WO2001050675A2 - Secure and linear public-key cryptographic system based on a parity-check error-correcting code - Google Patents

Secure and linear public-key cryptographic system based on a parity-check error-correcting code

Info

Publication number: WO2001050675A2
Authority: WO, WIPO (PCT)
Prior art keywords: key, vector, public, private, message
Application number: PCT/IL2000/000865
Other languages: English (en)
Other versions: WO2001050675A3 (fr)
Inventors: Eran Kanter, Ido Kanter
Original Assignee: Bar-Ilan University
Priority claimed from IL13730900A external-priority patent/IL137309A0/xx
Priority claimed from IL139186A external-priority patent/IL139186A/en
Application filed by Bar-Ilan University
Priority to AU20228/01A priority patent/AU2022801A/en
Priority to US10/169,468 priority patent/US20030223579A1/en
Publication of WO2001050675A2 publication patent/WO2001050675A2/fr
Publication of WO2001050675A3 publication patent/WO2001050675A3/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/304 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, based on error correction codes, e.g. McEliece
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • H04L2209/20 Manipulating the length of blocks of bits, e.g. padding or block truncation
    • H04L2209/30 Compression, e.g. Merkle-Damgard construction

Definitions

  • the present invention relates to cryptographic methods based on error-correcting codes. More particularly, the invention relates to a method and apparatus for encryption/decryption, digital signature, authentication, and other tasks of the secured channel, exemplified by Gallager-type parity-check error-correcting codes.
  • Cryptography is a type of transformation applied to transmitted information in order to conceal its meaning (ciphering) and prevent unauthorized entities from revealing the transmission content.
  • cryptosystems are widely used in applications in which a strong demand exists for high security, and wherein transmission authentication and its source identification must be guaranteed.
  • the parties that are involved agree on a ciphering algorithm or on a cryptographic key (that is actually utilized to perform the encryption).
  • the algorithm or the cryptographic keys are utilized to encrypt the information prior to its transmission on the transmitting side, and later for decrypting the received transmission on the receiving side. Decryption is utilized to reveal the transmitted information, and therefore it is knowledge that should be in the possession of an authorized party only.
  • cryptosystems provide means for concealing the content of the transmitted information (usually plaintext) from unauthorized parties, who may eavesdrop on the communication channel, or accidentally receive the encrypted transmission.
  • the ciphering methods are specially designed so that performing decryption without knowledge of the ciphering algorithm or the cryptographic private key is very difficult, most likely impossible.
  • Public-key cryptography provides the means to establish encryption and Digital Signature (DS) over an insecure communication channel with which the participating parties are communicating.
  • DS Digital Signature
  • each of the authorized parties participating is assigned a pair of cryptographic keys, a private-key and a public-key.
  • the public key is made public, meaning that it is in the possession of all the participating parties (and may ultimately become known as well to an eavesdropper or a disrupter).
  • the private key remains secret, and its knowledge must be in the possession of its owner only. Since the public key is made public, forgery of secured messages can be easily managed. This is one of the reasons for using a DS, as will be explained herein.
  • the channel security and efficiency of a public-key cryptosystem depend on many parameters, among them: (a) the complexity of determining the private key from knowledge of the public key; (b) the complexity of the encryption/decryption processes; (c) the length of the ciphertext and of the public key in comparison to the length of the plaintext.
  • To send a secured message, one should use the recipient's public key to encrypt the message prior to its transmission. Since all the participating parties share their public keys, everyone may encrypt a message intended for another individual utilizing that individual's public key. To reveal the transmitted information, the recipient decrypts the received message utilizing his private key. It is important to emphasize that the message can be decrypted only with the recipient's private key. This way, the message content may be revealed only by authorized recipients, assuming that knowledge of the private key is in their possession only.
  • Digital signature is utilized to identify the source of the transmitted message (like a signature on a check).
  • a DS is established utilizing a unique identifier of the message source.
  • the said identifier is encrypted, utilizing the sender's private key. It should be mentioned that the transmitted message is not necessarily encrypted in this case. However, it is transmitted accompanied by the message's DS.
  • the recipient is interested in guaranteeing the message source (identification) and in assuring that the message content has not been tampered with (authentication). To do so, the recipient produces a message identifier in the same way it was produced by the sender. Then, the received DS is decrypted utilizing the sender's public key, thus revealing the message identifier that was originally produced by the sender. If the two message identifiers differ, then the received message was forged, or changed after its transmission. Since only the sender has access to his private key, it is assumed that no one can forge the DS assigned to messages sent by him.
  • the information to be transmitted is usually truncated into fixed size blocks called packets.
  • When said information is sent over the Internet, for instance, it is almost always carried out utilizing different routes for the different packets.
  • an opponent may easily replace a packet or tamper with its contents.
  • the sender should seal every packet that he sends.
  • each packet is sealed with a dedicated DS prior to its transmission.
  • To detect replacement of blocks by opponents, the recipient must check the DS of each of the packets received. In this way, it is guaranteed that the content of said packet is as it was originally transmitted and that the received blocks weren't changed.
  • the public key is another number, e, that is relatively prime to (p-1)×(q-1) (i.e., they have no common factors except 1).
  • the private key, d, is another number which satisfies that (e×d-1) is divisible by (p-1)×(q-1).
  • An eavesdropper may try to decrypt the plaintext from the transmitted ciphertext and/or the DS.
  • a disrupter may try, for instance, to repeat, replace or corrupt the message during transmission. It is important to note that the ability to forge many meaningless but legally signed messages could be disastrous in the event of real-time procedures. It may take some critical time for the recipient to realize that legally signed messages are forged messages rather than noisy ones (in the case of the repeater).
  • in cryptosystems such as RSA, it is easy to forge a meaningless signed message or to repeat the transmission of the same message or of previously legally signed messages. The outcome of the transactions of a malicious repeater may be catastrophic, for instance, repeatedly sending a meaningful message like one saying "withdraw $10,000,000 from my account".
  • since the RSA cryptosystem is based on the difficulty of factorizing large integers, it is computationally infeasible to determine the private key d given the public key e. Hence the public key, e, can be made public. However, the computational effort involved in the encryption and the decryption is relatively large. In terms of asymptotic efficiency, the
  • BSC Binary Symmetric Channel
  • ECC Error Correcting Code
  • Private noise a noise known only to one side of the channel.
  • the noise added to the ciphertext is a private noise of the sender.
  • the noise added to the public key is a private noise of the recipient.
  • Diagonal block matrix a matrix in which all the non-zero elements are in square sub-matrices located along its diagonal.
  • noisy plaintext a plaintext with additional noise added prior to encoding or encryption. This noise is correlated with the noise added after the encryption, and optionally with previous data and noise.
  • the invention is directed to a method for secure public-key cryptography employing a parity-check error-correcting code and noise signals, comprising: a) creating a communication channel; b) providing a set of private cryptographic keys which are assigned to each of the entities utilizing said secure public-key cryptography, wherein each of said private cryptographic keys may be accessed only by the entity it was assigned to; c) providing a set of public cryptographic keys assigned to entities utilizing said secure public-key cryptography; and d) providing a set of random private noise signals, or generating the same using a random private noise signal generator; the method further comprising ciphering vectors of information by adding a noise signal to the information vector before encryption and/or after the encryption.
  • a fraction of the rows of the cryptographic public-key are corrupted by randomly flipping some or all of the bits in said rows, to obtain the corrupted public-key [Ek].
  • a message "s" is encrypted utilizing the public key of the recipient, [Ek], to obtain -
  • the ciphering and the deciphering comprise: a) providing a first vector of data s of dimensions N×1; b) providing a private/public key pair for encryption, wherein said public key is the generator matrix [Ek] of an error-correcting code, and the dimensions of said generator matrix are M×N; c) generating a second vector n, wherein said second vector comprises a noise signal, and the dimensions of said second vector are M×1; d) generating a third vector n_1, of dimensions N×1, by performing permutations and bit manipulation on said second vector n, following a known procedure; e) generating a fourth vector of data s_n by the Boolean addition of said first vector s with the third vector n_1, to obtain s_n = s + n_1 (mod 2);
  • the ciphering can be carried out, for instance, utilizing the corrupted public-key [Ek].
  • the ciphering/deciphering consists of two layers, comprising: a) providing a data vector v; b) providing a set of public keys Pub_j and their corresponding private keys Pri_j; c) dividing said data vector v into a set of k_0 data vectors v_1, v_2, ..., v_k0; d) generating a vector n comprising a noise signal; e) generating a vector n_2 following a known procedure,
  • said procedure comprises permutations and bit manipulation performed on the vector n; f) selecting an ordered set of k_2 public keys Pub_f(i) from said set of public keys Pub_j, utilizing an indexing scheme f to select the f(i)-th public key of said set; g) encrypting each of the data vectors v_1, v_2, ..., v_k0 with a corresponding public key from said ordered set of k_2 public keys to obtain a vector s consisting of a set of
  • the set of private keys Pri_j and public keys Pub_j can be, for instance, RSA cryptographic keys.
  • the noise signal n_2 is utilized to guide the indexing scheme f.
  • the index of the cryptographic key is obtained from the computation of mod(n_2, k_2).
  • the ciphering and deciphering can be utilized to configure a turbo error correcting code.
  • the ciphering and deciphering are utilized to configure other types of cryptosystems or types of error correcting codes, comprising: a) ciphering the parameters and other data required to configure communication utilizing a known error correcting code or cryptographic method, said ciphering being performed as described in any one of the preferred embodiments of the invention; b) transmitting said ciphered parameters and other data to another participating party; c) decrypting said ciphered parameters and data information upon receipt, to reveal said parameters and other data; and d) initiating communications by configuring a known method according to said parameters and other data.
  • the average connectivity of the rows and/or columns of the second sparse Boolean matrix [B] is equal to or greater than 2.
  • the method can be used for producing a set of different public keys by performing permutations of the rows/columns of the sparse matrix [A] and/or the matrix [B].
  • the inverse of the sparse matrix [B] is also sparse.
  • the average connectivity of the derived public-key, [Ek] is less than 2.
  • the aforementioned method may further comprise the construction of the sparse matrices [A] and [B], comprising: a) constructing matrix [A] from groups of sparse rows, where the number of non-zero elements in the rows belonging to a specific group of said groups is fixed and predefined; and b) constructing matrix [B] from linearly independent sparse rows, where each of said rows belongs to a group of sparse rows, and where the number of non-zero elements in the rows belonging to a specific group of said groups is fixed and predefined.
  • the method further comprises performing permutations in the order of the sparse matrices rows, [A] and [B], where said permutations may be performed arbitrarily to obtain new sparse matrices.
  • the invention in another aspect relates to a method which further comprises constructing a time-dependent cryptographic key scheme, wherein the time-dependent components of each transmission, the private noise signal and/or the transmitted information, are utilized to choose the cryptographic key of the next transmission.
  • the same noise signal is utilized for ciphering a set of data blocks.
  • the ciphering and deciphering comprise: a) providing a vector of data; b) dividing said vector of data into an ordered set of blocks of the same length; c) ciphering the first block of said ordered set of blocks utilizing a noise signal and a public key, as described above; d) ciphering all other blocks of said ordered set of blocks, apart from said first block, by adding said noise signal to each of said other blocks, thereby obtaining a set of ciphered blocks from said set of ordered blocks; e) upon deciphering said set of ciphered blocks: e.1) deciphering the first block of said set of ciphered blocks utilizing the private key, thereby revealing the content of said first block and said noise signal; and e.2) deciphering all the other ciphered blocks of said set of ciphered blocks, apart from said first block, by subtracting said noise signal from each of said other cip
  • the ciphering and deciphering comprise: a) providing a vector of data; b) dividing said vector of data into an ordered set of blocks of the same length; c) ciphering the first block of said ordered set of blocks utilizing a noise signal and a public key, as described above; d) ciphering all other blocks of said ordered set of blocks, apart from said first block, by the following steps: d.1) encrypting each block by performing vector and matrix multiplication of each block by an invertible matrix [E_1]; d.2) adding said noise signal to each of said encrypted blocks, thereby obtaining a set of ciphered blocks from said set of ordered blocks; e) upon deciphering said set of ciphered blocks: e.1) deciphering the first block of said set of ciphered blocks utilizing the private key, thereby revealing the content of said first block and said noise signal; and e.2) deciphering all the other
  • the ciphering rate is enhanced to one.
  • the ciphering and deciphering can be utilized to conceal the information stored on a storage device to allow the access to the information stored on said storage device only to entities having access to the concealing cryptographic key.
  • the cryptographic key can be stored on disk or on another type of magnetic or optical storage medium that may be accessed via a computerized system.
  • the cryptographic key can be split among a set of computer systems, connected in a network, where only a predefined number of computer systems from said set of computer systems is required in order to reconstruct said cryptographic key.
  • encryption and ciphering are utilized to improve data compression of the transmitted information by the use of private noise signals to make changes in the statistical features of the transmission, and therefore enabling better compression of the data.
  • the noise signal(s) of the first block(s) can be utilized for random selection of the communication and/or ECC parameters required for initiating communication between subscribers in cellular communication networks in which the transmitted data is concealed from any arbitrating devices in the network.
  • encryption and ciphering can be utilized to construct a communication channel utilizing time-dependent ECC or spread spectrum techniques, comprising a scheme according to which the parameters to establish said ECC or said spread spectrum code are transmitted with the first block(s), or selected in accordance with the content of the private noise signal of the previous transmission(s), thereby establishing a dynamic spread spectrum scheme or ECC encoding/decoding.
  • the coding rate can be continuously changed, according to a preferred embodiment of the invention, by utilizing a set of cryptographic keys, and choosing a different key for each transmission.
  • the private noise of previous transmission is utilized to select the cryptographic key utilized for the encryption decryption of the next transmission(s).
  • the noise signal can be obtained from a fixed set, or said noise signal is time dependent and obtained by some manipulation performed on the content of the disc or of another computer device, or alternatively, said noise signal depends on the environment, or was directly typed by the user.
  • the invention in another aspect relates to a secure channel system which is a public-key cryptosystem.
  • the secure channel system of the invention is a digital signature system.
  • the invention further provides for the hiding of the transmission utilizing Spread Spectrum techniques, comprising: a) utilizing the recipient's public key to send a ciphered message comprising the Spread Spectrum parameters that will be utilized for the transmission of the message; b) receiving said message, deciphering said message, and revealing said Spread Spectrum parameters; c) sending a message utilizing Spread Spectrum techniques modulated in accordance with said parameters; and d) receiving said message and utilizing said parameters to demodulate the received Spread Spectrum signal.
  • the parity-check error-correcting code is of the Gallager type, or any version of it such as the MN code.
  • a convolution code is utilized for the encryption process.
  • the number of operations required to perform encryption and decryption is linearly scaled to the length of the message "s".
  • the noise signal is of fixed flip rate, or each of the bits of said noise has a different flip rate, in a manner known both to the sender and the recipient.
  • the encryption comprises successive encryption of a message utilizing a predetermined set of Q public keys [Ek_j] (1 ≤ j ≤ Q) to recursively
  • the invention in another aspect relates to a method for constructing a digital signature for the ciphertext t of the message "s", comprising: a) producing a unique identifier, X(s, n_a), where said identifier is the combination of modifications made to the message "s" and the noise signal n_a that was utilized for the ciphering of said message s; b) encrypting said identifier X with the corrupted public key [Ek] to obtain the encrypted identifier; c) producing a digital signature from a combination of another noise signal and the encrypted identifier, to obtain the digital signature; d) publicizing a verification vector V constructed from a combination of said message "s" and the two noise signals, n_a and the one used in step c); e) verifying the transmission source and its integrity by the following steps: e.1) decrypting the received ciphertext t and the digital signature utilizing the decryption algorithm, and obtaining the decrypted message s' and the decrypted private noise signals
  • the invention is further directed to a method for constructing a digital signature for the ciphertext t of the message "s", comprising: a) producing a unique identifier, Vs(s, n_a), from a combination of modifications made to the message "s" and the noise signal that was utilized for the ciphering of said message s, n_a; b) permuting some of the rows of the recipient's public key following a permutation procedure to obtain a permuted public key [Ek_P]; c) encrypting said identifier, Vs, with the permuted public key [Ek_P], to obtain an encrypted signature; and d) publicizing said permutation procedure.
  • the invention also encompasses a method for constructing a digital signature for the ciphertext t of the message "s", comprising: a) producing a unique identifier V of the same dimensions as the message "s", where said identifier is the combination of modifications made to the message "s" and the noise signal n_a; b) encrypting the identifier V with the public key to obtain the digital signature [Ek]V; and c) publicizing the procedure by which said digital signature was established.
  • the identifier can be constructed, for instance, from a combination of modifications made to the message "s" and the noise signal n_a, comprising flipping non-zero elements of said identifier until a predetermined number K (or a number less than or equal to a constant K) of non-zero elements is obtained, thereby obtaining a new identifier V_n;
  • the modifications comprise permutations and/or truncations and/or pasting predefined sections of the message "s" and/or the noise signal n a into predefined locations in each other.
  • the permutation procedure according to which the public-key rows are permuted is derived from the location of non-zero elements in the message "s" and/or the content of the noise signal n_a, or by another procedure guided by the structure of "s" and/or n_a.
  • the permutation procedure according to which the public-key rows are permuted, is predefined and known to both the recipient and the sender, and therefore not required to be publicized.
  • Fig. 1 formally illustrates a method to construct sparse matrices;
  • Fig. 2 schematically illustrates a method for a secure public-key cryptosystem according to a preferred embodiment of the invention;
  • Fig. 3 is a flow chart illustrating a preferred embodiment of the invention for encryption;
  • Fig. 4 formally illustrates the different components of the resulting ciphertext in a possible embodiment of the invention;
  • Fig. 5 is a flow chart illustrating a preferred embodiment of the invention for a simple digital signature;
  • Fig. 6 is a flow chart illustrating a preferred embodiment of the invention for an advanced secure digital signature;
  • Fig. 7 schematically illustrates a method of constructing a class of sparse matrix [B];
  • Fig. 8 is a flow chart illustrating the encryption/decryption process according to a preferred embodiment of the invention;
  • Fig. 9 is a flow chart illustrating the encryption/decryption process according to another embodiment of the invention; and
  • Fig. 10 is a flow chart illustrating a digital signature procedure according to a preferred embodiment of the invention.
  • the goal of cryptography is to enable two people to communicate over an insecure channel in such a way that a potential interceptor cannot decrypt the transmitted message.
  • the plaintext (the message), s, is encrypted by the sender prior to its transmission, utilizing the recipient public key Ek.
  • the resulting ciphertext, c is sent to its destination over the channel.
  • a third party eavesdropping on the channel, cannot determine the content of the plaintext.
  • the recipient who knows the decryption key, can decrypt the ciphertext using his private key Dk and recover the plaintext.
  • the cryptosystem disclosed herein is based on an Error Correcting Code (ECC) method and exemplified by the Gallager-type MN code. More precisely, it is based on linear codes that are based on sparse matrices.
  • by saying that the code matrices [A] and [B] are sparse, it is meant that the number of non-zero elements in each of said matrices scales linearly with N.
  • sparse matrices according to the method of the invention obey a much stronger constraint.
  • Each line or row of a sparse matrix, according to the method of the invention contains a finite number of non-zero elements. This is important for parallel dynamics as well as for the time delay. It is important to note that all the operations that are involved in encryption, and almost all operation in the decryption utilizing the method of the invention, are performed utilizing modular arithmetic (mod 2).
  • the cryptosystem's public key, Ek (whose dimensions are M×N), is derived from the matrix product given by - (mod 2).
  • the cryptographic keys are utilized in a very similar way as in ECCs for encoding, and decoding.
  • each bit of the ciphertext c is derived from the parity of certain bits following the public-key matrix [Ek].
  • noise is added to the transmission by the channel.
  • the noise interference will cause part of the transmission bits to flip.
  • the average fraction of flipped bits is utilized to express the flipping rate, f (0 ≤ f ≤ 1), of said channel.
  • other communication channels, such as the Gaussian channel, and the corresponding noise signals (i.e., Gaussian noise) are also possible.
  • in the method of the invention, noise is added to a selected part of the ciphertext (or to the entire ciphertext) by the sender/receiver.
  • the invention is applicable to the BSC and other channels such as the Gaussian channel as described in "Elements of Information Theory", by T. M Cover and J. A. Thomas, (Wiley 1991).
  • To reveal the plaintext s, it is required to find a solution for s and for the noise signal n_a.
  • This may be carried out utilizing the statistics of s and n (for instance, an unbiased message for s and flip probability f for n_a), and utilizing standard methods, such as belief network decoding (also referred to as the belief algorithm herein) described in "Graphical Models for Machine Learning and Digital Communication" by B. J. Frey (MIT, Cambridge, MA, 1998). It should be clear that other standard methods, like belief revision, might also be adequate for decryption.
  • the complexities of the encryption and decryption processes scale linearly with the size of the plaintext, N.
  • those complexities can easily be reduced even further under parallel dynamics, where the decryption by the belief algorithm, for example, is carried out in parallel for each non-zero element in the matrices [A] and [B].
  • the method of the invention is based on Boolean operations between two sparse matrices and, as will be described later, it consists of many stochastic ingredients.
  • the method is applicable as a public-key cryptosystem, as well as for DSs, authentication, and other tasks of the secured channel.
  • the maximal noise probability f (for which the decryption could terminate successfully without error bits in the decrypted plaintext) is given by the maximal channel capacity, where H_2(f) is the binary entropy function given by -
  • One possible method of constructing the sparse matrices, [A] and [B], is illustrated in Fig. 1.
  • the rows of matrix [A], 110, are denoted by a_i, wherein i stands for the row number (1 ≤ i ≤ M).
  • the rows of matrix [B], 120, are denoted by b_i.
  • the notion of Hamming weight, W(v), is utilized.
  • the weight of the binary vector v, W(v), is actually the number of non-zero elements in v.
  • a fraction, p, of the rows of matrix [A], a_i (1 ≤ i ≤ p·M), 111, has 2 non-zero elements, W(a_i) = 2 (1 ≤ i ≤ p·M).
  • the non-zero elements in matrices [A] 110, and [B] 120 can be located randomly (It is found that fluctuations in the quality of the decoding process are suppressed by keeping the number of non-zero elements per column as homogenous as possible. However, it is not a condition necessary for the success of the method of the invention).
  • the method of the invention is not limited to any particular communication channel, and can be used in conjunction with any type of communication and environment, e.g., over the Internet, satellite communication, wireless communication, by modem communication, etc.
  • Fig. 2 is a flow chart illustrating the steps required to establish a secure public-key cryptosystem according to the invention.
  • In step 200 two sparse matrices are constructed: matrix [A], of dimensions M×N, and matrix [B], of dimensions M×M.
  • In step 201 the public key [Ek] is derived from the pair of sparse matrices [A] and [B]. Using sparse matrices such as those illustrated in Fig. 1 yields a public key [Ek] that is itself sparse, since [B] (and hence its inverse) is sparse.
  • In step 202 the public key [Ek] is corrupted, prior to its publication, by randomly flipping elements in a fraction p_q of the public-key rows, to obtain the corrupted version of the public key, [Ek] (this step is optional).
  • The corrupted public key is publicized together with the preferred locations for the addition of the noise bits n_a and the noise flip rate f.
  • The stochastic noise n_a is exemplified by homogeneous noise, meaning that each bit in the allowed regime is flipped with the same flip rate f. In the general scenario, however, bits can be flipped with probabilities that depend on their index: the bits of the noise signal n_a then have different flip rates f_j (1 ≤ j ≤ p·M), which makes breaking the code even more difficult.
  • The process of transmitting information over the secure public-key cryptosystem according to the method of the invention is illustrated in Fig. 3 in the form of a flow chart.
  • The process is initiated by composing the message s and fetching the private-noise fraction p and its location in the ciphertext, as publicized by the recipient.
  • The message is encrypted in step 301, utilizing the corrupted version [Ek] of the public key.
  • The process proceeds in step 302, where the sender adds his private noise n_a to a fraction p·M of the ciphertext bits.
  • The statistics of the private-noise signal are such that full recovery from the deliberately introduced errors is guaranteed, as described below.
  • In step 303 a digital signature (DS) is produced. The DS is attached to the ciphertext, or left publicized by the sender, and is utilized later by the recipient for source identification.
  • The DS is determined uniquely from the plaintext message s and/or the private noise n_a, as explained hereafter.
  • In step 304 the ciphertext t is transmitted, and the DS is either transmitted or left publicized for the recipient.
  • The encrypted message may also be transmitted without a DS, so that step 303 is optional.
  • The construction of matrix [B], 120, as illustrated in Fig. 1, provides a sparse matrix whose average column density (the number of non-zero elements per column) is less than 2.
  • The inverse matrix [B]^{-1} is also sparse, and therefore the public key obtained in step 201 (formed from [B]^{-1} and [A]) is also sparse.
  • The encryption involves the product of the sparse M×N matrix [Ek] with the plaintext s; hence its complexity scales as O(N).
  • The complexity of each step of the decryption is O(N).
  • This complexity is lower than the cubic complexity of the decryption process in the RSA cryptosystem.
  • The recipient publicizes a given fraction p of the ciphertext where the sender's private noise n_a may be added.
  • This localized private noise consists of a flip rate f applied to the given p·M bits of the ciphertext.
  • Fig. 4 formally illustrates one possible process, 400, of constructing the ciphertext and adding the private noise according to the method of the present invention.
  • The rows of the public key, 410, are denoted by e_i (1 ≤ i ≤ M).
  • The private-noise vector, 411, is a binary vector comprising (1−p)·M zero elements, while the remaining p·M elements comprise the private-noise signal n_a.
  • The corrupted rows of the public key are denoted by e'_i (1 ≤ i ≤ p_q·M). In general, the corrupted rows of the public key may coincide or overlap with the noisy bits.
  • The resulting ciphertext is then composed of frozen (non-flipped) bits 403, e_i·s ((p_q+p)·M+1 ≤ i ≤ M); randomly flipped bits 401, e'_i·s (1 ≤ i ≤ p_q·M); and bits flipped with probability f, 402, e_i·s + n_{a,i} (p_q·M+1 ≤ i ≤ (p_q+p)·M).
  • The presence of flipped bits in the ciphertext serves to increase the security of the channel, and the presence of frozen bits serves to suppress finite-size effects. Similar to Shannon's bound, one can show that for a given rate R the
  • The flip rate of the noise signal n_{a,j} (1 ≤ j ≤ p·M) can be varied from bit to bit and may depend on the bit index j, so that each noise bit n_{a,j} has a corresponding flip rate f_j (1 ≤ j ≤ p·M).
  • The sender either follows a predetermined pattern of flip rates f_j or utilizes random patterns and publicizes them.
  • The recipient utilizes this flip pattern to guide the belief algorithm when the decryption is performed, and therefore must have access to this information. To increase security, the number of non-perturbed (frozen) bits 403 in the ciphertext should preferably be less than N.
  • The number of iterations of the belief algorithm is typically about 10, for all the above-mentioned classes, where the complexity of each step of the algorithm is of the order of the number of non-zero elements in matrices [A] and [B], i.e. O(N). No long tail in the distribution of the convergence time was observed. Each iteration of the belief algorithm can be implemented in parallel over the non-zero elements of the matrices [A] and [B], such that the time complexity can be reduced to O(1).
  • Fig. 7 formally describes the construction of matrix [B] according to another embodiment of the invention, from sub-matrix blocks [B_i] along the diagonal.
  • Each sub-matrix [B_i] must be invertible, det(B_i) ≠ 0 (over GF(2)).
  • Less structured sparse invertible [B] matrices may be produced by permuting appropriate rows/columns of [B] or [B]^{-1}, to obtain a new matrix whose structure is no longer that of pure sub-matrix blocks along the diagonal.
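The constructions of Figs. 1, 2, 4 and 7 above, as an added worked example in Python that is not part of the patent. It assumes, from the statements above that [B]^{-1} is sparse and that the public key is M×N, that the public key is Ek = B^{-1}·A (mod 2) and the ciphertext is t = Ek·s ⊕ n_a; the weight-3 rows of [A], the 2×2 diagonal blocks of [B], the toy sizes and the noise region are the example's own choices. It also checks the identity the recipient relies on, B·t = A·s ⊕ B·n_a, which turns the ciphertext into a sparse parity-check system in the unknowns (s, n_a); the decoding of that system is not part of this block.

```python
"""Added example (not the patent's code): key generation and encryption for
the sparse parity-check cryptosystem of Figs. 1, 2, 4 and 7, over GF(2).
Assumed from the page: public key Ek = B^-1 . A (M x N), ciphertext
t = Ek . s (+) n_a, and the recipient's first step B . t = A . s (+) B . n_a."""
import random

def gf2_matmul(X, Y):
    """Product of 0/1 matrices (lists of rows) modulo 2."""
    cols = list(zip(*Y))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in cols] for row in X]

def gf2_matvec(X, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in X]

def gf2_inverse(Mx):
    """Gauss-Jordan inversion over GF(2); returns None if Mx is singular."""
    n = len(Mx)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(Mx)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def build_A(M, N, p_two, rng):
    """Sparse M x N matrix (Fig. 1): a fraction p_two of the rows has Hamming
    weight 2; the remaining rows get weight 3 (an assumption, the page fixes
    only the weight-2 fraction).  Non-zero columns are chosen at random."""
    rows = []
    for i in range(M):
        cols = set(rng.sample(range(N), 2 if i < round(p_two * M) else 3))
        rows.append([int(j in cols) for j in range(N)])
    return rows

# The six invertible 2 x 2 matrices over GF(2).
INVERTIBLE_2X2 = ([[1, 0], [0, 1]], [[1, 1], [0, 1]], [[1, 0], [1, 1]],
                  [[0, 1], [1, 0]], [[1, 1], [1, 0]], [[0, 1], [1, 1]])

def build_B(M, rng):
    """Sparse invertible M x M matrix (M even, Fig. 7): random invertible
    2 x 2 blocks on the diagonal, then a random row permutation so the result
    is no longer purely block-diagonal.  Its inverse is equally sparse."""
    B = [[0] * M for _ in range(M)]
    for k in range(0, M, 2):
        blk = rng.choice(INVERTIBLE_2X2)
        for r in range(2):
            B[k + r][k:k + 2] = blk[r]
    perm = list(range(M))
    rng.shuffle(perm)
    return [B[i] for i in perm]

def keygen(M, N, p_two=0.5, seed=1):
    """Private key (A, B); public key Ek = B^-1 . A mod 2 (step 201)."""
    rng = random.Random(seed)
    A, B = build_A(M, N, p_two, rng), build_B(M, rng)
    return A, B, gf2_matmul(gf2_inverse(B), A)

def corrupt_public_key(Ek, p_q, seed=0):
    """Optional step 202: flip one random element in a fraction p_q of the rows
    before publication; the recipient treats those ciphertext bits as noise."""
    rng, Ek2 = random.Random(seed), [row[:] for row in Ek]
    for i in rng.sample(range(len(Ek)), round(p_q * len(Ek))):
        Ek2[i][rng.randrange(len(Ek[0]))] ^= 1
    return Ek2

def encrypt(Ek, s, noise_positions, f, rng=None):
    """Steps 301-302: t = Ek . s (+) n_a, where n_a flips each bit of the
    published noise region with probability f and is zero (frozen) elsewhere."""
    rng = rng or random.Random()
    n_a = [int(j in noise_positions and rng.random() < f) for j in range(len(Ek))]
    return [a ^ b for a, b in zip(gf2_matvec(Ek, s), n_a)], n_a

def nonzeros(X):
    return sum(map(sum, X))

def demo(M=16, N=8, seed=1):
    """Key generation, encryption, and the identity the recipient relies on."""
    rng = random.Random(seed)
    A, B, Ek = keygen(M, N, seed=seed)
    s = [rng.randrange(2) for _ in range(N)]
    region = set(range(M // 4, 3 * M // 4))       # published noise region, p = 1/2
    t, n_a = encrypt(Ek, s, region, 0.2, rng)
    lhs = gf2_matvec(B, t)                                              # B . t
    rhs = [a ^ b for a, b in zip(gf2_matvec(A, s), gf2_matvec(B, n_a))]  # A . s (+) B . n_a
    return {"A": A, "B": B, "Ek": Ek, "s": s, "t": t, "n_a": n_a, "region": region,
            "consistent": lhs == rhs, "density": nonzeros(Ek) / (M * N)}

if __name__ == "__main__":
    d = demo()
    print("Ek density: %.2f, B.t == A.s + B.n_a: %s" % (d["density"], d["consistent"]))
```

The check `B·Ek == A` is the one to keep when generating real keys: it fails as soon as the inversion is wrong or [B] is singular, and the block-plus-permutation construction keeps both [B] and [B]^{-1} at no more than two non-zeros per row, which is what keeps [Ek] and the decoding cost linear in N.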
  • The method of the invention also works well in cases where the signal n_a is not fully decoded in the decryption process. Since this point may be crucial for applications, it should be understood that even when a few plausible noise signals are found to fit the same plaintext in the belief-algorithm decoding (especially close to saturation, i.e. near Shannon's bound), all these possible noise signals are highly correlated. Hence the combination of noise and plaintext used in the signature is satisfied for a high percentage of the bits (e.g. 93%), a criterion that is far from a random guess. The security of the channel is not altered and remains the same to leading order.
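The belief algorithm of the decryption step, as an added example that is not the patent's code: a sum-product decoder for the sparse system [A | B]·[s; n_a] = B·t, with priors 1/2 for the message bits, f_j for the noise bits in the published region (the index-dependent flip rates described above) and 0 for the frozen bits. Ek = B^{-1}·A is assumed as above. The key is a constructed toy with B = I, chosen so that the factor graph is a tree, where belief propagation is exact; the brute-force oracle included is how one checks a decoder before trusting it on a large random key, where it is only approximate and, near saturation, can return the correlated near-solutions discussed above.

```python
"""Added example (not the patent's code): the recipient's "belief algorithm",
a sum-product belief-propagation decoder for the sparse GF(2) system
[A | B] . [s ; n_a] = B . t, checked against exact enumeration on a small
cycle-free instance.  Ek = B^-1 . A is assumed, as on the page."""
from itertools import product
from math import prod

def belief_decode(H, z, prior1, iters=20):
    """Sum-product decoding of H . x = z (mod 2) in the probability domain.
    H: list of 0/1 rows, z: syndrome bits, prior1[j] = P(x_j = 1).
    Returns the posterior P(x_j = 1) of every variable (flooding schedule)."""
    m, n = len(H), len(H[0])
    vars_of = [[j for j in range(n) if H[i][j]] for i in range(m)]
    checks_of = [[i for i in range(m) if H[i][j]] for j in range(n)]
    v2c = {(i, j): prior1[j] for i in range(m) for j in vars_of[i]}  # var -> check
    c2v = {(i, j): 0.5 for i in range(m) for j in vars_of[i]}        # check -> var
    for _ in range(iters):
        for i in range(m):
            for j in vars_of[i]:
                # x_j = z_i (+) (sum of the other variables on check i);
                # P(that sum is even) = (1 + prod(1 - 2 p_k)) / 2
                p_even = (1 + prod(1 - 2 * v2c[(i, k)] for k in vars_of[i] if k != j)) / 2
                c2v[(i, j)] = p_even if z[i] else 1 - p_even
        for j in range(n):
            for i in checks_of[j]:
                p1 = prior1[j] * prod(c2v[(k, j)] for k in checks_of[j] if k != i)
                p0 = (1 - prior1[j]) * prod(1 - c2v[(k, j)] for k in checks_of[j] if k != i)
                v2c[(i, j)] = p1 / (p0 + p1) if p0 + p1 else 0.5
    post = []
    for j in range(n):
        p1 = prior1[j] * prod(c2v[(i, j)] for i in checks_of[j])
        p0 = (1 - prior1[j]) * prod(1 - c2v[(i, j)] for i in checks_of[j])
        post.append(p1 / (p0 + p1) if p0 + p1 else 0.5)
    return post

def exact_marginals(H, z, prior1):
    """Test oracle: weight every assignment consistent with H . x = z by the
    priors and sum.  Exponential in n, so only for tiny instances."""
    n = len(H[0])
    total, acc = 0.0, [0.0] * n
    for x in product((0, 1), repeat=n):
        if any((sum(h & xj for h, xj in zip(row, x)) & 1) != zi for row, zi in zip(H, z)):
            continue
        w = prod(prior1[j] if x[j] else 1 - prior1[j] for j in range(n))
        total += w
        for j in range(n):
            acc[j] += w * x[j]
    return [a / total for a in acc]

def gf2_matvec(X, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in X]

# Constructed toy key, N = 4 message bits and M = 6 ciphertext bits.  B is the
# identity so that the factor graph of H = [A | B] is a tree and BP is exact;
# a real key uses a large random sparse A and a sparse non-trivial B.
A = [[1, 0, 0, 0],
     [1, 1, 1, 0],
     [0, 0, 1, 1],
     [0, 1, 0, 0],
     [0, 0, 0, 1],
     [0, 0, 1, 0]]
M, N = len(A), len(A[0])
B = [[int(i == j) for j in range(M)] for i in range(M)]
H = [A[i] + B[i] for i in range(M)]
# Published noise region: ciphertext bits 1, 2 and 5 (0-based) with
# index-dependent flip rates f_j; all other noise bits are frozen (prior 0).
FLIP_RATE = {1: 0.3, 2: 0.1, 5: 0.2}

def decrypt(t):
    """Recipient: z = B . t, then BP with priors 1/2 for s and f_j for n_a."""
    z = gf2_matvec(B, t)
    prior1 = [0.5] * N + [FLIP_RATE.get(j, 0.0) for j in range(M)]
    post = belief_decode(H, z, prior1)
    x = [int(p > 0.5) for p in post]
    return x[:N], x[N:], post

def demo():
    s, n_a = [1, 1, 0, 1], [0, 1, 0, 0, 0, 0]           # constructed message, noise
    t = [a ^ b for a, b in zip(gf2_matvec(A, s), n_a)]   # Ek = B^-1 . A = A here
    return decrypt(t)

if __name__ == "__main__":
    s_hat, n_hat, post = demo()
    print("s' =", s_hat, " n_a' =", n_hat, " P(s_3 = 1) = %.4f" % post[2])
```

On the tree instance the posteriors agree with exhaustive enumeration to floating-point precision, and the one flipped noise bit is recovered because its flip rate (0.3) is higher than that of the competing explanation. The partially decoded noise the text discusses shows up as posteriors close to 1/2; a verifier that derives anything from n_a' should look at those margins rather than only at the thresholded bits.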
  • Fig. 5 is a flow chart illustrating the process of producing a simple DS.
  • The process is initiated in step 500, where an additional plaintext X(s, n_a) is constructed from a linear combination of the message s and/or the noise n_a.
  • Such linear combinations of s and n_a may comprise modulo-2 addition of modified versions of the signals s and n_a, where the modification may involve Boolean bit operations such as inverting a fraction of the bits, and/or permutations (such as bit rotation).
  • The length of this additional information X(s, n_a) may differ from the plaintext length (by truncation, or by pasting fractions of the vectors, e.g. adding a fraction of s into n_a).
  • The new plaintext X is encrypted to a new ciphertext c_1 utilizing [Ek].
  • A new private noise n_{a1} is added to the new ciphertext c_1 to produce the DS t_X, a corrupted encrypted version of the new plaintext X.
  • A verification vector V is publicized.
  • The verification vector is constructed by following a known procedure that also involves some linear combination, comprising Boolean bit operations and/or permutations, of the message s and the noise signals n_{a1} and n_a.
  • The verification vector V is made public and is utilized later by the recipient for receipt verification.
  • The ciphertext t and the DS t_X (alternatively t_X may be publicized) are transmitted to the recipient.
  • The sender has two options: to send t_X, or to leave t_X publicized (on his site) as the signature for message number m, for instance.
  • The verification procedure V may likewise be left publicized by the sender or transmitted over the channel. The sender may choose the same verification procedure V for all DSs; alternatively, a verification procedure V is constructed differently for each message, in order to increase security.
  • In the latter case the sender should maintain and publicize a list of verification procedures, one per message. This burden may be substantially alleviated by adopting a compact verification procedure that depends in an accumulated way on previous noises and/or plaintexts, or in general on previous stochastic ingredients.
  • The recipient receives the transmission in step 505, and in step 506 the ciphertext t and the DS t_X are decrypted.
  • The verification process, step 507, comprises a comparison between the verification parameters in V and the noise signals n_a and n_{a1} that result from the decryption. If the comparison yields a match, then the authentication of the message and the identification of the sender are guaranteed.
  • An advanced secure signature is one in which the sender first generates a vector V (of dimension N×1) from a combination of s and/or n_a following a public protocol. Next, the number of non-zero elements in V is truncated to a fixed number K following the sender's public protocol (for the rare events in which there are insufficient 1's in V, the sender provides a special procedure). For instance, this may be accomplished by flipping non-zero elements.
  • The simplest scenario is to start from the beginning of the vector V and proceed until the number of non-zero elements equals K. (It is of course easy to construct a procedure that is less spatially structured; in the above illustration the probability for a bit to be flipped in generating V is higher at the beginning of the vector.)
  • The signature [Ek]·V is left publicized by the sender. Determining V from knowledge of [Ek] and the signature (the syndrome decoding problem with prescribed weight K) is known to be NP-complete. The recipient, who knows s and n_a, can easily verify the signature. (In general the number of non-zero elements may be fixed to be at most a constant K; this problem is NP-complete as well.)
  • The rows of [Ek] that correspond to the non-zero elements in V are also truncated from [Ek].
  • A private noise signal may be added to the signature, but in that case the full public key [Ek], without any truncation, should be utilized to generate the signature.
  • Fig. 6 is a flow chart illustrating another advanced secure signature based on the public key [Ek].
  • A message identifier V_s = f(s, n_a) is produced in step 510 from a combination of s and/or n_a (f represents a function for producing the identifier).
  • The rows of the public key [Ek] are permuted to implement a permuted public key [Ek^P].
  • The permutations among the rows of [Ek] are implemented as a function of the detailed structure of s (and/or n_a). For instance, one may exchange/permute the rows corresponding to successive 1's in V_s, or apply any other permutation that is less spatially correlated.
  • The recipient knows the manner in which V_s is obtained.
  • The DS t_X is produced by encrypting the message identifier V_s with the permuted public key [Ek^P].
  • In step 513 the sender publicizes the permutation scheme that was utilized to produce the permuted public key [Ek^P].
  • These permutations can be time-dependent, like the public key [Ek], so that step 513 is only optional.
  • The ciphertext t and the DS t_X are transmitted to the recipient in step 514.
  • The transmittal of the DS t_X is optional, and the DS may be publicized instead (at the sender's site, for instance).
  • The recipient receives t and t_X (or fetches t_X if it was publicized) in step 515, and then in step 516 the message s' and the private noise n_a' are recovered by decrypting the ciphertext t utilizing the belief algorithm.
  • The recipient constructs the permuted public key [Ek^P], guided by the structure of the recovered plaintext s' (and/or the noise signal n_a') and by the permutation scheme publicized by the sender (in step 513).
  • The recipient produces a message identifier V_s' following the public protocol and utilizing the recovered information s' and n_a'.
  • In step 519 the identifier V_s' is encrypted to establish the recipient's version of the DS, t_X'.
  • In step 520 a verification process is carried out, in which the two encrypted DSs, t_X and t_X', are compared. If t_X and t_X' are identical, the verification is completed successfully, assuring source identification. If the DSs differ slightly, as noted above, it is sufficient for a high percentage of the bits of t_X and t_X' to agree. In this way a more reliable procedure is obtained, especially in cases where the belief algorithm failed to recover the noise exactly.
  • The same plaintext transmitted to different addresses or at different times is characterized by different signatures. With this method an on-line encryption system is dynamically constructed: the resulting DS is always different, even when produced several times for the same message s.
  • Since a potential eavesdropper does not know s, n_a or the permuted key [Ek^P] (which depends on the plaintext), the task of disrupting the transmission is very difficult. In general, one can make the situation even more complex.
  • A further noise signal may be added to the DS t_X in step 512, resulting in a new DS c_2, which is then publicized instead of t_X.
  • In that case the belief algorithm must be applied to separate t_X from c_2 before verification is performed.
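The signature of Fig. 6 (steps 510 to 520), as an added example that is not taken from the patent. The identifier function f, the permutation rule (swap the rows of [Ek] at each pair of successive 1's in V_s, one of the options mentioned above), the tiny constructed public key and the 90% acceptance threshold are all the example's own assumptions; the decryption of t that yields s' and n_a' is not repeated here, the verifier is simply handed the recovered values.

```python
"""Added example (not the patent's code): the permuted-public-key signature of
Fig. 6.  EK is a constructed 6 x 4 public key; f, the permutation rule and the
acceptance threshold are assumptions matching the options described on the page."""

EK = [[1, 0, 1, 0],
      [0, 1, 1, 1],
      [1, 1, 0, 0],
      [0, 0, 1, 1],
      [1, 0, 0, 1],
      [1, 1, 1, 0]]          # constructed M = 6 by N = 4 public key
M, N = len(EK), len(EK[0])

def gf2_matvec(X, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in X]

def identifier(s, n_a):
    """Step 510, V_s = f(s, n_a): here the message XORed with the first N
    noise bits (assumed f; the page leaves f to the public protocol)."""
    return [a ^ b for a, b in zip(s, n_a[:N])]

def permute_key(Ek, v_s):
    """Steps 511/513: swap rows i and i+1 of Ek for every pair of successive
    1's in V_s, scanning left to right (assumed permutation scheme)."""
    rows = [row[:] for row in Ek]
    for i in range(len(v_s) - 1):
        if v_s[i] and v_s[i + 1]:
            rows[i], rows[i + 1] = rows[i + 1], rows[i]
    return rows

def sign(s, n_a):
    """Step 512: t_X = Ek^P . V_s (mod 2)."""
    v_s = identifier(s, n_a)
    return gf2_matvec(permute_key(EK, v_s), v_s)

def verify(t_x, s_rec, n_rec, threshold=0.9):
    """Steps 517-520 with the recovered s', n_a'.  Returns (agreement, accepted).
    threshold is a security parameter: every t_X' within Hamming distance
    (1 - threshold) * M of t_X is accepted, so it should stay close to 1."""
    t_x2 = sign(s_rec, n_rec)
    agreement = sum(a == b for a, b in zip(t_x, t_x2)) / len(t_x)
    return agreement, agreement >= threshold

def demo():
    s, n_a = [1, 0, 1, 1], [0, 1, 0, 0, 1, 0]            # constructed values
    t_x = sign(s, n_a)
    exact = verify(t_x, s, n_a)                           # perfect recovery
    one_bit_off = verify(t_x, s, [0, 0, 0, 0, 1, 0])      # noise bit 1 mis-decoded
    return t_x, exact, one_bit_off

if __name__ == "__main__":
    print(demo())
```

A single mis-decoded noise bit changes V_s, hence the row permutation, hence half of the signature bits in this instance, so tolerant comparison only helps when the decoder's errors leave V_s and the permutation unchanged; the threshold directly bounds how far a forged or corrupted t_X' may be from t_X and still pass.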
  • Another possible embodiment of the invention is one in which the recipient determines the detailed permutation scheme to be applied to the public key. This makes the decryption (decoding) step standard.
  • The aim of the authentication procedure is to preserve the integrity of a message constructed from a sequence of plaintexts, such that an eavesdropper cannot forge (add/delete) ciphertexts.
  • This goal can be achieved by utilizing correlated noise for successive ciphertexts.
  • One method for obtaining successively correlated noise signals is to make the noise signal used to encrypt the next block a cyclic permutation of the previous one, or of a randomly chosen part of it, with the rest being a one-bit shift of the previous one.
  • The recipient then has only to decrypt the first plaintext, whereas the rest of the message is uniquely defined, since the noise is known.
  • An eavesdropper who knows the authentication scheme may likewise concentrate only on the decryption of the first ciphertext.
  • Similarly, the decryption by the eavesdropper of an intermediate plaintext immediately reveals the successive plaintexts.
  • Alternatively, the private noise for the current ciphertext depends on all previous plaintexts and/or private noises, through a procedure publicized by the sender or by the recipient. This yields a different authentication scheme for different messages, and for the same message transmitted at different times or to different addresses.
  • Fig. 8 is a flow chart illustrating a process for encryption/decryption (which may also be extended to the DS and other tasks of the secure channel) according to another embodiment of the invention.
  • A message s (plaintext) for transmission is composed in step 800, and in step 801 two noise signals are generated, n (of length M) and n_1 (of length N).
  • The private noise signal n may be generated in any preferable way, as discussed above.
  • The noise signal n_1 is generated by performing bit manipulations on the bits of the private noise signal n following a known procedure (i.e. predetermined, or publicized by the sender or the recipient), as exemplified later.
  • The noisy plaintext s_n, obtained by adding n_1 to s, is encrypted in step 803 to obtain the ciphertext C.
  • The noise n_1 added to the plaintext s is a function of the noise n added to the ciphertext C in step 804. More particularly, n_1 is obtained by manipulating the bits of the noise signal n (including all Boolean operations and permutations among the bits) following a scheme known (public scenario) to both the sender and the recipient. The process of obtaining n_1 from n may be determined and publicized either by the sender or by the recipient. Alternatively, such a process may follow the particular structure of the private noise signal n (or of the noisy plaintext s_n).
  • The decryption reveals both the noise signal n and the noisy plaintext s_n, from which s is recovered by removing n_1.
  • The publicized recipe for n_1 may depend on both s_n and n, as described above for the digital signature. Since all the additional operations regarding n_1 scale linearly with the size N of the plaintext s, the linear complexity of the encryption/decryption process is not altered. In addition, all the additional time-dependent ingredients may still be utilized for DS and authentication as described above.
  • In another embodiment the encryption consists of two layers.
  • The first layer efficiently utilizes traditional encryption methods, such as RSA, and the second layer is carried out utilizing an error-correcting code.
  • The public key consists of three portions.
  • The first is [Ek] as before; the second consists of the directions for constructing the noise signals n_1 and n_2; and the third consists of a series of RSA public keys of length N_P each.
  • The sender composes a plaintext message s and a private noise signal n_3.
  • The length of the private noise signal n_3 should be the same as that of the resulting ciphertext C_2 (i.e. M bits), as will be understood later.
  • Additional noise signals n_1 and n_2 (of ranks N and M respectively) are generated from the private noise signal n_3 by following publicized procedures.
  • The encryption key RSA^(i) utilized to encrypt each plaintext block s_i is chosen from the set of k_2 keys RSA_1, RSA_2, ..., RSA_{k_2}.
  • Here n_2^(i) stands for the integer whose binary representation is bits [(i−1)·N+1, i·N] of n_2, and the index of the chosen key is (n_2^(i) mod k_2) + 1, an integer between 1 and k_2.
  • Alternatively, n_2^(i) may be the binary representation of consecutive blocks of k_2 bits of n_2 (i.e. bits [(i−1)·k_2+1, i·k_2] of n_2), with the indexing scheme guided accordingly by log_2(n_2^(i)+1)+1 rounded to the closest integer.
  • The process proceeds to step 906, in which the noise signal n_3 is added (mod 2) to the ciphertext of the second layer, C_2, to obtain the final signal C to be transmitted in step 907.
  • The first-layer ciphertext C_1 may now easily be revealed by removing the noise, as illustrated in step 914.
  • n_1 and n_2 can be chosen dense, and all operations related to these additional ingredients may be chosen to scale linearly with N.
  • RSA encryption is only an example; in general it can be replaced by any standard method.
  • The noise signal n_1 plays a crucial role in this method. Without n_1 the opponent may try to reveal the plaintext by first guessing a partially invertible portion of the public key [Ek] and then trying all k_2 possible short RSA keys of length N_P (which can easily be broken for small N_P). Although the plaintext revealed in this way would be slightly noisy, due to n_3, most of the plaintext would be recovered. Furthermore, the probability that two different RSA keys generate legal text (up to small noise) is negligible. To ensure that all k_2 different RSA keys are chosen with equal probability, a dense (or heavily dense) n_2 is preferred.
  • The complexity of the encryption/decryption process is dominated by the RSA complexity, but with the size reduced from N to N/k_0. Therefore one may easily combine traditional methods with this new linear and secure system.
  • The RSA method is brought here only to exemplify the method of the invention; of course any other acceptable method may be used for the first layer.
  • The complexity of generating a new code is polynomial in the size N of the plaintext, and is mainly dominated by the complexity of inverting the matrix [B], which is bounded from above by O(N^3) for a dense matrix (Gaussian elimination) and is lower for sparse matrices.
  • An advantage of the method of the invention is that the cryptosystem may easily be designed to be time-dependent.
  • The complexity of finding the inverse matrix can be reduced even further, to O(N) (i.e. linear in the size of the plaintext); the modular block matrices along the diagonal are only one simple example.
  • Another possibility is to change only a small number of elements of the matrix [B] from 0 to 1 or from 1 to 0. In this case, where the matrix is perturbed only slightly, the complexity of finding the inverse matrix from knowledge of the unperturbed inverse is much reduced.
  • One may use the same noise signal for a long message s constructed from a sequence of blocks s_i (i = 1, 2, ..., k).
  • The decryption of the first block s_1 is carried out as described above, following one of the methods of the invention.
  • The equation for the subsequent blocks can be solved either by belief propagation, for instance, or, since the noise is then known, it reduces to the product of a matrix with a vector (like linear filtering) using standard matrix algebra.
  • The encryption of each block is obtained from the product of the noisy plaintext by a matrix [E_i] of size N×N, where the noise added to the plaintext is a vector of rank N (obtained from the fixed noise of length M which was added to the first block).
  • The decryption is obtained from the product of the received message by the inverse matrix [E_i]^{-1}. Both [E_i] and its inverse [E_i]^{-1} can be chosen to be sparse, or even to be a fixed universal matrix used by all the users in the network.
  • Alternatively, only the noisy plaintext is transmitted.
  • The first block s_1 is encrypted utilizing one of the methods described here, utilizing an ECC for encryption and a private noise signal for ciphering.
  • The encryption of all other blocks is simply carried out by adding the private noise signal (utilized for ciphering the first block) to each of the other blocks s_2, ..., s_k. Since the noise added to the plaintext is dense, the level of security remains unaltered. (Note that a mask reused across blocks reveals s_i ⊕ s_j to anyone holding two blocks, the classical two-time-pad situation, so this variant relies on the mask staying secret and the blocks being unrelated.)
  • Fig. 10 is a flow chart illustrating a method for a DS according to another embodiment of the invention.
  • A message s is encrypted in step 1001, utilizing the recipient's public key E_R and the sender's private noise n, by one of the methods previously described.
  • The encrypted message r = r(s, n, E_R) is transmitted in step 1002 and received by the recipient in step 1010.
  • Upon receipt, in step 1011, the recipient decrypts r utilizing his private key, thereby revealing the plaintext s and the sender's private noise n.
  • In step 1012 the recipient produces an identifier D(n, s) by following a procedure (also known to the sender) that utilizes the plaintext and the sender's private noise.
  • This identifier may consist of the sender's private noise alone. Alternatively, a more sophisticated identifier may be produced from a linear combination of the plaintext s and the sender's private noise n, or by performing permutations and/or bit manipulations on those signals (or on one of them) or on their combination.
  • In step 1013 the recipient adds his own private noise to the identifier to obtain a modified identifier d, which is then encrypted in step 1014 utilizing the sender's public key E_S, thereby obtaining the encrypted identifier r'.
  • The encrypted identifier r' is transmitted to the sender in step 1015 and received by the sender in step 1003.
  • In step 1020 the sender produces the identifier D(n, s) following the (known/publicized) procedure utilized by the recipient in step 1012.
  • The sender decrypts r' in step 1004 utilizing his private key, thereby revealing the recipient's modified identifier d.
  • The sender can now reveal the recipient's private noise, as described in step 1005, simply by subtracting the identifier D(n, s) from the modified identifier obtained in step 1004.
  • In step 1006 the sender encrypts the recipient's private noise recovered in step 1005, utilizing the recipient's public key E_R, obtaining r''.
  • This DS procedure may be made even more sophisticated by adding private noise signals to the encrypted identifiers r' and r'' in steps 1014 and 1006 respectively.
  • Such a private noise signal will later be revealed, due to the ECC feature of the cryptosystem, and the verification concludes as originally described.
  • The sender transmits r'' to the recipient in step 1007, and it is received by the recipient in step 1016.
  • The recipient can now complete the verification by decrypting the transmission r'' with his private key, step 1017, to reveal his private noise signal.
  • The recipient verifies the sender's integrity by comparing the private noise signal obtained in step 1017 with his original private noise that was utilized in step 1013.
  • In another embodiment the user holds both the private and the public keys (which in this case are also kept private).
  • This method may be used to defend the computer's operating system from damage that may be caused by cookies and other possible attacks.
  • The public and private keys may be kept as a file on the computer and/or on a diskette (like an immobilizer in cars, but with the advantage that one can easily change it from one immobilizer to another).
  • The cryptographic keys may be split between two or more computers, such that the code can be recovered only from all of them or from a subset of them. For instance, the code may be split among 5 computers such that it can be reconstructed from any 3 of them.
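The 3-of-5 split mentioned above, as an added example that is not part of the patent. The page names no scheme; this block uses Shamir's secret sharing over the prime field GF(P) with P = 2^127 − 1, applied chunk by chunk to a key of arbitrary length, which is one standard way to obtain the stated property: any 3 holders reconstruct, and any 2 learn nothing about the key. The chunk size and the choice of field are the example's own.

```python
"""Added example (not the patent's code): a 3-of-5 split of a private key.
The page names no scheme; this uses Shamir's secret sharing over the prime
field GF(P), P = 2^127 - 1, applied chunk-wise to a key of arbitrary length."""
import random
import secrets

P = 2**127 - 1                     # Mersenne prime; each chunk must be < P
CHUNK = 15                         # 15-byte chunks (120 bits) always fit below P

def split_secret(secret, k, n, rng=None):
    """n shares (x, y) of one field element; any k determine the polynomial.
    rng is for deterministic tests only; production uses SystemRandom."""
    assert 0 <= secret < P and 1 <= k <= n < P
    rng = rng or secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]   # a_0 = secret
    return [(x, sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P) from k (or more) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def split_key(key, k, n, rng=None):
    """Split key bytes chunk by chunk; returns (per-chunk share lists, length)."""
    chunks = [int.from_bytes(key[i:i + CHUNK], "big") for i in range(0, len(key), CHUNK)]
    return [split_secret(c, k, n, rng) for c in chunks], len(key)

def recover_key(chunk_shares, length):
    """Rebuild the key from the same subset of holders for every chunk."""
    out = bytearray()
    for i, shares in enumerate(chunk_shares):
        size = min(CHUNK, length - CHUNK * i)
        out += recover_secret(shares).to_bytes(size, "big")
    return bytes(out)

def demo(key=bytes(range(32)), seed=None):
    """Split a constructed 32-byte key among 5 holders, rebuild from holders 1, 3, 5."""
    rng = random.Random(seed) if seed is not None else None
    chunk_shares, length = split_key(key, 3, 5, rng)
    subset = [[sh[0], sh[2], sh[4]] for sh in chunk_shares]
    return recover_key(subset, length) == key

if __name__ == "__main__":
    print("3-of-5 reconstruction ok:", demo())
```

Each holder keeps one (x, y) pair per chunk; the x values may be public, the y values are the shares. Interpolating through fewer than k shares yields a value unrelated to the secret, which is what the last assertion below exercises.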
  • Another possible embodiment utilizing the method of the invention may be exploited to initialize a secret communication channel, by encrypting and sending the communication parameters to the recipient utilizing the method of the invention.
  • For example, a set of 2N (for an N-bit message) parameters (numbers) is utilized to define a code of a given rate.
  • The sender chooses a set of 2N numbers defining the desired Turbo code.
  • The set of 2N numbers defining the code is encrypted and transmitted via the channel, utilizing the public key [Ek] and a private noise signal to encrypt (conceal) the transmitted data.
  • The recipient decrypts the transmission and utilizes the 2N numbers (parameters) to initialize the Turbo code (if more than 2N bits are required to represent the 2N parameters, more than one block is required to submit the parameters). This method is applicable to all other ECC methods, including other versions of the Turbo code (recursive, irregular, of different rates), and to any ECC method that is defined by a list of parameters selecting the code from a huge class of possible ECC prescriptions.
  • The private noise is revealed by the decryption of the ciphertext, as discussed earlier.
  • Dynamical spread spectrum may also be used to improve the capacity and efficiency of the channel in a communication network where the spreading codes (numbers) and the types of subscribers participating in the network fluctuate over time. For instance, in case of limited bandwidth one may assign a fixed spread spectrum to each subscriber of the network; however, an overlap among the transmissions of different subscribers may then occur, since at any given time the type and number of subscribers fluctuate. Utilizing the method of the invention, a scheme for a time-dependent spread spectrum, as well as a time-dependent ECC, may easily be implemented. This also helps to reduce the overlap among users and therefore enhances the channel capacity. The noisy plaintext can also serve to create permutations among the bits, which is a built-in ingredient of many ECC methods.
  • The time-dependent ingredients of the method of the invention, and its substantially low computational effort, make it a very attractive candidate for end-to-end security implementations.
  • In such implementations the transmission should remain concealed from any arbitrating devices in the network.
  • One of the main difficulties is the substantial computational effort required for ciphering/deciphering the data with standard methods. Therefore, to allow ciphering, methods of low computational complexity are used, and as a consequence the security of the transmission is relatively low.
  • Arbitrating devices in the network decipher the transmission received from one subscriber and then cipher it for transmission to another subscriber.
  • The method of the invention may be utilized to initiate and to configure the ECC and/or the frequency bandwidth and spectrum spreading of the communication.
  • The time-dependent ingredients (i.e. private noise signals) of the invention may easily and efficiently be utilized to randomly select the communication parameters (i.e. bandwidth, spreading code, etc.), so that the communication itself may be concealed.
  • Another use of the noisy plaintext is to improve data compression, in the following sense. Assume that the bit stream has some structure in it (prior knowledge of the sender, for instance, or some non-trivial structure in the power spectrum). One can choose to add a special noise to the plaintext such that the noisy plaintext can be compressed better than the non-noisy plaintext. In this scheme a noise is added to the plaintext to create a noisy plaintext; the noisy plaintext is compressed and then encoded for transmission through the channel.
  • The tasks of the cryptosystem of the invention can be extended to other functions of the secure channel, such as an undeniable signature.
  • For an undeniable signature, consider the following possible scenarios, which may appear in different circumstances.
  • The sender uses an undeniable signature with or without notifying the recipient in advance; or, vice versa, the recipient requests undeniable signatures, again with or without notifying the sender in advance.
  • The main idea is that the private noise is added to the ciphertext such that the decryption cannot terminate successfully without the sender partially revealing the private noise.
  • The sender can also add private noise outside the range allowed by the recipient, or the recipient purposely defines a range for the private noise that is too large, beyond the capability of his decryption process to ensure successful termination.
  • The enlargement of the private-noise regime can be done by the sender/recipient with or without notifying the partner.
  • In this scheme the sender has to keep all previous DSs as public information.
  • The list of signatures may load the sender's resources, and furthermore it may take the recipient a long time to find the appropriate signature among many. Moving a signature into an archive after the recipient has performed verification is one way to alleviate this drawback.
  • Some of the advantages of the cryptosystem of the invention over methods based on numbers theory, such as an RSA cryptosystem are: a) the matrix operations and the belief network algorithm decoding in the decryption/encryption process can be carried out and implemented in parallel; b) a one-time success by an eavesdropper (even by a prior knowledge of the plaintext) to reveal a plaintext does not automatically help or ensure the recovery of other plaintexts that the sender sent to the same recipient; c) in the RSA method the eavesdropper's task requires a check of many possible trails, where each trail can be examined by the same algorithm. Hence, the task of an eavesdropper can be easily split among many resources.
  • the inventions' cryptosystem is based on many stochastic ingredients with time dependent features of the sender and the recipient. Hence the strategy of the eavesdropper may need to vary between different messages and users of the channel.
  • All the method that where described here, for encryption decryption utilizing a parity check error correcting code, may be utilized efficiently to construct secure communication in which the coding rate is dynamic. More particularly, one may use a set of public-keys of dimensions M- x ⁇ N, and a set of the corresponding private keys, to encrypt/decrypt each transmission utilizing a different pair of keys, thereby continuously changing the coding rate. To improve security, one may further utilize the private noise of the previous transmission to select the cryptographic key for the next transmission. Thereby allowing a random selection of cryptographic keys, and rates.
  • Such a scheme may be one in which the plaintext is encrypted many times with different rates, making the situation more and more complex. For instance, utilizing Q different keys, [E k J (l ⁇ j ⁇ Q), each of which is
  • ciphertext C y - is obtained as follows — l ⁇ YYYY» Y ⁇ e ) .
  • [C_0]_{M_0×1} is the original plaintext
  • M_0 = N is said plaintext's length.
  • the method of the invention is exemplified herein by the Gallager-type code. It should be clear that the invention is applicable to parity-check codes in general, including the MN code, and also to convolutional codes. Additionally, the method of the invention may be generalized to the case of transmitting symbols (a finite-alphabet set) instead of bits (i.e., "0"s and "1"s), as is the case in the BSC. Thus, the invention may be implemented in many other types of communication channels (other than the BSC), such as the Gaussian channel.
  • the method of the invention can serve as an intermediate step in any existing method. For instance, one may first encrypt a plaintext utilizing the RSA method, and then encrypt it utilizing the method of the present invention, utilizing an ECC.
  • the decryption in this case consists of applying the decryption method of the present invention first, and then applying the "enveloped" method (i.e., RSA or any preferred method).
  • the method can also serve as an ECC tool, in addition to a cryptosystem. If "real" noise is added to the regime of the artificial noise during transmission, the system is capable of cleaning this noise up to some level (also plausible if the noise is added outside the regime of the artificial noise).
  • the proposed cryptosystem enables hiding the transmission itself (in addition to scrambling the information) by applying a cryptographic, time-varying Spread Spectrum modulation.
  • the Spread Spectrum modulation modulates the transmitted signal in order to widen its spectral bandwidth or its time-domain behavior.
  • the receiver performs a matched demodulation to recover the original signal.
  • the first plaintext (and/or the noise) includes the information on the particular Spread Spectrum modulation of the forthcoming plaintexts, i.e., the message.
  • the first plaintext is encrypted utilizing the method of the invention, and then transmitted.
  • the receiver decrypts the plaintext and reveals the current Spread Spectrum modulation.
  • Data is sent (encrypted by the cryptosystem of the invention) through the well-established Spread Spectrum modulation link, indicating how the information is hidden (or widened in the time domain) within the spectral bandwidth.
  • the transmission is Spread Spectrum modulated in accordance with the established Spread Spectrum modulated link.
  • the receiver demodulates the Spread Spectrum signal utilizing the data that was previously received.
  • the time-dependent Spread Spectrum modulation can be encoded in the first transmitted block, or by the structure of the additive time-dependent noise, n_a, or by any combination of the plaintexts and noise signals.
  • the Spread Spectrum modulation can be varied between different transmitted blocks.
  • the first plaintext indicates the parameters (i.e., the spreading signal) utilized for the modulation of the next block.
  • the modulation of the third block is some linear (or nonlinear) combination of the modulation and the content of the last block. This may also be used to improve data compression on a given bandwidth.
  • the main purpose of the Spread Spectrum modulation is to hide the communication (without replacing the cryptosystem).
  • the Spread Spectrum modulation parameters that are encrypted in the first block can also be used for the timing of forthcoming messages, by adding a time difference to the reception time of the first block. More precisely, the first block in such a case will comprise the broadcasting time of the rest of the message.
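The dynamic-rate chain of Q keys described above (public keys of different dimensions, each ciphertext feeding the next layer, and the previous private noise selecting the next key pair), as an added toy illustration that is not the patent's own code. It assumes a generic linear layer C_j = E_j·C_{j-1} ⊕ n_j over GF(2) with random matrices in place of the patent's key construction, and a hash of the previous noise vector as the (assumed) key-selection rule.

```python
"""Toy multi-rate chain over GF(2) (added illustration, not the patent's code).
Assumed layer rule: C_j = E_j * C_{j-1} XOR n_j, E_j of shape M_j x M_{j-1}, M_0 = N."""
import hashlib
import random

def gf2_matvec(matrix, vec):
    """Matrix-vector product over GF(2); `matrix` is a list of 0/1 rows."""
    if any(len(row) != len(vec) for row in matrix):
        raise ValueError("key dimension does not match the input length")
    return [sum(a & b for a, b in zip(row, vec)) & 1 for row in matrix]

def random_key_chain(rng, dims):
    """Random public keys E_1..E_Q, E_j of shape dims[j] x dims[j-1] (assumed)."""
    return [[[rng.randrange(2) for _ in range(dims[j - 1])]
             for _ in range(dims[j])] for j in range(1, len(dims))]

def private_noise(rng, length, weight):
    """Noise vector with exactly `weight` flipped bits (the allowed regime)."""
    vec = [0] * length
    for i in rng.sample(range(length), weight):
        vec[i] = 1
    return vec

def encrypt_chain(keys, plaintext, noises):
    """Apply the Q layers in order; each layer adds its own private noise."""
    cipher = list(plaintext)
    for key, noise in zip(keys, noises):
        cipher = [a ^ b for a, b in zip(gf2_matvec(key, cipher), noise)]
    return cipher

def coding_rate(dims):
    """Overall rate N / M_Q after all Q expansions."""
    return dims[0] / dims[-1]

def next_key_index(noise, n_sets):
    """Let the previous transmission's private noise pick the next key set
    (hashing the noise is an assumed, simple selection rule)."""
    digest = hashlib.sha256(bytes(noise)).digest()
    return int.from_bytes(digest[:4], "big") % n_sets

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is reproducible
    chains = [[16, 24, 32], [16, 20, 40]]  # two key sets: rates 1/2 and 2/5
    keys = [random_key_chain(rng, d) for d in chains]
    idx = 0
    for _ in range(3):
        block = [rng.randrange(2) for _ in range(16)]  # constructed plaintext
        dims = chains[idx]
        noises = [private_noise(rng, m, m // 8) for m in dims[1:]]
        c = encrypt_chain(keys[idx], block, noises)
        print(f"key set {idx}: rate {coding_rate(dims):.2f}, {len(c)} bits")
        idx = next_key_index(noises[-1], len(chains))
```

Because every layer is linear, the XOR of two ciphertexts produced with zero noise equals the ciphertext of the XOR of the plaintexts; the private noise is what breaks that relation for an observer.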

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)
  • Error Detection And Correction (AREA)
  • Storage Device Security (AREA)

Abstract

The invention concerns a secure public-key cryptography method employing a parity-check error-correcting code and noise signals, the method consisting of a) establishing a communication channel, b) producing a series of private cryptographic keys which are assigned to each of the entities using this secure public-key cryptography, each of said private cryptographic keys being accessible only by the entity to which the key was assigned, c) producing a series of public cryptographic keys assigned to the entities using this secure public-key cryptography, and d) producing a series of random private noise signals, or generating the same series by means of a random private noise signal generator. The method further consists of encrypting information vectors by adding a noise signal to the information vector before and/or after encryption.
PCT/IL2000/000865 1999-12-29 2000-12-28 Systeme cryptographique a cle publique securise et lineaire base sur un code de correction d'erreurs de controle de parite WO2001050675A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU20228/01A AU2022801A (en) 1999-12-29 2000-12-28 A secure and linear public-key cryptosystem based on parity-check error-correcting code
US10/169,468 US20030223579A1 (en) 2000-07-13 2000-12-28 Secure and linear public-key cryptosystem based on parity-check error-correcting

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US17347899P 1999-12-29 1999-12-29
US60/173,478 1999-12-29
US18465700P 2000-02-24 2000-02-24
US60/184,657 2000-02-24
IL13730900A IL137309A0 (en) 2000-07-13 2000-07-13 A secure and linear cryptosystem using error-correcting codes
IL137309 2000-07-13
IL139186A IL139186A (en) 2000-10-22 2000-10-22 Secure and linear public-key cryptosystem based on parity-check error correcting code
IL139186 2000-10-22

Publications (2)

Publication Number Publication Date
WO2001050675A2 true WO2001050675A2 (fr) 2001-07-12
WO2001050675A3 WO2001050675A3 (fr) 2002-03-28

Family

ID=27452523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2000/000865 WO2001050675A2 (fr) 1999-12-29 2000-12-28 Systeme cryptographique a cle publique securise et lineaire base sur un code de correction d'erreurs de controle de parite

Country Status (2)

Country Link
AU (1) AU2022801A (fr)
WO (1) WO2001050675A2 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7349540B2 (en) 2002-05-07 2008-03-25 Interdigital Technology Corporation Generation of user equipment identification specific scrambling code for high speed shared control channel
WO2011131950A1 (fr) * 2010-04-22 2011-10-27 Martin Tomlinson Système de cryptageà clé publique reposant sur des codes goppa et génération aléatoire basée sur puf
WO2012066328A1 (fr) * 2010-11-16 2012-05-24 Martin Tomlinson Chiffrement à clé publique utilisant des codes correcteurs d'erreur
US8909544B2 (en) 2010-12-27 2014-12-09 Industrial Technology Research Institute Method for encoding or decoding digital data, data disseminating device and data managing device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5054066A (en) * 1988-11-16 1991-10-01 Grumman Corporation Error correcting public key cryptographic method and program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KANTER I ET AL: "Secure and linear cryptosystems using error-correcting codes" EUROPHYSICS LETTERS, 15 JULY 2000, EUR. PHYS. SOC. BY EDP SCIENCES AND SOC. ITALIANA FISICA, FRANCE, vol. 51, no. 2, pages 244-250, XP001009576 ISSN: 0295-5075 *
MOHSSEN ALABBADI ET AL: "A DIGITAL SIGNATURE SCHEME BASED ON LINEAR ERROR-CORRECTING BLOCK CODES" ADVANCES IN CRYPTOLOGY - ASIACRYPT '94. 4TH. INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATIONS OF CRYPTOLOGY, WOLLONGONG, AUSTRALIA, NOV. 28 - DEC. 1, 1994. PROCEEDINGS, PROCEEDINGS OF THE CONFERENCE ON THE THEORY AND APPLICATIONS OF CRYPTOLOGY, vol. CONF. 4, 28 November 1994 (1994-11-28), pages 238-248, XP000527599 ISBN: 3-540-59339-X *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7349540B2 (en) 2002-05-07 2008-03-25 Interdigital Technology Corporation Generation of user equipment identification specific scrambling code for high speed shared control channel
US7536013B2 (en) 2002-05-07 2009-05-19 Interdigital Technology Corporation User equipment identification specific scrambling
US7970127B2 (en) 2002-05-07 2011-06-28 Interdigital Technology Corporation User equipment identification specific scrambling
US9634801B2 (en) 2002-05-07 2017-04-25 Interdigital Technology Corporation User equipment identification specific scrambling
WO2011131950A1 (fr) * 2010-04-22 2011-10-27 Martin Tomlinson Système de cryptageà clé publique reposant sur des codes goppa et génération aléatoire basée sur puf
US8958553B2 (en) 2010-04-22 2015-02-17 Martin Tomlinson Public key cryptosystem based on goppa codes and puf based random generation
WO2012066328A1 (fr) * 2010-11-16 2012-05-24 Martin Tomlinson Chiffrement à clé publique utilisant des codes correcteurs d'erreur
US8891763B2 (en) 2010-11-16 2014-11-18 Martin Tomlinson Public key encryption system using error correcting codes
US8909544B2 (en) 2010-12-27 2014-12-09 Industrial Technology Research Institute Method for encoding or decoding digital data, data disseminating device and data managing device
US9088401B2 (en) 2010-12-27 2015-07-21 Industrial Technology Research Institute Method for decoding digital data and data managing device

Also Published As

Publication number Publication date
AU2022801A (en) 2001-07-16
WO2001050675A3 (fr) 2002-03-28

Similar Documents

Publication Publication Date Title
US20030223579A1 (en) Secure and linear public-key cryptosystem based on parity-check error-correcting
Rodriguez-Henriquez et al. A brief introduction to modern cryptography
Băetu et al. Misuse attacks on post-quantum cryptosystems
Simmons Cryptanalysis and protocol failures
US7200752B2 (en) Threshold cryptography scheme for message authentication systems
US5345507A (en) Secure message authentication for binary additive stream cipher systems
CN101779190B (zh) 信息传输和综合保护的方法
US20080137837A1 (en) Encryption method for message authentication
CN101179374B (zh) 通信设备、通信系统及其方法
CN108833390B (zh) 一种基于矩阵变换的分组物理层加密方法
US20100169658A1 (en) Elliptic curve-based message authentication code
Kitagawa et al. CCA security and trapdoor functions via key-dependent-message security
Dubrova et al. CRC-based message authentication for 5G mobile technology
Reyad et al. Key-based enhancement of data encryption standard for text security
US7349542B2 (en) Systems, methods and computer program products for encryption and decryption using wavelet transforms
Kelber et al. General design rules for chaos-based encryption systems
US6990200B1 (en) Encryption method, cryptographic communication method, ciphertext generating device and cryptographic communication system of public-key cryptosystem
EP1366594A2 (fr) Schema cryptographique a seuil destine a des systemes d'authentification de message
Sloane Error-correcting codes and cryptography
WO2001050675A2 (fr) Systeme cryptographique a cle publique securise et lineaire base sur un code de correction d'erreurs de controle de parite
Ahlswede Hiding Data-Selected Topics
Hudde Building stream ciphers from block ciphers and their security
Kulkarni et al. Neural Crypto-Coding Based Approach to Enhance the Security of Images over the Untrusted Cloud Environment. Cryptography 2023, 7, 23
AlDerai et al. A Study of Image Encryption/Decryption by Using Elliptic Curve Cryptography ECC
IL139186A (en) Secure and linear public-key cryptosystem based on parity-check error correcting code

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWE Wipo information: entry into national phase

Ref document number: 10169468

Country of ref document: US

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP