WO2001047178A2 - Generation of a mathematically constrained key using a one-way function - Google Patents

Generation of a mathematically constrained key using a one-way function Download PDF

Info

Publication number
WO2001047178A2
WO2001047178A2 PCT/US2000/032126 US0032126W WO0147178A2 WO 2001047178 A2 WO2001047178 A2 WO 2001047178A2 US 0032126 W US0032126 W US 0032126W WO 0147178 A2 WO0147178 A2 WO 0147178A2
Authority
WO
WIPO (PCT)
Prior art keywords
values
value
key
function
way function
Prior art date
Application number
PCT/US2000/032126
Other languages
French (fr)
Other versions
WO2001047178A3 (en
Inventor
Eric J. Sprunk
Original Assignee
General Instrument Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by General Instrument Corporation filed Critical General Instrument Corporation
Priority to EP00993073A priority Critical patent/EP1234404B1/en
Priority to DE60025401T priority patent/DE60025401T2/en
Priority to KR1020027006826A priority patent/KR20020060243A/en
Priority to CA002392077A priority patent/CA2392077A1/en
Priority to AU50742/01A priority patent/AU5074201A/en
Publication of WO2001047178A2 publication Critical patent/WO2001047178A2/en
Publication of WO2001047178A3 publication Critical patent/WO2001047178A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/26Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm

