AU2004201034A1 - A key agreement protocol based on network dynamics - Google Patents

Description

AUSTRALIA

Patents Act COMPLETE SPECIFICATION

(ORIGINAL)

Class Int. Class Application Number: Lodged: Complete Specification Lodged: Accepted: Published: Priority Related Art: Name of Applicant: Non-Elephant encryption systems (Barbados), Inc.

Actual Inventor(s): Xiaomin Bao Address for Service and Correspondence: PHILLIPS ORMONDE FITZPATRICK Patent and Trade Mark Attorneys 367 Collins Street Melbourne 3000 AUSTRALIA Invention Title: A KEY AGREEMENT PROTOCOL BASED ON NETWORK DYNAMICS Our Ref: 714945 POF Code: 335833/467475 The following statement is a full description of this invention, including the best method of performing it known to applicant(s): -1- A KEY AGREEMENT PROTOCOL BASED ON NETWORK DYNAMICS BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to cryptographic systems. More particularly, the invention generates, by public discussion, a cryptographic key that is unconditionally secure. Prior to this invention, cryptographic keys generated by public discussion, such as Diffie-Hellman, satisfied the weak condition of computational security but were not unconditionally secure.

2. Discussion of the Related Art An Achilles heel of classical cryptographic systems is that secret communication c an only take place after a key is communicated in secret over a totally secure communication channel.

Lomonaco describes the matter as the "Catch 22" of cryptography, as follows: "Catch 22. Before Alice and Bob can communicate in secret, they must first communicate in secret." Lomonaco goes on to describe further difficulties involving the public key cryptographic systems that are currently in use. For a discussion on several other disadvantages of the Public Key Infrastructure (PKI) see U.S. General Accounting Office Report and Schneier [13].

Let x be a common key that has been created for Alice and Bob. That is, x is a binary vector of length n. Then x can be used as a one-time pad as follows. Let m be a message that Alice wishes to transmit to Bob: m is some binary vector also of length n. Alice encodes m as m E x where E denotes bitwise addition, exclusive OR. Thus m E x, not m, is broadcast over the public channel. Bob then decodes in exactly the same way. Thus Bob decodes the message (m e x) E x, which is m, because of the properties of bitwise addition.

Alternatively, the key x can be used in a standard symmetric key cryptosystem such as that of Rijndael [12] or Data Encryption Standard (DES) The idea now is to encode m asfx(m) where fx denotes the Rijndael permutation with the parameter x. Then, to get the message, Bob decodes by m where g. is the inverse off, To date, practical protocols for constructing such a common key x use for their security unproven mathematical assumptions concerning the complexity of various mathematical problems such as the factoring problem, the discrete log problem, and the Diffie-Hellman problem. Another serious difficulty concerning present systems involves the very long keys that are needed for even minimal security. In his monograph R. A. Mollin [17] points out that for elliptic curves cryptography an absolute minimum of 300 bits should be used for even the most modest security requirements and 500 bits for more sensitive communication. Further, key lengths of 2048 bits are recommended for RSA in the same reference.

In [19] chapter 5, Julian Brown gives an example:ofa financial encryption system depending on RSA keys of 512-bit, namely the CREST system introduced in 1997 by the Bank of England. He quotes the noted cryptographer A. Lenstra concerning such codes as follows: "Keys of 512 bits might even be within the reach of cypherpunks. In principle they could crack such numbers overnight".

Randomness in Arrival Times of Network Communications Computer networks are very complex systems formed by the superposition of several protocol layers Figure 1 shows the layers in a typical network. The following analysis of how the layers work together serves to explain the randomness in networks.

The lowest layer connects two computers, creates a channel between them, by some physical means and is called the Physical Layer.

The second layer removes random physical errors (called "noise") from the channel to create an error-free communications path from one point to another. This layer, the Data Link Layer, is primarily responsible for dealing with transmission errors generated as electrical impulses (representing bits) as sent over a physical connection. Error detection techniques [15] are used to identify the transmission errors in many protocols. Once an error is detected the protocol requests a resend. Random errors in the Data Link Layer can be observed by noting timing delays.

The Medium Access Layer deals with allocating and scheduling all communications over a single channel. In a networked environment, including the Internet, many computers communicate over a single channel. Bursts in packet traffic is a well-known characteristic and is due to the uncontrollable behavior of many individual computers communicating over a single channel [16] leading to random fluctuations in transmission times.

The Network Layer deals with routing information to create a true or virtual connection between two computers. The routing is dependent on thevariety of routing algorithms and the load placed on each router. These two factors makes the transmission times fluctuate randomly.

The Transport Layer interfaces with the final Application Layer to provide an end-to-end, reliable, connection-oriented byte stream from sender to receiver. To do so, the Transport Layer provides connection establishment and connection management. The times associated with Transport layer activities depend on all devices in the network and the algorithms being used. Thus, fluctuations'in transmission times in the Transport Layer also occur, contributing to timing delays.

However, not only the network influences timing fluctuations. The transmitting and. receiving computers have internal delays resulting from servicing network packets. Thus, even the act of observing the timings will also introduce random fluctuations. (See appendix B for an analysis of the effects of perturbations on arrival timing).

Another approach to obtaining independently generated but correlated raw random keys is to employ a commonly known to the communicating parties probabilistic array and agreed upon generation procedure.

SUMMARY OF THE INVENTION The present invention provides an efficient, practical system and method for a key agreement protocol based on network dynamics or a probabilistic generation method that has the strongest possible security, namely, unconditional Security, and that does not require any additional hardware.

Previous work in this area is either theoretical [11] or practically infeasible due the requirement for additional channels based on expensive and complicated hardware such as satellites, radio transmitter arrays and accompanying additional computer hardware to communicate with these devices All previous cryptographic keys only satisfy the weaker criterion of computational security.

In one embodiment, the present invention introduces relative time sequences based on roundtrip timings of packets between two communicating parties. These packets form the basic building blocks for creating an efficient and unconditionally secure key agreement protocol that can be used as a replacement for current symmetric and asymmetric key cryptosystems. In another embodiment, the present invention introduces correlated raw randomly generated keys that have been independently generated by two communicating parties based on a probabilistic array (or vector). The present invention is an unconditionally secure cryptographic system and method based on ideas that can be used in the domain of quantum encryption 5 and 20 Chapter Moreover, the present invention for the first time provides a cryptographic protocol that exploits fundamental results (and their interconnectedness) in the fields of information theory, error-correction codes, block design and classical statistics. The system and method of the present invention is computationally faster, simpler and more secure than existing cryptosystems. In addition, due to the unconditional security provided by the present invention, the system and method of the present invention are invulnerable to all attacks from super-computers and even quantum computers. This is in sharp contrast to all previous protocols.

The present invention provides a protocol that uses either two characteristics of network transit time: namely, its randomness, and the fact that, despite this, the average timing measured by two communicating parties will converge over a large number of repetitions or a probabilistic array and adjusting raw, key generation method. The result is that two correlated random variables are obtained, one by measuring the relative time a packet takes to complete a round trip with respect to a first party, Alice or A, and a round trip with respect to a second party, Bob or B, and the other by starting with a known probabilistic array and applying an agreed upon adjusting procedure to arrive at a correlated generated raw random key.

In a first preferred embodiment, A and B engage in rallying packets back and forth and calculate round-trip times individually. The packets may be used for any additional purpose since the contents of the packets are irrelevant. Only the round-trip times are of interest. Figure 2 shows one round of a relative r ound-trip time generator of the p resent invention. F igure 2 diagrammatically describes the process.

In a second preferred embodiment, A and B employ a pre-determined string P to independently generate raw random keys. Appendix C describes the process.

PHASE 1-Alice and Bob employ the system and method of the present invention to construct a raw random key.

For example, Alice and Bob exchange packets over a network, record round-trip times, and each form a bit string by concatenating a pre-arranged number of low order bits of successive packet round-trip times. Once sufficient bits are concatenated, the process is stopped and both Alice and Bob apply a pre-determined permutation to their respective concatenated bit strings to form permuted remnant raw keys KA and KB, respectively of equal length.

Or, in another example, Alice and Bob employ a pre-determined probabilistic string P to independently generate correlated random raw strings KA and KB using a process such as the one described in Appendix C.

PHASE 2- Alice and Bob employ these remnant raw keys to create a reconciled key: Alice and Bob systematically partition their respective permuted remnant raw keys, KA and KB, into sub-blocks, compute, exchange and c ompare p arities for e ach s ub-block, and, discarding the low order bit of the sub-block, re-concatenate the modified sub-blocks in their original order. In the case of blocks with mismatched parities the partition process is iterated until mismatched bits are located and deleted.

PHASE 3 A lice and Bob create an unconditionally secure pad or key from their common reconciled key: Privacy amplification to eliminate any partial information that an eavesdropper, Eve, might have is applied by both Alice and Bob using a pre-determined proprietary hash function to produce a final unconditionally secure key of a pre-determined length from the reconciled key.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 illustrates a typical multi-layer computer network protocol.

FIG. 2 illustrates one rallying round between two communicating parties for generating a permuted remnant bit string by each party.

FIG. 3 illustrates mean arrival time as a function of channel noise (noise parameter).

FIG. 4 illustrates adjusting bits using the present invention to increase the correlation between the raw keys of the communicating parties while decreasing the correlation between the raw keys of the communicating parties and an possible eavesdropper.

DETAILED DESCRIPTION OF THE INVENTION In a preferred embodiment, the key agreement scheme of the present invention comprises three phases. The first phase is construction of a permuted remnant bit string. Two methods are presented.

The first method is based on physical characteristics of the network, wherein, for example and not limitation, the two communicating parties, Alice and Bob, rally packets back and forth recording round-trip times.

The second method is probabilistic, wherein, for example and not limitation, the two communicating parties, Alice and Bob, both know a probabilistic String P of real numbers and generate keys based on this string, see Appendix C.

Some of the bits may still be different after the initial bit string construction so Alice and Bob then participate in a second phase called Information Reconciliation. The second phase results in Alice and Bob holding exactly the same key. However, Eve may have partial knowledge of the reconciled strings, in the form of Shannon bits. Therefore, a third and final phase called Privacy Amplification is performed to eliminate any partial information collected by Eve.

PHASE I Alice and Bob rally packets back and forth to generate a bit string from truncated round-trip timings. This string is then systematically permuted. The procedure is as follows: Alice sends Bob a network packet and logs the time tAo.

(ii) Bob records the time of reception as tro and responds immediately to Alice with another network packet.

(iii) Alice records the time of reception as t Al, and responds immediately with a network packet.

(iv) .Bob records the time of reception as tBI and responds immediately to Alice with another network packet.

Alice and Bob respectively calculate AtA t A t

AO

and AtB t B) t

BO

Depending on the quality of the network connection, only some bits of AtA and AtB are kept.

The higher order bits are dropped. Typical experimental data and criteria for the truncation can be found in [18].

By taking a suitable probability distribution it can be shown that the average of AtA equals the average of AitB.

(vi) Repeat steps through in order to create enough bits that are then concatenated as a string of bits of a pre-determined length.

Alternatively, Alice and Bob each know a random probabilistic array P. They independently proceed as described in Appendix C to generate correlated raw random keys KA and KB.

PHASE II Once sufficient bits are created, theprocess is stopped. Alice and Bob must now use the relative time series to create an unconditionally secure pad or key. One skilled in the art can deduce, from a study of various papers in'the list of references that there are many ways to proceed. The present invention uses an approach which, very loosely speaking, is initially related to that ofBennett et However in 4 and 10], several changes and improvements have been indicated. These changes, based on fundamental results in algebraic coding theory, information theory, block design and classical statistics together achieve the following results: an a-priori bound on key-lengths; a method for estimating the initial and subsequent bit correlations and key-lengths; a precise procedure on how to proceed optimally at each stage; a formal proof that KA converges to Ks; a stopping rule; a verification procedure for equality; and a new systematic hash function for Privacy Amplification.

After PHASE I, Alice and Bob have their respective binary arrays KA and KB and both perform the following steps of PHASE II: (vii) Shuffle and partition. Alice and Bob apply a permutation to K 4 and KB They then partition the remnant raw keys into sub-blocks of length 1 4.

(viii) Parity exchange and bisective search with 1 4: Parities are computed and exchanged for each sub-block of length 4 by Alice and Bob. Simultaneously they discard the bottom bit of each sub-block so that no new information is revealed to Eve. If the parities agree Alice and Bob retain the three top bits of each sub-block. If the parities disagree Alice and Bob perform a bisective search discarding the bottom element in each sub-block exactly as described in and (see also The procedure in steps: (vii) and (viii) is denoted by KAP4.

(ix) Estimate Correlation From the length of the new key, we can calculate the expected initial bit correlation xo between KA and KB Using xo we can calculate the present expected correlation x (p4( X Shuffle, parity exchange. bisective search with the optimal To the remnant keys KA, KB we apply a permutationf in order to separate adjacent keys. As a non-restrictive example, one suchf can be implemented by shuffling the bit order from into the order p 1, 2p 1, qp 1, 2 ,p 2 2 p 2 ,q2p 2 2 p-l, 3p- 1 qp,.P +p-l,p, 2 p, 3 p, qp where qi i) p.

Given the present correlation x we choose the optimal value for I 1(x) by using the tables in Similar to (viii), (ix) for the case 1 4, we carry out the procedure KAP From x, or from the new common length of the remnant keys, we calculate the expected present correlation after KAP has been applied. We repeat (xi) until the stopping condition holds.

(xi) Stopping Condition For key length n and correlation x we have n(l-x) e ,a predetermined small positive number. We then proceed to the verification procedure, an example of which is as follows.

(xii) Verification Procedure Let KA KB both be of length n. Let t be the smallest integer for which 2 n Construct a binary matrix M= my., (1 5 i t+l 1 5j as follows: a. The entries my, (1 ij t are the entries of the t x t identity matrix Ixt,.

b. The (t 1 )t h row ofM is the all-ones vector, that is m,+j 1 1 <j 2 t c. Denote the top t entries in thej th column by the binary vector vj 1 <j 5 Thus, vj {my 1 i Then we impose the condition that the vectors vj are all distinct. Thus, the set vj equals the set of all 2' distinct binary vectors of length t.

d. Denote the rows of M by R 1

R

2

R,+

1 Let x, y denote the remnant keys KA, KB written as row vectors of length n. Let x, y denote the vectors that result when a row of zeros of length 2'-n is adjoined, on the right of x, y respectively. Thus x (y,000..0).

e. Our verification criterion is to check that x. Ri Ri, (1 E i 5 t+1).

If the verification criterion is not satisfied we remove the first t+l bits from KA KB and repeat steps (xi) and check again if the verification criterion is satisfied.

Eventually, it will be satisfied.

At this stage Alice and Bob have confirmed that they now share the same key. Once confirmed, the final remnant raw key as transformed by Phase 2 is modified by removing the first t+l bits from KA K Our new key is re-named the "reconciled key" and phase 3, Privacy amplification is performed.

PHASE II- At this stage Alice and Bob now have a common reconciled key. In certain cases it is possible that the key is only partially secret to eavesdropper, Eve, in the sense that Eve may have some information on the reconciled key in the form of Shannon bits. Alice and Bob now begin the process of PrivacyAmplification that is the extraction of a final secret key from a partially secret one (see and A well-known result of Bennett, Brassard and Robert (see shows that Eve's average information about the final secret key is less than 2 'S/ln 2 Shannon bits as explained below (See also Shannon (xiii) Privacy Amplification Let the upper-bound on Eve's number of Shannon Bits be k and let s 0 be some security parameter that Alice and Bob may adjust as desired. Alice and Bob now apply a hash function described in "Method For The Construction Of Hash Functions Based On Sylvester Matrices, Balanced Incomplete BlockDesigns And Error- Correcting Codes", co-pending Irish Patent Application, (the entire contents of which is hereby included by reference as if fully set forth herein which produces a final secret key of length n k- s from the reconciled key of length in.

