark that A would be able to send one bit of information (the fact that the
protocol could be halted) in Step 3 or in Step 6, however the warden is then able
to arrest A (if appropriate). The fact that this one bit of information, that A
could send, is detectable by the warden implies that it is not a subliminal bit.
Indeed subliminal as defined by Simmons implies undetectability by the warden.
If necessary the warden can ask A to sign all her messages, so that the warden
is able to prove later on that A tried to use a subliminal channel. However it
is also possible that the warden (or an active eavesdropper) has tried to inject a
fake message M and is unable to answer B’s questions, and therefore stops the
protocol. So B has no guarantee about the authenticity of this bit.
To discuss the security of the above protocol we need to remind what the
mafia fraud is [6]. Suppose that A proves statement S to B using zero-knowledge
for example, then A will answer questions from B. If C is able to claim to D
that she is proving S, using B as dishonest verifier of A’s proof, then the proof
system is not secure against the mafia fraud. Several zero-knowledge protocols
allow this fraud in real-time. Hereto B and C have to communicate questions and
answers respectively from D to A and vice-versa. The mafia fraud is important to
evaluate the security of authentication, signature and identification. Let us now
discuss the security of our subliminal-free authentication system.
Theorem 1 If one excludes the mafia fraud, the real sender will convince the
prover and a fake prover will fail. This protocol is a zero-knowledge proof.
Proof (sketch): Consider that the warden is not active, so t' = l' = 1, then the
proof is similar as in [7, pp. 214-215]. □
Step 4.a W chooses a random Boolean vector (F_1, ..., F_k) and a random
K and sends h_K(F_1, ..., F_k) to B, where h satisfies
condition (1).
Step 4.b B sends a (random) Boolean vector (E_1, ..., E_k) to W.
Step 4.c W sends (G_1, ..., G_k) = (E_1 ⊕ F_1, ..., E_k ⊕ F_k) to A, and
reveals (F_1, ..., F_k) and K to B.
Step 4.d B verifies (F_1, ..., F_k) and the protocol continues if correct.
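Steps 4.a-4.d as an added example (not code from Desmedt's paper): the warden commits to its bits F before seeing B's bits E, so the challenge G = E ⊕ F that reaches A is fixed by neither party alone, and a warden that opens a different F after seeing E is caught by B. The page's condition (1) on h is not reproduced; SHA-256 over K || F stands in for h_K as an assumed commitment, and all bit vectors and keys are constructed values.

```python
# Added example (not from Desmedt's paper): Steps 4.a-4.d with a hash
# commitment standing in for h_K (assumption; the page's condition (1) on h
# is not reproduced here, only the hiding/binding role it plays).
import hashlib
import secrets

def h_commit(key: bytes, bits: list) -> bytes:
    """h_K(F_1, ..., F_k): SHA-256(K || F), a constructed stand-in for the page's h."""
    return hashlib.sha256(key + bytes(bits)).digest()

def warden_commit(f_bits, key=None):
    """Step 4.a: W picks F and K and sends h_K(F) to B (K is generated if absent)."""
    key = secrets.token_bytes(16) if key is None else key
    return key, h_commit(key, f_bits)

def verifier_challenge(k, bits=None):
    """Step 4.b: B sends a (random) Boolean vector E of length k to W."""
    return [secrets.randbelow(2) for _ in range(k)] if bits is None else list(bits)

def warden_open(e_bits, f_bits, key):
    """Step 4.c: W sends G = E xor F to A and reveals (F, K) to B."""
    g_bits = [e ^ f for e, f in zip(e_bits, f_bits)]
    return g_bits, (f_bits, key)

def verifier_accepts(commitment, opened):
    """Step 4.d: B recomputes h_K(F) from the opened values; continue only on a match."""
    f_bits, key = opened
    return h_commit(key, f_bits) == commitment

def run_step4(f_bits, e_bits, key=b"toy-key"):
    """Whole exchange with fixed values so it can be checked; returns (G, accepted)."""
    key, c = warden_commit(f_bits, key)
    e = verifier_challenge(len(f_bits), e_bits)
    g, opened = warden_open(e, f_bits, key)
    return g, verifier_accepts(c, opened)

def run_step4_cheating_warden(f_bits, e_bits, key=b"toy-key"):
    """W commits to F but, after seeing E, opens a different F' to steer G: B rejects,
    so W cannot choose A's challenge after the fact."""
    key, c = warden_commit(f_bits, key)
    e = verifier_challenge(len(f_bits), e_bits)
    f_changed = [1 - b for b in f_bits]          # any F' != F
    g, opened = warden_open(e, f_changed, key)
    return g, verifier_accepts(c, opened)
```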
However, if W is able to break the security of E this time, then W can im-
personate A by sending messages M and B will believe they originate from A.
So, depending on how the protocol is used, the assumption that E is secure has
different consequences.
The reader could correctly remark that A is able to send subliminal informa-
tion at the moment of publication of n, Rj (her public key) by choosing them
specially. However these keys are constant, so the subliminal information that
they can contain is strongly limited. In case the warden nevertheless worries
about it, he is able to eliminate this danger in a similar way as we proceed in
Section V. (for more details see [4]).
V. SUBLIMINAL-FREE SIGNATURES
The first protocol discussed in Section IV. is easy to set-up. In case of verification
of treaty or international bank communications, the host country can be the
warden. The example of international bank communications is important from a
commercial point of view. Indeed several banking organizations with international
activities frequently face the problem that they are not allowed to use encryption
to protect the privacy of their messages. Subliminal-free authentication would
make their communications more secure without security objections from the
corresponding countries where the banks operate. Subliminal-free authentication
can be used in identification systems. By authenticating messages as: "I, A, am
at the moment in Town, Street, House Number, Floor, ...", describing the exact
location of A and B, more secure identification systems can be made [5, pp. 154-
155]. Making authentication systems subliminal-free makes their use for
identification more attractive. Many other applications exist.
It is easy to adapt the first protocol in order to work with two wardens, not
trusting each other. This allows the phone companies to act as warden in national
and in international communications. The other protocols can also be adapted to
have two wardens, but the protocols become then more involved.
The speed of the protocols can be compared with the speed of RSA, if several
tricks are used. Ideas as described in [9] can be used. Remark in this context that
the R_j are constants, so A can significantly speed up the calculations of f_i^{-1}(R_j),
nevertheless that M is not constant. Hereto she has to store some values (more
details will be given in the final paper). A also can speed up the calculation of X
using her knowledge of φ(n).
Much faster subliminal-free authentication and signature systems can be made
partially based on [7,8]. However these schemes also have disadvantages. Full
details will be given in the final paper.
VII. CONCLUSION
REFERENCES
[1] J. A. Adam. Ways to verify the U.S.-Soviet arms pact. IEEE Spectrum,
pp. 30-34, February 1988.
[2] M. Blum. Coin flipping by telephone - a protocol for solving impossible
problems. In digest of papers COMPCON82, pp. 133-137, IEEE Computer
Society, February 1982.
[3] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its
applications. In Proceedings of the twentieth ACM Symp. Theory of Com-
puting, STOC, pp. 103-112, May 2-4, 1988.
[4] Y. Desmedt. Abuses in cryptography and how to fight them. August 1988.
To be presented at Crypto'88.
[5] Y. Desmedt. Major security problems with the "forgeable" (Feige-)Fiat-
Shamir proofs of identity and how to overcome them. In Securicom 88, 6th
worldwide congress on computer and communications security and protection,
pp. 147-159, SEDEP Paris France, March 15-17, 1988.
[6] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-
Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptology,
Proc. of Crypto'87 (Lecture Notes in Computer Science 293), pp. 21-39,
Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16-20.
[7] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In
Proceedings of the Nineteenth ACM Symp. Theory of Computing, STOC,
pp. 210-217, May 25-27, 1987.
[8] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identi-
fication and signature problems. In A. Odlyzko, editor, Advances in Cryptol-
ogy, Proc. of Crypto'86 (Lecture Notes in Computer Science 263), pp. 186-
194, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August
11-15.
[9] O. Goldreich. Two remarks concerning the Goldwasser-Micali-Rivest sig-
nature scheme. In A. Odlyzko, editor, Advances in Cryptology, Proc. of
Crypto'86 (Lecture Notes in Computer Science 263), pp. 104-110, Springer-
Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15, 1986.
[10] O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements
in zero-knowledge and a methodology of cryptographic protocol design. In A.
Odlyzko, editor, Advances in Cryptology, Proc. of Crypto'86 (Lecture Notes
in Computer Science 263), pp. 171-185, Springer-Verlag, 1987. Santa Bar-
bara, California, U.S.A., August 11-15.
[11] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but
their validity and a methodology of cryptographic protocol design. In The
Computer Society of IEEE, 27th Annual Symp. on Foundations of Computer
Science (FOCS), pp. 174-187, IEEE Computer Society Press, 1986. Toronto,
Ontario, Canada, October 27-29, 1986.
[12] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer
and System Sciences, 28(2), pp. 270-299, April 1984.
Abstract
There are two equally important, related, functions involved in the control of
assets and resources. One of these is the verification of a potential user's iden-
tity and authority to use or have access to those assets. The other is to provide a
record (receipt) of each access so that in the event of a later dispute as to
whether an illegitimate use was made of the assets, or of the extent of the liabil-
ity incurred in a legitimate use, etc., the authenticity and specifics of the access
can be demonstrated in a logically compelling (and hence eventually legally binding)
manner to an impartial third party or arbiter. Elaborate, and legally accepted,
document based protocols to accomplish these functions are central to all commercial
and private transactions. When the resources are remotely accessible, however, as
in the case of computer data files, electronic funds transfers (EFT), automated bank
tellers, and even in many manned point-of-sale systems, no satisfactory counterpart
to the established document based protocols for verifying individual identity and/or
authority to use a resource have been found, nor has a fully satisfactory means been
devised to provide unforgeable transaction receipts. In this paper, we show how a
public authentication channel can be used to certify private (user unique) authen-
tication channels in a protocol that both "proves" a potential user's identity and
authority and also provides certified receipts for transactions whose legitimacy can
later be verified by impartial arbiters who did not have to be parties to the orig-
inal transaction.
We also introduce an authentication scheme to be used in this application based
on the legitimate originator of information being able to extract square roots
modulo n = pq, where p and q are primes of a special form. We show that these
protocols provide a zero-knowledge proof of identity and of veracity transaction
receipts, and that they are therefore very secure. We also show how the legitimate
owner of the authentication channel can give a zero-knowledge proof that the modulus
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 35-49, 1988.
© Springer-Verlag Berlin Heidelberg 1988
n has the correct form, thereby eliminating the possibility of the existence of
several known subliminal channels.
Introduction
There are two parts to the problem of verifying the identity of an individual
whom we will refer to as the user, whether remotely or face-to-face. First, the
party or device making the identification (the verifier) must have identifying
information available to match or check against the information submitted to support
a claimed identity. Clearly, the confidence that the verifier has in any particular
identification can be no greater than his confidence in the integrity of the cor-
roborating information on which the identification is based. Consequently, the
first part of the identity verification problem is to devise means by which the
verifier can have access to identifying information whose integrity he can trust.
This information may either be intrinsic to the individual being identified, such as
physiognomy, fingerprints, voice prints, retinal prints, dynamics of a written
signature, etc., or else it may be extrinsic, i.e., a private (secret) piece of
information such as a computer access password, a telephone credit card number, a
personal identification number (PIN), etc., not intrinsically associated with the
individual, but whose possession is equated with the user's identity. The second
part of the identity verification problem for extrinsic identification is to devise
means to protect this identifying information from forgery or fraudulent use,
especially to insure that as a consequence of someone eavesdropping on repeated uses
by the legitimate user that they cannot improve their chances of impersonating him.
Assuming that there are many users whom a verifier may have to identify, the file of
identifying information that he uses for this purpose may take the form of an actual
trusted directory, perhaps hidden behind a one-way function [8,12,20] to protect the
users against the verifier or his agents impersonating them to other verifiers, or
it may be an implicit directory in which the user produces trusted (?) identifica-
tion credentials, such as drivers licenses, photo IDs, major credit cards, etc., in
support of his access request at the time it is made. It should be pointed out that
in transactions where significant liability is involved, these user supplied creden-
tials are often themselves verified by querying a central file; telephone verifica-
tion of credit cards at the point of sale, etc. This defeats the main purpose of
having user-supplied means of identification, i.e., to make identification a purely
local protocol, but is made necessary by the low level of confidence achievable in
conventional user-supplied means of identification. In either case, whether the
directory is actually in the possession of the verifier or is merely remotely
accessible by him, trust in the directory is derived from trust in the integrity of
the issuer of the directory.
In the first reported application of public key crypto techniques (fielded by
the Sandia National Laboratories in 1978), an authentication channel based on the
RSA cryptoalgorithm was used to create trusted credentials that users could carry
with them and present to the verifier at the time they requested access, in this
case to the very sensitive Zero Power Plutonium Reactor at Idaho Falls, Idaho
[7,16]. The public authentication channel (a publicly known RSA modulus n and
decryption exponent d) was used by the issuing office of the Atomic Energy Commis-
sion to authenticate (certify) a text that included physical descriptors for the
individual being identified as well as the details of the nature, type, duration,
etc., of the access authorized. The object of this scheme was to make it possible
for each user to carry with him what would have effectively been his entry in the
verifier's trusted directory (a trusted credential in this case), that could be
authenticated by the verifier, but which would be of no assistance to anyone wishing
to produce a fraudulent credential. In this particular application, the identifica-
tion information was intrinsic to the user (hand geometry, body weight, etc.), how-
ever, in other applications [16] the same basic technique has been used with extrin-
sic information in a manner similar to the protocol to be described here.
The essential concept in the protocol to provide verifiable proof of identity
and unforgeable certified receipts is to use a public authentication channel to
create trusted credentials which users will keep in their possession which certify,
along with various identifying information, the public part of a user-unique
authentication channel: the private (secret) part of which is known only to the
legitimate user identified in the credential [19]. These credentials need not be
kept secret and consequently avoid the necessity of generating, distributing and
protecting local trusted directories or of establishing secure communications
(authentication) channels to permit access by the verifiers to centralized trusted
directories. At the time a user presents a credential (not necessarily his own) the
verifier can first establish locally, via the public authentication channel that the
credential is valid, i.e., that it was created by the issuer, and secondly, that the
user identified in the now authenticated credential knows the private part of an
authentication channel whose public part is described there. The applicant can then
"prove" (in probability) that he is the individual to whom that credential belongs
by demonstrating that he can authenticate challenge messages submitted by the veri-
fier whose authenticity the verifier can establish using the (certified) public part
of the authentication channel described in the credential.
The Protocol
one we will use to illustrate the protocol is based on the computational equivalence
(in probability) of extracting modular square roots and of factoring a composite
modulus. To set up such a channel, the issuer first chooses a pair of primes p and
q with p ≡ 3 (mod 8) and q ≡ 7 (mod 8). p and q must satisfy the same conditions
required to construct a "good" RSA modulus, i.e., p and q must be chosen so that it
is computationally infeasible for anyone to factor the modulus n = pq. There are
two reasons for requiring that p ≡ 3 (mod 8) and q ≡ 7 (mod 8). The first, which is
simple to explain, is to make it easy for anyone who knows the factors to extract
the modular square root of a square with respect to n.¹ The second reason is harder
to explain in detail, but basically it is to guarantee that there is a unique, but
publicly determinable, square associated with every message, u, that may need to be
authenticated. The explanation of why we want this to be true we will defer for the
moment. This restriction on the choice of p and q represents no significant
increase in the computational difficulty of finding suitable primes during the ini-
tial set up of the authentication channel. The issuer keeps the factorization of n
secret; in fact, the security of the system against fraudulent claims of validated
identity is no better than the lesser of
a) the quality of protection provided p and q by the issuer
or,
b) the difficulty of factoring n.
The issuer must also have available a polyrandom function f that maps arbitrary
strings of symbols to the range [0,n). By polyrandom, we mean that f cannot be
distinguished from a truly random function by any polynomially bounded computation.
f will be a publicly known function, and need not change over the lifetime of the
identification protocol. Many strong, single-key cryptographic functions, such as
the DES when used with a fixed publicly known key in a block chain encryption mode,
appear to adequately approximate this condition. n and f are the public part of the
issuer's authentication channel. The private (secret) part of the channel, known
only to the issuer, is his knowledge of the factors p and q. Since taking modular
square roots is computationally equivalent (in probability) to factoring n, the
issuer can prove that he is who he claims to be, i.e., prove that he knows the
factorization of n, by being able to produce square roots modulo n. The issuer cannot
simply authenticate arbitrary messages submitted to him by public receivers
(either users or verifiers), since each time he responded with a square root to a
square chosen by someone else he would potentially compromise the factorization of
n, and hence the capability to fraudulently authenticate messages in his stead, with
probability 1/2. Similarly, a receiver can't accept an arbitrary square and matching
square root as proof of the identity of the party possessing them, since anyone
could choose an arbitrary x and square it to calculate a matching square with respect
to the issuer's publicly known modulus, n. Consequently, the squares that the
issuer will authenticate, i.e., whose square roots he will extract, must be indeterminate
to both the issuer and the receiver in order for the public authentication
channel to be secure; both against the receiver being deceived as to the identity of
the originator of a message and to the issuer against having his identity usurped.
The primary purpose of the polyrandom function f is to provide this indeterminacy.
Its secondary purpose is to map strings of symbols (whose length may vary) into the
range [0,n), i.e., into the principal residues of n.
1. For p ≡ 3 (mod 4), a root x of a square y modulo p is obtained by exponentiation:
(i) x² ≡ y (mod p),
(ii) x ≡ ±y^((p+1)/4) (mod p),
where the ± indicates the complement (mod p). Exponentiation is only an O(log p)
computational task using the well-known square-and-multiply algorithm [6].
In the usual communications usage of an authentication channel, a transmitter
wishes to send a message, m, to public receivers and to "prove" to them that the
communication came from him and not from someone impersonating him, and also that a
message hasn't been altered after he signed it. To do this with the authentication
channel just described, the transmitter would, if necessary, introduce additional
redundant information, typically a field of the message filled with a publicly known
symbol, say a terminal block of k zeros, to form an extended message, m̄. m̄ will be
a square modulo n with probability 1/4, in which case the transmitter can extract a
square root, s, and send the couplet (m,s) as the authenticated (signed) message.
There are four square roots for m̄ modulo n, one of which is chosen with a uniform
probability distribution. The computational algorithm (modular square root) takes
care of this random choice automatically. The transmitter need only communicate the
message, m, not the extended message, m̄, since the redundant information is publicly
known so that the receiver can construct m̄ from m in the same way that the transmitter
did. The receiver(s) will accept (m,s) as an authentic communication from the
transmitter if and only if
(1) m̄ ≡ s² (mod n).
that could occur if m was chosen (or could be sufficiently influenced) by the
receiver and the receiver from deception by someone impersonating the issuer and
presenting an arbitrary pair m and s satisfying (1), etc. If log(u) >> k, i.e., if
the number of bits in u is much larger than k, then the probability of a randomly
selected u actually being the image of some extended message with the proper k bits
of redundant information will be 2^-k. The probability that u will be a square with
respect to n is 1/4 as mentioned earlier, in which case the issuer can sign u by
extracting the square root, etc. If u isn't a square, however, since f is a polyrandom
function there is no evident way to manipulate m so as to cause u to become a
square. In fact, if there were any way to influence the quadratic residuosity of u
through f then f would not satisfy the definition of a polyrandom function, and the
authentication channel would not be cryptosecure. Therefore, since it is computationally
infeasible for the issuer to cause u = f(m) to be a square, and since being
able to extract modular square roots is the only means the issuer has of proving
that he knows the factorization of n and hence of authenticating messages, we need a
simple and publicly known means of associating a unique, but publicly determinable,
square with u, for all residues u.
At this point, we remind the reader of two simple facts from elementary number
theory: the product of either a pair of quadratic residues or of a pair of quadratic
nonresidues is a quadratic residue, while the product of a quadratic residue
with a quadratic nonresidue is a quadratic nonresidue. A quantity, u, (u,n) = 1, is
a quadratic residue with respect to a composite modulus n = pq, if and only if it is
a quadratic residue with respect to both p and q individually.
We also need two further number theoretic results [2]:
a) 2 is a quadratic residue of all primes of the form P ≡ 1 or 7 (mod 8) and
a quadratic nonresidue if P ≡ 3 or 5 (mod 8).
b) -1 is a quadratic residue of all primes of the form P ≡ 1 (mod 4) and a
quadratic nonresidue if P ≡ 3 (mod 4).
The important thing to note is that 2 is a quadratic residue of q but is a quadratic
for any choice of a residue u, (u,n) = 1. The square residue is the product of u
with the multiplier having the same classification as u. It is easy for the issuer
to determine the class that u belongs to since he knows the factorization of n and
hence easy for him to determine which of u, -u, 2u or -2u is a quadratic residue
with respect to n. The issuer can therefore extract a (random) square root, s, of
the unique quadratic residue associated with u and sign u with s. In the protocol
described here, he also appends two additional bits b_2 b_{-1} so that an authenticated
message is of the form
to inform whoever wishes to validate the authenticated message which one of the
residues u, -2u, 2u or -u, respectively, he should expect to recover from the quadratic
congruence,
(3) s² ≡ t (mod n).
It isn't essential that the issuer append the two bits that tell which of the four
cases to expect, since the verifier could compute t and then check to see whether t
is one of u, -2u, 2u or -u. If it is, then m would be accepted as an authentic message.
It is simply computationally more efficient to append the two bits to the
authenticated message than to have the verifier make the four tests. No extra
information, i.e., no information not otherwise available, is conveyed by the
appended pair of bits. By the convention used here (in arranging the entries in the
array (2)), b_2 = 1 says multiply u by 2 while b_{-1} = 1 says to multiply by -1 to form
the expected residue.
2. The reader may recall a digital signature scheme proposed by Ong, Schnorr and
Shamir [9,10] which superficially resembles the scheme described here. In their
scheme, a composite modulus n and a residue k were made public. A signed
message, m, was any triple (x,y;m) such that
x and y were easy to calculate if one knew the factorization of n, but thought
to be as hard as factoring otherwise. Pollard and Schnorr [11] have shown this
not to be the case however. The problem is that in this signature scheme each
message m has on the order of n signatures, i.e., pairs of integers x and y
satisfying (i), hence it is computationally feasible to find some one out of
these many pairs. In the scheme described here there is a unique signature for
each message, so that the cryptographic weakness arising from having multiple
signatures does not occur.
The probability that an opponent can find a u and s that satisfy (3) and have
the required redundant information present in the preimage of u under f without
knowing the factorization of n is 2^-k as has already been pointed out.
In the protocol, user i's identity is completely specified in an identifier
(string of symbols), I_i, consisting of such information as his social security number,
his bank account or credit card number, his military ID, etc., which could also
include intrinsic physical descriptors, as well as any limitations on the authorization
conveyed in the signed identifier, such as credit limits, expiration date,
levels of access, etc. Most importantly, I_i must include the public part of the
(4)
is given to user i. No part of this credential need be kept secret. However, the
user must keep secret his private authentication function: the factors p_i and q_i.
His security against impersonation is totally dependent on him protecting this
information, since his proof of identity in the scheme is equated to knowing the
factorization of n_i.
The public part of the (issuer's) authentication channel is the issuer's modulus
n, the polyrandom function f and a knowledge of the redundant information
present in all of the I_i, which, as has been noted, must be sufficient to prevent a
forward search cryptanalytic attack [15] on the polyrandom function f. In other
words, the redundancy must be adequate to prevent someone wishing to fraudulently
validate an identity from simply calculating s_j² ≡ t_j for randomly chosen signatures
s_j until he finds a t_j matching f(I) for some usable I -- this is the forward
search attack. By making I contain sufficient redundant information, the probability
of success of this sort of attack can be made as small as desired.
When user i wishes to prove his identity to a party A, say to gain access to a
restricted facility or to log on to a computer or to withdraw money from an ATM,
STEP 1   i → A:  I_i; s_i; (b_2 b_{-1})_i; t_j
(5) … (mod n)
is satisfied. At this point in the protocol, if the test in (5) has been satisfied,
A is confident that the credential was issued by the issuer and
that user i identified in I_i can authenticate messages using the private authentication
channel described in I_i, in other words, for the example of an authentication
channel being used here, that user i knows the factorization of n_i. The remaining
question to A is whether the applicant who submitted the credential [I_i; s_i; (b_2 b_{-1})_i]
is actually user i. This question can be answered by using the, now validated,
private authentication channel.
A replies to the access request with a string of symbols, T_j, that describe the
transaction from his standpoint: terminal ID, transaction number, confirmation of
withdrawal amount, etc.
STEP 2   A → i:  T_j
Both user i and the verifier A form the concatenation of t_j and T_j, v_j = t_j;T_j, and
calculate the polyrandom function f(v_j) of the resulting string
(6) … (mod n_i)
will be satisfied. However, if he is not user i, so that he doesn't know the
factorization of n_i, then in order for him to be able to impersonate i, he must find a
number x such that
(7) … (mod n_i)
A keeps the 4-tuple (I_i; s_i):(v_j; r_j) as his certified receipt for the transaction.
Anyone can later verify all aspects of the transaction: first by validating
the credential (I_i; s_i) in exactly the same way that A did using the public part
of the issuer's authentication channel, and then by validating the receipt (v_j, r_j)
using the public part of user i's authentication channel. This proves, in probability,
that the complete description of the transaction, v_j, was endorsed by user i,
or at least by someone knowing the factorization of n_i. As has already been mentioned,
the missing B_2 B_{-1} and (b_2 b_{-1})_i can be (effectively) calculated when needed,
and since the frequency of arbitration is expected to be very low compared with the
frequency of authentication and retention of receipts which must occur for every
transaction, it is more efficient to not store the bits indicating which of the four
test residues should be a quadratic residue.
If both communicants require a certified receipt the one-way protocol described
above can be easily modified into a two-way protocol between two parties, i and k,
both of whom must possess identification credentials validated by the issuer. The
exchange in this case is of the form
STEP 2   I_i; s_i; (b_2 b_{-1})_i; T_j
STEP 3   …
STEP 4   …
where user i would keep the 4-tuple (I_k, s_k):(v_j, r_j) as his certified receipt, etc.
We will next prove that the protocol just described is secure. As a matter of
fact, we will prove rather substantially more. A number of authors [3,17,18] have
devised schemes for embedding a subliminal channel into digital signature or identification
schemes. Consequently, for some applications (such as treaty verification)
where a subliminal channel could be exploited by one of the parties to cheat
the other, it may be essential for a scheme to be acceptable that a means be available
to prove that no subliminal channel has been concealed. In [4] van de Graaf
and Peralta present a scheme for proving that a modulus n is a Blum integer, and
this provides some protection against subliminal channels in identification schemes
using Blum integers. We present a zero-knowledge scheme for proving that a modulus
n is of the form used here. This will eliminate the possibility of those subliminal
channels arising from the modulus n being of either of the forms n = p²q, n = pqr
or n = p²qr. A great advantage of the identification scheme described here over
schemes based on Blum integers is the avoidance of computing Jacobi symbols. Our
proof that a modulus n is of the correct form also avoids computing Jacobi symbols.
Since one of the authors is from Texas where the effete Alice and Bob of cryptology
fame haven't gained acceptance, and the other is an engineer accustomed to
using the notation Tx and Rx to indicate the transmitter and receiver, respectively,
in a communications channel, the communicants here will be called Tex and Rex (pronounced
with a nasal Texas drawl). With this explanation of the change in notation,
we start by assuming that Tex wishes to establish his identity to Rex. A simplified
description of the protocol described above is:
1) Tex chooses a string of symbols x and sends it to Rex.
2) After receiving x, Rex chooses a string y and sends it to Tex.
3) They compute z = f(v), where f is a polyrandom function, and v = x;y is
the concatenation of the strings x and y.
4) Tex determines which one of the four numbers z, -z, 2z, -2z is a square.
Let's say that uz is a square. Then Tex calculates and chooses at random
one out of the four possible square roots of uz, say s. He gives s to Rex
along with a two-bit suffix (b_2 b_{-1}) indicating which of the four numbers
is satisfied.
As pointed out earlier, there is a potentially troubling aspect to this scheme:
Every time that Tex uses it, Rex might conceivably learn something about n = pq. If
Tex identifies himself k times to Rex, or if k different people to whom Tex has
identified himself pool their knowledge, then Rex obtains 2k bits of information
about p and q which -- we might naively assume -- have required 2^{2k} guesses in order
for him to simulate for himself. That is, if we postulate that he had a procedure
for factoring the modulus which required these numbers, and he didn't have them,
then he would have had to run his algorithm 2^{2k} times, once for each guess. Instead
the algorithm is a zero-knowledge proof, and contrary to intuition, Rex can, on his
own, come up with number triples (z,s,u), where z is random, u is in the set
S = {1,-1,2,-2}, and s² ≡ uz. In other words, we show that he gains no information
by Tex's responses that he couldn't get for himself. Acting purely on his own, with
no participation by Tex, Rex carries out the following sequence of steps.
1) Pick a random s,
2) pick u randomly in S, and
3) define z by z ≡ u^{-1}s² (mod n).
These steps can be carried out without knowing the factorization of the modulus n.
Rex can form as many such triples (z,s,u) as he wishes, and they come from the
same probability distribution as the ones he obtains from Tex. Hence they don't add
to his knowledge, and the protocol is a zero-knowledge proof. We required that the
square root s be chosen at random from among the four possible square roots of uz.
This is necessary in order that the zero-knowledge argument will hold. It does have
the one annoying feature that we must arrange that the probability that Tex chooses
the same x twice be negligibly small, since a repetition of z would enable Rex to
factor the modulus with probability 1/2.
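To make the issuer's signing rule (the unique square among u, -u, 2u, -2u with its two-bit tag, tested by congruence (3)) and Rex's three-step simulation concrete, here is an added Python example that is not part of the paper. It assumes constructed toy primes p = 1019 and q = 1031, uses SHA-256 as a stand-in for the polyrandom function f, and the function names (issuer_sign, verify, unique_square, simulate_triple) are the example's own.

```python
import hashlib
import math
import secrets

# Toy parameters, constructed for illustration only (real moduli are far larger):
# p ≡ 3 (mod 8) and q ≡ 7 (mod 8), exactly the form the paper requires.
P, Q = 1019, 1031
N = P * Q

def is_qr(a, p):
    """Euler's criterion: a is a quadratic residue mod the odd prime p
    iff a^((p-1)/2) ≡ 1 (mod p); needs gcd(a, p) = 1."""
    return pow(a % p, (p - 1) // 2, p) == 1

def sqrt_mod_prime(a, p):
    """For p ≡ 3 (mod 4) a root of the residue a is a^((p+1)/4) (mod p):
    a single exponentiation, which is why the paper restricts p and q."""
    assert p % 4 == 3
    return pow(a % p, (p + 1) // 4, p)

def crt(xp, xq, p, q):
    """Combine x ≡ xp (mod p) and x ≡ xq (mod q) into x (mod pq)."""
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)

def f(message):
    """Public polyrandom map of an arbitrary string into [0, n); SHA-256 stands
    in for the paper's DES-based construction. The paper assumes (u, n) = 1, so
    for this tiny n we rehash with a counter until that holds (toy-size only)."""
    ctr = 0
    while True:
        h = hashlib.sha256(message + ctr.to_bytes(4, "big")).digest()
        u = int.from_bytes(h, "big") % N
        if math.gcd(u, N) == 1:
            return u
        ctr += 1

def candidates(u):
    """The four residues u, -u, 2u, -2u keyed by the paper's bits (b2, b_-1):
    b2 = 1 means multiply by 2, b_-1 = 1 means multiply by -1."""
    return {(0, 0): u % N, (0, 1): -u % N, (1, 0): 2 * u % N, (1, 1): -2 * u % N}

def unique_square(u):
    """Issuer side: with p and q known, find the single candidate that is a
    square mod n. Because 2 is a non-residue mod p but a residue mod q, and -1
    is a non-residue mod both, exactly one of the four is a residue mod both."""
    found = [(bits, t) for bits, t in candidates(u).items()
             if is_qr(t, P) and is_qr(t, Q)]
    assert len(found) == 1
    (b2, bm1), t = found[0]
    return t, b2, bm1

def issuer_sign(message):
    """Authenticate a message: u = f(m), take the unique square t among
    u, -u, 2u, -2u, extract one of its four roots at random, append the bits."""
    u = f(message)
    t, b2, bm1 = unique_square(u)
    rp, rq = sqrt_mod_prime(t, P), sqrt_mod_prime(t, Q)
    # A random sign on each prime-side root selects one of the four roots
    # mod n uniformly, as the zero-knowledge argument requires.
    if secrets.randbelow(2):
        rp = P - rp
    if secrets.randbelow(2):
        rq = Q - rq
    return crt(rp, rq, P, Q), b2, bm1

def verify(message, signature):
    """Receiver side, using only the public n and f: rebuild the expected
    residue t from u and the two bits and test congruence (3), s² ≡ t (mod n)."""
    s, b2, bm1 = signature
    t = candidates(f(message))[(b2, bm1)]
    return s * s % N == t

def simulate_triple():
    """Rex's simulator from the zero-knowledge argument: without p and q, pick
    s and u first and set z = u^{-1} s², giving (z, s, u) with s² ≡ u·z (mod n),
    distributed like a genuine transcript."""
    s = secrets.randbelow(N - 1) + 1
    u = secrets.choice([1, -1, 2, -2]) % N
    z = pow(u, -1, N) * s * s % N
    return z, s, u

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = issuer_sign(msg)
    print("credential verifies:", verify(msg, sig))
    z, s, u = simulate_triple()
    print("simulated triple satisfies s^2 = u*z:", s * s % N == u * z % N)
```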
We next prove that the protocol permits a zero-knowledge proof that the modulus
n is of the form n = pq, p ≡ 3 (mod 8) and q ≡ 7 (mod 8), as claimed. This proof
process requires two steps. The first protocol proves that n is square-free by
demonstrating Tex's ability to take n-th roots. Simmons [18] has embedded a subliminal
channel into a digital signature scheme devised by Brickell and DeLaurentis
[1] using a modulus of the form n = p²q, which shows that even a modulus with only
two distinct prime factors can be a problem.
The second protocol then establishes that the modulus n is indeed of the
claimed form: n = pq. This is needed, of course, to eliminate the first known
subliminal channel (due also to Simmons [17]) which requires a modulus that is the
product of three primes: either n = pqr or n = p²qr. At the same time, a new subliminal
channel based on n = pq, where p and q are not of the right form, is
eliminated also.
Protocol for proving n is of the proper form. Using the following protocol,
Tex convinces Rex that n = pq, where p is a prime ≡ 3 (mod 8) and q is a prime ≡ 7
(mod 8):
References
11. J. M. Pollard and C. P. Schnorr, "An Efficient Solution of the Congruence
x² + ky² ≡ m (mod n)," IEEE Trans. Inform. Theory, Vol. IT-33, No. 5, Sept. 1987,
pp. 702-709.
12. G. P. Purdy, "A High Security Log-in Procedure," Comm. ACM, Vol. 17(8), Aug.
1974, pp. 442-445.
13. G. P. Purdy, "A Zero-Knowledge Proof Scheme Showing that n = pq," preprint.
14. M. O. Rabin, "Digitized Signatures and Public-key Functions as Intractable as
Factorization," M.I.T. Lab. for Computer Science, Tech. Report LCS/TR-212,
1979.
15. G. J. Simmons and D. B. Holdridge, "Forward Search as a Cryptanalytic Tool
Against a Public Key Privacy Channel," Proc. of the IEEE Computer Soc. 1982
Symp. on Security and Privacy, Oakland, CA, April 26-28, 1982, pp. 117-128.
16. G. J. Simmons, "A System for Verifying User Identity and Authorization at the
Point-of-Sale or Access," Cryptologia, Vol. 8(1), Jan. 1984, pp. 1-21.
17. G. J. Simmons, "The Subliminal Channel and Digital Signatures," Eurocrypt'84,
Paris, France, April 9-11, 1984, in Advances in Cryptology, Ed. by T. Beth, et
al., Springer-Verlag, Berlin, 1985, pp. 364-378.
18. G. J. Simmons, "A Secure Subliminal Channel (?)," Crypto'85, Santa Barbara, CA,
Aug. 19-22, 1985, in Advances in Cryptology, Ed. by H. C. Williams, Springer-
Verlag, Berlin, 1986, pp. 33-41.
19. G. J. Simmons, "An Impersonation-Proof Identity Verification Scheme," Proceedings
of Crypto'87, Santa Barbara, CA, August 16-20, 1987, in Advances in
Cryptology, Ed. by Carl Pomerance, Springer-Verlag, Berlin, to appear.
20. J. Stein, "Computational Problems Associated with Racah Algebra," J. Comp.
Phys., Vol. 1, 1967, pp. 397-405.
21. M. V. Wilkes, Time-Sharing Computer Systems, Elsevier/MacDonald, New York,
1968; 3rd ed., 1975.
(Extended Abstract)
Ernest F. Brickell*
Sandia National Laboratories
Albuquerque, NM 87185
Doug R. Stinson
Dept. of Computer Science
University of Manitoba
Winnipeg, Manitoba
Canada R3T 2N2
The Model
We will be using the same terminology and the same model of authentication with
arbitration that was used by Simmons [Si1], [Si2]. The system that will be used must be
known to all players, i.e., transmitter, receiver, opponent, and arbiter. This includes a
fixed set of source states that the transmitter might send to the receiver. The receiver
and arbiter secretly agree on which messages the receiver will accept as authentic for
each source state. Then the arbiter gives the transmitter one message for each source
state that the receiver will accept as authentic. The arbiter will no longer be used
unless there is a dispute.
C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 51-55, 1988.
© Springer-Verlag Berlin Heidelberg 1988
There are five types of cheating that this system is designed to protect against.
Opponent cheating:
O_0  Impersonation: Without waiting to see any communication, the opponent sends a
message to the receiver. He wins if it is accepted as authentic.
Receiver cheating:
R_0  The receiver, without receiving any message from the transmitter, tries to convince
the arbiter that he did receive a message.
R_1  The receiver, after receiving a message from the transmitter, tries to convince the
arbiter that he received a different message.
Transmitter cheating:
T  The transmitter, after sending a message to the receiver that the receiver
authenticated, tries to deny that he sent a message.
The model does not attempt to protect against all types of cheating. For example,
the transmitter could claim that he sent a message that he did not send or the opponent
could disrupt communications between the transmitter and receiver. For cheating of type
X, let P_X be the probability that the cheating will be successful. Let P_R = max[P_{R_0}, P_{R_1}]
and P_O = max
The problem presented here cannot be directly solved by the general multi-party
protocols of [CCD] and [BGW] because in those protocols, it is necessary for all parties
in the protocol (transmitter, receiver, and arbiters) to play an active part in any
communication.
Multiple Arbiters
Simmons showed how to construct authentication with arbitration codes, which he
called A² codes, for any q a prime power such that the probability of successful cheating
transmitter a single message, m_ij ∈ M_ij, that the arbiter A_i will validate as an authentic
transmission of s_j. When the transmitter wants to send a source state, s_j, to the
receiver, he must send m_ij for 1 ≤ i ≤ n. The receiver will only accept such a
communication as authentic if and only if m_ij ∈ M_ij for 1 ≤ i ≤ n. If a dispute arises, a
judge will accept a communication p_1, ..., p_n as an authentic transmission of source state
so P_T = (…)^{n-d-t+1}.
To achieve P_R < 1 and P_T < 1, we must have t < …. If t = …, and if d = …,
then for fixed n, q can be chosen large enough to satisfy any desired level of confidence.
since this assumption provides the worst case (i.e., maximizes) P_{R_0} and P_{R_1}. Since
the criterion for the judge's decision is unchanged from the previous model, P_{R_0}, P_{R_1}, and
P_T are also unchanged.
To compute P_O, assume that the opponent knows M_ij for 1 ≤ i ≤ t. To deceive the
transmitter, he must successfully cheat on at least a-t of the other n-t independent
u > n-a or u ≥ a. In the case n/2 ≥ u ≥ a, the bad arbiters could deceive the transmitter
into sending a message that, according to protocol, the receiver would accept as
transmitting two different source states.
d = …, then for fixed n, q can be chosen large enough to satisfy any desired level
of confidence.
References
[BGW] Michael Ben-Or, Shafi Goldwasser and Avi Wigderson, "Completeness Theorems for Non-
Cryptographic Fault-Tolerant Distributed Computation," to appear in Proceedings of
the 20th ACM Symposium on the Theory of Computing, 1988.
[CCD] David Chaum, Claude Crépeau and Ivan Damgård, "Multiparty Unconditionally Secure
Protocols," to appear in Proceedings of the 20th ACM Symposium on the Theory of
Computing, 1988.
Marijke De Soete
ABSTRACT
1 AUTHENTICATION-SECRECY
It is the aim to deal in this paper with codes having unconditional security,
which means that the security is independent of the computing
power. Analogously to the theory of unconditional secrecy due to Shannon
[12], Simmons developed a theory of unconditional authentication
[14].
2 A MATHEMATICAL AUTHENTICATION MODEL
In this model (see [14], [15], [16], [17], [18]) there are three participants:
a transmitter, a receiver and an opponent. The transmitter wants to
communicate some information to the receiver. The opponent, wanting
to deceive the receiver, can either impersonate the receiver, making him
accept a fraudulent message as authentic, or modify a message which
has been sent by the transmitter.
Let S denote the set of k source states, M the set of v messages and E
the set of b encoding rules.
A source state s ∈ S is the information that the transmitter wishes to
communicate to the receiver. The transmitter and receiver will have secretly
chosen an encoding rule e ∈ E beforehand. An encoding rule will
For any i, there will be a probability on the set of i source states which
occur. We ignore the order in which the i source states occur, and assume
that no source state occurs more than once. Also, we assume that any
set of i source states has a non-zero probability of occurring. Given a set
of i source states, we define p(S) to be the probability that the source
states in S occur.
A = (authentication matrix of the example; garbled in the scan) and X =
1 0 0 1
0 1 1 0
This is the "best" authentication system possible for k = 2, b = 4, since
we have P_{d_0} = P_{d_1} = 1/2 = 1/√b.
3 BOUNDS ON P_{d_i}
H(X) = - Σ_{x∈X} p(x) · log p(x).
The first bound for P_{d_1}, found by Gilbert, MacWilliams and Sloane [6]
using a uniform source distribution, is given by
They called a system with this bound perfect. Examples of such systems
are included in [6], [2].
P_d = max(P_{d_0}, P_{d_1}) ≥ 2^{-H(E)/2}
4 SECRECY
Considering the secrecy properties of a code, we desire that no information
be conveyed by the observation of the messages. A code has perfect
L-fold secrecy (Stinson [17]) if, for every set M' of at most L messages
observed in the channel, and for every set S' of at most |M'| source states,
we have p(S'|M') = p(S'). This means that observing a set of at most
L messages in the channel does not help the opponent to determine the
L source states.
On the other hand, a code is said to be Cartesian ([4], [18]) if any message
uniquely determines the source state, independent of the particular
encoding rule being used.
In terms of entropy, this is expressed by H(S|M) = 0. Hence in a Cartesian
authentication code there is no secrecy (it has 0-fold secrecy).
b ≥ … (1).
Theorem 5.3 If an authentication system without splitting achieves perfect
L'-fold secrecy and if it is L-fold secure against spoofing, L' ≤ L + 1,
then
b ≥ …
Proof. Let M' be a set of i ≤ L messages which are permitted under
a particular encoding rule. Let z be any message not in M'. Let us
suppose there is no encoding rule under which all messages in M' ∪ {z}
are valid. Then it follows from the proof of 3.4 in [17] that we would
obtain P_{d_i} > (k - i)/(v - i), a contradiction. Hence, it follows that every
(L + 1)-subset of messages is valid under at least one encoding rule.
… occurs in exactly … (L + 1)-subsets. Hence counting L'-subsets of messages we obtain:
…
or
…
1. Each point is incident with 1+t lines (t ≥ 1) and two distinct points
are incident with at most one line.
payoff(m) = Σ_{e∈E(m)} p(e) = st/(s²t) = 1/s = k/v.
payoff(m, m') = Σ_{e∈E(m,m')} P(s = f_e(m')) / Σ_{e∈E(m)} P(s = f_e(m')) = t/(st) = 1/s,
since there are t encoding rules for which both m, m' occur. Hence
payoff(m, m') = 1/s.
Remarks 1. Using the same set of source states and messages we can
define an AC(t+1, (t+1)s, ts²(t+1)) with P_{d_0} = 1/s, P_{d_1} = 1/s, which is 0-fold
secure against spoofing and which has perfect 1-fold secrecy. From each
encoding rule of the preceding theorem we define t+1 new encoding rules
in the following way. Let M(e_y) = M_y = {z_1, ..., then we define
for each 0 ≤ i ≤ t
This illustrates the influence of the secrecy of the code on the number of
encoding rules b.
2. If the point z is regular, this means that |{z,y}^{⊥⊥}| = t + 1, ∀y ∈ P,
y ≠ z (see [10]), the foregoing code can be improved to an AC(t+1, (t+1)s, (t+1)s²)
with P_{d_0} = 1/s, P_{d_1} = 1/s, which is 0-fold secure
against spoofing and which has perfect 1-fold secrecy. Therefore we take
M(e_y) = {z,y}^{⊥⊥}, ∀y ∈ P, y ≠ z. Since we have s² different sets M_{e_y}, the
number of encoding rules (using the same procedure as in 1.) now equals
s²(t+1).
with zi+k,It the unique point on the line Li+k which is collinear with X i , j
(where i + k is taken (mod s t f l ) ) . In this way we obtain b = ( l + s ) ( l + s t )
encoding rules.
Theorem 6.2 If there exists a GQ of order ( s , t ) containing a spread R,
t h e n there is a n optimal 1-code f o r s t + 1 sowce states and ( s t 1)(s +
1) +
messages.
=)
~a~off(m C p(e) =
st +1 --
k
1 - -.
eEE(M) (S+l)(St+l) s+l z1
So the system is 0-fold secure against spoofing. The code has perfect 1-fold secrecy since each message occurs exactly once in each column of the $b \times k$ matrix. Since $b = v$, equality is valid in 5.2 and we have an optimal 1-code.
The source states are the lines of the spread $[[m,k]]$, $m, k \in GF(q)$. Denote them by $L_{k+mq}$.
The messages are the points $(m,g,k)$, $m, g, k \in GF(q)$, which will be denoted by $z_{k+mq,g}$.
$$e_{k+mq,g}(L_j) = z_{k+k'+(m+m')q,\,g'}$$
Consider a $t$-$(v,k,\lambda)$ design $\mathcal{D}$. For $\lambda = 1$, these are the so called Steiner systems (see [1], [3], [5]).
$$b = \frac{v\,(v-1)\cdots(v-t+1)}{k\,(k-1)\cdots(k-t+1)} \cdot k! = \frac{v!\,(k-t)!}{(v-t)!}$$
encoding rules, which we shall use with probability $1/b$.
We first verify that the code is $(t-1)$-fold secure against spoofing.
Let $M' \subset M$, $|M'| = i$, $i \le t-1$, $m \in M \setminus M'$, then we obtain:
there are exactly $(k-i)!$ encoding rules $e_\lambda$ such that $M' \subset M(e_\lambda)$, resp. $M' \cup \{m\} \subset M(e_\lambda)$ and $f_e(M') = S' \subset S$ with $|S'| = i$.
There results
$$P_{d_i} = \frac{\lambda_{i+1}}{\lambda_i} = \frac{k-i}{v-i}.$$
The authentication code has perfect $t$-fold secrecy since $p(S'|M') = p(S')$, for every $S' \subset S$, $M' \subset M$ with $|S'| = |M'| = t$.
$$\ldots,\ v,\ \frac{k!}{k\,(k-1)\cdots(k-t+1)}\ \ldots\Big)$$
which has perfect $t$-fold secrecy and for which $P_{d_i} = (k-i)/(v-i-n)$, for $0 \le i \le t-1$.
Moreover the code is $(t-1)$-fold secure against spoofing if and only if $n = 1$, in which case we have a $t$-$(v,k,\lambda)$ design.
Proof. Stinson [18] proved the theorem for $L = 0, 1$. We proceed by induction.
Suppose that the system is $(L-1)$-fold secure against spoofing, then for every $i$, $0 \le i \le L-1$, and for every $M' \subset M$, $|M'| = i+1$,
$$\sum_{e \in E(M')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$
$$|E(M')| = \lambda_{t'} = \lambda \cdot \frac{(v-t')(v-t'+1)\cdots(v-t+1)}{(k-t')(k-t'+1)\cdots(k-t+1)} = \frac{k\,(k-1)\cdots(k-t'+1)}{v\,(v-1)\cdots(v-t'+1)} \cdot b.$$
Acknowledgement
References
Thomas Beth
Universität Karlsruhe
Fakultät für Informatik
Institut für Algorithmen und Kognitive Systeme
Haid-und-Neu-Str. 7
Technologie-Fabrik
D-7500 Karlsruhe
ABSTRACT:
In this paper we present a Fiat-Shamir like authentication protocol for the El-Gamal Scheme.
1. Introduction
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 77-84, 1988.
© Springer-Verlag Berlin Heidelberg 1988
Suppose Alice (A) wants to authenticate herself to Bob (B). For this
purpose A has visited a trusted authority, which for obvious reasons we
shall call the Secure Key Issuing Authority (SKIA).
Initiation Phase

Setting-up Phase
A → SKIA: name
r ← a^k.
The SKIA also determines m signatures s_j as solutions of
A ← SKIA
*) see sect. 5

A → B: name, r
and p_j, y_j^r
The following procedure is iterated for i = 1 to h:
Do
A computes z_i ← r^{-t_i} and sends it to B
A → B: z_i
A ← B
A computes ... and sends it to B
A → B
B computes v_i ← ...
[protocol diagrams; the remaining equations are not recoverable from the extraction]
3.3. Remark
For arbitrary $q$ and $h$, with fixed $m$ and $|R| \in O((\log q)^w)$ for given $w \in \mathbb{N}$ the Protocol Auth is a Zero-Knowledge Protocol.
The system (ID) gives $m$ linear equations for $(m+1)$ unknowns (w.r.t. the assumption that the discrete log problem is infeasible). As consequences we note:
5. Implementation Aspects
In view of the demand for low cost designs of security processors for chip
cards we suggest considering the following case for practical
implementation :
$q = 2^n$,
*) Choose the random string only from binary words of weight less than $w$, i.e. choose $b_{ij}$ equally distributed in
5.1.1. Corollary
is reduced considerably.
$10^{-8}$ for $w = 1$
$10^{-15}$ for $w = 2$
$10^{-22}$ for $w = 3$.
5.2. Conclusion
Acknowledgement
The author is grateful to Dr. Ivan Damgård for his helpful critical remarks.
6. References
Fiat, A.; Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto 86, Santa Barbara, Springer LNCS 263, 186-194, 1987
Goldwasser, S.; Micali, S.; Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems, Proc. 17th ACM Symp. on Theory of Computing, 1985
Berger, Kannan, Peralta: A Framework for the Study of Cryptographic Protocols, Proc. CRYPTO 85, Springer LNCS 218, 87-103
A Smart Card Implementation of the
Fiat-Shamir Identification Scheme
Hans-Joachim Knobloch
Abstract
This paper describes results and experiences gained from the test implementation of an interactive identification scheme. It was intended to exploit the feasibility of an asymmetric crypto protocol for a state-of-the-art smart card environment. For that reason the identification scheme proposed by Fiat and Shamir was implemented between an actual smart card microprocessor and an industry standard personal computer with a smart card interface. The limits of a current smart card processor in terms of volatile and nonvolatile memory capacity and instruction set turned out to be a rather strict limitation for the choice of the algorithm used. The most time consuming task during the protocol is modular multiplication. Due to the processor structure it is performed as separate multiplication and reduction, where reduction is led back to integer multiplication. The current implementation allows the authentication of a 120 byte identification string at a security level of $2^{-20}$ within an average time of about 6 seconds. The experiences gained during this implementation led to a set of requirements for a future specialised processor for asymmetric cryptographic protocols that will be needed to increase this performance by some orders of magnitude.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 87-95, 1988.
© Springer-Verlag Berlin Heidelberg 1988
I. Introduction
During the last years, with the forthcoming of the commercial use of smart cards, some cryptographic protocols based on asymmetric ciphers have been proposed to use smart cards for identification, signatures, as electronic wallet etc. One may note that nearly all commercially available smart card systems use, if at all, only symmetric block ciphers, as asymmetric protocols are considered too complex for current smart card processors.
The Fiat-Shamir identification scheme is one of the simplest of the above mentioned asymmetric protocols as it does not need large amounts of stored data nor extensive communication or many protocol steps and it is therefore one of the most suitable for a test implementation on a smart card system.
The smart card used in our project has an 8-bit microprocessor with 256 byte RAM and 2K byte E²PROM (Electrically Erasable Programmable ROM) on chip for nonvolatile storage of data and program. Therefore the processor could be reprogrammed by the personal computer which was also its partner for the protocol. Thus several algorithms could be tested without having to wait for the production of a new ROM mask.
The ISO draft standard on identification cards [3] requires that all communication is done serially using only one contact pin for both input and output. Since the processor doesn't have a serial I/O unit the communication had to be implemented in software and thus needed code space and computing time. The mentioned draft standard includes a parity-generation-, parity-checking- and error-retry-protocol for the bidirectional I/O line. In order to save space for the protocol code and data, only a simple 9600 baud serial communication without parity generation was implemented.
The chip card processor's instruction set is similar to that of any conventional 8-bit microprocessor. Relevant details are an 8-times-8-to-16-bit multiplication instruction, requiring about 5 times the execution time of an 8-bit addition, whereas the instruction to program one byte into the E²PROM requires about 3300 times the execution time of an 8-bit addition. To gain better performance the latter fact implies that intermediate results have to be stored in RAM, but not in E²PROM.
For a detailed discussion of the Fiat-Shamir identification scheme the reader is referred to the original publication [1]; we will give a short review of this technique with emphasis on the particularities of the implementation.
The center issuing the cards chooses a public modulus $n$ as the product of two secret primes $p$ and $q$. For reasons explained below the implementation requires
$$2^{512} > n \ge 2^{512} - 2^{256}.$$
Now let
$I$ be a 960 bit (120 byte) ID-string of a user applying for a card,
$j \in [0, 2^{16})$ and
$e_i$ the $i$-th 48 bit unit vector.
The center forms for $i = 1, 2, \ldots, 48$
$$t_i = 2^{976} e_i + 2^{16} I + j,$$
$$u_i = \lfloor t_i / 2^{512} \rfloor \oplus (t_i \bmod 2^{512})$$
(where $\oplus$ means bitwise addition modulo 2),
$$v_i = \lfloor u_i / 2^{256} \rfloor \oplus (u_i \bmod 2^{256}) \quad \text{and}$$
$$w_i = f(v_i)$$
(where $f(k)$ means enciphering a fixed 512 bit plaintext with a block cipher with key $k$).
The term $j$ is used to ensure that $w_i$ is a quadratic residue mod $n$ for at least 20 distinct values of $i$. For simplicity of notation from now on it will be assumed that these values of $i$ are $1, \ldots, 20$.
For $i = 1, \ldots, 20$ the center computes a square root $s_i$ of $w_i \pmod n$ using the knowledge of $p$ and $q$ and applying the Chinese remainder theorem.
The card is personalized by storing
$s_i$ for $i = 1, \ldots, 20$ and
$$P = 2^{976} \Big(\sum_{i=1}^{20} e_i\Big) + 2^{16} I + j.$$
The identification protocol between a smart card S and an identification device PC is:
1. S sends $P$ to PC.
2. PC computes the $w_i$'s.
3. S picks a pseudo random number $r' \in [0, 2^{256})$, sets $r = 2^{256} r'$ and sends $x = r^2 \bmod n$ to PC.
4. PC sends to S a (pseudo) random binary vector $c = (c_1, \ldots, c_{20})$.
5. S sends to PC:
$$y = r \prod_{c_i = 1} s_i \bmod n.$$
instead of $x$ in step 3 and $r$ instead of the product in step 5. The probability that PC accepts $P$ if S doesn't know the $s_i$'s is $2^{-20}$ (assuming equidistribution probability for $c$), if S performs only polynomial time computations and cannot compute in polynomial time a square root mod $n$ of any product of some $w_i$'s or their reciprocals. The proof for this statement is almost identical to the proof in Fiat's and Shamir's publication.
Remarks:
1. Since its inversion includes a known plaintext attack on the involved block cipher, the function used to compute the $w_i$'s from the ID-string $I$ should be strong enough to prevent a potential attacker from computing an ID-string out of known square roots modulo $n$.
2. Fiat's and Shamir's original protocol requires to use the multiplicative inverse of the $s_i$'s on the smart card side. The check on step 6 of the protocol would then be, if
$$x = y^2 \prod_{c_i = 1} w_i \bmod n.$$
Using the $s_i$'s rather than $s_i^{-1}$ makes it possible that PC performs only one modular multiplication at step 6 of the protocol instead of two. The other multiplication can be done while the smart card still computes $y$. As the smart card will usually be the slower partner in the protocol, this fact slightly speeds up the overall execution time. However, if the inverse $s_i$'s have to be used on the card side for some other reasons, only changes of the PC's program, not of the smart card's would be required.
3. The original protocol also requires a full 512 bit pseudo random number $r$. But since $r$ must be stored somewhere in the card while it's squared modulo $n$, and since it cannot be stored in E²PROM for the above mentioned reasons, the available amount of RAM only allows to use a 256 bit pseudo random value.
4. Fiat and Shamir allow $r$ to be taken from the range $[0, n)$. Obviously, if $r$ might be 0, all to do for a forged identification were always to send $x = 0$ in step 3 of the protocol. The implemented pseudo random generator also may produce $r = 0$ with a very small probability, but the PC program prevents a successful identification with $x = 0$.
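The card-side and PC-side steps above, as an added example that is not the paper's code: the w_i derivation from the ID-string (with SHA-512 standing in for the unnamed block cipher f), the centre's search for j, CRT square roots, the step-6 check y² = x · ∏ w_i (mod n) that Remark 2 and the definition of y imply, and the rejection of x = 0 from Remark 4. The modulus n = (2^127−1)(2^89−1), the zero plaintext block and the ID-string are constructed toy values, not the paper's.

```python
import hashlib
import random

# Constructed toy parameters (not the paper's 512-bit modulus): two Mersenne primes,
# both 3 (mod 4), so a square root modulo each factor is one exponentiation.
P_PRIME = 2**127 - 1
Q_PRIME = 2**89 - 1
N = P_PRIME * Q_PRIME
ID_BITS = 960                       # I is a 960-bit (120-byte) ID-string
N_UNITS, N_KEYS = 48, 20            # 48 candidate w_i, 20 square roots stored on the card
FIXED_PLAINTEXT = b"\x00" * 64      # the fixed 512-bit block that f enciphers (constructed)


def f(key: int) -> int:
    """Stand-in for f(k) = block cipher of FIXED_PLAINTEXT under key k (assumption: the
    paper names no cipher; SHA-512 over plaintext||key plays that role here)."""
    data = FIXED_PLAINTEXT + key.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha512(data).digest(), "big")


def derive_w(ident: int, j: int, i: int) -> int:
    """w_i: t_i = 2^976 e_i + 2^16 I + j (1024 bits), folded to 512 and then 256 bits
    by XOR of the two halves, then enciphered."""
    t = (1 << (976 + i - 1)) + (ident << 16) + j    # e_i is the i-th 48-bit unit vector
    u = (t >> 512) ^ (t & ((1 << 512) - 1))
    v = (u >> 256) ^ (u & ((1 << 256) - 1))
    return f(v)


def is_quadratic_residue(w: int) -> bool:
    """Euler's criterion modulo both prime factors (only the centre knows p and q)."""
    return all(w % p != 0 and pow(w, (p - 1) // 2, p) == 1 for p in (P_PRIME, Q_PRIME))


def sqrt_mod_n(w: int) -> int:
    """Square root of a quadratic residue w modulo n by CRT (p, q = 3 mod 4)."""
    rp = pow(w, (P_PRIME + 1) // 4, P_PRIME)
    rq = pow(w, (Q_PRIME + 1) // 4, Q_PRIME)
    return (rp + P_PRIME * (((rq - rp) * pow(P_PRIME, -1, Q_PRIME)) % Q_PRIME)) % N


def personalize(ident: int) -> dict:
    """Centre: search j in [0, 2^16) until >= 20 of the 48 w_i are residues, keep the
    first 20, compute their roots s_i and P = 2^976 sum(e_i) + 2^16 I + j."""
    for j in range(1 << 16):
        good = [i for i in range(1, N_UNITS + 1) if is_quadratic_residue(derive_w(ident, j, i))]
        if len(good) >= N_KEYS:
            good = good[:N_KEYS]
            roots = [sqrt_mod_n(derive_w(ident, j, i)) for i in good]
            e_sum = sum(1 << (i - 1) for i in good)
            return {"s": roots, "P": (e_sum << 976) + (ident << 16) + j}
    raise ValueError("no suitable j found")


def pc_recompute_w(P: int) -> list:
    """Step 2: the PC parses P and recomputes the w_i belonging to the stored roots."""
    j, ident, mask = P & 0xFFFF, (P >> 16) & ((1 << ID_BITS) - 1), P >> 976
    return [derive_w(ident, j, i) for i in range(1, N_UNITS + 1) if (mask >> (i - 1)) & 1]


def card_commit(rng: random.Random) -> tuple:
    """Step 3: r = 2^256 r' with r' a 256-bit random value; x = r^2 mod n."""
    r = rng.getrandbits(256) << 256
    return r, (r * r) % N


def card_respond(r: int, roots: list, c: list) -> int:
    """Step 5: y = r * prod_{c_i = 1} s_i mod n (the s_i themselves, not their inverses)."""
    y = r
    for s_i, c_i in zip(roots, c):
        if c_i:
            y = (y * s_i) % N
    return y


def pc_verify(x: int, c: list, y: int, w: list) -> bool:
    """Step 6 as implied by Remark 2 and the definition of y: y^2 = x * prod_{c_i=1} w_i
    (mod n); x = 0 is rejected as in Remark 4."""
    if x % N == 0:
        return False
    rhs = x
    for w_i, c_i in zip(w, c):
        if c_i:
            rhs = (rhs * w_i) % N
    return (y * y) % N == rhs


def run_identification(ident: int, rng: random.Random) -> bool:
    """One complete honest run of steps 1-6."""
    card = personalize(ident)
    w = pc_recompute_w(card["P"])
    r, x = card_commit(rng)
    c = [rng.getrandbits(1) for _ in range(N_KEYS)]
    return pc_verify(x, c, card_respond(r, card["s"], c), w)


# Constructed 120-byte ID-string for the demonstration.
EXAMPLE_ID = int.from_bytes(b"constructed example ID-string".ljust(120, b"\x00"), "big")

if __name__ == "__main__":
    print(run_identification(EXAMPLE_ID, random.Random(1)))
```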
In addition to the virtually 'trivial' tasks like communication or managing the protocol itself there are two subroutines in the protocol runtime programs that have to be carefully considered, namely the pseudo random number generator and the modular multiplication.
The pseudo random number generator consists of 12 cascaded cyclic shift registers implemented in software. Gollmann [2] proved that the linear complexity of the sequence generated by cascaded cyclic shift registers grows exponentially with their number. The initial state of some of these registers is derived from the uninitialized RAM immediately after power-on or from the value of a free running on chip timer. The statistical properties and the possibility of physical manipulation of these physical or pseudo-physical random processes are not yet further examined. However, the remaining pseudo random generator should be strong enough to prevent tampering even if they could be made deterministic.
The modular multiplication is done as a full integer multiplication with successive reduction. Owing to the shortage of RAM space, recursive multiplication algorithms like Toom-Karatsuba seem not to be feasible. Thus a bytewise multiplication and addition using the processor's built-in multiplication instruction
is performed. As the architecture of the smart card processor enforces to use this algorithm, the optimization of this arithmetic was a main goal. As a result some self-modifying code was developed, that must be executed in RAM. However this code does not require as much space as the data of a recursive algorithm would.
In a first version of the implementation the reduction was done bitwise. This solution had two major disadvantages. Firstly, considering time, the bitwise reduction dominated over the bytewise multiplication. Secondly, as the lack of RAM prevented the modulus being shifted bitwise during the reduction, it had to be stored eight times, each time shifted by one bit, and so occupied space that could better be used for more signature values $s_i$. Although the protocol may be repeated several times to increase its security, every repetition has a considerable communication and computation overhead. Thus it is desirable to store as many signature values as possible to gain an acceptable security with only one protocol pass.
The final implementation uses a method to lead back reduction to multiplication published by Mohan and Adiga [5]. Let $Q_0$ be the value to be reduced modulo $n$, with
$$Q_k = 2^{512} Z_k + R_k \quad \text{for } k = 0, 1, \ldots \text{ and } Z_k, R_k \in [0, 2^{512}).$$
Obviously for $Q_{k+1} = d\,Z_k + R_k$ with $d = 2^{512} - n$,
$$Q_k \equiv Q_{k+1} \pmod n.$$
Hence all to be done is to multiply the "upper half" of $Q_k$ by $d = 2^{512} - n$ and add the result to the "lower half" of $Q_k$. This is a rather straightforward extension of the widely known method for performing reductions modulo $2^m - 1$ (cf. [4] p. 272). Let $\#X$ denote the length of the binary representation of $X$ in bits. We get
$$\#Q_{k+1} \le \#d + \#Z_k \quad \text{if } \#Z_k \ge \#R_k \text{ or } \#d \ge \#R_k, \text{ and}$$
$$\#Q_{k+1} \le \max(\#d + \#Z_k + 1,\ \#R_k + 1) \quad \text{if } \#Z_k < \#R_k \text{ and } \#d < \#R_k,$$
which implies that if
$$\#d \le 256$$
then
$$\#Q_2 \le 513.$$
This means that after two iterations of multiplication and addition there are at most two additions of $d$ to be done to obtain a result reduced to be less than $2^{512}$. The complete reduction eventually necessary may be left to the superior computing capabilities of the PC. Due to the simple multiplication algorithm used, the addition of $d\,Z_k$ to $R_k$ can be combined with the multiplication to have no extra cost in computing time. The greatest advantage of this reduction algorithm is however that only one 256 bit value $d$ instead of eight 512 bit values $n$ has to be stored within the card's scarce memory.
Concerning the precomputation programs, the condition $\#d \le 256$ leads to the above mentioned condition $2^{512} > n \ge 2^{512} - 2^{256}$. The remaining problem is to find $p$ and $q$ so that $n$ satisfies this interval condition. Mohan and Adiga propose to use a modulus that has not only two large but also some small prime factors. During the implementation of the reduction it turned out that enough prime pairs can be found which satisfy this condition, so that no additional small primes are needed.
Trying to combine two primes out of a precomputed set of large primes could be shown to be impractical. The simple but effective method implemented is to find a suitable prime $p$, perform a large integer division to compute a factor $q$ so that $pq$ is within the desired range and to test whether $q$ is also prime. In detail:
Given
$p < 2^{256}$, $p$ prime and chosen at random
then
satisfies
$$2^{512} > pq \ge 2^{512} - 2^{256}.$$
The prime number theorem tells us that a randomly chosen value $p$ of a magnitude of order $2^{256}$ is prime with a probability of about $1 / \ln 2^{256} = 0.0056$ (cf. [6] p. 64). Choosing $p$ to be less than $2^{256}$ ensures that at least one multiple $kp$ of $p$ falls into the interval $[2^{512} - 2^{256}, 2^{512})$ of length $2^{256}$. $q$ is the least such $k$. All integers within a small interval around $q$ are slightly larger than $2^{256}$. Thus the probability for any of
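The reduction and the modulus search above, as an added example written for a general width m so that it runs quickly at m = 64 (the paper's assembly code is not reproduced): the fold step Q_{k+1} = d·Z_k + R_k, the two-iteration card-side reduction with its #Q_2 ≤ m+1 and at-most-two-subtractions bounds, and the p-then-q search in which q is the least multiplier putting pq into [2^m − 2^{m/2}, 2^m). The Miller-Rabin helper is my own; the paper ran its primality tests on SUN-3 machines.

```python
import random


def bits(x: int) -> int:
    """#X: the length of the binary representation of X."""
    return x.bit_length()


def fold_step(Q: int, d: int, m: int) -> int:
    """One Mohan-Adiga step: Q_k = 2^m Z_k + R_k  ->  Q_{k+1} = d * Z_k + R_k with
    d = 2^m - n.  Since 2^m = n + d, Q_{k+1} = Q_k (mod n)."""
    z, r = Q >> m, Q & ((1 << m) - 1)
    return d * z + r


def card_reduce(Q: int, n: int, m: int = 512) -> tuple:
    """Card-side reduction of a product Q < 2^(2m): two fold steps, then at most two
    subtractions of n (each one equals 'add d and drop the 2^m carry').  Returns
    (value < 2^m, number of subtractions).  The value is congruent to Q mod n but may
    still exceed n; the complete reduction is left to the PC."""
    d = (1 << m) - n
    if not (0 < d <= (1 << (m // 2))):
        raise ValueError("need 2^m > n >= 2^m - 2^(m/2)")
    if bits(Q) > 2 * m:
        raise ValueError("Q must be a product of two values below 2^m")
    Q = fold_step(fold_step(Q, d, m), d, m)
    assert bits(Q) <= m + 1                   # the paper's #Q_2 <= 513 bound for m = 512
    subtractions = 0
    while Q >= (1 << m):
        Q -= n                                # == Q + d - 2^m
        subtractions += 1
    assert subtractions <= 2
    return Q, subtractions


def is_probable_prime(x: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (helper added for this example)."""
    if x < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if x % sp == 0:
            return x == sp
    dd, s = x - 1, 0
    while dd % 2 == 0:
        dd //= 2
        s += 1
    for _ in range(rounds):
        y = pow(rng.randrange(2, x - 1), dd, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def make_modulus(m: int, rng: random.Random) -> tuple:
    """Knobloch's search: random prime p < 2^(m/2); q = least k with k*p in
    [2^m - 2^(m/2), 2^m), i.e. q = ceil((2^m - 2^(m/2)) / p) (slightly above 2^(m/2));
    the pair is kept when q is prime too.  Returns (p, q, n = p*q)."""
    h = m // 2
    lo = (1 << m) - (1 << h)
    while True:
        p = rng.getrandbits(h) | 1            # odd candidate below 2^h
        if p < 3 or not is_probable_prime(p, rng):
            continue
        q = -(-lo // p)                       # ceiling division; p*q < lo + p < 2^m
        if is_probable_prime(q, rng):
            return p, q, p * q


if __name__ == "__main__":
    rng = random.Random(7)
    p, q, n = make_modulus(64, rng)
    print(hex(n), card_reduce((n - 5) * (n - 9), n, 64))
```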
V. The Implementation
The smart card's part of the scheme is implemented in its processor's assembly language. The complete program including serial communication and programming of the data ($s_i$, $P$, $d$) into E²PROM, excluding this data itself, consists of less than 700 bytes of code. As the data programming routine is used only once, it is transferred to and executed in RAM and reprograms itself with data. All 256 bytes RAM are needed for data or code storage or as stack.
The personal computer as the smart card's counterpart is programmed in C. Due to its greater performance it can use the same modular multiplication algorithm as the card without effect on overall execution time. The primality testing was done as background job on some SUN-3 computers.
The current implementation allows the authentication of a 120 byte identification string at a security level of $2^{-20}$ within an average time of about 6 seconds from card initialisation to acceptance of the identification string.
The goal of specialised processor architecture must be to implement the most time and space consuming tasks in silicon. So a cryptographic protocol processor for asymmetric protocols should include:
- a 512 bit modulus register and at least two 512 bit registers
- instructions for loading and storing these registers and modular arithmetics
- a buffered serial I/O unit, working independently from the CPU
- a physical random number generator or at least a hardware pseudo random number generator
VII. Acknowledgements
I would like to thank Dr. L. Schaumüller, W. Schlapak and H. Eilmsteiner (VOEST-ALPINE AG) as well as Prof. Dr. Th. Beth, Dr. M. Clausen, Dr. D. Gollmann and H.-P. Rieß (University of Karlsruhe) for the support, ideas and discussions contributing to this project.
VIII. Bibliography
[1] A. Fiat, A. Shamir: How To Prove Yourself: Practical Solutions to Identification and Signature Problems, Proc. of CRYPTO 86, Springer LNCS 263, pp. 186-194, 1987
[3] ISO: Draft International Standard ISO/DIS 7816-3, Identification cards - Integrated circuit(s) cards with contacts - Part 3: Electronic signals and exchange protocols, 1987
[5] S. B. Mohan, B. S. Adiga: Fast Algorithms for Implementing RSA Public Key Cryptosystem, Electronics Letters Vol. 21 No. 15, p. 761, August 1985
[6] H. Riesel: Prime Numbers and Computer Methods for Factorization, Birkhäuser 1985
MANIPULATIONS AND ERRORS,
ABSTRACT
I. INTRODUCTION
manner (i.e. with protection against active attack). We will restrict ourselves to systems which do not require the sender and the receiver to share a secret key $K$.
are based on linear computations which are well known for their cryptographic weakness.
When designing an integrity signature scheme without secret key, a basic need is to dispose of a one-way function $\phi$. In contrast with well known public key algorithms such as RSA, there is no necessity here to invert $\phi$ with the help of some hidden trap door information. Then we can consider purely randomly generated knapsacks:
For instance if $k = 2^{20}$ (message with 128 Kbyte) and $M = 2^{100}$, an attack needs about $20 \cdot 10^6$ additions.
Proof: After sorting, we can assume $a_{i-1} \le a_i$ for $1 < i \le k$. We derive a new sequence of length $k$: $b_1 = a_1$ and $b_i = a_i - a_{i-1}$ for $1 < i \le k$. There exists an element $a'_1$ in $\{b_i\}$ such that $a'_1 \le M/k$. If $a'_1 = b_j$, we then discard from the sequence $\{a_i\}$ the two elements $a_j$ and $a_{j-1}$ involved in $a'_1$. Then we determine another element $a'_2$ such that $a'_2 \le M/(k-2)$. Iterating the process $k' = k/4$ times, we then obtain $k'$ elements $a'_1, a'_2, \ldots, a'_{k'}$ such that $a'_i < M/(k-2i) \le 2M/k$.
Assuming that $k = 2^u$, $M = 2^v$, we have at our disposal a new sequence $\{a'_i\}$ of length $k' = 2^{u-2}$ with elements bounded by $M' = 2^{v-u+1}$. We consider the recursion:
$$u^{(t+1)} = u^{(t)} - 2,$$
$$v^{(t+1)} = v^{(t)} - u^{(t)} + 1, \quad \text{with } u^{(0)} = u \text{ and } v^{(0)} = v,$$
then we obtain:
$$u^{(t)} = u - 2t \quad \text{and}$$
$$v^{(t)} = v - tu + t^2.$$
Note that $v^{(t)}$ reaches its minimum $v_{\min}$ for $t = t_{\min} = u/2$, then $v_{\min} = v - u^2/4$. If $v_{\min} < 0$ all the elements of the sequence $\{a_i^{(t_{\min})}\}$ vanish. This occurs if $v < u^2/4$ or $M \le k^{\log(k)/4}$. Each step of the algorithm requires $k^{(t)}/2 = 2^{u^{(t)}-1}$ additions and a sorting, that is $O(k^{(t)} \log(k^{(t)}))$ additions. Then the total complexity is less than $k \log k + (2k/3)(1 + \log k) < 4k \log(k)$ additions; that is $O(k \log k)$. The algorithm needs no more than $O(k \log(k) \log(M))$ binary operations.
Notice that this algorithm is not probabilistic : at each step, the worst case is
considered. To perform attack of type (a), algorithms which require more
computational effort exist. A probabilistic algorithm will appear as a consequence of
proposition 2.
We present a scheme combining one way function and error correcting code:
$\ldots, x_k)$, then use a one way injective function $\phi_i(\cdot)$ from $F_2^{v}$ to $F$ (e.g. $|F| = q = 2^{128}$). For instance $\phi_i(x_i)$ can be written as $\phi_i(x_i) = \phi(i \| x_i)$, where "$\|$" stands for concatenation. We therefore obtain $k$ symbols $y_i = \phi_i(x_i)$ in $F$. Encode $(y_1, y_2, \ldots, y_k)$ with a $[n,k,d]$ error correcting code over $F$. The $n-k$ (e.g. $n-k = 4$) redundancy symbols $y_{k+1}, y_{k+2}, \ldots, y_n$ form the signature $s$.
Localization or correction
Using the Berlekamp-Massey algorithm, it is possible to localize errors in $O(n \cdot d)$ operations over $F$. But, due to the presence of the one way functions $\phi_i$, the error evaluation on the $y_i$ can not be exploited to correct errors on the $x_i$. However, for some type of messages, errors can perhaps be corrected by trial and error procedures, for instance, by exploiting natural redundancy of a language.
The error correction algorithm can be carried out only if it is possible to invert each $\phi_i$ for each position $i$ in error using some (secret) trap door information.
where $\Pi$ and $H_W$ are respectively $l \times v$ and $v \times v(n-k)$ binary matrices. The binary image of the $[n,k]$ MDS code over $F$ is then a $[nv, kv]$ code over $F_2$ with parity check matrix $H = [ZW, \ldots, IN]$.
Let $J$ be the set of positions used to adapt the fraudulent message to the desired signature; we consider the cheating procedure:
- For the legitimate message, compute $y(i) = \ldots$ for $i \in [k]$ and then $a = \sum_{i \in [k]} y(i)$.
- For a fraudulent message $x'$, choose randomly $\{x'_j\}$ for $j \notin J$, compute similar quantities, $y'_i = \phi_i(x'_i)$, $y'(j) = \ldots y'_i$; $a' = \sum_{i \in [k]} y'(i)$.
- Find $\{\varepsilon_j;\ \varepsilon_j \in F_2,\ j \in J\}$ such that $a - a' = \sum_{j \in J} \varepsilon_j (y(j) - y'(j))$; this is possible if the vectors $(y(j) - y'(j))$, $j \in J$, generate $F_2^{v(n-k)}$.
Problem A:
Given a finite set of indices $J$, an integer $a < M$, and a function $T(\cdot,\cdot)$ from $X \times J$ into $\mathbb{Z}$, find a sequence in $X^m$, $x = (x_j)_{j \in J}$ which satisfies
$$\sum_{j \in J} T(x_j, j) = a \qquad (1)$$
Remark: Notice that solving problem A reduces to solving the following knapsack:
$$\sum_{(x_j, j)} \varepsilon_{x_j, j}\, T(x_j, j) = a$$
subject to
$$\forall (x, j),\ \varepsilon_{x,j} \in \{0, 1\},$$
$$\forall j,\ \sum_{x \in X} \varepsilon_{x,j} = 1.$$
When we exhibit a sequence $x$ for a set of indices $J$ which verifies (1), we say that set $J$ is a support for $a$. The goal is to find an algorithm to resolve the problem for small or medium support size $|J|$.
In [4], this kind of problem has been studied in an algebraic structure different from the additive group $(\mathbb{Z}, +)$ of integers. The considered structure $G$ is the group of invertible $2 \times 2$ matrices with entries in the field $F_p$. The algorithm proposed in [4] supposes the existence of a chain of subgroups $H_p = G \supseteq H_{p-1} \supseteq H_{p-2} \supseteq \ldots \supseteq H_1$ such that the indexes $[H_i : H_{i-1}]$ are not too large. The method can be applied to commutative groups with small prime exponent. When $G$ contains a (cyclic) subgroup $\mathbb{Z}/P\mathbb{Z}$ with large prime $P$, a similar method can be used embedding $\mathbb{Z}/P\mathbb{Z}$ in $\mathbb{Z}$ and using the Chinese remainder theorem.
$J = \bigcup_s J_s^{(0)}$, $s \in [2^p]$.
The algorithm has $p$ steps. The principle is to determine for each step $r$ and each set $J' = J_s^{(r)}$, $s \in [2^{p-r}]$, a set of $K(P, r)$ solutions to the equation
Basic procedure: It consists in determining from 2 sets $V_1$ and $V_2$, each with $O(P)$ elements of the form $(T(x_{i_1}, i_1), \ldots, T(x_{i_t}, i_t))$, $t = 2^{r-1} b$, for $r \ge 1$, a set $V'$, $V_1 \times V_2 \supseteq V'$, and $|V'| = O(P)$ in which every $2t$-tuple's components add up to 0 (or $a$) modulo $P_i$, $i < r$. If all the numbers are specified modulo $P$, this procedure requires essentially a sorting and then $O(P \log P)$ additions. Indeed $V_1$ (resp. $V_2$) is sorted according to the value of the component's sum of its elements modulo $P_r$. After the two sortings are performed, then selecting the matching couples needs $O(P)$ comparisons. More precisely, if $|V_1| = a_1 P$ and $|V_2| = a_2 P$, finding out all matching couples needs $(a_1 + a_2) P$ comparisons since, once two elements have been compared, the smallest is dropped.
For a fixed step $r$ of the algorithm, this procedure is applied $2^{p-r}$ times for determining $2^{p-r}$ sets. Each set $V_s^{(r)}$, $s \in [2^{p-r}]$, contains $O(P)$ elements with support $J_s^{(r)}$.
Algorithm complexity:
The basic procedure is applied $2^{p-1} + 2^{p-2} + \ldots + 2^0 = 2^p - 1$ times. If we assume that the complexity of computing one value $T(x_j, j)$ is $O(1)$, the overall complexity is $K = 2^p\, P \log(P)\, p$ for a number $|J| = 2^p b$ of symbols used to adapt the signature.
If, we set K I=2a, M =2m, P =D,we then get : m =pp, & =2p.
For a = 1, we obtain b = 2p = 2 m / p , K = ~ J J + ~ (/ m
P /p)2 which reaches its
minimum for p - 6 , we then have K = 2 2 G m and = U 1=2&+1 G&.
If we consider larger blocks (e.g. a =loo) we can choose b =I, and we obtain the
same type of result : @ 2 2 G m and = UI = 2 G .
If the signature domain is sufficiently large (say $m = 1000$ bits) this attack is clearly ineffective. The security of the scheme proposed in § III remains an open problem when the field $F$ is $\mathbb{Z}/q\mathbb{Z}$ where $q$ is a prime such that $\log(q) = 128$, and $C$ is a $[n,k]$ code with $n-k = 8$, leading to a signature which is $m = (n-k)\log(q) = 128 \cdot 8 = 2^{10}$ bits long.
REFERENCES
[1] D.W. Davies and W.L. Price, "Security for Computer Networks", John Wiley and Sons, Chichester 1984.
[2] R.R. Jueneman, "A High Speed Manipulation Detection Code", Proceedings of Crypto 86, Springer-Verlag 1987, pp. 327-346.
[3] M. Campana and M. Girault, "How to Use Compressed Encoding Mechanisms in Data Protection", Securicom 88, March 15-17, pp. 91-110.
[4] P. Camion, "Can a Fast Signature Scheme Without Secret Key be Secure?", in AAECC, Lecture Notes in Computer Science, n° 228, Springer-Verlag.
PRIVACY PROTECTED PAYMENTS - REALIZATION OF A PROTOCOL
THAT GUARANTEES PAYER ANONYMITY
Svein J. Knapskog
Division of Computer Systems and Telematics,
University of Trondheim, The Norwegian Institute of Technology
N-7034 Trondheim
Introduction
The basic idea for this new way of using known systems and assets was first presented by David Chaum at CWI, Amsterdam (1). It is based upon the usage of home terminals (personal computers) and POS-terminals in the different shops, much in the same way as we already are exposed to and getting familiar with in our everyday life today. This new concept, however, will be dependent upon a smart card with an order of magnitude more memory available on it than today's technology permits, and in addition it will rely heavily upon online data communication between shops and banks. The remaining prerequisite is that banks, shops and customers can agree upon a public key algorithm that is considered safe and operationally acceptable to carry out the necessary mathematical operations underlying the new protocol. Banks must also build and maintain the necessary data bases to support the system. With these assumptions accepted, it will be demonstrated that a practical, smoothly operating system is feasible.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 107-122, 1988.
© Springer-Verlag Berlin Heidelberg 1988
$$C = M^e \bmod m$$
$$M = C^d \bmod m$$
$$(M^d)^e = M$$
$$M = S^e C$$
$$\langle 1 \rangle = M r^e$$
The signed coin is returned to the customer, and at the same time the customer's account is debited for the amount of money that the coin represents. The customer is now able to remove the envelope and check if the transmission and the bank's routines have worked properly:
$$(M r^e)^d \cdot r^{-1} = (M^d r)\, r^{-1} = M^d$$
$$(M^d)^e = M\ ?$$
The coins created are valid for use in shops which are customers of the same bank as that of the payer, or another bank that has direct data communications with the payer's bank. Generally, the latter is the case. When a payer presents his money (electronic coins) in the shop, the shop sends to the bank:
The bank searches the database to check if the money has already been used. If not, it requests the seed, $S$, from the shop (stored in the customer's smart card and read by the shop's terminal). $S$ is used to check the validity of the money:
$$S^e C = (M^d)^e\ ?$$
The money generated as change is stored in the card and can later be used in the same way as the ordinary money in the card.
The protocols
Sequence 1.
a) The card is empty (new) and is filled with money for the first time.
b) A used card is refilled with "fresh" money, discarding earlier loaded coins that are getting old or having impractical values. These coins will be returned to the bank and the account balanced accordingly.
Sequence 2.
This is the protocol for the normal use of the card. The
transaction is completed without any malfunction or error.
Two different banks may be involved in the data-
communication, and change will be given if appropriate.
Sequence 3 .
Sequence 4 .
One can imagine that the check for used money could give a positive answer even if there were no intention of fraud from the user, for instance some kind of off-line transaction that has taken place without properly updating the card. In this case, there will probably also be valid money in the card that can be correctly used after the first attempt has failed.
Sequence 5 .
Sequence 6.
Protocol operations
A1 - The user activates his home terminal and decides what amount of money he wants in his card by typing it on his terminal. If the card already contains money, he will have to give his PIN-code to get access to the card.
A2 - The user is notified that his card is filled and ready for use.
C3 - Transfer of seed.
D5 - Request for seed.
S2 - "valid-money".
S3 - Transfer of seed.
Implementation
A PRACTICAL ZERO-KNOWLEDGE PROTOCOL FITTED TO SECURITY MICROPROCESSOR MINIMIZING BOTH TRANSMISSION AND MEMORY
ABSTRACT
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 123-128, 1988.
© Springer-Verlag Berlin Heidelberg 1988
1 INTRODUCTION
• Shadow: One first completes a short message (half the length of the public modulus $n$) with a similar-sized redundancy, named shadow, then extracts the $v$-th root of this element in the chosen ring based on the composite integer $n$. The composition of these two consecutive operations is the secret operation $S$. The $v$-th power of a random element has a negligible probability of being shadowed. This method with shadow produces credentials, the most compact signatures. Due to multiplicative properties of RSA, the shadow must not be expressed multiplicatively in terms of the message.
• Imprint: Rather than signing long messages as chained blocks, one first uses a hash function to compute an imprint (shorter than $n$) of message $M$, then extracts as appendix $H$ the $v$-th root of this imprint $h$. The composition of these two consecutive operations now is the secret operation $S$. The hash function must be one-way, such that it is infeasible to construct collisions of equivalent messages.
T - B d mod n
• The verifier computes
$$J^d \cdot t^v \bmod n$$
and compares with the given bits of $T$.
In this version, there is only one exchange between the prover and the verifier (after the sending of the witness) and only one authentication
Proof of security
By hypothesis, 0 5 d" < d' 5 v - 1
Let us write the equation:
Let us notice that $d' - d''$ is a positive integer, smaller than $v$, and
prime to $v$ (because $v$ is prime). So there exists a unique pair of
positive integers $k$ and $m$, in the range from 1 to $v - 1$, commonly named
Bezout coefficients of $v$ and $d' - d''$, easily computed by the Euclidean
algorithm, such that
Q.E.D.
At each use of the procedure, a cheater has exactly one chance in $v$ to
fool the verifier. The verifier has exactly $v - 1$ chances in $v$ to defeat a
cheater. After the procedure, the verifier has essentially learned nothing
about the authentication value $B$, because he cannot distinguish between
an honest user and a very, very lucky cheater.
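The argument above turns two accepted answers to the same witness into the secret, using the Bezout coefficients of $v$ and $d' - d''$. The following Python code is an added example, not code from the paper: it runs one round of the protocol with the paper's names ($n$, $v$, $J$, $B$, $T$, $t$, $d$, with $J \cdot B^v \equiv 1 \pmod n$), shows the single-chance-in-$v$ cheater, and implements the extractor. The modulus, $v$ and the concrete values are constructed for illustration and are far too small for real use.

```python
"""Toy run of the identification round (witness T, question d, response t)
and of the extractor that the security argument describes. Added example,
not code from the paper; the modulus, v and the secret B are constructed."""
import secrets
from math import gcd


def derive_public_value(n, v, B):
    """Public value J tied to the secret B by J * B^v = 1 (mod n)."""
    return pow(pow(B, v, n), -1, n)


def random_unit(n):
    """Random unit modulo n (toy sizes; secrets gives unpredictable choices)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def prover_commit(n, v, r=None):
    """Prover draws a random unit r and sends the witness T = r^v mod n."""
    if r is None:
        r = random_unit(n)
    return r, pow(r, v, n)


def prover_respond(n, r, B, d):
    """Answer to the question d in {0, ..., v-1}: t = r * B^d mod n."""
    return r * pow(B, d, n) % n


def verifier_check(n, v, J, T, t, d):
    """Accept iff J^d * t^v = T (mod n); an honest t gives r^v * (J * B^v)^d = r^v."""
    return pow(J, d, n) * pow(t, v, n) % n == T


def cheater_commit(n, v, J, guessed_d, t=None):
    """Without B, a cheater fixes t first and sets T = J^guessed_d * t^v, which
    passes exactly when the verifier happens to ask guessed_d: one chance in v."""
    if t is None:
        t = random_unit(n)
    return t, pow(J, guessed_d, n) * pow(t, v, n) % n


def extract_secret(n, v, J, t1, d1, t2, d2):
    """Two accepted answers to one witness with d1 > d2 reveal B:
    t1/t2 = B^(d1-d2); with k*(d1-d2) = 1 + m*v (Bezout coefficients, v prime)
    (t1/t2)^k = B * (B^v)^m = B * J^(-m), hence B = (t1/t2)^k * J^m mod n."""
    delta = d1 - d2                        # 0 < delta < v, so coprime to v
    k = pow(delta, -1, v)                  # 1 <= k <= v-1
    m = (k * delta - 1) // v               # k*delta = 1 + m*v
    quotient = t1 * pow(t2, -1, n) % n     # equals B^delta mod n
    return pow(quotient, k, n) * pow(J, m, n) % n


if __name__ == "__main__":
    n, v, B = 1009 * 1013, 17, 123456      # constructed toy parameters
    J = derive_public_value(n, v, B)
    r, T = prover_commit(n, v)
    d = secrets.randbelow(v)
    print("honest round accepted:", verifier_check(n, v, J, T, prover_respond(n, r, B, d), d))
```

The extractor is exactly why a prover must never answer two different questions on the same witness: the verifier, or anyone who sees both transcripts, recovers $B$ in one exponentiation.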
REFERENCES
CNET Paris-A
TIM
38-40 rue du Général Leclerc
92131 Issy-Les-Moulineaux, Paris, France
ABSTRACT
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 129-156, 1988.
© Springer-Verlag Berlin Heidelberg 1988
INTRODUCTION
$\psi_\lambda(a) = \sum_{k=0}^{a} \frac{\lambda^{k} e^{-\lambda}}{k!}$
1.2 CALCULATION OF PROBABILITY
$P(n,r,s,i) = \sum_{k=0}^{r-i} \sum_{l=0}^{s-i} P(|E_r \cap E_s| = i \mid |E_r| = r-k,\ |E_s| = s-l)\; P(|E_r| = r-k,\ |E_s| = s-l)$
$= \sum_{k=0}^{r-i} \sum_{l=0}^{s-i} P(|E_r \cap E_s| = i \mid |E_r| = r-k,\ |E_s| = s-l)\; P(|E_r| = r-k)\; P(|E_s| = s-l)$
$P(n,r,s,i) = \sum_{k=0}^{r-i} \sum_{l=0}^{s-i} Q(n,r,k)\, H(n,r-k,s-l,i)\, Q(n,s,l)$
where:
- $Q(n,r,k) = P(|E_r| = r-k)$ denotes the probability that $k$ coincidences occur in the sample with replacement of $r$ drawings from a population of size $n$,
- $H(n,r-k,s-l,i) = P(|E_r \cap E_s| = i \mid |E_r| = r-k \text{ and } |E_s| = s-l)$ is the probability that exactly $i$ distinct elements have been drawn in the two (independent) samples (drawn with replacement, of respective sizes $r$ and $s$) with respectively $r-k$ and $s-l$ distinct elements; in other words, $H(n,r-k,s-l,i)$ is the probability that the intersection of two independent samples drawn without replacement of respective sizes $r-k$ and $s-l$ is made up of exactly $i$ distinct elements.
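The decomposition above can be evaluated exactly for small parameters, which is how one checks a birthday-type estimate before relying on a Poisson approximation for a hash or identifier size. The Python code below is an added example, not code from the paper: $Q(n,r,k)$ is computed through Stirling numbers of the second kind (the number of ways $r$ labelled draws fall into $r-k$ distinct values), $H$ as the hypergeometric probability of the intersection of two random subsets, and $P(n,r,s,i)$ by the double sum with exact fractions; the last function gives the Poisson limit for comparison. All parameter values in the demo are constructed.

```python
"""Exact P(n,r,s,i) via P = sum_k sum_l Q(n,r,k) H(n,r-k,s-l,i) Q(n,s,l), compared
with the Poisson limit. Added example, not code from the paper."""
from fractions import Fraction
from functools import lru_cache
from math import comb, exp, factorial


@lru_cache(maxsize=None)
def stirling2(r, j):
    """Stirling number of the second kind S(r, j): partitions of r labelled
    draws into j non-empty classes (draws in one class hit the same value)."""
    if r == j:
        return 1
    if j == 0 or j > r:
        return 0
    return j * stirling2(r - 1, j) + stirling2(r - 1, j - 1)


def falling_factorial(n, j):
    """n (n-1) ... (n-j+1): ordered choice of j distinct values out of n."""
    out = 1
    for t in range(j):
        out *= n - t
    return out


def Q(n, r, k):
    """Q(n,r,k) = P(|E_r| = r-k): exactly k coincidences among r draws with replacement."""
    j = r - k
    if j < 0:
        return Fraction(0)
    return Fraction(stirling2(r, j) * falling_factorial(n, j), n ** r)


def H(n, a, b, i):
    """H(n,a,b,i): independent a- and b-subsets drawn without replacement from n
    elements intersect in exactly i elements (hypergeometric)."""
    if i < 0 or i > min(a, b) or b - i > n - a:
        return Fraction(0)
    return Fraction(comb(a, i) * comb(n - a, b - i), comb(n, b))


def P(n, r, s, i):
    """The paper's double sum, evaluated exactly."""
    total = Fraction(0)
    for k in range(r - i + 1):
        qk = Q(n, r, k)
        if qk == 0:
            continue
        for l in range(s - i + 1):
            total += qk * H(n, r - k, s - l, i) * Q(n, s, l)
    return total


def distribution(n, r, s):
    """P(n,r,s,i) for every feasible i; the values sum to 1."""
    return [P(n, r, s, i) for i in range(min(r, s) + 1)]


def poisson_pmf(nu, i):
    """Poisson limit F_nu(i) with nu = rs/n."""
    return nu ** i * exp(-nu) / factorial(i)


if __name__ == "__main__":
    n, r, s = 2000, 40, 40   # constructed demo values, rs/n = 0.8
    for i, exact in enumerate(distribution(n, r, s)[:4]):
        print(i, float(exact), poisson_pmf(r * s / n, i))
```

For $n = 2000$ and two samples of 40, the exact probability of an empty intersection and the Poisson value $e^{-0.8}$ differ by a few thousandths, in line with the error terms of order $(r+s)/n$ quoted in the remarks that follow.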
Remarks :
More precisely, one can prove that, for $K/N < 1/2$,
$e^{-\frac{K^2}{2N} + \frac{K}{2N} - \frac{K^3}{3N^2}} \le \cdots \le e^{-\frac{K^2}{2N} + \frac{K}{2N}}$
If $rs/n \to \nu$ for $r, s, n \to +\infty$, it is well known [9] that the
limit distribution of $H(n,r,s,\cdot)$ is a Poisson distribution:
$\forall i$ fixed, if $\frac{rs}{n} \to \nu$ for $r, s, n \to +\infty$, then $H(n,r,s,i) \to F_\nu(i)$
Remark:
$|f(a) - F_\nu(a)| \le \frac{(r+s)\,a^2}{rs} + \frac{3(r+s)\,a}{n} + \frac{sr^2 + rs^2}{n^2}$
where $S_k^{c} = \{(a_1, \ldots, a_k) \in \{2, \ldots, c+1\}^{k} : \sum_{j=1}^{k} a_j = c + k,\ a_1 \le \cdots \le a_k\}$
. 1-
- n! 2= c
nr ( n-r-c)! 2c c!
with
Q(n,r,c) - nr
n!
(n-r+c)t. -
r2
2c c! (1 + Z)
$\forall c$ fixed, if $\frac{r^2}{2n} \to \lambda$ for $r, n \to +\infty$, then $Q(n,r,c) \to F_\lambda(c)$
Remarks :
n! r! Y
- 5 -
r3
c=l nr(n-r-c)! (r-2c)! 2'c! 6nZ
We can evaluate the precision of approximation of the frequency
distribution $F$ of the $Q$ distribution by the frequency
distribution $F_\lambda$ of the Poisson distribution with parameter $\lambda$:
$|F(a) - F_\lambda(a)| \le \frac{a^2}{r} + \frac{3r\,a}{n} + \frac{r^3}{3n^2}$
1) Using (1) we obtain the following bounds for $H(n, r-k, s-l, i)$:
- -k - -k2 - -1 - -1 2
where * ( r , i , k ; s , j , l ) = e r-i (1 - $)k e '-j (1 - $',
and :
k2
- k
+ - +k -
where ? ( n , r , i , k ) = er-i r-i n-r.
P(n,r,s,i) 2 c c
k=O 1=0
Q(n,r,k) H(n,r-k,s-1,i) Q ( n , s , l )
a P
1 H(n,r,s,i) vi(n,r,s,i,a,P) 1
k=O
Q(n,r,k)
1=0
Q(n,s,l)
Taking the L-limit:
L - l i r n P ( n , r , s , i ) 2 L - l i r n H ( n , r , s , i ) F A ( = )F + ( P )
By taking the L-limit, we get:
If we add to I: the condition $\frac{rs}{n} \to \nu$ of I.3.1, we get:
$\forall i$ fixed, if $\frac{r^2}{2n} \to \lambda$, $\frac{s^2}{2n} \to \mu$, $\frac{rs}{n} \to \nu$ for $r, s, n \to +\infty$, then:
$P(n,r,s,i) \to \psi_\nu(i)$
I
I
Remark:
[Figure: the chained-hash signature schemes under study. First scheme: $H_0$ random, $H_j = E_{M_j}(H_{j-1})$ for $1 \le j \le n$, RSA-Sign$(H_0, H_n)$. Second scheme: the same chain continued by $H_{n+j} = E_{M_j}(H_{n+j-1})$ for $1 \le j \le n$, then RSA-Sign of the chain ends. Third scheme: two chains $H_j$ and $H'_j$ started from random $H_0$, $H'_0$, with $E_{M_i}(A_i) = B_i$ for $1 \le i \le p$]
where :
$u_p = 2 \cdot 10^{p-1}$ for $p \ge 1$
236 (3p-2+ 4 . 1 0 ~ - 2
$Q_p \ge 1 - \frac{3^p}{2 \cdot 10^4}$
where :
3p
Q i Z l - -
2.104
Comments:
Proof: by induction on $p$.
So:
$u_1 = 2$
$t_1 = 2^{35}$, $t'_1 = 2^{38}$
$Q_1 \ge 1 - 10^{-4}$, $Q'_1 \ge 1 - 10^{-4}$
So for $p \ge 2$:
$t_p = p - 1 + 2^{37} u_{p-1}$
= 236
[
3 p - 2 + 4 . 1 o p - 2
[1+-:” [1-[&3)p-1]))
$Q_1 \ge q$, $Q_2 \ge q^{4}$, $Q_3 \ge q^{13}$, ...
More generally: $Q_p \ge q^{\frac{3^p - 1}{2}} \ge 1 - \frac{3^p - 1}{2} \cdot 10^{-4} \ge 1 - \frac{3^p}{2 \cdot 10^4}$
Note that $Q_p \ge 0.995$ for $p = 4$.
CONCLUSION
REFERENCES
Introduction
In the following paper, we propose a protocol for interactive data exchange.
An interactive data exchange session can be divided into three phases as shown in
Fig. 1:
i) a Session Key Exchange/User Authentication phase,
ii) a Data Exchange phase, and
iii) a Resynchronization phase (for error recovery).
The cryptographic system proposed for this system is based on discrete exponentiation, that is, all operations (though not shown) involve reduction modulo p for a large prime p. The security of the system is based on the difficulty of determining logarithms in a finite field GF(p) [1]. We also assume the existence of a trusted Public Key Notary (PKN). The PKN provides a certification service for each of the users' "public" keys and is not required to be on line.
a-* = p k n * a m + w2'
for a random value w (pkn is the private information of the PKN). This
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 159-166, 1988.
© Springer-Verlag Berlin Heidelberg 1988
procedure and the key exchange protocol are described by ElGamal [2]. This is
shown in Fig. 2. The procedure begins when user A initiates a call to user B
(initiator/respondent respectively). The protocol proceeds as follows:
i) User A generates a random initial key K and a random value r.
ii) User A obtains the pair [~2-~,,5~) in a public manner (e.g., from a
iv) If the verification passes, user A applies the ElGamal protocol to form
the message
It can be seen that user A can also form this key from its secret and authenticated data. This completes the Key Exchange phase of the protocol. In the next section, we examine a "conventional" cryptographic system based on discrete exponentiation.
respondent respectively).
Before any data is exchanged, each user verifies the correct exchange of the
initial keys. To do this, user A calculates the pattern
and forwards this to A. Each end verifies that the correct image has been
received from the other user (see Fig. 3).
Once verification has been performed, the actual data exchange may begin.
Ciphertext blocks are formed as
where j = I or R depending on the direction of data flow, and i indicates the
message block number. The key $K_i$ used for each block is unique and is derived
from the appropriate sub-session key as
(this can be done in many ways). Using this technique, plus some error detection
bits added to the plaintext, will allow for the detection of inserted, deleted or
modified blocks.
Rendezvous Phase
The data exchange protocol will now proceed until the end of the session or
until an error occurs. If an error cannot be corrected by simple retransmission, or
if synchronization is lost, then a "Rendezvous" must be executed (see Fig. 1). In
this phase, the receiving user (B in Fig. 4) must notify the sending user that synchronization has been lost. The sender then determines the last correctly
received message block (we assume that a communication protocol is present on
the link to provide acknowledgments for correctly received blocks). The sender
then increments the state of the key by a value n such that
where l is the last correctly received block. The sender then calculates the image
and sends this to the receiving user. The receiving user increments its key state
$K$ by an amount n−q and calculates successive values of $\alpha$ until the pattern is
matched (note: since synchronization has been lost, the state of either end is unknown, thus the "hunt" process must cover a sufficiently large number of
exponents as to make resynchronization highly probable). Once resynchronization has been established, the data exchange phase may proceed once again.
As shown in Figs. 1 and 4, a provision has been made to try the rendezvous
procedure only two times; if resynchronization is not established in this time, then
the session is considered unusable and a key exchange phase is started once again.
(It is also possible that the key exchange phase may fail a number of times,
though not indicated, and provisions must be included to limit the number of
tries for key exchange. If this occurs, then the channel must be deemed unusable.)
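The rendezvous phase can be simulated end to end: the sender jumps its key state past the last acknowledged block and publishes only the image $\alpha^{\text{state}} \bmod p$, the receiver hunts forward through successive exponents until the image matches, and both ends then derive the same per-block key. The Python code below is an added example, not code from the paper; since the page's formulas are not recoverable, it assumes that the key state is the exponent of $\alpha$, that the per-block key is a hash of the sub-session key and the state (one of the paper's "many ways"), that the hunt is bounded by a window, and that the second of the two permitted attempts jumps twice as far. The toy prime and base are constructed.

```python
"""Rendezvous (resynchronisation) of a key-state counter by pattern matching.
Added example; the state-as-exponent model, the hunt window and the toy
prime/base are assumptions, not the paper's own definitions."""
import hashlib

P_MOD = 2_147_483_647   # toy prime p (2^31 - 1), constructed for illustration
ALPHA = 7               # base alpha, a generator of the toy group, constructed


def image(state):
    """Pattern alpha^state mod p sent over the channel; it exposes the state
    only through a discrete logarithm, not the block keys themselves."""
    return pow(ALPHA, state, P_MOD)


def block_key(sub_session_key: bytes, state: int) -> bytes:
    """Per-block key derived from the sub-session key and the key state."""
    return hashlib.sha256(sub_session_key + state.to_bytes(8, "big")).digest()


class Endpoint:
    """One side of the session: shared sub-session key plus its own key state."""

    def __init__(self, sub_session_key: bytes, start_state: int = 0):
        self.key = sub_session_key
        self.state = start_state


def sender_rendezvous(sender, last_acked_block, jump):
    """Sender moves its state past the last correctly received block by `jump`
    and returns the image that the receiver must hunt for."""
    sender.state = last_acked_block + jump
    return image(sender.state)


def receiver_hunt(receiver, pattern, window):
    """Receiver steps its state forward, at most `window` times, until the
    image matches; returns the matched state or None if the hunt fails."""
    for step in range(window + 1):
        candidate = receiver.state + step
        if image(candidate) == pattern:
            receiver.state = candidate
            return candidate
    return None


def rendezvous(sender, receiver, last_acked_block, jump, window, max_tries=2):
    """Whole phase with the paper's two-attempt limit. Returns True when both
    ends agree on the state (and hence on the next block key); False means the
    session is unusable and a new key exchange is required. The larger jump on
    the second attempt is an assumption of this example."""
    for attempt in range(max_tries):
        pattern = sender_rendezvous(sender, last_acked_block, jump * (attempt + 1))
        if receiver_hunt(receiver, pattern, window) is not None:
            return block_key(sender.key, sender.state) == block_key(receiver.key, receiver.state)
    return False


if __name__ == "__main__":
    # constructed scenario: receiver lost blocks 51..57, last ack was block 50
    a, b = Endpoint(b"sub-session-key", 57), Endpoint(b"sub-session-key", 50)
    print("resynchronised:", rendezvous(a, b, last_acked_block=50, jump=10, window=20))
```

The window is the security-relevant knob: too small and an honest receiver fails the hunt and forces a fresh key exchange, too large and an attacker who replays an old image can make the receiver spend a long search on it, so it should be sized to the expected loss and the two-attempt limit kept.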
Conclusions
In this paper, we have described a protocol for interactive data exchange
which provides strong mutual authentication of the users and data integrity. The
protocols used are based on a cryptographic system using discrete exponentiation
for public key exchange and conventional data exchange. The protocol is robust
to data/protocol errors and active attacks. While it has been shown as an
interactive protocol, a one-way data exchange protocol (for email or file transfer)
can easily be derived from this protocol.
References
1. W. Diffie, M. Hellman, "New directions in cryptography", IEEE Trans. on Info.
Theory, Vol. IT-22, pp.472-492, 1976.
[Figure 1: session phases: KEY EXCHANGE PHASE, DATA EXCHANGE PHASE, RENDEZVOUS PHASE; "many tries" loop]
[Figure 2: KEY EXCHANGE PHASE between USER A and USER B, with the shared key K formed at both ends]
[Figure 3: verification of the exchanged keys between USER A and USER B]
[Figure 4: rendezvous between USER A and USER B: SYNC LOSS, OK!, RESYNC ESTABLISHED]
ANONYMOUS AND VERIFIABLE
REGISTRATION IN DATABASES
Jørgen Brandt
Ivan Bjerre Damgård¹
Peter Landrock
Dept. of Mathematics and Computer Science, Aarhus University
Ny Munkegade,
DK 8000 Aarhus C ,
Denmark.
Abstract
Methods are given by which personal data about a large number of individuals
can be registered in a large central database without having to trust this register not to
give away information linked to a given individual. Personal information arriving
from many different sources can be placed correctly in the register. The registration is
done in a verifiable way: Each individual can be given access to the register to check
that his information is correct, and can even, if he chooses to do so, prove to anyone
that he is or is not identical to a given person in the register. This can all be done
without compromising the anonymity of any other individual.
1. Introduction
Consider a set of institutions $D_1, \ldots, D_n$, which collect information on a large
number of individuals. Examples could be tax authorities, banks, hospitals etc. The
institutions would like to set up a large common register C , which is to contain all
information from all institutions. There may be numerous reasons for this, C may be
convenient for economical or practical reasons, or it may be just a temporary register
which is set up for statistical purposes.
This raises of course some security problems: the individuals may be willing to
trust each of the $D_i$, but unwilling to accept a new central register, since
1) Outsiders can now get access to a complete set of personal data about anyone, just
by breaking into one database; and
2) The $D_i$'s, who have legal access to C, may now read data about any individual,
including those that they have had no contact with before.
¹ This research was supported by the Danish Natural Science Research Council.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 167-176, 1988.
© Springer-Verlag Berlin Heidelberg 1988
How can we make C secure against unwanted use of the information? It is well
known that preventing access, physical or otherwise, to a database is very hard and
expensive. A cryptographic solution, however, can make the information useless to
intruders, and therefore seems a better alternative.
Recall that in this case the personal information itself is not secret; the
confidential part is the linking of names to particular records in the register. What we
need is therefore a system by which the $D_i$'s can send information to C in such a way
that data arriving from different places concerning the same person can be identified as
such, but without this giving away the true identity of the individual involved. In other
words, we want the registration to be anonymous: given an individual and a person
registered in C, it should be hard to tell whether they are identical. Moreover, it is
desirable that the system is verifiable, i.e. an individual i can be given access to C to
check that his data are correct, and even more important: if needed, i can produce a
proof that he is or is not identical to a given person registered in C. Of course, this
must all be done without compromising the anonymity of anybody else.
2. Related Work
Other researchers, in particular Chaum [Ch], have designed systems to prevent the
linking of a large amount of personal data. Chaum's system is based on each individual having different pseudonyms with each organisation they talk to. This makes the
information unconditionally unlinkable. On the other hand, data which is to be
exchanged between organisations must travel through the individual they apply to.
With a nationwide database, this may not be a practical solution. In our system the
individuals are known by their real name in the institutions we have to begin with
($D_1, \ldots, D_n$). This means of course that the individuals must trust the $D_i$'s and that
we lose the unconditional unlinkability. On the other hand, information can now be
sent to the new register directly, and since our system is identity based, it can be
verifiable. This is much harder to achieve with a system where individuals choose
their own pseudonyms at random: how can person i prove that he did or did not
choose this particular random number?
3. Our Solution
We assume that each person is known to each $D_i$ by some unique piece of information, like name, address, etc. For person j this will be called ID(j). Consider now
a solution where data will be sent to C such that information about the individual j is
accompanied by an "encryption" of ID(j), i.e. the image of ID(j) under some suitable function F. We let J denote the set of all possible individuals. We assume that
this set is very large, so that the set of individuals registered in C at any given time is
of negligible size compared to |J|.
from J.
The independence condition is meant to protect against the case where an enemy
knows the identity of some registered individuals. The condition says that this does
not help him to find other identities. Note, however, that since we assume that the
given identities are randomly distributed in J, the condition does not cover the case
where an enemy can choose freely individuals for which he would like to see
corresponding F-values (cf. known plaintext versus chosen plaintext attacks on a
crypto system).
The verifiability condition assigns to each individual a unique witness, which can be
thought of as a certificate of the connection between corresponding ID- and F-values.
This allows an individual to prove to anyone that he is or is not identical to a given
person registered in C. More details can be found in Section 5.
The anonymity condition is as restrictive as possible: it says that even when given
that an unknown person registered in C is identical to one out of two individuals, it is
still hard to tell which one. This and the independence condition mean that some of
the more obvious solutions will not work:
Consider for example using as F a publicly known one way function. This means
at least that one cannot compute j from F(ID(j)). But since it is trivial to test from
ID(j') and F(ID(j)) whether j = j', the anonymity condition is violated. One way to
repair this could be to use a function depending on some secret parameter, like a
pseudo random function [GGM] or a conventional cipher, i.e. setting $F = f_K$, where K
is secret. This may satisfy the anonymity condition, but the only way we can get
verifiability is by setting w(ID(j)) = K for all j, which clearly violates the independence condition.
The solution we suggest can be informally described as follows: Select a trapdoor
one way permutation f and a one way function g with the same domain as f. By
redefining ID, we make sure that ID(j) ∈ domain(f) for all j.
We describe one way of doing this in the following: To be specific, let ID(j) consist of a number of fields, such as firstname(j), secondname(j), street(j), city(j),
etc., where firstname(j) belongs to some set FIRSTNAMES, and similarly for the
other fields. This makes ID(j) an element of
we may represent the set of possible IDs as binary strings of length k. The parameter
k should be chosen such that domain(f) = {0,1}^k. In practice, k will be a security
parameter, and the number of fields in ID must be chosen accordingly. Also, we must
of course admit that the cardinality of domain(f) will not in general be an exact power
of 2, so we have to content ourselves with approximations in practice.
With this scheme, choosing a random person in J and applying ID produces an
(almost) uniformly distributed element in domain(f). Moreover, it is a reasonable
assumption that choosing a random set of strings corresponding to persons registered
in the database gives a good approximation to a uniform choice from all of J, where
"good" is defined relative to the behavior of polynomial time algorithms using the
strings as input. More specifically, we are assuming that no feasible algorithm is able
to exploit the fact that the individuals in C are not really uniformly chosen, but are
selected by some specific (incredibly complicated) random process.
We then set $F(ID(j)) = g(f^{-1}(ID(j)))$ and $w(ID(j)) = f^{-1}(ID(j))$.
Actually this definition is a bit too restrictive. It is clearly sufficient that both
ID(j) and F(ID(j)) are easily computable from w(ID(j)), and with some choices of
f and g, there are other ways to meet this condition.
Theorem 3.1
With F, w and ID defined as above, the verifiability and independence conditions are
satisfied.
Proof.
Given w(ID(j)), one can directly compute F(ID(j)) = g(w(ID(j))). Thus the
verifiability condition is satisfied. With the definition of ID given above, we may
assume that selection of a random individual i will produce an element ID(i) uniformly distributed in the domain of f. Therefore a randomly chosen set
{(ID(i), w(ID(i)))} can always be produced without knowing the identity of any individual, just by starting with a set of randomly chosen witnesses and computing f on
each of them. Therefore an algorithm which would break the anonymity condition
given a set of corresponding identities and witnesses can easily be modified to do
without this, just by producing the required set from scratch as above.
Theorem 3.2
Suppose F is constructed using randomly and independently chosen trapdoor permutations f and g. Suppose also that it is infeasible to compute $f^{-1}$ and $g^{-1}$ for more than
a negligible fraction of the possible choices of f and g. Then both $F = g f^{-1}$ and
$F^{-1} = f g^{-1}$ are infeasible to compute for more than a negligible fraction of the possible
choices of pairs (f, g).
Proof.
Suppose we have an efficient algorithm for computing F. Then this algorithm can be
used to compute $f^{-1}$ for a randomly chosen f with unknown trapdoor as follows:
select a g with known trapdoor at random, and run the algorithm on F constructed
from f and g. By assumption, the algorithm can compute F-images with nonnegligible probability, and for each x for which it tells us what F(x) is, we can use the trapdoor for g to compute $f^{-1}(x) = g^{-1}F(x)$. The case with $F^{-1}$ is symmetric. □
There is a price to pay in order to be able to prove that F and $F^{-1}$ have the
claimed properties, namely the assumption that g is trapdoor, which introduces the
risk of having the trapdoor revealed to an enemy. One can do away with this by
developing systems where g, and therefore F, is a one way function with no (known)
trapdoor. This would mean that even organisations with maximal information on the
system would be unable to "decrypt" randomly chosen identities in C, although
knowledge of the trapdoor for f would enable them to test given identities against F-values. This would be of little use to an enemy, however, if C was only willing to
release data on an individual to $D_i$ if $D_i$ had previously provided data on that individual. This could be implemented by including a protocol by which any $D_i$ could
identify itself to C before getting access to any data.
One way to implement the system in practice is to assume a trusted center which
selects f and g together with the trapdoor information for f, computes and sends
secretly $f^{-1}(ID(j))$ to each j, then forgets the trapdoor information and stops functioning. Alternatively the center can be made permanent if new persons have to enter
the system later. The individuals can verify that they have correct information from
the center, can compute their own F-value, and later convince each $D_i$ that this value
is correct. This can be done simply by showing w(ID(j)) to $D_i$. In any case, no w-values have to be remembered by the $D_i$'s. This solution protects optimally against the
$D_i$'s reading data they should not have access to: each $D_i$ can find data about individual j precisely if j has given F(ID(j)) to $D_i$. For all other individuals, $D_i$ is in
exactly the same position as an outside enemy, by the independence condition.
Another way is to make the trapdoor for f known to all $D_i$'s, but not to C. Then
the $D_i$'s can have their information stored in clear, and compute F-values as needed
when they communicate with C. This removes the need for a trusted center, but on
the other hand all $D_i$'s are now faced with the security problem of safeguarding the
trapdoor of f. Also the protection against the $D_i$'s themselves is reduced: since
knowledge of the trapdoor for f implies ability to compute F-values, the $D_i$'s can
check if a given individual is identical to a person registered in C, but they are not able
to find the identity of a randomly chosen person in C, by the one way property of g.
At this point we must address the ultimate disaster for the proposed model: the
disclosure of both trapdoors to an enemy. Obviously, the enemy may then calculate
ID(j) from F(ID(j)) and vice versa, and the entire database is seriously compromised. It therefore seems natural to introduce some measure that would make this
impossible. One scheme is to apply a one-way function h to ID(j) and then use the
above model on h(ID(j)). If h is truly one-way this makes it impossible for anyone
to get from F(h(ID(j))) to ID(j) except by exhaustive search which, by the very
nature of the problem, we can never prevent if the trapdoors are revealed. There are
many choices for practical implementations of h. It could be a hash function from a
set of long IDs to a much smaller set of binary strings. Here one should take care to
ensure injectivity on the set of actual IDs.
4. Concrete Constructions
1) $F(x) = (\sqrt{x} \bmod n)^{3} \bmod n'$.
The function F can be constructed from
$f(x) = x^2 \bmod n$ and $g(x) = x^3 \bmod n'$,
where n and n' are products of two large and strong primes, chosen independently of
each other. Moreover n and n' must be of compatible size (to prevent F(x) = x!).
Also f is only injective on the elements of odd order in $Z_n^*$, which, as mentioned earlier, is compensated for through the definition of ID.
Obviously, f and g do not commute and Theorem 3.2 indicates that F and $F^{-1}$
are infeasible to compute for a non vanishing fraction of choices of n and n'. Note
that if the factorization of n' is known, $\sqrt{x} \bmod n$ and hence probably x can be computed from F(x). But as mentioned earlier, the trapdoor for g is never used in an
application, so the factorization of n' can be deleted immediately after choosing n'.
Note that using squaring for both f and g will not work: given a consistent pair
(ID, F(ID)), the witness can be computed using the Chinese Remainder Theorem and
without knowledge of the factorizations! The generalization of this attack by Hastad
[Ha] does not seem to work with our choice of exponents, since there are only 2 equations involving the witness, and this is insufficient to make the attack work. The
number of equations needed to compute the witness becomes much larger when the
exponents get large, and therefore better security may be achieved by choosing random
RSA-exponents instead of 2 and 3.
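Construction 1 is small enough to run end to end: the trusted center, holding the factorization of $n$, computes the witness $w = \sqrt{ID} \bmod n$ and the register value $F = w^3 \bmod n'$; an institution $D_i$ that is shown $w$ checks $f(w) = ID$ and $g(w) = F$; and a holder of the trapdoor of $f$ alone can test a given identity against an $F$-value, which is exactly the limitation the text attaches to that variant. The following Python code is an added example, not code from the paper. It assumes Blum primes ($p, q \equiv 3 \bmod 4$) so that the square root that is itself a quadratic residue is unique, which stands in for the paper's restriction of $f$ to the elements of odd order, and it packs the ID fields into a square so that the ID lies in the image of $f$; the small primes, $n'$ and the sample identities are constructed.

```python
"""Construction 1: f(x) = x^2 mod n, g(x) = x^3 mod n', F = g(f^{-1}(ID)),
witness w = f^{-1}(ID). Added example; the Blum-prime square root, the ID
packing and all numeric parameters are assumptions made for illustration."""


def sqrt_mod_blum(x, p, q):
    """Trapdoor inverse of f: the square root of x mod n = pq that is itself a
    quadratic residue. For p, q = 3 mod 4 and x a residue, x^((p+1)/4) is that
    root mod p (likewise mod q); the halves are joined by the CRT."""
    assert p % 4 == 3 and q % 4 == 3
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    if rp * rp % p != x % p or rq * rq % q != x % q:
        raise ValueError("x is not a quadratic residue modulo n")
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def f(x, n):
    """f(x) = x^2 mod n (trapdoor: the factorization of n)."""
    return pow(x, 2, n)


def g(w, n_prime):
    """g(w) = w^3 mod n' (its trapdoor is never used in the application)."""
    return pow(w, 3, n_prime)


def encode_identity(fields, n):
    """Stand-in for the paper's redefinition of ID(j): pack the fields and square
    the result so that ID lies in the image of f. Constructed encoding."""
    packed = int.from_bytes("|".join(fields).encode(), "big")
    return pow(packed % n, 2, n)


def trusted_center_issue(identity, p, q, n_prime):
    """The center holds the trapdoor of f: it hands w = f^{-1}(ID) to the person;
    F = g(w) is the value under which the person is registered in C."""
    w = sqrt_mod_blum(identity, p, q)
    return w, g(w, n_prime)


def institution_check(identity, w, F, n, n_prime):
    """What D_i verifies when j shows the witness: ID = f(w) and F = g(w)."""
    return f(w, n) == identity and g(w, n_prime) == F


def link_with_f_trapdoor(identity, F, p, q, n_prime):
    """With the trapdoor of f only, a given identity can be tested against a
    register value; this is the residual linkability the text points out."""
    try:
        return g(sqrt_mod_blum(identity, p, q), n_prime) == F
    except ValueError:
        return False


if __name__ == "__main__":
    p, q = 1019, 1031                  # constructed Blum primes, n = p*q
    n_prime = 1061 * 1091              # constructed, independent of n, 3 coprime to phi(n')
    ident = encode_identity(["Ada", "Lovelace", "Ny Munkegade", "Aarhus"], p * q)
    w, F = trusted_center_issue(ident, p, q, n_prime)
    print("register value F:", F, "witness accepted:",
          institution_check(ident, w, F, p * q, n_prime))
```

Note that $n' > n$ here, which together with the cube being a permutation on $Z_{n'}^*$ (3 is coprime to $\varphi(n')$ for the chosen primes) makes distinct witnesses give distinct $F$-values; the paper's requirement that $n$ and $n'$ be of compatible size is what keeps $F(x) = x$ from being possible.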
2) $F(x) = a^{\sqrt{x}} \bmod n'$.
F can also be constructed from
$f(x) = x^2 \bmod n$ and $g(x) = a^{x} \bmod n'$
where n is chosen as above. n' can be chosen as n or as a large prime; it is important
that a is chosen such that it generates a large subgroup of $Z_{n'}^*$, whence discrete logarithms
to base a are (presumably) hard to compute. The same remarks as those relevant to case
1) apply here, except the fact that g is not trapdoor in this case. This means that
Theorem 3.2 does not apply; on the other hand there is no risk of accidental release of
a trapdoor for g.
For convenience, it might even be reasonable to choose n = n', except for the fact
that f and g will then not be independently chosen.
3) $F(x) = x^{\sqrt{x} \bmod n} \bmod n$.
Here, it is not so transparent how to choose f and g. However if we set
$f(x) = x^{x} \bmod n$ and $g(x) = x^2 \bmod n$
then
$F(x) = x^{\sqrt{x} \bmod n} \bmod n = (\sqrt{x})^{2\sqrt{x}} \bmod n = g f g^{-1}(x)$.
So F is conjugate to f under the action of the symmetric group on the elements of odd
order in $Z_n^*$, on which g is a bijection.
The function f is not one to one. In fact it has some of the properties one would
expect from a "typical" random function from $Z_n^*$ to $Z_n^*$. Indeed, as is well known:
Lemma 4.1
Consider the set of functions from a set A into itself, where A has cardinality n. Then
the average size of Im(f) is
$(1 - e^{-1})\,n \approx 0.63\,n$ □
F(ID(j)). The proof can be executed using for example the general protocol from
[BrChCr].
With the solution from this section, the above protocol does not work, simply
because it is not possible to check the correctness of a witness, and without this check,
the protocol does not prove anything.
The only way to repair this is to ensure that j is committed also to his choice of
w(ID(j)). This can be done by introducing a public directory, containing entries for
all individuals. For person j, the entry is BC(w(ID(j)), r). This entry can be computed and proven correct by j himself initially. We can now make the above protocol
work once again, since a witness can now be checked by testing whether the appropriate entry in the public file contains a commitment to the witness in question.
Thus this solution is of theoretical interest because it shows the existence of systems that provably satisfy the anonymity condition, but it is not of great practical
importance, because we must introduce additional complications to get a complete
solution.
Conclusion.
We have shown a practical solution to anonymous and verifiable registration in
databases, and we have pointed out 3 basic conditions that such a solution should
satisfy. We have also shown the existence of solutions that satisfy all 3 conditions.
References.
G. Brassard, D. Chaum and C. Crépeau: "Minimum Disclosure Proofs of Knowledge", tech. report PM-R8710, CWI, Amsterdam 1987.
G. Brassard and C. Crépeau: "Non-Transitive Transfer of Confidence: a perfect zero-knowledge Protocol for SAT and beyond", Proc. of FOCS 86, pp. 188-195.
D. Chaum: "Security Without Identification: Transaction Systems to make Big Brother Obsolete", CACM, vol. 28, 1985.
I. Damgård: "The Application of Clawfree Functions in Cryptography: Unconditional Protection in Cryptographic Protocols", Ph.D. thesis, Aarhus University, 1988.
J. Hastad: "On Using RSA with Low Exponent in a Public Key Network", Proceedings of Crypto 85, Springer.
M. Boppana and L. Lagarias: "One Way Functions and Circuit Complexity", Information and Computation, vol. 74, pp. 226-240, 1987.
Elections with Unconditionally-Secret Ballots
and Disruption Equivalent to Breaking RSA
David Chaum
Centre for Mathematics and Computer Science
Kruislaan 413 1098 SJ Amsterdam
Introduction
The first multi-party secure election protocol in the literature [Chaum 81] could not
prevent someone able to break RSA from tracing ballots back to particular voters,
although some properties about it could be proved under reasonable assumptions [Merritt
83]. A subsequent proposal did not at all protect the confidentiality of ballots from those
conducting elections [Cohen & Fischer 85]. An extension [Cohen 86], similar in nature to
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 177-182, 1988.
© Springer-Verlag Berlin Heidelberg 1988
the original [Chaum 81] proposal, divides the "government" into parts, in such a way that
all parts must cooperate to violate participants' privacy. Using such a protocol to obtain
the optimal privacy protection obtained here, however, would allow any single participant
to disrupt the entire election. Also, it has security against cheating that is only linear in
the effort required of each participant, in contrast to the exponential security proved here.
The present work draws on two previous basic results. One is a "sender
untraceability" system detailed in [Chaum 88b]. It provides unconditional security
against tracing the senders of messages and limits the disruption that can be caused by
participants. The second is the notion of "blind signatures," which serves as a basis for
untraceable payments and credentials, as introduced in [Chaum 85] and detailed in
[Chaum 88c] and [Chaum & Evertse 87].
The protocol defined in this section in essence allows an applicant y to give very
high certainty to z that the ballot provided by y is of a form that allows y only to cast a
single vote.
Consider the following protocol between an applicant y and organization z:
(1) Once, and for all applicants, z broadcasts: a small integer security parameter s; a
second integer parameter n; an RSA modulus N; a prime d > N; and n distinct
random units of the ring of residue classes modulo N (called units modulo N for
short), denoted $v_j$, where $j \in \{1, \ldots, n\}$ throughout. (In this protocol "random" is
used to mean uniformly distributed and independent of everything else.)
(2) y→z (read "y sends to z"): $M = (m_{i,j})$, $m_{i,j} \equiv v_{\pi_i(j)}\, r_{i,j}^{d} \pmod N$, where $i \in \{1, \ldots, s\}$,
with $\pi_i$ random permutations of $\{1, \ldots, n\}$, and with $r_{i,j}$ random units modulo N.
(3) z→y: C, a random nonempty proper subset of $\{1, \ldots, s\}$.
(4) y→z: $k \in \{1, \ldots, s\} \setminus C$; $P = (p_{i,j})$, $p_{i,j} = \pi_i(j)$ for $i \in C$, $p_{i,j} = \pi_k^{-1}(\pi_i(j))$ for $i \notin C$;
$Q = (q_{i,j})$, $q_{i,j} \equiv r_{i,j} \pmod N$ for $i \in C$, and $q_{i,j} \equiv r_{k,\pi_k^{-1}(\pi_i(j))}\, r_{i,j}^{-1} \pmod N$ for $i \notin C$.
(5) z verifies that every row of P is a permutation of $\{1, \ldots, n\}$; that $m_{i,j} \equiv v_{p_{i,j}}\, q_{i,j}^{d} \pmod N$ for $i \in C$; and that $q_{i,j}^{d} \equiv m_{k,p_{i,j}}\, m_{i,j}^{-1} \pmod N$ for $i \notin C$.
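Steps (1) to (5) form a cut-and-choose check: the opened rows in C prove that y builds rows honestly, and the quotient relation ties every unopened row to row k without exposing $\pi_k$, which is what the first theorem below relies on. The Python code below is an added example, not code from the paper, that runs the five steps with toy parameters and then performs the unblinding used in the voting phase (z publishes a $d$-th root of $m_{k,j}$, the voter divides by $r_{k,j}$). The modulus $N$, the prime $d > N$, the number of units, and every random choice are constructed; indices are 0-based here where the paper's are 1-based.

```python
"""Steps (1)-(5) of the ballot-form protocol between applicant y and organisation z,
plus the voter's unblinding. Added example with constructed toy parameters."""
import math
import random


def random_unit(N, rng):
    """Uniformly random unit modulo N (toy sizes)."""
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x


def setup_units(N, n, rng):
    """Step (1): z publishes n distinct random units v_0 .. v_{n-1} modulo N."""
    units = set()
    while len(units) < n:
        units.add(random_unit(N, rng))
    return sorted(units)


def applicant_form(N, d, v, s, rng):
    """Step (2): y keeps pi_i and r_{i,j} secret and sends M with
    m_{i,j} = v_{pi_i(j)} * r_{i,j}^d mod N for each of the s rows."""
    n = len(v)
    pis = [rng.sample(range(n), n) for _ in range(s)]
    r = [[random_unit(N, rng) for _ in range(n)] for _ in range(s)]
    M = [[v[pis[i][j]] * pow(r[i][j], d, N) % N for j in range(n)] for i in range(s)]
    return pis, r, M


def applicant_open(N, pis, r, C, k):
    """Step (4): rows in C are opened completely; every other row is related to
    the unopened row k through pi_k^{-1} and a quotient of blinding factors."""
    s, n = len(pis), len(pis[0])
    pi_k_inv = [0] * n
    for j in range(n):
        pi_k_inv[pis[k][j]] = j
    P = [[0] * n for _ in range(s)]
    Q = [[0] * n for _ in range(s)]
    for i in range(s):
        for j in range(n):
            if i in C:
                P[i][j] = pis[i][j]
                Q[i][j] = r[i][j]
            else:
                p = pi_k_inv[pis[i][j]]
                P[i][j] = p
                Q[i][j] = r[k][p] * pow(r[i][j], -1, N) % N
    return P, Q


def organisation_verify(N, d, v, M, C, k, P, Q):
    """Step (5): each row of P is a permutation, opened rows re-blind to M, and
    unopened rows satisfy q_{i,j}^d = m_{k,p_{i,j}} * m_{i,j}^{-1} (mod N)."""
    n = len(v)
    for i in range(len(M)):
        if sorted(P[i]) != list(range(n)):
            return False
        for j in range(n):
            if i in C:
                if M[i][j] != v[P[i][j]] * pow(Q[i][j], d, N) % N:
                    return False
            elif pow(Q[i][j], d, N) != M[k][P[i][j]] * pow(M[i][j], -1, N) % N:
                return False
    return True


def unblind_root(N, e, M, r, k, j):
    """Voting: z publishes the d-th root of m_{k,j} (z holds e = d^{-1} mod phi(N));
    the voter divides by r_{k,j} and obtains the d-th root of v_{pi_k(j)}."""
    return pow(M[k][j], e, N) * pow(r[k][j], -1, N) % N


def demo(seed=1):
    """Honest run, root recovery, and a tampered M that step (5) rejects."""
    rng = random.Random(seed)
    p, q = 983, 1013                        # constructed toy primes, N = p*q
    N, d = p * q, 1000003                   # d prime and greater than N
    e = pow(d, -1, (p - 1) * (q - 1))       # z's signing exponent
    v = setup_units(N, 5, rng)
    pis, r, M = applicant_form(N, d, v, 4, rng)
    C, k = {0, 2}, 3
    P, Q = applicant_open(N, pis, r, C, k)
    ok = organisation_verify(N, d, v, M, C, k, P, Q)
    root = unblind_root(N, e, M, r, k, 1)
    root_ok = pow(root, d, N) == v[pis[k][1]]
    M_bad = [row[:] for row in M]
    M_bad[0][0] = M_bad[0][0] * 2 % N       # corrupt an entry of an opened row
    rejected = not organisation_verify(N, d, v, M_bad, C, k, P, Q)
    return ok, root_ok, rejected


if __name__ == "__main__":
    print(demo())
```

Row $k$ itself passes step (5) trivially ($p_{k,j} = j$, $q_{k,j} = 1$), so all the assurance about it comes from the other $s-1$ rows; that is why a cheating y must guess C exactly, giving the $1/(2^s - 2)$ bound of the second theorem.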
Theorem: For y following the protocol, $\pi_k$ is statistically independent of the messages
transmitted.
Proof (sketch): Without loss of generality, fix k. The tuple (P, Q, M) defines the
messages transmitted in an instance of the protocol, and A denotes the set of all possible
such tuples. Similarly, B is the set of all possible tuples $(\pi_i, r_{i,j})$ with $i \ne k$, $1 \le i \le s$ and
$1 \le j \le n$. It follows easily from the protocol that each $\pi_k$ defines a one-to-one
correspondence between A and B. Moreover, by the mutual independence and uniformity
of all the $\pi_i$ and $r_{i,j}$, the conditional probability distribution of B given $\pi_k$ is uniform for
each instance of the protocol. Therefore the conditional probability distribution of A
given $\pi_k$ is always uniform and hence independent of $\pi_k$. □
Theorem: Assuming y cannot form dth roots of random units modulo N, then when z reveals
dth roots modulo N of h distinct $m_{k,j}$, with k fixed and $1 \le j \le n$, the probability of allowing y
to learn dth roots of other than exactly h of the $v_i$ does not exceed $1/(2^s - 2)$.
Proof (sketch): It is sufficient to show that, with probability $\ge 1 - 1/(2^s - 2)$, there exists
exactly one permutation $\pi$ such that for each j, $1 \le j \le n$, y knows an $r_j$ such that
$m_{k,j} \equiv v_{\pi(j)}\, r_j^{d}$. With probability $\ge 1 - 1/(2^s - 2)$ there exists at least one permutation $\pi'$ such
that y can express each entry $m_{k,j}$ as $m_{k,j} \equiv v_{\pi'(j)}\, r_j^{d} \pmod N$, since otherwise only one C
allows y to succeed. (Notice that for y to successfully cheat, the $m_{i,j}$'s must be properly
constructed for each $i \in C$ and improperly constructed for each $i \notin C$. But this implies
that only one C allows y to cheat.) It remains to be shown that there cannot be two
permutations $\pi'$ and $\pi''$ such that y knows $r'_{k,j}$ and $r''_{k,j}$ with $m_{k,j} \equiv v_{\pi'(j)}\, r'^{d}_{k,j} \equiv
v_{\pi''(j)}\, r''^{d}_{k,j} \pmod N$ for $j \in \{1, \ldots, n\}$. If there were two such permutations, then y would
have been able to learn the dth root of a quotient $v_{\pi'(j)}\, v_{\pi''(j)}^{-1}$ for some j with $\pi'(j) \ne \pi''(j)$.
But it is easy to see that the ability to compute roots on random quotients is polynomial
time reducible to the ability to compute roots on random units. □
the b’s to be resolved at this point without revealing anything about the votes.
Voting: The voting phase is begun by z broadcasting the $d$th roots of all of the $b_l$. (Naturally, if this is not carried out properly, everyone will know.) Then, the $l$th voter recovers the $d$th root of a $v_i$ simply by dividing the $d$th root of $b_l$ by the corresponding $r_{l,j}$. Each voter then broadcasts, under the sender untraceability protocol mentioned above, the root of the single $v_i$ recovered. Finally, each voter can verify that the root of the $v_i$ sent by that voter was in fact available from the broadcast channel. The number of votes for a particular outcome is just the number of distinct $d$th roots of $v_i$'s corresponding to that outcome.
The election protocol can be used to directly realize untraceable payments: each $v_i$ stands for, say, one dollar; registration is withdrawal from a bank account; payment is made by providing a shop with a $d$th root of a $v_i$ that has not yet been accepted for deposit by the bank.
A variation on the election protocol can also be used to implement a "credential mechanism" [Chaum 85 and Chaum & Evertse 87]. The $v_i$ serve as unique personal identifiers, one selected by each individual. Let $d_k$ be distinct primes, with $d_k \mid d$ and $(d_k, \phi(N)) = 1$, for suitably many $k$'s. Each individual participates in an instance of the election protocol with each organization, using a $d_k$ unique to that organization. (See [Shamir 83] for why such use of the $d_k$ is secure.) If not all $m$ votes are cast in any organization's "election," at least one participant is cheating. In this case, people reveal all their $r_{k,j}$ and $\pi_k$, and those who are unable to show that their $b_l$ corresponds to a $v_j$ that was broadcast are revealed as cheaters and excluded from the protocol. This is repeated with different $v_i$ until no cheating is detected.
The remaining unused $k$'s each correspond to a type of credential. An organization issues the $k$th credential to a person by providing the $d_k$th root of the person's selected element, $b_l$; then and only then can the $d_k$th root of the person's selected element with any other organization be shown.
5. Discussion
It has been assumed that $n$ was large enough to make the possibility of the same $v_i$ being chosen accidentally by two voters acceptably small. This might require something like $n = 100m^2$, which might be impractical for large $m$. Another approach allows $n = m$. It is based on the idea that voters will be able to reserve $v_i$'s anonymously. One way to do this is by using the "slot reservation" protocol of [Chaum 84a], which has been improved by [den Boer 87]. A simple variation allows reservations to be made and confirmed one at a time, using any sender untraceability system. (Reducing from $2m$ to $m$ could be accomplished by elections using one $d_k$ for each type of vote.)
If fewer than $m$ disjoint roots of $v_i$ are broadcast, z could form and broadcast extra votes. Thus people who register and do not vote, in effect, allow z to steal their vote. Someone might entrap z, however, by allowing a vote to be stolen and later broadcasting the real (different) vote, possibly untraceably.
The essential requirements of the communication channel are that z must not be able to provide inconsistent or incomplete messages to different voters, and that voters must be able to broadcast the messages required to untraceably submit votes. The first property could be achieved in some cases simply by z making digital signatures on all messages, including some kind of hash of (or even all) previous messages and a time stamp, since if inconsistent messages become known, z would be incriminated.
The requirement that $d$ be prime and $> N$ ensures that $(d, \phi(N)) = 1$. To get certainty that a small $d$ has this property seems difficult in general. It is easy, however, to modify the protocol presented to give exponential certainty that $(d, \phi(N)) = 1$ using the idea that y and z can "flip coins by telephone" [Blum 82] to develop $t$ mutually trusted random units, after which z is required to reveal their $d$th roots. The probability that z can cheat is then $2^{-t}$, assuming that z cannot cheat during the coin flipping. This can be ensured if, for example, z provides the modulus used in coin flipping and is then required to reveal its factorization afterwards.
A natural extension is to divide among several entities various functions of z, such as: creating the random $v_i$'s; making the registration (withdrawal) decision; and signing the $b_l$'s.
References
Blum, M., "Coin flipping by telephone," Proceedings of IEEE Compcon, 1982, pp. 133-137.
Boer, B. den, private communication.
Chaum, D., "Untraceable electronic mail, return addresses and digital pseudonyms," Comm. ACM 24, 2 (February 1981), pp. 84-88.
Chaum, D., "Security without identification: transaction systems to make big brother obsolete," Comm. ACM 28, 10 (October 1985), pp. 1030-1044.
Chaum, D., Evertse, J.-H., "A secure and privacy-protecting protocol for transmitting personal information between organizations," Advances in Cryptology: Proceedings of CRYPTO 86, A.M. Odlyzko, Ed., Springer-Verlag, pp. 118-167, 1987.
Chaum, D., "Blinding for unanticipated signatures," Advances in Cryptology: Proceedings of Eurocrypt 87, D. Chaum and W.L. Price, Eds., Springer-Verlag, pp. 227-233, 1988a.
Chaum, D., "The dining cryptographers problem: unconditional sender and recipient untraceability," Journal of Cryptology, Vol. 1 No. 1, pp. 65-75, 1988b.
Chaum, D., "Privacy protected payments: unconditional payer and/or payee untraceability," to appear in Smart Card 2000, North-Holland, 1988c.
Cohen, J. and Fischer, M., "A robust and verifiable cryptographically secure election scheme," Proceedings 26th FOCS, 1985, pp. 372-382.
Cohen, J.D., "Improving Privacy in Cryptographic Elections," Yale University Computer Science Department Technical Report YALEU/DCS/TR-454, February 1986.
Merritt, M., Cryptographic Protocols, Ph.D. Thesis, Georgia Institute of Technology, GIT-ICS-83/06, 1983.
Shamir, A., "On the generation of cryptographically strong pseudorandom sequences," ACM Transactions on Computer Systems, Vol. 1 No. 1, pp. 31-44, February 1983.
PASSPORTS AND VISAS VERSUS IDS
(Extended Abstract)
ABSTRACT
Most of the proposed cryptography-based electronic IDs are not adequate when used in international identification protocols. In this paper we extend the concept of a cryptographic electronic ID to a system of electronic passports and visas that surpass existing paper versions.
I. INTRODUCTION
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 183-188, 1988.
© Springer-Verlag Berlin Heidelberg 1988
In the next section it will become clear that a normal ID cannot be used for international purposes. An electronic version of passports and visas is necessary to have higher security than existing systems (see Section III).
From now on we assume that a secure simple identification system exists. We will use such an identification system to come up with the passport, but it will be clear that more is necessary.
The main idea behind electronic passports is the use of a tamperproof device which uses an ID-card technology which additionally contains an area (special memory) where data can be appended and read by everybody. This special memory, which we call an Append and Read Only Memory (AROM), is mainly intended for stamping activities (see Section II for a description of stamps). The stamp can contain information other than the date, such as a sequence number, and may include the entire history of visits by the passport holder. The stamp itself can be signed by the host country. It is at the discretion of the host country to make entries and to determine which data it wishes to append in this area.
Appending data to the AROM can be controlled to prevent the abuse of the passport by other organizations which may want to write information that is not relevant to the proper use of a passport. This can be accomplished by encapsulating in the passport a list of public keys of organizations authorized to write into the electronic passport card. The passport card first checks to determine if the candidate writer is allowed to write. If so, the writer presents a signed message. The passport card checks the signature before appending the data. If finally there is no room left for new stamps, the carrier of the passport goes back to his country's issuing center and asks for a new passport. The center can then read and record all this information, if it wishes, and deliver a new passport. The issuing country can compress the data and leave it in the original passport or issue a new one.
The tamperfreeness of the passport card is necessary to guarantee the AROM properties. Because tamperfreeness is used, identification systems that are simple to implement can be used [4].
Let us now discuss how visas are included in the system. Because tamperfreeness and trustworthiness of the passport are a function of the issuing country and its technology, a visa being created as a separate ID device by the host country is better than (the current paper system of) placing visas in issuing countries' passports. We therefore propose physically separate visa devices, which are issued by the host country. The visa is a special crypto ID-card, using the host country's preferred identification system. The information written in such a visa can depend on all the passport data of relevance, on a sequence number, on the history of the carrier related to previous visits and other visas, and even on the carrier's physical description. The idea of including in the visa card information about the passport (e.g., number, name, country) increases dramatically the security of the whole system. Indeed the rental problem of crypto ID cards, due to the inadequacy of checking the physical description [3], can then be significantly reduced. Otherwise, use of passports independent of visas can lead to the possibility of two users simultaneously presenting the "same" passport at different locations. Advantages of renting passports are discussed in [3]. Additional methods to dramatically reduce the risk that IDs can be rented are discussed in [1]. It is important to point out that the separation that we propose is physical and not logical. The idea of a logical link between IDs can be generalized. Evidently all this information can be signed by the host country.
The visa proposed here is not to be considered a stamp, which is appended to the above AROM. If the host country wishes to leave a trace in the passport, then it can create the visa, give it a sequence number and append the following message to the AROM in the passport: "The carrier of this passport possesses a visa with: number, type, issuing date, location and issuing country". However such a trace is not necessary. In fact in some cases it is even recommended not to use such a trace. Indeed, because these passports are electronic and tamperfree, the passport issuing country may be able to restrict its citizens from visiting certain countries. If, however, a citizen obtains a visa for such a country, the passport could destroy itself before the carrier reaches the host country. This, for example, would prevent the carrier from asking for political asylum. A visa issuing country that wants to cooperate with the carrier could choose not to leave a trace of the visa in the passport. This, however, still leaves the visa issuing country free to use passport information in the visa itself. Therefore the proposed scheme again contributes to the improvement of functionality of passports and visas. Again, the tamperfreeness of the visa device is important in this scheme.
We finally remark that our system is compatible with actual passports and visas. Visa issuing centers can, independently from the passport issuing centers, decide to use electronic visas, while the passport can still be a paper document. To allow countries that do not have adequate technological means to use electronic systems, a paper version is attached to the electronic one.
IV. CONCLUSION
Recent crypto-based ID schemes do not have the functionality necessary for international use. In this paper a new scheme for electronic passports and visas is presented that is as functional as current schemes but more secure.
REFERENCES
Harald Niederreiter
1. INTRODUCTION
The zero sequence $0,0,\dots$ is viewed as a shift register sequence of order 0. A $k$th-order shift register sequence is uniquely determined by the recursion (1) and by the initial values $s_1, s_2, \dots, s_k$.
Definition 1. Let $S$ be an arbitrary sequence $s_1, s_2, \dots$ of elements of $F_q$ and let $n$ be a positive integer. Then the linear complexity $L_n(S)$ is defined as the least $k$ such that $s_1, s_2, \dots, s_n$ form the first $n$ terms of a $k$th-order shift register sequence.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 191-209, 1988.
© Springer-Verlag Berlin Heidelberg 1988
for randomness and set up the following stochastic model. Let $n$ be fixed and consider $L_n(S)$ for random sequences of bits. Since $L_n(S)$ just depends on the first $n$ terms of $S$, it suffices to consider the linear complexity for all choices of $s_1, s_2, \dots, s_n$ from $F_2$. Then the linear complexity can be viewed as a random variable on $F_2^n$, where each string $s_1, s_2, \dots, s_n$ is equiprobable. It turns out that the expected value of this random variable is $\frac{n}{2} + c_n$ with $0 \le c_n \le \frac{5}{18}$ and its variance is roughly $\frac{86}{81}$. This suggests that $L_n(S)$ should be close to $\frac{n}{2}$ for a random sequence of bits.
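The linear complexity profile $L_1(S), L_2(S), \dots$ that this stochastic model is about, computed over $F_2$ with the Berlekamp-Massey algorithm, as an added example that is not code from the paper. It also goes a little beyond the paragraph: besides the distance of $L_n(S)$ from $n/2$ it checks the jump rule of a profile, $L_n(S) = n - L_{n-1}(S)$ whenever the complexity changes. The sample sequences are constructed here.

```python
# Added example (not from the paper): the linear complexity profile
# L_1(S), ..., L_N(S) of a bit sequence over F_2 via Berlekamp-Massey, the
# deviation |L_n(S) - n/2| of the stochastic model, and the jump rule
# L_n = n - L_{n-1} at every change of the profile.  Sample data is constructed.

def linear_complexity_profile(bits):
    """Return [L_1(S), ..., L_N(S)] for the 0/1 list `bits` (N = len(bits))."""
    N = len(bits)
    c = [1] + [0] * N        # current connection polynomial C(x); c[i] is the coefficient of x^i
    b = [1] + [0] * N        # connection polynomial before the last length change
    L = 0                    # current linear complexity
    m = -1                   # 0-based position of the last length change
    profile = []
    for n in range(N):
        # discrepancy d = s_n + c_1 s_{n-1} + ... + c_L s_{n-L} over F_2
        d = bits[n]
        for i in range(1, L + 1):
            d ^= c[i] & bits[n - i]
        if d:
            t = c[:]
            shift = n - m
            for i in range(N + 1 - shift):   # C(x) <- C(x) + x^shift * B(x)
                c[i + shift] ^= b[i]
            if 2 * L <= n:                   # the length must grow: L_n = n + 1 - L_{n-1} (0-based n)
                L = n + 1 - L
                m = n
                b = t
        profile.append(L)
    return profile


def max_deviation_from_half(profile):
    """max_n |L_n(S) - n/2|; the stochastic model says this stays small for random bits."""
    return max(abs(L - n / 2) for n, L in enumerate(profile, start=1))


def jumps_follow_rule(profile):
    """Whenever L_n(S) changes it must equal n - L_{n-1}(S)."""
    prev = 0
    for n, L in enumerate(profile, start=1):
        if L != prev and L != n - prev:
            return False
        prev = L
    return True


def lfsr_bits(taps, init, length):
    """Bits of the recursion s_n = XOR of s_{n-t} for t in `taps`, seeded with `init`."""
    s = list(init)
    while len(s) < length:
        s.append(sum(s[-t] for t in taps) % 2)   # s[-t] is s_{n-t}
    return s[:length]


# Constructed sample: a maximal-length sequence of an order-4 shift register,
# whose profile must settle at 4 and never exceed 4.
SAMPLE = lfsr_bits((3, 4), (1, 0, 0, 0), 30)
```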
To arrive at a statistically meaningful use of the linear complexity profile, the following question has to be answered: for a randomly chosen and then fixed sequence $S$, what is the behavior of $L_n(S)$ as $n$ varies? We settle this question for sequences $S$ of elements of $F_q$ and also discuss related questions. The necessary background and basic results on continued fractions and dynamical systems are established in Sections 2 and 3. These results yield, first of all, the probabilistic limit theorems for continued fractions in Section 4. Exploiting the connection between continued fractions and linear complexity, we deduce the probabilistic limit theorems for linear complexity in Section 5. These limit theorems describe the asymptotic behavior of $L_n(S)$ as $n \to \infty$ and the deviations from the asymptotic behavior for random $S$. In Section 6 we study frequency distributions associated with the linear complexity for random $S$. The detailed information on the behavior of $L_n(S)$ for random $S$ is used in Section 7 to set up new types of randomness tests for keystream sequences.
2. CONTINUED FRACTIONS
For $S \in H$ we write $L_n(S)$ for the linear complexity of the sequence which corresponds to the generating function $S$. The following is a special case of a result in [a].
With the metric $d(S_1, S_2) = 2^{v(S_1 - S_2)}$ for $S_1, S_2 \in H$, the set $H$ is a compact ultrametric space. Since $H$ is also an additive subgroup of $G$ and addition is a continuous operation in this metric topology, it follows that $H$ is a compact abelian group. Let $\mathfrak B$ be the $\sigma$-algebra of Borel sets in $H$. Then there exists a unique Haar measure $h$ on $H$, i.e. a translation-invariant probability measure defined on $\mathfrak B$. If $D(S_0; r) := \{S \in H : v(S - S_0) \le -r\}$, $S_0 \in H$, $r = 0, 1, \dots$, is a disk, then the translation invariance of $h$ implies that
$$h(D(S_0; r)) = q^{-r}. \qquad (4)$$
We write $P$ for the set of polynomials over $F_q$ of positive degree. Then
$$h(R(A_1, \dots, A_k)) = q^{-2(\deg(A_1) + \dots + \deg(A_k))}.$$
Proof. For any $S \in R(A_1, \dots, A_k)$ we have the same value of $P_k(S) = P_k$ and $Q_k(S) = Q_k$, thus
$$v\Big(S - \frac{P_k}{Q_k}\Big) = -2v(Q_k) - v(A_{k+1}(S)) < -2v(Q_k)$$
by (3). Conversely, if $v(S - P_k/Q_k) < -2v(Q_k)$, then $v(Q_k S - P_k) <$
by [a, Lemma 3] we get $Q_k = cQ_n(S)$ and $P_k = cP_n(S)$ for some $n \ge 1$
3 . DYNAMICAL SYSTEMS
Proof. We have to prove $h(T^{-1}(B)) = h(B)$ for all $B \in \mathfrak B$, where $T^{-1}(B)$ is the inverse image of $B$ under $T$. By [1, Theorem 1.1] it suffices to show this for every disk $D = D(S_0; r)$. For $X \ne 0$ we have $X \in T^{-1}(D)$ if and only if $v(X^{-1} - S_0 - p) \le -r$ for some $p \in P$. The latter condition can only be satisfied if $v(X^{-1}) = v(S_0 + p)$, and from this we see that for fixed $p \in P$ we have $v(X^{-1} - S_0 - p) \le -r$ if and only if $X \in D((S_0 + p)^{-1}; r + 2v(p))$. If $D(W_1^{-1}; r + 2v(p_1)) \cap D(W_2^{-1}; r + 2v(p_2)) \ne \emptyset$ with $W_1 = S_0 + p_1$, $W_2 = S_0 + p_2$, and $p_1 \ne p_2$ in $P$, then $v(W_1) = v(p_1)$, $v(W_2) = v(p_2)$, and
$$v(W_1^{-1} - W_2^{-1}) = v(W_2 - W_1) - v(W_1) - v(W_2) \ge -2\min(v(W_1), v(W_2)),$$
where the last inequality is seen by distinguishing the cases $v(W_1) \ne v(W_2)$ and $v(W_1) = v(W_2)$. This contradiction shows that the disks $D((S_0 + p)^{-1}; r + 2v(p))$ are pairwise disjoint as $p$ ranges over $P$. Since such a disk has $h$-measure $q^{-r-2v(p)}$ by (4) and since for fixed $d \ge 1$ there are exactly $(q-1)q^d$ polynomials $p \in P$
morphic if there exist sets $\Omega_0$ in $\mathcal F$ and $\tilde\Omega_0$ in $\tilde{\mathcal F}$ of measure 1 and a bijection $\phi$ of $\Omega_0$ onto $\tilde\Omega_0$ with the following properties:
(i) If $A \subseteq \Omega_0$ and $\tilde A = \phi(A)$, then $A \in \mathcal F$ if and only if $\tilde A \in \tilde{\mathcal F}$, in which case $m(A) = \tilde m(\tilde A)$;
(ii) $T(\Omega_0) \subseteq \Omega_0$ and $\tilde T(\tilde\Omega_0) \subseteq \tilde\Omega_0$;
(iii) $\phi(T(\omega)) = \tilde T(\phi(\omega))$ for all $\omega \in \Omega_0$.
Proof. We use Definition 3 with $(\Omega, \mathcal F, m, T) = (P^\infty, \mathcal F^\infty, \mu^\infty, T_1)$ and $(\tilde\Omega, \tilde{\mathcal F}, \tilde m, \tilde T) = (H, \mathfrak B, h, T)$. We take $\Omega_0 = P^\infty$ and $\tilde\Omega_0 = I$, the set of irrationals in $H$. Since there are just countably many rationals in $H$, we have $h(I) = 1$. The mapping $\phi$ from $P^\infty$ onto $I$ is defined by
$$\phi(p_1, p_2, \dots) = [p_1, p_2, \dots] \in I \quad \text{for } (p_1, p_2, \dots) \in P^\infty.$$
It follows from the uniqueness of the continued fraction expansion that $\phi$ is a bijection.
To prove (i) in Definition 3, we first show that if $A \in \mathcal F^\infty$, then $\tilde A \in \mathfrak B$ and $\mu^\infty(A) = h(\tilde A)$. It suffices to prove this for cylinder sets $A = \{(p_1, p_2, \dots) \in P^\infty : p_j = A_j \text{ for } 1 \le j \le k\}$, where $k \ge 1$ and $A_1, \dots, A_k \in P$ are fixed. But then $\tilde A = R(A_1, \dots, A_k) \cap I$, and since we have shown in the proof of Lemma 2 that $R(A_1, \dots, A_k)$ is a disk, we get $\tilde A \in \mathfrak B$. Furthermore by Lemma 2,
$$\mu^\infty(A) = \prod_{j=1}^{k} \mu(A_j) = \prod_{j=1}^{k} q^{-2\deg(A_j)} = h(R(A_1, \dots, A_k)) = h(\tilde A).$$
Now we have to show that if $\tilde A \subseteq I$ and $\tilde A \in \mathfrak B$, then $A = \phi^{-1}(\tilde A) \in \mathcal F^\infty$. It suffices to prove this for sets that are intersections of $I$ with a disk. We first consider the special case where
a countable union of cylinder sets and so in $\mathcal F^\infty$. Now we consider the general case where $\tilde A = D \cap I$ with a disk $D = \{S \in H : v(S - S_0) \le -r\}$, $S_0 \in H$, $r \ge 0$. Since any element of $D$ can serve as the center of $D$ ($H$ is ultrametric!), we can assume that $S_0$ is irrational. For every $U \in \tilde A$ and every integer $k \ge 0$ with $v(Q_k(U)) + v(Q_{k+1}(U)) \ge r$ we define
Every disk $D_k(U)$ is contained in $D$. We claim that the family of all $D_k(U)$ covers $D$. For this it suffices to show that every rational $S \in D$ lies in some $D_k(U)$. Let $S = [A_1(S), A_2(S), \dots, A_t(S)]$ and $S \in D$ (if $S = 0$, put $t = 0$ and $Q_0(S) = 1$ in the following). If $v(Q_t(S)) \ge r/2$, put
$$U = [A_1(S), A_2(S), \dots, A_t(S), x, x, \dots].$$
Then
$$v(S - U) = v\Big(\frac{P_t(U)}{Q_t(U)} - U\Big) = -v(Q_t(U)) - v(Q_{t+1}(U))$$
We have
hence $S \in D_t(U)$ and $U \in \tilde A$. Thus we have shown that the closed (and also open) disks $D_k(U)$ form an open cover of the compact set $D$, and so finitely many of the sets $D_k(U)$, say $E_1, \dots, E_b$, already cover $D$. Therefore
$$\phi^{-1}(\tilde A) = \bigcup_{i=1}^{b} \phi^{-1}(E_i \cap I) \in \mathcal F^\infty$$
as a finite union of elements of $\mathcal F^\infty$. Property (ii) in Definition 3 is trivially satisfied and (iii) follows from an easy calculation using the algorithm for the $A_j(S)$ and $B_j(S)$ in Section 2. □
It follows from Theorem 1 that $(H, \mathfrak B, h, T)$ inherits all dynamical properties of the one-sided Bernoulli shift on $P^\infty$ (compare with [1, Ch. 2]). In particular, since every one-sided Bernoulli shift is ergodic (see [3, Sec. 1.4], [4, p. 183]), we obtain that $T$ is ergodic with respect to $h$, i.e. $T^{-1}(B) = B$ for some $B \in \mathfrak B$ implies that $h(B) = 0$ or $1$. The individual ergodic theorem, in the form given in [4, p. 183], yields the following result. Here and in the following we say that a stated property holds $h$-almost everywhere ($h$-a.e.) if the property holds for a set of $S \in H$ of $h$-measure 1.
$$\lim_{n \to \infty} \frac{1}{n} \sum_{j=0}^{n-1} f(T^j(S)) = \int_H f\,dh \qquad h\text{-a.e.}$$
We note that since $T^j$ denotes the $j$th iterate of $T$ (with $T^0$ the identity mapping), we have $T^j(S) = B_j(S)$ for all $j \ge 0$ and $S \in I$. Rational $S$ can be ignored since they form a set of $h$-measure 0.
Proof. We apply Theorem 2 with $f(S) = g(\mathrm{Pol}(S^{-1}))$ for $S \ne 0$, $f(0) = 0$. For $S \in I$ we have then $f(T^j(S)) = f(B_j(S)) = g(A_{j+1}(S))$ for all $j \ge 0$. In particular $f(S) = g(A_1(S))$, hence
Proof. This follows from Theorem 3 with $g(p) = \deg(p)$ for $p \in P$. We also use (2) and the identity $\sum_{d=1}^{\infty} d z^d = z(1 - z)^{-2}$ with $z = q^{-1}$. □
Proof. We apply Theorem 2 with $f$ being the characteristic function of the set $R(A_1, \dots, A_k)$ and use Lemma 2. Since there are just countably many choices for $A_1, \dots, A_k$, the result follows.
$X_1, \dots, X_k$ are independent, it suffices to show that the events $A_1(S) = A_1, \dots, A_k(S) = A_k$ are independent for any $A_1, \dots, A_k \in P$, and this follows from Lemma 2. □
Theorem 4 (Law of the Iterated Logarithm for Continued Fractions). Let $g$ be a non-constant real-valued function on $P$ with $\sum_{p \in P} g(p)^2 q^{-2\deg(p)} < \infty$. Put
Then $h$-a.e.
Proof. Let the random variables $X_j$ be as in Lemma 4. Then $E$ is the expected value and $\sigma$ the standard deviation of $X_j$, and the conditions on $g$ guarantee that the second moment of $X_j$ exists and $\sigma > 0$. The result follows then from the Hartman-Wintner law of the iterated logarithm in the form given in Bingham [2]. □
Proof. We apply Theorem 4 with $g(p) = \deg(p)$ for $p \in P$. Then $E = q/(q-1)$ by the identity in the proof of Corollary 1. The identity $\sum_{d=1}^{\infty} d^2 z^d = (z^2 + z)(1 - z)^{-3}$ with $z = q^{-1}$ yields
$$\sigma^2 = \frac{q^2 + q}{(q-1)^2} - \frac{q^2}{(q-1)^2} = \frac{q}{(q-1)^2}.$$
Together with (2) the result follows. □
$$\lim_{n \to \infty} h\Big(\Big\{S \in H : a\sigma\sqrt{n} \le \sum_{j=1}^{n} g(A_j(S)) - nE \le b\sigma\sqrt{n}\Big\}\Big) = \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt.$$
Proof. We proceed as in the proof of Theorem 4 and use the central limit theorem for independent and identically distributed random variables (see [9, pp. 22-23]). □
by Lemma 2. Since $\sum_{j=1}^{\infty} q^{1 - f(j)}$ converges (resp. diverges) if and only if $\sum_{j=1}^{\infty} q^{-f(j)}$ converges (resp. diverges), the theorem follows from the Borel zero-one law (see [6, p. 228]). □
Because of the connection between continued fractions and linear complexity expressed in Lemma 1, the results in Section 4 have implications for the linear complexity $L_n(S)$.
Theorem 7. $\displaystyle \lim_{n \to \infty} \frac{L_n(S)}{n} = \frac{1}{2}$ $h$-a.e.
Proof. If $n$ and $j$ are related as in Lemma 1, then from this result we get
Corollary 1 yields
The deviation of $L_n(S)$ from its asymptotic expected value is described more precisely by the following results.
Proof. Theorem 6 shows that $h$-a.e. we have $\deg(A_j(S)) \le f(j)$ for all sufficiently large $j$. For such an $S$ we deduce from (5) that
$$\Big|L_n(S) - \frac{n}{2}\Big| \le \frac{1}{2} f(j+1) \quad \text{for all sufficiently large } n.$$
$$L_n(S) > \frac{n}{2} + \frac{1}{2} f(n) \quad \text{for infinitely many } n,$$
$$L_n(S) < \frac{n}{2} - \frac{1}{2} f(n) \quad \text{for infinitely many } n.$$
for infinitely many $n$. The second part is shown similarly, using that $h$-a.e. we have $\deg(A_{j+1}(S)) > f(5j + 5) + 1$ for infinitely many $j$ and taking $n = \deg(Q_j(S)) + \deg(Q_{j+1}(S)) - 1$.
$$\limsup_{n \to \infty} \frac{L_n(S) - (n/2)}{\log n} = \frac{1}{2 \log q}.$$
Proof. We use Theorem 8 with $f(n) = (1 + \varepsilon)(\log n)/\log q$ for arbitrary $\varepsilon > 0$ and Theorem 9 with $f(n) = (\log n)/\log q$. □
1im Z(N;c;S) -
- q - 1 for all integers c.
N - (1/2)1 + ( 1 1 2 )
N+ m 2ql
$$h(\{S \in H : \deg(Q_j(S)) = n\}) = \sum_{\substack{d_1, \dots, d_j \ge 1 \\ d_1 + \dots + d_j = n}} h(\{S \in H : \deg(A_m(S)) = d_m \text{ for } 1 \le m \le j\}) = \sum_{\substack{d_1, \dots, d_j \ge 1 \\ d_1 + \dots + d_j = n}} (q-1)q^{d_1} \cdots (q-1)q^{d_j}\, q^{-2(d_1 + \dots + d_j)}$$
which shows in particular that the Yn are identically distributed. To prove that
Y1, ...,Yk are independent, we choose E1,...,EkE{O,l) arbitrarily and let
1 L rl 4 r2 < . .. < rt L k be exactly those indices for which
'ri
= 1. By the
m=k-r + l
t
= ( q - 1)
t+l -r t -k
=k-r +1
t
On the other hand, it follows from ( 7 ) that
Theorem 12 (Law of the Iterated Logarithm for Perfect Linear Complexity, First Version). For $c = 0$ and $c = 1$ we have $h$-a.e.
$$\sigma_Y^2 = \int_H Y^2\,dh - \Big(\int_H Y\,dh\Big)^2 = \frac{q-1}{q} - \Big(\frac{q-1}{q}\Big)^2 = \frac{q-1}{q^2}.$$
It follows from Lemma 5 and the Hartman-Wintner law of the iterated logarithm that
Putting $n = \lfloor (N + c)/2 \rfloor$, where $\lfloor t \rfloor$ denotes the greatest integer $\le t$, and using
Theorem 13 (Law of the Iterated Logarithm for Perfect Linear Complexity, Second Version). If $W(N; S)$ is the number of $n$, $1 \le n \le N$, with $L_n(S) = \frac{n}{2}$ or $\frac{n+1}{2}$, then $h$-a.e.
where
$$\limsup_{N \to \infty} h(A_N(a, b, c)) \le \lim_{N \to \infty} h(B_N(a - \varepsilon, b + \varepsilon, c)) = \frac{1}{\sqrt{\pi}} \int_{a - \varepsilon}^{b + \varepsilon} e^{-t^2}\,dt.$$
With $\varepsilon \to 0+$ we obtain
$$\limsup_{N \to \infty} h(A_N(a, b, c)) \le \frac{1}{\sqrt{\pi}} \int_a^b e^{-t^2}\,dt.$$
Using $B_N(a + \varepsilon, b - \varepsilon, c) \subseteq A_N(a, b, c)$ for all sufficiently large $N$, we get similarly
and the desired result follows. □
Theorem 16. We have $h$-a.e.
$$\limsup_{r \to \infty} \frac{1}{\sigma (2r \log\log r)^{1/2}} \big(B(r; c; S) - r q^{1-c}\big) = 1 \qquad h\text{-a.e.},$$
where
$$B(j(N, S); c; S) - j(N, S) q^{1-c} \le (1 + \varepsilon)\sigma\big(2 j(N, S) \log\log j(N, S)\big)^{1/2} \qquad (13)$$
for all sufficiently large $N$. By Corollary 3 we can assume that the $S \in H$ under consideration satisfies
$$Z(N; c; S) - \frac{(q-1)N}{2q^c} \le$$
From Lemma 1 we see that a linear complexity profile always has the following form:
$$0, \dots, 0,\ d_1, \dots, d_1,\ d_1 + d_2, \dots, d_1 + d_2, \dots, \qquad (15)$$
with $0$ repeated $d_1 - 1$ times and $\sum_{i=1}^{j} d_i$ repeated $d_j + d_{j+1}$ times for all
Algorithm
Initialization: $Q_0 = 1$ (considered as a polynomial over $F_q$).
Step 1: Choose a polynomial $A_1$ over $F_q$ with $\deg(A_1) = d_1$ and let $Q_1 = A_1$. Calculate the terms $s_i$ with $1 \le i \le q_1 + q_2 - 1$ by the linear recursion with characteristic polynomial $Q_1$ and initial values $s_i = 0$ for $1 \le i \le q_1 - 1$, $s_i = c^{-1}$ for $i = q_1$, where $c$ is the leading coefficient of $Q_1$.
Step $j$ (for $j \ge 2$): Suppose the polynomials $Q_1, \dots, Q_{j-1}$ and the terms $s_i$ with $1 \le i \le q_{j-1} + q_j - 1$ have already been calculated. Choose a polynomial $A_j$ over $F_q$ with $\deg(A_j) = d_j$ and let $Q_j = A_j Q_{j-1} + Q_{j-2}$. Calculate the terms $s_i$ with $q_{j-1} + q_j \le i \le q_j + q_{j+1} - 1$ from the previously calculated terms by the linear recursion with characteristic polynomial $Q_j$.
Lemma 4 as the basis for a randomness test. These types of randomness tests may be called continued fraction tests.
Other types of randomness tests may be based on the independent and identically distributed random variables $Y_n = Y_n^{(c)}$ in Lemma 5 for which the probability distribution is given by $\mathrm{Prob}(Y_n = 0) = 1/q$, $\mathrm{Prob}(Y_n = 1) = (q-1)/q$ according to (7).
The author gratefully acknowledges support for this research project by the Austrian Ministry for Science and Research.
REFERENCES
A PROBABILISTIC PRIMALITY TEST BASED ON THE
PROPERTIES OF CERTAIN GENERALIZED LUCAS
NUMBERS
Abstract
In this paper, after defining the generalized Fibonacci numbers $U_n$ and the generalized Lucas numbers $V_n$ (Sec. 1), the Fibonacci Pseudoprimes of the $m$th kind are characterized (Sec. 2).
In virtue of the scarceness of the pseudoprimes which are simultaneously of the $m$th kind for distinct values of $m$, a method for finding probable primes is proposed in Sec. 3 (for a definition of probable primes see [1]).
In Sec. 4 some theoretical aspects concerning the above said pseudoprimes are considered.
Let $m$ be an arbitrary natural number. The generalized Fibonacci numbers $U_n(m)$ (or simply $U_n$, if there is no fear of confusion) and the generalized Lucas numbers $V_n(m)$ (or simply $V_n$) are defined (e.g., see [2]) by the second order recurrence relations
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 211-223, 1988.
© Springer-Verlag Berlin Heidelberg 1988
$$U_{n+2} = mU_{n+1} + U_n;\quad U_0 = 0,\ U_1 = 1 \qquad (1.1)$$
and
$$V_{n+2} = mV_{n+1} + V_n;\quad V_0 = 2,\ V_1 = m, \qquad (1.2)$$
respectively. These numbers can also be expressed [2] by means of the closed forms (Binet forms)
where
$$\Delta = (m^2 + 4)^{1/2},\quad \alpha = (m + \Delta)/2,\quad \beta = (m - \Delta)/2. \qquad (1.5)$$
The notations $\alpha_m$, $\beta_m$ and $\Delta_m$ will be employed whenever the meaning of $\alpha$, $\beta$ and $\Delta$ can be misunderstood (e.g., see Lemma 2). By (1.5) it can be seen that $\alpha\beta = -1$ and $\alpha + \beta = m$. Moreover, it can be noted that, letting $m = 1$ in (1.1) and (1.2), the usual Fibonacci numbers $F_n$ and Lucas numbers $L_n$ turn out, respectively.
A further interesting expression for $V_n$ is [3]
where
Rewriting (1.6) as
$$V_n = m^n + n \sum_{i=1}^{\lfloor n/2 \rfloor}$$
noting that, if $n$ is a prime then $C_{n,i}/n$ is an integer and using Fermat's little theorem, the following fundamental property of the numbers $V_n$ is established
Observing (1.9), the following question arises spontaneously: "Do odd composites exist which satisfy this congruence?" The answer is affirmative.
We define as Fibonacci Pseudoprimes of the $m$th kind ($m$-F.Psps.) all odd composite integers $n$ for which $V_n(m) \equiv m \pmod n$ and denote them by $s_k(m)$ ($k = 1, 2, \dots$). The corresponding sets will be denoted by $S_m$, while the sets of all $m$-F.Psps. not exceeding a given $n$ will be denoted by $S_{m,n}$. For example, we found that $s_1(1) = 705 = 3 \cdot 5 \cdot 47$, $s_1(2) = 169 = 13^2$ and $s_1(3) = 33 = 3 \cdot 11$.
The numbers $s_k(1)$ have been analyzed in previous papers [4], [5]. In particular, we found that all composite integers belonging to $S_{1,n}$ (for $n = 10^8$) are square-free and most of them are congruent to 1 both modulo 4 (82.3 %) and modulo 10 (63.2 %). Moreover, we noted that this behavior seems to become more marked as $n$ increases, but we were not able to find any justification of these facts.
Now, another question arises: "Do odd composite integers exist which are $m$-F.Psps. for distinct values of $m$?" Once again, the answer is affirmative. For example, the number $34{,}561 = 17 \cdot 19 \cdot 107$ is the smallest number belonging to both $S_1$ and $S_2$.
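The definition of the $m$-F.Psps. above, turned into a search that reproduces the values $s_1(1) = 705$, $s_1(3) = 33$, $169 \in S_2$ and $34{,}561 \in S_1 \cap S_2$; this is an added example, not the program the authors used. $V_n(m) \bmod n$ is obtained by exponentiating the $2 \times 2$ companion matrix of (1.2), so numbers of the size in the paper need only a few dozen multiplications.

```python
# Added example (not the paper's program): Fibonacci pseudoprimes of the
# m-th kind, i.e. odd composite n with V_n(m) == m (mod n), where
# V_{n+2} = m V_{n+1} + V_n, V_0 = 2, V_1 = m as in (1.2).

def _mat_mult(a, b, mod):
    """Product of two 2x2 matrices modulo `mod`."""
    return [[(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % mod,
             (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % mod],
            [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % mod,
             (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % mod]]


def lucas_v_mod(n_index, m, mod):
    """V_{n_index}(m) modulo `mod`, by exponentiating the companion matrix
    [[m, 1], [1, 0]] of the recurrence (1.2): (V_{n+1}, V_n) = M^n (V_1, V_0)."""
    result = [[1, 0], [0, 1]]
    base = [[m % mod, 1 % mod], [1 % mod, 0]]
    e = n_index
    while e:
        if e & 1:
            result = _mat_mult(result, base, mod)
        base = _mat_mult(base, base, mod)
        e >>= 1
    # second row of M^n applied to (V_1, V_0) = (m, 2) gives V_n
    return (result[1][0] * (m % mod) + result[1][1] * 2) % mod


def is_prime(n):
    """Trial division; sufficient for the magnitudes in the paper's tables."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def is_m_fpsp(n, m):
    """n is an m-F.Psp. iff n is odd, composite and V_n(m) == m (mod n)."""
    if n < 9 or n % 2 == 0 or is_prime(n):
        return False
    return lucas_v_mod(n, m, n) == m % n


def m_fpsps_up_to(limit, m):
    """The set S_{m,limit}: all m-F.Psps. not exceeding `limit`, in increasing order."""
    return [n for n in range(9, limit + 1, 2) if is_m_fpsp(n, m)]
```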
A computer experiment was carried out essentially to determine the cardinality of the intersections
The fact that $G_{n,3}$ and $G_{n,}$ have the same cardinality will be justified by Theor. 6 (Sec. 4). The numbers (below $10^8$) belonging to these two sets are
$s_{89}(1) = 1{,}034{,}881 = 41 \cdot 43 \cdot 587$
$s_{\ldots}(1) = 2{,}184{,}533 = 13 \cdot 197 \cdot 853$
$s_{3\ldots}(1) = 15{,}485{,}185 = 5 \cdot 79 \cdot 197 \cdot 199$
$s_{561}(1) = 39{,}002{,}041 = 13 \cdot 19 \cdot 269 \cdot 587$
$s_{802}(1) = 87{,}318{,}001 = 17 \cdot 71 \cdot 73 \cdot 991$
of which the latter belongs also to $G_{n,}$, besides being a Carmichael number [1].
Let $\sigma_m(n) = |S_{m,n}|$ be the $m$-F.Psp.-counting function. The behavior of $\sigma_1(n)$ vs. $n$ is shown in Fig. 1, while the behavior of $|G_n|$ is shown in Table 1.
[Fig. 1: $\sigma_1(n)$ against $n$ (millions), $0 \le n \le 10^8$; vertical axis 0 to 1200]
Table 1
n            |G_n|        n            |G_n|
10^7         18           6·10^7       39
2·10^7       27           7·10^7       41
3·10^7       30           8·10^7       44
4·10^7       36           9·10^7       45
5·10^7       38           10^8         48
is
CONJECTURE I : “There exists a positive constant c not exceeding 1 such that cT~(n)
asymptotic to c ~ ( . l n ) . ~ ~
The numerical evidence that turns out from the experimental results suggests a method for obtaining probable primes.
Let $\langle a \rangle_b$ denote the remainder of $a$ divided by $b$. For given integers $n$ (odd) and $M$ ($n > M$), let us calculate
P,=1-2c/dn. (3.2)
In this section several properties of the $m$-F.Psps. are demonstrated. We hope that they can lead to the discovery of further properties of these numbers. In particular, a formula which gives the minimum value of $M$ (or an upper bound for this value) for which $|G_n| = 0$, once $n$ is given, would be greatly appreciated.
First, let us state some theorems concerning the case $m = 1$.
F2h 0 (mod L, ) .
whence, by (4.1),
L - l = 5 - 0 . F u t + l =O(modL,).
Ln
Case2: L n = 4 h - 1 = 1 ( m o d n )
whence, by (4.3),
L - I = ~h-O'o(mOdL,). Q.E.D.
4
From Theor. 1 we can derive the following corollaries.
Proof:
If $n$ is not divisible by 3 and belongs to $S_1$, then the number $L_n$ fulfils the same conditions. Therefore, we can claim that
Consequently, since there exists at least a number $s_k(1)$ not divisible by 3 (the smallest among them is $s_2(1) = 2{,}465$) the following proposition can be stated
THEOREM2 : For k E N,
Proof: The statement holds clearly for $k = 0, 1$. In fact, we have $L_1 \equiv 1 \pmod 1$ and $L_3 \equiv 1 \pmod 3$. Hence, let us consider $k \ge 2$. It is known [9] that
$L_{2^k} + 1 \equiv 0 \pmod{2^k}$, (4.5)
$L_{L_{2^k}} - 1 \equiv 0 \pmod{L_{2^k}}$ (4.8)
it suffices that the left factor on the right-hand side of (4.7) is divisible by $L_{2^k}$, that is, it suffices [7] that $h$ is an odd multiple of $2^{k-1}$. Equivalently, we can say that the fulfilment of the equality $h = 2^{k-1}(2t + 1)$ ($t \in \mathbb{N}$), that is of the equality (see (4.6))
It is known [6] that $L_{4 \cdot 3^{r+1}(6h+1)} \equiv 1 \pmod 3$. Then, by (4.13) and the hypothesis, we obtain the congruence $4 \cdot 3^{r+2}(6h+1) \equiv 0 \pmod{3^{r+3}}$ (as printed; the expression is garbled in the source). Q.E.D.
Proof: Since we have necessarily (see (4.11)) $n = 6(2h + 1)$ and, therefore [6], $L_n = 4k + 2$ ($k \in \mathbb{N}$), from Lemma 1 we have $L_n = 4k + 2 \equiv 0 \pmod{18(2h+1)}$ ($h \in \mathbb{N}$), that is
whence
(4.16)
(4.17)
Since, by (4.16) and (4.14), we see that $L_n - 1 \mid F_{9(2h+1)}$ and [7] $F_{9(2h+1)} \mid F_{2k+1}$, from (4.17) we obtain
Proof: Let $P_i$ be a repetition period (not necessarily the shortest period) of the Lucas sequence reduced modulo the prime $p_i$ and let $\Lambda = \mathrm{l.c.m.}(P_1, P_2, \ldots, P_k)$.
A sufficient condition for $n$ to belong to $S_1$ is that
$h\Lambda + 1 = n$ ($h \in \mathbb{N}$). (4.18)
In fact, the fulfilment of this condition implies that $L_{h\Lambda+1} \equiv L_1 = 1 \pmod{p_1 p_2 \cdots p_k}$. On the other hand, it is known [6] that if $p_i = 5h_i \pm 1$, then $P_i = p_i - 1$. Therefore, it is immediately seen that $\Lambda$ equals the Carmichael $\lambda$ function [1]. Since, by hypothesis, $\Lambda \mid n - 1$, from (4.18) the theorem is proved. Q.E.D.
The smallest Carmichael number of the above type which is also a 1-F.Psp. is $s_{44}(1) = 252{,}601 = 41 \cdot 61 \cdot 101$, while the absolutely smallest Carmichael number which is also a 1-F.Psp. is $s_2(1) = 2{,}465 = 5 \cdot 17 \cdot 29$.
Now, let us state some theorems concerning the case $m \ge 1$.
Proof: On the basis of the periodicity of the sequence $(U_n)$ reduced modulo 4 [6], it can be readily proved that, if $p \ge 5$, then $U_p$ has the form $4h + 1$ ($h \in \mathbb{N}$). Since we have [12] $U_p \equiv \pm 1 \pmod p$ (except for the case $\Delta^2 \equiv 0 \pmod p$, which implies $U_p \equiv 0 \pmod p$), we can write $U_p = 4h + 1 \equiv \pm 1 \pmod p$.
$V_{U_p} - m = \Delta^2 \cdot U_{2h} \cdot U_{2h+1} \equiv 0 \pmod{U_p}$. (4.20)
The proof is analogous to that of Case 1 and is omitted for brevity. Q.E.D.
It must be noted that, for $m = 1$ and $p = 5$, the statement of Theor. 5 is true even though $\Delta^2 = 5 \equiv 0 \pmod 5$. In fact, we have
$L_{F_5} = L_5 = 11 \equiv 1 \pmod{F_5}$.
In order to prove the last theorem, we need to prove the following two lemmata.
(4.22)
$= \{\alpha_m^{2k+1} + \beta_m^{2k+1} + (\alpha_m^{2k+1} - \beta_m^{2k+1})\}/2 = \alpha_m^{2k+1}$. (4.23)
(4.24)
The statement of the lemma follows directly from (4.23), (4.24) and (1.4). Q.E.D.
(4.25)
THEOREM 6: If an odd composite $n$ passes the $m$-th test, then it passes also the $V_{2k+1}(m)$-th tests ($k = 1, 2, \ldots$).
5. Conclusion
required by the method proposed by Solovay & Strassen [14] for finding numbers that are prime with probability greater than or equal to $1 - 1/2^{M'}$.
The authors offer a prize of 50,000 Italian Lire to the first person who communicates to them an odd composite (below a bound that is illegible in the source) which is an $m$-F.Psp. for $m = 1, 2, \ldots, 8$. Of course, at least one of its factors is also requested. A tenfold prize is offered to the first person who sends to them a proof that no such number exists.
A table of 1-F.Psps. to $10^8$ was compiled by the authors. It will be sent, free of charge, upon request.
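The test behind these numbers, as an added Python example (it is not the authors' program). The definition it uses is reconstructed from the Theorem 5 fragment ($V_{U_p}(m) - m \equiv 0$) and from [4]: with $U_0 = 0$, $U_1 = 1$, $U_{k+1} = m U_k + U_{k-1}$ and the companion sequence $V_k(m)$, an odd composite $n$ is an $m$-F.Psp. when $V_n(m) \equiv m \pmod n$; for $m = 1$ this is $L_n \equiv 1 \pmod n$. The fast-doubling formulas are standard for such sequences. The code reproduces $s_2(1) = 2{,}465$, $s_{44}(1) = 252{,}601$ and $34{,}561 \in S_1 \cap S_2$, and searches for the kind of number the prize above asks for.

```python
def lucas_pair_mod(n, m, mod):
    """Return (U_n, U_{n+1}) mod `mod` for U_0 = 0, U_1 = 1, U_{k+1} = m*U_k + U_{k-1},
    by fast doubling: U_{2k} = U_k (2 U_{k+1} - m U_k), U_{2k+1} = U_k^2 + U_{k+1}^2."""
    a, b = 0, 1                                  # (U_0, U_1)
    for bit in bin(n)[2:]:                       # most significant bit first
        c = a * ((2 * b - m * a) % mod) % mod    # U_{2k}
        d = (a * a + b * b) % mod                # U_{2k+1}
        if bit == "1":
            a, b = d, (m * d + c) % mod          # (U_{2k+1}, U_{2k+2})
        else:
            a, b = c, d                          # (U_{2k}, U_{2k+1})
    return a, b

def lucas_v_mod(n, m, mod):
    """V_n(m) mod `mod` via V_n = 2 U_{n+1} - m U_n; for m = 1 these are the Lucas numbers L_n."""
    u, u1 = lucas_pair_mod(n, m, mod)
    return (2 * u1 - m * u) % mod

def passes_mth_test(n, m):
    """The m-th test (assumed definition): V_n(m) == V_1(m) = m (mod n).
    Every prime passes; the odd composites that pass are the m-F.Psps."""
    return n > 1 and lucas_v_mod(n, m, n) == m % n

def is_prime(n):
    """Trial division; adequate for the small search ranges used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def is_fibonacci_pseudoprime(n, m=1):
    """Odd composite n that passes the m-th test."""
    return n % 2 == 1 and not is_prime(n) and passes_mth_test(n, m)

def fibonacci_pseudoprimes(m, limit):
    """All m-F.Psps. below `limit`, in increasing order."""
    return [n for n in range(9, limit, 2) if is_fibonacci_pseudoprime(n, m)]

def common_pseudoprimes(ms, limit):
    """Odd composites below `limit` that are m-F.Psps. for every m in `ms`
    (the numbers the prize asks for correspond to ms = 1..8)."""
    return [n for n in range(9, limit, 2)
            if not is_prime(n) and all(passes_mth_test(n, m) for m in ms)]
```

`common_pseudoprimes([1, 2], 35000)` returns only 34561, matching the statement in Sec. 3 that it is the smallest element of $S_1 \cap S_2$; 2465 is a 1-F.Psp. but fails the 2nd test. A single test is cheap (one fast-doubling pass per candidate), which is what makes it attractive as a probable-prime filter, but as the prize offer shows, passing several tests at once is what the authors rely on, not one.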
References
[1] H. Riesel, Prime Numbers and Computer Methods for Factorization. Boston: Birkhäuser, 1985.
[2] M. Bicknell, "A Primer on the Pell Sequence and Related Sequences", The Fibonacci Quarterly, vol. 13, no. 4, pp. 345-349, 1975.
[3] O. Brugia, P. Filipponi, "Waring Formulae and Certain Combinatorial Identities", Fondaz. Ugo Bordoni Techn. Rep. 3B5986, Oct. 1986.
[4] A. Di Porto, P. Filipponi, "More on the Fibonacci Pseudoprimes", Fondaz. Ugo Bordoni Techn. Rep. 3T0687, May 1987. The Fibonacci Quarterly (to appear).
[5] A. Di Porto, P. Filipponi, "Un Metodo di Prova di Primalità Basato sulle Proprietà dei Numeri di Lucas Generalizzati" (A primality test based on the properties of generalized Lucas numbers), Proc. of the Primo Simposio Nazionale su: Stato e Prospettive della Ricerca Crittografica in Italia, Roma, Oct. 1987, pp. 141-146.
[6] Bro. A. Brousseau, An Introduction to Fibonacci Discovery. Santa Clara (Cal.): The Fibonacci Association, 1965.
[7] L. Carlitz, "A Note on Fibonacci Numbers", The Fibonacci Quarterly, vol. 2, no. 1, pp. 15-28, 1964.
[8] D. Jarden, Recurring Sequences, 3rd ed., Jerusalem: Riveon Lematematika, 1973.
[9] V. E. Hoggatt, Jr., M. Bicknell, "Some Congruences of the Fibonacci Numbers Modulo a Prime P", Math. Magazine, vol. 47, no. 3, pp. 210-214, 1974.
[10] V. E. Hoggatt, Jr., Fibonacci and Lucas Numbers, Boston: Houghton Mifflin Co., 1969.
[11] V. E. Hoggatt, Jr., G. E. Bergum, "Divisibility and Congruence Relations", The Fibonacci Quarterly, vol. 12, no. 2, pp. 189-195, 1974.
[12] P. Filipponi, "On the Divisibility of Certain Generalized Fibonacci Numbers by Their Subscripts", Proc. XIII Congresso Unione Matematica Italiana, Torino, Sept. 1987, Sezione VII-18.
[13] Jin-Zai Lee, Jia-Sheng Lee, "Some Properties of the Sequence $\{W_n(a, b; p, q)\}$", The Fibonacci Quarterly, vol. 25, no. 3, pp. 268-278, 283, 1987.
[14] R. Solovay, V. Strassen, "A Fast Monte-Carlo Test for Primality", SIAM Journal on Computing, vol. 6, no. 1, pp. 84-85, 1977.
ON THE CONSTRUCTION OF RANDOM NUMBER GENERATORS AND RANDOM FUNCTION GENERATORS
C. P. Schnorr
Universität Frankfurt
Fachbereich Mathematik/Informatik
6000 Frankfurt, West Germany
1.
Let $I_n = \{0,1\}^n$, $H_n = I_n^{I_n}$ = "the set of all functions $f: I_n \to I_n$". A random function generator is an efficient algorithm $F$ that generates from names $x \in I_m$ a function $F_{m,x} \in H_{k(m)}$ for some function $k(m)$; when given for input $m, x, y$ the algorithm computes $F_{m,x}(y)$. We associate with $f \in H_n$ a function $F_{n,f} \in H_{2n}$ defined by
The function $F_{n,f}$ roughly corresponds to a layer in the DES algorithm. We consider $F^{(3)}_{n,f} = F_{n,f}\,F_{n,f}\,F_{n,f}$ as a random function generator for the functions $F^{(3)}_{n,f}$ in $H_{2n}$ and with names $f \in H_n$. The functions $F^{(3)}_{n,f}$ are permutations, and $F^{(3)}$ is called a random permutation generator. Luby and Rackoff have considered the random function generator $F_{n,f_3}\,F_{n,f_2}\,F_{n,f_1}$ where independent random functions $f_1, f_2, f_3 \in H_n$ are used at each stage. We observe that the analysis of Luby and Rackoff remains valid for the case that $f_1 = f_2 = f_3$. This yields the following version of the main theorem in Luby, Rackoff (1986).
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 225-232, 1988.
© Springer-Verlag Berlin Heidelberg 1988
for every statistical function test $T$ that is limited to at most $m$ oracle queries.
A random function generator is called perfect if it passes all statistical function tests with polynomial time bound $n^{O(1)}$. The functions generated by a perfect random function generator are called pseudo-random.
A random number generator is an efficient algorithm which transforms short random seeds into long pseudo-random strings. Every random function generator gives rise to a corresponding random number generator and vice-versa. There is a natural bijection $\Phi_n: H_n \to I_{n 2^n}$ which maps functions $f \in H_n$ into the concatenation $\Phi_n(f) = \|_{x \in I_n} f(x)$, where $x$ ranges over all strings $x \in I_n$ in alphabetical order. By this bijection the above function $F^{(3)}$ yields a function
We give a more concrete description of the random number generator
We write the input string $x \in I_{n 2^n}$ as a concatenation of $2^n$ strings in $I_n$, and we enumerate these $2^n$ substrings of $x$ using indices in $I_n$:
We likewise partition the output string $y \in I_{2n 2^{2n}}$:
For every string $y \in I_{2n}$ let $L(y)$, $R(y)$ be the left and right half strings in $I_n$:
$I_{2n} \ni y = L(y)\,R(y) \in (I_n)^2$.
Algorithm for $G_n$
input $x = \|_{i \in I_n} x_i$.
1. $y_i^0 := i$ for all $i \in I_{2n}$.
2. For $j = 0, 1, 2$ do
   $y_i^{j+1} := R(y_i^j)\,\big(L(y_i^j) \oplus x_{R(y_i^j)}\big)$.
output $y^3 = \|_{i \in I_{2n}} y_i^3$.
Each iteration step switches the left and right part of $y \in I_{2n}$ and adds to the new right part the substring $x_{R(y)}$ of the input $x$; here $\oplus$ is the vector addition modulo 2.
According to the bijections $\Phi_n$, $\Phi_{2n}$ Theorem 1 translates into Theorem 2.
Theorem 2. The random number generator $(G_n)_{n \in \mathbb{N}}$, $G_n: I_{n 2^n} \to I_{2n 2^{2n}}$, passes all
A statistical number test $T$ is a probabilistic algorithm which takes for input a binary string, and gives a 0,1-output (Yao, 1982). One associates with $T$ and a random number generator $G$ the following probabilities. Let $p_k^I$ ($p_k^G$, resp.) be the probability that $T$ outputs 1 when given for input a random string $x \in I_k$ with uniform distribution (a string $y \in I_k$ chosen at random from $G$, resp.). The number generator $G$ passes the test if
$|p_k^I - p_k^G| = O(k^{-t})$ for all $t > 0$.
A random number generator is called perfect if it passes all polynomial time statistical number tests. The bit strings generated by a perfect random number generator are called pseudo-random.
Proof. We have for all $r, l \in I_n$:
$F_{n,f}(l, r) = (r,\; l \oplus f(r))$,
$F^{-1}_{n,f}(l, r) = (r \oplus f(l),\; l)$.
This implies that for all $v \ge 1$
$F^{(v)}_{n,f}(l, r) = F^{(v+1)}_{n,f}(r \oplus f(l),\; l)$,
and thus
$L\,F^{(3)}_{n,f}(l, r) = R\,F^{(3)}_{n,f}(r \oplus f(l),\; l)$. (2)
A statistical test for verifying the relation (2) fixes $r$ and $l$ and tries for $f(l) \in I_n$ all bit strings $y \in I_n$. Once $f(l)$ has been found the relation (2) holds for all $r$. The
The above statistical test does not reject function generators $F_{n,f_3}\,F_{n,f_2}\,F_{n,f_1}$ where distinct functions $f_1, f_2, f_3$ are used at each stage.
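Relation (2) and the test built on it, as an added Python example (not Schnorr's code). A round function $f$ is given by its table, i.e. by the name $x$ of the generator; three rounds with the same table realise $F^{(3)}_{n,f}$, and `g_n` is the "Algorithm for $G_n$" above. The guess-every-$y$ test is run once against a same-$f$ generator and once against one with three distinct tables; $n = 6$, the sampled $r$ values and the seeds are my choices.

```python
import random

def feistel_round(l, r, f):
    """F_{n,f}(l, r) = (r, l XOR f(r)); f is a table over I_n (list of 2^n n-bit ints)."""
    return r, l ^ f[r]

def feistel3(l, r, f1, f2, f3):
    """F_{n,f3} F_{n,f2} F_{n,f1}; with f1 = f2 = f3 = f this is F^{(3)}_{n,f}."""
    for f in (f1, f2, f3):
        l, r = feistel_round(l, r, f)
    return l, r

def random_table(n, rng):
    """A random name x in I_{n 2^n}, stored as the 2^n substrings x_i."""
    return [rng.randrange(1 << n) for _ in range(1 << n)]

def relation2_holds(f, l, r):
    """Relation (2): L F^{(3)}(l, r) == R F^{(3)}(r XOR f(l), l)."""
    return feistel3(l, r, f, f, f)[0] == feistel3(r ^ f[l], l, f, f, f)[1]

def candidates_for_f_of_l(oracle, n, l, rs):
    """The statistical test of the text: fix l, try every y in I_n as a guess for
    f(l) and keep the guesses for which (2) holds for all sampled r.
    Costs 2^n * len(rs) oracle queries, i.e. it is exponential in n."""
    return [y for y in range(1 << n)
            if all(oracle(l, r)[0] == oracle(r ^ y, l)[1] for r in rs)]

def g_n(x, n):
    """Algorithm for G_n: y_i^0 = i for i in I_{2n}; three rounds of
    y^{j+1} = R(y^j) || (L(y^j) XOR x_{R(y^j)}); output all y_i^3 concatenated,
    a bit string of length 2n * 2^{2n}."""
    out = []
    for i in range(1 << (2 * n)):
        l, r = i >> n, i & ((1 << n) - 1)
        for _ in range(3):
            l, r = r, l ^ x[r]
        out.append(format((l << n) | r, "0%db" % (2 * n)))
    return "".join(out)

def demo(n=6, seed=1):
    """Run the test against a same-f generator and against a distinct-f one."""
    f = random_table(n, random.Random(seed))
    rs = [3, 17, 42, 61]                     # sampled right halves, all < 2^n
    same = lambda l, r: feistel3(l, r, f, f, f)
    fs = [random_table(n, random.Random(seed + k)) for k in (1, 2, 3)]
    distinct = lambda l, r: feistel3(l, r, *fs)
    return {"f_of_5": f[5],
            "relation_holds_everywhere": all(relation2_holds(f, l, r)
                                             for l in range(1 << n) for r in range(1 << n)),
            "guess_same": candidates_for_f_of_l(same, n, 5, rs),
            "guess_distinct": candidates_for_f_of_l(distinct, n, 5, rs)}
```

With one shared table the test returns exactly $f(l)$, and once $f(l)$ is known (2) predicts one half of the output for every $r$; with three distinct tables no candidate survives, which is the sense in which the test "does not reject" that generator. The test's cost of $2^n$ guesses per $l$ is what keeps it outside the polynomial-time tests of Theorem 1.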
Goldreich, Goldwasser and Micali (1984) show that every perfect random number generator $(G_n)_{n \in \mathbb{N}}$, $G_n: I_n \to I_{2n}$, can be transformed into a perfect random function generator $(F_n)_{n \in \mathbb{N}}$, $F_{n,x} \in H_n$ with $x \in I_n$, such that the functions $F_{n,x} \in H_n$ have names $x$ of length $n$ and can be evaluated using $O(n^2)$ pseudo-random bits generated by $G_n$. We improve this construction via the Luby, Rackoff permutation generator.
passes all statistical function tests with time bound $n^{O(1)}$. □
3. New efficient and perfect pseudo-random number generators
Perfect random number generators have been established for example based on the discrete logarithm by Blum, Micali (1982), based on quadratic residuosity by Blum, Blum, Shub (1986), based on one-way functions by Yao (1982), based on RSA encryption and factoring by Alexi, Chor, Goldreich and Schnorr (1984). All these RNGs are less efficient than the linear congruential generator. The RSA/Rabin generator is the most efficient of these generators. It successively generates $\log n$ pseudo-random bits by one modular multiplication with a modulus $N$ that is $n$ bits long.
the distribution of $x^d \pmod N$ for random $x \in [1, N^{2/d}]$
the uniform distribution on $[1, N]$.
This hypothesis is closely related to the security of the RSA scheme. Under this hypothesis the transformation
$[1, N^{2/d}] \ni x \mapsto x^d \pmod N \in [1, N]$
stretches short random seeds $x \in [1, N^{2/d}]$ into pseudo-random numbers $x^d \pmod N$ in the interval $[1, N]$. Various random number generators can be built on this transformation. The sequential polynomial generator generates from a random seed $x \in [1, N^{2/d}]$ a sequence of numbers $x = x_1, x_2, \ldots, x_i, \ldots \in [1, N^{2/d}]$. The $n(1 - 2/d)$ least significant bits of the binary representation of $x_i^d \pmod N$ are the output of $x_i$ and the $2n/d$ most significant bits form the successor $x_{i+1}$ of $x_i$.
It follows from a general argument of Goldreich, Goldwasser, Micali (1984) and the above hypothesis that all these generators are perfect, i.e. the distribution of output strings is indistinguishable, by polynomial time statistical tests, from the uniform distribution of binary strings of the same length. The sequential generator is nearly as efficient as the linear congruential generator. Using a modulus $N$ that is $n$ bits long, it outputs $n(1 - 2/d)$ pseudo-random bits per iteration step. The cost of an iteration step $x \mapsto x^d \pmod N$ with $x \in [1, N^{2/d}]$ corresponds to the cost of about one full multiplication modulo $N$. This is because the evaluation of $x^d \pmod N$ over numbers $x \le N^{2/d}$ consists almost entirely of multiplications with small numbers that do not require modular reduction.
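The sequential polynomial generator, as an added Python example (not Schnorr's implementation): the state $x_i$ lives in $[1, N^{2/d}]$, each step computes $v = x_i^d \bmod N$, emits the $n(1 - 2/d)$ low bits of $v$ and takes the $2n/d$ high bits as $x_{i+1}$. The modulus $(10^9+7)(10^9+9)$, the exponent $d = 3$, the seed, and the handling of a zero state (replaced by 1, since 0 would be absorbing) are my choices; a 60-bit modul is a demonstration of the mechanics, not a usable generator. The last function counts how many products in a square-and-multiply evaluation of $x^d$ actually exceed $N$, which is the page's "about one full multiplication" argument.

```python
def iroot(x, k):
    """Floor of the k-th root of the non-negative integer x (integer Newton iteration)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + k - 1) // k)       # an upper bound for the root
    while True:
        s = ((k - 1) * r + x // r ** (k - 1)) // k
        if s >= r:
            return r
        r = s

def seed_bound(N, d):
    """floor(N^{2/d}) = largest x with x^d <= N^2: the seed range is [1, seed_bound]."""
    return iroot(N * N, d)

def sequential_generator(N, d, seed, steps):
    """From x_1 = seed compute v_i = x_i^d mod N; emit the n(1-2/d) low bits of v_i,
    take the 2n/d high bits as x_{i+1}.  Returns (output bit string, states)."""
    n = N.bit_length()
    if not 1 <= seed <= seed_bound(N, d):
        raise ValueError("seed outside [1, N^(2/d)]")
    succ_bits = (2 * n) // d                 # 2n/d bits feed the next state
    out_bits = n - succ_bits                 # n(1 - 2/d) bits are output
    x, bits, states = seed, [], [seed]
    for _ in range(steps):
        v = pow(x, d, N)
        bits.append(format(v & ((1 << out_bits) - 1), "0%db" % out_bits))
        x = v >> out_bits or 1               # assumed edge case: a zero state would be absorbing
        states.append(x)
    return "".join(bits), states

def reductions_in_power(N, d, x):
    """Left-to-right square-and-multiply for x^d: count the products that exceed N
    (and so need a reduction) against the total number of products."""
    acc, count, mults = x, 0, 0
    for bit in bin(d)[3:]:                   # exponent bits after the leading 1
        acc, mults = acc * acc, mults + 1
        if acc >= N:
            acc, count = acc % N, count + 1
        if bit == "1":
            acc, mults = acc * x, mults + 1
            if acc >= N:
                acc, count = acc % N, count + 1
    return count, mults
```

For $d = 8$ and $x \le N^{1/4}$, only the last of the three squarings exceeds $N$, which is the situation the text describes; for $d = 3$ the saving is smaller because $x^2$ already reaches $N^{4/3}$. The output bits are the low-order bits of $v$, never the state bits, so an observer of the stream does not see $x_{i+1}$ directly.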
T h e p a r a l l e l g e n e r a t o r i s b a s e d o n a m e t h o d t h a t has been i n v e n t e d by G o l d r e i c h ,
I. INTRODUCTION
The basic element of the NCUBE computer is a 32-bit VLSI processor of the super-minicomputer range ($10^6$ integer operations per second). These processors are interconnected in the configuration of an N-dimensional cube. That is, an NCUBE of order $k$ has $2^k$ nodes, $k = 0, 1, 2, \ldots$, and one of order $k + 1$ is formed by connecting two cubes of order $k$ at corresponding nodes. There is no common memory shared among the processors: each has one-half megabyte of local memory. Each node operates on its own stored program and data. They achieve cooperation by passing messages to one another. A very slow host board controls input-output and subcube allocation.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 235-243, 1988.
© Springer-Verlag Berlin Heidelberg 1988
[Table of NCUBE orders and configurations: illegible in the source.]
If [threshold condition, illegible in the source] we have a factorization; otherwise another [illegible in the source]
The sieving and searching described above constitutes the lion's share
of the computation. After the set of residues that factor is identified,
the actual functional values are calculated in multiple-precision and
decomposed into the primes by division. The final step is to determine a
binary dependency by Gaussian elimination.
As one increases the size of the integers to be factored, the size of the prime base must grow in order to have a significant probability of factoring residues. Thus a larger number of factored residues is needed; hence a larger interval must be sieved. The functional values of $X^2 - N$ increase almost linearly with the distance between $X$ and $\sqrt{N}$, and as the magnitudes increase the frequency of factorization decreases. At Sandia we were able to factor integers of size about $10^{55}$ with the basic algorithm, but for larger numbers the computing time was becoming intolerable.
We were able to modify the algorithm such that the size of the residues to be sieved was periodically reduced and hence our factorization success rate remained relatively constant. The means by which we obtained these sequences of smaller residues was by identifying large primes which divide a residue, then sieving on the subsequences guaranteed divisible by the primes. That is, if $q \mid X^2 - N$, then $q \mid (X + kq)^2 - N$ for all integers $k$. If more than one factorization is obtained in the subsequence, the large prime can be eliminated and we have quadratic residues factored entirely into the prime base, $B$.
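The whole pipeline described above, as an added single-processor Python example (it is not the Sandia NCUBE code): build the prime base $B$ from the primes modulo which $N$ is a square, sieve $X^2 - N$ over an interval with logarithms, trial-divide only the positions that accumulate enough, keep residues that leave one large prime $q$ (bound $< q \le$ bound$^2$), eliminate $q$ by pairing two residues that share it (which is where $q \mid (X + kq)^2 - N$ comes from; here the partners are collected from the main sieve rather than by re-sieving the subsequence), and find a binary dependency by Gaussian elimination. The factor-base bound, chunk size and the toy modulus $15347 = 103 \cdot 149$ are my choices.

```python
from math import gcd, isqrt, log

def factor_base(N, bound):
    """Primes p <= bound modulo which N is a square (so X^2 - N has roots mod p),
    each with its roots.  Only these primes can divide a residue X^2 - N."""
    fb = []
    for p in range(2, bound + 1):
        if all(p % q for q in range(2, isqrt(p) + 1)):
            roots = [x for x in range(p) if (x * x - N) % p == 0]
            if roots:
                fb.append((p, roots))
    return fb

def sieve_interval(N, fb, start, length, lp_bound):
    """Sieve Q(X) = X^2 - N for X in [start, start + length): add log p at every X
    with X ≡ root (mod p), then trial-divide only the positions whose log sum is
    large enough.  Returns full relations (X, Q, parity vector) and partial
    relations with one large prime q (bound < q <= lp_bound), keyed by q."""
    logs = [0.0] * length
    for p, roots in fb:
        for r in roots:
            for i in range((r - start) % p, length, p):
                logs[i] += log(p)
    fulls, partials = [], {}
    for i in range(length):
        X = start + i
        Q = X * X - N
        if logs[i] < log(Q) - log(lp_bound) - 3:      # slack for prime powers
            continue
        vec, rest = [], Q
        for p, _ in fb:
            e = 0
            while rest % p == 0:
                rest //= p
                e += 1
            vec.append(e & 1)
        if rest == 1:
            fulls.append((X, Q, vec))
        elif rest <= lp_bound:                         # no factor <= bound, so rest is prime
            partials.setdefault(rest, []).append((X, Q, vec))
    return fulls, partials

def combine_partials(N, partials):
    """Residues sharing a large prime q: (X1 X2)^2 ≡ Q1 Q2 (mod N) and q^2 | Q1 Q2,
    so q is eliminated and the product is smooth over the prime base."""
    rels = []
    for group in partials.values():
        X1, Q1, v1 = group[0]
        for X2, Q2, v2 in group[1:]:
            rels.append((X1 * X2 % N, Q1 * Q2, [a ^ b for a, b in zip(v1, v2)]))
    return rels

def gf2_dependencies(rows):
    """Gaussian elimination over GF(2) on bit-packed rows; each result is a set of
    row indices whose vectors sum to zero (a binary dependency)."""
    pivots, deps = {}, []
    for i, row in enumerate(rows):
        m, hist = sum(b << j for j, b in enumerate(row)), 1 << i
        while m:
            top = m.bit_length() - 1
            if top not in pivots:
                pivots[top] = (m, hist)
                break
            m, hist = m ^ pivots[top][0], hist ^ pivots[top][1]
        else:
            deps.append([k for k in range(len(rows)) if hist >> k & 1])
    return deps

def quadratic_sieve(N, bound=100, chunk=2000, max_chunks=20):
    """Return a nontrivial factor of N found from a dependency, or None."""
    fb, lp_bound = factor_base(N, bound), bound * bound
    start, rels, partials = isqrt(N) + 1, [], {}
    for _ in range(max_chunks):
        fulls, part = sieve_interval(N, fb, start, chunk, lp_bound)
        start += chunk
        rels += fulls
        for q, group in part.items():
            partials.setdefault(q, []).extend(group)
        allrels = rels + combine_partials(N, partials)
        if len(allrels) <= len(fb) + 5:
            continue
        for dep in gf2_dependencies([v for _, _, v in allrels]):
            X, Q = 1, 1
            for k in dep:
                X, Q = X * allrels[k][0] % N, Q * allrels[k][1]
            Y = isqrt(Q)                                # Q is a perfect square by construction
            for g in (gcd(X - Y, N), gcd(X + Y, N)):
                if 1 < g < N:
                    return g
    return None
```

Each dependency gives $X^2 \equiv Y^2 \pmod N$ and a factor with probability about one half, so the loop keeps sieving further chunks until some dependency splits $N$. The large-prime relations are what keep the relation yield up as $X$ moves away from $\sqrt N$ and the residues grow, which is the effect the text reports.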
V. FALSE STARTS
Another approach that was implemented was to apportion the prime base
among a ring of processors, all sieving the same polynomial. Each
processor in the ring would sieve with the set of primes it was given, then
pass these to a neighbor. When each prime had visited each member of the
ring, the sieving would be complete. After searching for and saving
successful factorizations, a new polynomial would be started.
The above and other plans that would have used memory efficiently at
the expense of increased interprocessor communication were programmed, but
stymied by the traffic.
VI. CURRENT IMPLEMENTATION
choice of much smaller coefficients forces the roots to be very far apart; hence we sieve over a pair of disjoint intervals each about a root of the polynomial. The magnitudes of the residues to be factored are not affected by this choice.
[Figure: the polynomial $(X + [\sqrt{N}])^2 - N$ and the Sandia sieving interval.]
The final stages of the algorithm are the set-up and solution of the
matrix used in the Gaussian elimination. Because of the very large matrix
that must be processed, we must use memory more efficiently. Each
processor is allocated identifiers for a certain set of the factored
residues and a certain portion of the factor base. The functional values
are calculated at each node and the available set of primes divided out.
Results are then transferred to a neighboring node which operates on the
residues with its assigned primes. When the residues have passed through
all nodes, factorization is simultaneously completed. Each residue that
completely factors forms a row, as does each large prime which repeats in
another factorization. The abundance of large prime factorizations and
hardware limitations on array size introduce complications into the
matching algorithm. These we overcome by asymptotic estimation of the
frequency of occurrence of large primes of various sizes and assigning a
large prime to a given block according to its magnitude. Then, the
matching algorithm needs only operate within a bin without crossing
boundaries.
VII. Results
TOSHIBA CORPORATION
RESEARCH AND DEVELOPMENT CENTER
1. INTRODUCTION
2. BASIC RULES
The basic idea for table lookup is very simple. If one wants
the following rules are applied for the table reduction. Bold printing represents pre-computed terms.
(1) [illegible in the source]
(2) $(A_1 \cdot 2^b + A_2) \bmod N \equiv (A_1 \cdot 2^b \bmod N) + (A_2 \bmod N) \pmod N$
(3) $(A \cdot 2^u + B) \bmod N \equiv (A \bmod N) \cdot 2^u + B \pmod N$
Rule (1) means that in making the table, one may ignore the lower portion of $X$ which is less than $N$. Rule (2) means that the table should be divided into some segments. The table for $(A_1 \cdot 2^b$
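Table-lookup reduction in the spirit of rules (1)-(3), as an added Python example. It is my reconstruction, not the paper's own scheme (whose segment layout, "reduction condition" and iteration count are not on the page): a product $X < 2^{2n}$ is split as $X = A \cdot 2^n + B$ (rule (3)); the low $n$ bits $B$ are kept (rule (1)); $A$ is cut into $b$-bit chunks and each chunk is replaced by its pre-computed residue $(c \cdot 2^{n + bj}) \bmod N$ (rule (2)); the sum is reduced again in the same way until it fits in $n$ bits, then at most one subtraction of $N$ remains. The chunk width $b$, the modulus sizes and the seeds are my choices.

```python
import random

def build_tables(N, b):
    """Pre-computed terms (rule (2)): for segment j and every b-bit chunk c,
    T[j][c] = (c * 2^(n + b*j)) mod N, where n is the bit length of N."""
    n = N.bit_length()
    segments = -(-n // b)                       # ceil(n / b) segments cover the high n bits
    return [[(c << (n + b * j)) % N for c in range(1 << b)] for j in range(segments)]

def reduce_by_table(X, N, tables, b):
    """Reduce X < 2^(2n) modulo N by repeated table passes.  Each pass keeps the
    low n bits of X (rule (1)), replaces every b-bit chunk of the high part by its
    table entry (rules (2), (3)) and adds them up.  Returns (X mod N, passes)."""
    n = N.bit_length()
    assert 0 <= X < (1 << (2 * n))
    mask_low, mask_chunk = (1 << n) - 1, (1 << b) - 1
    passes = 0
    while X >> n:                               # high part still present
        high, acc = X >> n, X & mask_low
        j = 0
        while high:
            acc += tables[j][high & mask_chunk]
            high >>= b
            j += 1
        X = acc
        passes += 1
    while X >= N:                               # final correction: X < 2^n < 2N here
        X -= N
    return X, passes

def modmul_by_table(a, c, N, tables, b):
    """a * c mod N for 0 <= a, c < N using the table reduction."""
    return reduce_by_table(a * c, N, tables, b)

def demo(bits=512, b=4, samples=20, seed=7):
    """Check the table reduction against Python's % on random operands and return
    the largest number of passes seen (the 'number of iterations'); None on mismatch."""
    rng = random.Random(seed)
    N = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # constructed odd modulus of exactly `bits` bits
    tables = build_tables(N, b)
    worst = 0
    for _ in range(samples):
        a, c = rng.randrange(N), rng.randrange(N)
        r, passes = modmul_by_table(a, c, N, tables, b)
        if r != a * c % N:
            return None
        worst = max(worst, passes)
    return worst
```

After the first pass the sum is below $2^n + \lceil n/b \rceil N$, after the second below $2^n + 2N$, so for a 512-bit modulus and $b = 4$ no input needs more than four passes; the trade-off the paper's Sec. 4 studies is that a larger $b$ means fewer chunks per pass but a table of $2^b$ entries per segment.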
3. TABLE-LOOK-UP
reduction condition;
Eq. (4) and Definition 2:
Definition 3:
4. NUMBER OF ITERATIONS
PROCEDURE (1)
  read b, s;
  [body partly illegible in the source]
  ss <- ss + 2;
  ss <- ss * (u/s);
  write ss;
[Figure: number of iterations vs. table size for key length = 512 bits; horizontal axis 100, 1K, 10K, 100K, 1M; curves for b = 4 and b = 6.]
5. DISCUSSION
3). For example, the parameter set $(b, s) = (4, 4)$ can reduce the
fact that the two cases require about the same processing time.
6. CONCLUSION
This paper proposes a fast modular arithmetic which can
1. Introduction
In this article we will be concerned with arithmetic operations in the finite field $GF(2^n)$. In particular, we examine methods of exploiting parallelism to improve the speed of exponentiation.
We can think of the elements in $GF(2^n)$ as being $n$-tuples which form an $n$-dimensional vector space over $GF(2)$. If
$\{\beta, \beta^2, \beta^4, \ldots, \beta^{2^{n-1}}\}$
is a basis for this space then we call it a normal basis and we call $\beta$ a generator of the normal basis. It is well known ([1]) that $GF(2^n)$ contains a normal basis for every $n \ge 1$. For $\alpha \in GF(2^n)$ let $(a_0, a_1, \ldots, a_{n-1})$ be the coordinate vector of $\alpha$ relative to the ordered normal basis $N$ generated by $\beta$. It follows that $\alpha^2$ then has coordinate vector $(a_{n-1}, a_0, a_1, \ldots, a_{n-2})$, so squaring is simply a cyclic shift of the vector representation of $\alpha$. In a hardware implementation squaring an element takes one clock cycle and so is negligible. For the remainder of this article we will assume that squaring an element is "free".
2. Discrete exponentiation
Suppose that we want to compute $\alpha^e \in GF(2^n)$ where
$e = \sum_{i=0}^{n-1} a_i 2^i$, $a_i \in \{0, 1\}$.
Then
$\alpha^e = \prod_{i=0}^{n-1} \alpha^{a_i 2^i}$
and this requires $A = \big(\sum_{i=0}^{n-1} a_i\big) - 1$ multiplications. On average for randomly chosen $e$, $A$ will be about $n/2$ and so we require $n/2$ multiplications to do the exponentiation. We now examine ways of doing better.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 251-255, 1988.
© Springer-Verlag Berlin Heidelberg 1988
or
$e = (2^{10} + 2^8 + 2^4)(1 + 0 \cdot 2) + 2^{?}(0 \cdot 1 + 2) + (2^6 + 2^0)(1 + 2)$ (one exponent illegible in the source).
If we let $X(w) = \sum_{i=0}^{r} c_{i,w}\, 2^{ki}$ then
On average $X(w)$ will have $\dfrac{n}{k 2^k}$ nonzero terms in it and, hence, will require $\dfrac{n}{k 2^k} - 1$ multiplications to evaluate. Since $w$ is represented by a binary $k$-tuple, $w$ will have on average $\dfrac{k}{2}$ non-zero terms and require $\dfrac{k}{2} - 1$ multiplications to evaluate $\beta^w$.
Therefore, to evaluate $(\alpha^{X(w)})^{w}$ we need $t = \left[\dfrac{n}{k 2^k} + \dfrac{k}{2} - 2\right]$ multiplications.
multiplications.
If we use $2^k - 1$ processors in parallel to evaluate each simultaneously then the number of multiplications is on average
$T(k) = \dfrac{n}{k 2^k} + \dfrac{k}{2} + 2^k - 4$.
k    M(k)    T(k)
6    293     [illegible]
5    244     37
4    254     30
3    315     [illegible]

k    M(k)     T(k)
10   10638    [illegible]
9    9055     527
8    8924     [illegible]
7    9605     201
6    10877    234

$M(k)$ is minimized by $k = 8$ and $T(k)$ by $k = 7$.
Summary
In this paper, we have examined techniques for exponentiating in $GF(2^n)$. These techniques take advantage of parallelism in exponentiation and use processor/time tradeoffs to greatly improve the speed. A more complete study of this problem and other techniques for exploiting parallelism in operations in $GF(2^n)$ is presented in [2].
References
[1] O. Ore, "On a special class of polynomials", Trans. Amer. Math. Soc. 35 (1933) 559-584.
[2] G. B. Agnew, R. C. Mullin, S. A. Vanstone, "Arithmetic Operations in $GF(2^n)$", submitted to the Journal of Cryptology.
Appendix
Table 1 below lists the values of $k$ which minimize $M(k)$ and $T(k)$ for various values of $n$, where $n$ is a power of 2. Table 2 below is similar for values of $n$ in increments of 100.

Table 1 (the columns giving the minimizing $k$ are not legible in the source)
n       min M(k)   min T(k)
64      21         [illegible]
128     39         10
256     74         16
512     134        22
1024    243        30
2048    442        43
4096    797        56
8192    1469       81
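The window method of Sec. 3 and its cost functions, as an added Python model (not the authors' code, and not $GF(2^n)$ arithmetic: it uses integers modulo a prime as a stand-in group so the result can be checked against `pow`, and it counts squarings separately because in a normal basis they are free). `window_exp` splits $e$ into $k$-bit windows, forms $\alpha^{X(w)}$ for each window value $w$ from the powers $\alpha^{2^{ki}}$ (squarings only, one multiplication per extra term), raises it to $w$ by the binary method and multiplies the $2^k - 1$ results. The cost functions implement $t$ and $T(k)$ from the text; the sequential cost $M(k) = (2^k - 1)\,t + 2^k - 2$ is my assumption, chosen because it reproduces the table values 254/30 for $n = 1024$, $k = 4$ and 1469/81 for $n = 8192$.

```python
from fractions import Fraction

class CountingGroup:
    """Multiplicative group mod a prime, standing in for GF(2^n); multiplications and
    squarings are counted separately (normal-basis squarings are cyclic shifts)."""
    def __init__(self, p):
        self.p, self.mults, self.squares = p, 0, 0
    def mul(self, a, b):
        self.mults += 1
        return a * b % self.p
    def sqr(self, a):
        self.squares += 1
        return a * a % self.p

def windows(e, k):
    """Split e into k-bit windows w_0, w_1, ... (least significant first)."""
    ws = []
    while e:
        ws.append(e & ((1 << k) - 1))
        e >>= k
    return ws

def window_exp(G, alpha, e, k):
    """alpha^e = prod over w of (alpha^{X(w)})^w, with X(w) = sum_{i: w_i = w} 2^{ki}."""
    ws = windows(e, k)
    pw, t = [], alpha                           # alpha^{2^{ki}} for each window position
    for _ in ws:
        pw.append(t)
        for _ in range(k):
            t = G.sqr(t)                        # squarings only
    result = None
    for w in range(1, 1 << k):
        positions = [i for i, wi in enumerate(ws) if wi == w]
        if not positions:
            continue
        x = None                                # alpha^{X(w)}: one multiplication per extra term
        for i in positions:
            x = pw[i] if x is None else G.mul(x, pw[i])
        y = None                                # (alpha^{X(w)})^w by the binary method on w
        for bit in bin(w)[2:]:
            if y is not None:
                y = G.sqr(y)
            if bit == "1":
                y = x if y is None else G.mul(y, x)
        result = y if result is None else G.mul(result, y)
    return 1 if result is None else result

def t_per_window(n, k):
    """Average multiplications for one (alpha^{X(w)})^w: n/(k 2^k) + k/2 - 2."""
    return Fraction(n, k * 2 ** k) + Fraction(k, 2) - 2

def M(n, k):
    """Sequential cost (assumed): all 2^k - 1 window products plus 2^k - 2 to combine them."""
    return (2 ** k - 1) * t_per_window(n, k) + 2 ** k - 2

def T(n, k):
    """Parallel cost with 2^k - 1 processors: n/(k 2^k) + k/2 + 2^k - 4."""
    return t_per_window(n, k) + 2 ** k - 2

def best_k(cost, n, kmax=12):
    """(k, cost(n, k)) minimizing the given cost function for this n."""
    return min(((k, cost(n, k)) for k in range(1, kmax + 1)), key=lambda kv: kv[1])
```

The exact-rational costs reproduce the table above once truncated (243 for $n = 1024$, 81 for $n = 8192$), and the counting group shows on a concrete exponent how few multiplications remain once squarings are not charged.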
CRYPTECH NV/SA
Av. Lloyd George 7
1050 Brussels, Belgium
ESAT K.U.LEUVEN
K. Mercierlaan 94
3030 Heverlee, Belgium
ABSTRACT
I. INTRODUCTION
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 257-264, 1988.
© Springer-Verlag Berlin Heidelberg 1988
II. ALGORITHMS
During the first development phase, different calculation methods were analysed. Very soon it appeared that hardware knowledge had to be integrated in the algorithmic study in order to obtain an optimal calculation scheme. Therefore, cooperation with IMEC [3] was set up to get the necessary input from hardware engineers. The result was that an arithmetically simple calculation scheme evolved into an arithmetically complex calculation scheme in order to allow a faster and more compact hardware implementation.
The original simple calculation scheme partitions the exponentiation with the well-known square-and-multiply algorithm [9] into subsequent multiplications. Then these multiplications are divided by the shift-and-add algorithm into subsequent additions and shifts. The additions are done according to the carry-save principle so that the addition is not delayed by the length of the numbers. The entire exponentiation must be calculated modulo $n$ and this is performed by doing a reduction modulo $n$ after each shift-and-add operation. The basic principle of that reduction is summarised in the following algorithm.
Reduction algorithm.
Given modulus $n$, multiplicand $A$, multiplier $B$, intermediate result $R$, intermediate quotient $q$.
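The "arithmetically simple" scheme just described, as an added Python model (not the CRYPTECH algorithm, whose reduction step is not on the page): shift-and-add multiplication with a reduction modulo $n$ after every step, and square-and-multiply on top of it. With $0 \le A, B < n$ the partial result satisfies $R < n$ before a step and $2R + A < 3n$ after it, so the intermediate quotient $q$ is always 0, 1 or 2; the model subtracts $n$ that many times where the hardware would select a multiple of $n$. Carry-save representation is not modelled. The modulus, exponent and message values are constructed for the demonstration.

```python
def modmul_shift_add(A, B, n):
    """Interleaved shift-and-add multiplication with a reduction modulo n after
    every step.  Returns (A*B mod n, largest intermediate quotient q seen)."""
    assert 0 <= A < n and 0 <= B < n
    R, q_max = 0, 0
    for i in range(B.bit_length() - 1, -1, -1):
        R = (R << 1) + (A if (B >> i) & 1 else 0)      # shift-and-add; R < 3n here
        q = 0
        while R >= n:                                  # reduction: subtract q*n, q in {0, 1, 2}
            R -= n
            q += 1
        q_max = max(q_max, q)
    return R, q_max

def modexp_square_multiply(M, e, n):
    """Left-to-right square-and-multiply built on modmul_shift_add.
    Returns (M^e mod n, number of modular multiplications, largest q seen).
    The count is bitlength(e) squarings + popcount(e) multiplications, which is
    why the speed is linear in the exponent length."""
    R, count, q_max = 1 % n, 0, 0
    for i in range(e.bit_length() - 1, -1, -1):
        R, q = modmul_shift_add(R, R, n)
        count, q_max = count + 1, max(q_max, q)
        if (e >> i) & 1:
            R, q = modmul_shift_add(R, M, n)
            count, q_max = count + 1, max(q_max, q)
    return R, count, q_max

def rsa_roundtrip(p, q, e, M):
    """A complete RSA calculation: encrypt with the public exponent e, decrypt with
    d = e^-1 mod phi(n).  Returns (ciphertext, recovered plaintext,
    public-operation count, private-operation count)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    C, c_pub, _ = modexp_square_multiply(M, e, n)
    P, c_priv, _ = modexp_square_multiply(C, d, n)
    return C, P, c_pub, c_priv
```

For $e = 65537$ the public operation costs 19 modular multiplications, while the private one with a full-length $d$ costs about $1.5 \times$ the modulus length, which is the asymmetry Sec. IV exploits with short public exponents.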
III. IMPLEMENTATION
[Fig. 1: pin-out of the RSA module: RESET, CLK, VCC, INAC, UCS, R/W, OE, GND, MODULE, ADDRESS BUS (13).]
1. Powerful tasks can be done without external aid, e.g. a complete RSA calculation.
2. A self-kill instruction destroys all internally stored keys in case of detection of an intruder.
3. Keys can be entered and during this process the keys can be read out in order to check proper hardware functioning. After the entering is completed, the key can never again be read out, nor can it be changed even partially.
4. Up to 16 complete keys ($e$ and $n$) can be memorised by the module.
5. The external interface of the module is very similar to the interface of a standard RAM. Therefore it can be coupled with almost every microprocessor bus (fig. 1).
IV. PERFORMANCE
The following table gives an overview of the data rates which have been achieved with the RSA hardware. The speed is linearly dependent on the exponent length, so that the use of very short exponents (e.g. 3, 65537) can boost the speed [9,11]; this applies to the public exponent $e$ only, since a short private exponent $d$ is not safe. By putting modules in parallel, a supplementary speed gain factor of up to 10 is possible. The module is completely built in the latest CMOS technology (1.5 µm) and consumes about 400 mA at maximum speed. A total of about 200,000 transistors are incorporated in a six-chip module (maximum 712-bit modulus) which has the size of a pocket calculator (13.9 × 6.4 cm) (fig. 2).
V. CONCLUSIONS
In the paper it is shown that a compact and fast (17 kbit/s for 512 bit) gate array chip design is feasible. The chip development is now in the commercial phase. Test samples have been tested and fully approved. Mass production quantities of the chips are available and the first RSA security systems using these production chips are currently under test (BISTEL [8]). An evaluation package including a 712-bit module, an interface card for the IBM PC, sources of driver software (C language) and hot-line problem support, is now available.
Future actions are on the one hand the support of these RSA chips and derived products (PC encryptors, key generators, high-speed encryptors, ...). On the other hand the availability of fast RSA implementations should stimulate the research and development of public key cryptography, which for too long in the past was forced to proceed without fast hardware.
References
ABSTRACT
The work reported in this paper is directed towards the mathematical proof of the existence of a consistent structure for the Euler totient function $\phi(n)$ given $n$. This structure is extremely simple and follows from the exploitation of some of the very interesting properties relating to the integer 24 as demonstrated in the proofs.
This result is of particular concern to cryptologists who are either attempting to break the RSA or ascertain its cryptographic viability. Furthermore, it is stipulated that the methods and properties relating to the integer 24, taken as a modulus, may have strong implications on the different attempts to solve the factorisation problem.
I. INTRODUCTION
Rivest et al. [1] (RSA) have presented a method for public-key cryptosystems, whose security depends predominantly on being able to factorise large numbers. This has stimulated research on the factorisation problem, which would ultimately threaten the security of the RSA, and has resulted in numerous papers being published on this work, such as Williams' overview of factoring procedures [2]. However, the validity of the different cryptanalytic attacks on the RSA has always been contested [3,4] and a fast algorithm for factorising large numbers has not yet appeared.
This paper does not set out to break the RSA, but approaches the factorisation problem from an original viewpoint and consequently raises some doubts about its security. The approach taken is the development of a mathematical proof of
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 267-274, 1988.
© Springer-Verlag Berlin Heidelberg 1988
the existence of a structure for the Euler totient function $\phi(n)$ in terms of the argument $n$. This structure could enable the computation of the decryption key, which is secret in the RSA cryptosystem, from a knowledge of the encryption key and the parameter $n$, which both reside in the public directory. The derivation of the structure for the Euler totient function and its interesting implications is based on the extremely simple, but powerful, number theoretical properties of the integer 24.
In this section, we prove the existence of some extremely interesting properties relating to the integer 24. The most important of these properties may be expressed in terms of the following theorem:
Proof. The congruence given in (1) can be expressed in the form of the Diophantine equation:
$p^2 - 1 = 24k$ (2)
for a particular value of $k$.
Hence,
$(p - 1)(p + 1) = 24k = 4!\,k$
where "!" denotes the factorial operation. The proof for (1) then consists in proving that $(p - 1)(p + 1)$ is divisible by 8 and by 3.
Since $p$ is a prime greater than 3, it is odd, so its negative and positive differences about 1 can be expressed in the form:
$(p - 1) = 2m$,
$(p + 1) = 2m + 2$
where $m$ is a positive integer.
Hence,
$(p - 1)(p + 1) = 2m(2m + 2) = 4m(m + 1)$.
Since one of $m$ and $m + 1$ is even, $m(m + 1) = 2m'$ for some integer $m'$, and
$(p - 1)(p + 1) = 4 \cdot 2m' = 8m'$,
which establishes the fact that 2 and 4 (indeed 8) are factors of $p^2 - 1$.
Finally, since $p > 3$ is prime, 3 does not divide $p$, so that
either $3 \mid (p - 1)$
or $3 \mid (p + 1)$.
$n = pq$
where $p$ and $q$ are the two primes involved in the encryption process.
The security of the RSA is based on the fact that a knowledge of both $n$ and the encryption key $e$ (chosen at random from the interval $[2, \phi(n) - 1]$ such that $\gcd(e, \phi(n)) = 1$) does not allow the straightforward deduction of the decryption key $d$, where $d$ is the multiplicative inverse of $e$ modulo $\phi(n)$:
$ed \equiv 1 \pmod{\phi(n)}$,
since, due to the factorisation problem and the nature of $p$ and $q$, it is computationally infeasible to compute the value of $\phi(n)$ given $n$.
Then, for $n = pq$,
$n^2 = p^2 q^2 \equiv 1 \pmod{24}$. (3)
$\phi(p^2) = p(p - 1) = p^2 - p$,
or,
$\phi(p^2) \equiv 1 - p \pmod{24}$. (4)
However,
$\phi(n) = (p - 1)(q - 1)$
$\phi(n^2) \equiv \phi(n) \pmod{24}$. (7)
$\phi(n^2) = \phi(p^2)\,\phi(q^2) = p(p - 1)\,q(q - 1) = pq\,(p - 1)(q - 1)$.
Thus,
$\phi(n^2) = n\,\phi(n)$.
On the other hand, congruence (7) may be written in its Diophantine equation form:
$\phi(n^2) = 24z + \phi(n)$; $z = 1, 2, \ldots$ (9)
Equation (10) shows that there exists a definite structure for the Euler totient function in terms of its argument. In what concerns the RSA, such a structure is of particular importance since, for decryption purposes, $\phi(n)$ is the crucial secret number in the system. The ability to compute $\phi(n)$ given $n$ renders the system vulnerable to cryptanalytic attacks and, although the practical evaluation of the factor $z$ may still be complicated, it is thought that, in theory at least, the existence of such a structure may lead the way towards developing a fast algorithm for the evaluation of $\phi(n)$. This is currently being investigated.
The primes p and q involved in RSA can be shown to have specific properties in terms of the integer 24, namely,

Theorem 2.
$$p + q \equiv 2i \pmod{24}; \qquad i = 0, 1, \ldots, 11. \quad (11)$$
The proof of this theorem is rather simple and shall not be presented here.
$$\varphi(n) = \frac{24\,[\,24y + (n + 2j - p)\,]}{n-1} = \frac{24(n-p) + 24(24y + 2j)}{n-1}.$$
However, 24y + 2j will always yield an even value, which may be expressed as 2i for some integer i. Hence
$$\varphi(n) = \frac{24(n-p) + 24 \cdot 2i}{n-1} = \frac{24(n-p) + 48i}{n-1}.$$
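The following Python program is an added worked example, not part of the paper: it checks Theorem 1 (and the slightly stronger statement the proof actually gives, namely that the congruence holds for every integer coprime to 6), verifies identities (3), (7), (8) and (9) for a pair of primes, and shows why the remark about φ(n) matters in practice: given n and φ(n), the factors follow immediately from p + q = n - φ(n) + 1 and pq = n. The sample moduli 53·61 and 65521·65537 are constructed. Note that z in (9) and (10) is determined by φ(n) and vice versa, so evaluating z is exactly as hard as evaluating φ(n).

```python
from math import gcd, isqrt


def primes_upto(limit):
    """Sieve of Eratosthenes: all primes p <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def theorem1_holds(p):
    """Theorem 1: p^2 ≡ 1 (mod 24)."""
    return (p * p - 1) % 24 == 0


def check_theorem1(limit=10_000):
    """Theorem 1 for every prime 3 < p <= limit."""
    return all(theorem1_holds(p) for p in primes_upto(limit) if p > 3)


def theorem1_generalises(limit=10_000):
    """The proof only uses that p is odd and not divisible by 3, so the
    congruence holds for every integer coprime to 6 (added observation)."""
    return all(theorem1_holds(x) for x in range(1, limit) if gcd(x, 6) == 1)


def totient_identities(p, q):
    """Identities (3), (7), (8), (9) for n = pq with primes p, q > 3."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    phi_n2 = p * (p - 1) * q * (q - 1)            # phi(p^2) phi(q^2)
    return {
        "n2_mod_24": (n * n) % 24,                 # (3): expect 1
        "phi_n2_is_n_phi_n": phi_n2 == n * phi_n,  # (8)
        "phi_diff_mod_24": (phi_n2 - phi_n) % 24,  # (7): expect 0
        "z": (phi_n2 - phi_n) // 24,               # (9): phi(n^2) = 24 z + phi(n)
    }


def factor_from_phi(n, phi_n):
    """Recover p and q from n = pq and phi(n): p + q = n - phi(n) + 1 and pq = n,
    so p, q are the roots of x^2 - (n - phi(n) + 1) x + n = 0.
    Returns None if phi_n is not the totient of a product of two primes."""
    s = n - phi_n + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


if __name__ == "__main__":
    print(check_theorem1(), theorem1_generalises())
    print(totient_identities(53, 61))
    print(factor_from_phi(3233, 3120))             # constructed: 3233 = 53 * 61
```

The factoring step is the reason φ(n) must stay secret: any method that produced φ(n) from n would factor n in constant time, so the structure in (10) cannot be easier to exploit than factoring itself.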
V. CONCLUSIONS
In this paper we have presented a stepwise mathematical deduction of the Euler totient function φ(n) from a knowledge of n. This deduction is based on some interesting number theoretic properties relating to the integer 24. These properties, together with their proofs, were presented in detail. An algorithm for the final evaluation of φ(n) was also given. However, it must be stressed that the aim of the paper was mainly directed towards proving the existence of a consistent structure for φ(n) in terms of n and the integer 24. It is believed that it may also have strong implications on the different attempts to solve the factorisation problem.
VI. ACKNOWLEDGEMENTS
The authors are grateful to their colleagues and postgraduate students in the Cryptology Research Group of the Department of Electrical and Electronic Engineering, the University of Newcastle upon Tyne, for many interesting discussions and comments on this work. They are particularly indebted to Jalil Tabatabaian for providing the simple proof of Theorem 1.
I. Introduction
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 275-280, 1988.
© Springer-Verlag Berlin Heidelberg 1988
The vectors, matrices and operations in the following discussion are all binary.
The next section describes McEliece’s cryptosystem and the following section
explains the best known cryptanalytic attack. After describing a systematic method of
checking whether the recovered message is correct or not, we will suggest a generalization
of the attack. Our analysis will show that the factor of improvement will be significant.
Further improvements will also be discussed and conclusions and other discussions will
follow.
McEliece's system works as follows: The system user (receiver) secretly constructs a linear t-error-correcting Goppa code with k×n code generator matrix G, a k×k scrambler matrix S that has an inverse over GF(2), and an n×n permutation matrix P. Then he computes
G' = S G P (2)
which is also a generator matrix of a linear code (but supposedly hard to decode) with the same rate and error correction capability as the original code generated by G. He publishes G' as his public encryption key. The sender encrypts a k-bit message vector m into an n-bit ciphertext vector c as
c = m G' + e (3)
where e is a random n-bit error vector of weight less than or equal to t. The receiver computes c P^{-1} = (m S) G + e P^{-1} and uses the decoding algorithm for the original code with G to get rid of e P^{-1}. Finally, to get m, he descrambles m S by multiplying by S^{-1}.
There have been several methods proposed for attacking McEliece's system, [1], [3], [4], etc. Among them, the best attack with least complexity is to repeatedly select k bits at random from the n-bit ciphertext vector c to form c_k, in the hope that none of the selected k bits is in error. If there is no error in them, then c_k G_k^{-1} is equal to m, where G_k is the k×k matrix obtained by choosing the k columns of G' according to the same selection as c_k.
The work factor for the matrix inversion is O(k^γ) for some γ between 2 and 3. However, all of the known algorithms with γ < 2.7 have enormous constants that make them infeasible for matrices of a reasonable size. Perhaps the Winograd algorithm ([5], p. 481) with γ ≈ 2.8 might be the best for these matrices of size between 500 and 1000. However, for the following analysis, we will use, as in [4], the elementary algorithm with γ = 3 and small constant α.
The probability that there is no error in k randomly selected bits, among n bits with t errors, is C(n - t, k) / C(n, k). Therefore, the total expected work factor for this attack is [3], [4]
$$W = \alpha\, k^3 \binom{n}{k} \Big/ \binom{n-t}{k}. \quad (4)$$
Originally, in [1], the values m = 10 and t = 50 (i.e. n = 1024, k = 524) were suggested, which result in a work factor of approximately 2^80.7 (with α = 1). More recently, in [4], the optimum value of t that maximizes the work factor for n = 1024 was shown to be 37 (or equivalently k = 654), providing W = 2^84.1.
Notice that the work factor for checking whether the obtained c_k G_k^{-1} is really m was not discussed in [1] and [4], while [3] just suggested that the validity of c_k G_k^{-1} may be determined by the redundancy in m, which might not be practical. (A systematic check is immediate: c + (c_k G_k^{-1}) G' must have weight at most t, as used in Step 2 below.)
Step 2) Choose an unused k-bit error pattern e_k with j or fewer ones. If (c + c_k G_k^{-1} G') + e_k (G_k^{-1} G') has weight t or less, then stop (m = (c_k + e_k) G_k^{-1}).
Step 3) If there are no more unused k-bit error patterns with j or fewer ones, go to Step 1). Otherwise, go to Step 2).
Notice that Algorithm 0 (the case j = 0) is the attack discussed in Section III including our systematic checking of c_k G_k^{-1}.
Let Q_i be the probability that there are exactly i errors among the randomly chosen k-bit vector c_k. It can be shown that
$$Q_i = \binom{t}{i}\binom{n-t}{k-i} \Big/ \binom{n}{k}. \quad (5)$$
Hence, the probability that the algorithm completes successfully is Σ_{i=0}^{j} Q_i. Therefore, the expected number of executions of Step 1), T_j, is
$$T_j = 1 \Big/ \sum_{i=0}^{j} Q_i. \quad (6)$$
Let N_j be the number of k-bit error patterns with j or fewer ones. Then
$$N_j = \sum_{i=0}^{j} \binom{k}{i}. \quad (7)$$
Hence, N_j is the number of executions of Step 2) for a given choice of c_k with more than j errors in it.
Notice that W = W_0. Also notice that for any reasonable values of α and β, W_j decreases and then increases as j increases. With α = β, we can show that the optimum j which minimizes the work factor is 2 for all values of useful code parameters. With α = β = 1, the minimum work factor is W_2 ≈ 2^73.4 for the case of n = 1024 and t = 37, which is a reduction by a factor of about 2^11 as compared to W_0. For the n = 1024 case, the value of t
For each Step 1) the new c_k is selected randomly. However, one can instead randomly update only one bit position of c_k each time. The work factor in this Step 1)' is then reduced to α' k^2 for updating (G_k^{-1} G'). In this case, however, we could not find the expected number of executions of Step 1)' before success, T_j'. If one assumes that T_j' is the same as T_j, it can be shown that the optimum j which minimizes W_j' is 1 when α' = β (with Step 2)). And for the previous example of m = 10, the value of t that maximizes W_1' is also 38, resulting in W_1' ≈ 2^69.6. And, together with Step 2)', we can improve by another factor of 10.
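As an added example (not code from the paper), the following Python program implements Algorithm j above on a toy instance and evaluates the work-factor expressions (4) to (7). The public key is a constructed random systematic generator matrix rather than a scrambled Goppa code: the attack only uses G' and t and never the code's structure, so any full-rank k×n matrix serves to demonstrate it. The toy parameters (n = 64, k = 16, t = 4, j = 1) and the seeds are assumptions; the full-size evaluations reproduce the 2^80.7 and 2^84.1 quoted above.

```python
import random
from itertools import combinations
from math import comb, log2


def vec_mat(v, rows):
    """Row vector v (int, bit i = coordinate i) times a matrix (list of row ints) over GF(2)."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out


def gf2_inverse(rows, k):
    """Gauss-Jordan inversion of a k x k matrix over GF(2); None if singular."""
    aug = [r | (1 << (k + i)) for i, r in enumerate(rows)]
    for col in range(k):
        pivot = next((i for i in range(col, k) if (aug[i] >> col) & 1), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for i in range(k):
            if i != col and (aug[i] >> col) & 1:
                aug[i] ^= aug[col]
    return [r >> k for r in aug]


def submatrix_columns(rows, cols):
    """Restrict every row to the chosen coordinates (bit b of the result = column cols[b])."""
    return [sum(((r >> c) & 1) << b for b, c in enumerate(cols)) for r in rows]


def keygen(n, k, rng):
    """Stand-in public key G': random systematic k x n matrix [I_k | A] (constructed)."""
    return [(1 << i) | (rng.getrandbits(n - k) << k) for i in range(k)]


def encrypt(m, G, n, t, rng):
    """c = m G' + e with a random error vector of weight t."""
    e = sum(1 << i for i in rng.sample(range(n), t))
    return vec_mat(m, G) ^ e


def is_valid(c, m, G, t):
    """Systematic check: m is right iff c + m G' has weight <= t."""
    return bin(c ^ vec_mat(m, G)).count("1") <= t


def lee_brickell(c, G, n, k, t, j, rng, max_trials=10_000):
    """Algorithm j: pick k coordinates, invert G_k, try every error pattern of weight <= j."""
    for trial in range(1, max_trials + 1):
        cols = sorted(rng.sample(range(n), k))                  # Step 1
        inv = gf2_inverse(submatrix_columns(G, cols), k)
        if inv is None:
            continue                                            # G_k singular: reselect
        c_k = submatrix_columns([c], cols)[0]
        Q = [vec_mat(row, G) for row in inv]                    # G_k^{-1} G', k x n
        residual = c ^ vec_mat(c_k, Q)                          # c + c_k G_k^{-1} G'
        for w in range(j + 1):                                  # Step 2
            for idx in combinations(range(k), w):
                e_k = sum(1 << b for b in idx)
                if bin(residual ^ vec_mat(e_k, Q)).count("1") <= t:
                    return vec_mat(c_k ^ e_k, inv), trial       # m = (c_k + e_k) G_k^{-1}
    return None, max_trials


def work_factor_bits(n, k, t):
    """log2 of (4) with alpha = 1: W = k^3 C(n,k) / C(n-t,k)."""
    return 3 * log2(k) + log2(comb(n, k)) - log2(comb(n - t, k))


def expected_trials(n, k, t, j):
    """(5) and (6): T_j = 1 / sum_{i<=j} Q_i, Q_i = C(t,i) C(n-t,k-i) / C(n,k)."""
    return comb(n, k) / sum(comb(t, i) * comb(n - t, k - i) for i in range(j + 1))


def error_patterns(k, j):
    """(7): N_j = sum_{i<=j} C(k,i)."""
    return sum(comb(k, i) for i in range(j + 1))


def run_demo(seed=2024, n=64, k=16, t=4, j=1):
    """Toy instance with a constructed key and a random message."""
    rng = random.Random(seed)
    G = keygen(n, k, rng)
    m = rng.getrandbits(k)
    c = encrypt(m, G, n, t, rng)
    m_rec, trials = lee_brickell(c, G, n, k, t, j, random.Random(seed + 1))
    valid = m_rec is not None and is_valid(c, m_rec, G, t)
    return {"m": m, "m_rec": m_rec, "valid": valid, "trials": trials}


if __name__ == "__main__":
    print(run_demo())
    print(round(work_factor_bits(1024, 524, 50), 1), round(work_factor_bits(1024, 654, 37), 1))
```

With the toy parameters an inversion succeeds in roughly one selection out of three (a random binary matrix is singular about 70% of the time) and about three quarters of the non-singular selections carry at most one error, so a handful of trials suffices; the real-size numbers show why the same loop is hopeless against n = 1024.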
In [6], it was shown that the syndrome decoding of a general linear algebraic code is an NP-complete problem and that the running time for syndrome decoding is an exponential function of its input dimension k, and it is claimed that the discovery of an algorithm which runs significantly faster than this would be an important achievement. The cryptanalytic attack of [1] described in Section III and our generalizations are general probabilistic decoding algorithms for any linear error correcting code which can run more efficiently (although still in exponential time) than the syndrome decoding of a general code when the number of errors in a code word seldom exceeds its error correcting capability.
References
[1] R. J. McEliece, "A public-key cryptosystem based on algebraic coding theory," CA, May 1978.
[2] E. R. Berlekamp, "Goppa codes," IEEE Trans. Inform. Theory, vol. IT-19, pp. 590-592, Sept. 1973.
[3] T. R. N. Rao and K.-H. Nam, "Private-key algebraic-coded cryptosystems," Proc. Crypto '86, pp. 35-48, Aug. 1986.
[4] C. M. Adams and H. Meijer, "Security-related comments regarding McEliece's public-key cryptosystem," to appear in Proc. Crypto '87, Aug. 1987.
[5] D. E. Knuth, The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, Addison-Wesley, 1981.
[6] E. R. Berlekamp et al., "On the inherent intractability of certain coding problems," IEEE Trans. Inform. Theory, vol. IT-22, pp. 644-654, May 1978.
HOW T O B R E A K OKAMOTO’S CRYPTOSYSTEM
BY REDUCING LATTICE BASES
ABSTRACT
The security of several signature schemes and cryptosystems, essentially proposed by Okamoto, is based on the difficulty of solving polynomial equations or inequations modulo n. The encryption and the decryption of these schemes are very simple when the factorisation of the modulus, a large composite number, is known.
We show here that we can, for any odd n, solve in probabilistic polynomial time quadratic equations modulo n, even if the factorisation of n is hidden, provided we are given a sufficiently good approximation of the solutions. We thus deduce how to break Okamoto's second degree cryptosystem and we extend, in this way, Brickell's and Shamir's previous attacks.
Our main tool is lattices, which we use after a linearisation of the problem, and the success of our method depends on the geometrical regularity of a particular kind of lattice.
Our paper is organized as follows: First we recall the problems already posed, their partial solutions, and describe how our results solve extensions of these problems. We then introduce our main tool, lattices, and show how their geometrical properties fit in our subject. Finally, we deduce our results. These methods can be generalized to higher dimensions.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 281-291, 1988.
© Springer-Verlag Berlin Heidelberg 1988
I. INTRODUCTION
Cryptosystems
In [6], Okamoto proposed a first public key cryptosystem: The public key is the pair (n, x0), where x0 is an easy element of Z(n). From a message u, which is small compared to n, the ciphertext y is built as follows:
$$y = (x_0 + u)^2 \ [n].$$
As quoted in [7], Shamir [8] has two attacks to break this system: the first one works for any pair (n, x0) while the second one uses the particular form of the public key. In the second version of the cryptosystem the ciphertext takes the form
$$y = (u_1 x_0 + u_2)^2 \ [n].$$
Okamoto stated as an open question the breaking of this second system. We show here that we can break this new cryptosystem without using the particular form of the public key (n, x0).
Signature Scheme
In [5], Okamoto and Shiraishi proposed a signature scheme: Given a 'one-way' function h, a signature x is considered as valid for a message u if
Brickell [2] broke this scheme, without using the particular form of n.
Now, we state and solve problems which are natural extensions of all the questions that we described above.
1.3. Two Problems
Problem 1. Given a square y0 and a subset I(a, x0) (resp. J(a, x0)) which is known to contain a square root x of y0, find x.
Problem 2. Given I(b, y0), a subset of Z(n), find x such that x^2 belongs to I(b, y0).
Solving the first problem with the intervals I breaks the first version of Okamoto's cryptosystem, while the second version of Okamoto's cryptosystem is attacked by solving this problem with the subsets J. The second problem is linked with improvements of Brickell's results.
We state here our main results, which solve generalisations of each of the problems. On the one hand, Theorem 1 and Theorem 1 bis, which are uniqueness results, allow us to break the second version of Okamoto's cryptosystem, but also to make precise some points of Shamir's attack on the first version. On the other hand, Theorem 2, which is an existence result, improves Brickell's previous attack on the signature scheme.

THEOREM 1. For any n, ε > 0, a and b reals in [0, 1] satisfying
$$2a + b = 1 - 3\varepsilon \quad \text{and} \quad b \ge a,$$
there exists an exceptional subset T(ε) of Z(n) such that the following is true:
i) Card T(ε) ≤ n^{1-ε};
ii) For any x0 not in T(ε) and any y0 in Z(n), the intervals J(a, x0) and I(b, y0) have at most two compatible pairs, say (x, y) and (n - x, y).
Moreover, there exists a probabilistic polynomial algorithm A which provides one of the following three answers:
'exceptional case' if x0 is in T(ε);
'no compatible couple';
(x, y) and (n - x, y) are the two compatible pairs.

THEOREM 1 BIS. For any n, ε > 0, a and b reals in [0, 1] satisfying
$$a + b = 1 - 2\varepsilon \quad \text{and} \quad b \ge 2a,$$
there exists an exceptional subset T'(ε) of Z(n) and a probabilistic polynomial algorithm which provides one of the following answers:
'exceptional case' if x0 is in T'(ε);
'no compatible couple';
(x, y) is the only compatible pair.

THEOREM 2. For any n, ε > 0, a and b reals in [0, 1] satisfying
$$a + b = 1 + 2\varepsilon \quad \text{and} \quad b \ge 2a,$$
there exists an exceptional subset T''(ε) of Z(n) such that the following is true:
i) Card T''(ε) ≤ n^{1-ε};
ii) For any x0 not in T''(ε) and for any y0 in Z(n), the intervals I(a, x0) and I(b, y0) are compatible.
Moreover, there exists a probabilistic polynomial algorithm C which provides one of the following answers:
'exceptional case' if x0 is in T''(ε);
a compatible pair (x, y) otherwise.
We give now the proofs of our results, mainly for Theorem 1 in the case of the subsets J, and see how our methods work for the intervals I in the proofs of Theorems 1 bis and 2. The main tool is lattices, for which there are two basic facts:
a) There is a high proportion of lattices with given determinant having their smallest vector not too small.
b) Given a lattice and a point m in the space, one can find, using an algorithm based on the LLL reduction algorithm [4], one point t which belongs to the lattice and which is close to m.
M(x0) = ( ... 2x0 ... n ) (matrix entries only partially legible), which has determinant n.
Are there many lattices M(x0) which have their shortest vector not too short? We have the following answer ([3], [9]):
For any n, ε > 0, for any triple k = (k0, k1, k2) of product 1, there exists an exceptional subset T(ε) of Z(n) such that the following is true:
i) Card T(ε) ≤ n^{1-ε};
ii) For any x0 not in T(ε), the shortest vector λ1(M(x0)) of the lattice M(x0) satisfies
$$\|\lambda_1(M(x_0))\| \ge n^{(1-2\varepsilon)/3}. \quad (3)$$
We deduce that we can apply the facts described in 2.3 to most lattices M(x0) provided we choose
$$2a + b = 1 - 3\varepsilon \quad \text{and} \quad c = (b - a)/3. \quad (4)$$
Let m = (0, 0, k2 y0); then t is in the ball B(m, ρ1). The ClosePoint algorithm finds a point t' in B(m, ρ1). As this ball contains only one point belonging to M(x0), we must then have t = t'. From t', it is then easy to get u1 by ordinary square root extraction, and then u2 and v; we then verify whether u1, u2, v satisfy (1). This ends the proof of Theorem 1.
We remark that the optimal choice for the pair (a, b) is
$$a = b = 1/3 - \varepsilon.$$
This result allows us to make precise some points of Shamir's first attack: The underlying framework of this attack is that of Theorem 1 bis. Why is it so often successful? We remark that the exceptional set T(ε) associated with the value of ε defined by the equality
$$a + \varepsilon = b - \varepsilon = \tfrac{1}{2} - \varepsilon$$
does not contain any easy point x0 provided that n^ε > 2. Shamir's attack almost always succeeds!
This attack also works even if the 2/3 least significant bits of the message are lost or erroneous.
References
[1] L. Babai, "On Lovász' lattice reduction and the nearest lattice point problem," Combinatorica 6 (1986), pp. 1-13.
Summary
At Eurocrypt 87 the block cipher F.E.A.L. was presented [2]. Earlier algorithms called F.E.A.L.-1 and F.E.A.L.-2 had been submitted to standardization organizations, but this was presumably the final version. It is a Feistel cipher, but in contrast to D.E.S., a software implementation does not require a table look-up. The intention was a fast software implementation and also an avoidance of discussions about random tables. As Walter Fumy indicated at Crypto 87 [1], a certain transformation on 32 bits used by the cipher was not complete, in contrast to a remark made during the presentation of F.E.A.L. at Eurocrypt 87. Furthermore, the transformation is too close to a quadratic function on the input.
I am informed that after my informal exposé at Crypto 87 about certain vulnerabilities of F.E.A.L., its designers have created F.E.A.L.4 with twice as many rounds. Later on again versions were renamed. The (definite?) version in the abstracts [2] without a serial number got version number 1.00 and F.E.A.L.4 got version number 2.00 in the proceedings of Eurocrypt '87 [3]. In this paper we shall show that F.E.A.L. as presented at Eurocrypt 87 is vulnerable to a chosen plaintext attack which requires at most ten thousand plaintexts.
Encryption Algorithm
For convenience and definiteness we first reformulate the encipherment algorithm. The FEAL algorithm is a block cipher acting on 64 bits of plaintext to produce a 64-bit ciphertext controlled by a 64-bit key.
One of the building blocks of the cipher is a transformation S from F_2^8 × F_2^8 × F_2 to F_2^8 defined by
S(x, y, a) = Rot((x + y + a) mod 256),
This research was supported by the Netherlands Organization for Advancement of Pure Research.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 293-299, 1988.
© Springer-Verlag Berlin Heidelberg 1988
i.e. the 8-bit numbers x and y are considered as residues mod 256, a is the residue class of 0 or 1, and Rot cyclically rotates the bits of its input 2 places such that the 6 least significant bits become the 6 most significant bits. Another building block is the exclusive-or on two bytes, denoted by ⊕. The same notation will be used for the exclusive-or sums of four-byte strings. We define an fk-box as follows: fk transforms 2 strings of 4 bytes L and R into a four-byte string O (in shorthand fk(L, R) = O). Denote the input by L(0) up to L(3) and R(0) up to R(3) and the output by O(0) up to O(3); then:
hulp = L(2) ⊕ L(3)
O(1) = S(L(0) ⊕ L(1), hulp ⊕ R(0), 1)
O(0) = S(L(0), O(1) ⊕ R(2), 0)
O(2) = S(O(1) ⊕ R(1), hulp, 0)
O(3) = S(O(2) ⊕ R(3), L(3), 1)
The function G transforms one string of four bytes into one string of four bytes as follows (in shorthand G(I) = O). Denote the input by I(0) up to I(3) and the output by O(0) up to O(3); then:
hulp = I(2) ⊕ I(3)
O(1) = S(I(0) ⊕ I(1), hulp, 1)
O(2) = S(O(1), hulp, 0)
O(3) = S(O(2), I(3), 1)
O(0) = S(O(1), I(0), 0)
The block cipher consists of a key schedule and a data randomizer. The key schedule operates as follows: The eight-byte key is considered as two strings A0 and B0 of four bytes each. Further, a four-byte string C0 with all 32 bits zero is introduced. Iteratively A_i, B_i, C_i, i = 1, ..., 6 are defined by
B_{i+1} = fk(A_i, C_i ⊕ B_i)
C_{i+1} = A_i
A_{i+1} = B_i.
Further we need two simple functions PL and PR transforming four-byte strings as follows:
PL(u, v, w, x) = (0, u, v, 0)
PR(u, v, w, x) = (0, w, x, 0).
The strings B1, ..., B6 of the key schedule are transformed into 6 strings M_i, i = 0, ..., 5 as follows:
M0 = B3 ⊕ PR(B1)
M1 = B3 ⊕ B4 ⊕ PL(B1)
M2 = PL(B1) ⊕ PL(B2)
M3 = PR(B1) ⊕ PR(B2)
M4 = B5 ⊕ B6 ⊕ PR(B1)
M5 = B5 ⊕ PL(B1).
The data randomizer operates as follows (see fig. 2): The 64-bit input is viewed as two strings P0 and P1 of four bytes. Now we define
D0 = P0 ⊕ M0
E0 = P0 ⊕ P1 ⊕ M1
D1 = E0
E1 = D0 ⊕ G(E0)
D2 = E1
E2 = D1 ⊕ G(E1)
D3 = E2
E3 = D2 ⊕ G(E2 ⊕ M2)
D4 = D3 ⊕ G(E3 ⊕ M3) ⊕ M5
E4 = E3 ⊕ M4
C0 = D4
C1 = D4 ⊕ E4
Finally the two strings C0 and C1 of four bytes each are concatenated to form the 64-bit ciphertext.
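The following Python implementation is an added example, not the author's code: it transcribes the reformulated cipher exactly as specified above (S, fk, G, PL/PR, the key schedule and the data randomizer) and adds the inverse of the data randomizer, which the paper does not spell out, so that the round trip can be checked. Blocks and keys are 8-byte tuples; the key used in the test is constructed. Note that M2 and M3 have zero outer bytes by construction, which is why the cryptanalysis below speaks of 160 rather than 192 unknown key bits.

```python
from functools import reduce


def S(x, y, a):
    """S(x, y, a) = Rot((x + y + a) mod 256), Rot = cyclic left rotation by 2 bits."""
    v = (x + y + a) & 0xFF
    return ((v << 2) | (v >> 6)) & 0xFF


def xor4(*words):
    """Byte-wise exclusive-or of 4-byte tuples."""
    return tuple(reduce(lambda u, v: u ^ v, column) for column in zip(*words))


def fk(L, R):
    """Key-schedule box fk(L, R) = O."""
    hulp = L[2] ^ L[3]
    O1 = S(L[0] ^ L[1], hulp ^ R[0], 1)
    O0 = S(L[0], O1 ^ R[2], 0)
    O2 = S(O1 ^ R[1], hulp, 0)
    O3 = S(O2 ^ R[3], L[3], 1)
    return (O0, O1, O2, O3)


def G(I):
    """Round function G(I) = O; the round subkey is XORed into I beforehand."""
    hulp = I[2] ^ I[3]
    O1 = S(I[0] ^ I[1], hulp, 1)
    O2 = S(O1, hulp, 0)
    O3 = S(O2, I[3], 1)
    O0 = S(O1, I[0], 0)
    return (O0, O1, O2, O3)


def PL(w):
    return (0, w[0], w[1], 0)


def PR(w):
    return (0, w[2], w[3], 0)


def key_schedule(key):
    """64-bit key (8-byte tuple) -> (M0, ..., M5)."""
    A, B, C = tuple(key[:4]), tuple(key[4:]), (0, 0, 0, 0)
    Bs = []
    for _ in range(6):                        # produces B1 .. B6
        A, B, C = B, fk(A, xor4(C, B)), A     # A_{i+1} = B_i, B_{i+1} = fk(A_i, C_i ^ B_i), C_{i+1} = A_i
        Bs.append(B)
    B1, B2, B3, B4, B5, B6 = Bs
    return (xor4(B3, PR(B1)),
            xor4(B3, B4, PL(B1)),
            xor4(PL(B1), PL(B2)),
            xor4(PR(B1), PR(B2)),
            xor4(B5, B6, PR(B1)),
            xor4(B5, PL(B1)))


def encrypt(P, M):
    """Data randomizer: 8-byte plaintext tuple -> 8-byte ciphertext tuple."""
    P = tuple(P)
    P0, P1 = P[:4], P[4:]
    D0 = xor4(P0, M[0])
    E0 = xor4(P0, P1, M[1])
    D1, E1 = E0, xor4(D0, G(E0))
    D2, E2 = E1, xor4(D1, G(E1))
    D3, E3 = E2, xor4(D2, G(xor4(E2, M[2])))
    D4 = xor4(D3, G(xor4(E3, M[3])), M[5])
    E4 = xor4(E3, M[4])
    return D4 + xor4(D4, E4)                  # C0 || C1


def decrypt(C, M):
    """Inverse of the data randomizer (added here; the paper only gives encryption)."""
    C = tuple(C)
    D4, E4 = C[:4], xor4(C[:4], C[4:])
    E3 = xor4(E4, M[4])
    D3 = xor4(D4, G(xor4(E3, M[3])), M[5])
    E2 = D3
    D2 = xor4(E3, G(xor4(E2, M[2])))
    E1 = D2
    D1 = xor4(E2, G(E1))
    E0 = D1
    D0 = xor4(E1, G(E0))
    P0 = xor4(D0, M[0])
    P1 = xor4(E0, P0, M[1])
    return P0 + P1


if __name__ == "__main__":
    M = key_schedule((0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF))   # constructed key
    ct = encrypt((0,) * 8, M)
    print(ct, decrypt(ct, M))
```

Since every operation is a byte addition, a rotation or an exclusive-or, the whole cipher is a few dozen integer operations per block, which is the fast software implementation the designers aimed for; the same simplicity is what makes G close to a quadratic function of its input.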
Cryptanalysis
To determine the key we use a chosen plaintext attack. The choice of the plaintext depends on results derived from previous plaintext and ciphertext. We are going to determine the 160 unknown bits in the M_i's as though there is no relation between them. Once they are determined we can decipher any ciphertext, but we also can use the key schedule from the bottom to determine the 64-bit
counts will give only one consistent possibility for the two or three values of c1. The actual counting never requires the full 192 ciphertexts but at most 127 ciphertexts in special cases (in a very favourable case 10 is enough).
To determine the 6 least significant bits of x0, note that at least one of the two or three actual values of c is odd; in that case there exists exactly one value b01 such that b01 will give carry = 1 and b01 ⊕ 1 will give carry = 0. From this we conclude that b01 equals 64 - c1. We know the corresponding value of a0, so indeed we can determine the six least significant bits of x0.
To proceed we use this knowledge and start changing the lowest bit of a0 ⊕ a1. Two well-chosen plaintexts and the corresponding values of f5 are enough to determine the least significant bit of x0 ⊕ x1. The same is true for the next two bits of x0 ⊕ x1. Simultaneously the three least significant bits of x2 ⊕ x3 are determined. To determine the next three bits of x0 ⊕ x1 and x2 ⊕ x3 might require 42 plaintexts in the worst case. Still, the value of f15 is all we need of the ciphertext.
Along similar lines we can determine x0 ⊕ x1, x2 ⊕ x3, the seven least significant bits of x0 and the seven least significant bits of x3. For the moment we are allowed to assume that x08 and x30 are zero. In other words K0 is determined, at the cost of at most 250 plaintexts.
Once K0 is determined the determination of K1 and K2 is easy and will cost at most 30 well-chosen plaintexts with the corresponding ciphertexts. There is a freedom in K1 of two bits but we can just make a choice.
Now observe what happens if we change P0 ⊕ P1. Then the new value of K1 is known. With the above described technique we establish the new value of K0. Then K2 follows directly because of a linear relation.
This results in knowledge of M0 ⊕ G(M1 ⊕ (P0 ⊕ P1)) for values P0 ⊕ P1 of our own choosing. With say at most 30 values we can establish M0 and M1 except for a freedom of two bits.
Finally we study the values C0 we have encountered up to this moment. Those give equations of the form
Q1 = M5 ⊕ G(M3 ⊕ Q2)
where Q1 and Q2 are known. Considering the fact that up to now we have between 100 and 10000 ciphertexts, it is safe to assume that we have enough data to determine M3 and M5.
Combining this knowledge we can decipher any ciphertext. If we want to recover the original key we use the restricted possibilities for M2 and M3 to reduce the uncertainty in M0 up to M5. Given those M_i's we can use these data and the last fk-box to solve B6 and B4 and a few more bytes. After that we can simply try the 256 possibilities for B3(2) and resolve the key schedule.
Conclusions
In the presented version the G-box is too regular. If one wants this small number of rounds (4), a better design should be possible. In [3] the algorithm with twice as many rounds is considered by the authors to be secure because four statistical values are close or equal to theoretical values, but the same argument was used for the algorithm presented at Eurocrypt '87. As this turned out not to be sufficient, one should use other arguments for the security of an encipherment algorithm.
Acknowledgement
The author wishes to thank D. Chaum and W. Fumy for a challenging remark which made me start the investigations. Further the author wishes to thank D. Chaum for stimulation during the investigations. The author also wishes to thank T. Siegenthaler for remarks on a draft version of this article.
References
1 W. Fumy, On the F-function of FEAL, lecture at Crypto 87.
2 A. Shimizu & S. Miyaguchi, Fast data encipherment algorithm FEAL, Abstracts of Eurocrypt 87.
3 A. Shimizu & S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology - Eurocrypt '87, Lecture Notes in Computer Science 304.
fig 1 (figure not reproduced; visible labels: a, x0, p, b0, y, F, M, f0, f1, f2, f3)
FAST CORRELATION ATTACKS ON STREAM CIPHERS
(Extended Abstract)
HTL Brugg-Windisch, CH-5200 Windisch, Switzerland
GRETAG Aktiengesellschaft, Althardstr. 70, CH-8105 Regensdorf, Switzerland
1. Extended Abstract
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 301-314, 1988.
© Springer-Verlag Berlin Heidelberg 1988
p \ t    2      4      6      8      10     12     14     16     m
0.51   0.999  1.000  1.000  1.000  1.000  1.000  1.000  1.000  1.000
0.53   0.976  0.997  0.997  0.997  0.997  0.997  0.997  0.997  0.997
0.55   0.870  0.992  0.993  0.993  0.993  0.993  0.993  0.993  0.993
0.57   0.642  0.982  0.986  0.986  0.986  0.986  0.986  0.986  0.986
0.59   0.362  0.963  0.976  0.976  0.976  0.977  0.977  0.977  0.977
0.61   0.132  0.926  0.963  0.965  0.965  0.965  0.965  0.965  0.965
0.63   0.039  0.856  0.945  0.950  0.951  0.951  0.951  0.951  0.951
0.65   0.007  0.734  0.917  0.932  0.934  0.934  0.934  0.934  0.934
0.67   0.001  0.555  0.875  0.910  0.914  0.915  0.915  0.915  0.915
0.69   0.000  0.327  0.805  0.880  0.891  0.893  0.893  0.893  0.893
0.71   0.000  0.150  0.692  0.836  0.863  0.868  0.868  0.869  0.869
0.73   0.000  0.043  0.515  0.768  0.825  0.838  0.841  0.841  0.841
0.75   0.000  0.009  0.311  0.660  0.771  0.800  0.808  0.811  0.811
For given t and d = N/k, Table 2 shows the value p = p(t, d) with F(p, t, d) = 0. p(t, d) turns out to be the limit probability where Algorithm B may still be successful.
d \ t    2    4    6    8    10   12   14   16   18
II.1. Algorithm A
Suppose that N digits of the sequence z, the length k of the LFSR with t taps as well as the correlation probability p are given.
$$m = m(N, k, t) = \log_2\!\Big(\frac{N}{2k}\Big)\,(t + 1)$$
$$p^* = \frac{p\, s^h (1-s)^{m-h}}{p\, s^h (1-s)^{m-h} + (1-p)(1-s)^h s^{m-h}}$$
$$R(p, m, h) = \sum_{i=h}^{m} \binom{m}{i}\, p\, s^i (1-s)^{m-i} \quad (5)$$
Table 3
is greater than k = 100. Furthermore the entry in the 4th column shows that 0.001855 · 109 = 0.2 < 1 digits among these are expected to be wrong. Thus we can expect to have already found more than k = 100 correct digits. In fact this can be confirmed experimentally.
Algorithm A
II.2. Algorithm B
$$U(p, m, h) = \sum_{i=0}^{h} \binom{m}{i}\Big(p\, s^i (1-s)^{m-i} + (1-p)(1-s)^i s^{m-i}\Big)$$
Thus we see that I(p, m, h) is maximum for hmax = 4 relations. Under these conditions 1250 digits are expected to be wrong. Carrying out the correction with respect to 4 relations, 0.1586 · 5000 = 793 digits are complemented. According to the fourth column, the number of wrong digits decreases by 0.0983 · 5000 = 492, from 1250 to 758 digits.
After the first round the expected number Nw of digits with p* below pthr is
Phase I can be iterated. To this purpose, formula (2) for s(p, t) has to be generalized to the situation where each of the t digits may have different probabilities p1, p2, ..., pt:
Algorithm B
Step 4: For every digit of z compute the new probability p* (cf. (2) and (15)) with respect to the individual number of relations satisfied (phase I). Determine the number Nw of digits with p* < pthr.
Step 5: If Nw < Nthr or i < α, increment i and go to step 4.
Step 6: Complement those digits of z with p* < pthr and reset the probability of each digit to the original value p (phase II).
Step 7: If there are digits of z not satisfying the basic feedback relation, go to step 3.
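To make the iteration concrete, here is an added Python simulation (my code, not the authors') of Algorithm B on a constructed instance: a k = 17 LFSR with feedback polynomial 1 + x^3 + x^17 (t = 2), N = 2000 output digits passed through a binary symmetric channel with P(correct) = p = 0.8. The parity-check relations are the feedback polynomial and its 2^j-th powers, the phase I update is the p* formula above with s generalised to individual digit probabilities as s_r = (1 + Π(2p_q - 1))/2 (my reading of (15)), and the stopping constants (pthr, Nthr, α, a cap of 5 phase I iterations per round) are assumed values, not the paper's. Steps 1 to 3 of Algorithm B are not reproduced on the page and are written here as the obvious set-up of the relations.

```python
import random
from math import prod

K = 17                 # LFSR length k
TAPS = (0, 3, 17)      # feedback polynomial 1 + x^3 + x^17 (t = 2 taps, chosen for the demo):
                       # every output digit satisfies z[i] ^ z[i+3] ^ z[i+17] = 0


def lfsr_sequence(state, length):
    """Run the LFSR from its K-bit initial state and return `length` digits."""
    z = list(state)
    for i in range(K, length):
        z.append(z[i - 17] ^ z[i - 14])
    return z


def build_checks(length):
    """checks[i] = relations through digit i, each as the list of the t other positions.
    Relations are the feedback polynomial and its 2^j-th powers (same taps scaled by 2^j)."""
    checks = [[] for _ in range(length)]
    scale = 1
    while TAPS[-1] * scale < length:
        offsets = [o * scale for o in TAPS]
        for base in range(length - offsets[-1]):
            pos = [base + o for o in offsets]
            for i in pos:
                checks[i].append([q for q in pos if q != i])
        scale *= 2
    return checks


def satisfied(z, i, others):
    return (z[i] + sum(z[q] for q in others)) % 2 == 0


def update_probabilities(z, probs, checks):
    """Phase I: p* for every digit from the relations it satisfies.
    s_r is the probability that the XOR of the other digits of relation r is correct;
    with individual digit probabilities p_q that is (1 + prod(2 p_q - 1)) / 2."""
    new = []
    for i, relations in enumerate(checks):
        num, den = probs[i], 1.0 - probs[i]            # digit correct / digit wrong
        for others in relations:
            s = (1.0 + prod(2.0 * probs[q] - 1.0 for q in others)) / 2.0
            if satisfied(z, i, others):
                num, den = num * s, den * (1.0 - s)
            else:
                num, den = num * (1.0 - s), den * s
        p_star = num / (num + den)
        new.append(min(max(p_star, 1e-9), 1.0 - 1e-9))  # keep strictly inside (0, 1)
    return new


def all_satisfied(z, checks):
    return all(satisfied(z, i, others) for i, rel in enumerate(checks) for others in rel)


def fast_correlation_attack(y, p, p_thr=0.5, n_thr=None, alpha=1, max_iter=5, max_rounds=50):
    """Algorithm B on the observed digits y. p_thr, n_thr, alpha, max_iter are assumed constants."""
    length = len(y)
    checks = build_checks(length)                         # steps 1-3: set up the relations
    n_thr = length // 10 if n_thr is None else n_thr
    z = list(y)
    rounds = 0
    while rounds < max_rounds and not all_satisfied(z, checks):   # step 7
        rounds += 1
        probs = [p] * length
        for it in range(1, max_iter + 1):                 # steps 4-5 (phase I)
            probs = update_probabilities(z, probs, checks)
            n_w = sum(1 for pr in probs if pr < p_thr)
            if n_w >= n_thr and it >= alpha:
                break
        flips = [i for i, pr in enumerate(probs) if pr < p_thr]
        for i in flips:                                    # step 6 (phase II)
            z[i] ^= 1
        if not flips:
            break
    return z, rounds


def agreement(state, y):
    """Attacker's own check: the regenerated sequence should agree with y in about p*N places."""
    z = lfsr_sequence(state, len(y))
    return sum(1 for a, b in zip(z, y) if a == b) / len(y)


def run_demo(seed=1, length=2000, p=0.8):
    """Constructed instance: random initial state, BSC noise with P(correct) = p."""
    rng = random.Random(seed)
    state = [rng.getrandbits(1) for _ in range(K)]
    state[0] = 1                                           # rule out the all-zero state
    z = lfsr_sequence(state, length)
    y = [b ^ (1 if rng.random() >= p else 0) for b in z]
    recovered, rounds = fast_correlation_attack(y, p)
    return {"state": state, "recovered_state": recovered[:K], "rounds": rounds,
            "initial_agreement": agreement(state, y),
            "errors_left": sum(1 for a, b in zip(recovered, z) if a != b)}


if __name__ == "__main__":
    print(run_demo())
```

Once every relation is satisfied the corrected digits form an LFSR sequence, and its first k digits are the initial state; the whole run costs a few passes over N·m relation evaluations, against the 2^k trials of an exhaustive search.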
(Columns, inferred from the arithmetic of the rows: iteration; Nw, the number of digits with p* < pthr; the number of wrong digits among them; the net decrease of wrong digits obtained by complementing them; the number of wrong digits in the sequence.)
round 1
  iteration 1   1784   998   212   7998
  phase II         0     0     0   7786
round 2
  iteration 1    264   151    38   7786
  iteration 2   1354   838   322   7786
  phase II         0     0     0   7464
round 3
  iteration 1    133    80    27   7464
  iteration 2    880   601   322   7464
  iteration 3   2364  1537   710   7464
  phase II         0     0     0   6754
round 4
  iteration 1     62    44    26   6754
  iteration 2    623   474   325   6754
  iteration 3   1693  1244   795   6754
  phase II         0     0     0   5959
round 5
  iteration 1     26    26    26   5959
  iteration 2    515   443   371   5959
  iteration 3   1499  1223   947   5959
  phase II         0     0     0   5012
round 6
  iteration 1     36    28    20   5012
  iteration 2    617   550   483   5012
  iteration 3   1594  1383  1172   5012
  phase II         0     0     0   3840
round 7
  iteration 1     52    50    48   3840
  iteration 2    675   619   563   3840
  iteration 3   1578  1425  1272   3840
  phase II         0     0     0   2568
round 8
  iteration 1     73    72    71   2568
  iteration 2    650   604   558   2568
  iteration 3   1317  1231  1145   2568
  phase II         0     0     0   1423
round 9
  iteration 1     66    66    66   1423
  iteration 2    509   498   487   1423
  iteration 3    921   905   889   1423
  iteration 4   1002   984   966   1423
  iteration 5   1039  1022  1005   1423
  phase II         0     0     0    418
round 10
  iteration 1     32    32    32    418
  iteration 2    183   183   183    418
  iteration 3    289   287   285    418
  iteration 4    306   305   304    418
  iteration 5    314   313   312    418
  phase II         0     0     0    106
round 11
  iteration 1      4     4     4    106
  iteration 2     62    62    62    106
  iteration 3     96    96    96    106
  iteration 4    106   106   106    106
  phase II         0     0     0      0
Shu Tezuka
I. INTRODUCTION
where a0, a_i, a_ij, ... are in GF(2), the Galois field with two elements. In particular, if F(x1, ..., xn) has the following form:
it is of great importance.
Moreover, when the function F1(x2, ..., xn) of (1) has a balanced truth table, there are two additional theorems that must be considered [3, 9].
Theorem E. In the feedback type, the function F1(x2, ..., xn) has a balanced truth table if and only if the autocorrelation with delay n of the key-sequence converges to zero as the cycle length approaches 2^n.
From the above results, we can see that when F(x1, ..., xn) has the form of (1) it is very significant for both types of feedback and feedforward generators. Therefore, we will concentrate on this type of nonlinear function in this paper.
IV. Analysis of the Mapping f(x) = ax + b (mod 2^n)
The mapping f(x) = ax + b (mod 2^n), which we refer to hereafter as an affine mapping, is of great importance from a practical viewpoint. It requires only one addition and one multiplication, thereby making the implementation much easier and speeding up the generation of the key-sequences. Another merit is theoretical, due to the fact that the linearity in the integer arithmetic sense makes the analysis of the key-sequence characteristics easier. First, we obtain the theorem that deals with the total number of distinct truth tables provided by affine mappings.
Theorem 4. Let f1(x), f2(x) be two affine mappings. For all x ∈ I_n
if and only if the truth table associated with f1(x) is identical with that of f2(x).
The following corollary is easily obtained.
The next theorem is important since it holds not only for affine mappings but for any mapping on I_n.
Theorem 5. The number of 1's in the truth table of F1(x2, ..., xn) is given as follows:
$$2^{n-1} - S_n(f),$$
where S_n(f) denotes the number of points (x, f(x)) in the range 0 ≤ x, f(x) < 2^{n-1}.
$$\cdots + \sum_{k=1}^{n-2} \cdots (t_k - 1)(t_{k+1} - 1) \cdots = 0,$$
The next corollary is useful for the practical design of nonlinear functions.
$$a - 2b - 1 \equiv 2^{n-1} \pmod{2^n},$$
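An added Python check (not the author's code) of Theorem 5 and of the corollary condition a - 2b - 1 ≡ 2^{n-1} (mod 2^n). Since the page does not reproduce form (1), the truth table of F1 is taken here, as the count in Theorem 5 suggests, to be the most significant output bit of f on the inputs with x1 = 0 (x < 2^{n-1}); for odd a this is exactly the F1 of the decomposition MSB(f(x)) = x1 ⊕ F1(x2, ..., xn), which the code also verifies. The corollary condition is checked exhaustively for small n and is sufficient for balance (x and 2^{n-1} - 1 - x are mapped to bitwise complementary values, so their top bits pair up); it is not necessary, as the included counterexample shows.

```python
def affine(a, b, n):
    """f(x) = a x + b (mod 2^n)."""
    mod = 1 << n
    return lambda x: (a * x + b) % mod


def f1_truth_table(a, b, n):
    """Assumed reading of F1(x2, ..., xn): the most significant output bit of f
    on the inputs with x1 = 0, i.e. x < 2^(n-1)."""
    half = 1 << (n - 1)
    f = affine(a, b, n)
    return [f(x) >> (n - 1) for x in range(half)]


def s_n(a, b, n):
    """S_n(f): number of points (x, f(x)) with 0 <= x, f(x) < 2^(n-1)."""
    half = 1 << (n - 1)
    f = affine(a, b, n)
    return sum(1 for x in range(half) if f(x) < half)


def ones_in_truth_table(a, b, n):
    return sum(f1_truth_table(a, b, n))


def theorem5_holds(a, b, n):
    """Theorem 5: number of 1's in the truth table of F1 = 2^(n-1) - S_n(f)."""
    return ones_in_truth_table(a, b, n) == (1 << (n - 1)) - s_n(a, b, n)


def has_form_1(a, b, n):
    """For odd a the top bit of f(x) splits as x1 XOR F1(x2..xn), because the x1 term
    contributes a * 2^(n-1) ≡ 2^(n-1) (mod 2^n); for even a it does not."""
    half = 1 << (n - 1)
    f = affine(a, b, n)
    table = f1_truth_table(a, b, n)
    return all((f(x) >> (n - 1)) == ((x >> (n - 1)) ^ table[x % half])
               for x in range(1 << n))


def corollary_condition(a, b, n):
    """a - 2b - 1 ≡ 2^(n-1) (mod 2^n)."""
    return (a - 2 * b - 1) % (1 << n) == 1 << (n - 1)


def is_balanced(a, b, n):
    """Balanced truth table: exactly half of the 2^(n-1) entries are 1."""
    return ones_in_truth_table(a, b, n) == 1 << (n - 2)


def corollary_exhaustive(n):
    """All (a, b) mod 2^n meeting the condition: how many, and are they all balanced?
    (They are: x and 2^(n-1)-1-x map to complementary values, so the top bits pair up.)"""
    mod = 1 << n
    pairs = [(a, b) for a in range(mod) for b in range(mod) if corollary_condition(a, b, n)]
    return len(pairs), all(is_balanced(a, b, n) for a, b in pairs)


if __name__ == "__main__":
    print(f1_truth_table(9, 0, 4), is_balanced(9, 0, 4), corollary_condition(9, 0, 4))
    print(corollary_exhaustive(6))
    print(is_balanced(5, 2, 3), corollary_condition(5, 2, 3))   # balanced without the condition
```

The decomposition check is the reason the corollary is useful in design: for odd a the generated key digit is x1 ⊕ F1(x2, ..., xn), so balance of F1 is decided entirely by the pair (a, b), and the condition gives one admissible a for every b.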
V. Discussions
DES (Data Encryption Standard) can be regarded as a nonlinear function when used in the output-feedback or in cipher-feedback modes. This cipher scheme, as well as classical ones, consists of two basic elements: permutation and substitution. However, in this paper we have proposed a new approach to building nonlinear functions by using integer arithmetic operations such as addition and multiplication. This approach has the following advantages:
1. It makes theoretical analysis of the cryptographic strength of the generated key-sequence easier.
2. It makes the implementation of the system easier and cheaper because integer arithmetic operation units are accessible or available in both software and hardware.
3. It provides a wide variety in selecting nonlinear functions when designing a stream cipher system.
ABSTRACT
The windmill technique has several practical advantageous over other techniques
for high-speed generation or blockwise generation of pn-sequences. In this paper
we generalize previous results by showing that if f ( t ) = a ( t " ) - p (t -")t L is the
minimal polynomial of a pn-sequence, then the sequence can be generated by a
windmill generator. For L = 1, . . .127, and v = 4,8,16 such that L = 1 3 mod 8
no irreducible polynomials f ( t > were found. When L E f l mod 8 the number of
primitive f(t)'s was found to be approximately twice the expected number.
I INTRODUCTION
In various crypto systems, m-sequence generators are used as building blocks in more complex systems. In systems like the EBU proposal [1] for the encryption of TV pictures, the m-sequence generators are used to generate blocks of (pseudo-)random symbols. A straightforward method to generate blocks of, say, $v$ symbols is to operate the m-sequence generator at $v$ times the rate at which the blocks are needed. This method, for instance, is used in the above-mentioned EBU proposal. Other methods which do not require this rate increase were described, for instance, in [2], [3], [4] and [5]. The windmill technique is one such method. It offers several practical advantages over all the other methods.
Part of this work was supported by the National Swedish Board for Technical Development under grant 863759 at the University of Lund.
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 325-330, 1988.
© Springer-Verlag Berlin Heidelberg 1988
The latter fact is very useful for cryptographic purposes because it makes it easy to use the generating polynomial as part of the key information.

In this extended abstract we describe a generalization of the windmill technique for generating m-sequences. The windmill structure is more general than the ones discussed in [3] and [5]. We state a new result that generalizes Theorem 7.4 in [5] and that gives the sufficient and necessary conditions for a feedback polynomial to be a primitive windmill polynomial. With this result it becomes easy to devise a straightforward search for all the primitive windmill polynomials.

Furthermore, we investigate the number of distinct windmill generators that can generate m-sequences of period $2^L - 1$ in blocks of size $v = 4, 8$ and $16$. When $L \equiv \pm 3 \pmod 8$ no irreducible windmill polynomials were found for $L = 7, \ldots, 127$. When $L \equiv \pm 1 \pmod 8$ the number of primitive windmill polynomials was found to be approximately twice the expected number, which is $2F(L)/L$, where $F(L) = \phi(2^L - 1)$. If the number of primitive windmill polynomials is small, then the possibility of changing the feedback polynomial of the generated sequence easily has little value for cryptographic applications. Hence the latter result, combined with the simple mechanism for changing the generating (windmill) polynomial in a windmill generator, shows that it is realistic to use the windmill polynomials as part of the key information.
[Figure: the windmill generator, with vanes $0, \ldots, v-1$ whose first stages are combined through the permutation $\sigma$.]
the vane. Evidently $\ell(k) \ge \max(m, n)$. Each vane has identical $\alpha(t)$ and $\beta(t^{-1})$. The contents of the first stage of each vane are used to form a $v$-tuple. The manner in which the $v$ symbols are combined to form the final $v$-tuple is governed by a permutation $\sigma$. The output sequence of vane $k$ is the sequence $x_k$ with generating function
$$x_k(t) = \sum_{i=0}^{\infty} x_i^{(k)}\, t^i .$$
The blocks of length $v$ are consecutive blocks from a sequence $z$ which is given by the expression
$$z(t) = \sum_{k=0}^{v-1} t^{\sigma(k)}\, x_k(t^v). \tag{2}$$
Theorem. Let $L, v$ be integers such that $1 \le v < L$ and let $L$ and $v$ be relatively prime. Furthermore, let $\alpha(t)$, respectively $\beta(t^{-1})$, be two polynomials over $GF(q)$ of positive degree $m < L/v$ and $n < L/v$ respectively, such that $\alpha(0) = 1$ and $\beta(0) \ne 0$. Suppose $f(t) = \alpha(t^v) - \beta(t^{-v})\,t^L$ is a primitive feedback polynomial over $GF(q)$. Then there exist a permutation $\sigma$ of the numbers $0, 1, \ldots, v-1$ and a set $\mathcal{L}$ of length parameters given by
$$\sigma(k) = Lk + c \pmod v, \qquad \ell(k) = \big(\sigma(k) - \sigma(k+1) + L\big)/v,$$
for $k = 0, 1, \ldots, v-1$ and $c$ fixed, such that the windmill $[\alpha(t), \beta(t^{-1}), \mathcal{L}, \sigma, v]$ generates the m-sequence $z$ with generating function
Before we look at the number of $f(t)$'s of the above type which are primitive, we want to make some comments. First, if the polynomial $f(t)$ in the above theorem is a primitive polynomial, then the sequence $z$ is an m-sequence. Secondly, if $\deg \beta(t^{-1}) = \lfloor L/v \rfloor$ then at least one of the vanes will have its input connected by the feedforward connection to the output of the vane. Such a connection could be a source of timing problems in practical applications. Windmill polynomials which do not result in such connections will be called proper windmills. A windmill is certainly proper if it satisfies the additional restriction $v(\deg \beta(t^{-1}) + 1) \le L$. Thirdly, without loss of generality we may put $c = 0$, and hence the values of $\ell(k)$ and $\sigma(k)$ depend only on $L$ and $v$. Fourthly, the theorem can easily be generalized to arbitrary polynomials of the type $f(t)$.
this assumption we expect to find the same fraction of windmill-type polynomials to be irreducible, respectively primitive. We find that the number of binary windmill polynomials of degree $L$ which satisfy the condition $f(0) = 1$ and are irreducible should be roughly
$$\frac{2^{\,1 + 2\lfloor L/v \rfloor}}{L}.$$
For the corresponding number of primitive windmill polynomials we find the estimate
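The "straightforward search" referred to above, as an added example (this is not code from the paper): it enumerates the binary windmill polynomials $f(t) = \alpha(t^v) + t^L\beta(t^{-v})$ for given coprime $L, v$, tests each for irreducibility (Rabin's test) and primitivity (the order of $t$ modulo $f$), computes the vane lengths $\ell(k)$ of the theorem with $c = 0$, and compares the count with the heuristic $2^{1+2\lfloor L/v\rfloor}/L$. Assumptions made here: coefficients over $GF(2)$ (so the minus sign in $f$ is a plus), $\alpha(0) = \beta(0) = 1$, and $\deg\alpha, \deg\beta \le \lfloor L/v \rfloor$ with degree 0 allowed; all function names are the example's own.

```python
"""Search for primitive binary windmill polynomials and their vane lengths.

A windmill polynomial of degree L for block size v (gcd(L, v) = 1) has the form
    f(t) = alpha(t^v) + t^L * beta(t^(-v)),   alpha(0) = beta(0) = 1,
so over GF(2) its exponents are 0, L, multiples of v up to deg(alpha)*v and
L minus multiples of v up to deg(beta)*v.  Polynomials are Python ints with
bit i holding the coefficient of t^i.
"""
from math import gcd

X = 0b10                                  # the polynomial t


def deg(a: int) -> int:
    return a.bit_length() - 1


def pmod(a: int, m: int) -> int:
    """a mod m in GF(2)[t]."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def pmulmod(a: int, b: int, m: int) -> int:
    """a * b mod m in GF(2)[t] (shift-and-add, reducing after every shift)."""
    a, r = pmod(a, m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return r


def ppowmod(a: int, e: int, m: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = pmulmod(r, a, m)
        a = pmulmod(a, a, m)
        e >>= 1
    return r


def pgcd(a: int, b: int) -> int:
    while b:
        a, b = b, pmod(a, b)
    return a


def prime_factors(n: int) -> list:
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out


def is_irreducible(f: int) -> bool:
    """Rabin: t^(2^L) = t (mod f) and gcd(t^(2^(L/q)) - t, f) = 1 for every prime q | L."""
    L = deg(f)
    if L < 1:
        return False
    sq = [X]                              # sq[i] = t^(2^i) mod f
    for _ in range(L):
        sq.append(pmulmod(sq[-1], sq[-1], f))
    if sq[L] != X:
        return False
    return all(pgcd(f, sq[L // q] ^ X) == 1 for q in prime_factors(L))


def is_primitive(f: int) -> bool:
    """Irreducible and t has multiplicative order 2^L - 1 modulo f."""
    if not is_irreducible(f):
        return False
    order = (1 << deg(f)) - 1
    return all(ppowmod(X, order // q, f) != 1 for q in prime_factors(order))


def windmill_polys(L: int, v: int):
    """All binary windmill polynomials of degree L for block size v."""
    assert 1 <= v < L and gcd(L, v) == 1
    k = L // v                            # deg(alpha), deg(beta) <= k (degree 0 allowed)
    for a in range(1 << k):               # bits of a: coefficients a_1..a_k of alpha
        for b in range(1 << k):           # bits of b: coefficients b_1..b_k of beta
            f = 1 | (1 << L)
            for i in range(1, k + 1):
                if a >> (i - 1) & 1:
                    f |= 1 << (v * i)
                if b >> (i - 1) & 1:
                    f |= 1 << (L - v * i)
            yield f


def irreducible_windmills(L: int, v: int) -> list:
    return sorted(f for f in windmill_polys(L, v) if is_irreducible(f))


def primitive_windmills(L: int, v: int) -> list:
    return sorted(f for f in windmill_polys(L, v) if is_primitive(f))


def vane_lengths(L: int, v: int) -> list:
    """l(k) = (sigma(k) - sigma(k+1) + L) / v with sigma(k) = L k mod v (c = 0)."""
    sigma = [(L * k) % v for k in range(v)] + [0]
    return [(sigma[k] - sigma[k + 1] + L) // v for k in range(v)]


def estimate_irreducible(L: int, v: int) -> float:
    """The paper's heuristic count 2^(1 + 2 floor(L/v)) / L."""
    return 2 ** (1 + 2 * (L // v)) / L


if __name__ == "__main__":
    for L, v in ((7, 4), (9, 4), (11, 4), (13, 4)):
        irr, prim = irreducible_windmills(L, v), primitive_windmills(L, v)
        print(f"L={L:2d} v={v}: {len(irr)} irreducible (estimate {estimate_irreducible(L, v):.2f}), "
              f"{len(prim)} primitive, vane lengths {vane_lengths(L, v)}")
```

For $L = 7$, $v = 4$ the search finds exactly $t^7 + t^3 + 1$ and $t^7 + t^4 + 1$; the vane lengths $[1, 2, 2, 2]$ sum to $L$, as they must, since the $\sigma(k) - \sigma(k+1)$ terms telescope.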
ABSTRACT
I. INTRODUCTION
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 331-343, 1988.
© Springer-Verlag Berlin Heidelberg 1988
The sequences $\{c_t\}$ and $\{a_t\}$ of the stage in Fig 1 are related by
Evidently $S_t = S_{-1} + \sum_{i=0}^{t} a_i \bmod p$. Since it determines where CR has got to in its cycle it will be called the phase of CR. (By $a \bmod p$ for positive $p$ we mean the value $x$ satisfying $0 \le x < p$ obtained by adding (subtracting) a suitable integer multiple of $p$ to (from) $a$.)

A modified system (the "m-sequence cascade") consists of a similar cascade of clock-controlled linear feedback shift registers of length $n$ with primitive feedback polynomials [1, p187]. The regularly clocked output of such a register has period $p = 2^n - 1$, and the sequence $\{b(0), b(1), \ldots, b(p-1)\}$ is a period of the m-sequence.

The output of a Gollmann cascade of length $K$ has period $p^K$ if $p$ is an odd prime [6]. If $p$ satisfies a further fairly weak condition (that $2^j - 1$ is not a multiple of $p$ for any $j$ with $0 < j < p - 1$, i.e. that 2 is a primitive root modulo $p$), then the linear equivalence is either $p^K$ or $p^K - 1$ [6, 4]. Among the small primes, 3, 5, 11, 13, 19 and 29 satisfy this condition whereas 7, 17, 23 and 31 do not. In an m-sequence cascade of length $K$ the period is $(2^n - 1)^K$ and the linear equivalence exceeds $n(2^n - 1)^{K-1}$ [3].
III. THE ATTACK
We now suppose that the stage just described is the final stage of the generator, so that $\{c_t\}$ is the final output, some of which has been intercepted by the cryptanalyst X. (How much he needs is considered below.) In the attack to be described he tries to reverse the transformation from $\{a_t\}$ to $\{c_t\}$ effected by the final stage. Iteration of this technique should then enable him to "unravel" the cascade, starting with the final stage.

The reversing transform is carried out as follows: X guesses a sequence $b'$ and a value $S'_{-1}$, and then sets
$$a'_t = c_t - b'(S'_{t-1}) \bmod 2, \qquad S'_t = S'_{t-1} + a'_t \bmod p, \qquad t = 0, 1, 2, \ldots \tag{2}$$
where the primed quantities are guesses or deductions from guesses. (When $b' = b$ and $S'_{-1} = S_{-1}$ we find that $\{a'_t\} = \{a_t\}$.) Such a transform may be implemented by a decryption stage (Fig 2) using the sequence $b'$ with initial phase $S'_{-1}$. In the case when $b'(t) = b((t + \phi) \bmod p)$ for some $\phi$ we say that $b$ has been guessed correctly except for phase. (Thus for $p = 3$ there are only two non-trivial choices for $b$ differing by more than phase.)

We now make Assumption A (to be examined below): suppose that X has guessed the sequence $b'$ correctly except possibly for the phase. Let $c_t$ in (2) be the output from (1). We may instead presume that $b' = b$ and that the initial guess $S'_{-1}$ needed for (2) may be incorrect. Then as the iteration (2) proceeds the phase $S'_t$ may be expected to bounce around in some manner until it happens to take the correct value $S_t$. Thereafter it is locked in to its correct value, so that for all future $t$ we find $S'_t = S_t$ and $a'_t = a_t$. (Investigations described in Sec 4 indicate that this takes on average a number of steps roughly equal to a constant times $p^2$, about $0.32\,p^2$.)

When the whole cascade is unravelled, the original input 111... is recreated. This is how X knows whether he has succeeded. At the same time he learns the phase of each CR in the generating cascade, not, it is true, at the start $t = 0$, but at a value of $t$ ($t_0$, say) where it is fairly safe to assume that lock-in has taken place. Thus the output from the generator after $t_0$ can be predicted. It is also possible to work backwards from $t_0$ to $t = 0$, so that the initial setting can be deduced. Let us consider (1a) as applying to the first stage of the generator, where X knows the input $a_t$ for all $t$ (as 1). Let us suppose moreover that X knows $S_{t-1}$ for $t > t_0$. Then he may find $S_{t-2}$ as $S_{t-1} - a_{t-1} \bmod p$, and so proceed backwards to $S_{-1}$. Thus the $c_t$ may also be found all the way back to the start. But $\{c_t\}$ is the input to the second stage, and thus the process can be iterated.
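The reversing transform (2) and the unravelling of a whole cascade, as an added example (this is not code from the paper). It simulates Gollmann stages as described in Sec 2 (add the input bit to $b(S_{t-1})$, then clock CR by the input bit), runs the decryption cascade from the final stage upward with wrong phase guesses, reports from which step the all-ones input reappears, and recovers the initial phases by the backward step $S_{t-2} = S_{t-1} - a_{t-1} \bmod p$. Assumption A (the attacker knows every $b$) is built in; the register contents and phases in `DEMO_REGS` are a constructed key, not values from the paper, and the function names are the example's own.

```python
"""Lock-in attack on a Gollmann cascade of clock-controlled cycling registers.

Stage model (Fig 1, eq (1)):  c_t = a_t xor b[S_{t-1}],  S_t = S_{t-1} + a_t mod p,
where b (of period p) is the cycling register's content and S its phase.  The
attacker knows each b (Assumption A) but not the phases; he applies the reversing
transform (2) with guessed phases and waits for lock-in.
"""
import random

# Constructed example key, p = 5: (register content b, initial phase), top stage first.
DEMO_REGS = [([0, 1, 1, 0, 1], 2), ([1, 0, 0, 1, 1], 4),
             ([0, 0, 1, 0, 1], 1), ([1, 1, 0, 1, 0], 3)]


def random_bits(n, seed):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def encrypt_stage(a_seq, b, phase):
    """Eq (1): c_t = a_t ^ b[S_{t-1}], then S_t = S_{t-1} + a_t mod p.  Returns (c, S_end)."""
    p, S, out = len(b), phase, []
    for a in a_seq:
        out.append(a ^ b[S])
        S = (S + a) % p
    return out, S


def decrypt_stage(c_seq, b, guess):
    """Eq (2): a'_t = c_t ^ b[S'_{t-1}], S'_t = S'_{t-1} + a'_t mod p.  Returns (a', S'_end)."""
    p, S, out = len(b), guess, []
    for c in c_seq:
        a = c ^ b[S]
        out.append(a)
        S = (S + a) % p
    return out, S


def cascade_encrypt(regs, top_input):
    """Run the input through the K stages top to bottom; returns (output, final phases)."""
    x, finals = top_input, []
    for b, phase in regs:
        x, S = encrypt_stage(x, b, phase)
        finals.append(S)
    return x, finals


def unravel(c, bs, guesses):
    """Attacker's decryption cascade, final stage first; returns (recovered top input, end phases)."""
    x, ends = c, []
    for b, g in zip(reversed(bs), reversed(guesses)):
        x, S = decrypt_stage(x, b, g)
        ends.append(S)
    return x, ends[::-1]


def lock_in_time(a, b, phase, guess):
    """Steps until the guessed phase first coincides with the true one (None if it never does)."""
    p, S, Sg = len(b), phase, guess
    for t, a_t in enumerate(a):
        if S == Sg:
            return t
        Sg = (Sg + ((a_t ^ b[S]) ^ b[Sg])) % p    # attacker's a'_t computed from c_t
        S = (S + a_t) % p
    return len(a) if S == Sg else None


def recover_initial_phases(bs, end_phases, top_input):
    """Work backwards from locked-in end phases: S_{-1} = S_end - sum(a_t) mod p, stage by stage."""
    x, phases = top_input, []
    for b, S_end in zip(bs, end_phases):
        phase = (S_end - sum(x)) % len(b)
        phases.append(phase)
        x, _ = encrypt_stage(x, b, phase)          # regenerate this stage's output from t = 0
    return phases


def first_all_ones(rec):
    """Index from which the recovered top input is all ones (the attacker's success check)."""
    t = len(rec)
    while t > 0 and rec[t - 1] == 1:
        t -= 1
    return t


if __name__ == "__main__":
    bs = [b for b, _ in DEMO_REGS]
    ones = [1] * 3000
    ct, _ = cascade_encrypt(DEMO_REGS, ones)          # generator mode: all-ones input
    rec, ends = unravel(ct, bs, [0] * len(bs))         # every phase guess is wrong
    print("all-ones input recovered from step", first_all_ones(rec), "of", len(rec))
    print("initial phases recovered:", recover_initial_phases(bs, ends, ones),
          "true:", [ph for _, ph in DEMO_REGS])
```

With the all-ones input, `first_all_ones` is the attacker's success test of Sec 3; with plaintext fed in at the top it is the receiver's self-synchronization described in Sec 5, and the phases returned by `unravel` are those at the end of the intercepted string, which is why `recover_initial_phases` rewinds them through the regenerated inputs.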
Assumption A is now examined. There are situations where it is valid for every stage without further ado: a) If for ease of manufacture the contents of each CR are laid down in advance, with the key determining how many steps are taken by each CR in preparing the initialization, then X knows each CR except for phase. b) In the m-sequence cascade with registers of length $n$ the period of each register is $p = 2^n - 1$. If the feedback polynomial of each stage is specified in manufacture, the outputs are again known apart from their phase, since all m-sequences associated with a given primitive feedback polynomial are cyclic shifts of one another [1, p186].

In other cases X has to make a number of trials, in only one of which Assumption A is valid for every stage. Thus in Gollmann's cascade with $p$ prime there are $2^p - 2$ initial settings for CR, and $(2^p - 2)/p$ initial settings that differ by more than phase. For a cascade of length $K$ the number of
TABLE 1
It might appear that the arrangement where the "slight delay" of Fig 1 is put instead at the point X would give a different problem, with $a_t$ implicitly dependent on $c_t$, rather than explicitly as in (2). For then we have
Appearances are however deceptive, and the inversion may be carried out by
$$a_t = c_t - b(S_t) \bmod 2, \qquad S_{t-1} = S_t - a_t \bmod p, \tag{4}$$
where we let $t$ run downwards from some large value $N$ to 0, and all we need to guess is the initial value $S_N$. Thus lock-in can be made to occur if the output sequence from (3) is fed backwards into (4).

This suggests that if the cryptographer arranges that a choice between "add then step" and "step then add" be made for each stage under the control of the key, then the use of lock-in as a cryptanalytic technique is made more difficult. It may however be better to spend the additional cryptographic effort on extending the length of the cascade, with a corresponding increase in the linear equivalence and the period [6].
First suppose the validity of Assumption A. Then the length of the bit-string needed for the attack by lock-in is of the order of $S = Kp^2$, where $p$ is the length of the cycling sequence $b$ and $K$ is the number of stages in the cascade. Since the decryption involves passing the string through $K$ decryption stages the computing complexity, that is the number of computing steps needed, is of the order of $C_A = K^2 p^2$. If on the other hand Assumption A is not valid then every possible instance of $b$ has to be tried in each stage and so the computing complexity is of the order of $C = K^2 p^2 \big((2^p - 2)/p\big)^K$. To give examples of these values we note that $C$ exceeds $10^{21}$ for $p = 3$, $K = 56$, or for $p = 11$, $K = 8$, with $S$ less than 1000 in both cases.

For an m-sequence cascade we set $p = 2^n - 1$ where $n$ is the register length. It may be necessary to use fixed feedback connections, so that Assumption A is valid. Then we find that $C_A > 10^{21}$ for $n = 34$, $K = 2$, or for $n = 29$, $K = 59$. Huge string-lengths are needed in these cases: we find $S = 5.9 \times 10^{20}$ and $1.7 \times 10^{19}$ respectively. On the other hand small values of $n$ would not be safe.
Without Assumption A the attack may be improved by a "meet-in-the-middle" technique. The encryption cascade is regarded as being in two sections, of length $a$ at the top and $b$ at the bottom, with $a + b = K$. All $(2^p - 2)^a$ possible initializations of the top section are tried and the initial part of each sequence thus generated is stored in order, together with the setting that generated it. All $\big((2^p - 2)/p\big)^b$ initializations of the lower part are used in a decryption cascade of length $b$ to lock in on to the sequence to be broken. Again the output strings are ordered. Then the analyst looks for matching pairs in the two ordered lists. If a matching pair is found it is investigated further. Optimally the two lists should be roughly of the same size, so that for small values of $p$ the size of $b$ is around two-thirds to three-quarters of $K$. This value should perhaps replace $K$ in the above considerations.
So far it has been assumed that the cascade is used as a pseudo-random binary sequence generator, with the all-1's sequence fed in at the top. Under these conditions lock-in is a cryptanalytic hazard. However it may be employed more constructively by the cryptographer. Suppose that the plaintext is fed into the top of the cascade, and the ciphertext taken from the bottom. Then the legitimate receiver will use a decryption cascade. Here the key given to the receiver specifies the contents of each register and Assumption A is certainly satisfied. Then it is almost certain that the lock-in property ensures the self-synchronization of the decryption, even if it is not properly synchronized at any stage. Under these circumstances we would want fairly quick lock-in, so that short registers (say $p = 3$) would be used in a long cascade (say $K = 100$). A long cascade is of course vital for security, the effective keylength being $K$ bits with $p = 3$. The mean time to lock-in with $p = 3$ and $K = 100$ is about $0.32 \times 3^2 \times 100 = 290$ steps.
We have also studied the effects of a single-bit error on lock-in. There are three types of such an error: the alteration, the insertion and the loss of a bit. Computer simulations (carried out for $p = 3, 5, 7$ and 11 with $K = 31$) suggest that lock-in times after a single-bit error have a distribution very like that for lock-in starting with random phases. Thus for the cascade with $p = 3$ and $K = 100$ the mean recovery time would be around 290 steps. This is just over twice the recovery time for a 64-bit block cipher such as DES [1, p267] used in the cipher-feedback mode [1, p287]. Moreover, as far as a cascade cipher is concerned the loss or insertion of a bit is no worse than the alteration of a bit, whereas for a block cipher such an error causes misalignment of the blocks, and some method for maintaining synchronization is needed.
We develop further the model of Sec 4 in which a random binary input $\{a_t\}$ is fed into an encryption stage E using a given sequence $b$ of given least period $p$, and the output $\{c_t\}$ generated according to (1) is fed to a decryption stage D also using $b$. We find easily computed expressions for the mean and variance of the number of steps to lock-in for any given $b$, averaged over the initial states of D and E. By a random binary sequence $\{a_t\}$ we mean that the $a_t$ are independent identically distributed random variables taking just the values 0 and 1 with equal probabilities, or equivalently that for any $n$ all sequences of length $n$ are equally likely. Since the sequences $\{a_t\}$ and $\{c_t\}$ (for given $b$ and $S_{-1}$) are in one-to-one reciprocal correspondence it is readily shown that $\{c_t\}$ is also a random binary sequence in the above sense.
Equations (1a) and (2) may be written as
is no need to distinguish between $S_t$ and $S'_t$, so the states may be represented as number pairs $(a, b)$ with $0 \le a < b < p$, the numbers being of course values of $S_t$ and $S'_t$. There are altogether $\tfrac{1}{2}p(p-1)$ such states, and they will be denoted by Greek suffices $\alpha$, $\beta$ and $\gamma$. Let $T_{\beta\alpha}$ denote the probability of a transition from $\alpha$ to $\beta$. Then we find that $T_{\beta\alpha} \ge 0$, and that $\sum_\beta T_{\beta\alpha} \le 1$, with $\sum_\beta T_{\beta\alpha} < 1$ if $\alpha$ can go to a coalesced state in one step. Let $p_\alpha(t)$ denote the probability of the system being in the state $\alpha$ at step $t$. We find
$$p_\beta(t+1) = \sum_\alpha T_{\beta\alpha}\, p_\alpha(t), \quad\text{or in vector-matrix notation}\quad p(t+1) = T\,p(t),$$
so that $p(n) = T^n p(0)$. The probability of "no lock-in after $n$ steps" may be written as $P_n = e' p(n)$ where $e$ is the all-ones vector. With a start from any state $\alpha$, lock-in takes place with a probability not less than $h = 2^{-Q}$ after $Q = p(p-1)$ steps. (The quantity $h$ is the probability that $\{a_t\}$ starts with $Q$ consecutive 1's.) Now the probability distribution after $n$ steps starting from the state $\alpha$ is $p_\beta = (T^n)_{\beta\alpha}$, so that $\sum_\beta (T^Q)_{\beta\alpha} \le 1 - h$. Thus for any integer $l \ge 0$ we find
By iteration this is then less than or equal to $(1-h)^{l+1}$, and hence so is each term in the sum on the left. We are using the fact that all these matrix components are non-negative. Thus we find that $T^n \to 0$ as $n \to \infty$. From this it follows (by reductio ad absurdum) that the eigenvalues of $T$ are strictly less than unity in magnitude. This approach may well give a hopelessly pessimistic estimate of the rate of convergence of $T^n$ to 0, but it is all that is needed for the theory.
The initial probability distribution will be taken as uniform, with $p(0) = (2/p^2)\,e$; this takes account of the possibility of coalescence at the start, since $P_0 = e' p(0) = 1 - 1/p$. The mean time to coalescence is then given by
$$\mu = \sum_{n=0}^{\infty} (n+1)(P_n - P_{n+1}) = \sum_{n=0}^{\infty} P_n = \frac{2}{p^2} \sum_{n=0}^{\infty} e' T^n e = \frac{2}{p^2}\, e'(I - T)^{-1} e,$$
where $I$ is the unit matrix. Here a matrix geometric progression has been summed, which is possible since all the eigenvalues are less than one in magnitude.
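The mean time to coalescence $\mu$ computed from the transition matrix, as an added example (this is not code from the paper). It builds $T$ from the stage rule for a given $b$, solves $(I - T')m = e$ exactly in rational arithmetic, and cross-checks the result against a Monte Carlo run of the same chain. It works with ordered pairs $(S, S')$ and the uniform start of $1/p^2$ per pair, which yields the same $\mu$ as the paper's $\tfrac{1}{2}p(p-1)$ unordered states with $p(0) = (2/p^2)e$; for $p = 3$ and $b = 001$ it gives $\mu = 26/9 \approx 0.32\,p^2$, the constant used in Sec 5. The function names are the example's own.

```python
"""Mean time to lock-in of one stage from the transition matrix T.

State = ordered pair (S, S') of true and guessed phase with S != S'.  The input bit a
is 0 or 1 with probability 1/2; with c = a ^ b[S] and a' = c ^ b[S'] the pair moves to
(S + a, S' + a') mod p and coalesces when the two coincide.  From a uniform start over
all p^2 pairs, mu = sum over states of p(0)_alpha * m_alpha, where m solves
    m_alpha = 1 + sum_beta T_{beta alpha} m_beta,   i.e.  (I - T') m = e.
"""
from fractions import Fraction
import random


def transitions(b):
    """T as a dict: state -> list of (next non-coalesced state, probability)."""
    p, T = len(b), {}
    for S in range(p):
        for Sg in range(p):
            if S == Sg:
                continue
            moves = []
            for a in (0, 1):
                a_rec = a ^ b[S] ^ b[Sg]                  # a' = c ^ b[S'], c = a ^ b[S]
                nxt = ((S + a) % p, (Sg + a_rec) % p)
                if nxt[0] != nxt[1]:                      # coalesced states are absorbing
                    moves.append((nxt, Fraction(1, 2)))
            T[(S, Sg)] = moves
    return T


def solve(A, rhs):
    """Gauss-Jordan elimination over Fractions; A is a list of rows."""
    n = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(n):
        piv = next(i for i in range(col, n) if M[i][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [x * inv for x in M[col]]
        for i in range(n):
            if i != col and M[i][col] != 0:
                f = M[i][col]
                M[i] = [x - f * y for x, y in zip(M[i], M[col])]
    return [row[n] for row in M]


def mean_lock_in(b):
    """Exact mean number of steps to coalescence from a uniformly random (S, S')."""
    T = transitions(b)
    states = list(T)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    A = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]   # I - T'
    for s, moves in T.items():
        for nxt, pr in moves:
            A[idx[s]][idx[nxt]] -= pr
    m = solve(A, [Fraction(1)] * n)
    p = len(b)
    return sum(m) / (p * p)                # pairs with S == S' contribute 0 steps


def simulate_mean(b, trials, seed):
    """Monte Carlo estimate of the same quantity, as a cross-check."""
    rng, p, total = random.Random(seed), len(b), 0
    for _ in range(trials):
        S, Sg = rng.randrange(p), rng.randrange(p)
        while S != Sg:
            a = rng.randrange(2)
            Sg = (Sg + (a ^ b[S] ^ b[Sg])) % p
            S = (S + a) % p
            total += 1
    return total / trials


if __name__ == "__main__":
    for b in ([0, 0, 1], [0, 1, 1, 0, 1], [0, 0, 0, 1, 0, 1, 1]):
        p, mu = len(b), mean_lock_in(b)
        print(f"p={p} b={b}: mean {float(mu):.3f} = {float(mu) / p ** 2:.3f} p^2, "
              f"simulated {simulate_mean(b, 20000, 1):.3f}")
```

The chain depends on $b$ only through $b(S) \oplus b(S')$, so complementing $b$ or shifting it cyclically leaves $\mu$ unchanged; for $p = 3$ the two choices of $b$ that differ by more than phase therefore have the same mean.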
FIG 1: A stage of Gollmann's cascade, as described in Sec 2. The input bit $a_t$ is added to the output from the cycling register CR to give the output $c_t$. It is also used to clock CR after the addition. In another arrangement (Sec 5) the "slight delay" is put at X instead, so that CR is clocked before the addition.
[FIG 2: the decryption stage, using the sequence $b'$ and the "slight delay" (figure not reproduced).]
Cunsheng Ding
Department of Applied Mathematics
Northwest Telecommunication Engineering Institute
Xian, People's Republic of China
I . INTRODUCTION
and $S_i = (a_{1i}\ a_{2i}\ \ldots\ a_{ri})^t$, $(B_1\ B_2\ \ldots\ B_M)^t$, $S^i = S_1 \ldots S_i$. Then Massey's conjectured algorithm in Fig. 1 can be stated as
MASSEY'S CONJECTURE: Assume that $(f_i, l_i)$ is the SLFSR which generates $S^i$,
$$d_n = -\sum_{i} u_i \ldots, \qquad I = \{\, i : u_i \ne 0,\ 1 \le i \le r \,\}$$
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 345-349, 1988.
© Springer-Verlag Berlin Heidelberg 1988
Let $f_i = 1 + f_{i,1} x + \cdots + f_{i,l_i} x^{l_i}$ and $\bar f_i = (0 \ldots 0\ f_{i,1} \ldots f_{i,l_i}\ 1\ 0 \ldots 0)$, of size $(n - L) \times n$; then the following Theorem 1 holds.
Theorem 1. Let $f(x) = 1 + u_1 x + \cdots + u_L x^L$ ($L < n + 1$); then $(f, L)$ generates $S^i$
Theorem 3. Assume that $(f_i, L)$ is the SLFSR which generates $S^i$, and let $l_i$ be the shortest $L$ such that $(f_i, L)$ can generate $S^i$. If $(g, L)$ generates
that $f_k \ne 0$.
$-f(S_{k+1}) = 0$.
Thus $h(S_{k+1}) = \cdots = h(S_{L+1}) = 0$. This means that $(h, L) = (g, L)$ generate $S^{k_1 + j}$. Put $L = m + k_1$; then $j \ge L$ ... For the same reason we know that $(h(x),$
$(f, l_{n+1})$ is a SLFSR that generates $S^{n+1}$, and $l_{n+1} = n + 1$. By Theorem 2 there must
2) If $V = F^m$, then it is Massey's one for multi-sequence LFSR synthesis.
3) If $V = F^{n \times n}$, then it gives a minimal realization algorithm for matrix sequences.
4) If $F = GF(q)$, $V = GF(q^m)$, then it gives a minimal realization algorithm for the sequence in $GF(q^m)$ over $GF(q)$.
ACKNOWLEDGMENT
[Fig. 1: Massey's conjectured algorithm (flow chart), with $c(D) \leftarrow 1$ and the step $n + 1$. COMMENT: any $c(D) = 1 + c_1 D + \cdots + c_n D^n$ can be used at the point marked $*$.]
ABSTRACT
1. Intrduction
Reed and Stewart [11], Spann [5] and [2] have studied the arrays of so-called perfect maps. This has led to research on various types of window properties for arrays (see [2]-[11]).

In this paper, we make a systematic study of the linear recurring m-arrays of dimension 2. We characterize their structure and discuss their properties of translation-addition, pseudo-randomness and sampling. We also give the number of linear recurring m-arrays.

All the results in this paper are obtained over the finite field $GF(2)$. One can easily generalize the results to any finite field $GF(q)$.
2. Basic concepts
and
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 351-357, 1988.
© Springer-Verlag Berlin Heidelberg 1988
[Array display: an $m \times n$ window of 0's and 1's whose free entries are marked $*$ (not reproduced).]
where the entries at the $*$ positions are elements in $F_2$, then we say $A$ is an LR array of order $m \times n$. The window $A(0,0)$ is called the initial state of $A$.
Definition 2.3: If an LR array of order $m \times n$ is also an m-array of order $m \times n$, then we call it an LR m-array of order $m \times n$.
3. m-Array
Let $L$ be a non-zero function on the field $GF(q)$ over its prime field $GF(p)$. We define $L^*$ to be an elementwise transformation between vectors or matrices over $GF(q)$ and those over $GF(p)$ respectively, as follows
Let $f(x) = x^m + \sum_{i=1}^{m} c_i x^{m-i}$ be a monic polynomial of degree $m$ over $GF(2)$. Let
(3.1)
we say $A \in G(f, T)$.
Proposition 3.6: Let $A \in G(f, T)$ be an m-array of order $m \times n$ and period $r \times s$. Then $r$ = the period $p(f)$ of $f(x)$ and $o(2 \bmod r) = m$.
Proposition 3.7: If $rs = 2^{mn} - 1$, then either $o(2 \bmod r) = mn$ or $o(2 \bmod s) = mn$.
Proposition 3.8: Let $f, T$ be as in Prop. 3.4, all arrays in $G(f, T)$ be $(r, s; m, n)$ m-arrays, $o(2 \bmod r) = m$ and $u$ be a root of $f(x)$. Construct a polynomial $g(x)$ of degree $n$ over $F_2(u) = GF(2^m)$ as follows:
4. General LR m-Array
In this section, we discuss general LR m-arrays. The main results are about their structure, enumeration and the necessary and sufficient conditions for the existence of arrays with a given period $r \times s$.
Remark 4.6: By Prop. 3.9, it is easy to prove that, for any two conjugate primitive elements $\gamma_1$ and $\gamma_2$ of $GF(2^{mn})$ with respect to $GF(2)$, $A_{r \times s}(\gamma_1, L)$ and $A_{r \times s}(\gamma_2, L)$ are equivalent. But the number of conjugate classes of primitive elements of $GF(2^{mn})$ with respect to $GF(2)$ is also $\phi(rs)/\log_2(rs + 1)$, so that there is a 1-1 correspondence between the equivalence classes of $r \times s$ periodic LR m-arrays and the conjugate classes of primitive elements of $GF(2^{mn})$ (or all primitive polynomials of degree $mn$ over $GF(2)$) (see Remark 4.5 and Corollary 4.4.2). This map can be obtained by (4.1) of Remark 4.5.
The above correspondence is very useful in Section 5 for studying the properties of LR m-arrays. From now on, $G_{r \times s}(f)$ will denote the set of all the arrays of period $r \times s$ which correspond to a primitive polynomial $f$.
5. Properties of LR m-Arrays
Proposition 5.2: For any LR m-array of order $m \times n$, the $mn$ vectors $X(i, j)$ ($0 \le i < m$, $0 \le j < n$) are linearly independent and all $A(i, j)$ can be linearly expressed by them.
Definition 5.1: Let $A = (a_{ij})_{i \ge 0,\, j \ge 0}$, and let $(r, s)$ be a pair of positive integers. We call $(a_{ir,\,js})_{i \ge 0,\, j \ge 0}$ an $(r, s)$-sample of $A$. Especially, ... is called a diagonal sample of $A$.
$r' = r\,2^t \bmod (2^m - 1)$ and $s' = s\,2^{t + mnt'} \bmod (2^{mn} - 1)$ for some $t$ and $t'$
$$C_A(p, q) = \begin{cases} rs & \text{when } p \equiv 0 \pmod r \text{ and } q \equiv 0 \pmod s, \\ -1 & \text{otherwise.} \end{cases}$$
Theorem 5.4: Suppose $A$ is a pseudo-random array with period $r \times s$. Then $rs \equiv 3 \pmod 4$ and the difference between the numbers of 1's and 0's in a period of $A$ is 1.
$$C_{A,B} : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}, \qquad C_{A,B}(p, q) = \sum_{i} \sum_{j} T(a_{ij})\, T(b_{i+p,\, j+q}),$$
$$|C_{A,B}(t_1, t_2)| \le 2^{n-1} - 2^{k}$$
REFERENCES
[1] Zhe-xian Wan, Algebra and Coding Theory, Science Press, Beijing, 1980, revised edition.
[2] B. Gordon, "On the existence of perfect maps", IEEE Trans. Inform. Theory, vol. IT-12, pp. 486-487, 1966.
[3] F.J. MacWilliams and N.J.A. Sloane, "Pseudo-random sequences and arrays", Proc.
Eiji OKAMOTO
ABSTRACT
I. INTRODUCTION
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 361-373, 1988.
© Springer-Verlag Berlin Heidelberg 1988
There are two methods of designing encryption schemes to overcome the mutual dependence of keys. The first method is based on key selection such that the keys to be selected are separated from each other in the key space; this is called a 'sphere packing cipher'. Nakamura [1] showed this kind of self-synchronizing stream cipher scheme using error correcting codes. The design of transposition ciphers using Reed-Solomon codes in [2] is also based on the same idea.

The second method is based on a design such that the probability of any key lying in the neighborhood of any other key is made as small as $2^{-56}$, for instance. This method does not require the special selection of keys of the first method: users can select any key in the key space.

The second method leads to a new concept of the number of keys, the Substantial Number of Keys (SNK). Roughly speaking, SNK is the number of keys which are different from each other in the sense that close keys are regarded as one key. In this paper, the difference of two keys in the key space is defined precisely and SNK is discussed in this space. The design parameters of any encryption scheme are restricted by the condition that the scheme should have enough SNK to resist exhaustive key attacks. The sphere packing cipher is also reviewed from the point of view of SNK. The SNK should be considered one of the criteria of encipherment strength.
1. Definition of SNK
A key space consists of the set of all keys, the probabilities of selecting each key, and the differences between any two keys. The key set of a transposition cipher, for example, contains all transpositions including the identity (pass-through) transposition of the input data. Let $Q_d(K)$ be the probability of selecting a key lying in the sphere of radius $d$ around key $K$. Then the substantial number of keys, $\mathrm{SNK}_d$, regarding any two keys within difference $d$ of each other as the same, is defined as
where $A[\ ]$ means the average with respect to the probability of selecting keys. This definition is justified by the following example: the total number $N$ of stones is given by $1/Q$ when the probability of selecting any one stone from all stones is $Q$, because $Q = 1/N$.

Although the difference of two keys in the key space could be defined in various ways, this paper employs the reversed-bits rate [1], $r(K_1, K_2)$, to define it.
Here, $M$ is any message, and $E_K(\ )$, $D_K(\ )$ are encryption and decryption with key $K$, respectively. Key $K_2$ is not necessarily the decryption key corresponding to $K_1$. The function $h(\ ,\ )$ denotes Hamming distance, and $L(\ )$ denotes length. In Eq.(2), $A[\ ]$ is the average when the message $M$ is randomly selected from the message space which contains all messages. Then, the difference $\rho(K_1, K_2)$ between two keys $K_1$ and $K_2$ is defined as
$$\rho(K_1, K_2) = \frac{1}{2} - \left|\, \frac{1}{2} - r(K_1, K_2) \right| . \tag{3}$$
The difference $\rho$ is the reversed-bits rate $r$ when $r \le 1/2$, or $1 - r$ when $r > 1/2$. In other words, it is the minimum distance between the reversed-bits rate and 0 or 1. The measure is useful especially for voice data.
2. Examples of SNK
This section illustrates the SNK's of the four block ciphers in Fig.2. In the figure, (a), (b) and (c) are examples of fundamental ciphers and (d) is an example of a product cipher. Every key is selected with equal probability. The integer $n$ means the block length of the ciphers.

a) Exclusive-or cipher
An exclusive-or cipher has the vector $P$ as its key. The key space is an $n$-dimensional space which contains $2^n$ keys in all. If the Hamming distance between the encrypting key $P_1$ and the decrypting key $P_2$ is $h$, the reversed-bits rate $r$ is given by
$$r = \frac{h}{n}. \tag{4}$$
If $P_2$ is a uniform random variable, the distance $h$ is a binomial random variable. Then the probability $Q_d = A[Q_d(P_1)]$ is the probability that $r < d$ or $r > 1 - d$, that is, that $h < dn$ or $h > (1 - d)n$, given by partial binomial sums of the form
$$\sum_{i=0}^{k} \binom{n}{i} p^i q^{n-i}, \qquad p + q = 1,$$
which may be approximated in terms of the error function of $(k - np)$.
Therefore $\mathrm{SNK}_d = 1/Q_d$.
Figure 3 (a) shows the SNK curve of exclusive-or ciphers with respect to $n$, where $d$ is regarded as a parameter. The number $k$ is the length of the SNK:
$$k = \log_2 \mathrm{SNK}. \tag{11}$$
The data block length $n$ should be more than 500 if $\mathrm{SNK} > 2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.
b) Substitution cipher
A substitution cipher of $n$-bit blocks is a permutation of the $n$-bit patterns, hence the total number of keys is $2^n!$. Let $K_1, K_2$ denote the keys of the encryption and decryption transformations, respectively, and $D_{K_2} E_{K_1}$ the composite of the two transformations. The reversed-bits rate between any input bit to $D_{K_2} E_{K_1}$ and any output bit from it is equal to that between the MSB's (most significant bits) of the input and the output. Figure 4 illustrates an example of substitution ciphers when $n = 3$. When the Hamming distance between column $I_1$ (the MSB of the input bits) and $O_1$ (the MSB of the output bits) is $2h$, which is always even, the reversed-bits rate is
$$r = \frac{2h}{N}, \tag{12}$$
and the total number of substitution ciphers is given by:
with the ranges $h < dM$ and $h > (1 - d)M$ corresponding to $r < d$ and $r > 1 - d$ respectively.
Equation (14) is the same as Eq.(9) if the integer $n$ in Eq.(9) is replaced with $2^n$. This means substitution ciphers might be exponentially stronger than exclusive-or ciphers. Hence, the SNK of substitution ciphers is equal to:
Figure 3 (b) shows the SNK curve of substitution ciphers with respect to $n$, where $d$ is regarded as a parameter. The data block length $n$ should be more than 8 if $\mathrm{SNK} > 2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.
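The exclusive-or and substitution SNK curves of Fig.3 (a) and (b), as an added example (this is not code from the paper). It computes $Q_d$ exactly from the binomial distribution of $h$ rather than through the error-function approximation, takes $\mathrm{SNK}_d = 1/Q_d$ (the definition implied by the stone example of Section 1), obtains the substitution curve by the replacement $n \to 2^n$ of Eq.(14), and searches for the smallest block length with $\log_2 \mathrm{SNK} \ge 56$ at $d = 0.3$. Because it sums the binomial tails exactly, the thresholds it prints need not coincide with the values read off the figure (500 and 8); the function names are the example's own.

```python
"""Substantial number of keys (SNK) of the exclusive-or cipher, and of the substitution
cipher through the n -> 2^n correspondence between Eq.(14) and Eq.(9).

Assumed definition: SNK_d = 1 / A[Q_d(K)], with Q_d(K) the probability that a uniformly
chosen second key lies within difference d of K, the difference being rho = min(r, 1 - r)
of Eq.(3).  For the exclusive-or cipher r = h/n with h = wt(P1 xor P2) ~ Binomial(n, 1/2),
so Q_d = Pr[h < d n] + Pr[h > (1 - d) n], independent of P1.
"""
from fractions import Fraction
from math import comb, log2


def q_xor(n: int, d) -> Fraction:
    """Exact Q_d for the exclusive-or cipher with block length n (d given as 0.3 or '3/10')."""
    d = Fraction(str(d))                       # exact threshold: 0.3 becomes 3/10, not a float
    in_sphere = sum(comb(n, h) for h in range(n + 1) if h < d * n or h > (1 - d) * n)
    return Fraction(in_sphere, 2 ** n)


def snk_xor(n: int, d) -> Fraction:
    """SNK_d = 1 / Q_d for the exclusive-or cipher (infinite if no key is within d)."""
    q = q_xor(n, d)
    return 1 / q if q else float("inf")


def snk_bits_xor(n: int, d) -> float:
    """k = log2 SNK, Eq.(11), from the exact fraction so that huge values do not overflow."""
    q = q_xor(n, d)
    if q == 0:
        return float("inf")
    return log2(q.denominator) - log2(q.numerator)


def snk_bits_substitution(n: int, d) -> float:
    """Substitution cipher on n-bit blocks: Eq.(14) is Eq.(9) with n replaced by 2^n."""
    return snk_bits_xor(2 ** n, d)


def min_block_length(bits_fn, target_bits, d, n_max=4096) -> int:
    """Smallest block length n with log2 SNK >= target_bits (56 for SNK >= 2^56)."""
    for n in range(1, n_max + 1):
        if bits_fn(n, d) >= target_bits:
            return n
    raise ValueError("target not reached below n_max")


if __name__ == "__main__":
    for n in (8, 64, 128, 256, 512):
        print(f"exclusive-or, n={n:4d}: log2 SNK = {snk_bits_xor(n, 0.3):7.2f}")
    print("exclusive-or: smallest n with SNK >= 2^56 at d=0.3:",
          min_block_length(snk_bits_xor, 56, 0.3))
    print("substitution: smallest n with SNK >= 2^56 at d=0.3:",
          min_block_length(snk_bits_substitution, 56, 0.3, n_max=16))
```

For $n = 8$ and $d = 0.3$ the sphere covers $h \in \{0, 1, 2\}$ and $h \in \{6, 7, 8\}$, so $Q_d = 74/256$ and $\log_2 \mathrm{SNK} \approx 1.79$ bits; the threshold $d$ is handled as an exact rational so that boundary cases such as $dn$ integral are decided without floating-point error.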
c) Transposition cipher
There are $n!$ transposition ciphers of $n$-bit blocks in all. Since the inverse of a transposition cipher and the composite of two transposition ciphers are again transposition ciphers, the transformation $D_{K_2} E_{K_1}$ is another transposition cipher. An example of $D_{K_2} E_{K_1}$ is illustrated by Fig.5. In the figure, the integer $h$ is the number of bits actually permuted in the product transposition. The reversed-bits rate of the product transposition cipher is
$$r = \frac{h}{2n} \le \frac{1}{2}. \tag{16}$$
The total number of transposition ciphers in which $h$ bits are actually permuted is
$$\sum_{j=0} \ldots$$
When $h > 5$, the quotient by $h!$ coincides with $e^{-1}$ to more than 2 digits. The probability of $r < d$ is obtained by
$$\sum_{h} \frac{n!}{e\,(n - h - a)!\, a!} \ldots$$
Hence, the probability of $r < d$ or $r > 1 - d$ is
$$\ldots \approx 2e^{-1} \sum_{j \text{ even}} \ldots \approx \ldots, \qquad l = (1 - 2d)n .$$
Here, the second and third $\approx$ hold because the terms corresponding with $j = 2$ and $l = (1 - 2d)n$ are much larger than the other terms. Therefore, the SNK of the transposition and exclusive-or cipher is obtained by
The length of the SNK of the transposition and exclusive-or ciphers, $k_{T\&E}$, is nearly equal to
$$k_{T\&E} \approx k_T + (1 - 2d)n - 1, \tag{26}$$
where $k_T$ indicates the length of the SNK of the transposition cipher. This shows that the SNK length of the transposition cipher increases owing to the exclusive-or with the bit pattern $P$. Figure 3 (d) illustrates the SNK. The data block length of the transposition and exclusive-or ciphers should be more than 37 when the SNK is more than $2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.
The substantial number of keys is closely related to sphere packing. In this section, a bound on the SNK is given in terms of the number of spheres packed in the key space. Though the difference defined by Eq.(3) does not necessarily constitute a distance in key spaces, the key spaces are assumed to be metric spaces in this section. The differences in exclusive-or ciphers or nonlinear feedback shift register stream ciphers [1], for instance, are proved to be distances.

Sphere packing is to pack as many spheres in the key space as possible. The maximum number of spheres of diameter $d$, that is the number of keys of the sphere packing cipher $N_d$, is less than or equal to $\mathrm{SNK}_d$:
$$N_d \le \mathrm{SNK}_d . \tag{28}$$
In encryption designs, both substantial number of keys SNK and difference d (or
reversed-bits rate T ) are given as design parameters. When S N K = 256 and the
reversed-bits rate is more than 0.3 and less than 0.7 ( d = 0.3), for example, Fig.3
shows the block size n should be
369
~ T &2
E 38.
Under these SNK conditions, one can pick up any key in the key space as an encryption key. One does not have to select special keys. An arbitrary n-bit pattern P can be used as a key in the exclusive-or cipher. You don't have to worry about an eavesdropper happening to pick up a decipher key close to the right key, because the probability is less than SNK^{-1} = 2^{-56}.
The sphere packing ciphers have to satisfy the SNK condition too. Though N_d is the number of keys of the ciphers, the condition N_d ≥ 2^56 is not enough. The ciphers must also satisfy SNK_d ≥ 2^56. Otherwise, the key picked up by an eavesdropper, which is not necessarily a key of this scheme, is close to the right key with probability greater than 2^{-56}. This shows that the condition N_d ≥ 2^56 alone is meaningless. Eq.(28) shows that SNK_d, not N_d, is critical.
DES probably satisfies the SNK condition, because the SNK of DES is much larger than 2^56. The SNK of DES is approximately given by 2e^{2^{17}(1-2d)^2/π} using Eq.(15), if DES is treated as a huge substitution cipher. When DES is considered as a product cipher, SNK would be less than that, but still much larger than 2^56, though the actual calculation is very complicated.
The SNK condition is useful when one wishes to construct a rather simple encryption scheme by the combination of fundamental ciphers.
V CONCLUSION
The substantial number of keys, SNK, is defined and illustrated with examples of fundamental ciphers and a product cipher. SNK is one of the encipherment strength criteria. In encryption designs, SNK is used to condition the design parameters. The SNK is useful for the design of product ciphers in particular.
I would like to thank Mr. Nakamura and Ms. Tanaka for lots of helpful discussions.
REFERENCES
[Fig. 1 Product Cipher: transposition followed by substitution]
[Fig. 2 Examples of Cipher]
[Fig. 3 Examples of SNK: log2 SNK against block length for d = 0.2 and d = 0.3; (c) Transposition, (d) Transposition & Exclusive-or]
[Fig. 6 Product Cipher: input/output table with h = 3, block split into n-h and h bits]
A MEASURE OF SEMIEQUIVOCATION
Andrea Sgarro
ABSTRACT
I. Introduction
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 375-387, 1988.
© Springer-Verlag Berlin Heidelberg 1988
neat descriptions for the behaviour of the message source which we have argued to be fishy in the case M = 1.
Our approach leads us to define a new measure of equivocation, which we call semiequivocation. Key equivocation, say, represents the uncertainty of the spy who has intercepted the cryptogram and wants to identify the correct key (cf e.g. /8/); instead, key semiequivocation will represent the uncertainty of the spy who only wants to find a doubleton containing the correct key. Equivocation is a conditional entropy; its meaning is based on the fact that Shannon's entropy is an adequate measure of statistical uncertainty. Before introducing our new measure of semiequivocation, we shall have to introduce an (unconditional) new measure of "semi-uncertainty", called semientropy, which will be the counterpart to Shannon's entropy. This will be done in section II, while section III is devoted to the notions of semiequivocation and duplicity distance, the latter being the counterpart to that of unicity distance (cf e.g. /8/); an example is given. Section IV contains a final comment.
We adopt the notation of /9/ for information-theoretic concepts; in particular, H(X) = H(P) is the entropy of the random variable (r.v.) X with probability distribution (p.d.), or probability vector, P = (p_1, p_2, ..., p_K), while I(X; Y) = I(P, W) is the mutual information between the r.v.'s X and Y, the probability distribution of this random couple being determined by the p.d. P of X and the stochastic matrix W which gives the conditional probabilities of Y given X; h(p) is the binary entropy function: h(p) = H(P) with P = (p, 1 − p); D(P || Q) is the informational divergence (cross-entropy) of P and Q, in this order. Logarithms are to any base greater than 1. The source alphabet is N = {a_1, a_2, ..., a_K}, K ≥ 2; we shall write indifferently p_i or P(a_i).
II. Semientropy
(we suppose here that the logs are to the base 2). In our setting a "reliable description" of the outcome of X must be understood in a slacker sense. Actually, we are not interested in knowing the exact value of X, but rather in finding out an M-set to which this value belongs. We shall take inspiration from rate-distortion theory. Let us take a reproduction alphabet whose "letters" are the M-sets of primary letters (we assume M ≤ K); let us consider a distortion measure d(a, y) which is zero iff (if and only if) letter a belongs to set y (one may define d(a, y) = 1 otherwise, but this is irrelevant for zero distortions). We shall resort to R_P(0), the rate-distortion function computed for distortion level 0, to measure the "reduced uncertainty" contained in X which is relevant to us. Of course, for M = 1 one re-finds Shannon's entropy; for M = 2, R_P(0) will be called the semientropy of X, or of P, and denoted by S(X) = S(P). In the following, unless otherwise specified, we assume M = 2.
S(P) represents the minimum (not necessarily integer) number of bits (of D-its if logs to the base D are used) needed to reliably describe the outcome of X, taking into account our reduced needs of fidelity with respect to the classical case M = 1.
Definition 1. The semientropy S(X) = S(P) of r.v. X with p.d. P is defined as
1
S ( V )= - S ( R )
2
+ -12S ( Q ) = (1 - Tl)S(-Il) + (1- qr)S(Q)
and
S ( V ) = 2(1 - ?Jl)S(iq
or:
uH(fi) + (1 - a ) H ( Q )= H ( c ) , with Q = 1-r
2--rl'ql
Below we deal with the case M = 2; however, much of what follows can be extended to the case of any M (cf the remark in section II).
So far we have defined a measure of unconditional "semi-uncertainty". Now we define a measure of conditional semi-uncertainty. Assume XC is a finite random couple; for convenience X will be interpreted as the random key (also the random message would be a suitable interpretation) and C as the random cryptogram. For an observed cryptogram c, S(X | C = c), the unconditional semientropy of the conditional distribution of X given C = c, is well-defined unless c has zero probability. We set:
S(X | C) = Σ_c Prob{C = c} S(X | C = c),
the sum being extended to all c's of positive probability.
Recall that the usual equivocation (conditional entropy) H(X | C) can be defined in a similar way.
From the properties of the semientropies S(X | C = c) one soon derives properties for the semiequivocation S(X | C) (use corollary 1):
Corollary 2.
j) S(X | C) ≤ S(X); if X and C are independent, S(X | C) = S(X);
jj) 0 ≤ S(X | C) ≤ log(K/2); S(X | C) = 0 iff for any cryptogram of positive probability there are at most two keys with positive conditional probability; for K > 2: S(X | C) = log(K/2) iff for any such cryptogram the conditional probability of the random key is uniform.
The inequality in j), which is an essential requirement for any measure of conditional uncertainty, follows from concavity; note that the independence of X and C is not a necessary condition to have S(X | C) = S(X): actually S(X | C) = S(X) iff the conditional distributions of X given the cryptograms c of positive probability all lie on the same linearity segment (use theorem 2), or if they coincide, that is if X and C are independent. This is at variance with the case of the usual equivocation H(X | C), where independence is also a necessary condition to have H(X | C) = H(X). An explicit expression for S(X | C) follows (use theorem 1).
Corollary 3. Set h*(p) = h(p) if p ≥ 1/2, h*(p) = log 2 else. Then
A = t_1! t_2! ... t_r!
where r is the number of distinct components in the message letter p.d., each appearing t_1, t_2, ..., t_r times, respectively (t_1 + t_2 + ... + t_r = t). One has 1 ≤ A ≤ t!; A = 1 when all the t letter probabilities are distinct, A = t! when the message letter p.d. is uniform. Then, for a suitable infinitesimal δ(n):
R(a, b) + R(a, c) + R(a, d) = 2P(a)
R(a, b) + R(b, c) + R(b, d) = 2P(b)
R(a, c) + R(b, c) = 2P(c)
R(a, d) + R(b, d) = 2P(d)
References
GAO
Gesellschaft für Automation und Organisation mbH
Euckenstraße 12
D-8000 München 70, West Germany
1 INTRODUCTION
Any scheme which is to protect information has to be designed with the following three main points in mind: possible loss or destruction of the information or parts thereof, attack from inside or outside to obtain or destroy the information, and efficiency.
In the above definition the number s stands for the maximum number of shadows one can hand out to the trustees. If s = t, the loss of any one shadow is, by definition, equivalent to the loss of the secret datum. This is also the case if s > t but the number of shadows handed out is equal to t. Administrative procedures such as a back-up list of all shadows, of course, prevent such a breakdown but impair the security.
2 GEOMETRIC BACKGROUND
Line L are incident with each other and write x I L if and only if the pair (x, L) is an element of I.
(i) Each point is incident with exactly τ + 1 lines (τ ≥ 1) and two distinct points are incident with at most one line.
(ii) Each line is incident with exactly σ + 1 points (σ ≥ 1) and two distinct lines are incident with at most one point.
(iii) For every point x and every line L which are not incident with each other, there exists a unique line which is incident with both x and a (unique) point on L.
It follows from this definition that every GQ of order (σ, τ) has associated with it a GQ of order (τ, σ) which is obtained by interchanging the roles of the points and lines. We call it the dual GQ. This implies that in any definition or theorem the words "points" and "lines" and the parameters "σ" and "τ" may be interchanged.
The definition allows us to identify each line with the set of points it is incident with. This and the obvious geometric structure of a GQ are the reasons for expressions such as "x lies on L", "x is contained in L" for x I L and "L and M intersect each other in the point x" for L I x I M.
We call two not necessarily distinct points x and y collinear and write x ~ y, if there exists a line which contains both of them. If there is no such line we say that they are not collinear and write x ≁ y. The set of points collinear with a point x is denoted by x^⊥ (note that x ∈ x^⊥).
If x and y are collinear, then sp(x, y) is the unique line through x and
no two points of sp(x, y) are collinear and |sp(x, y)| ≤ τ + 1. The latter follows since the points of sp(x, y) have to be contained in the τ + 1 lines through any of the points of x^⊥ ∩ y^⊥.
3 THE SCHEMES
3.1 The 2-Threshold Schemes
Let G be a generalized quadrangle of order (σ, τ) with σ, τ > 1, and let x and y be two non-collinear points of G. Then the points of sp(x, y) can be used as the shadows of a 2-threshold scheme with the secret datum X being the span of x and y.
When setting the security level one has, however, to take into account that a trustee knows some finite geometry and, for some reason or other, the lines through his own shadow. This increases his probability of a successful attempt to break the system to
Prob = (s − 1)/(σ²τ + στ + σ − (στ + σ)) = (s − 1)/(σ²τ) ≤ 1/σ² (3.2)
as he can rule out the στ + σ points which are collinear with his shadow. Equation (3.2) implies that the security level only depends on σ, in
Let (x, y, z) form a triad, and let sp(x, y, z) = {x, y, z}^⊥⊥ be the secret datum X. It is easy to see that any three points of X uniquely determine X. So condition (i) for a 3-threshold scheme is satisfied.
Two disloyal trustees with respective shadows x', y' have a success rate of
(s − 2)/(σ²τ + στ + σ − 1) (3.3)
in a straightforward attack. If they can rule out the 2σ(τ + 1) − (τ + 1) = 2στ + 2σ − τ − 1 points which are collinear with x', y', then their probability to break the system is
Prob = (s − 2)/(σ²τ − στ − σ + τ). (3.4)
Prob = (σ − 1)/(σ⁴ − σ³ + σ² − σ) = 1/(σ³ + σ). (3.5)
If the two trustees x' and y' can work out the points of tr(x', y') they could make use of this knowledge and the relationship between a trace and its span. They take any point u in tr(x, y), choose a line L through this point and a point g ≠ u on L. The probability that u is in tr(x, y, z) is (σ + 1)/(σ² + 1), the one for L to intersect sp(x, y, z) in a point different from x and y is (σ − 1)/(σ² − 1), while the probability that g is indeed this point is 1/σ. Assuming that the three events are independent, the two disloyal trustees succeed in breaking the system with a probability of
(σ + 1)/(σ² + 1) · (σ − 1)/(σ² − 1) · 1/σ = 1/(σ³ + σ). (3.6)
fair to assume that they can determine a point of sp(x', y') and feed the system this point. As sp(x, y, z) is contained in sp(x', y'), the security now depends only on the size of sp(x', y'), which is bounded above by σ² + 1. This yields a probability of
Prob = (σ − 1)/|sp(x', y')| ≥ (σ − 1)/(σ² − 1) = 1/(σ + 1). (3.7)
Hence, if the trustees know the underlying implementation, the security level depends only on the span of x' and y' and might be unacceptable.
There is clearly no need for a trustee to know "his" shadow, but one cannot rule out the possibility that he does. There is, however, in this scheme a way to prevent the trustee from making use of his knowledge. Before the system checks the shadows for their validity, it applies a secret coordinate transformation to them. So the secret datum X is not the span of the points x, y and z but of their transforms. This renders the knowledge of both tr(x', y') and sp(x', y') useless information and increases the security level to the level given in (3.4).
This is the only point of T which is collinear with the shadow in B1. Even if all the trustees of one class join their forces they cannot improve this probability. If the two shadows are collinear, then X is one of the σ − 1 − τ points on their common line. So this case gives a probability of
1/(σ − 1 − τ). (3.9)
Using the same kind of implementation as before one can check that the shadows belong to the correct classes. We store three points x, z and w, where w is in tr(x, y). When three points together with their respective "class numbers" are entered, the system checks that they are collinear with the appropriate pair of the three stored points. So we have joined two 2-threshold schemes to form a (1,2)*-threshold scheme.
Since the system checks the entered values for the correct class, the probability to break the system is smaller than the ones given above, if the knowledge of X in itself is not equivalent to a compromise of the system.
There are several ways to construct a possible third shadow. None of these yields a better probability than trying to figure out X first and then a "correct" shadow. So the probability in (3.8) has to be multiplied by 1/(σ − 1) and the one given in (3.9) by 1/σ. So the chances to enter a correct third shadow are about 1/?.
It should be mentioned that a coordinate transformation will reduce all these probabilities to about 1 over the number of points of the GQ. So two trustees stand no better chance than two outsiders who just know the underlying GQ.
Acknowledgement
References
[1] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Wissenschaftsverlag Bibliographisches Institut Mannheim, 1985.
Christoph G. Günther
Asea Brown Boveri
Corporate Research
CH-5405 Baden, Switzerland
ABSTRACT
I. INTRODUCTION
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 405-414, 1988.
© Springer-Verlag Berlin Heidelberg 1988
blocks of symbols of the cipher text are known. This uncertainty is quantified by the equivocation of the key k ∈ K given n cipher blocks (c_0, c_{−1}, ..., c_{−(n−1)}) ∈ C^n [2]:
H(k | c_0, c_{−1}, ..., c_{−(n−1)}). (1)
The smallest n for which the key is completely determined is called the unicity distance d. According to Shannon [2] and Hellman [3], it is given by
where T is the length over which the blocks become statistically independent and where the basis of the logarithms involved in the definition of H is equal to the size C of the cipher alphabet C. For English texts, Hellman [3] has estimated that
which implies
d ≈ 1.5 H(k). (4)
In the case of DES, the key is therefore completely specified by the redundancy in the text after two cipher blocks of 64 bits each. The only property that has so far prevented the design of efficient algorithms to break DES is the mismatch between the statistical information and the block structure of DES.
Even if cryptography is based to a large extent on the complexity of certain computations, unconditionally secure systems are preferable. In the present situation, unconditional security can be achieved by a suitable conditioning of the message, either by reducing its redundancy with a data compression algorithm or by increasing its entropy in a randomisation process. The reduction of redundancy is more attractive from a theoretical point of view. The data compression algorithms known today, however, only imply a unicity distance proportional to the size of their encoding table, which makes them practically useless for the present purpose.
Amongst the randomisation techniques, homophonic coding seems by far the most adequate, as was pointed out by Massey [4]. The basic idea of such a coding is to improve the distribution of the symbols in the cipher text alphabet C towards equidistribution by introducing a suitable number of representations for each letter from the message alphabet M and by randomly choosing one of the representations at each step. Such a coding was already used in 1401 by the Duke of Mantua in his correspondence with Simeone de Crema [5] and is also well known through the
a → 00, 01, 10, each with probability 1/3,
b → 11 with probability 1, (5)
i.e. the message m = a is encoded at random into 00, 01, 10, with equal probabilities. As a consequence of this encoding, the message source stays i.i.d. and becomes equidistributed, and the unicity distance jumps from d = 5.3 H(k) to infinity if at least two keys are used.
A similar approach can in principle be chosen for every rational frequency distribution. In general, this will however lead to an enormous data expansion. Furthermore, the frequency distribution completely specifies the cipher text alphabet in this scheme. Both disadvantages are avoided in the systematic approach we shall adopt now.
The homophonic code defined in equation (5) contains two essential elements: an encoding table, i.e. the association of the symbols 00, 01 and 10 with the letter a and the association of the symbol 11 with the letter b, and an encoding rule which states that each representation of a letter has to be chosen with equal probability. The construction of these two elements forms the main steps of the universal algorithm. In order to get an idea of the general form of these elements, we observe that the following mapping also defines a homophonic code for the above example:
a → 0 with probability 2/3, 10 with probability 1/3,
b → 11 with probability 1.
This mapping causes a smaller data expansion than the previous one. The mapping itself is obtained by noting that the second bit in the strings 00 and 01 of equation (5) neither carries information nor contributes to the equidistribution. The mapping can be interpreted as follows: if a 0 is transmitted it is to represent an a; if a 1 is transmitted it is not to represent any letter but just to tell the decoder to wait for the next symbol in order to determine the information transmitted. With this interpretation the encoding table can be rewritten as two tables (see Figure 1) with π denoting the prefix symbol, i.e. the symbol which tells the decoder to wait and to decode the next symbol according to table T(2):
[Figure 1: encoding tables T(1) and T(2)]
This form of the encoding table immediately suggests the association with a binary, or more generally with a C-ary, representation of the frequency distribution {p_α}_{α∈M}. The two objectives of having a number of representations of each letter in the encoding tables which is proportional to the probability of that letter and of having at least one letter represented in each table, together with the above association, lead to the following general construction of the encoding tables:
Initialisation:
The encoding tables for the slightly more complex example M = {a, b, c}, C = {0, 1} and p_a = 5/12, p_b = 1/4 and p_c = 1/3 are shown in Figure 2.
[Figure 2: encoding tables for p_a = 5/12, p_b = 1/4, p_c = 1/3 and the induced partition of [0, 1)]
The number of tables generated in this example is infinite. However, only three of these tables are truly different (T(2n) = T(2), T(2n+1) = T(3) for all n ≥ 1). The partition of the interval [0, 1) induced by the probability distribution (p_a, p_b, p_c), which is represented in Figure 2, is useful for the construction of the tables themselves and also for the formulation of the encoding rule. If an a is to be encoded, the rule for the first symbol reads: choose at random a number r in the interval [0, 5/12); if r < 1/4 transmit the symbol 00, if r ≥ 1/4 transmit the symbol 11 and encode a using the next table. This rule is symbolically represented in Figure 3:
[Figure 3: p(r | m = a) against the first encoding table with the symbols 00, 01, 10, 11]
the symbol 00 is transmitted and the encoding ends, else the symbol 11 is transmitted and further steps are needed to transmit the letter a to the receiver.
The effect of this algorithm is to combine the message source and the randomness from homophonic coding such that all symbols 00, 01, 10 and 11, and a fortiori 0 and 1, become equally likely. This does not only hold for the first step but for every one, which immediately implies the statistical independence of the output stream if the symbols from the source are statistically independent. With these remarks, the proof of the following theorem is easy:
Theorem 1: If a message source generates a sequence of i.i.d. variables but with unequal letter probabilities, then the sequence obtained by applying the universal homophonic coding algorithm is i.i.d. and has equal letter probabilities.
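The table construction and the encoding rule described above can be exercised end to end. The following Python program is an added illustration and not a listing from the paper: it builds the code tree from the base-C digits of the letter probabilities (the i-th digit of p_α gives α that many slots of mass C^(-i) in the i-th table; unused slots become the prefix symbol π), encodes by picking a homophone with probability proportional to its slot mass, decodes by waiting until the symbols read so far form a codeword, and checks the equidistribution property behind Theorem 1 exactly with rational arithmetic. It reproduces the two-letter code a → 0, 10 / b → 11 and the first table (a → 00, b → 01, c → 10, prefix 11) of the three-letter example; since 1/3 has no finite binary expansion, the tree is cut after a fixed number of tables and the open slots are shared among the letters that still carry mass, which is my own simplification and not the paper's rule for the last table. The four-letter dyadic distribution in the demonstration is constructed for this example, and the function names (build_code, encode, decode, is_uniform, expected_length, roundtrip) are mine.

```python
"""Universal homophonic coding from the base-C expansion of letter probabilities.
Added example, not the paper's listing; names and the truncation rule are assumptions."""
from fractions import Fraction
import math
import random


def build_code(probs, base=2, max_depth=16):
    """Return {letter: [codeword, ...]}, each codeword a tuple of symbols 0..base-1.

    Level i of the code tree has `base` slots under every prefix left open at
    level i-1, each slot carrying probability mass base**-i.  A letter whose
    probability has i-th base-C digit d receives d of these slots; the slots
    left over stay open as prefixes (the paper's symbol pi).  If some expansion
    has not terminated after max_depth levels, one extra level is shared among
    the letters that still carry mass (assumed rule), so the code is then only
    approximately uniform, the deviation being of order base**-max_depth.
    """
    probs = {a: Fraction(p) for a, p in probs.items()}
    if sum(probs.values()) != 1:
        raise ValueError("letter probabilities must sum to 1")
    tails = dict(probs)      # mass of each letter not yet placed, scaled by base**depth
    prefixes = [()]          # open prefixes; the empty word is open at depth 0
    code = {a: [] for a in probs}
    for _ in range(max_depth):
        slots = [pre + (s,) for pre in prefixes for s in range(base)]
        pos = 0
        for a in probs:
            tails[a] *= base
            digit = int(tails[a])        # next base-C digit of p_a
            tails[a] -= digit
            code[a].extend(slots[pos:pos + digit])
            pos += digit
        prefixes = slots[pos:]           # unused slots become prefix symbols
        if not prefixes:
            return code                  # every expansion terminated: exact code
    # Truncation level: give the open slots to the letters that still carry mass.
    slots = [pre + (s,) for pre in prefixes for s in range(base)]
    pending = sorted((a for a in probs if tails[a] > 0), key=lambda a: -tails[a])
    if len(slots) < len(pending):
        raise ValueError("max_depth too small: a letter would get no codeword")
    for i, slot in enumerate(slots):
        code[pending[i % len(pending)]].append(slot)
    return code


def encode(message, code, base, rng):
    """Encoding rule: choose a homophone w of each letter with probability
    proportional to the mass base**-len(w) of its slot."""
    out = []
    for a in message:
        words = code[a]
        out.extend(rng.choices(words, weights=[base ** -len(w) for w in words])[0])
    return out


def decode(symbols, code):
    """Codewords are leaves of the tree, so the code is prefix-free: the decoder
    waits (as after the prefix symbol) until the symbols read form a codeword."""
    lookup = {w: a for a, words in code.items() for w in words}
    out, cur = [], ()
    for s in symbols:
        cur += (s,)
        if cur in lookup:
            out.append(lookup[cur])
            cur = ()
    if cur:
        raise ValueError("symbol stream ends inside a codeword")
    return out


def _word_masses(code, probs, base):
    """Probability that encode() emits each codeword, as exact Fractions."""
    probs = {a: Fraction(p) for a, p in probs.items()}
    masses = {}
    for a, words in code.items():
        norm = sum(Fraction(1, base ** len(w)) for w in words)
        for w in words:
            masses[w] = probs[a] * Fraction(1, base ** len(w)) / norm
    return masses


def is_uniform(code, probs, base):
    """True iff every output symbol is equally likely at every step (Theorem 1):
    under each prefix, all `base` continuations must carry the same mass."""
    mass = {}
    for w, m in _word_masses(code, probs, base).items():
        for k in range(len(w) + 1):
            mass[w[:k]] = mass.get(w[:k], 0) + m
    for prefix, m in mass.items():
        if any(prefix + (s,) in mass for s in range(base)):       # internal node
            if any(mass.get(prefix + (s,), 0) != m / base for s in range(base)):
                return False
    return mass[()] == 1


def expected_length(code, probs, base):
    """Expected number of output symbols per source letter (exact)."""
    return sum(m * len(w) for w, m in _word_masses(code, probs, base).items())


def roundtrip(probs, base=2, n=2000, seed=1, max_depth=16):
    """Encode a random sample of the source, decode it back and report
    (exactly recovered?, relative frequency of each output symbol)."""
    rng = random.Random(seed)
    letters = list(probs)
    code = build_code(probs, base, max_depth)
    msg = rng.choices(letters, weights=[float(Fraction(probs[a])) for a in letters], k=n)
    stream = encode(msg, code, base, rng)
    freq = [stream.count(s) / len(stream) for s in range(base)]
    return decode(stream, code) == msg, freq


if __name__ == "__main__":
    # The paper's two-letter source p_a = 3/4, p_b = 1/4, and a constructed dyadic one.
    for probs in ({"a": "3/4", "b": "1/4"},
                  {"a": "3/4", "b": "1/8", "c": "1/16", "d": "1/16"}):
        code = build_code(probs)
        lam = expected_length(code, probs, 2) / math.log2(len(probs))   # Theorem 4's ratio
        print(code, "uniform:", is_uniform(code, probs, 2), "lambda =", float(lam))
        print("  roundtrip ok / symbol frequencies:", roundtrip(probs))
    # The three-letter example: 1/3 has no finite binary expansion, so truncate.
    tri = {"a": "5/12", "b": "1/4", "c": "1/3"}
    print(build_code(tri, max_depth=6), is_uniform(build_code(tri, max_depth=6), tri, 2))
```

For the two-letter source the program yields 3/2 output bits per letter against 2 for the code of equation (5), which is the reduction in data expansion the text mentions; for the truncated three-letter code is_uniform reports the (small) deviation from equidistribution that the approximation introduces.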
Many sources are modelled more accurately by a Markovian process with finite memory. For them the following theorem applies:
Theorem 2: If the message source can be described by a Markovian process with finite memory τ, then the sequence obtained by applying the universal homophonic coding algorithm, with the probability distribution {p_α}_{α∈M} replaced by the conditional probability distribution {p_{α | α_{−1}, ..., α_{−τ}}}_{α; α_{−1}, ..., α_{−τ} ∈ M}, is i.i.d. and has equal letter probabilities.
In both cases we thus have perfect statistical properties and therefore an infinite unicity distance.
So far the homophonic coding algorithm has been described without taking its practical aspects into consideration. Amongst these, the two most important ones are the termination conditions for the table construction and the data expansion. Two simple conditions for the termination of the table construction are obtained from the observation that the algorithm induces the following representation of the probabilities p_α:
with
Σ_{j=1}^{i−1}
In applications, a given key is only used for a finite message length and correspondingly the unicity distance does not need to be larger than this length. Therefore, we can tolerate a deviation of the probabilities q_γ of the cipher symbol γ from their ideal value and restrict the algorithm to a maximum of, say, I + 1 tables. If this is done by constructing I tables according to the algorithm of Section II and by adding one table which contains a representation for every symbol α ∈ M with p_α^{(I)} > 0, the probability q_γ of the symbol γ ∈ C is given by:
where i_γ is the frequency of the symbol γ in table T^{(I+1)}, where M is the size of the alphabet M, where n_{I+1} is the dimension of that table, and where λ_i is given by
In this expression, the deviation of q_γ from its ideal value converges exponentially to zero for I → ∞, and the Taylor expansion of the entropy therefore implies an exponential increase of the unicity distance with the table size I.
IV. DATA EXPANSION
From the description in Section II it is rather obvious that the algorithm will change the data rate. In some singular cases in which the distribution is concentrated on a few symbols, this change can be a lowering of the rate. In the example M = {a, b, c, d}, p_a = 3/4, p_b = 1/8, p_c = 1/16, p_d = 1/16 and C = {0, 1} the compression factor is 15/16. In the generic case this change will, however, be an expansion, and it is very important to have some information on how large this expansion will be.
Theorem 4: The ratio λ of the output rate divided by the input rate of the homophonic coding algorithm is
In this theorem we have taken, to our disadvantage, the value log_C M for the input rate (instead of ⌈log_C M⌉) in order not to overestimate the mismatch between the usual alphabet {a, b, ..., z} and the technically relevant binary alphabet. For M ≤ C we have the following general result:
Lemma 5: a. If M ≤ C, the data expansion λ is bounded by
λ ≤ C · log_2 C.
b. For M = C = 2 or 3, the distribution
p j := (=V-l
C
c-1 c
1 - (7)
has a data expansion λ = C · log_2 C.
The proof of this lemma follows easily from the observation that n_1 = 1 and n_i ≤ C − 1 if M ≤ C. Unfortunately, the lemma is too weak for most applications. Therefore, we have estimated the average value of λ, with the average taken over all probability distributions. For M ≤ C we have obtained
A Monte Carlo simulation has confirmed this estimate and has provided the following results for the relevant cases M = 27 (usual alphabet with blank) and C = 2, 4, 8, 16, 32, 64, 128, 256 (the error of λ is ≤ 0.1):
C = 2 4 8 16 32 64 128 256
⟨λ⟩ = 2.7 2.4 1.9 2.4 1.7 1.7 1.6 1.8
Finally, we have also computed λ for the frequency distribution of letters in English texts, as taken from Beker and Piper [1] (the error of λ is ≤ 0.1):
C = 2 4 8 16 32 64 128 256
λ = 2.7 2.3 2.0 2.3 1.6 1.5 1.6 1.8
If we compare this with the above results we see that English is quite typical. Furthermore, we note that a suitable choice of the alphabet size C can considerably reduce the data expansion. This indicates that our simple rule for the choice of the dimension n_i of table T^{(i)} was not optimal and that it can be further improved.
V. CONCLUSION
In the present contribution we have shown that homophonic coding is an efficient precoding, suitable to increase the unicity distance of a cipher to any required length. Furthermore, even if only the lower order correlations are smoothed out, attacks on the higher order dependencies become practically infeasible due to the variable length of the codewords. The additional random data transmitted causes a data expansion by a factor of roughly two. It can, however, be used to further strengthen the system by suitably randomising the cipher applied to the precoded data. Finally, we note that the described precoding can, after some small modifications, be run in an adaptive way. Homophonic coding is thus highly adequate to substantially increase the strength of ciphers in most applications.
ACKNOWLEDGMENT
I would like to thank Professor James L. Massey for his continuous interest and support.
REFERENCES
[6] "The Beale Ciphers", The Beale Cipher Assoc., Medfield, Mass. (1978).
A NEW PROBABILISTIC ENCRYPTION SCHEME
1. Introduction
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 415-418, 1988.
© Springer-Verlag Berlin Heidelberg 1988
ameter. The one more lucky thing is that the new scheme can be used to sign digital signatures, which seems impossible in the schemes of [1], [5] and [6].
Remark: Blum and Goldwasser have presented another secure probabilistic encryption method with a message expansion of 1 + k/l. Their method is similar to that of Blum et al. ([5]), in which the plaintext is exclusive-ored with a sequence of the same length generated by a pseudo-random number generator. For the details see [5] and [6].
2. Background
Let N denote the set of positive integers and n ∈ N. Let Z_n^* = {x | 1 ≤ x < n and (x, n) = 1}, Z_n^1 = {x | 1 ≤ x < n and (x/n) = 1}, where (x/n) is the Jacobi symbol of x mod n. The symbol |n| denotes the binary length of n.
Let Q be a predicate defined on Z_n^1 such that Q(x) = 1 iff x is a quadratic residue mod n. Let H_k denote the set of "hard composite integers", i.e., H_k = {n | n = pq, where p and q are distinct primes such that |p| = |q| = k}.
The security of our scheme is based on the quadratic residuosity assumption (QRA). From QRA Goldwasser and Micali have proven the following.
Lemma 1 ([1]). Under QRA, the predicate Q defined on Z_n^1 is unapproximable by any circuit of polynomial size even if some quadratic nonresidues mod n are known. (Recall that a circuit C ε-approximates a predicate Q: B → {0, 1} if C(x) = Q(x) for at least a fraction 1/2 + ε of the x ∈ B.)
Let J_n = {x | 1 ≤ x ≤ n/2 and (x/n) = 1}. Let QR_n denote the set of quadratic residues mod n. It is easy to prove the following
Lemma 2. Let n = pq where p and q are distinct primes such that p ≡ q ≡ 3 mod 4. Then each z ∈ QR_n has exactly one square root that is in J_n, and we denote this root by sqr(z).
We point out that Lemma 1 will still hold when Q defined on Z_n^1 is restricted to J_n, and we still call the result Lemma 1.
D_n: J_n × {0, 1} → J_n × {0, 1}
D_n(z, j) = (sqr(z), 0) if j = 0 and z ∈ QR_n,
= (sqr(z y^{−1}), 1) if j = 1 and z ∈ QR_n,
= (sqr(−z y^{−1}), 1) if j = 1 and z ∉ QR_n,
= (sqr(−z), 0) if j = 0 and z ∉ QR_n.
For convenience we denote the first and second components of E_n(x, i) by E_n^1(x, i) and E_n^2(x, i) respectively.
For any positive integer l, E_n can be generalized as follows:
E_n: J_n × {0, 1}^l → J_n × {0, 1}^l
E_n(x, m_1 ... m_l) = (x_l, b_1 ... b_l)
where
x_0 = x,
x_i = E_n^1(x_{i−1}, m_i),
b_i = E_n^2(x_{i−1}, m_i),
i = 1, 2, ..., l.
The generalized E_n is also invertible and its inverse is still denoted by D_n.
Now let k (an even number) be the security parameter. The new probabilistic public key cryptosystem works as follows:
(1) it randomly selects two distinct primes p and q such that p ≡ q ≡ 3 mod 4 and |p| = |q| = k/2,
(2) sets n = pq,
(3) picks y, a quadratic nonresidue mod n, and finally,
(4) outputs (n, y) and {p, q}.
Some user, say A, publicizes the pair (n, y) and keeps secret the pair {p, q}.
Encryption: Suppose some user B wants to send a binary message m = m_1 ... m_l to A. Then he encrypts m as follows:
(1) Randomly selects an x ∈ J_n and sets z = x.
(2) Performs step (3) for i = 1, 2, ..., l.
(3) (z, b_i) := E_n(z, m_i).
(4) Sends A the ciphertext E_n(x, m) = (z, b_1 ... b_l).
Encrypting an l-bit long message m takes O(l k^2) time, and m is transformed into an (l + k − 1)-bit long ciphertext. So the message expansion is 1 + (k − 1)/l, which is much less than k (the message expansion of Goldwasser and Micali's scheme).
Decryption: Upon receiving the ciphertext (z, b_1 ... b_l), user A decrypts it as follows:
(1) Performs step (2) for i = l, l − 1, ..., 1.
(2) (z, m_i) := D_n(z, b_i).
(3) Gets the message m = m_1 ... m_l.
Recovering m (|m| = l) from its ciphertext takes O(l k^3) time.
Using the proof techniques in [3] and [6], we can prove the following
4. Applications
References
Tsutomu Matsumoto
Hideki Imai
I. INTRODUCTION
With the aid of public-key cryptography [1], how much computation is sufficient to keep the authenticity and the confidentiality of digital data? Reducing the computational complexity implies wider and deeper utilization of the fascinating nature of public-key cryptography. This paper gives an answer to this challenging question by constructing an asymmetric cryptosystem C* (called c-star) which consists of public transformations of complexity O(m²n³) and secret transformations of complexity O((mn)²(m + log n)), where each complexity is measured in the total number of bit-operations for processing a message block of mn bits.
Each public key of C* is an n-tuple
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 419-453, 1988.
© Springer-Verlag Berlin Heidelberg 1988
is determined by
[Secret Items]
S1. A v-degree extension field L_(v) of K and a K-isomorphism φ_(v) from K^v to L_(v) for each integer v = (2λ + 1)2^ρ with λ ≥ 1 and ρ ≥ 0;
S2. Each secret key is a tuple R = [S_R, T_R, π, θ]:
S2-1. Two n-tuples S_R and T_R of n-variate polynomials of degree one over K, representing affine bijections s^{−1} and t^{−1} on K^n;
S2-2. A partition π = [n_1, ..., n_d] of the integer n such that
and projections
where a_i = Σ_{j=1}^{i} n_j;
i
T % ~ (= ) .
P n' (
Ie$:): .
It can be easily shown that the total number of nonzero terms of P ,
denoted by .(P), is always less than or equal to T ~ , ( P ) .
U over K whose diagonal components are all 1, then find the product of them
B_C = LDU.
(step1) y ← z;
(step2) y ← y^{b^2} · y;
(step3) y ← y^{b^2} · z;
(step4) y ← y^{b} · y;
(step5) z ← y^{b} · z;
(step6) y ← ...
W_2(u) = |{ j : u_j = 1 }|, the number of ones in the binary representation u = (u_j) of u.
Theorem 6. For HPA, O(m + log n) times L-multiplication are sufficient for evaluating the h̄-th power of an element of L. And hence, the circuit-size complexity of HPA is
Proof: From Corollary 1, we know that evaluating the Σ q^i-th powers appearing there can be performed in O(log β) and O(log γ), respectively, times L-multiplication. Since β, γ < n/2, the sum of them is O(log n). And also we know, from Theorem 5, that evaluating the power treated there can be performed in at most m - 1 + ⌊log m⌋ + W_2(m) - 1 = O(m) times L-multiplication. Further, evaluating the q^{2^e}-th and the q^{e-1}-th powers can be done only by cyclic shifts, hence their complexities can be neglected. Now, evaluating the 2^{m-1}-th power can be accomplished in (m - 1) times multiplication. Summing all the above terms, we get the first half of the theorem. The second half of the theorem is obvious, since the L-multiplication can be done in O(m^2 n^2) times operations over GF(2). □
$$D_{pk} = m\,\tau_p(F)\ [\text{bit}] = \tfrac{1}{2}\,m n (n+1)(n+2)\ [\text{bit}] \approx \tfrac{1}{2}\,m n^3\ [\text{bit}]$$
When m = 1, we have
$$\binom{n+2}{2}\Big(2\,O(m^2 n^2) + \sum_{i=1}^{d} O(m^2 n_i^2)\Big) = O(m^2 n^4)\ [\text{GF(2)-operation}].$$
be a $\tfrac{1}{2}n(n+3) \times n$ matrix. Using S and F, we can rewrite (5) as
$$F(x) = F_0 + \tilde{x}E.$$
So, we can first find $\tilde{x}$, then find $F(\tilde{x})$ to perform the public transformation. This complexity is
$$\ldots = O(m^2 n^3)\ [\text{GF(2)-operation}].$$
$$\{(n+3)\cdot O(n^{2+\epsilon})\cdot O(m^2)\}/n = O(m^2 n^{2+\epsilon})\ [\text{GF(2)-operation}].$$
IV-0. Preliminaries
Basic concepts and notations used in this chapter are sketched in the following.
Finite Fields [9]
Let p be a prime integer, m and n positive integers, and q = p^m. Fix a finite field K of order q (i.e., with q elements). Denote by K^n the n-dimensional vector space over K, each element of which is an n-tuple over K. Determine an n-degree extension field L of K. L contains q^n elements. When L is taken as an n-dimensional vector space over K, L is isomorphic to K^n. The isomorphism between L and K^n will be denoted by a bijection φ: K^n → L.
Functions on Integers
Let a be an integer greater than 1, i a nonnegative integer. Denote the a-ary representation of i by
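An added example (not code from the paper): the K^n ↔ L correspondence of the Preliminaries for K = GF(2) and n = 5, with L given by the constructed modulus x^5 + x^2 + 1, the weight function W_2 and the binary-method multiplication count ⌊log m⌋ + W_2(m) - 1 that Theorem 6 quotes, and a check that in a normal basis the Frobenius map x → x^2 is a cyclic shift of coordinates, which is why the proof of Theorem 6 neglects the q-power evaluations. The polynomial, the exhaustive search for a normal element and the function names are assumptions of this illustration, not the paper's HPA.

```python
# Added illustration, not the paper's code.  N and MODULUS are constructed choices.
N = 5
MODULUS = 0b100101  # x^5 + x^2 + 1, irreducible over GF(2)


def vec_to_elem(v):
    """phi: K^n -> L.  Coordinates [v_0, ..., v_{n-1}] become the polynomial sum v_j x^j."""
    return sum(bit << j for j, bit in enumerate(v))


def elem_to_vec(e):
    """phi^{-1}: L -> K^n."""
    return [(e >> j) & 1 for j in range(N)]


def gf_mul(a, b):
    """Multiplication in L = GF(2)[x]/(MODULUS): shift-and-add with reduction."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:  # degree reached n: reduce by the modulus
            a ^= MODULUS
    return r


def W2(u):
    """W_2(u): number of ones in the binary representation of u."""
    return bin(u).count("1")


def binary_method_cost(e):
    """L-multiplications used by the binary method: floor(log2 e) + W_2(e) - 1."""
    return e.bit_length() - 1 + W2(e) - 1


def gf_pow(a, e):
    """Left-to-right square-and-multiply in L; returns (a^e, multiplications used)."""
    if e == 0:
        return 1, 0
    result, muls = a, 0
    for bit in bin(e)[3:]:  # bits after the leading one
        result, muls = gf_mul(result, result), muls + 1
        if bit == "1":
            result, muls = gf_mul(result, a), muls + 1
    return result, muls


def conjugates(beta):
    """beta, beta^2, beta^4, ..., beta^(2^(n-1)): a normal basis when independent."""
    return [gf_pow(beta, 1 << i)[0] for i in range(N)]


def subset_sum(c, basis):
    """XOR of the basis elements selected by the bits of c."""
    acc = 0
    for i in range(N):
        if (c >> i) & 1:
            acc ^= basis[i]
    return acc


def is_normal_element(beta):
    """All 2^n subset sums distinct <=> the conjugates are linearly independent over GF(2)."""
    basis = conjugates(beta)
    return len({subset_sum(c, basis) for c in range(1 << N)}) == 1 << N


def find_normal_element():
    return next(b for b in range(1, 1 << N) if is_normal_element(b))


def coords_in_basis(x, basis):
    """Coordinates of x in `basis` by exhaustive search (n is tiny here)."""
    for c in range(1 << N):
        if subset_sum(c, basis) == x:
            return [(c >> i) & 1 for i in range(N)]
    return None


def frobenius_is_cyclic_shift(x, beta):
    """If x = sum c_i beta^(2^i) then x^2 = sum c_i beta^(2^(i+1)), i.e. the coordinate
    vector rotates by one place (beta^(2^n) = beta): squaring costs no multiplication."""
    basis = conjugates(beta)
    c = coords_in_basis(x, basis)
    c_sq = coords_in_basis(gf_mul(x, x), basis)
    return c_sq == c[-1:] + c[:-1]


if __name__ == "__main__":
    beta = find_normal_element()
    print("normal element:", elem_to_vec(beta))
    print("cost of 13th power:", gf_pow(3, 13)[1], "=", binary_method_cost(13))
    print("Frobenius is a shift:", all(frobenius_is_cyclic_shift(x, beta) for x in range(1 << N)))
```

The multiplication count returned by gf_pow matches binary_method_cost for every exponent, which is the bound the proof of Theorem 6 uses; the normal-basis check is the concrete form of "can be done only by cyclic shifts".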
where s and t are affine bijections on K^n, n is a positive integer which can be partitioned into d positive integers satisfying n = n_1 + n_2 + ... + n_d, and L_i is an n_i-degree extension field of the field K. φ_i is an isomorphism from K^{n_i} to L_i, and e_i a bijection on L_i. Further, p_i: K^n → K^{n_i} is a projection which maps [x_1, ..., x_n] ∈ K^n to [x_{(Σ_{j=1}^{i-1} n_j)+1}, ..., x_{Σ_{j=1}^{i} n_j}] ∈ K^{n_i}.
(iii) If and only if both s and t are bijections, the following holds for all e ∈ E
Proof (sketch): Proving this theorem is not difficult but wastes pages. So, we mention here only that the proof for general q can be readily obtained from that for the case q = 2, which is described in [12]. □
Theorem 8. For the bijection f defined by (7) and (8), the following are true:
1) deg([f]) = max{wt_q([e_i]) | i = 1, ..., d}
2) deg([f^{-1}]) = max{wt_q([e_i^{-1}]) | i = 1, ..., d}.
(12), (13) and (14) imply the first half of the theorem. The second half can be proved in the same way. □
Theorem 9. For the bijection defined by (7), (8), (15) and (16), we have
1) deg([f]) = max{W_q(h_i) | i = 1, ..., d}
hence,
$$2\,W_q(\bar h) = (q-1)(n - R(\bar h)) + 1$$
and it proves the theorem. □
$$\bar h \equiv \sum_{k=0}^{2c-1} q^{bk}(-1)^k \pmod{q^n - 1}.$$
Since gcd(b, 2c + 1) = 1, the multiplicative inverse element b̄ of b modulo (2c + 1) exists. Assume that j = (bk) mod (2c + 1); then k can be expressed as k = (b̄ j) mod (2c + 1). Hence
$$\sum_{i=0}^{2c} \cdots = 1 + \sum_{i=0}^{2c-1} q^{i}(-1)^{[\bar b (i+1)] \bmod (2c+1)} + q^{2c}$$
and
V. CONCLUDING REMARKS
On a basis different from the previous ones, this paper has proposed and analyzed an asymmetric cryptosystem C* which can serve for both digital signatures and encryption.
An advantage of C* over the previous asymmetric cryptosystems is that both secret and public transformations can be done in complexity much less than O(N^3) for a message block of size N. Actually, we have implemented C* in the languages "C" and Occam on 32-bit microprocessors and verified the high performance of C*.
The description length of a key for C* is greater than that of previous systems with the same block size. However, this is not always a demerit, as mentioned in Section III-5.
Thus the present authors believe that C* is a cryptosystem worth investigating for everybody interested in high-speed cryptographic communications.
ACKNOWLEDGMENT
The authors wish to thank Youichi Takashima for his help in making numerical examples of C* and Yuliang Zheng for his kind interpretation of the Chinese papers [7, 8]. This work was supported in part by the Ministry of Education, Science and Culture under Grant-in-Aid for Encouragement of Young Scientists # 62750283.
REFERENCES
[8] Zhou, T., "A note on boolean public key cryptosystem of the second order," Journal of China Institute of Communications, Vol. 7, No. 1, pp. 85-92, (Jan. 1986) (in Chinese).
APPENDIX
and
$$2^{bf} = \big(\mp 1 + (2^b \pm 1)\big)^f = \sum_{j=0}^{f} \binom{f}{j} (\mp 1)^j (2^b \pm 1)^{f-j} = (2^b \pm 1)\Big\{\sum_{j=0}^{f-1} \binom{f}{j} (\mp 1)^j (2^b \pm 1)^{f-j-1}\Big\} + (\mp 1)^f,$$
we get
$$2^a \pm 1 = (2^b + 1)\Big\{\sum_{j=0}^{f-1} \binom{f}{j} (-1)^j (2^b + 1)^{f-j-1}\Big\} 2^c + (-1)^f 2^c \pm 1,$$
R(a/d) = R(a) - R(d)
R(b/d) = R(b) - R(d) = 0
... = -1 and (-1)^{b/d} = 1
> 0
-1
gcd(2^a + 1, 2^b - 1) = 2^d + 1
gcd(2^a - 1, 2^d + 1) = gcd(2^d + 1, 2^a - 1) = 2^d + 1
(2^d + 1) | gcd(2^a + 1, 2^b - 1)
which proves the theorem. □
Lemma A2. For integers m, q, θ, n and h with m > 0, q = 2^m, 0 ≤ θ < n, h = 1 + q^θ, gcd(h, q^n - 1) = 1, the multiplicative inverse element h̄ of h satisfies
$$q^n - \bar h = q^{\theta} \cdots - (k-1)(q^n - 1) \qquad (A2\text{-}2)$$
Because
we get
from (A2-2). Also, q^n - h̄ < q^n - 1 since h̄ > 1. Hence
where λ = R(u).
I.e.,
Colin Boyd,
British Telecom,
Data Security Laboratory,
1, Cutler Street, Ipswich IP1 lW, UK.
Abstract
1 Introduction
The insight of Diffie and Hellman [6] was that the enciphering
and deciphering keys of a cryptosystem need not be the same.
Therefore a cryptosystem could have two keys, one of which would
remain secret and the other would be made public. This has led to
numerous applications such as digital signatures.
We start off the paper with some general ideas about multiple-key
ciphers and then consider some applications and how they fit
in with these ideas. The applications considered in this paper
are selective distribution of information to subsets of a group
of users, digital signatures with more than one signatory, and
electronic voting. There are many other potential applications.
The scheme we consider here appears to be useful for applications
of a type concerning different groups of interacting users. The
C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 455-467, 1988.
© Springer-Verlag Berlin Heidelberg 1988
E(E(M, k1), k2) = E(M, k1·k2)
For example consider the case where there are only two keys r and
s. Let R be the subset of users of the population who possess the
key r and S be the set who possess s . These subsets overlap in
the subset of users who possess both keys, which may or may not
be empty.
Message        Read by    Written by
M**r mod m     S          R
M**s mod m     R          S
When the number of keys is increased to three there are many more
possibilities. We extend the previous diagram by adding a third
Message        Read by    Written by
M**r mod m     S ∩ T      R
M**s mod m     R ∩ T      S
M**t mod m     S ∩ R      T
M**rs mod m    T          R ∩ S
M**rt mod m    S          R ∩ T
M**st mod m    R          S ∩ T
Where the table indicates that the message can be read or written by S ∩ T, it can be written or read by any member of both groups, or, what is just as important, can be written or read by any member of S and any member of T in collaboration. In an application some of the named subsets of U may be empty. In the applications described in this paper we always assume the existence of an authority which is responsible for generating and distributing keys.
3 Applications
Let us call the users A, B and C. These users are then issued
with the key sets {r,s}, {r,t}, and {s,t} respectively. The
authority can then choose any combination of the users it wishes
to distribute a given message M. The way this can be done is
illustrated in the following table.
M**r      C
M**s      B
M**t      A
M**rs     B and C
M**rt     A and C
M**st     A and B
In order for this scheme to work the users must not be able to
collude to share keys since the keys of any two users could be
used to read every piece of information. If this is likely the
keys would need to be distributed by the authority in a tamper-
proof form which could not be read by the users, and which could
only be used in a fixed protocol.
S1 = M**r mod m
S1**st mod m = M.
S2 = S1**s mod m
   = M**rs mod m
S2**t mod m = M.
Signature    Read by    Written by
S1           S          R
S2           U          R ∩ S
The voting slip is issued to the voter as V**r mod m. (This must be transported secretly to the correct voter, a problem we do not address here.) If the voter wants to vote 'yes' he forms
(V**r)**s mod m
(V**r)**t mod m.
The authority can then validate and count each vote V' by forming
V'**t mod m
or V'**s mod m
Voting slips may not be forged since they are signed by the
issuing authority. On the other hand they are anonymous (except
to the issuing authority) since the voting keys are public. In
terms of the model of section two a valid vote must have been
written by the issuing authority plus any user, and can be read
by any user.
If the same random number is found more than once then all votes
with that number should be discarded. (Of course, there is a
small probability, depending on the number of voters and the size
of m, that a valid vote is discarded.) Copies of all the votes
(including any discarded ones) can be published with the results
of the ballot and each voter can confirm that his vote was
included.
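The two-key and three-key tables of Section 2 and the distribution, multi-signature and voting protocols of Section 3, worked through as an added toy example in Python (not code from Boyd's paper). It assumes, as the tables imply, RSA-type exponents r, s, t with r·s·t ≡ 1 (mod φ(m)) so that E(E(M, k1), k2) = E(M, k1·k2); the primes, the way r and s are chosen, the user key sets, the slip numbers and all function names are constructed for the illustration, and the modulus is far too small for real use.

```python
# Added illustration of Boyd's multiple-key scheme; all parameters are constructed.
import math

# Key sets of the three users in Section 3.
USERS = {"A": {"r", "s"}, "B": {"r", "t"}, "C": {"s", "t"}}


class MultiKeyRSA:
    """Toy scheme with exponents r, s, t such that r*s*t == 1 (mod phi(m)).

    Exponents compose, E(E(M,k1),k2) == E(M,k1*k2), so a message raised to the
    product of some keys is recovered by raising it to the product of the others.
    """

    def __init__(self, p, q):
        self.m = p * q
        self.phi = (p - 1) * (q - 1)
        # Constructed choice: r, s are the two smallest odd exponents coprime to
        # phi(m); t is then forced by r*s*t == 1 (mod phi(m)).
        r, s = [e for e in range(3, 1000, 2) if math.gcd(e, self.phi) == 1][:2]
        self.keys = {"r": r, "s": s, "t": pow(r * s, -1, self.phi)}

    def apply(self, x, *key_names):
        """E(x, k1 k2 ...) = x ** (k1 * k2 * ...) mod m."""
        e = 1
        for k in key_names:
            e = e * self.keys[k] % self.phi
        return pow(x, e, self.m)


def readers(used_keys, users=USERS):
    """Users able to read a message formed with `used_keys`: those holding every
    key that was not used, since the remaining exponents multiply to the inverse."""
    needed = {"r", "s", "t"} - set(used_keys)
    return sorted(u for u, held in users.items() if needed <= held)


def multi_signature(scheme, M):
    """Two signatories: S1 = M^r, S2 = S1^s = M^(rs). With t public, anyone checks S2."""
    s1 = scheme.apply(M, "r")
    return s1, scheme.apply(s1, "s")


def verify(scheme, sig, M, *remaining_keys):
    return scheme.apply(sig, *remaining_keys) == M


def cast_vote(scheme, slip, choice):
    """'yes' is (V^r)^s, 'no' is (V^r)^t; s and t are the public voting keys."""
    return scheme.apply(slip, "s" if choice == "yes" else "t")


class VotingAuthority:
    """Issues signed slips V^r and later validates ballots with the public keys."""

    def __init__(self, scheme):
        self.scheme, self.issued = scheme, set()

    def issue_slip(self, V):
        self.issued.add(V)
        return self.scheme.apply(V, "r")

    def count(self, ballots):
        """Recover V with the complementary key; discard every ballot whose slip
        number occurs more than once; ignore anything not signed by the authority."""
        by_slip = {}
        for b in ballots:
            v_yes, v_no = self.scheme.apply(b, "t"), self.scheme.apply(b, "s")
            if v_yes in self.issued:
                by_slip.setdefault(v_yes, []).append("yes")
            elif v_no in self.issued:
                by_slip.setdefault(v_no, []).append("no")
        tally = {"yes": 0, "no": 0, "discarded": 0}
        for choices in by_slip.values():
            if len(choices) > 1:
                tally["discarded"] += len(choices)
            else:
                tally[choices[0]] += 1
        return tally


if __name__ == "__main__":
    scheme = MultiKeyRSA(10007, 10009)  # constructed, toy-sized primes
    print("M^rs readable by", readers(["r", "s"]))
    auth = VotingAuthority(scheme)
    slips = [auth.issue_slip(V) for V in (12345, 67890, 55555)]
    ballots = [cast_vote(scheme, slips[0], "yes"), cast_vote(scheme, slips[1], "no"),
               cast_vote(scheme, slips[2], "yes"), cast_vote(scheme, slips[2], "no")]
    print(auth.count(ballots))
```

The readers function reproduces the Section 3 table from the key sets alone, and the count method implements the duplicate-slip rule: a slip number that appears twice, here once as 'yes' and once as 'no', causes both ballots to be discarded while the other votes are counted.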
Closure Property
Inverse Property
Associative Property
j ∘ (k ∘ l) = (j ∘ k) ∘ l.
Commutative Property
k ∘ j = j ∘ k.
One property of RSA that we have used but not mentioned yet is the trapdoor property. This allows the 'owner' of the scheme, or
5 Acknowledgements
6 References
see Subliminal channel
Key
  Conference key distribution, 11
  Diffie-Hellman, 3, 159
  Key agreement, 3, 159
  Key distribution, 3, 11, 159
  Multiple key, 455
  Substantial number of keys, 361
Knapsack, 97
Linear complexity, 191
  Linear complexity profiles, 191
  see also Massey-Berlekamp Algorithm
Linear recurring m-array, 351
Luby-Rackoff generator, see Pseudorandom sequences
Lucas numbers, 211
Massey-Berlekamp Algorithm, 345
Random numbers, see Pseudorandom sequences
Registration in databases, anonymous and verifiable, 167
RSA, see Public key cryptosystems
Running key generators, see Pseudorandom sequences
Privacy protected payment, 107
Probabilistic encryption, 415
Pseudoprimes, see Primality tests
Pseudorandom sequences
  Cascade generators, 331
  Clock control, 331
  Correlation attack, see Attacks
  Luby and Rackoff generator, 225
  Non-linear functions, 301, 317
  Shift register sequences, 301, 325, 331
  Windmill generators, 325
Public key cryptosystems, 419
  Diffie-Hellman scheme, see Key
  El-Gamal scheme, see Signature
  McEliece scheme, 275
  Okamoto scheme, 281
  Rivest-Shamir-Adleman scheme, 107, 257, 455
Subliminal free protocols, 23, 35
Table look-up, 245
Threshold schemes, 389