CA2458819A1 - A key agreement protocol based on network dynamics - Google Patents
A key agreement protocol based on network dynamics Download PDFInfo
- Publication number
- CA2458819A1 CA2458819A1 CA002458819A CA2458819A CA2458819A1 CA 2458819 A1 CA2458819 A1 CA 2458819A1 CA 002458819 A CA002458819 A CA 002458819A CA 2458819 A CA2458819 A CA 2458819A CA 2458819 A1 CA2458819 A1 CA 2458819A1
- Authority
- CA
- Canada
- Prior art keywords
- string
- station
- gamma
- strings
- length
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
A system and method for an unconditionally secure protocol to create identical pads or keys between two parties communicating over any network is provided. The protocol is composed of three parts, as follows, Firstly, the two parties generate an initial correlated string K A, K B of length N from a finite alphabet in a pre-arranged way from a commonly known probabilistic vector of real numbers.
Secondly, the two parties engage in Information Consolidation and Reconciliation in order to reconcile differences. Finally, Privacy Amplification is used to cancel any information that an eavesdropper may have acquired and to produce the key or pad. This key agreement protocol creates unconditionally secure cryptography with a symmetric key cryptosystem.
Alternatively, the symmetric keys can be used as a one-time pad with unconditional security.
Secondly, the two parties engage in Information Consolidation and Reconciliation in order to reconcile differences. Finally, Privacy Amplification is used to cancel any information that an eavesdropper may have acquired and to produce the key or pad. This key agreement protocol creates unconditionally secure cryptography with a symmetric key cryptosystem.
Alternatively, the symmetric keys can be used as a one-time pad with unconditional security.
Description
A >E~EY AGREEIv~ENT PROTOCOL BASED ON'~ETWORK D'YNaM)<CS
BACKGROUND OF TIE IMVENTION
1. Field of the invention The present invention relates to cryptographic systems. More particularly, the invention generates, by public discussion, a cryptographic key that is unconditionally secure. Prior to this invention, cryptographic keys generated by public discussion, such as Diffie-Hellman, satisfied the weak condition of computational security but were not unconditionally secure.
IO
BACKGROUND OF TIE IMVENTION
1. Field of the invention The present invention relates to cryptographic systems. More particularly, the invention generates, by public discussion, a cryptographic key that is unconditionally secure. Prior to this invention, cryptographic keys generated by public discussion, such as Diffie-Hellman, satisfied the weak condition of computational security but were not unconditionally secure.
IO
2. Discussion of the Related Art An Achilles Heel of classical cryptographic systems is that secret commux<ication c an o nly take place after a key is communicated in secret over a fatally secure communication channel.
Lomonaco [5,6] describes the matter as the "Catch 22" of ery~ptography, as follows:
"Catch 22. Before Alice and Bob ca~~ communicate in secret. they must first cortununicate in secret."
Lomooaco goes on to describe further difficulties involvin' the public lcey cryptographic systems that are currently in use. For a discussion on several other disadvantages of tloe Public Trey Infrastnich~re (PKI) see U.S. General Accounting Office Report [8) and Schneier [13].
Let x be a con~.mon key that has been created for Alice and Bob. That is, x is a binary vector of length rc. Then x can be used as a one-time pad as follows. Let m be a message that Alice wishes to trmsmit to Bob; m is some binary vector also of length t:. Alice encodes u:
as m ~ x where denotes bitlvise addition, i.e., etclusive OR. Thus rrr ~ x, not fn, i s broadcast over the public channel. Bob then decodes in exactly the same way. Thus Bab decodes the message (m ~ x) ~ x, which is m, because of th.e properties of birwise addition.
3b Al.ternati~~eiy, the key x can be used in a standard symmetric lcey cryptosystem such as that of Rijndael [12) or Data Bnciyption Standard (DES) [13]. The idea now is to encode rrr as fr(rtz) where fx denotes the Rijndael permutation with the parameter x. Then, to get the message, Bob decodes by I
gx[fxfm)1= m where gx is the inverse of fx To date, practical protocols for constructing such a common key x use for their security unpraven mathematical assumptions concerning the complexity of various mathematical problems such as the factoring problem, the discrete Iog problem, and the Diffie-ldellma.n problem. Another serious difficulty coneeming present systems involves the very long keys that are needed for even minimal security. In his monograph R. A. Mollin [17] points out that for elliptic curves cryptography an absolute winimum of 300 bits should be used for even the most modest security requirements and 500 bits for more sensitive communication. Further, key lengths of 2048 bits are recommended for RSA in the same reference.
In [19] chapter 5, Julian Brown gives an example of a financial encryption system depending on RSA keys of 512-bit, namely the CREST system ixztroduced in 1997 by the Hank of England. H'e quotes the noted cryptographer A. Lenstra concerning such codes as follows:
"Keys of 512 bits might even be within the reach of cyphcrpunks. In principle they could crack such numbers overnight".
Randomness in Arrival Times of Network Communications Computer nerivorlcs are ~~ery compJ.ex systems formed by the superposition oI
several protocol layers [14]. Fib ire 1 shows the layers in a typical network. The following analysis of how the layers work together serves to explain the randomness in netv~~orlcs.
The lowest layer cormects two computers, i.e., creates a channel between them, by some physical means and is called the Physical Layer.
The second layer removes random physical errors (called "noise") .from the channel. to create m error-free communications path from one point to another. This layer. i.e., the Data Lirzh Layer, is primatZly responsible for dealing with irar~mission errors eeneratEd as electrical impulses (representing bits) as sent over a physical connection. Error detectir~n techniques [I5) are used to identify the transmission errors in many protocols. Once an error is detected the protocol requests a resend. Random errors in the Data Link Layer can be observed by noting timing delays.
The Medium Access Layer deals with allocating and scheduling all communi.catian.s over a single channel. Tn a networked environtnent, including the Internet, many computers communicate over a single channel. Bursts in packet traffic is a well-known characteristic and is due to the uncontrollable behavior of many individual computers communicating over a single channel [16]
leading to random fluctuations in transmission times.
The Network Layer deals with routing information to create a true or virtual connection between two computers. The routing is dependent on the variety of routing algorithms and the load placed on each muter. These two factors makes the transmission times fluctuate randomly.
is The Transport Layer interfaces with the final Application Layer to provide an end-to-end, reliable, connection-oriented byte stream from sender to receiver. To da so, the Transport Layer provides connection establislunent and connection management. The times associated with Transport Layer activities depend on all devices in the network and the algorithms being used. Thus, fluetuatiom in transmission times in the Transport Layer also occur, contributing to timing delays.
However, izot only the network influences timing fluctuations. The transmitting and receiving computers have internal delays resulting from servicing network packets. Thus, even the act of observing the. timings will also introduce random iluctua.tions. (fee appendix B for an analysis of the 2a effects of perturbations on arrival timing).
Another approach to obtaining independently generated but correlated raw random keys is to employ a commonly known to the communicati~.~g parties probabilistic array and agreed upon generation procedure.
SUM:'vlARY OF TFIk. .T~,'VENT10N
The present invention provides an ef~eient, practical system and method for a key ayement protocol based on network dynamics or a probabilistic generation method that ha.s the strongest possible security, namely, unconditional security, and that does not require airy additional hardware.
Previotu work in this area is either theoretical [11] or practically infeasible due the requirement for additional channels based on expensive and complicated hardware such as satellites, radio transmitter arrays and accompanying additional computer hardware to communicate ~svith these devices f 7]. All previous cryptographic keys only satisfy the weaker criterion of computational security.
Tn one embodiment, the present invention introduces relative time sequences based vn round-trip timings of packets between vvo communicating patties. These packets form the basic building blocks for creating an efficient and unconditionally secure key agreement protocol that can be used as a replacement for current symmetric and asymunetric key cr~~Ptosystems. In another embodiment, the present invention introduces correlated raw randomly generated keys that have been independently generated by two communicating parties based on a probabilistic array (or vector). The present invention is an unconditionally secure cryptographic system and method based on ideas that can be used in the domain of quantum encryption [l, 5 and 20 Chapter 6]. Moreover, the present invention for the first time provides a cryptographic protocol that exploits fundamental results (and their interconnectedness) in the Cteids of information theory, error-correction codes, block desiy and classical statistics. The system and metliod of the present invention is computationally faster, simpler 1 ~ arid more secure tha~r existing cryptosystems. In additioy due to the unconditional security pro~rided by the present invc-ntion, the system and method of the present invention are in~-ulnerable to all attacks from super-computers and even qumtum computers. This is in sharp contrast to all previous protocols.
The present invention provides a protocol that uses either two characteristics of network transit time: namel;r, its raz~dornness, and the fact that, despite this, the average timing measured by two canvnunicating parties will converge over a Iarge number of repetitions or a probabilistic aiTay and adjusting raw Icey generation method. Tl:e r esult i s t hat t wo c orrelated r andom v ariables a re obtained, one by measuring the relative time a packet takes to complete a round trip with respect to a first party, Alice or A, and a round trip with respect to a second party, Bob or B, and the other by starting with a known probabilistic array and applying an agreed upon adjusting procedure to arrive at a correlated generated raw random key.
rn. a first preferred embodiment, A and B engage in rallynng packets back and forth and calculate round-trip times individually. the packets may be used .for any additional purpose since the contents of the packets are irrelevant. Only the round-trip times are of interest. Figure 2 shows one ro~.md of a relative x ound-trip t ime g enerator o f t he p resent i nvention. F figure 2 d iagrammatically describes the pzocess.
In a second preferred embodiment, A and B employ a pre-determined string P to independently generate raw random keys. Appendix C describes the process.
PHASE 1-Alice and Bob employ the system and method of the present invention to construct a raw random key.
For example, Alice and Bob exchange packets over a network, record round-trig lU times, .and each form a bit string by concatenating a pre-arranged number of low order bits of successive packet round-trip times. O~.~ce sufficient bits are concatenated, the process is stropped and both Alice and Bob apply a pre-determined permutation to their respective concatenated bit strings to fonn permuted remnant raw keys K,, and ICB, respectively of equal length.
Or, in another example, Alice and Bob employ a pre-deternlined probabilistic string P
to independently generate correlated random raw strings li,~ and K~ usi.nb a process such as the one described in Appendix C.
''U PHASE 2- Alice and Bob employ these remnal~t raw hevs to create a reconciled key~
Alice and Bob systematically partition their respective permuted remnant raw keys, li,, and rB, i nto s ub-blocks, a ompute, a xchange a nd a ornpare p arities f or a ach s ub-block, and, discarding the low order bit of the sub-block, re-concatenate the modified sub-blocks in their 2 ~ original order. In the case of blocks with misma~ched parities the partition process is iterated until mismatched bits are located and deleted.
PHASE 3 - A lice and Bob create an unconditionally secure pad or key fxom their common reconciled key:
privacy amplif carton to eliminate any partial information that an eavesdropper, Lve, might have is applied by both Alice and Bob using a pre-determined pxopiietary hash function [4] to produce a final unconditionally secure key of a pre-determined length from th.e reconciled key.
BRIEF DESCRIrPTION OF TIDE DRAffINGS
S FIG. 1 illustrates a tyical mufti-layer computer network protocol.
F'IG. 2 illustrates one rallying round between tvvo communicating parties for genezating a pezmuted remnant bit string by each party.
FIG. 3 illustrates mean arrival tizz~e as a function of channel noise noise parameter).
FIG. 4 illustrates adjusting bits using the present invention to increase the correlation between the raw keys of the communicating parties while decreasing the correlation between the raw keys of the corximunicating parties and an possible eavesdropper.
DETAILED D)>SCRIPTION OF 1'H;E INVENTION
In a preferred embodiment, the key agreement scheme of the present invention comprises three phases. The first phase is construction of a permuted remnant bit stri.ug. Two m ethods ~ re presented.
?0 The first metkrod is based on physical characteristics of tine network, wherein, for example and not limitation, the two communicatino- parties, Alice and Bob, rally packets back and forth recording round-trip times.
Tre second method is probabilistic, wherein, for example and not limitation, the two communicating parties, Alice and Bob, both know a probabilistic string P of real numbers and generate keys based on this string, see Appendix C.
Same of the bits may still be different after the initial bit string construction so Alice and Bob then participate in a second phase called Information Re;.onciliation. The second phase results in Alice aaad Bob holding etactly the same key. However, ):ve may have partial kn.owl.edge of the reconciled strings, in the form of Shannon bits. Therefore, a third and Fnal phase called Privacy Amplification is perforrx~.ed to elin~.inate any partial information collected by EL~e.
1?HASE I - Alice and Bob rally packets back and faith to generate a bit string from truncated round-trip timings. This suing is then systematically permuted. The procedure is as follows:
(ij Alice sends Bob a network packet and logs the time t~,a (ii) Bob records the time of reception as tao and responds immediately to Alice with another network packet.
(iii) Alice records the time of reception as tAl, and responds immediately with a networJc packet.
(iv) Bob records the time of reception as t$~ and responds immediately to Alice with another network packet.
(v) Alice and Bob respectively calculate At,, - t,~ ~ - t,~ o and .QtB ~ tee - too Depending on the quality of the network connection, only some bits of fit,, and ~tB are kept.
The higher order bits are dropped. Typical expeumental data and criteria for the truncation can be found in [18].
By taking a suitable probability distribution it can be shown that the average of b.t,~ equals the average of dta.
(vi) Repeat steps {i) throw. (v) in order to create enou~T bits that are then concatenated as a string of bits of a pre-detennined length.
{i)-(vi) Altez'natively, Alice and Bob each know a random probabilistic array P. They independently proceed as described in Appendix C to generate correlated raw random keys K,, and K~.
PHASE Il. - Once Buff cient bits are created, the process is stopped. Alice arid Bob must now use the relative time series to create ar~ unconditionally secure pad or key. One 3~) skilled in the art can deduce, from a study of various papers in the list of references that there are many ways to proceed. The present in~~ention uses an approach which, very loosely speaking, is initially related to that of Bennett ct al.[1). However in [3, 4 and 10J, several changes and improvements have. been indicated. These changes, based on fundamental r results in algebraic coding theory, information theory, block design and classical statistics together achieve the following results:
(a) an a-priori bound on key-lengths;
(b) a method fox estimating the initial and subsequent bit correlations and key-lengths;
(c) a precise procedure on how to proceed optimally at each stage;
(d) a foxmal proof that KA converges to K~;
(e) a stopping rule;
(f) a verification procedure for equality; and (g) a new systematic hash function for Privacy Amplification.
After PHASE I, Alice and Bob have their respective binary arrays K,, and Kg and both perforn~. the following steps of PHASE TI:
(vii) Shuttle and partition. Alice a«d Bob apply a permutation to K,; and X~ .
They then 1 S partition the remnant raw keys into sub-blocks of length 1= 4.
(viii) Parity exchange and bisective search with 1= 4: Parities are computed and exchanged for each sub-block of length 4 by Alice and Bob. Simultaneously they discard the bottom bit of each sub-block so that no new infonnation is revealed to Ew. If the parities agree Alice aid B ob r etain t he t hree top bits of each sub-block. If the parities disagree Alice and Bob '20 perform. a bisective search discarding the bottom element in each sub-block exactly as described in [1] and [5] (see also [4]). The procedure in steps (vii) and (viii) is denoted by XAP4 .
(ix) Estimate Correlation From the length of the new key, we can calculate the expected initial bit correlation xo bet~u,~een K,, and h'B [4J. Using xo eve can calculate the present 25 expected correlation x = cpa( xo ).
(x) Shuffle. parity exchan~g, bisective search with the optimal 1: To the remnant keys KA, K~ we apply a permutation f in order to separate adjacent ke~-s. As a non-restricti~~e example, one suchJcan be irnplenzcnted by shuffling the bit order from (1.2,3,....,n) into the order (l ;p +1,2p+1,...,q,p+1,?,p+2,2p+2,...,qzp+',...,p-1,2p-1,3p-1.,...,qp.tp+p-l,p, 30 2 p, 3 p, 9~P +P!, whexe q; _ (n - i) i p.
Given the present correlation x we choose the optimal value for I = l(x) by using the tables in s [4~. Similar to (viii), (ix) for the case 1 = 4, we carry out the procedure KAP, . From x, or from the new common length of the remnant keys, we calculate the expected present correlation after hA,p! has been applied. We repeat (xi) until the stopping condition holds-(xi) Stopping Condition : For key length n and correlation x we have rr(1-x) <
E ,a pre y determined small positive number. We then proceed to tile verification procedure, an examl7le of which is as follows.
(xii) Verification Procedure : Let KA , X~ both be of length rr. Let t be the smallest integer for which 2' 5 rt . Construct a binary matrix M= m~~, (1 < i 5 t+1 , 1 <_ j <_ 2' ) as follows:
a. The entries m;~, (1 5 i j < t ) are the entries of the t x r identity matrix fx' .
b. The (t +1 )'~' row of M is the a11-ones vector, that I5 rn'+~,~ = 1 ( 1 _<
j S 2' ).
c. Denote the top t entries in the j'h column by the binary vector v; ( 1 5 j < 2' ).
Thus, vj = ~mi~ ( 1 5 i S t; . Then we impose the condition that the vectors vi are all distinct. Thus, the set ; v~ ; equals the set of all 2' distinct binary vectors of length t.
d. Denoie the rows of Mby RI, Rz, .. ., R,m . Let x, y denote the remnant keys li,~, 1 ~ Ifs written as row vectors of length n. Let x, ~ denote the vectors that result when a row of zeros of lend h 2'-rr is adjoined, on the right of x, y respectively.
Thus x = (x,000..0), y = (y,000..0).
e. Our verification criterion is to check that x . R; =y . lZ;, (1 < i S t+1 ).
Xf the vErification criterion is not satisfied we renxove the first t+1 bits from li~, , lip and repeat steps (x), (xi) and check again if the verification criterion is satisfied.
Eventually, it will be satisfied.
At this stage Alice and Bob have coraf m~ed that they no~v share the same key.
Once confirmed, the final remnant raw key as transformed by Phase 2 is modified by removing the first t-vl bits from KA = KB . Our new key is re-named the "reconciled key" and phase 3, privacy amplification is perfornzed.
PHASE TlI- At this stage Alice and Bob now have a common reconciled hey. In certain cases it is possible that the key is only partially secret to eavesdropper, Eve, in the sense that Eve may hare some information on the reconciled key in the form of Shannon nits. Alice and Bob now begin the process of PrivacyrlmplijicQtion that is the extraction of a final secret key from a partially secret one (see [1] and [2]). A well-known result of Bennett, Brassard and Robert (see [I8]) shows that Eve's average informarion about the final secret key is less than 2-iilr~ 2 Shannon bits as explained below (See also Shannon [9]).
(xiii) Pn- '~ Arnplitication - Let the upper-bound on E4~e's number of Shannon Bits be k and let s > 0 be some security parameter that Alice and Bob may adjust as desired. Alice and Bob now apply a hash function described in "Method For The Construction Of dash Functions Based On Sylvester : atrices, Balanced Incomplete Block Designs And Error-Correcting Codes", co-pending Irish Patent Application, (the entire contents of which is hereby included by reference as if fully set foz<h herein [3]) tvhich produces a final secret key of length ~a - k- s from the reconciled key of length rt.
The system az~.d method of the present invention provide an unconditionally secure key agreement scheme based on network dynamics as follows. In P?~IASE I, ?lice and Bob permute the bits of what remains of their respective raw keys, which keys incorporate delay occasioned by network noise. In PHASE II, the key from PHASE z undergoes the treatment of Lomonaco [S]. That i~, in PHASE II Alice and Bob partition the remnant raw key into blocks of length. L An upper bound on the length of the final key has been estimated and the sequence of values of l that geld l:ey lengihs arbitrarily close to this upper bound has also been estimated [4]. In PHASE
IT, for each of these blocks. Alice and Bob publicly con spare overall parity checks, making sure each time to discard the last b it o f the compared bloclt. Each time an overall parity check does not agree, Alice and Bob initiate a binary search for the error, i.e., bisecting the mismatched black into two sub-blocks, publicly comparing the parities for each of these sub-blocks, ~rhile discarding the bottom bit of each sub-block. They continue their bisective search on the sub-block for which their parities are not in a.green~ent. This bisective search continues until the en~oneous bit is located and deleted. They then proceed to the next l-block..
PHASE f is then repeated, i.e., a suitable permutation is chosen and applied to obtainthe permuted remnant raw key. PFIA,SE II is then repeated, i.e., the remnant raw key is partitioned into blocks of length l, parities are compared, etc. Precise expressions for the:
expected bit correlation (see below] following each step have been obtained in [4~, where it is also shown shat this c.orTelation conver3es to 1. Moreover in [4] the expected number of steps to convergence.
as ~.vell as the expected length of the reconciled key are tabulated.
The probability that corresponding bits ayee in the arrays KA , KB is la~o~rn as the bit correlation probability or, simply, as the bit correlation. It can be shown (see [A.]) that each round can be used to inczease the bit-correlation. For example, if we statrt with a bit-correlation of 0.7 then after one round with l = 3 the bit-correlation increases to about 0.77 and then to 0.8?. For l = 2 the corresponding numbers are 0 .84 a nd 0 .97. E stimates a re a lso a vailable f or t he k ey 1 engths a fter a round of the protocol of the present invention, for various values of l [4].
The final secret lcey can now be used fox a one-time pad to c:eate perfect secrecy or can be used as a key for a symmetzic key cry~ptosystem such as Rijndael [1?.] or Triple DES [18].
A simplified version of the algorttlun for the values l = 2 and 3 is described in. Appendix A.
The system and method of the present invention provides secure transmission over wireless and wire media and networks as set forth below;
1 S a. wireless 1. radio transmission 2. radio frequency 3. satellite 4. microwave 5. infrared G. acoustic 7, elec.tro-magnetic spectrum 8. spread spectrum 9. laser b. u-ired 1. optical 2. fiber optics 3. electrical 4. Ethernet 5. quantum communication c. net<vorks 1. intranet 2. Internet 3. extranet 4. Public Switched Telephone Network (PSTN) 5. Local Area Network (LAN) 6. Wireless Local Area Network (WLAN) 7, Wireless Fidelity (WLFI]
8. Wireless Local Area Network (~'iLAN]
9. TEEE 802.11, 802.11a, 802.1 lb I0. Personal Area Net<voxk (PAN) 11. Bluetooth 12. Code Division Multiple Access (CDMA) 13. Global System for Mobile (GSM) Communication 14. 3'd Generation Mobile Network (3G) 15. Asynchronous Transfer Mode (ATM) 16. Digital Subscriber Line (DSL) 1. 5 I7. Frame Relay Lt will be understood by those skilled in tire art, that ?he above-described embodiments are but examples from which it is possible to deviate without departing from the scope of the invention as defined in the appended clainss.
REFERENCE AND 13ISLIOORA.PkIY
The following references are hereby incorporated by reference as if fully set forth herein.
S
[l] Charles Bennett, Fran~.ois Besseite, Gilles l3rassard, Louis Salvail, and John Smolin, L~'zperi~nental quantum cryptography, EUROl'CRYPT '90 (~~hus, Denmark), 1990, pp. 253-265.
[?-] Charles Td. Bernett, Gilles Brassard, and Jean-Mare Robe1-t, Privacy Amplification by Public Discursior~, Siam J. of Computing, 17, no.2 ( 1988), pp. 210-229.
[3] Aiden Bruen and David Wehlau, Method for the Construction ofHash Functions Based on Sylvester Matrices, Balanced In.eornplete Block Desio s, and Error-Correcting Codes, Tiish J'atent Co-pending Trish Patent Application.
[4J Aiden Bruen and David Wehlau, A Note pn Bit-Reronciliation Algoritlarns, Non-Flepha~~.t Encryption Systems Technical Note. OI _x~ NE2, 2001.
[S] Samuel J. Lomonaco, A quick glance at guantunr cryptography, Cryptologia 23 (1999), no. 1, pp. 1-41.
[6] , .! Rosetta Stone for Quantum ,Mechanics Y~itlz An Introduction to Ouanturn Compurarion, quart-phI000704~ (2000).
[7] C.Teli 1~I. Maurer, Secret Key Adreetnent By Public Discussion From COrlant0T1 Information, IEPE Transactions on Information Theory 39 no.3 (1993), pp. 733-7~2.
[8] United States General Accouniing Office:, Advances and Rrnaair~ir~g Challenges to Adoption of Public h,'ey Infrastructure Technology. GAD 01-227 Report, February 2001, Report to the Chaimnan, Subcommittee on Government Lfficiency, Fii:ancial fvlanagement and 7ntengovernmental Relations, Committee on Government Reform, House of Representatives.
[9] Claude E. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal 2 8( 1949), 556-715.
Lomonaco [5,6] describes the matter as the "Catch 22" of ery~ptography, as follows:
"Catch 22. Before Alice and Bob ca~~ communicate in secret. they must first cortununicate in secret."
Lomooaco goes on to describe further difficulties involvin' the public lcey cryptographic systems that are currently in use. For a discussion on several other disadvantages of tloe Public Trey Infrastnich~re (PKI) see U.S. General Accounting Office Report [8) and Schneier [13].
Let x be a con~.mon key that has been created for Alice and Bob. That is, x is a binary vector of length rc. Then x can be used as a one-time pad as follows. Let m be a message that Alice wishes to trmsmit to Bob; m is some binary vector also of length t:. Alice encodes u:
as m ~ x where denotes bitlvise addition, i.e., etclusive OR. Thus rrr ~ x, not fn, i s broadcast over the public channel. Bob then decodes in exactly the same way. Thus Bab decodes the message (m ~ x) ~ x, which is m, because of th.e properties of birwise addition.
3b Al.ternati~~eiy, the key x can be used in a standard symmetric lcey cryptosystem such as that of Rijndael [12) or Data Bnciyption Standard (DES) [13]. The idea now is to encode rrr as fr(rtz) where fx denotes the Rijndael permutation with the parameter x. Then, to get the message, Bob decodes by I
gx[fxfm)1= m where gx is the inverse of fx To date, practical protocols for constructing such a common key x use for their security unpraven mathematical assumptions concerning the complexity of various mathematical problems such as the factoring problem, the discrete Iog problem, and the Diffie-ldellma.n problem. Another serious difficulty coneeming present systems involves the very long keys that are needed for even minimal security. In his monograph R. A. Mollin [17] points out that for elliptic curves cryptography an absolute winimum of 300 bits should be used for even the most modest security requirements and 500 bits for more sensitive communication. Further, key lengths of 2048 bits are recommended for RSA in the same reference.
In [19] chapter 5, Julian Brown gives an example of a financial encryption system depending on RSA keys of 512-bit, namely the CREST system ixztroduced in 1997 by the Hank of England. H'e quotes the noted cryptographer A. Lenstra concerning such codes as follows:
"Keys of 512 bits might even be within the reach of cyphcrpunks. In principle they could crack such numbers overnight".
Randomness in Arrival Times of Network Communications Computer nerivorlcs are ~~ery compJ.ex systems formed by the superposition oI
several protocol layers [14]. Fib ire 1 shows the layers in a typical network. The following analysis of how the layers work together serves to explain the randomness in netv~~orlcs.
The lowest layer cormects two computers, i.e., creates a channel between them, by some physical means and is called the Physical Layer.
The second layer removes random physical errors (called "noise") .from the channel. to create m error-free communications path from one point to another. This layer. i.e., the Data Lirzh Layer, is primatZly responsible for dealing with irar~mission errors eeneratEd as electrical impulses (representing bits) as sent over a physical connection. Error detectir~n techniques [I5) are used to identify the transmission errors in many protocols. Once an error is detected the protocol requests a resend. Random errors in the Data Link Layer can be observed by noting timing delays.
The Medium Access Layer deals with allocating and scheduling all communi.catian.s over a single channel. Tn a networked environtnent, including the Internet, many computers communicate over a single channel. Bursts in packet traffic is a well-known characteristic and is due to the uncontrollable behavior of many individual computers communicating over a single channel [16]
leading to random fluctuations in transmission times.
The Network Layer deals with routing information to create a true or virtual connection between two computers. The routing is dependent on the variety of routing algorithms and the load placed on each muter. These two factors makes the transmission times fluctuate randomly.
is The Transport Layer interfaces with the final Application Layer to provide an end-to-end, reliable, connection-oriented byte stream from sender to receiver. To da so, the Transport Layer provides connection establislunent and connection management. The times associated with Transport Layer activities depend on all devices in the network and the algorithms being used. Thus, fluetuatiom in transmission times in the Transport Layer also occur, contributing to timing delays.
However, izot only the network influences timing fluctuations. The transmitting and receiving computers have internal delays resulting from servicing network packets. Thus, even the act of observing the. timings will also introduce random iluctua.tions. (fee appendix B for an analysis of the 2a effects of perturbations on arrival timing).
Another approach to obtaining independently generated but correlated raw random keys is to employ a commonly known to the communicati~.~g parties probabilistic array and agreed upon generation procedure.
SUM:'vlARY OF TFIk. .T~,'VENT10N
The present invention provides an ef~eient, practical system and method for a key ayement protocol based on network dynamics or a probabilistic generation method that ha.s the strongest possible security, namely, unconditional security, and that does not require airy additional hardware.
Previotu work in this area is either theoretical [11] or practically infeasible due the requirement for additional channels based on expensive and complicated hardware such as satellites, radio transmitter arrays and accompanying additional computer hardware to communicate ~svith these devices f 7]. All previous cryptographic keys only satisfy the weaker criterion of computational security.
Tn one embodiment, the present invention introduces relative time sequences based vn round-trip timings of packets between vvo communicating patties. These packets form the basic building blocks for creating an efficient and unconditionally secure key agreement protocol that can be used as a replacement for current symmetric and asymunetric key cr~~Ptosystems. In another embodiment, the present invention introduces correlated raw randomly generated keys that have been independently generated by two communicating parties based on a probabilistic array (or vector). The present invention is an unconditionally secure cryptographic system and method based on ideas that can be used in the domain of quantum encryption [l, 5 and 20 Chapter 6]. Moreover, the present invention for the first time provides a cryptographic protocol that exploits fundamental results (and their interconnectedness) in the Cteids of information theory, error-correction codes, block desiy and classical statistics. The system and metliod of the present invention is computationally faster, simpler 1 ~ arid more secure tha~r existing cryptosystems. In additioy due to the unconditional security pro~rided by the present invc-ntion, the system and method of the present invention are in~-ulnerable to all attacks from super-computers and even qumtum computers. This is in sharp contrast to all previous protocols.
The present invention provides a protocol that uses either two characteristics of network transit time: namel;r, its raz~dornness, and the fact that, despite this, the average timing measured by two canvnunicating parties will converge over a Iarge number of repetitions or a probabilistic aiTay and adjusting raw Icey generation method. Tl:e r esult i s t hat t wo c orrelated r andom v ariables a re obtained, one by measuring the relative time a packet takes to complete a round trip with respect to a first party, Alice or A, and a round trip with respect to a second party, Bob or B, and the other by starting with a known probabilistic array and applying an agreed upon adjusting procedure to arrive at a correlated generated raw random key.
rn. a first preferred embodiment, A and B engage in rallynng packets back and forth and calculate round-trip times individually. the packets may be used .for any additional purpose since the contents of the packets are irrelevant. Only the round-trip times are of interest. Figure 2 shows one ro~.md of a relative x ound-trip t ime g enerator o f t he p resent i nvention. F figure 2 d iagrammatically describes the pzocess.
In a second preferred embodiment, A and B employ a pre-determined string P to independently generate raw random keys. Appendix C describes the process.
PHASE 1-Alice and Bob employ the system and method of the present invention to construct a raw random key.
For example, Alice and Bob exchange packets over a network, record round-trig lU times, .and each form a bit string by concatenating a pre-arranged number of low order bits of successive packet round-trip times. O~.~ce sufficient bits are concatenated, the process is stropped and both Alice and Bob apply a pre-determined permutation to their respective concatenated bit strings to fonn permuted remnant raw keys K,, and ICB, respectively of equal length.
Or, in another example, Alice and Bob employ a pre-deternlined probabilistic string P
to independently generate correlated random raw strings li,~ and K~ usi.nb a process such as the one described in Appendix C.
''U PHASE 2- Alice and Bob employ these remnal~t raw hevs to create a reconciled key~
Alice and Bob systematically partition their respective permuted remnant raw keys, li,, and rB, i nto s ub-blocks, a ompute, a xchange a nd a ornpare p arities f or a ach s ub-block, and, discarding the low order bit of the sub-block, re-concatenate the modified sub-blocks in their 2 ~ original order. In the case of blocks with misma~ched parities the partition process is iterated until mismatched bits are located and deleted.
PHASE 3 - A lice and Bob create an unconditionally secure pad or key fxom their common reconciled key:
privacy amplif carton to eliminate any partial information that an eavesdropper, Lve, might have is applied by both Alice and Bob using a pre-determined pxopiietary hash function [4] to produce a final unconditionally secure key of a pre-determined length from th.e reconciled key.
BRIEF DESCRIrPTION OF TIDE DRAffINGS
S FIG. 1 illustrates a tyical mufti-layer computer network protocol.
F'IG. 2 illustrates one rallying round between tvvo communicating parties for genezating a pezmuted remnant bit string by each party.
FIG. 3 illustrates mean arrival tizz~e as a function of channel noise noise parameter).
FIG. 4 illustrates adjusting bits using the present invention to increase the correlation between the raw keys of the communicating parties while decreasing the correlation between the raw keys of the corximunicating parties and an possible eavesdropper.
DETAILED D)>SCRIPTION OF 1'H;E INVENTION
In a preferred embodiment, the key agreement scheme of the present invention comprises three phases. The first phase is construction of a permuted remnant bit stri.ug. Two m ethods ~ re presented.
?0 The first metkrod is based on physical characteristics of tine network, wherein, for example and not limitation, the two communicatino- parties, Alice and Bob, rally packets back and forth recording round-trip times.
Tre second method is probabilistic, wherein, for example and not limitation, the two communicating parties, Alice and Bob, both know a probabilistic string P of real numbers and generate keys based on this string, see Appendix C.
Same of the bits may still be different after the initial bit string construction so Alice and Bob then participate in a second phase called Information Re;.onciliation. The second phase results in Alice aaad Bob holding etactly the same key. However, ):ve may have partial kn.owl.edge of the reconciled strings, in the form of Shannon bits. Therefore, a third and Fnal phase called Privacy Amplification is perforrx~.ed to elin~.inate any partial information collected by EL~e.
1?HASE I - Alice and Bob rally packets back and faith to generate a bit string from truncated round-trip timings. This suing is then systematically permuted. The procedure is as follows:
(ij Alice sends Bob a network packet and logs the time t~,a (ii) Bob records the time of reception as tao and responds immediately to Alice with another network packet.
(iii) Alice records the time of reception as tAl, and responds immediately with a networJc packet.
(iv) Bob records the time of reception as t$~ and responds immediately to Alice with another network packet.
(v) Alice and Bob respectively calculate At,, - t,~ ~ - t,~ o and .QtB ~ tee - too Depending on the quality of the network connection, only some bits of fit,, and ~tB are kept.
The higher order bits are dropped. Typical expeumental data and criteria for the truncation can be found in [18].
By taking a suitable probability distribution it can be shown that the average of b.t,~ equals the average of dta.
(vi) Repeat steps {i) throw. (v) in order to create enou~T bits that are then concatenated as a string of bits of a pre-detennined length.
{i)-(vi) Altez'natively, Alice and Bob each know a random probabilistic array P. They independently proceed as described in Appendix C to generate correlated raw random keys K,, and K~.
PHASE Il. - Once Buff cient bits are created, the process is stopped. Alice arid Bob must now use the relative time series to create ar~ unconditionally secure pad or key. One 3~) skilled in the art can deduce, from a study of various papers in the list of references that there are many ways to proceed. The present in~~ention uses an approach which, very loosely speaking, is initially related to that of Bennett ct al.[1). However in [3, 4 and 10J, several changes and improvements have. been indicated. These changes, based on fundamental r results in algebraic coding theory, information theory, block design and classical statistics together achieve the following results:
(a) an a-priori bound on key-lengths;
(b) a method fox estimating the initial and subsequent bit correlations and key-lengths;
(c) a precise procedure on how to proceed optimally at each stage;
(d) a foxmal proof that KA converges to K~;
(e) a stopping rule;
(f) a verification procedure for equality; and (g) a new systematic hash function for Privacy Amplification.
After PHASE I, Alice and Bob have their respective binary arrays K,, and Kg and both perforn~. the following steps of PHASE TI:
(vii) Shuttle and partition. Alice a«d Bob apply a permutation to K,; and X~ .