Definitions

  • the present invention relates to a method and apparatus for generating a cryptographic key.
  • a oneway function and prime testing is used to provide a modulus that is highly secure.
  • a modulus for use with the Rivest, Shamir, and Adleman (RSA) public key encryption algorithm may be provided.
  • the invention may be used, e.g., in encrypting data that is communicated to a decoder population via a broadband communication network such as a satellite distribution network, or cable television network, or used with any other security device.
  • Video, audio and other data that is communicated to a decoder population in a broadband communication network is encrypted under one or more cryptographic keys at the headend to provide access control to the data. Seed data is generated and loaded into addressable receivers at the time of their manufacture.
  • This predetermined function may be a one-way function.
  • a one-way function is essentially irreversible such that input data that is processed through the one-way function cannot be recovered by an unauthorized person.
  • a one-way function may comprise a distribution hash function, where input data is encrypted under one or more encryption algorithms, and the resulting encrypted data is hashed with the input data, for example, using an exclusive-or (XOR) function.
  • XOR exclusive-or
  • the above technique of providing a pre-seed to the decoder is appropriate when the pre-seed is a bit string or key that corresponds, for example, to the Data Encryption Standard (DES) .
  • DES Data Encryption Standard
  • a valid DES key comprises essentially any random, string of 56 bits. Accordingly, a DES key that is processed by a one-way function results in output data that can be used as another DES key. While the DES key can provide adequate security in many cases, different security properties associated with public key encryption can be achieved with an RSA key.
  • K2 K2 mod( ⁇ ) .
  • a valid RSA key K2 that is processed by a one-way function is highly unlikely to result in another valid RSA key since the occurrence of prime numbers becomes less and less likely for large numbers, e.g., 56 bit and longer bit strings.
  • FIG. 1 shows a known asymptotic relationship between bit length and the percentage of numbers that are prime.
  • the Prime Number Theorem states that, for a value X, the number of primes less than X is asymptotically equal to X divided by the logarithm of X.
  • An x-axis 110 shows the number of bits in a prime number
  • a y-axis 120 shows the percentage of numbers that are prime. For example, for a 56-bit binary number, only about 0.025% of all numbers are prime. As shown by the curve 130, this proportion decreases with bit length. The probability of a randomly-generated number being prime follows this same proportion, even if a one-way function is used in such random generation. It is very unlikely that the processing of an RSA key with a one-way function would produce a valid RSA key.
  • the present invention relates to a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key or modulus, using a one-way function. This generated key satisfies a mathematical constraint condition, such as primicity.
  • Pre-seed data is processed at an encoder at the time of manufacture, using a one-way function and tested to determine if the processed data meets some mathematically constrained conditions, such as being a prime number. If so, the tested number is used, for example, to form an RSA modulus N and cryptographic key K2.
  • specific authorized decoders have chips that store the RSA keys that result from the one- way function processing of pre-seed data by that decoder at the time of decoder manufacture.
  • the pre-seed data is obtained by subdividing a random bit string into several segments, then independently processing each segment with a oneway function to obtain corresponding processed segments.
  • the processed segments are assembled to obtain a processed bit string which is then tested as a whole for the mathematically constrained condition, such as primicity.
  • RSA keys which are based on prime numbers, are only one example of a mathematically constrained key.
  • Other constraints of an arbitrary nature for existing and emerging algorithms, such as Elliptic Curve Cryptosystems are meant to be encompassed.
  • a specific encoding method illustrated herein for generating a cryptographic key, K2 includes the step of generating a first set of random values pre-P, such as a 512-bit bit string. At least a portion of the values pre-P are processed with a first one-way function to obtain a corresponding value P.
  • pre-P includes sets of values (e.g., bits) that are processed individually by the one-way function.
  • the value P is tested for satisfaction of a mathematical constraint such as primicity (primeness) . If P does not meet the constraint, the above steps are repeated to form a new value P until the constraint is met.
  • the key K2 is ultimately formed as a function of the value P and other variables P and KI .
  • a second set of random values pre-Q may be processed analogously to the pre-P values to derive a value Q that also satisfy the mathematical constraint.
  • a third set of random values pre-Kl are processed using a one-way function to derive a value KI . It is then determined whether KI is relatively prime to ⁇ . This condition is satisfied if Euclid's Algorithm indicates that the greatest common divisor (GCD) of KI and ⁇ is one. If the condition is not satisfied, additional values of KI are formed until the condition is met.
  • GCD greatest common divisor
  • data such as television programming may be encrypted at an encoder.
  • a decoding method for generating a cryptographic key, KI .
  • the values pre-P, pre-Q, and pre-Kl that were ultimately used at the encoder to derive K2 are provided to a decoder.
  • pre-P and pre-Q are processed with the previously used one-way functions to form P and Q, respectively.
  • the third set of random values pre-Kl that were used at the encoder are processed using the same oneway function to derive the value KI .
  • the encrypted data can then be decrypted using KI and N.
  • the encrypted message X may be transmitted from the encoder to the decoder via a broadband communication network with a decoder population P, pre-Q, and pre-Kl may be stored as a seedload message locally in a chip at the decoder, e.g., internally or in a smart card.
  • a corresponding encoding apparatus and decoding apparatus are also presented.
  • FIG. 1 illustrates the Prime Number Theorem.
  • FIG. 2 illustrates a broadband communication network with an encoder and decoder in accordance with the present invention.
  • FIG. 3 illustrates an encoder in accordance with the present invention.
  • FIG. 4(a) illustrates the first part of an encoding method in accordance with the present invention.
  • FIG. 4(b) illustrates the second part of the encoding method of FIG. 4(a) in accordance with the present invention.
  • FIG. 5 illustrates a decoder in accordance with the present invention.
  • FIG. 6 illustrates a decoding method in accordance with the present invention.
  • the present invention relates to a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key and modulus, using a one-way function and testing for the mathematically constrained condition, such as primeness .
  • a conditional access (CA) system such as a broadband cable television or satellite distribution network, delivers information in messages to trusted components that store that information. Attackers of a CA system can sometimes illicitly clone or copy trusted components by removing and resubmitting information using that component's normal message delivery syntax and processing. It is therefore desirable for the information stored to exist in a form that prevents its re-use as a legitimate information delivery message. This problem is referred to as an "Information Delivery and Reuse Problem" .
  • a typical one-way function has one or more inputs INI, IN2 , ..., and an output OUT. Its salient one-way characteristics are:
  • Computational infeasibility means that no method is known to be better than simply trying all possible values of the missing variable to determine the correct one .
  • broadband communication networks such as cable television networks, movies, sports events and other video
  • audio and data are provided to authorized decoders in a decoder population based on payment of a fee.
  • the service is encrypted under one or more cryptographic keys .
  • Seed or pre-seed data (e.g., a seedload message) is provided at authorized decoders for use in generating the cryptographic keys for decrypting the encrypted service.
  • the seed or pre-seed data may be stored in chips, internal to the decoders or in smart cards. Accordingly, the most sensitive information in many decoders is the seeds.
  • Seeds along with the public Unit Address, which is a unique identifier for each decoder, comprise the unique and unchangeable identity of a component. All cryptographic functions within the decoders may be based on seeds in some fashion. In the past, attackers have had the goal of copying or cloning security components by extracting seeds from one component and loading them into multiple others. This process is often referred to as "cloning" .
  • Some decoders are designed to accept a seedload message of the following form:
  • the five pieces of information loaded by this message may be placed unaltered in five areas of a decoder's memory, for example. After the decoders are sent into the field, an attacker might find a way to access these five areas of memory and remove the information. Since this information allows creation of the original seedload message, such an attack would allow a "pirate" to manufacture unauthorized clone decoder units. This is a significant problem since it results in loss of revenue to the network operator and others .
  • pre-seeds may be used.
  • the pre-seedload message may have the following form:
  • the pre-seeds are processed using a OWF to create the seeds:
  • Seed-2 [stored] OWF ( Pre-seed-2 [received] )
  • Seed-3 [stored] OWF ( Pre-seed-3 [received] )
  • Seed-4 [stored] OWF ( Pre-seed-4 [received] )
  • This method provides greater security since it is now computationally infeasible for an attacker to calculate a pre-seed from a seed extracted from security component memory.
  • To calculate pre-seed-1 from seed-1 for example, the attacker would have to compute :
  • Pre-seed-1 OWF ( Seed-1 )
  • Step 1 Generate 56 random bits.
  • Step 2 Use all 56 as a valid DES key.
  • RSA keys are generated differently, using the following complex numerical procedure .-
  • Step 1 Choose a (big) modulus size, e.g., 1024 bits .
  • Step 2 Probabilistically generate a 512 bit prime number P as follows: a) Generate 512 random bits. b) Assemble these bits into the number P. c) Test if P is a prime number. d) If prime, retain P and go to Step 3. e) If not prime, go back to Step 2a.
  • Step 3 Repeat Step 2 for another 512 bit prime Q.
  • Step 6 Randomly generate key KI , where KI must be relatively prime to (P-l) • (Q-l) . a) Generate 1024 random bits. b) Assemble these bits into the number KI . c) Test if KI is relatively prime to ( P-l ) • (Q-l ) . d) If relatively prime, go to Step 7. If not, go back to Step 6a.
  • Step 7 Derive Key K2 from Key KI and (P-l) -(Q-l) using Euclid's Extended Algorithm.
  • Step 8 Discard P, Q, and (P-l) -(Q-l) (important).
  • Steps 2 and 3 are the problematic differences with DES key generation with regard to this invention.
  • the random generation of numbers that meet a mathematically constrained condition, such as primicity is a probabilistic process, with many numbers generated that are not prime. This is because prime numbers are relatively rare, as discussed previously with regard to FIG. 1, and because there is no known way to directly generate a prime number. Instead, random numbers are generated and tested to see if they are prime. When a prime number is found, the search can stop.
  • the "entropy" of a key can be defined as the number of valid keys for a key size of N bits.
  • a maximally “entropic” key of N bits has 2 N valid keys.
  • a key that is constrained in any way is less entropic, with tighter constraints reducing entropy accordingly.
  • a fixed key is degeneratively entropic (i.e., has "zero entropy") since it only has a single value.
  • DES keys, RSA moduli, RSA Keys KI , and RSA Keys K2 can all be ranked in terms of entropy, from least entropic to most entropic as follows: RSA Key K2 , RSA Moduli, RSA Key KI, and DES Keys.
  • DES keys are maximally entropic, in that a DES key of size N bits has 2 N valid keys. Any N bit number is a valid key.
  • An RSA modulus has medium-low entropy, since it is generated as a prime number. Primes are unusual among the field of numbers, and their generation is improbable, as shown in FIG. 1. Many attempts are needed to create a single valid RSA modulus.
  • the present invention provides a system that performs the OWF operation during the initial random bit generation phase, before further validity tests such as primality are applied. Then, if a valid number is found (e.g., a prime number) the input to a OWF that outputs that valid number has already been captured.
  • a valid number e.g., a prime number
  • a OWF creates an output that is best modeled as a random number.
  • the challenge that is solved by the present invention is to use such a OWF output as a key when the type of key desired is not maximally entropic. It is likely that a given OWF function output will not be a valid RSA Key or modulus, which prohibits the use of a OWF if only one output is available. Even if multiple outputs are available through repeated trials, the procedure must allow the time to perform such trials to obtain valid output. Since any number, e.g., of length 56 bits, is a valid DES key, DES is well-disposed for accepting the output of a OWF. It does not matter whether that number came directly from a random source of bits, or from the output of a OWF; both will work. DES key generation is efficient and flexibly applicable for this reason, since random bits are easy to make at fairly high rates .
  • RSA Key K2 is utterly ill-disposed to be the output of a OWF, since it is vanishingly unlikely for the lone valid value of K2 to be generated by a randomly-modeled process .
  • RSA Key KI is less disposed to accept the output of a OWF, according to its lower entropy. But, if multiple outputs from multiple trials were available, obtaining a valid KI might be feasible. An application with only one OWF output (such as seedloading) cannot work with RSA Key KI .
  • RSA modulus used as an RSA modulus, a given random number or OWF output has only a very small probability of being valid, as seen from FIG. 1.
  • the RSA modulus is part of key generation and is created first, so RSA key generation is slow and inefficient. And worse, even if a valid modulus is found, it is very probable that it cannot be passed through a OWF without becoming an invalid modulus.
  • RSA key generation or “key generation” shall include both the RSA modulus and RSA key Kl and K2 generation process, and the OWF described is assumed to have a 64 bit input and output. Fewer or more bits may be used. Additionally, check bits may be used for error correction.
  • RSA keys and moduli can be generated using a OWF as follows. Conventionally, random key generation is a separate process from how the valid keys generated are used. This works because DES keys are easy to generate and are valid even if subsequently passed through a OWF. But, separating key generation from seedload message creation is not possible when traditionally- generated RSA keys are used.
  • the seedload message OWF is merged into the RSA key and modulus generation process itself. This is done in three specific places in the process, resulting in the below modified RSA key and modulus generation procedure :
  • Step 1 Choose a (big) modulus size, like 1024 bits .
  • Step 6 Randomly generate key Kl , where Kl must be relatively prime to (P-l) • (Q-l) : a) Generate 1024 random bits. b) Assemble each 64 bits into 16 numbers Pre- Kl.... Pre-Kl 16 c) Pass Pre-Kl.... Pre-Kl. 6 through a OWF to form K1....K1 16 , respectively. d) Assemble Kl.... Kl 16 into the 1024 bit number Kl. e) Test if Kl is relatively prime to (P-l) • (Q-l) . f) If relatively prime, go to Step 7. If not, go back to Step 6a.
  • Step 7 Derive Key K2 from Key Kl and (P-l) • (Q-l) via Euclid's Extended Algorithm.
  • Step 8. Discard P, Q, and (P-l) -(Q-l) (important).
  • Step 9 Retain the following to use in OWF message delivery & RSA encryption: a) Pre-Kl.... Pre-Kl 16 b) K2 c) Pre-P....Pre-P 8 d) Pre-Q x ...Pre-Q 8 .
  • the above procedure of the present invention allows the generation of valid RSA keys that are the output of a OWF.
  • the OWF is now integrated into the key generation process itself, e.g., in the creation of P, Q , and Kl .
  • the OWF RSA key generation procedure can be used to solve the Information Delivery and Reuse Problem as follows.
  • the objective is to deliver the modulus N and key Kl to the receiver/decoder.
  • Key K2 is not needed by the receiver since it will be used for message encryption only at the headend.
  • Key Kl is used for message decryption only at a decoder.
  • Step 1 Generate RSA key variables Pre- Kl....Pre-Kl 16 , Pre-P.... Pre-P 9 , Pre-Q ⁇ .. Pre-Q 9 , and K2 using the OWF procedure above.
  • the OWF may have a 64 bit input and output.