The system and method of the present invention provide an unconditionally secure key agreement scheme based on network dynamics as follows. In PHASE I, Alice and Bob permute the bits of what remains of their respective raw keys, which keys incorporate delay occasioned by network noise. In PHASE II, the key from PHASE I undergoes the treatment of Lomonaco That is, in PHASE II Alice and Bob partition the remnant raw key into blocks of length I. An upper bound on the length of the final key has been estimated and the sequence of values of I that yield key lengths arbitrarily close to this upper bound has also been estimated In PHASE II, for each of these blocks, Alice and Bob publicly compare overall parity checks, making sure each time to discard the last b it of the compared block. Each time an overall parity check does not agree, Alice and Bob initiate a binary search for the error, bisecting the mismatched block into two sub-blocks, publicly comparing the parities for each of these sub-blocks, while discarding the bottom bit of each sub-block. They continue their bisective search on the sub-block for which their parities are not in agreement. This bisective search continues until the erroneous bit is located and deleted. They then proceed to the next I-block..

PHASE I is then repeated, a suitable permutation is chosen and applied to obtain the permuted remnant raw key. PHASE II is then repeated, the remnant raw key is partitioned into blocks of length 1, parities are compared, etc. Precise expressions for the expected bit correlation (see below) following each step have been obtained in where it is also shown that this correlation converges to 1. Moreover in the expected number of steps to convergence as well as the expected length of the reconciled key are tabulated.

The probability that corresponding bits agree in the arrays KA KB is known as the bit correlation probability or, simply, as the bit correlation. It can be shown (see that each round can be used to increase the bit-correlation. For example, if we start with a bit-correlation of 0.7 then after one round with 1 3 the bit-correlation increases to about 0.77 and then to 0.87. For 1 2 the corresponding numbers are 0.84 and 0.97. E stimates a re also a vailable for t he key I engths a fter a round of the protocol of the present invention, for various values of 1 The final secret key can now be used for a one-time pad to create perfect secrecy or can be used as a key for a symmetric key cryptosystem such as Rijndael [12] or Triple DES [18].

A simplified version of the algorithm for the values I 2 and 3 is described in Appendix A.

The system and method of the present invention provides secure transmission over wireless and wire media and networks as set forth below; a. wireless 1. radio transmission 2. radio frequency 3. satellite 4. microwave 5. infrared 6. acoustic 7. electro-magnetic spectrum 8. spread spectrum 9. laser b. wired 1. optical 2. fiber optics 3. electrical 4. Ethernet 5. quantum communication c. networks 1. intranet 2. Internet 3. extranet 4. Public Switched Telephone Network (PSTN) Local Area Network (LAN) 6. Wireless Local Area Network (WLAN) 7. Wireless Fidelity (WIFI) 8. Wireless Local Area Network (WiLAN) 9. IEEE 802.11, 802.11a, 802.1 lb Personal Area Network (PAN) 11. Bluetooth 12. Code Division Multiple Access (CDMA) 13. Global System for Mobile (GSM) Communication 14. 3 rd Generation Mobile Network (3G) Asynchronous Transfer Mode (ATM) 16. Digital Subscriber Line (DSL) 17. Frame Relay It will be understood by those skilled in the art, that the above-described embodiments are but examples from which it is possible to deviate without departing from the scope of the invention as defined in the appended claims.

REFERENCE AND BIBLIOGRAPHY The following references are hereby incorporated by reference as if fully set forth herein.

Charles Bennett, Frangois Bessette, Gilles Brassard, Louis Salvail, and John Smolin, Experimental quantum cryptography, EUROPCRYPT '90 (Arhus, Denmark), 1990, pp. 253- 265.

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert, Privacy Amplification by Public Discussion, Siam J. of Computing, 17, no.2 (1988), pp. 210-229.

Aiden Bruen and David Wehlau, Method for the Construction of Hash Functions Based on Sylvester Matrices, Balanced Incomplete Block Designs, and Error-Correcting Codes, Irish Patent Co-pending Irish Patent Application.

Aiden Bruen and David Wehlau, A Note On Bit-Reconciliation Algorithms, Non-Elephant Encryption Systems Technical Note 01.xx NE2, 2001.

Samuel J. Lomonaco, A quick glance at quantum cryptography, Cryptologia 23 (1999), no. l,pp. 1-41.

A Rosetta Stone for Quantum Mechanics With An Introduction to Quantum Computation, quant-ph/0007045 (2000).

Ueli M. Maurer, Secret Key Agreement By Public Discussion From Common Information, IEEE Transactions on Information Theory 39 no.3 (1993), pp. 733-742.

United States General Accounting Office, Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO 01-227 Report, February 2001, Report to the Chairman, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, House of Representatives.