They then 1 S partition the remnant raw keys into sub-blocks of length 1= 4.
(viii) Parity exchange and bisective search with 1= 4: Parities are computed and exchanged for each sub-block of length 4 by Alice and Bob. Simultaneously they discard the bottom bit of each sub-block so that no new infonnation is revealed to Ew. If the parities agree Alice aid B ob r etain t he t hree top bits of each sub-block. If the parities disagree Alice and Bob '20 perform. a bisective search discarding the bottom element in each sub-block exactly as described in [1] and [5] (see also [4]). The procedure in steps (vii) and (viii) is denoted by XAP4 .
(ix) Estimate Correlation From the length of the new key, we can calculate the expected initial bit correlation xo bet~u,~een K,, and h'B [4J. Using xo eve can calculate the present 25 expected correlation x = cpa( xo ).
(x) Shuffle. parity exchan~g, bisective search with the optimal 1: To the remnant keys KA, K~ we apply a permutation f in order to separate adjacent ke~-s. As a non-restricti~~e example, one suchJcan be irnplenzcnted by shuffling the bit order from (1.2,3,....,n) into the order (l ;p +1,2p+1,...,q,p+1,?,p+2,2p+2,...,qzp+',...,p-1,2p-1,3p-1.,...,qp.tp+p-l,p, 30 2 p, 3 p, 9~P +P!, whexe q; _ (n - i) i p.
Given the present correlation x we choose the optimal value for I = l(x) by using the tables in s [4~. Similar to (viii), (ix) for the case 1 = 4, we carry out the procedure KAP, . From x, or from the new common length of the remnant keys, we calculate the expected present correlation after hA,p! has been applied. We repeat (xi) until the stopping condition holds-(xi) Stopping Condition : For key length n and correlation x we have rr(1-x) <
E ,a pre y determined small positive number. We then proceed to tile verification procedure, an examl7le of which is as follows.
(xii) Verification Procedure : Let KA , X~ both be of length rr. Let t be the smallest integer for which 2' 5 rt . Construct a binary matrix M= m~~, (1 < i 5 t+1 , 1 <_ j <_ 2' ) as follows:
a. The entries m;~, (1 5 i j < t ) are the entries of the t x r identity matrix fx' .
b. The (t +1 )'~' row of M is the a11-ones vector, that I5 rn'+~,~ = 1 ( 1 _<
j S 2' ).
c. Denote the top t entries in the j'h column by the binary vector v; ( 1 5 j < 2' ).
Thus, vj = ~mi~ ( 1 5 i S t; . Then we impose the condition that the vectors vi are all distinct. Thus, the set ; v~ ; equals the set of all 2' distinct binary vectors of length t.
d. Denoie the rows of Mby RI, Rz, .. ., R,m . Let x, y denote the remnant keys li,~, 1 ~ Ifs written as row vectors of length n. Let x, ~ denote the vectors that result when a row of zeros of lend h 2'-rr is adjoined, on the right of x, y respectively.
Thus x = (x,000..0), y = (y,000..0).
e. Our verification criterion is to check that x . R; =y . lZ;, (1 < i S t+1 ).
Xf the vErification criterion is not satisfied we renxove the first t+1 bits from li~, , lip and repeat steps (x), (xi) and check again if the verification criterion is satisfied.
Eventually, it will be satisfied.
At this stage Alice and Bob have coraf m~ed that they no~v share the same key.
Once confirmed, the final remnant raw key as transformed by Phase 2 is modified by removing the first t-vl bits from KA = KB . Our new key is re-named the "reconciled key" and phase 3, privacy amplification is perfornzed.
PHASE TlI- At this stage Alice and Bob now have a common reconciled hey. In certain cases it is possible that the key is only partially secret to eavesdropper, Eve, in the sense that Eve may hare some information on the reconciled key in the form of Shannon nits. Alice and Bob now begin the process of PrivacyrlmplijicQtion that is the extraction of a final secret key from a partially secret one (see [1] and [2]). A well-known result of Bennett, Brassard and Robert (see [I8]) shows that Eve's average informarion about the final secret key is less than 2-iilr~ 2 Shannon bits as explained below (See also Shannon [9]).
(xiii) Pn- '~ Arnplitication - Let the upper-bound on E4~e's number of Shannon Bits be k and let s > 0 be some security parameter that Alice and Bob may adjust as desired. Alice and Bob now apply a hash function described in "Method For The Construction Of dash Functions Based On Sylvester : atrices, Balanced Incomplete Block Designs And Error-Correcting Codes", co-pending Irish Patent Application, (the entire contents of which is hereby included by reference as if fully set foz<h herein [3]) tvhich produces a final secret key of length ~a - k- s from the reconciled key of length rt.
The system az~.d method of the present invention provide an unconditionally secure key agreement scheme based on network dynamics as follows. In P?~IASE I, ?lice and Bob permute the bits of what remains of their respective raw keys, which keys incorporate delay occasioned by network noise. In PHASE II, the key from PHASE z undergoes the treatment of Lomonaco [S]. That i~, in PHASE II Alice and Bob partition the remnant raw key into blocks of length. L An upper bound on the length of the final key has been estimated and the sequence of values of l that geld l:ey lengihs arbitrarily close to this upper bound has also been estimated [4]. In PHASE
IT, for each of these blocks. Alice and Bob publicly con spare overall parity checks, making sure each time to discard the last b it o f the compared bloclt. Each time an overall parity check does not agree, Alice and Bob initiate a binary search for the error, i.e., bisecting the mismatched black into two sub-blocks, publicly comparing the parities for each of these sub-blocks, ~rhile discarding the bottom bit of each sub-block. They continue their bisective search on the sub-block for which their parities are not in a.green~ent. This bisective search continues until the en~oneous bit is located and deleted. They then proceed to the next l-block..
PHASE f is then repeated, i.e., a suitable permutation is chosen and applied to obtainthe permuted remnant raw key. PFIA,SE II is then repeated, i.e., the remnant raw key is partitioned into blocks of length l, parities are compared, etc. Precise expressions for the:
expected bit correlation (see below] following each step have been obtained in [4~, where it is also shown shat this c.orTelation conver3es to 1. Moreover in [4] the expected number of steps to convergence.
as ~.vell as the expected length of the reconciled key are tabulated.
The probability that corresponding bits ayee in the arrays KA , KB is la~o~rn as the bit correlation probability or, simply, as the bit correlation. It can be shown (see [A.]) that each round can be used to inczease the bit-correlation. For example, if we statrt with a bit-correlation of 0.7 then after one round with l = 3 the bit-correlation increases to about 0.77 and then to 0.8?. For l = 2 the corresponding numbers are 0 .84 a nd 0 .97. E stimates a re a lso a vailable f or t he k ey 1 engths a fter a round of the protocol of the present invention, for various values of l [4].
The final secret lcey can now be used fox a one-time pad to c:eate perfect secrecy or can be used as a key for a symmetzic key cry~ptosystem such as Rijndael [1?.] or Triple DES [18].
A simplified version of the algorttlun for the values l = 2 and 3 is described in. Appendix A.
The system and method of the present invention provides secure transmission over wireless and wire media and networks as set forth below;
1 S a. wireless 1. radio transmission 2. radio frequency 3. satellite 4. microwave 5. infrared G. acoustic 7, elec.tro-magnetic spectrum 8. spread spectrum 9. laser b. u-ired 1. optical 2. fiber optics 3. electrical 4. Ethernet 5. quantum communication c. net<vorks 1. intranet 2. Internet 3. extranet 4. Public Switched Telephone Network (PSTN) 5. Local Area Network (LAN) 6. Wireless Local Area Network (WLAN) 7, Wireless Fidelity (WLFI]
8. Wireless Local Area Network (~'iLAN]
9. TEEE 802.11, 802.11a, 802.1 lb I0. Personal Area Net<voxk (PAN) 11. Bluetooth 12. Code Division Multiple Access (CDMA) 13. Global System for Mobile (GSM) Communication 14. 3'd Generation Mobile Network (3G) 15. Asynchronous Transfer Mode (ATM) 16. Digital Subscriber Line (DSL) 1. 5 I7. Frame Relay Lt will be understood by those skilled in tire art, that ?he above-described embodiments are but examples from which it is possible to deviate without departing from the scope of the invention as defined in the appended clainss.
REFERENCE AND 13ISLIOORA.PkIY
The following references are hereby incorporated by reference as if fully set forth herein.
S
[l] Charles Bennett, Fran~.ois Besseite, Gilles l3rassard, Louis Salvail, and John Smolin, L~'zperi~nental quantum cryptography, EUROl'CRYPT '90 (~~hus, Denmark), 1990, pp. 253-265.
[?-] Charles Td. Bernett, Gilles Brassard, and Jean-Mare Robe1-t, Privacy Amplification by Public Discursior~, Siam J. of Computing, 17, no.2 ( 1988), pp. 210-229.
[3] Aiden Bruen and David Wehlau, Method for the Construction ofHash Functions Based on Sylvester Matrices, Balanced In.eornplete Block Desio s, and Error-Correcting Codes, Tiish J'atent Co-pending Trish Patent Application.
[4J Aiden Bruen and David Wehlau, A Note pn Bit-Reronciliation Algoritlarns, Non-Flepha~~.t Encryption Systems Technical Note. OI _x~ NE2, 2001.
[S] Samuel J. Lomonaco, A quick glance at guantunr cryptography, Cryptologia 23 (1999), no. 1, pp. 1-41.
[6] , .! Rosetta Stone for Quantum ,Mechanics Y~itlz An Introduction to Ouanturn Compurarion, quart-phI000704~ (2000).
[7] C.Teli 1~I. Maurer, Secret Key Adreetnent By Public Discussion From COrlant0T1 Information, IEPE Transactions on Information Theory 39 no.3 (1993), pp. 733-7~2.
[8] United States General Accouniing Office:, Advances and Rrnaair~ir~g Challenges to Adoption of Public h,'ey Infrastructure Technology. GAD 01-227 Report, February 2001, Report to the Chaimnan, Subcommittee on Government Lfficiency, Fii:ancial fvlanagement and 7ntengovernmental Relations, Committee on Government Reform, House of Representatives.
[9] Claude E. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal 2 8( 1949), 556-715.
[10] David Wehlau, Report for Non-Elephant EncryptiorT, Non-Elephant Encryption Technical Note 01.08.2001.
[11) A. D. Wyner, The Wire-Tap Channel. Bell System Technical Journal 54 no.8(1975), 1355-1387.
[12] Joan Daemon a.nd Vincent Rijnmeien, T7ie Rijndael Block Cypher, June 199$, http:llcsrc.nist. aovieneryntion/aeslri jndaellriindael.ndf I5 [13] B race S chneier, Applied CryPtod aphy, 2 "~ E dition, Jo hn W iley &
S ons, N ew York, 1996, Chapter 12.
[I4] Andrew Tanenbaum, Computer Nehs~orl~s, Prentice Hall, 1996.
[15] Claude E. Shannon, A ~fatherrrntical theory of Communication, Bell System Technical Journal27(1948), pp. 379-423 and 623-6~6.
[16] Will E. Leland, Murad S. Taqq, Walter Willinger, and Daniel V. Wilson, On the SeJ' Sin:ilar Nature of Ethernet Truff e, Proe. SIGCOItZM (San Francisco, CA;
Deepinder P.
2~ Sidhu, Ed.), 1993, pp. 183-193.
( 17] R. A. Mollin., An Introduction to Cryptography, Chapmzn & Hall!CRC, 2000. Chapter 6.
[18] Douglas R. Stinson, Cryptograplry: Theor~~ and Practice, CRC Press, 1995.
[19] Julian R. Brown, The Quest for the Quantum Computer, 51111011 & Schustrr, New York, 2001.
(20) Xiaomin Bao, Probabilistic Adjusting Raw Key Generation Method, Report for IJon-Elephant Encryption, Non-Elephant Encryption Technical Vote 02.nm., July 26,
S ons, N ew York, 1996, Chapter 12.
[I4] Andrew Tanenbaum, Computer Nehs~orl~s, Prentice Hall, 1996.
[15] Claude E. Shannon, A ~fatherrrntical theory of Communication, Bell System Technical Journal27(1948), pp. 379-423 and 623-6~6.
[16] Will E. Leland, Murad S. Taqq, Walter Willinger, and Daniel V. Wilson, On the SeJ' Sin:ilar Nature of Ethernet Truff e, Proe. SIGCOItZM (San Francisco, CA;
Deepinder P.
2~ Sidhu, Ed.), 1993, pp. 183-193.
( 17] R. A. Mollin., An Introduction to Cryptography, Chapmzn & Hall!CRC, 2000. Chapter 6.
[18] Douglas R. Stinson, Cryptograplry: Theor~~ and Practice, CRC Press, 1995.
[19] Julian R. Brown, The Quest for the Quantum Computer, 51111011 & Schustrr, New York, 2001.
(20) Xiaomin Bao, Probabilistic Adjusting Raw Key Generation Method, Report for IJon-Elephant Encryption, Non-Elephant Encryption Technical Vote 02.nm., July 26,
Claims (7)
1) A method of generating an unconditionally secure cryptographic key between a first and a second cryptographic station A and B, said method comprising the steps of:
a) in said first and second station A and B, constructing, in a pre-arranged way from a commonly known probabilistic vector of real numbers, a first and second correlated string L A, L B each of a given length N (i.e., said first and second string L A, L B
constructed such that the corresponding statistical variables are not independent) of digits selected from a finite alphabet;
b) in said first and second station A and B, applying a predetermined permutation g = g N to L A, L B to obtain a first and second permuted string g(L A) and g(L B), wherein g = g H is a pre-determined permutation and then expressing g(L A), g(L B) as a pre-determined concatenation U1(=S A), U2, ... ,U m and V1(=S B), V2, ... ,V m' respectively wherein S A is a substring of said first permuted string g(L A), S B is a substring of said second permuted string g(L B), and the lend h of U i equals the length of V i for 1 <= i <= m;
c) evaluating recursively P (S A,S B) = P l(S A,S B) wherein l = ¦S A¦ = ¦S B¦
is the common length of S A and S B, and P is a function defined on certain ordered pairs (U,V) of strings U, V having a common length s= ¦U¦ = ¦V¦, said evaluating step further comprising the substeps of;
(i) in said first station A, transmitting to said second station B, the computed value .GAMMA.(S A), of a predetermined function .GAMMA. on S A, wherein .GAMMA. is a function mapping strings to strings that maps the null string to the null string having the property that for strings X,Y with ¦X¦ = ¦Y¦, .GAMMA.(X) = .GAMMA.(Y)- and transmitting said value to station B;
(ii) in said second station B, transmitting to said first station A, the digit 1 if .GAMMA.(S A) is equal to the computed value .GAMMA.(S B) and the digit 0 otherwise;
(iii) in said first and second station a and B, respectively, calculating strings f(S A), f(S B) wherein f is a pre-assigned function mapping strings to strings that maps the null string to the null string, maps all strings of length one to the null string and is such that for any string X the length of f(X) is less than or equal to the length of X and having the property that for strings X, Y with ¦X¦ = ¦Y¦, f(X)¦ = ¦f(Y)¦;
(iv) in said first and second station A and B, setting P l(S A,S B) = (f(S
A),f(S B)) in the case when .GAMMA.(S A) = .GAMMA.(S B);
(v) when .GAMMA.(S A) .noteq. .GAMMA.(S B), performing the substeps of:
a. in said first station A, writing f(S A) as a concatenation M A N A of strings M A, N A having .lambda. = ¦N A¦ = 1/2 t or 1/2 t + 1/2 (when t is even or odd respectively) where t is the common length of f(S A), f(S B), b. in said second station B, writing f(S B) as a concatenation M B N B of strings M B, N B having .lambda. = ¦N A¦ =¦N B¦;
(vi) in said first station A, transmitting .GAMMA.(N A) to said second station B;
(vii) in said second station B, transmitting to said first station A the digit 1 if .GAMMA. (N A) = .GAMMA.(N B) and the digit 0 otherwise;
(viii) setting P l(S A,S B) =(X1,Y1) in the case when .GAMMA.(N A) = .GAMMA.(N
B) wherein X1 is a concatenation of the first component of P t-.lambda.(M A,M B) with the string f(N A) and Y1 is a concatenation of the second component of P t-.lambda.(M A, M B) with f(N B);
(ix) setting P l(S A,S B) = (X2,Y2)~in the case .GAMMA.(N A) .noteq.
.GAMMA.(N B), where X2 is a concatenation of M A with the first component of P.lambda.(N A,N B) and Y2 is the concatenation of M B with the second component of P.lambda.(N A,N B) (x) recursively calculating P.lambda. (N A,N B), (or P t-.lambda. (M A,M B)) by repetition of sub-steps (i) to (ix) with S A=N A , S B=N B (or S A=M A , S B=M B) thereby obtaining P l(S A,S
B).
d) calculating successively P li(U i,V i) with l i = ¦U i¦=¦V i¦ by repeating step (c) with S A = U i, S B =
V i and then, concatenating W1, W2, W3, ... W m to construct a first concatenated string K A in said station A where W1 is the first component of the pair P l (U1,V1) = P l (S A, S B) and W i is the first component of the pair P l (U i,V i), 2 <= i <= m ;
e) calculating successively P li (U i,V i) with l i, = ¦U i¦ = ¦V i¦ by repeating step (c) with S A = U~, S B =
V i and then concatenating the strings Z1, Z2, Z3, ... Z m to construct a second concatenated string K B of length n in said station B where Z1 is the second component of the pair P l (U1,V1) = P l (S A, S B) and Z i is the second component of the pair P l (U i, V i), with l i = ¦U i¦=¦V i¦,
a) in said first and second station A and B, constructing, in a pre-arranged way from a commonly known probabilistic vector of real numbers, a first and second correlated string L A, L B each of a given length N (i.e., said first and second string L A, L B
constructed such that the corresponding statistical variables are not independent) of digits selected from a finite alphabet;
b) in said first and second station A and B, applying a predetermined permutation g = g N to L A, L B to obtain a first and second permuted string g(L A) and g(L B), wherein g = g H is a pre-determined permutation and then expressing g(L A), g(L B) as a pre-determined concatenation U1(=S A), U2, ... ,U m and V1(=S B), V2, ... ,V m' respectively wherein S A is a substring of said first permuted string g(L A), S B is a substring of said second permuted string g(L B), and the lend h of U i equals the length of V i for 1 <= i <= m;
c) evaluating recursively P (S A,S B) = P l(S A,S B) wherein l = ¦S A¦ = ¦S B¦
is the common length of S A and S B, and P is a function defined on certain ordered pairs (U,V) of strings U, V having a common length s= ¦U¦ = ¦V¦, said evaluating step further comprising the substeps of;
(i) in said first station A, transmitting to said second station B, the computed value .GAMMA.(S A), of a predetermined function .GAMMA. on S A, wherein .GAMMA. is a function mapping strings to strings that maps the null string to the null string having the property that for strings X,Y with ¦X¦ = ¦Y¦, .GAMMA.(X) = .GAMMA.(Y)- and transmitting said value to station B;
(ii) in said second station B, transmitting to said first station A, the digit 1 if .GAMMA.(S A) is equal to the computed value .GAMMA.(S B) and the digit 0 otherwise;
(iii) in said first and second station a and B, respectively, calculating strings f(S A), f(S B) wherein f is a pre-assigned function mapping strings to strings that maps the null string to the null string, maps all strings of length one to the null string and is such that for any string X the length of f(X) is less than or equal to the length of X and having the property that for strings X, Y with ¦X¦ = ¦Y¦, f(X)¦ = ¦f(Y)¦;
(iv) in said first and second station A and B, setting P l(S A,S B) = (f(S
A),f(S B)) in the case when .GAMMA.(S A) = .GAMMA.(S B);
(v) when .GAMMA.(S A) .noteq. .GAMMA.(S B), performing the substeps of:
a. in said first station A, writing f(S A) as a concatenation M A N A of strings M A, N A having .lambda. = ¦N A¦ = 1/2 t or 1/2 t + 1/2 (when t is even or odd respectively) where t is the common length of f(S A), f(S B), b. in said second station B, writing f(S B) as a concatenation M B N B of strings M B, N B having .lambda. = ¦N A¦ =¦N B¦;
(vi) in said first station A, transmitting .GAMMA.(N A) to said second station B;
(vii) in said second station B, transmitting to said first station A the digit 1 if .GAMMA. (N A) = .GAMMA.(N B) and the digit 0 otherwise;
(viii) setting P l(S A,S B) =(X1,Y1) in the case when .GAMMA.(N A) = .GAMMA.(N
B) wherein X1 is a concatenation of the first component of P t-.lambda.(M A,M B) with the string f(N A) and Y1 is a concatenation of the second component of P t-.lambda.(M A, M B) with f(N B);
(ix) setting P l(S A,S B) = (X2,Y2)~in the case .GAMMA.(N A) .noteq.
.GAMMA.(N B), where X2 is a concatenation of M A with the first component of P.lambda.(N A,N B) and Y2 is the concatenation of M B with the second component of P.lambda.(N A,N B) (x) recursively calculating P.lambda. (N A,N B), (or P t-.lambda. (M A,M B)) by repetition of sub-steps (i) to (ix) with S A=N A , S B=N B (or S A=M A , S B=M B) thereby obtaining P l(S A,S
B).
d) calculating successively P li(U i,V i) with l i = ¦U i¦=¦V i¦ by repeating step (c) with S A = U i, S B =
V i and then, concatenating W1, W2, W3, ... W m to construct a first concatenated string K A in said station A where W1 is the first component of the pair P l (U1,V1) = P l (S A, S B) and W i is the first component of the pair P l (U i,V i), 2 <= i <= m ;
e) calculating successively P li (U i,V i) with l i, = ¦U i¦ = ¦V i¦ by repeating step (c) with S A = U~, S B =
V i and then concatenating the strings Z1, Z2, Z3, ... Z m to construct a second concatenated string K B of length n in said station B where Z1 is the second component of the pair P l (U1,V1) = P l (S A, S B) and Z i is the second component of the pair P l (U i, V i), with l i = ¦U i¦=¦V i¦,
2 <= i <= m;
f) from ¦K A¦=¦K B¦ calculating a bit correlation x = x(K A,K B) from a pre-determined formula using the length n = ¦K A¦=¦K B¦ wherein K B is replaced by a Boolean complement K
B* (obtained by replacing 1 and 0 in K B by 0 and 1 respectively) whenever the bit correlation between K A and~
K B is less than 0.5, yielding x > 0.5;
g) determining whether x(K A, K B) satisfies a pre-determined stopping inequality S;
h) repeating steps (b) to (g) with L A = K A, L B = K B in the case that S is not satisfied;
i) otherwise in the event that inequality S is satisfied, performing the substeps of;
(i) evaluating C(K A) in said first station A where C is a pre-determined hash function defined on all non-null strings;
(ii) in said first station A, transmitting C(K A) to said second station B;
(iii) evaluating C(K B) in said second station B;
(iv) in said second station B, transmitting to said first station A a digit 1 if C(K B)=
C(K A) and a digit 0 otherwise;
i) in the event that C(K A) = C(K B), constructing .LAMBDA.(K A) = .LAMBDA.(K
B), an unconditionally secure cryptographic key shared by said first and second cryptographic stations A and B, wherein A
is a pre-determined hash function that eliminates all of an eavesdropper's potential information; and k) repeating steps (b) to (j) in the event that C(K A) is not equal to C(K B), wherein L A = K A and L B = K B, respectively.
2) The method of claim 1, wherein said predetermined hash function C of step i) is the syndrome of a binary linear code of minimum distance d wherein d is some predetermined positive integer.
f) from ¦K A¦=¦K B¦ calculating a bit correlation x = x(K A,K B) from a pre-determined formula using the length n = ¦K A¦=¦K B¦ wherein K B is replaced by a Boolean complement K
B* (obtained by replacing 1 and 0 in K B by 0 and 1 respectively) whenever the bit correlation between K A and~
K B is less than 0.5, yielding x > 0.5;
g) determining whether x(K A, K B) satisfies a pre-determined stopping inequality S;
h) repeating steps (b) to (g) with L A = K A, L B = K B in the case that S is not satisfied;
i) otherwise in the event that inequality S is satisfied, performing the substeps of;
(i) evaluating C(K A) in said first station A where C is a pre-determined hash function defined on all non-null strings;
(ii) in said first station A, transmitting C(K A) to said second station B;
(iii) evaluating C(K B) in said second station B;
(iv) in said second station B, transmitting to said first station A a digit 1 if C(K B)=
C(K A) and a digit 0 otherwise;
i) in the event that C(K A) = C(K B), constructing .LAMBDA.(K A) = .LAMBDA.(K
B), an unconditionally secure cryptographic key shared by said first and second cryptographic stations A and B, wherein A
is a pre-determined hash function that eliminates all of an eavesdropper's potential information; and k) repeating steps (b) to (j) in the event that C(K A) is not equal to C(K B), wherein L A = K A and L B = K B, respectively.
2) The method of claim 1, wherein said predetermined hash function C of step i) is the syndrome of a binary linear code of minimum distance d wherein d is some predetermined positive integer.
3) The method of claim 1, wherein step a) further comprises the substeps of:
a.1) in said first and second station A and B, respectively concatenating a generated first and second random string R A and R B with said first and second string L A and L B
to result in a first and second concatenated string L A R A and L B R B; and a.2) in said first and second station A and B, respectively substituting said first concatenated string L A R A for said first string L A and said second concatenated string L B R B
for said second string L B.
a.1) in said first and second station A and B, respectively concatenating a generated first and second random string R A and R B with said first and second string L A and L B
to result in a first and second concatenated string L A R A and L B R B; and a.2) in said first and second station A and B, respectively substituting said first concatenated string L A R A for said first string L A and said second concatenated string L B R B
for said second string L B.
4) The method of claim 1, wherein step a) further comprises the substep of in said least and second station A and B, respectively, replacing said first and second string L A and L B with the dot product modulo 2 of a generated first and second random binary string R A
and R B with said first and second string L A and L B to form a first and second dot product string L
A.cndot.R A and L B.cndot.R B, wherein R A and R B are generated random binary strings having the same length as L A
and L B, respectively.
and R B with said first and second string L A and L B to form a first and second dot product string L
A.cndot.R A and L B.cndot.R B, wherein R A and R B are generated random binary strings having the same length as L A
and L B, respectively.
5) A method of generating a first and second string U and V in first and second station A
and B, respectively, said first and second string U and V having a predetermined bit correlation x0, 0.5 < x0 < 1, said method comprising the steps of:
i. conducting steps a) to f) of claim 1 to construct a first and second string K A and K B having bit correlation x > 0.5;
ii. if x < x0, repeatedly conducting steps a) to f) of claim 1 until the bit correlation x = x (K A,K B) is greater than or equal to x0; and iii. if x > x0, replacing K A, K B by a first and second concatenated string U
= R A K A and V = R B K B, respectively, wherein R A and R B is a first and second random string generated in first and second station A and B, respectively, each having a length which ensures that the bit correlation of U and V is equal to x0.
and B, respectively, said first and second string U and V having a predetermined bit correlation x0, 0.5 < x0 < 1, said method comprising the steps of:
i. conducting steps a) to f) of claim 1 to construct a first and second string K A and K B having bit correlation x > 0.5;
ii. if x < x0, repeatedly conducting steps a) to f) of claim 1 until the bit correlation x = x (K A,K B) is greater than or equal to x0; and iii. if x > x0, replacing K A, K B by a first and second concatenated string U
= R A K A and V = R B K B, respectively, wherein R A and R B is a first and second random string generated in first and second station A and B, respectively, each having a length which ensures that the bit correlation of U and V is equal to x0.
6) A method of generating a first and second string U and V in a first and second station A and B, respectively, said first and second string having a predetermined bit correlation x0 in the range of 0 < x0 < 0.5, said method comprising the steps of:
i. constructing a third and fourth string K A, K B with bit correlation x1 = 1 - x0 according to the method of claim 9; and ii. replacing K B by its Boolean complement K B*, wherein said complement is obtained by replacing 1 and 0 in K B by 0 and 1, respectively.
i. constructing a third and fourth string K A, K B with bit correlation x1 = 1 - x0 according to the method of claim 9; and ii. replacing K B by its Boolean complement K B*, wherein said complement is obtained by replacing 1 and 0 in K B by 0 and 1, respectively.
7) An unconditionally secure encryption method, said method comprising the steps of:
i. generating first and second unconditionally secure keys .LAMBDA.(K A) =
.LAMBDA. (K B) according to the method of claim 1; and ii. concatenating said first and second unconditionally secure keys .LAMBDA.
(K A) and .LAMBDA. (K B) to generate a one-time pad.
3) A complete cryptographic system, comprising:
a standard Kerberos configuration, wherein a server authenticates a plurality of communicating parties and said parties generate an unconditionally secure cryptographic key according to the method of claim 1.
9) A complete cryptographic system, comprising:
an unconditionally secure key generated by claim 1; and an authentication algorithm.
10) The method of claim 1, wherein all strings are binary strings.
11) The method of claim 1, wherein the function f maps a non-null string to that same string with the last element deleted.
12) The method of claim 1, wherein;
the alphabet is a finite abelian group G; and the function .GAMMA. maps a string over G to the sum of the elements in the string.
13) The method of claim 12 wherein G is the binary field and .GAMMA.maps a string to its parity.
14) The method of claim 1, wherein the function .GAMMA. maps all strings to a given fixed string such that for any two strings X and Y, .GAMMA.(X) = .GAMMA.(Y).
15) The method of claim 1, wherein:
for a binary string U of length l >= 1, f(U) = parity of U; and for a first and second substring X and Y of L A and L B, respectively, .GAMMA.(X) = .GAMMA.(Y) such that P l(X,Y) = (parity(X),parity(Y)).
16) The method of claim 1 wherein:
f maps a non-null string to that same string with the last element deleted;
.GAMMA. maps a binary sting to its parity; and the strings U1(=S A), U2, ...
,U m; and V1(=S B), V2, ... ,V m all have a common length l.
17) The method of claim 1, wherein:
all strings are over the alphabet G, wherein G is a finite abelian group;
in step a) said strings L A and L B are replaced by L A+R A,L B+R B, R A and R
B being a first and second random string over G of the same length as L A and L B and + denoting component-wise addition over G.
18) The method of claim 1, wherein:
for each i, l <= i <= m, f and .GAMMA. are predefined on all substrings of all iterates f(U i), f(f(U i)), f(f(f(U i))), ... and f(V i), f(f(V i)), f(f(f(V i))), ....;
f, .GAMMA. map the null string to the null string; and f maps all strings of length 1 to the null string.
19) The method of claim 1, wherein S of step g) is the inequality n(1-x) <
.epsilon. where .epsilon. is a pre-determined positive number.
20) The method of claim 1, wherein .lambda. is a pre-determined fraction of t, said fraction lying in the range between 0 and 1.
21) A method for checking the equality of a first and second key U and V in a first and second station A and B, respectively, comprising the steps of:
obtaining said first and second key U and V, respectively, from a public key exchange algorithm used between said first and second station A and B; and conducting the method of claim 28 wherein S1=U and S2=V.
i. generating first and second unconditionally secure keys .LAMBDA.(K A) =
.LAMBDA. (K B) according to the method of claim 1; and ii. concatenating said first and second unconditionally secure keys .LAMBDA.
(K A) and .LAMBDA. (K B) to generate a one-time pad.
3) A complete cryptographic system, comprising:
a standard Kerberos configuration, wherein a server authenticates a plurality of communicating parties and said parties generate an unconditionally secure cryptographic key according to the method of claim 1.
9) A complete cryptographic system, comprising:
an unconditionally secure key generated by claim 1; and an authentication algorithm.
10) The method of claim 1, wherein all strings are binary strings.
11) The method of claim 1, wherein the function f maps a non-null string to that same string with the last element deleted.
12) The method of claim 1, wherein;
the alphabet is a finite abelian group G; and the function .GAMMA. maps a string over G to the sum of the elements in the string.
13) The method of claim 12 wherein G is the binary field and .GAMMA.maps a string to its parity.
14) The method of claim 1, wherein the function .GAMMA. maps all strings to a given fixed string such that for any two strings X and Y, .GAMMA.(X) = .GAMMA.(Y).
15) The method of claim 1, wherein:
for a binary string U of length l >= 1, f(U) = parity of U; and for a first and second substring X and Y of L A and L B, respectively, .GAMMA.(X) = .GAMMA.(Y) such that P l(X,Y) = (parity(X),parity(Y)).
16) The method of claim 1 wherein:
f maps a non-null string to that same string with the last element deleted;
.GAMMA. maps a binary sting to its parity; and the strings U1(=S A), U2, ...
,U m; and V1(=S B), V2, ... ,V m all have a common length l.
17) The method of claim 1, wherein:
all strings are over the alphabet G, wherein G is a finite abelian group;
in step a) said strings L A and L B are replaced by L A+R A,L B+R B, R A and R
B being a first and second random string over G of the same length as L A and L B and + denoting component-wise addition over G.
18) The method of claim 1, wherein:
for each i, l <= i <= m, f and .GAMMA. are predefined on all substrings of all iterates f(U i), f(f(U i)), f(f(f(U i))), ... and f(V i), f(f(V i)), f(f(f(V i))), ....;
f, .GAMMA. map the null string to the null string; and f maps all strings of length 1 to the null string.
19) The method of claim 1, wherein S of step g) is the inequality n(1-x) <
.epsilon. where .epsilon. is a pre-determined positive number.
20) The method of claim 1, wherein .lambda. is a pre-determined fraction of t, said fraction lying in the range between 0 and 1.
21) A method for checking the equality of a first and second key U and V in a first and second station A and B, respectively, comprising the steps of:
obtaining said first and second key U and V, respectively, from a public key exchange algorithm used between said first and second station A and B; and conducting the method of claim 28 wherein S1=U and S2=V.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002458819A CA2458819A1 (en) | 2004-02-24 | 2004-02-24 | A key agreement protocol based on network dynamics |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002458819A CA2458819A1 (en) | 2004-02-24 | 2004-02-24 | A key agreement protocol based on network dynamics |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2458819A1 true CA2458819A1 (en) | 2005-08-24 |
Family
ID=34865929
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002458819A Abandoned CA2458819A1 (en) | 2004-02-24 | 2004-02-24 | A key agreement protocol based on network dynamics |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2458819A1 (en) |
-
2004
- 2004-02-24 CA CA002458819A patent/CA2458819A1/en not_active Abandoned
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20030215088A1 (en) | Key agreement protocol based on network dynamics | |
| Catalano et al. | Efficient network coding signatures in the standard model | |
| Desmedt | Some recent research aspects of threshold cryptography | |
| Vilela et al. | Lightweight security for network coding | |
| US7609839B2 (en) | Quantum key distribution method and communication device | |
| Zeng et al. | A distributed fault/intrusion-tolerant sensor data storage scheme based on network coding and homomorphic fingerprinting | |
| Yao et al. | Network codes resilient to jamming and eavesdropping | |
| D'Oliveira et al. | Post-quantum security for ultra-reliable low-latency heterogeneous networks | |
| CN107786327B (en) | Safe and reliable transmission method based on LDPC code | |
| Karimi et al. | Increasing the raw key rate in energy-time entanglement based quantum key distribution | |
| Wu et al. | Three improved algorithms for multipath key establishment in sensor networks using protocols for secure message transmission | |
| Park | Authentication protocol providing user anonymity and untraceability in wireless mobile communication systems | |
| Maurer | The role of information theory in cryptography | |
| Safaka et al. | Exchanging pairwise secrets efficiently | |
| CA2462384A1 (en) | A key agreement protocol based on network dynamics | |
| CA2458819A1 (en) | A key agreement protocol based on network dynamics | |
| Lietzén et al. | A two-way QKD protocol outperforming one-way protocols at low QBER | |
| IE20020742A1 (en) | A Key Agreement Protocol Based on Network Dynamics | |
| Limmanee et al. | Secure physical-layer key generation protocol and key encoding in wireless communications | |
| AU2002339702A1 (en) | A key agreement protocol based on network dynamics | |
| Ibrahim et al. | Ciphertext-only attack on RSA using lattice basis reduction | |
| AU2004201034A1 (en) | A key agreement protocol based on network dynamics | |
| Evgnosia-Alexandra | A note on post quantum onion routing | |
| RU2812343C1 (en) | Method for managing authentication resources in quantum key distribution networks described by connected graphs of arbitrary configurations | |
| Noura et al. | Edca: efficient diffusion cipher and authentication scheme for wireless sensor networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |