Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
  • H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
  • H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  • H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
  • H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  • H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/34—Encoding or coding, e.g. Huffman coding or error correction

Definitions

• This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, which are based on essentially the same mathematical principle, pairing with errors.
• KE key exchange
• KD key distribution
• IBE identity-based-encryption
• KD key distribution
• KD key distribution
• Shamir proposed another kind of public key encryption system [SHA].
• a person or an entity's public key is generated with a public algorithm from the information that can identify the person or the entity uniquely.
• the information may include the person's name, residential address, birthday, finger print information, e-mail address, social security number and etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
• IBE identity-based encryption
• IBE Identity-based-encryption
• a sender encrypts a message for a given receiver using the receiver's public key based on the identity of the receiver.
• the receiver decrypts the message using the receiver's private key.
• the receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely.
• An IBE system does not demand the sender to search for the receiver's public key, but rather, a sender in an IBE system derives any receiver's corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information.
• Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear paring over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as showed in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
• This invention first contains a novel method for two parties A and B to perform an secure KE over an open communication channel.
• This method is based on the computation of pairing of the same bilinear form in two different ways but each with different small errors.
• each users will choose a private matrix S A , S B respectively with small entries following certain error distributions secretly and a public matrix M randomly.
• each user will compute the multiplication of the user's secret matrix with the publicly chosen matrix but with small errors, exchange the new matrices, and then perform the computation of pairing of S A and S B over the same bilinear form based on M in two different ways but each with different small errors.
• This kind of mathematical computation is called pairing with errors.
• the shared key is derived from the pairings with a rounding technique.
• This invention second contains a novel method to build a KD system with a central server or authority.
• the central server or authority assigns each user i a public ID as a matrix A i with small entries or establish the ID of each user as a matrix A i with small entries following certain error distributions with the information that can identify the user uniquely, and, in a secure way, gives each user a private key based on certain multiplication of this ID matrix with the central server or authority's secret master key M, another matrix, but with small errors.
• any two users in the system will compute the pairing of the two ID matrices of the users with the same bilinear form based on the master key matrix M in two different ways but each with different small errors to derive a shared key between these two users with certain rounding technique.
• This method can be viewed as an extension of the idea of the learning with error problem discovered by Regev in 2005 [Reg].
• the security of this system depends on the hardness of the problem related to pairing with errors. This system involves only matrix multiplication and therefore is very efficient.
• This invention third contains a novel method to build a IBE system with a central server or authority.
• the central server or authority assigns each user i a public ID A i as a matrix with small entries following certain certain error distributions or establish the ID of each user as a matrix with small entries following certain certain error distributions with the information that can identify the user uniquely.
• Each user is given by the central server or authority a private key S i based on certain multiplication of this ID matrix with the central server or authority's master private key S, another matrix, but with errors related to one part of the master public key M, another matrix.
• the central server or authority will establish another half of the mater key as the multiplication of M and S with small errors, which we call M 1 .
• any user who wishes to send the user i a message in the system will compute public key of i which consists of M and a paring of M and A i of the bilinear form based on the master secret key matrix S, then encrypt the message using the encryption system based on the MLWE problem, and the user i will use the secret key S i to decrypt the message.
• This method can be viewed as an extension of the idea of the learning with error problem discovered by REGEV in 2005.
• the security of this system depends the harness of certain lattice problem, which can be mathematically proven hard. This system involves only matrix multiplication and therefore is very efficient.
• a LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution n on the finite ring (field) F q with q elements. To simplify the exposition, we will take q to be a odd prime and but we can also work on any whole number except that we may need to make slight modifications.
• each element is represented by the set ⁇ (q ⁇ 1)/2, . . . , 0, . . . , (q ⁇ 1)/2 ⁇ .
• an error distribution
• we mean a distribution we mean a distribution such that there is a high probability we will select an element, which is small. There are many such selections and the selection directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.
• ⁇ S, ⁇ , on F q be the probability distribution obtained by selecting an element A in F q n randomly and uniformly, choosing e ⁇ F q according to ⁇ , and outputting (A, ⁇ A, S>+e), where + is the addition that is performed in F q .
• A is a square matrices of the size n ⁇ n and, S and e of the size n ⁇ 1.
• ⁇ S, ⁇ n over F q be the probability distribution obtained by selecting an n ⁇ n matrix A, whose each entry are chosen in F q uniformly and independently, choosing e as a n ⁇ 1 vector over F q with entries chosen according to certain error distribution ⁇ n , for example, each entries follows an error distribution n independently, and outputting (A, A ⁇ S+e), where + is the addition that is performed in F q n .
• An algorithm that solves a LWE with modulus q and error distribution ⁇ n , if, for any vector S in F q n , with any number of independent sample(s) from ⁇ S, ⁇ n , it outputs S (with high probability).
• ⁇ S, ⁇ n 2 over F q be the probability distribution obtained by selecting an n ⁇ n matrix A, whose each entry are chosen in F q uniformly and independently, choosing e as a n ⁇ n matrix over F q with entries following certain error distribution ⁇ n 2 , for example, an distribution chosen according to the error distribution n independently, and outputting (A, A ⁇ S+e), where + is the addition that is performed in F q n 2 .
• An algorithm that solves a LWE with modulus q and error distribution ⁇ n 2 if, for any n ⁇ n matrix S in F q n , with any number of independent sample(s) from ⁇ S, ⁇ n 2 , it outputs S (with a high probability).
• Any element in R q is represented by a degree n polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries.
• q to be even positive number and things need slight modification.
• the RLWE f,q, ⁇ problem is parameterized by an polynomial f(x) of degree n, a prime number q and an error distribution X over R q . It is defined as follows.
• the secret s be an element in R q , a uniformly chosen random ring element.
• this system can be very efficient due to the possibility doing fast multiplication over the ring R q using FFT type of algorithms.
• the system can be essentially understood as that the master key of a central server is a symmetric matrix M of size n ⁇ n and each user's identity can be seen as a row vector H i of size n.
• the central server gives each user the secret H i ⁇ M.
• two users can derive the shared key as H i ⁇ M ⁇ H j t .
• large number of users can collaborate to derive the master key. If one can collect enough (essentially n) H i ⁇ M, which then can be used to find the master key M and therefore break the system.
• the key distribution system is set up step by step as follows.
• the RLWE problem can be viewed as a specialized commutative version of matrix-based LWE since an element in the ring can be view as a homomorphism on the ring.
• A, B, e i can follow different error distributions.
• S i is a solution to a MLWE problem with the pair (A i , B i ) as the problem input. Therefore S i is indeed a secret key that could be used for decryption. Therefore the construction works. We need to choose parameters properly to ensure security.
• the small elements like S, A i , e, e i can follow different error distributions.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Theoretical Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Algebra (AREA)
• Mathematical Analysis (AREA)
• Mathematical Optimization (AREA)
• Mathematical Physics (AREA)
• Pure & Applied Mathematics (AREA)
• Physics & Mathematics (AREA)
• Computing Systems (AREA)
• Storage Device Security (AREA)
• Complex Calculations (AREA)

Priority Applications (1)

Applications Claiming Priority (4)

Publications (1)

Family

ID=49327117

Family Applications (4)

Family Applications Before (1)

Family Applications After (2)

Country Status (6)

Families Citing this family (47)

Citations (16)

Family Cites Families (8)

• 2013
  • 2013-04-11 WO PCT/CN2013/074053 patent/WO2013152725A1/en active Application Filing
  • 2013-04-11 TW TW102112925A patent/TWI502947B/zh active
  • 2013-04-11 US US16/678,335 patent/USRE48643E1/en active Active
  • 2013-04-11 US US15/881,531 patent/USRE47841E1/en active Active
  • 2013-04-11 KR KR1020147027625A patent/KR102116877B1/ko active IP Right Grant
  • 2013-04-11 US US14/491,992 patent/US9246675B2/en not_active Ceased
  • 2013-04-11 CN CN201380019518.3A patent/CN104396184B/zh active Active
  • 2013-04-11 US US16/678,383 patent/USRE48644E1/en active Active
  • 2013-04-11 EP EP13776224.1A patent/EP2837128B1/en active Active

Patent Citations (16)

Also Published As

Similar Documents

Legal Events