  • Step 2. Form an RSA pre-seedload message of the following form:
  • Step 3 Send the RSA pre-seedload message to the message receiver (e.g., decoder).
  • the message receiver e.g., decoder
  • the message receiver e.g., decoder
  • the decoder must have the OWF used in key generation above.
  • the OWF can be provided to decoders in a decoder population using various techniques.
  • the OWF may be installed in non-volatile memory at the time the decoder is manufactured, using a smart card or the like, or downloaded via the communication network.
  • the OWF may itself be encrypted to prevent interception and compromise.
  • the decoder performs the following steps to derive Kl and N for use in decrypting the encrypted video, audio or other data:
  • Step 1 Process Pre-P. . . . Pre-P ⁇ : a) Pass Pre-P. . . . Pre-P 8 through the OWF to form P . . . P • • b) Discard Pre-P. . . . Pre-P B ( important ) . c) Reassemble P j .-.P, to form P. Step 2.
  • Process Pre-Q.... Pre-Q 8 a) Pass Pre-Q j ... Pre-Q 8 through the OWF to form
  • Process P and Q a) Multiply P and Q to form the Modulus N.
  • Step 4 Process Pre-Kl.... Pre-Kl 16 : a) Pass Pre-Kl., ... Pre-Kl 16 , through the OWF to form Kl j -.-Kl.,, respectively b) Discard Pre-Kl.... Pre-Kl 16 (important).
  • Process Pre-Kl.... Pre-Kl 16 a) Pass Pre-Kl., ... Pre-Kl 16 , through the OWF to form Kl j -.-Kl.,, respectively b) Discard Pre-Kl.... Pre-Kl 16 (important).
  • the message receiver/decoder has the desired information, having derived it by passing RSA seedload message information through a OWF. If an attacker somehow extracts the modulus N and Key Kl , he cannot form a valid RSA pre-seedload message since, first, P and Q cannot be formed without factoring the modulus N. This is the "hard problem" that the security of RSA is based upon. Second, even given P, Q or Kl, Pre-P....Pre-P 8 , Pre-Q.... Pre-Q 8 , and Pre- Kl.... Pre-Kl 16 cannot be derived due to the use of the OWF.
  • FIG. 2 illustrates a broadband communication network with an encoder and decoder in accordance with the present invention.
  • An encoder is shown generally at 200, while a decoder is shown generally at 260.
  • the encoder 200 may be provided at the headend of a cable television or satellite distribution network, while the decoder 260 represents one decoder in a decoder population, e.g., at a consumer's home.
  • the encoder 200 includes a key and modulus generator 205, and, optionally, multiplexer (MUX) 240.
  • MUX multiplexer
  • the key and modulus generator 205 uses a one-way function to generate a number of pre-seed segments, Pre-P 1 through Pre-P 8 , Pre-Q j through Pre-Q 8 , and Pre-K.- 1 through Pre-K j -16.
  • different one-way functions can be used for the different sets of segments. For example, a first one-way function can be used with Pre-P j through Pre-P 8 , (Pre-P), a second oneway function can be used with Pre-Q x through Pre-Q 8 , (Pre-Q) , and a third one-way function can be used with Pre-K.-l through Pre-K.-16 (Pre-K) . It is also possible to use different one-way functions for each segment within a set.
  • the key and modulus generator 205 uses the pre- seed data to generate the RSA key K2 , and the RSA modulus N.
  • the encryptor 230 usds K2 and N to encrypt clear data Y, thereby providing corresponding encrypted data X.
  • the clear data Y may comprise video, audio or other data.
  • unencrypted data may be communicated with the encrypted data to the decoder 260 and other decoders in the network.
  • a tiered distribution service may be offered wherein all decoders are authorized to receive a basic level of programming, while only specific decoders are authorized to receive one or more levels of premium programming upon payment of additional fees . In this case, only the premium programs need be encrypted.
  • a control center 210 which may optionally be part of the encoder 200, can control the processing of the key and modulus generator 205.
  • the control center 210 may optionally provide an accounting capability, e.g., by maintaining records regarding which decoders are authorized to receive the encrypted data. For example, the control center 210 may keep track of payments, billing and other relevant information.
  • the same pre-seed data at the key and modulus generator 205 is provided at the decoder 260, e.g., via a chip. This step generally only occurs in the manufacturing process for the decoder 260.
  • the encrypted data X is provided to the MUX 240 for communication across a channel 250 to the decoder 260.
  • the channel 250 may comprise a cable television distribution network or a satellite distribution network that communicates with a decoder population.
  • Other data such as encrypted or unencrypted program and/or control data may be multiplexed with the encrypted data X at MUX 240.
  • the transmitted data is received from the channel 250 at the demultiplexer (DEMUX) 270.
  • the DEMUX 270 provides the encrypted data X to a decryptor 265. Other data received at the DEMUX 270 is routed as required.
  • the pre-seed data is processed at the key and modulus generator 275, e.g., via a chip at the decoder that stores a pre-seedload message, where the pre-seed data is processed with the same one-way function used at the encoder 200 to derive the cryptographic key Kl and the modulus N. Kl and N are provided to the decryptor 265 for use in decrypting the encrypted data X to recover the clear data Y.
  • a control center 282 is optionally provided at the decoder 260 for controlling the processing at the key and modulus generator 275.
  • the clear data Y may be further processed using conventional circuitry as required. For example, if the clear data Y comprises video data, it may be necessary to perform conventional video decompression processing. Details regarding this processing are within the purview of those skilled in the art.
  • FIG. 3 illustrates an encoder in accordance with the present invention.
  • the encoder 200' includes a number of different processes which are shown individually. However, it should be appreciated that the different processes may be implemented using shared circuitry, including a common microprocessor and memory storage elements, and/or other software, firmware and/or hardware. Furthermore, these processes may generally be considered part of the key and modulus generator 205 and encryptor 230 of FIG. 2.
  • the encoder 200' includes a central processing unit (CPU) 310 that communicates with a bus 305.
  • a random bit generator 315 generates random bit strings using any known random data generating technique. For example, 512 bit and 1024-bit bit strings may be generated.
  • a bit subdivider/assembler 320 may subdivide the random bit string into a number of segments.
  • each segment may be used.
  • a length such as 64 bits or more, that provides the necessary degree of security when a one-way function is used to process each segment. If the segment is too short, the level of security may be insufficient even when a one-way function is used to process the segment.
  • the probability that a randomly generated bit string or any subset thereof will be prime or meet another desired mathematical constraint decreases, thereby increasing computing time.
  • a one-way function 325 individually processes each of the bit segments from the bit subdivider/assembler 320. Any known one-way function may be used. For example, each segment may be encrypted using one or more DES keys and a feedforward hash. The segments that are processed by the one-way function 325 are then assembled into a single bit string at the bit subdivider/assembler 320. For example, when eight 64- bit segments are used, the segments may be concatenated or otherwise assembled to obtain a new 512 bit length bit string.
  • random re-ordering of the segments may occur before and/or after processing by the one-way function to provide further security.
  • Corresponding re-ordering must be used at the decoder.
  • the newly assembled bit string may be provided to a prime tester 345, which may implement any known prime testing technique to determine whether the processed bit string is a prime number. Moreover, even if primicity cannot be determined to a complete certainty, it is possible to achieve a desired level of confidence that the bit string is prime, e.g., 99.9999% confidence.
  • WITNESS In Miller, G., "Reimann's Hypothesis and Tests for Primality,” Proceedings of the Seventh Annual ACM Symposium on the Theory of Computing, May 1975, and Rabin, M. ,
  • WITNESS (a, n)
  • WITNESS may be invoked repeatedly using randomly chosen values for "a”. If at any point, TRUE is returned, "n” is not prime. If FALSE is returned "s" times in succession, then the probability that "n” is prime is at least 1- 2 "s . Thus, for a sufficiently large value of "s", a corresponding confidence level that that "n” is prime can be established.
  • Totient represents the number of positive integers less than N and relatively prime to N.
  • a positive integer C is the GCD of two integers A and B if C is a divisor of A and B, and any divisor of A and B is a divisor of C.
  • Euclid's Extended Algorithm is performed at function 365 to obtain the key K2.
  • the CPU 310 and memory 340 may be used to control the other functions and provide intermediate and/or final storage of data as required. Additionally, the data to be encrypted at the encryptor 230 may be provided via the bus 305 or by other means.
  • FIG. 4(a) illustrates the first part of an encoding method in accordance with the present invention.
  • a random bit string e.g., having a length of 512 bits
  • the bits are assembled into a number of pre-seed subsets, Pre-P j through Pre-P 8 .
  • Pre-P j For example, eight subsets, each having a length of 64 bits may be used.
  • each of the subsets is processed with a one-way function to obtain corresponding subsets P x through P 8 . Since a one-way function is used, it is essentially impossible to derive the pre-seed subsets Pre-P j through Pre-P 8 from the subsets P x through P 8 , respectively.
  • the processed subsets P ⁇ through P 8 are assembled to form the 512 bit length bit string P.
  • P is tested to determine if it is prime to a sufficient degree of confidence. If not, the process is repeated at block 400, and the pre-seed data is discarded. If so, processing continues at block 455.
  • a corresponding bit string Q is derived at blocks 430, 435, 440, and 445, which correspond to blocks 400, 405, 410, and 415, respectively.
  • another 512 bit random bit string is generated.
  • the bit string is assembled into subsets Pre-Q 1 through Pre-Q ⁇ .
  • Pre- Q j through Pre-Q 8 are processed with a one-way function to obtain the corresponding processed subsets Q : through Q 8 , respectively.
  • Q 1 through Q 8 are assembled to form the 512-bit bit string Q.
  • testing for any desired mathematical constraint may be performed at blocks 420 and 450.
  • processing continues at block A of FIG. 4 (b) .
  • the one-way functions used in blocks 410 and 440 may be the same; however, this is not required.
  • Other variations, including the use of additional, conventional encryption steps, will be apparent to those skilled in the art.
  • FIG. 4(b) illustrates the second part of the encoding method of FIG. 4(a) in accordance with the present invention.
  • Processing continues at block 500.
  • a random bit string having a length, e.g., of 1024 bits, is generated.
  • the bit string is subdivided into sixteen pre-seed subsets Pre-K.-l through Pre-K.-16, each having a length of 64 bits.
  • each 64-bit subset is processed with a one-way function to obtain corresponding processed subsets K.-l through K.-16.
  • the one-way function used at block 515 may the same as, or different than, the one-way functions used at blocks 410 and 440 of FIG. 4(a).
  • the processed subsets Kl-1 through Kl-16 are assembled to form the RSA key Kl .
  • Kl is relatively prime to ⁇ ("PHI") with a sufficient degree of confidence.
  • P, Q and ⁇ are discarded. This step is important since an attacker may be able to obtain this information if it is stored in memory.
  • the encrypted message X is transmitted to the decoder population. Note that the pre-seed segments Pre-P x through
  • Pre-P 8 , Pre-Q x through Pre-Q ⁇ , and Pre-K.-l through Pre- K.-16 are also provided to the decoder population, e.g., via chips. This step generally occurs independently of the previous steps, which involve processing at an encoder.
  • the pre-seed data for the three bit strings P, Q and Kl is provided to the decoders.
  • FIG. 5 illustrates a decoder in accordance with the present invention.
  • the decoder 600 includes a CPU 602 that communicates with a bus 605.
  • a bit subdivider/assembler 610, one-way function 615, memory 620, and modulus calculator 625, correspond generally to the liked-named elements of the encoder 200' of FIG. 3.
  • the pre-seed segments that are provided to the decoder 600 are processed by the one-way function 615 to obtain the corresponding processed segments.
  • the bit subdivider/assembler 610 assembles the respective processed segments to form P, Q and Kl .
  • the RSA modulus N is calculated at function 625.
  • the CPU 602 and memory 620 may be used to control the other decoder functions and provide intermediate and final data storage as required.
  • each of the decoder elements may be implemented in separate and/or shared components, including software, firmware and/or hardware.
  • FIG. 6 illustrates a decoding method in accordance with the present invention.
  • the respective pre-seed segments that were used at the encoder are also available at the decoder, e.g., from a chip, smart card or the like.
  • the pre-seed segments Pre-P x through Pre-P ⁇ are processed with a one-way function to obtain the corresponding processed segments P. through P 8 . This is the same one-way function used at block 410 of FIG. 4(a).
  • the processed segments P. through P ⁇ are assembled to form P.
  • the pre-seed segments Pre-Q 1 through Pre-Q 8 are processed with a one-way function to obtain the processed segments Q 1 through Q 8 , respectively. This is the same one-way function used at block 440 of FIG.
  • the processed segments Q. through Q 8 are assembled to form Q.
  • the modulus N P-Q is formed.
  • the pre-seed segments Pre-K. -1 through Pre-K x -16 are processed with a one-way function to obtain the processed segments K : -l through K.-16, respectively. This is the same one-way function used at block 515 of FIG. 4(b).
  • Pre-K.-l through Pre-K x -16 are discarded.
  • the processed segments K.-l through K.-16 are assembled to form the RSA key Kl .
  • the present invention provides a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key and modulus using a one-way function and testing for the mathematically constrained condition, such as primicity.
  • a mathematically constrained key such as an RSA cryptographic key and modulus using a one-way function and testing for the mathematically constrained condition, such as primicity.
  • the invention achieves the security benefits of both the RSA system and one or more one-way functions.
  • the invention is particularly suitable for use with access- controlled broadband communication networks in which pre-seed data is provided to specific decoders on the network.
  • pre-seed data is processed at an encoder, such as a headend, using a one-way function and tested to determine if it is prime. If so, two prime numbers P and Q are thusly obtained and used to form an RSA modulus N and cryptographic key K2.
  • decoders receive the pre-seed data, e.g., via local chips, which is processed at the decoders using the same one-way function used during the key generation processto obtain the modulus N and the RSA key Kl .
  • Kl is derived from K2 using Euclid's Extended Algorithm.
  • the pre-seed data is obtained by subdividing a random bit string into several segments, then independently processing each segment with the one-way function to obtain corresponding processed segments.
  • the processed segments are assembled to obtain a processed bit string which is tested for primicity.
  • the bit string is used if it is found to be prime to a sufficient confidence level. Otherwise, successive iterations are performed until an acceptable bit string is obtained.
  • the bit string segments are selected to be long enough to provide adequate security, yet short enough to avoid excessive computing time due to multiple iterations to obtain a prime bit string.
  • LANs local area networks
  • MANs metropolitan area networks
  • WANs wide area networks
  • internets intranets
  • intranets and the Internet
  • bit string lengths and number of segments per bit string used in the illustrations are examples only. Generally, the only requirement in this regard is that the minimum bit string length for a segment that is processed by a one-way function is sufficiently large, e.g., 56 or 64 bits, to maintain a high level of security.
  • processing of multiple bit string segments may be implemented at the key generator during manufacture and/or at the decoder either serially, or concurrently in a parallel processing scheme.
  • each of P, Q and Kl are processed with one-way functions, this is not required. For example, security benefits will still be achieved if only one or more of P, Q and Kl are processed with one or more one-way functions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Electrophonic Musical Instruments (AREA)
  • Detection And Correction Of Errors (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)
  • Lock And Its Accessories (AREA)

Abstract

A cryptographic key (K2) is generated using a one-way function (325) and testing for a mathematical constraint. Pre-seed data is obtained by subdividing (320) a random bit string into several segments (PRE-P1, ..., PRE-P8, PRE-Q1, ..., PRE-Q8), then independently processing each segment with a one-way function (325) to obtain respective values (P, Q) which are tested for a mathematical constraint such as primeness (345). If the values do not pass the test, the steps are repeated. Otherwise a modulus N (350), and Euler's Totient 011001 = (P-1) (Q-1) (355) are formed. Segments Pre-K1-1, ..., Pre-K1-16 are also processed through a one way function to form segments K1-1, ..., K1-16, which are assembled to form a value K1. Euclid's Basic Algorithm (360) is used to determine if K1 is relatively prime to &phgr:. If not, a new K1 is formed. If so, a key (K2) is formed from Euclid's Extended Algorithm (365) for encrypting data.

Description

GENERATION OF A MATHEMATICALLY CONSTRAINED KEY USING A
ONE-WAY FUNCTION
BACKGROUND OF THE INVENTION
The present invention relates to a method and apparatus for generating a cryptographic key. A oneway function and prime testing is used to provide a modulus that is highly secure. For example, a modulus for use with the Rivest, Shamir, and Adleman (RSA) public key encryption algorithm may be provided. The invention may be used, e.g., in encrypting data that is communicated to a decoder population via a broadband communication network such as a satellite distribution network, or cable television network, or used with any other security device. Video, audio and other data that is communicated to a decoder population in a broadband communication network is encrypted under one or more cryptographic keys at the headend to provide access control to the data. Seed data is generated and loaded into addressable receivers at the time of their manufacture. This allows them to subsequently process messages containing these cryptographic keys once they are deployed in a communication network. However, a hostile attacker may be able to obtain the seed data through various known attack techniques, such as chip decapsulation, probing, and the like. Once an attacker has this seed information, he could potentially decrypt all messages sent to that receiver, thereby compromising that receiver permanently or for a long period. One way to overcome this problem at the time the receiver is manufactured is for the receiver to process a pre-seed using a predetermined function to derive the seed. Then, even if the pre-seed is subsequently discovered by an attacker, the attacker cannot obtain the seed unless the attacker knows the predetermined function.
This predetermined function may be a one-way function. A one-way function is essentially irreversible such that input data that is processed through the one-way function cannot be recovered by an unauthorized person. A one-way function may comprise a distribution hash function, where input data is encrypted under one or more encryption algorithms, and the resulting encrypted data is hashed with the input data, for example, using an exclusive-or (XOR) function. Thus, given a seed, a pre-seed that is processed by a one-way function to obtain a seed is essentially impossible to recover in a trial-and-error attack without knowledge of the one-way function. Generally, an attacker who reads stored information, e.g. from a chip, rather than the pre-seed load message used to generate the stored information, is faced with working backwards through a one-way function (O F) to recreate the pre-seed load message. Since the attacker cannot perform this one-way function reversal, and since he does not have the original pre- seed load message used to load pre-seeds into the chip, he cannot load valid seeds into the chip in a receiver. This use of a OWF generally occurs only in a factory in which decoders are produced, not in a network. Thus, decoders in the field do not usually receive messages that employ this technique.
The above technique of providing a pre-seed to the decoder is appropriate when the pre-seed is a bit string or key that corresponds, for example, to the Data Encryption Standard (DES) . A valid DES key comprises essentially any random, string of 56 bits. Accordingly, a DES key that is processed by a one-way function results in output data that can be used as another DES key. While the DES key can provide adequate security in many cases, different security properties associated with public key encryption can be achieved with an RSA key.
The RSA Public Key Cryptosystem is a widely used standard in public key cryptography. With this system, a message Y is encrypted to obtain the cyphertext X=YK2(mod N) . A public key is defined by (K2,N) , where K2 is the public exponent, and the modulus N is the product of two large prime numbers, P and Q. Additionally, K2<N, and K2 is relatively prime to Euler's Totient, φ= (P-l) • (Q-l) . Two integers are relatively prime to one another if they have no prime factors in common. That is, their only common factor is one. The security of the system is based on the difficulty in factoring N into its two components, P and . In the deciphering operation, the message Y is recovered from the cyphertext X as Y=XK1 (mod N) , where KI is the private key or private exponent, and K2_1=K1 mod(φ) . A valid RSA key K2 that is processed by a one-way function is highly unlikely to result in another valid RSA key since the occurrence of prime numbers becomes less and less likely for large numbers, e.g., 56 bit and longer bit strings. FIG. 1 shows a known asymptotic relationship between bit length and the percentage of numbers that are prime. Specifically, the Prime Number Theorem states that, for a value X, the number of primes less than X is asymptotically equal to X divided by the logarithm of X. An x-axis 110 shows the number of bits in a prime number, while a y-axis 120 shows the percentage of numbers that are prime. For example, for a 56-bit binary number, only about 0.025% of all numbers are prime. As shown by the curve 130, this proportion decreases with bit length. The probability of a randomly-generated number being prime follows this same proportion, even if a one-way function is used in such random generation. It is very unlikely that the processing of an RSA key with a one-way function would produce a valid RSA key. Similarly, since the output of a one-way function is best modeled as a random number, it is unlikely that an output will satisfy any improbable mathematical constraint, primality being only one example. Accordingly, it would be desirable to provide a computationally efficient system for generating mathematically constrained keys, such as valid RSA keys, using a one-way function. Such a system should provide a highly secure encryption key, e.g. a pre- seed, that is protected by both the selected encryption system and a one-way function.
It would further be desirable to provide a communication network with a transmission site or headend wherein mathematically constrained values, such as an RSA public exponent K2 and modulus N=P-Q, are produced using the same or different one-way functions, and where data such as video, audio or other data is encrypted according to the RSA system under K2 and N. It would be desirable to provide a pre-seedload message with pre-seed data that is also processed by a one-way function in a chip (i.e., integrated circuit) at a receiver or decoder for use in deriving KI and N to decrypt the encrypted video or other data. The present invention provides a system having the above and other advantages .
SUMMARY OF THE INVENTION
The present invention relates to a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key or modulus, using a one-way function. This generated key satisfies a mathematical constraint condition, such as primicity.
Pre-seed data is processed at an encoder at the time of manufacture, using a one-way function and tested to determine if the processed data meets some mathematically constrained conditions, such as being a prime number. If so, the tested number is used, for example, to form an RSA modulus N and cryptographic key K2. Data Y, such as video, audio or other data in a cable or satellite television network, for example, is subsequently encrypted to obtain the encrypted data X=YK2(mod N) , and transmitted over the network to a decoder population.
Additionally, specific authorized decoders have chips that store the RSA keys that result from the one- way function processing of pre-seed data by that decoder at the time of decoder manufacture. The encrypted data X is decrypted using these RSA keys to recover the clear data Y=XK1 (mod N) .
Preferably, the pre-seed data is obtained by subdividing a random bit string into several segments, then independently processing each segment with a oneway function to obtain corresponding processed segments. The processed segments are assembled to obtain a processed bit string which is then tested as a whole for the mathematically constrained condition, such as primicity.
Generally, the present invention is not specific for RSA, but is applicable anywhere a mathematically constrained key must be generated. RSA keys, which are based on prime numbers, are only one example of a mathematically constrained key. Other constraints of an arbitrary nature for existing and emerging algorithms, such as Elliptic Curve Cryptosystems , are meant to be encompassed.
A specific encoding method illustrated herein for generating a cryptographic key, K2 , includes the step of generating a first set of random values pre-P, such as a 512-bit bit string. At least a portion of the values pre-P are processed with a first one-way function to obtain a corresponding value P. Preferably, pre-P includes sets of values (e.g., bits) that are processed individually by the one-way function. The value P is tested for satisfaction of a mathematical constraint such as primicity (primeness) . If P does not meet the constraint, the above steps are repeated to form a new value P until the constraint is met. The key K2 is ultimately formed as a function of the value P and other variables P and KI . In particular, a second set of random values pre-Q may be processed analogously to the pre-P values to derive a value Q that also satisfy the mathematical constraint. A modulus N=PQ, and Euler's Totient φ=(P- 1) (Q-l) are then formed. Next, a third set of random values pre-Kl are processed using a one-way function to derive a value KI . It is then determined whether KI is relatively prime to φ. This condition is satisfied if Euclid's Algorithm indicates that the greatest common divisor (GCD) of KI and φ is one. If the condition is not satisfied, additional values of KI are formed until the condition is met.
The key K2 may then be formed using Euclid's Extended Algorithm, i.e., K2=K1 "1 (mod cp) . Data Y can be encrypted under K2 and N, e.g., using X=YK2 (mod N) . For example, data such as television programming may be encrypted at an encoder.
Also in accordance with the present invention, a decoding method is provided for generating a cryptographic key, KI . The values pre-P, pre-Q, and pre-Kl that were ultimately used at the encoder to derive K2 are provided to a decoder. At the decoder, pre-P and pre-Q are processed with the previously used one-way functions to form P and Q, respectively. The modulus N=PQ is then formed as before.
The third set of random values pre-Kl that were used at the encoder are processed using the same oneway function to derive the value KI . The encrypted data can then be decrypted using KI and N. For example, the data X can be decrypted using Y=XK1(mod N) .
The encrypted message X may be transmitted from the encoder to the decoder via a broadband communication network with a decoder population P, pre-Q, and pre-Kl may be stored as a seedload message locally in a chip at the decoder, e.g., internally or in a smart card.
A corresponding encoding apparatus and decoding apparatus are also presented.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates the Prime Number Theorem.
FIG. 2 illustrates a broadband communication network with an encoder and decoder in accordance with the present invention.
FIG. 3 illustrates an encoder in accordance with the present invention.
FIG. 4(a) illustrates the first part of an encoding method in accordance with the present invention.
FIG. 4(b) illustrates the second part of the encoding method of FIG. 4(a) in accordance with the present invention.
FIG. 5 illustrates a decoder in accordance with the present invention.
FIG. 6 illustrates a decoding method in accordance with the present invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention relates to a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key and modulus, using a one-way function and testing for the mathematically constrained condition, such as primeness .
A conditional access (CA) system, such as a broadband cable television or satellite distribution network, delivers information in messages to trusted components that store that information. Attackers of a CA system can sometimes illicitly clone or copy trusted components by removing and resubmitting information using that component's normal message delivery syntax and processing. It is therefore desirable for the information stored to exist in a form that prevents its re-use as a legitimate information delivery message. This problem is referred to as an "Information Delivery and Reuse Problem" .
A typical one-way function (OWF) has one or more inputs INI, IN2 , ..., and an output OUT. Its salient one-way characteristics are:
• Given all inputs INI, IN2 , .... , it is easy to calculate OUT; but • Given OUT and at least one missing input INI or IN2 or ... , it is computationally infeasible to calculate the missing input.
Computational infeasibility means that no method is known to be better than simply trying all possible values of the missing variable to determine the correct one .
In the present invention, a simple OWF with one input and one output can be used, where OUT = OWF (IN) is easy to calculate, but IN = OWF (OUT)"1 is not.
In broadband communication networks such as cable television networks, movies, sports events and other video, audio and data ("services") are provided to authorized decoders in a decoder population based on payment of a fee. To prevent unauthorized persons from viewing or otherwise using a service, the service is encrypted under one or more cryptographic keys . Seed or pre-seed data (e.g., a seedload message) is provided at authorized decoders for use in generating the cryptographic keys for decrypting the encrypted service. For example, the seed or pre-seed data may be stored in chips, internal to the decoders or in smart cards. Accordingly, the most sensitive information in many decoders is the seeds. Seeds, along with the public Unit Address, which is a unique identifier for each decoder, comprise the unique and unchangeable identity of a component. All cryptographic functions within the decoders may be based on seeds in some fashion. In the past, attackers have had the goal of copying or cloning security components by extracting seeds from one component and loading them into multiple others. This process is often referred to as "cloning" . Some decoders are designed to accept a seedload message of the following form:
Unit Address + Seed-1 + Seed-2 + Seed-3 + Seed-4
Four seeds are provided in this message only as an example. Fewer or more may be used. The five pieces of information loaded by this message may be placed unaltered in five areas of a decoder's memory, for example. After the decoders are sent into the field, an attacker might find a way to access these five areas of memory and remove the information. Since this information allows creation of the original seedload message, such an attack would allow a "pirate" to manufacture unauthorized clone decoder units. This is a significant problem since it results in loss of revenue to the network operator and others . Instead of using seeds in the seedload message, pre-seeds may be used. The pre-seedload message may have the following form:
Unit Address + Pre-seed-1 + Pre-seed-2 + Pre-seed-3 + Pre-seed-4 When the pre-seedload message is received at a decoder, the pre-seeds are processed using a OWF to create the seeds:
Unit Address [stored] = Unit Address [received] Seed-1 [stored] = OWF ( Pre-seed-1 [received] )
Seed-2 [stored] = OWF ( Pre-seed-2 [received] ) Seed-3 [stored] = OWF ( Pre-seed-3 [received] ) Seed-4 [stored] = OWF ( Pre-seed-4 [received] )
This method provides greater security since it is now computationally infeasible for an attacker to calculate a pre-seed from a seed extracted from security component memory. To calculate pre-seed-1 from seed-1, for example, the attacker would have to compute :
Pre-seed-1 = OWF ( Seed-1 )
However, as long as the OWF chosen was adequately strong, this was an untenable problem. In particular, DES-based OWFs are well-studied and thought quite reliable. This OWF approach solves the Information Delivery and Reuse Problem for delivery of DES keys. Note that, when using this OWF technique, it is fundamentally assumed that passing a valid DES key through the OWF will form an output that is also a valid DES key. Were this not true, then Seeds would not be valid DES keys, making them useless. DES keys are easily generated using any adequate source of random bits and a trivial procedure:
Step 1. Generate 56 random bits.
Step 2. Use all 56 as a valid DES key.
The term "random" is used herein to encompass
"pseudo-random" . It is understood that a purely random process is difficult to achieve in practice.
RSA keys are generated differently, using the following complex numerical procedure .-
Step 1. Choose a (big) modulus size, e.g., 1024 bits .
Step 2. Probabilistically generate a 512 bit prime number P as follows: a) Generate 512 random bits. b) Assemble these bits into the number P. c) Test if P is a prime number. d) If prime, retain P and go to Step 3. e) If not prime, go back to Step 2a.
Step 3. Repeat Step 2 for another 512 bit prime Q. Step 4. Form the 1024 bit modulus N = P-Q.
Step 5. Form the Euler Totient, φ (PHI) = (P-
1) (Q-l) •
Step 6. Randomly generate key KI , where KI must be relatively prime to (P-l) • (Q-l) . a) Generate 1024 random bits. b) Assemble these bits into the number KI . c) Test if KI is relatively prime to ( P-l ) • (Q-l ) . d) If relatively prime, go to Step 7. If not, go back to Step 6a.
Step 7. Derive Key K2 from Key KI and (P-l) -(Q-l) using Euclid's Extended Algorithm.
Step 8. Discard P, Q, and (P-l) -(Q-l) (important). Step 9. Retain the following to use in RSA encryption : a) KI b) K2 c) The modulus N = P-Q
Steps 2 and 3 are the problematic differences with DES key generation with regard to this invention. The random generation of numbers that meet a mathematically constrained condition, such as primicity, is a probabilistic process, with many numbers generated that are not prime. This is because prime numbers are relatively rare, as discussed previously with regard to FIG. 1, and because there is no known way to directly generate a prime number. Instead, random numbers are generated and tested to see if they are prime. When a prime number is found, the search can stop.
However, there is a problem with RSA public key generation, as the following discussion reveals. The "entropy" of a key can be defined as the number of valid keys for a key size of N bits. A maximally "entropic" key of N bits has 2N valid keys. A key that is constrained in any way is less entropic, with tighter constraints reducing entropy accordingly. A fixed key is degeneratively entropic (i.e., has "zero entropy") since it only has a single value. DES keys, RSA moduli, RSA Keys KI , and RSA Keys K2 can all be ranked in terms of entropy, from least entropic to most entropic as follows: RSA Key K2 , RSA Moduli, RSA Key KI, and DES Keys.
These entropy rankings come from the following considerations :
• DES keys are maximally entropic, in that a DES key of size N bits has 2N valid keys. Any N bit number is a valid key.
• RSA Key KI is of medium-high entropy, since it is chosen randomly, but is constrained (loosely) to be relatively prime to (P-l) • (Q-l) . It is reasonably likely that a randomly chosen value is relatively prime to a like-sized (P-l) (Q-l) , so relatively few values would be invalid.
• An RSA modulus has medium-low entropy, since it is generated as a prime number. Primes are unusual among the field of numbers, and their generation is improbable, as shown in FIG. 1. Many attempts are needed to create a single valid RSA modulus.
• RSA Key K2 has zero entropy, since the one valid value of K2 is directly derived from Key KI and modulus N, rather than randomly generated. Key K2 therefore has degenerative entropy.
For a traditional DES keys of 56 bits, we need only generate 56 random bits to have a good key. This is because all 256 possible values of a 56 bit key are legal DES keys with equivalent security. However, with public key algorithms based on number theoretic principles, this is not the case. If one generates a candidate RSA modulus of N bits, most of the time it is not even a valid modulus and must be discarded. An RSA public key modulus must be the product of two large prime numbers, for example, so each time a candidate key is assembled from randomly generated bits, further testing is needed to know if it is really a valid key.
In RSA, this is tested to determine whether the assembled bits constitute a prime number. In other algorithms, there are other tests besides prime testing, and these can be extraordinarily complex. The present invention provides a system that performs the OWF operation during the initial random bit generation phase, before further validity tests such as primality are applied. Then, if a valid number is found (e.g., a prime number) the input to a OWF that outputs that valid number has already been captured.
For example, if we were making an eight-bit key for a "mini-DES", there are 256 legal keys of size 8 bits (i.e., 28=256) .. If we were making an eight-bit RSA modulus N=P*Q with a P and Q of four bits each, we are constrained by there only being five acceptable four-bit prime numbers (i.e., 3, 5, 7, 11, 13) yielding 5*5 = 25 possible RSA moduli N of 8 bits. The odds of randomly generating one of these four-bit numbers is only 5/16, so a OWF would probably not generate one. If some undetermined algorithm XYZ had keys constrained in some way besides being prime (e.g., "all keys must be divisible by 13"), we would have a similar situation differing only in the type of mathematical constraint.
Moreover, there are 19 eight-bit numbers that are divisible by 13, i.e., 13, 26, 39, 52, 65, 78, 91, 104, 117, 130, 143, 156, 169, 182, 195, 208, 221, 234 and 247. Accordingly, randomly generating an eight-bit number has only a 19/256 chance of being a valid key for such a constrained-key system. This is simply another constraint besides primality, with similar techniques being just as relevant. Accordingly, the present invention is meant to encompass all such mathematically constrained systems, not just RSA.
A OWF creates an output that is best modeled as a random number. The challenge that is solved by the present invention is to use such a OWF output as a key when the type of key desired is not maximally entropic. It is likely that a given OWF function output will not be a valid RSA Key or modulus, which prohibits the use of a OWF if only one output is available. Even if multiple outputs are available through repeated trials, the procedure must allow the time to perform such trials to obtain valid output. Since any number, e.g., of length 56 bits, is a valid DES key, DES is well-disposed for accepting the output of a OWF. It does not matter whether that number came directly from a random source of bits, or from the output of a OWF; both will work. DES key generation is efficient and flexibly applicable for this reason, since random bits are easy to make at fairly high rates .
In contrast, RSA Key K2 is utterly ill-disposed to be the output of a OWF, since it is vanishingly unlikely for the lone valid value of K2 to be generated by a randomly-modeled process .
RSA Key KI is less disposed to accept the output of a OWF, according to its lower entropy. But, if multiple outputs from multiple trials were available, obtaining a valid KI might be feasible. An application with only one OWF output (such as seedloading) cannot work with RSA Key KI .
But, used as an RSA modulus, a given random number or OWF output has only a very small probability of being valid, as seen from FIG. 1. The RSA modulus is part of key generation and is created first, so RSA key generation is slow and inefficient. And worse, even if a valid modulus is found, it is very probable that it cannot be passed through a OWF without becoming an invalid modulus.
Neither is it possible to take a valid RSA modulus and work backwards through a OWF to derive the input that would calculate it. That means working backwards through a one-way function, which is computationally 2ι
infeasible, by definition. Direct use of a OWF output as an RSA modulus is completely unworkable. A conventional OWF seedload message approach therefore cannot be used, leaving us with the Information Delivery and Reuse Problem.
Obtaining a valid RSA modulus at the output of a OWF is a problem this invention solves.
Hereafter, the term "RSA key generation" or "key generation" shall include both the RSA modulus and RSA key Kl and K2 generation process, and the OWF described is assumed to have a 64 bit input and output. Fewer or more bits may be used. Additionally, check bits may be used for error correction.
RSA keys and moduli can be generated using a OWF as follows. Conventionally, random key generation is a separate process from how the valid keys generated are used. This works because DES keys are easy to generate and are valid even if subsequently passed through a OWF. But, separating key generation from seedload message creation is not possible when traditionally- generated RSA keys are used.
In accordance with the present invention, the seedload message OWF is merged into the RSA key and modulus generation process itself. This is done in three specific places in the process, resulting in the below modified RSA key and modulus generation procedure :
Step 1. Choose a (big) modulus size, like 1024 bits . Step 2. Probabilistically generate a 512 bit prime number P as follows: a) Generate 512 (= 8-64) random bits. b) Assemble each 64 bits into eight pieces or segments called Pre-P: ... Pre-P8. c) Pass Pre-Pj... Pre-P8 through a OWF to form P....P8, respectively. d) Assemble P.... P„ back into the 512 bit number P. e) Test if P is a prime number. f) If P is prime, retain P and Pre-P....Pre-P8 and go to Step 3. g) If P is not prime, discard Pre-P.... Pre-P8 and go back to Step 2a. Step 3. Repeat Step 2 for prime Q, forming Pre-
Q....Pre-Q8 in the process.
Step 4. Form the 1024 bit modulus N = P-Q.
Step 5. Form the Euler Totient = (P-l) -(Q-l).
Step 6. Randomly generate key Kl , where Kl must be relatively prime to (P-l) • (Q-l) : a) Generate 1024 random bits. b) Assemble each 64 bits into 16 numbers Pre- Kl.... Pre-Kl16 c) Pass Pre-Kl.... Pre-Kl.6 through a OWF to form K1....K116, respectively. d) Assemble Kl.... Kl16 into the 1024 bit number Kl. e) Test if Kl is relatively prime to (P-l) (Q-l) . f) If relatively prime, go to Step 7. If not, go back to Step 6a.
Step 7. Derive Key K2 from Key Kl and (P-l) • (Q-l) via Euclid's Extended Algorithm. Step 8. Discard P, Q, and (P-l) -(Q-l) (important).
Step 9. Retain the following to use in OWF message delivery & RSA encryption: a) Pre-Kl.... Pre-Kl16 b) K2 c) Pre-P....Pre-P8 d) Pre-Qx...Pre-Q8.
The above procedure of the present invention allows the generation of valid RSA keys that are the output of a OWF. The OWF is now integrated into the key generation process itself, e.g., in the creation of P, Q , and Kl .
The OWF RSA key generation procedure can be used to solve the Information Delivery and Reuse Problem as follows. The objective is to deliver the modulus N and key Kl to the receiver/decoder. Key K2 is not needed by the receiver since it will be used for message encryption only at the headend. Key Kl is used for message decryption only at a decoder.
Step 1. Generate RSA key variables Pre- Kl....Pre-Kl16, Pre-P.... Pre-P9, Pre-Q^ .. Pre-Q9, and K2 using the OWF procedure above. The OWF may have a 64 bit input and output. Step 2. Form an RSA pre-seedload message of the following form:
Unit Address + Pre-P.... Pre-P8 + Pre-Q.... Pre-Q8 + Pre-Kl....Pre-Kl16
Step 3. Send the RSA pre-seedload message to the message receiver (e.g., decoder).
Now the message receiver (e.g., decoder) does all the processing. Note that the decoder must have the OWF used in key generation above. The OWF can be provided to decoders in a decoder population using various techniques. For example, the OWF may be installed in non-volatile memory at the time the decoder is manufactured, using a smart card or the like, or downloaded via the communication network. The OWF may itself be encrypted to prevent interception and compromise.
The decoder performs the following steps to derive Kl and N for use in decrypting the encrypted video, audio or other data:
Step 1 . Process Pre-P. . . . Pre-Pβ : a) Pass Pre-P. . . . Pre-P8 through the OWF to form P . . . P • • b) Discard Pre-P. . . . Pre-PB ( important ) . c) Reassemble Pj.-.P, to form P. Step 2. Process Pre-Q.... Pre-Q8: a) Pass Pre-Qj... Pre-Q8 through the OWF to form
Q ...Qβ- b) Discard Pre-Q....Pre-Qβ (important) . c) Reassemble Qj.-.Qg to form Q. Step 3. Process P and Q: a) Multiply P and Q to form the Modulus N. b) Discard P and Q (important) . Step 4. Process Pre-Kl.... Pre-Kl16: a) Pass Pre-Kl., ... Pre-Kl16, through the OWF to form Klj-.-Kl.,, respectively b) Discard Pre-Kl.... Pre-Kl16 (important). c) Reassemble K1....K116 to form Kl .
At this point, the message receiver/decoder has the desired information, having derived it by passing RSA seedload message information through a OWF. If an attacker somehow extracts the modulus N and Key Kl , he cannot form a valid RSA pre-seedload message since, first, P and Q cannot be formed without factoring the modulus N. This is the "hard problem" that the security of RSA is based upon. Second, even given P, Q or Kl, Pre-P....Pre-P8, Pre-Q.... Pre-Q8, and Pre- Kl.... Pre-Kl16 cannot be derived due to the use of the OWF.
The invention is illustrated in the following figures.
FIG. 2 illustrates a broadband communication network with an encoder and decoder in accordance with the present invention. An encoder is shown generally at 200, while a decoder is shown generally at 260. The encoder 200 may be provided at the headend of a cable television or satellite distribution network, while the decoder 260 represents one decoder in a decoder population, e.g., at a consumer's home. The encoder 200 includes a key and modulus generator 205, and, optionally, multiplexer (MUX) 240.
The key and modulus generator 205 uses a one-way function to generate a number of pre-seed segments, Pre-P1 through Pre-P8, Pre-Qj through Pre-Q8, and Pre-K.- 1 through Pre-Kj-16. Optionally, different one-way functions can be used for the different sets of segments. For example, a first one-way function can be used with Pre-Pj through Pre-P8, (Pre-P), a second oneway function can be used with Pre-Qx through Pre-Q8, (Pre-Q) , and a third one-way function can be used with Pre-K.-l through Pre-K.-16 (Pre-K) . It is also possible to use different one-way functions for each segment within a set.
The key and modulus generator 205 uses the pre- seed data to generate the RSA key K2 , and the RSA modulus N. The encryptor 230 usds K2 and N to encrypt clear data Y, thereby providing corresponding encrypted data X. The encryptor 230 implements the RSA public key crypto system according to X=YK2 (mod N) . As mentioned, the clear data Y may comprise video, audio or other data.
Note that unencrypted data may be communicated with the encrypted data to the decoder 260 and other decoders in the network. For example, a tiered distribution service may be offered wherein all decoders are authorized to receive a basic level of programming, while only specific decoders are authorized to receive one or more levels of premium programming upon payment of additional fees . In this case, only the premium programs need be encrypted.
A control center 210, which may optionally be part of the encoder 200, can control the processing of the key and modulus generator 205. The control center 210 may optionally provide an accounting capability, e.g., by maintaining records regarding which decoders are authorized to receive the encrypted data. For example, the control center 210 may keep track of payments, billing and other relevant information.
The same pre-seed data at the key and modulus generator 205 is provided at the decoder 260, e.g., via a chip. This step generally only occurs in the manufacturing process for the decoder 260. The encrypted data X is provided to the MUX 240 for communication across a channel 250 to the decoder 260. For example, the channel 250 may comprise a cable television distribution network or a satellite distribution network that communicates with a decoder population. Other data, such as encrypted or unencrypted program and/or control data may be multiplexed with the encrypted data X at MUX 240. At the decoder 260, the transmitted data is received from the channel 250 at the demultiplexer (DEMUX) 270. The DEMUX 270 provides the encrypted data X to a decryptor 265. Other data received at the DEMUX 270 is routed as required. The pre-seed data is processed at the key and modulus generator 275, e.g., via a chip at the decoder that stores a pre-seedload message, where the pre-seed data is processed with the same one-way function used at the encoder 200 to derive the cryptographic key Kl and the modulus N. Kl and N are provided to the decryptor 265 for use in decrypting the encrypted data X to recover the clear data Y.
A control center 282 is optionally provided at the decoder 260 for controlling the processing at the key and modulus generator 275.
The clear data Y may be further processed using conventional circuitry as required. For example, if the clear data Y comprises video data, it may be necessary to perform conventional video decompression processing. Details regarding this processing are within the purview of those skilled in the art.
Note also that, while a single decoder 260 is shown in FIG. 2, typically there will be thousands of decoders in a decoder population that receive data from a single headend encoder, such as encoder 200.
FIG. 3 illustrates an encoder in accordance with the present invention. The encoder 200' includes a number of different processes which are shown individually. However, it should be appreciated that the different processes may be implemented using shared circuitry, including a common microprocessor and memory storage elements, and/or other software, firmware and/or hardware. Furthermore, these processes may generally be considered part of the key and modulus generator 205 and encryptor 230 of FIG. 2. The encoder 200' includes a central processing unit (CPU) 310 that communicates with a bus 305. A random bit generator 315 generates random bit strings using any known random data generating technique. For example, 512 bit and 1024-bit bit strings may be generated. A bit subdivider/assembler 320 may subdivide the random bit string into a number of segments. For example, eight equal segments may be used. Generally, it is desirable for each segment to have a length, such as 64 bits or more, that provides the necessary degree of security when a one-way function is used to process each segment. If the segment is too short, the level of security may be insufficient even when a one-way function is used to process the segment. However, as the length of each segment increases, the probability that a randomly generated bit string or any subset thereof will be prime or meet another desired mathematical constraint decreases, thereby increasing computing time.
Accordingly, there is a trade-off between security and computing time.
A one-way function 325 individually processes each of the bit segments from the bit subdivider/assembler 320. Any known one-way function may be used. For example, each segment may be encrypted using one or more DES keys and a feedforward hash. The segments that are processed by the one-way function 325 are then assembled into a single bit string at the bit subdivider/assembler 320. For example, when eight 64- bit segments are used, the segments may be concatenated or otherwise assembled to obtain a new 512 bit length bit string.
Optionally, random re-ordering of the segments may occur before and/or after processing by the one-way function to provide further security. Corresponding re-ordering must be used at the decoder.
The newly assembled bit string may be provided to a prime tester 345, which may implement any known prime testing technique to determine whether the processed bit string is a prime number. Moreover, even if primicity cannot be determined to a complete certainty, it is possible to achieve a desired level of confidence that the bit string is prime, e.g., 99.9999% confidence.
For example, one prime testing technique uses an algorithm called "WITNESS", discussed in Miller, G., "Reimann's Hypothesis and Tests for Primality," Proceedings of the Seventh Annual ACM Symposium on the Theory of Computing, May 1975, and Rabin, M. ,
"Probabilistic Algorithms for Primality Testing, " Journal of Number Theory, December 1980. The algorithm receives an input "n" , the number to be tested for primeness, and some integer "a", where a<n, as set forth in the following pseudo-code:
WITNESS (a, n)
1. let b.b._.. . . b0 be the binary representation of (n-1) .
2. d <- 1 3. for i <— k downto 0
4. do x r- d
5. d <— (d x d) mod n
6. if d = 1 and x ≠ 1 and x ≠ n - 1 7. then return TRUE
8. if b. = 1
9. then d <— (d x a) mod n
10. if d . 1
11. then return TRUE 12. return FALSE
If TRUE is returned, then "n" is definitely not prime. If FALSE is returned, then "n" may be prime.
Moreover, as discussed in Cormen, T., Leiserson, C. and Rivest, R., Introduction to Algorithms, Cambridge, Mass., MIT Press, 1990, WITNESS may be invoked repeatedly using randomly chosen values for "a". If at any point, TRUE is returned, "n" is not prime. If FALSE is returned "s" times in succession, then the probability that "n" is prime is at least 1- 2"s. Thus, for a sufficiently large value of "s", a corresponding confidence level that that "n" is prime can be established.
Specifically, two 512-bit bit strings, P and Q, may be tested by the prime tester 345. Once the bit strings P and Q have been found to be sufficiently prime, they are provided to a modulus calculator 350 to form the RSA modulus N=P-Q. Note that any function that tests for any mathematical constraint (not limited to primicity) may be used in accordance with the present invention.
Additionally, an Euler's Totient function 355 is used to form the product φ= (P-l) • (Q-l) . Euler's
Totient represents the number of positive integers less than N and relatively prime to N. Once φ is determined, Euclid's (Basic) Algorithm is performed at function 360 to form the greatest common divisor (GCD) of Kl and φ, as explained further in connection with
FIGs 4(a) and 4 (b) . A positive integer C is the GCD of two integers A and B if C is a divisor of A and B, and any divisor of A and B is a divisor of C.
Euclid's Extended Algorithm is performed at function 365 to obtain the key K2.
K2 and N are used by an encryptor 230 to encrypt data X=YK2 (mod N) . The CPU 310 and memory 340 may be used to control the other functions and provide intermediate and/or final storage of data as required. Additionally, the data to be encrypted at the encryptor 230 may be provided via the bus 305 or by other means.
FIG. 4(a) illustrates the first part of an encoding method in accordance with the present invention. At block 400, a random bit string, e.g., having a length of 512 bits, is generated. At block 405, the bits are assembled into a number of pre-seed subsets, Pre-Pj through Pre-P8. For example, eight subsets, each having a length of 64 bits may be used. At block 410, each of the subsets is processed with a one-way function to obtain corresponding subsets Px through P8. Since a one-way function is used, it is essentially impossible to derive the pre-seed subsets Pre-Pj through Pre-P8 from the subsets Px through P8, respectively. At block 415, the processed subsets Pα through P8 are assembled to form the 512 bit length bit string P. At block 420, P is tested to determine if it is prime to a sufficient degree of confidence. If not, the process is repeated at block 400, and the pre-seed data is discarded. If so, processing continues at block 455.
A corresponding bit string Q is derived at blocks 430, 435, 440, and 445, which correspond to blocks 400, 405, 410, and 415, respectively. Specifically, at block 430, another 512 bit random bit string is generated. At block 435, the bit string is assembled into subsets Pre-Q1 through Pre-Qθ . At block 440, Pre- Qj through Pre-Q8 are processed with a one-way function to obtain the corresponding processed subsets Q: through Q8, respectively. At block 445, Q1 through Q8 are assembled to form the 512-bit bit string Q.
At block 450, corresponding to block 420, a determination is made as to whether Q is prime to a sufficient degree of confidence. If not, the process is repeated at block 430, and the pre-seed data is discarded. If so, processing continues at block 455.
Alternatively, testing for any desired mathematical constraint may be performed at blocks 420 and 450. At block 455, the RSA modulus N=P-Q is formed, and at block 460, Euler's Totient φ= (P-l) • (Q-l) is formed. At block 465, processing continues at block A of FIG. 4 (b) . Note that the one-way functions used in blocks 410 and 440 may be the same; however, this is not required. Moreover, it is even possible to process each subset with a different one-way function, and/or to use two or more one-way functions to process a single subset or complete bit string. Other variations, including the use of additional, conventional encryption steps, will be apparent to those skilled in the art.
FIG. 4(b) illustrates the second part of the encoding method of FIG. 4(a) in accordance with the present invention. Processing continues at block 500. At block 505, a random bit string having a length, e.g., of 1024 bits, is generated. At block 510, the bit string is subdivided into sixteen pre-seed subsets Pre-K.-l through Pre-K.-16, each having a length of 64 bits. At block 515, each 64-bit subset is processed with a one-way function to obtain corresponding processed subsets K.-l through K.-16. The one-way function used at block 515 may the same as, or different than, the one-way functions used at blocks 410 and 440 of FIG. 4(a). At block 520, the processed subsets Kl-1 through Kl-16 are assembled to form the RSA key Kl .
At block 525, a determination is made as to whether Kl is relatively prime to φ ("PHI") with a sufficient degree of confidence. Kl is relatively prime to φ when Euclid's Basic algorithm indicates that GCD(Kl,φ)=l. If GCD(Kl,φ)≠l, the processing is repeated beginning at block 505, and the pre-seed data is discarded. If GCD(Kl,φ)=l, processing continues at block 530, where Euclid's Extended Algorithm is used to form the RSA key K2=K1 "1modφ.
At block 535, a message Y is encrypted under K2 and N to form the cipher text X=YK2- (mod N) . At block 540, P, Q and φ are discarded. This step is important since an attacker may be able to obtain this information if it is stored in memory. Finally, at block 550, the encrypted message X is transmitted to the decoder population. Note that the pre-seed segments Pre-Px through
Pre-P8, Pre-Qx through Pre-Qβ, and Pre-K.-l through Pre- K.-16 are also provided to the decoder population, e.g., via chips. This step generally occurs independently of the previous steps, which involve processing at an encoder.
Preferably, the pre-seed data for the three bit strings P, Q and Kl is provided to the decoders. However, it is possible to implement the invention by providing the pre-seed data for less than all three of the bit strings to the decoders. The security of the system is still improved since the burden placed on an attacker is increased.
FIG. 5 illustrates a decoder in accordance with the present invention. The decoder 600 includes a CPU 602 that communicates with a bus 605. A bit subdivider/assembler 610, one-way function 615, memory 620, and modulus calculator 625, correspond generally to the liked-named elements of the encoder 200' of FIG. 3.
The pre-seed segments that are provided to the decoder 600, e.g., via a chip, are processed by the one-way function 615 to obtain the corresponding processed segments. Next, the bit subdivider/assembler 610 assembles the respective processed segments to form P, Q and Kl . The RSA modulus N is calculated at function 625. At the decryptor 265, Kl and N are used to decrypt the received encrypted data X to recover the clear text Y=XK1 (mod N) . The CPU 602 and memory 620 may be used to control the other decoder functions and provide intermediate and final data storage as required. Moreover, each of the decoder elements may be implemented in separate and/or shared components, including software, firmware and/or hardware.
FIG. 6 illustrates a decoding method in accordance with the present invention. The respective pre-seed segments that were used at the encoder are also available at the decoder, e.g., from a chip, smart card or the like.
At block 705, the pre-seed segments Pre-Px through Pre-Pβ are processed with a one-way function to obtain the corresponding processed segments P. through P8. This is the same one-way function used at block 410 of FIG. 4(a). At block 710, the processed segments P. through Pβ are assembled to form P. Similarly, at block 715, the pre-seed segments Pre-Q1 through Pre-Q8 are processed with a one-way function to obtain the processed segments Q1 through Q8, respectively. This is the same one-way function used at block 440 of FIG.
4(a) . At block 720, the processed segments Q. through Q8 are assembled to form Q. At block 725, the modulus N = P-Q is formed.
At block 730, the pre-seed segments Pre-K. -1 through Pre-Kx-16 are processed with a one-way function to obtain the processed segments K:-l through K.-16, respectively. This is the same one-way function used at block 515 of FIG. 4(b). At block 732, Pre-K.-l through Pre-Kx-16 are discarded. At block 735, the processed segments K.-l through K.-16 are assembled to form the RSA key Kl . Finally, at block 740, the encrypted data X is decrypted under Kl and N to obtain Y=XK1 (mod N) .
As mentioned, it is possible to use different one- way functions at the encoder in processing the different segments and/or complete bit strings. Accordingly, the same corresponding one-way function or functions should be used at the decoder to obtain the original segments and bit strings. Additionally, it is possible to use more than one one-way function serially in processing a given bit string. Moreover, other known encryption techniques may be used in conjunction with the present invention.
Accordingly, it can be seen that the present invention provides a method and apparatus for generating a mathematically constrained key, such as an RSA cryptographic key and modulus using a one-way function and testing for the mathematically constrained condition, such as primicity. In one embodiment, the invention achieves the security benefits of both the RSA system and one or more one-way functions. The invention is particularly suitable for use with access- controlled broadband communication networks in which pre-seed data is provided to specific decoders on the network.
In an illustrated embodiment, pre-seed data is processed at an encoder, such as a headend, using a one-way function and tested to determine if it is prime. If so, two prime numbers P and Q are thusly obtained and used to form an RSA modulus N and cryptographic key K2. Data Y, such as video, audio or other data in a cable or satellite television network, is encrypted to obtain the encrypted data X=YK2(mod N) , and transmitted over the network to a decoder population.
During the manufacturing process or at the time of installation, decoders receive the pre-seed data, e.g., via local chips, which is processed at the decoders using the same one-way function used during the key generation processto obtain the modulus N and the RSA key Kl . Kl is derived from K2 using Euclid's Extended Algorithm.
The encrypted data X is decrypted to recover the clear data Y=XK1(mod N) . Preferably, the pre-seed data is obtained by subdividing a random bit string into several segments, then independently processing each segment with the one-way function to obtain corresponding processed segments. The processed segments are assembled to obtain a processed bit string which is tested for primicity. The bit string is used if it is found to be prime to a sufficient confidence level. Otherwise, successive iterations are performed until an acceptable bit string is obtained. Moreover, the bit string segments are selected to be long enough to provide adequate security, yet short enough to avoid excessive computing time due to multiple iterations to obtain a prime bit string.
Although the invention has been described in connection with various specific embodiments, those skilled in the art will appreciate that numerous adaptations and modifications may be made thereto without departing from the spirit and scope of the invention as set forth in the claims.
For example, while the invention was discussed in connection with a cable or satellite television broadband communication networks, it will be appreciated that other networks such as local area networks (LANs) , metropolitan area networks (MANs) , wide area networks (WANs), internets, intranets, and the Internet may be used.
Moreover, it should be appreciated that the bit string lengths and number of segments per bit string used in the illustrations are examples only. Generally, the only requirement in this regard is that the minimum bit string length for a segment that is processed by a one-way function is sufficiently large, e.g., 56 or 64 bits, to maintain a high level of security.
Furthermore, processing of multiple bit string segments, e.g., with the one-way functions, may be implemented at the key generator during manufacture and/or at the decoder either serially, or concurrently in a parallel processing scheme.
Additionally, although preferably each of P, Q and Kl are processed with one-way functions, this is not required. For example, security benefits will still be achieved if only one or more of P, Q and Kl are processed with one or more one-way functions.
Moreover while processing was discussed in terms of generating bit strings and bits, it is understood that the values generated can be expressed in any numerical base including, e.g., decimal and hexadecimal .

Claims

What is claimed is:
1. A method for generating a cryptographic key, K2 , comprising the steps of:
(a) generating a first set of values;
(b) processing at least a portion of said first set of values with a first one-way function to obtain a corresponding value P;
(c) testing the value P for satisfaction of a mathematical constraint;
(d) if the value P does satisfy said mathematical constraint in said step (c), forming said cryptographic key K2 as a function of the value P; and
(e) if the value P does not satisfy said mathematical constraint in said step (c) , repeating said steps (a), (b) and (c) as necessary to obtain a value P that satisfies said mathematical constraint in said step (c) , and forming said cryptographic key K2 as a function of the value P.
2. The method of claim 1, wherein: at least one of the first set of values is randomly generated.
3. The method of claim 1, wherein: the key K2 is a Rivest, Shamir, and Adleman (RSA) key.
4. The method of claim 1, wherein: said mathematical constraint is associated with an Elliptic Curve Cryptosystem.
5. The method of claim 1, comprising the further steps of:
(f) encrypting a message Y to form an encrypted message X as a function of the key K2 ;
(g) transmitting said encrypted message X to a decoder in a decoder population via a broadband communication network; and
(h) providing the decoder with data for use in decrypting said encrypted message X.
6. The method of claim 1, wherein: said step (b) comprises the step of processing at least a portion of the first set of values with said first one-way function to obtain a corresponding first set of processed values.
7. The method of claim 6, wherein said step (b) comprises the further step of: assembling said first set of processed values to form said value P.
8. The method of claim 1, wherein: said mathematical constraint is primicity at a desired primicity confidence level.
9. The method of claim 8, comprising the further steps of: (f) generating a second value Q from a second set of values;
(g) forming φ= (P-l) • (Q-l) ;
(h) generating a third set of values;
(i) processing at least a portion of said third set of values with a one-way function thereof to obtain a corresponding value Kl;
(j) testing the value Kl for relative primicity to φ; and
(k) if the value Kl is not found to be relatively prime to φ in said step (j), repeating said steps (h) , (i) and (j) as necessary to obtain a value Kl that is relatively prime to φ.
10. The method of claim 9, wherein: said step (i) comprises the step of processing at least a portion of the third set of values with said one-way function thereof.
11. The method of claim 9, wherein: said step (j) determines that the value Kl is relatively prime to φ when a greatest common divisor of the value Kl and φ is one.
12. The method of claim 9, wherein: at least a portion of the second set of values is randomly generated.
13. The method of claim 9, wherein: the second value Q is generated in said step (f) by processing at least a portion of the second set of values with a one-way function thereof.
14. The method of claim 9, wherein: at least a portion of the third set of values is randomly generated.
15. The method of claim 9, comprising the further steps of:
(1) forming a modulus N=PxQ; and
(m) forming an encrypted message X by encrypting a message Y as a function of the key K2 and the modulus N.
16. The method of claim 15, wherein: said step (m) comprises the step of encrypting said message Y to form the encrypted message X=YK2 (mod N) .
17. A method for decoding an encrypted message X at a decoder, comprising the steps of:
(a) processing at least a portion of a first set of values with a first one-way function to obtain a corresponding first set of processed values;
(b) forming a value P from said first set of processed values;
(c) generating a cryptographic key Kl from a second set of values; and (d) decrypting the encrypted message X as a function of said cryptographic key Kl and said value P; wherein :
(i) said encrypted message X is encrypted at an encoder as a function of a cryptographic key K2 , (ii) the key K2 is generated at the encoder from values including a third set of values, and (iii) at least a portion of the third set of values is processed with a first one-way function thereof corresponding to said first one-way function of said step (a) to obtain a corresponding third set of processed values which satisfy a mathematical constraint.
18. The method of claim 17, wherein: at least one of the second set of values is randomly generated.
19. The method of claim 17, wherein: the key Kl is a Rivest, Shamir, and Adleman (RSA) key.
20. The method of claim 17, wherein: said mathematical constraint is associated with an Elliptic Curve Cryptosystem.
21. The method of claim 17, wherein: said encrypted message X is transmitted from the encoder to a decoder population including said decoder via a broadband communication network.
22. The method of claim 17, wherein: at least one of the first set of values is randomly generated.
23. The method of claim 17, wherein: at least one of the third set of values is randomly generated.
24. The method of claim 17, wherein: said mathematical constraint is primicity at a desired primicity confidence level.
25. The method of claim 17, wherein said step (b) comprises the further step of: assembling said first set of processed values to form said value P.
26. The method of claim 17, wherein: said step (c) comprises the step of processing at least a portion of said second set of values with a one-way function thereof to obtain a corresponding second set of processed values .
27. The method of claim 26, wherein said step (d) comprises the step of: assembling said second set of processed values to form the key Kl .
28. The method of claim 17, comprising the further steps of: (d) providing a fourth set of values;
(e) processing at least a portion of said fourth set of values with a one-way function thereof to obtain a corresponding value Q; and
(f) forming a modulus N=PxQ for use in decrypting the encrypted message X.
29. The method of claim 28, wherein: the fourth set of values are the same as the third set of values.
30. The method of claim 28, wherein:
K2 and Kl are related by K2=K1 "1 mod φ, where φ=(P- l)x(Q-l) -
31. The method of claim 28, wherein at least a portion of the fourth set of values is randomly generated.
32. The method of claim 28, wherein said encrypted message X is formed from a message Y at the encoder according to: X=YK2 (mod N) , comprising the further step of:
(g) decrypting the encrypted message X using said cryptographic key Kl and said modulus N to obtain said message Y according to: Xκl(mod N) .
33. An encoder method for generating a cryptographic key, K2 , comprising: means for generating a first set of values; means for processing at least a portion of said first set of values with a first one-way function to obtain a corresponding value P; means for testing the value P for satisfaction of a mathematical constraint; and means for forming said cryptographic key K2 as a function of the value P if the value P does satisfy said mathematical constraint; wherein if the value P does not satisfy said mathematical constraint, said generating means generates a new first set of values, said processing means processes the new first set of values, and said testing means tests the new value P for satisfaction of the mathematical constraint until the value P satisfies said mathematical constraint, and said forming means is adapted to form said cryptographic key K2 as a function of the value P.
34. A decoder for decoding an encrypted message X, comprising: means for generating a first set of values; means for processing at least a portion of said first set of values with a first one-way function to obtain a corresponding first set of processed values; means for forming a value P from said first set of processed values; means for generating a cryptographic key Kl from a second set of values; and means for decrypting the encrypted message X as a function of said cryptographic key Kl and said value P; wherein:
(i) said encrypted message X is encrypted at an encoder as a function of a cryptographic key K2 , (ii) the key K2 is generated at the encoder from a set of values thereof, and (iii) at least a portion of the set of values of the key K2 are processed with a first oneway function thereof corresponding to said first oneway function of said step (b) to obtain corresponding set of processed values which satisfy a mathematical constraint .
PCT/US2000/032126 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function WO2001047178A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
EP00993073A EP1234404B1 (en) 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function
DE60025401T DE60025401T2 (en) 1999-11-29 2000-11-22 GENERATION OF A MATHEMATICALLY RESTRICTED KEY USING AN ONE-WAY FUNCTION
KR1020027006826A KR20020060243A (en) 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function
CA002392077A CA2392077A1 (en) 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function
AU50742/01A AU5074201A (en) 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US45019499A 1999-11-29 1999-11-29
US09/450,194 1999-11-29

Publications (2)

Publication Number Publication Date
WO2001047178A2 true WO2001047178A2 (en) 2001-06-28
WO2001047178A3 WO2001047178A3 (en) 2002-04-25

Family

ID=23787154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/032126 WO2001047178A2 (en) 1999-11-29 2000-11-22 Generation of a mathematically constrained key using a one-way function

Country Status (10)

Country Link
US (1) US20040234074A1 (en)
EP (1) EP1234404B1 (en)
KR (1) KR20020060243A (en)
CN (1) CN1402920A (en)
AT (1) ATE315292T1 (en)
AU (1) AU5074201A (en)
CA (1) CA2392077A1 (en)
DE (1) DE60025401T2 (en)
TW (1) TW548940B (en)
WO (1) WO2001047178A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7170997B2 (en) 2000-12-07 2007-01-30 Cryptico A/S Method of generating pseudo-random numbers in an electronic device, and a method of encrypting and decrypting electronic data

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8068516B1 (en) * 2003-06-17 2011-11-29 Bigband Networks, Inc. Method and system for exchanging media and data between multiple clients and a central entity
KR100667757B1 (en) * 2004-07-07 2007-01-11 삼성전자주식회사 Method for self-enforcing and Method for transming and receiving Contents using the same
FR2879866B1 (en) * 2004-12-22 2007-07-20 Sagem METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION
DE102005030657B3 (en) * 2005-06-30 2006-11-16 Siemens Ag Meter, e.g. odometer, coding method, for securing meter reading, involves determining newly coded meter reading by using forward linked one-way function of reading, where display area of function is included in function prototype area
US7814320B2 (en) * 2005-07-19 2010-10-12 Ntt Docomo, Inc. Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
KR101285597B1 (en) * 2006-06-29 2013-07-15 삼성전자주식회사 Method of updating group key and group key update device using the same
US8595273B2 (en) * 2007-01-24 2013-11-26 International Business Machines Corporation Hash algorithm using randomization function
US8060750B2 (en) * 2007-06-29 2011-11-15 Emc Corporation Secure seed provisioning
US8307210B1 (en) 2008-05-02 2012-11-06 Emc Corporation Method and apparatus for secure validation of tokens
DE102008002588B4 (en) * 2008-05-15 2010-06-02 Compugroup Holding Ag A method for generating an asymmetric cryptographic key pair and its application
US7522723B1 (en) 2008-05-29 2009-04-21 Cheman Shaik Password self encryption method and system and encryption by keys generated from personal secret information
US8954696B2 (en) 2008-06-24 2015-02-10 Nagravision S.A. Secure memory management system and method
ATE532143T1 (en) * 2008-06-24 2011-11-15 Nagravision Sa SECURE STORAGE MANAGEMENT SYSTEM AND METHOD
FR2941115B1 (en) * 2009-01-14 2011-02-25 Sagem Securite CODING POINTS OF AN ELLIPTICAL CURVE
US20120032816A1 (en) * 2010-08-06 2012-02-09 Cho Jeffrey C System And Method For Controlling Sport Event Transducers
US9432342B1 (en) * 2011-03-08 2016-08-30 Ciphercloud, Inc. System and method to anonymize data transmitted to a destination computing device
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
CN108055128B (en) * 2017-12-18 2021-11-19 数安时代科技股份有限公司 RSA key generation method, RSA key generation device, storage medium and computer equipment
CN113127911B (en) * 2021-05-06 2022-05-20 国网河北省电力有限公司信息通信分公司 Electric power data encryption method and device and terminal

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0534420A2 (en) * 1991-09-27 1993-03-31 International Business Machines Corporation A method for generating public and private key pairs using a passphrase

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4405829A (en) * 1977-12-14 1983-09-20 Massachusetts Institute Of Technology Cryptographic communications system and method
US5241599A (en) * 1991-10-02 1993-08-31 At&T Bell Laboratories Cryptographic protocol for secure communications
US5488412A (en) * 1994-03-31 1996-01-30 At&T Corp. Customer premises equipment receives high-speed downstream data over a cable television system and transmits lower speed upstream signaling on a separate channel
US5515307A (en) * 1994-08-04 1996-05-07 Bell Communications Research, Inc. Pseudo-random generator
US5602917A (en) * 1994-12-30 1997-02-11 Lucent Technologies Inc. Method for secure session key generation
AU5266596A (en) * 1995-04-21 1996-11-07 Certicom Corp. Method for signature and session key generation
US5675649A (en) * 1995-11-30 1997-10-07 Electronic Data Systems Corporation Process for cryptographic key generation and safekeeping
US5937066A (en) * 1996-10-02 1999-08-10 International Business Machines Corporation Two-phase cryptographic key recovery system
US5809140A (en) * 1996-10-15 1998-09-15 Bell Communications Research, Inc. Session key distribution using smart cards
US5953420A (en) * 1996-10-25 1999-09-14 International Business Machines Corporation Method and apparatus for establishing an authenticated shared secret value between a pair of users
US6304658B1 (en) * 1998-01-02 2001-10-16 Cryptography Research, Inc. Leak-resistant cryptographic method and apparatus

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0534420A2 (en) * 1991-09-27 1993-03-31 International Business Machines Corporation A method for generating public and private key pairs using a passphrase

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"LOOK-AHEAD PROCESSING FOR HIGH SPEED RSA CRYPTOGRAPHIC KEY PAIR GENERATION" IBM TECHNICAL DISCLOSURE BULLETIN, IBM CORP. NEW YORK, US, vol. 37, no. 1, 1994, pages 115-118, XP000428715 ISSN: 0018-8689 *
MENEZES, OORSCHOT, VANSTONE: "HANDBOOK OF APPLIED CRYPTOGRAPHY" HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC PRESS SERIES ON DISCRETE MATHEMATICES AND ITS APPLICATIONS, BOCA RATON, FL, CRC PRESS, US, 1997, XP002178884 ISBN: 0-8493-8523-7 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7170997B2 (en) 2000-12-07 2007-01-30 Cryptico A/S Method of generating pseudo-random numbers in an electronic device, and a method of encrypting and decrypting electronic data

Also Published As

Publication number Publication date
KR20020060243A (en) 2002-07-16
CN1402920A (en) 2003-03-12
AU5074201A (en) 2001-07-03
DE60025401D1 (en) 2006-03-30
EP1234404B1 (en) 2006-01-04
US20040234074A1 (en) 2004-11-25
EP1234404A2 (en) 2002-08-28
CA2392077A1 (en) 2001-06-28
DE60025401T2 (en) 2006-09-14
ATE315292T1 (en) 2006-02-15
TW548940B (en) 2003-08-21
WO2001047178A3 (en) 2002-04-25

Similar Documents

Publication Publication Date Title
EP1234404B1 (en) Generation of a mathematically constrained key using a one-way function
US9973334B2 (en) Homomorphically-created symmetric key
US5708714A (en) Method for sharing secret information and performing certification in a communication system that has a plurality of information processing apparatuses
US5974144A (en) System for encryption of partitioned data blocks utilizing public key methods and random numbers
US6934389B2 (en) Method and apparatus for providing bus-encrypted copy protection key to an unsecured bus
US7200752B2 (en) Threshold cryptography scheme for message authentication systems
US6550008B1 (en) Protection of information transmitted over communications channels
EP1155527B1 (en) Protecting information in a system
Struik et al. The Rao-Nam scheme is insecure against a chosen-plaintext attack
US9762560B2 (en) Method for generating cryptographic “one-time pads” and keys for secure network communications
CN112602288B (en) Method for obtaining a sequence of encryption keys
JP2004515160A (en) Threshold encryption method and system for message authentication system
JP2007507940A (en) Portable safety module pairing
JP4758110B2 (en) Communication system, encryption apparatus, key generation apparatus, key generation method, restoration apparatus, communication method, encryption method, encryption restoration method
US7415110B1 (en) Method and apparatus for the generation of cryptographic keys
EP2225846B1 (en) Method to generate a private key in a Boneh-Franklin scheme
US8306220B2 (en) Method to generate a private key in a boneh-franklin scheme
JP3610106B2 (en) Authentication method in a communication system having a plurality of devices
US20120263296A1 (en) Private key compression
CN111200602B (en) Rights-sharing management method, encryption card, administrator lock and cipher machine
JP4171346B2 (en) Content distribution system and content distribution method
WO2014154236A1 (en) Obtaining or providing key data
Chattopadhyay et al. A verifiable and cheating-resistant secret sharing scheme
CN117221878A (en) Information security control method and device based on wireless network equipment
JP2001237822A (en) Key deposition system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2392077

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 008163456

Country of ref document: CN

Ref document number: 1020027006826

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 2000993073

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020027006826

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 2000993073

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWG Wipo information: grant in national office

Ref document number: 2000993073

Country of ref document: EP