Claude E. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal 28(1949), 656-715.

David Wehlau, Report for Non-Elephant Encryption, Non-Elephant Encryption Technical Note 01.08.2001.

[11] A. D. Wyner, The Wire-Tap Channel, Bell System Technical Journal 54 no.8(1975), 1355-1387.

[12] Joan Daemon and Vincent Rijnmeien, The Rijndael Block Cypher, June 1998, http://csrc.nist. ov/encryption/aes/riindael/riindael.pdf [13] Bruce S chneier, Applied Cryptography, 2 nd Edition, John Wiley Sons, New York, 1996, Chapter 12.

[14] Andrew Tanenbaum, Computer Networks, Prentice Hall, 1996.

[15] Claude E. Shannon, A Mathematical theory of Communication, Bell System Technical Journal 27(1948), pp. 379-423 and 623-656.

[16] Will E. Leland, Murad S. Taqq, Walter Willinger, and Daniel V. Wilson, On the Self- Similar Nature of Ethernet Traffic, Proc. SIGCOMM (San Francisco, CA; Deepinder P.

Sidhu, 1993, pp. 183-193.

[17] R. A. Mollin, An Introduction to Cryptography, Chapman Hall/CRC, 2000. Chapter 6.

[18] Douglas R. Stinson, Cryptography: Theory and Practice, CRC Press, 1995.

[19] Julian R. Brown, The Quest for the Quantum Computer, Simon Schuster, New York, 2001.

Xiaomin Bao, Probabilistic Adjusting Raw Key Generation Method, Reportfor Non- Elephant Encryption, Non-Elephant Encryption Technical Note 02.nm, July 26, 2002

Claims (4)

1. XA RAn RA,, XB RB n RB 1

2. XA RAnRAI nRA 2 XB RB n RB, n RB,;

3. XA RA n RA A, n RA, XB RB n RBI n RB 2 n RB;

4. XA =RAn RA, nRA, n RA R4, XB RB n RB 1 RBn RBs n RB 4 XA RA n RA 1 n RA n RA n RA4 n RA, XB RB n RB 1 n RB 2 n RB, n RB n RB,. The sets RAI, RA 2 RAs, RA 4 and RA, are generated by Alice by P, the sets RBx, RB 2 RBs, RB 4 and RB, are generated independently by ab. Bob by P. AiD and BiD (i denote Alice and Bob's relevant raw keys generated by the probabilistic adjusting raw key generation method. X-Y denotes the correlation between X and Y. SiD and SiTD denote Eve's relevant raw keys, these keys are based on her relevant Xss, for SiD the flipping are taken on (S n Rs) Xs; while for SiTDs the flipping are taken on S Rs and (S n Rs) Xs. SE denotes the raw key obtained by just flipping the bits indexed by the numbers in S Rs. The results show that in most cases Eve can get no better correlation than Alice and Bob can. The reason that Alice and Bob will succeed can be explained by the following example: Suppose three people A, B and E each has 100 pieces of paper, of the 100 pieces of paper that A or B has, only 50 of them are $1 bills, but all the 100 piece that E has are all $1 bills. Now put all 300 pieces of paper into a box and mix them thoroughly, then randomly divide them into three part so that each part has 100 pieces, and give each of A, B and E a part randomly. Statistically, A, B and E each will have about 66 pieces of S1 bills. correlation AiD-BlD 0.59935 AiD-S 0.6666323 AiD-SE 0.624465 7AD-SiD 0. 624465 A1D-SITD 0.666323 A2D-B2 0599539 A2D-S 0.499644 A2D-SE 0.562399 A2D-S2D 0.600677 A2D-S2TD 0.562837 A3D-B3D 0.650665 A3D-S 0.3995 1 A3D-SE 0.520948 A3D-S3D 0.651906 A3D-S3TD 0.547496 A4.D-B4D 0.697948 A4D-S 0.333111 A4D-SE 0.490154 A4D-S4D 0.699136 A4D-S4TD 0.550774 0.736324 0.285645 0.465445 0.737031 0.561381 A6D-B6D 0.767151 A6D-S 0.249924 A6D-SE 0.445514 A6D-S6D 0.767007 A6D-S6TD 0.573403 Table 1: