Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0852—Quantum cryptography
  • H04L9/0858—Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding

Definitions

• the present invention relates to cryptographic systems and more particularly to a method of generating an unconditionally secure cipher key based on the time differences recorded between two parties communicating over a noiseless public channel.
• Tn ia A pplication relates r corresponding Application f iled on the same date and entitled Hash
• x be a common key that has been created for Alice and Bob. That is, x is a binary vector of length n. Then x can be used as a one-time pad, as follows.
• m be a message that Alice wishes to transmit to Bob: m is some binary vector that is also of length n.
• Alice encodes m as m ⁇ x where ⁇ denotes bitwise addition, i.e., exclusive OR.
• m @ x not m, is broadcast over the public channel.
• Bob then decodes in exactly the same way.
• Bob receives the message (m ⁇ x) ⁇ x, which is m, because of the properties of bitwise addition.
• the key x can be used in a standard symmetric key cryptosystem such as that of Rijndael [13] or Data Encryption Standard (DES) [14].
• m as denotes bitwise addition, i.e., exclusive OR.
• m ® x not m, is broadcast over the public channel.
• Bob then decodes in exactly the same way.
• Bob decodes the message (m ⁇ x) ⁇ x, which is m, because of the properties of bitwise addition.
• the key x can be used in a standard symmetric key cryptosystem such as that of
• the lowest layer connects two computers, i.e., creates a channel between them, by some physical means and is called the Physical Layer.
• the second layer removes random physical errors (called "noise") from the channel to create an error-free communications path from one point to another.
• This layer i.e., the Data Link Layer, is primarily responsible for dealing with transmission errors generated as electrical impulses (representing bits) as sent over a physical connection. Error detection techniques [15] are used to identify the transmission errors in many protocols. Once an error is detected the protocol requests a resend. Random errors in the Data Link Layer can be observed by noting timing delays.
• the Medium Access Layer deals with allocating and scheduling all communications over a single channel.
• a networked environment including the Internet, many computers communicate over a single channel. Bursts in packet traffic is a well-known characteristic and is due to the uncontrollable behavior of many individual computers communicating over a single channel [16] leading to random fluctuations in transmission times.
• the Network Layer deals with routing information to create a true or virtual connection between two computers.
• the routing is dependent on the variety of routing algorithms and the load placed on each router. These two factors makes the transmission times fluctuate randomly.
• the Transport Layer interfaces with the final Application Layer to provide an end-to-end, reliable, connection-oriented byte stream from sender to receiver. To do so, the Transport Layer provides connection establishment and connection management. The times associated with Transport layer activities depend on all devices in the network and the algorithms being used. Thus, fluctuations in transmission times in the Transport Layer also occur, contributing to timing delays.
• the present invention provides an efficient, practical system and method for a key agreement protocol based on network dynamics that has the strongest possible security, namely, unconditional security, and that does not require any additional hardware.
• Previous work in this area is either theoretical [11] or practically infeasible due the requirement for additional channels based on expensive and complicated hardware such as satellites, radio transmitter arrays and accompanying additional computer hardware to communicate with these devices [7]. All previous cryptographic keys only satisfy the weaker criterion of computational security.
• the present invention introduces relative time sequences based on round-trip timings of packets between two communicating parties. These packets form the basic building blocks for creating an efficient and unconditionally secure key agreement protocol that can be used as a replacement for current symmetric and asymmetric key cryptosystems.
• the present invention is an unconditionally secure cryptographic system and method based on ideas that can be used in the domain of quantum encryption [1, 5 and 20 Chapter 6]..
• the present invention for the first time provides a cryptographic protocol that exploits fundamental results (and their interconnectedness) in the fields of information theory, error-correction codes, block design and classical statistics.
• the system and method of the present invention is computationally faster, simpler and more secure than existing cryptosystems.
• the system and method of the present invention are invulnerable to all attacks from super-computers and even quantum computers. This is in sharp contrast to all previous protocols.
• the present invention provides a protocol that uses two characteristics of network transit time: namely, its randomness, and the fact that, despite this, the average timing measured by two communicating parties will converge over a large number of repetitions.
• the result is that two correlated random variables are obtained by measuring the relative time a packet takes to complete a round trip with respect to a first party, Alice or A, and a round trip with respect to a second party, Bob or B.
• a and B engage in rallying packets back and forth and calculateround-trip times individually.
• the packets may be used for any additional purpose since the contents of the packets are irrelevant. Only the round-trip times are of interest.
• Figure 2 shows one round of a relative round-trip time generator of the present invention.
• Figure 2 diagrammatically describes the process.
• PHASE 1 -Alice and Bob employ the system and method of the present invention to construct a permuted remnant bit string from a sequence of observed packet round-trip times:
• Alice and Bob exchange packets over a network, record round-trip times, and each form a bit string by concatenating a pre-arranged number of low order bits of successive packet round-trip times. Once sufficient bits are concatenated, the process is stopped and both Alice and Bob apply a pre-determined permutation to their respective concatenated bit strings to form permuted remnant raw keys K A and K B , respectively of equal lenght.
• Alice and Bob systematically partition their respective permuted remnant raw keys, KA and K B , into sub-blocks, compute, exchange and compare parities for each sub-block, and, discarding the low order bit of the sub-block, re-concatenate the modified sub-blocks in their original order.
• the partition process is iterated until mismatched bits are located and deleted.
• Privacy amplification to eliminate any partial information that an eavesdropper, Eve, might have is applied by both Alice and Bob using a pre-determined proprietary hash function [4] to produce a final unconditionally secure key of a pre-determined length from the reconciled key.
• FIG. 1 illustrates a typical multi-layer computer network protocol.
• FIG. 2 illustrates one rallying round between two communicating parties for generating a permuted remnant bit string by each party.
• FIG. 3 illustrates mean arrival time as a function of channel noise (noise parameter).
• the key agreement scheme of the present invention comprises three phases.
• the first phase is construction of a permuted remnant bit string wherein the two communicating parties, Alice and Bob, rally packets back and forth recording round-trip times. Some of the bits may still be different after the initial bit string construction so Alice and Bob then participate in a second phase called Information Reconciliation.
• the second phase results in Alice and Bob holding exactly the same key.
• Eve may have partial knowledge of the reconciled strings, in the form of Shannon bits. Therefore, a third and final phase called Privacy Amplification is performed to eliminate any partial information collected by Eve.
• t be the smallest integer for which 2 1 ⁇ n .
• M m y , (1 ⁇ i ⁇ t+ ⁇ , 1 ⁇ J ⁇ 2' ) as follows: a.
• the entries m ⁇ , (1 ⁇ i,j ⁇ t ) are the entries of the t x t identity matrix / « • b.
• c Denote the top / entries in the " 1 column by the binary vector v, ( 1 ⁇ j ⁇ 2' ).
• vj ⁇ m, j
• the set ⁇ j ⁇ equals the set of all 2' distinct binary vectors of length * * . d.
• x, y denote the remnant keys KA, K written as row vectors of length n.
• x denote the vectors that result when a row of zeros of length 2'-n is adjoined, on the right of x, y respectively.
• the system and method of the present invention provide an unconditionally secure key agreement scheme based on network dynamics as follows.
• PHASE I Alice and Bob permute the bits of what remains of their respective raw keys, which keys incorporate delay occasioned by network noise.
• PHASE II the key from PHASE I undergoes the treatment of Lomonaco [5]. That is, in PHASE II Alice and Bob partition the remnant raw key into blocks of length /. An upper bound on the length of the final key has been estimated and the sequence of values of / that yield key lengths arbitrarily close to this upper bound has also been estimated [4].
• PHASE II for each of these blocks, Alice and Bob publicly compare overall parity checks, making sure each time to discard the last bit of the compared block.
• Alice and Bob initiate a binary search for the error, i.e., bisecting the mismatched block into two sub-blocks, publicly comparing the parities for each of these sub-blocks, while discarding the bottom bit of each sub-block. They continue their bisective search on the sub-block for which their parities are not in agreement. This bisective search continues until the erroneous bit is located and deleted. They then proceed to the next /-block.. PHASE I is then repeated, i.e., a suitable permutation is chosen and applied to obtain the permuted remnant raw key.
• PHASE II is then repeated, i.e., the remnant raw key is partitioned into blocks of length /, parities are compared, etc.
• Precise expressions for the expected bit correlation (see below) following each step have been obtained in [4], where it is also shown that this correlation converges to 1.
• the expected number of steps to convergence as well as the expected length of the reconciled key are tabulated.
• the final secret key can now be used for a one-time pad to create perfect secrecy or can be used as a key for a symmetric key cryptosystem such as Rijndael [12] or Triple DES [19].
• Procedure for 7 2. Alice and Bob divide their bit strings K A and KB into pairs (ao, ⁇ ;)...and o, bi)... HK A and K B have odd lengths the last bit is dropped.
• Working on the blocks (ao, a ⁇ ) and (bo, bj) we proceed as follows.
• Alice announces the parity of the block namely the number ao + ai (module2 ⁇ ).
• Bob compares the parity of his block. Then, if ao + aj (module2) equals bo+bj (rnodulel) we cancel the elements a ⁇ ,bj and retain the elements ao,bo- However, if ao + aj (module 2) is different than bo+bj (module2) we cancel the four elements ao,aj,bo,b ⁇ .
• Procedure for / 3.
• K A , K B into blocks of size 3 namely (ao, a ⁇ , ai)...and (bo, bubi)... respectively. If the size of K A is not divisible by 3 we discard the last one or two elements ofK A and K B as appropriate.
• Working on each block of size 3, say the blocks (ao, a , ai) and (bo, b , bi) we again examine the parities and proceed as follows.
• T e model wor s as follows- A particle is released at he node A, the particle is driven by a potential F towards node B over a potential flic,*). Because there is therm l noise., the particle will perform a random, -wal biased by the potential towards B r therefore if. will reach B in a finite amount of time.
• the aver ge arrreil time is described by the Langevin equation-.
• TA.B is calculated once for the original potential ix , hen for the 'perturbed* potential ⁇ j (x) and the difference between the two is obtainei
• the perturbed version of the potential is defined as

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Physics & Mathematics (AREA)
• Electromagnetism (AREA)
• Theoretical Computer Science (AREA)
• Detection And Prevention Of Errors In Transmission (AREA)
• Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (5)

Publications (1)

Family

ID=26320333

Family Applications (1)

Country Status (5)

Families Citing this family (4)

• 2002
  • 2002-09-20 EP EP02777751A patent/EP1436940A2/de not_active Withdrawn
  • 2002-09-20 CA CA002462384A patent/CA2462384A1/en not_active Abandoned
  • 2002-09-20 WO PCT/IE2002/000135 patent/WO2003026197A2/en not_active Application Discontinuation
  • 2002-09-20 JP JP2003529686A patent/JP2005503716A/ja active Pending
  • 2002-09-20 IL IL16082902A patent/IL160829A0/xx unknown

Also Published As

Similar Documents

Legal Events