ASYMMETRIC ENCRYPTION METHOD AND APPARATUS
TECHNICAL FIELD
The present invention is related to the field of public key generation for cryptography.
BACKGROUND ART
The development of public key/private key cryptography has eliminated the expense of distributing and safeguarding conventional cryptography keys. As a result, people can encrypt, transmit, and decrypt messages with a high level of security at a minimal cost. In basic operation, a message receiver generates a public key/private key pair. The public key is then transmitted to a message sender, usually through unsecured channels, or posted on a public bulletin board. The message sender uses the public key to encrypt a message to produce a cipher text (encrypted message). Unsecured channels may then be used to transmit the encrypted message to the message receiver. Finally, the message receiver uses their private key to decrypt the encrypted message and recover the original message.
Use of unsecured channels and bulletin boards to transmit and post public keys makes distribution of the public keys in public key/private key cryptography inexpensive. Anyone obtaining a copy of the public key can only use it to encrypt messages intended for the message receiver. Public key construction is designed to make reverse engineering of the private key from the public key extremely difficult, although possible. Consequently, possession of the public key alone makes decryption of any message encrypted with that public key extremely unlikely.
Several public key/private key methods have been developed over the years. Examples of public key/private key methods include RSA (Rivest, Shamir and Adleman), Diffie-Hellman, DSA (Digital Signature Algorithm) and PGP (Pretty Good Privacy®, from Network Associates, Inc. of Santa Clara, California). Most of these methods have evolved in recent years to produce larger and larger public keys. This evolution has been made necessary by improved computational power that makes public keys more vulnerable to brute force attacks. Modern supercomputers can be used to break simple public keys in a modest amount of time. As a result, more computational power is required to generate and use large public keys that are still unrealistic to break. For example, the RSA encryption method currently requires approximately one million integer operations to compute a public key. What is desired is an efficient approach for generating public key/private key pairs that are simple to generate and that can be used to encrypt and decrypt messages.
DISCLOSURE OF INVENTION
The present invention is a method of generating a public key from a private key for cryptography purposes, an information recording medium containing a computer program that implements the method, an apparatus that implements the method, and a public key/private key pair generated by the method. Generation of the public key in accordance with the present invention requires a relatively small amount of computational power as compared with many existing public key generation methods.
Given a private key that defines a vector, generation of a public key begins with providing a first set of one or more polynomials that may be evaluated on the vector. A second set of polynomials is then constructed from the first set of polynomials such that each polynomial of the second set vanishes on the vector. The second set of polynomials is inserted into a record to create the public key in a tangible form.
The first set of polynomials may be selected to generate an ideal with a doubly exponentially complex Gröbner basis in a given number of variables. Sets of polynomials having a complex Gröbner basis are very difficult to solve for one or more vectors that cause all of the polynomials to vanish to zero simultaneously. This makes the resulting public key very difficult to break.
A doubly exponentially complex Gröbner basis may be achieved where there are $10n$ variables $s^{(m)}$, $f^{(m)}$, $c_i^{(m)}$, and $b_i^{(m)}$ defined by $10n-6$ generators:

$s^{(m)} - s^{(m-1)} c_1^{(m-1)}$ for $2 \le m \le n$,
$f^{(m)} - s^{(m-1)} c_4^{(m-1)}$ for $2 \le m \le n$,
$c_i^{(m)} f^{(m-1)} b_2^{(m-1)} - \cdots$ for $2 \le m \le n$ and $1 \le i \le 4$,
$f^{(m)} c_1^{(m)} b_1^{(m)} - s^{(m)} c_2^{(m)}$ for $1 \le m \le n-1$,
$f^{(m)} c_2^{(m)} - f^{(m)} c_3^{(m)}$ for $1 \le m \le n-1$,
$s^{(m)} c_3^{(m)} b_1^{(m)} - s^{(m)} c_2^{(m)} b_4^{(m)}$ for $1 \le m \le n-1$, and
$s^{(m)} c_3^{(m)} - f^{(m)} c_4^{(m)} b_4^{(m)}$ for $1 \le m \le n-1$,

where $1 \le i \le 4$, $1 \le m \le n$, and the superscripts $(m)$ and $(m-1)$ are indexing numbers of the variables $s$, $f$, $c_i$ and $b_i$. This produces a $2^{2^n} + 1$ lower bound for the degrees of all higher order relationships of the ideal.
Accordingly, it is an object of the present invention to provide a method for generating a public key from a private key defining a vector wherein the public key is a set of polynomials that vanish on the vector.
Another object of the present invention is to provide an information recording medium and an apparatus that implement the method of the present invention.
Yet another object of the present invention is to provide a public key/private key pair generated by the method of the present invention.
These and other objects, features and advantages will be readily apparent upon consideration of the following detailed description in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a flow diagram of a method for generating a public key;
FIG. 2 is a block diagram of an apparatus that implements the method for generating the public key;
FIG. 3 is a flow diagram of a method for encrypting and decrypting a message using the public key and private key; and
FIG. 4 is a flow diagram of a method for encrypting and decrypting a message using the public key, private key and a conventional key.
BEST MODE FOR CARRYING OUT THE INVENTION
The following definitions are used in this document:
A field is any set of elements that satisfy the standard properties of addition, subtraction, multiplication, and division. Real numbers are an example of a field.
A ring is a set of elements that satisfy additive associativity, additive commutativity, additive identity, additive inverse, multiplicative associativity and left and right distributivity. Integers are an example of a ring.
An ideal is a subset of elements of a ring that forms an additive group and has the property that whenever x belongs to the ring and y belongs to the ideal, then xy and yx belong to the ideal. The even integers are an example of an ideal of the ring of integers.
A Gröbner basis for a set of polynomials is an equivalent set of polynomials that possesses useful properties. One useful property is that the polynomials in a Gröbner basis have the same collection of roots as the original set of polynomials. Another useful property is that a Gröbner basis provides a measure of the complexity of the original set of polynomials.
An affine space has a coordinate system such that every point within that space can be represented by an n-tuple of the coordinates.
FIG. 1 is a flow diagram for a method of generating a public key from a private key. The method begins by selecting a finite field k and a polynomial ring k[x_1, ..., x_n] in n variables to work within, as shown in block 100. An element r is selected from the affine space k^n (r ∈ k^n) as the private key, as shown in block 102. The affine space k^n contains the field k. This private key r is a vector from the coordinate origin of k^n and has n coordinates, one per variable. In the preferred embodiment, the private key r is chosen at random. In alternative embodiments, the private key r may be a specifically selected element of the affine space k^n.
A first set G = {g_1, ..., g_m} having m polynomials, where m ≥ 1, is provided as shown in block 104. Each first polynomial g_i of G has the same n variables as the private key r, so that each first polynomial g_i may be evaluated on the private key r. The first polynomials g_1 through g_m may be selected at random, or established with specific generators to produce a high degree of interdependency between the variables of the polynomials. The higher the degree of interdependency between the variables, the more difficult it is to solve for roots at which all of the polynomials vanish to zero simultaneously.
The public key is defined as a second set H = {h_1, ..., h_m} having m polynomials, where m ≥ 1. The public key is constructed from the first set G of polynomials and the private key r, as shown in block 106. In the preferred embodiment, each second polynomial h_i is defined by equation 1 as:
In alternative embodiments, other constructions may be used to produce the second polynomials h_i from the first polynomials g_i and the private key r. What is required is that each of the second polynomials h_i vanish when evaluated on the private key r.
One advantage of the preferred embodiment for constructing the second set H is that a limited amount of computational power is required. Once the first set G and the private key r have been established, construction of the second set H only requires evaluating each first polynomial g_i at the private key r and then subtracting the result from the respective first polynomial g_i. Doubling the number of variables n in the first polynomials g_i doubles the number of calculations. Tripling the number of variables n triples the number of calculations. The computational power required to generate the second set H grows linearly with the desired number of variables n, instead of growing exponentially.
As each second polynomial h_i is constructed, or after all of the second set H is constructed, the second polynomials h_i are written into a record, as shown in block 108. This record is the public key for the private key r. Once created, the record may be copied onto portable media and physically transported to other people for their use in encrypting messages. For example, a person wishing to receive an encrypted message may copy their public key record onto a floppy disk and then give that floppy disk to the person who will send the encrypted message. The record may also be read into transmission channels and transmitted to others. An example of this approach is for the person wishing to receive the encrypted message to attach or embed a copy of the public key record in an e-mail message addressed to the person that will send the encrypted message. Copies of the record may be posted on public and/or private bulletin boards, making it available for other people to copy. In an alternative embodiment, where the ordering of the variables for the second polynomials h_i follows a predetermined sequence, the public key record need only contain the coefficients of the second polynomials h_i. Here, the person sending an encoded message may regenerate the second set H by inserting the coefficients recorded in the public key into the second polynomials h_i in the predetermined sequence.
For the public key to be effective, it must be impractical to reverse engineer the private key r, or any other vector, if one exists, for which all of the second polynomials h_i vanish simultaneously. As stated earlier, solutions for the public record can be made very difficult to find when there is a high degree of interdependency among the relationships (also referred to as "syzygies") between the variables of the polynomials. In particular, polynomials that have a complex Gröbner basis are extremely difficult to solve. Recall that one useful property of a Gröbner basis is that it shares the same roots as the original set of polynomials.
Ernst W. Mayr and Albert R. Meyer have shown in their paper "The Complexity of the Word Problems for Commutative Semigroups and Polynomial Ideals", Advances in Mathematics 46 (1982), pages 305-329, that the amount of computational storage space grows doubly exponentially with the size of the problem instance. Their paper is incorporated herein in its entirety.
Based upon E. W. Mayr and A. R. Meyer's paper, the first set G can be constructed as follows. Let $I_n$ be an ideal in the $10n$ variables $s^{(m)}$, $f^{(m)}$, $c_i^{(m)}$, and $b_i^{(m)}$ defined by the following $10n-6$ generators:

$s^{(m)} - s^{(m-1)} c_1^{(m-1)}$ for $2 \le m \le n$,
$f^{(m)} - s^{(m-1)} c_4^{(m-1)}$ for $2 \le m \le n$,
$c_i^{(m)} f^{(m-1)} b_2^{(m-1)} - \cdots$ for $2 \le m \le n$ and $1 \le i \le 4$,
$f^{(m)} c_1^{(m)} b_1^{(m)} - s^{(m)} c_2^{(m)}$ for $1 \le m \le n-1$,
$f^{(m)} c_2^{(m)} - f^{(m)} c_3^{(m)}$ for $1 \le m \le n-1$,
$s^{(m)} c_3^{(m)} b_1^{(m)} - s^{(m)} c_2^{(m)} b_4^{(m)}$ for $1 \le m \le n-1$, and
$s^{(m)} c_3^{(m)} - f^{(m)} c_4^{(m)} b_4^{(m)}$ for $1 \le m \le n-1$,

where $1 \le i \le 4$, $1 \le m \le n$, and the superscripts $(m)$ and $(m-1)$ are indexing numbers for the variables $s$, $f$, $c_i$ and $b_i$. Note that this is only the preferred embodiment of many sets of generators that can be used to create the first set G of polynomials.
In general, let R be a polynomial ring in n variables over a field K. Let I be an ideal of R generated by polynomials $u_1, \ldots, u_z$ of degree at most d. Two integers are considered: the ideal membership bound IM(I), the least integer such that any element u in I of degree at most d may be written as $u = v_1 u_1 + \cdots + v_z u_z$ with $\deg(v_i) \le \mathrm{IM}(I)$ for each i (the ideal membership problem); and the syzygy bound SYZ(I) (if I is homogeneous), the least integer such that the module of syzygies (relations between the $u_i$) may be generated by syzygies of degree at most SYZ(I). E. W. Mayr and A. R. Meyer's paper gives a construction showing that IM(I) may be doubly exponential in n. In fact, they show that IM(I) and SYZ(I) may be greater than $d^e$ with $e = 2^{n/10}$.
The idea in the construction is as follows: Set N = d for d ≥ 2. Then one can construct a polynomial ring R in 10n variables, and an ideal which effectively counts to N. As pointed out by D. Bayer and M. Stillman in their paper "On the Complexity of Computing Syzygies", J. Symbolic Computation (1988) 6, pages 135-147, incorporated herein in its entirety, this type of construction realizes the halting problem for a bounded 3-counter machine as an instance of the decision problem for ideal membership. Hence the ideal membership problem is exponential space complete over an arbitrary field. There are problems in exponential space which require exponential space, which leads to the aforementioned type of double exponential complexity result for syzygies.
Using the preferred embodiment generators to create the first set G, and thus a second set H, results in a very complex Gröbner basis that is extremely difficult to solve for even one root. Furthermore, based upon Mayr and Meyer, if $I_n^h$ is the homogenization of the ideal $I_n$ obtained by adding an extra variable, and we define the homogeneous ideal $J_n = (s^{(n)}, f^{(n)}, I_n^h)$, then the maximum degree of a polynomial in a minimal set of generators for $J_n$ is 4. Also, a lower bound for the degrees of all the higher order relations (syzygies) of the ideal is doubly exponential in the number of variables n, as denoted by $2^{2^n} + 1$. In other words, as the number of variables n increases, the complexity of the Gröbner basis for the public key increases as two to the power of two to the power of n. Enlargement of a public key by doubling the number of variables n results in an increase in the complexity of the Gröbner basis by a factor of $2^4 = 16$. Tripling the number of variables n increases the complexity of the Gröbner basis by a factor of $2^8 = 256$.
FIG. 2 is a block diagram of an example apparatus that implements the present invention. In a practical application, the method described above will be implemented in a computer program 200 stored in an information recording medium 202. The information recording medium 202 may be any conventional medium such as magnetic disk, magnetic tape, optical disk, optical tape, solid state media, and the like. A microprocessor 204 reads the computer program 200 from the information recording medium 202 and executes the computer program 200.
Inputs for the first set G of polynomials may be provided from any of several sources. FIG. 2 shows one embodiment where the first polynomials g_i are entered through an input device 206 such as a keyboard. In other embodiments, the first polynomials g_i of the first set G may be stored as part of the computer program 200, generated by the computer program 200, chosen from a superset of first polynomials g_i, and the like.
Inputs for the private key r may also be provided from any of several sources. FIG. 2 shows one embodiment where the private key is generated by a random element generator 208. In other embodiments, the private key r may be entered through the input device 206, be selected based upon a tick of a clock 210 at some event (e.g., a key being struck), be calculated from a password entered through the input device 206, and so on.
Microprocessor 204 executes the computer program 200 along with the various inputs to generate the public key 212 that is then stored in second information recording medium 214, usually a hard drive. The microprocessor will also store the private key 216 in the second information recording medium 214 so that it is available for decrypting messages at a later time, and for generating a new public key 212 if desired.
An output device 218 is used to transmit the public key 212 to the public (not shown). The output device may be a media drive where the public key 212 is to be distributed on a removable information recording medium. The output device may also be a network interface where the public key 212 is to be distributed via e-mail or posted to a network-based bulletin board.
FIG. 3 is a flow diagram of a method for encrypting and decrypting a message using the public key and private key. A person desiring to receive the encrypted message first generates a public key/private key pair, as shown in block 300. The public key is then transmitted to the person that is sending the encrypted message, as shown in block 302.
The person sending the encrypted message uses the public key to encrypt an original message, as shown in block 306. In this example, the original message q to be encrypted is an element selected from the field k ($q \in k$). Encryption may be accomplished by selecting m arbitrary polynomials $a_i$. Using the second polynomials $h_i$ of the public key and the arbitrary polynomials $a_i$ selected by the message sender, the encrypted message p may be defined by equation 2 as:

$$p = \Big(\sum_{i=1}^{m} a_i h_i\Big) + q \qquad (2)$$
The encrypted message p is transmitted from the message sender to the message receiver, as shown in block 306. In one embodiment, the entire polynomial of the encrypted message is transmitted including all variables and coefficients of p, which is a polynomial. In other embodiments, the ordering of the variables may be in accordance with a predetermined sequence. Here, it is only necessary to transmit the coefficients of p in the same predetermined sequence.
The person receiving the encrypted message deciphers the original message, as shown in block 308. This may be accomplished by evaluating the encrypted message on the private key r, as shown in equation 3:

$$p(r) = \Big(\sum_{i=1}^{m} a_i(r)\, h_i(r)\Big) + q = \Big(\sum_{i=1}^{m} a_i(r) \cdot 0\Big) + q = q \qquad (3)$$
Since each second polynomial $h_i$ of the public key vanishes to zero on the private key r ($h_i(r) = 0$), the values of the arbitrary polynomials $a_i$ on the private key r do not matter.
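The key generation of FIG. 1 (blocks 102-108, with h_i = g_i − g_i(r) as described above) and the encryption and decryption of FIG. 3 (equations 2 and 3), as an added worked example that is not part of the patent: it assumes a small prime field k = GF(101) and three variables, and represents multivariate polynomials as dictionaries from exponent tuples to coefficients. The example checks correctness only (every h_i vanishes on r, and p(r) recovers q); it says nothing about the hardness of finding a common zero of H, on which the security of the public key rests.

```python
# Added toy implementation of the scheme in FIGS. 1 and 3 (not the patent's own code).
# Polynomials over k = GF(P) are dicts {exponent tuple: coefficient}.
import random

P = 101      # assumed prime modulus for the demonstration field k
N_VARS = 3   # number of variables n; the private key r has one coordinate per variable

def add(f, g):
    """Return f + g over GF(P), dropping zero coefficients."""
    h = dict(f)
    for e, c in g.items():
        h[e] = (h.get(e, 0) + c) % P
    return {e: c for e, c in h.items() if c}

def mul(f, g):
    """Return f * g over GF(P)."""
    h = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            h[e] = (h.get(e, 0) + c1 * c2) % P
    return {e: c for e, c in h.items() if c}

def evaluate(f, r):
    """Evaluate f at the point r in k^n."""
    total = 0
    for e, c in f.items():
        for x, k in zip(r, e):
            c = c * pow(x, k, P) % P
        total = (total + c) % P
    return total

def random_poly(rng, max_exp, terms):
    """Random polynomial with `terms` monomials, each exponent at most max_exp."""
    f = {}
    for _ in range(terms):
        e = tuple(rng.randint(0, max_exp) for _ in range(N_VARS))
        f[e] = rng.randrange(1, P)
    return f

def keygen(rng, m=4):
    """Blocks 102-108: random private key r, first set G, public key H with h_i = g_i - g_i(r)."""
    r = tuple(rng.randrange(P) for _ in range(N_VARS))
    G = [random_poly(rng, 2, 5) for _ in range(m)]
    H = [add(g, {(0,) * N_VARS: -evaluate(g, r) % P}) for g in G]
    return r, H

def encrypt(rng, H, q):
    """Equation 2: p = (sum of a_i * h_i) + q, with sender-chosen arbitrary a_i."""
    p = {(0,) * N_VARS: q % P}
    for h in H:
        p = add(p, mul(random_poly(rng, 1, 3), h))
    return p

def decrypt(p, r):
    """Equation 3: p(r) = q, since each a_i(r) is multiplied by h_i(r) = 0."""
    return evaluate(p, r)

def round_trip(seed=1, q=42):
    """Generate a key pair, encrypt the field element q, and return the decrypted value."""
    rng = random.Random(seed)
    r, H = keygen(rng)
    assert all(evaluate(h, r) == 0 for h in H)  # the public key must vanish on r
    return decrypt(encrypt(rng, H, q), r)
```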
A hybrid method of encryption/decryption may be used when dealing with other types of messages that are not elements of the field k. Examples of these other types of messages include, but are not limited to, text, graphics, audio, video, and databases. Referring to FIG. 4, the hybrid approach to encryption/decryption involves the generation of the public key/private key pair and transmission of the public key, as shown in blocks 400 and 402. These are the same steps as shown in FIG. 3, blocks 300 and 302 respectively.
Hybrid encryption involves selection or random generation of a conventional encryption key q' that is an element of the field k (q' ∈ k), as shown in block 404. This conventional key q' is then used to encrypt the message using any conventional method, as shown in block 406. The conventional key q' is then encrypted using the public key to create an encrypted conventional key p', as shown in block 408. The encryption method is the same as shown in equation 2, with p' substituted for p and q' substituted for q.
Transmission now involves sending both the encrypted message and the encrypted conventional key p' to the person receiving the message, as shown in block 410. Both the encrypted message and encrypted conventional key p' may be transmitted together as a single item, or transmitted separately.
The person receiving the encrypted message and the encrypted conventional key p' first decrypts the encrypted conventional key p' using the private key r to produce the conventional key q', as shown in block 412. Here, decryption is performed as shown in equation 3, with p' substituted for p and q' substituted for q. Decryption of the original message is then performed using the conventional key q', as shown in block 414.
While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention.