A Public Key Crypto System On Real and Com. Complex Numbers

Transcription

1 A Public Key Crypto System On Real and Complex Numbers ISITV, Université du Sud Toulon Var BP 56, La Valette du Var cedex May 8, 2011

2 Motivation Certain rational interval maps can be used to define a cryptographically difficult problem based on entropy. This is exploited to define a fast and efficient block cipher with a public key, i.e. a Public Key Cryptosystem. The strength of the system will be studied. Parameters requirements will be derived. Implementation details will be presented.

3 Structure of the Presentation 1 The concept of One Way Function for Real Numbers. 2 Trap Door 3 The Interval Maps. 4 The New crypto-system. 5 Complex Field Case

4 One way Functions The concept of one way function (OWF) was introduced in the seventies, linking mathematical considerations of a mapping and its converse with two different computational complexities. The two most studied OWF are : The discrete exponential and the discrete logarithm function on a finite prime field The RSA problem linking a specific couple of exponentiations on a certain finite ring linked to the factorisation problem of factoring two integers.

5 One way Functions 2 These OWF are linked to a computationally hard problem. This means that, in each instance, finding a solution requires testing all ( or nearly all) the elements of a set to see if it is a solution to the problem. The set is of very large cardinality, without any possible strategy of converging to a solution and thus reducing the computational effort.

6 Entropy Based One Way Functions We introduce another kind of computationally hard problem which relies on another paradigm: The Entropy Based Pre-image Search Problem. It is applied using iterated interval maps. Suppose there is a function f(), real valued defined on the unit interval, computable in polynomial time, such that for any y of the unit interval the set A y of preimages of y is a set of (arbitarily) large cardinality, with computation parameters that are tractable. Such a mapping is called an entropy based OWF.

7 Computing the value f(x) is done in polynomial time. Finding a pre-image of a given element is done in polynomial time by the well known algorithms. However, with adequate parameters, finding all the pre-images is not possible with available memory resources, in a fixed reasonable interval of time.

8 Quadratic Curve

9 Cubic Curve

10 The Polynomial Interval Maps The new scheme requires interval maps with, for each element, a large set of pre-images. The scheme starts with polynomial interval maps: f(x) = α.x 2 mod 1 g(x) = β.x 3 mod 1 The coefficients must satisfy α > 2 and β > 2. The variable x belongs to the unit interval I = [0, 1]

11 Properties of f() The mapping f() has the functional property f(λ.x) = λ 2 f(x) mod 1 for all real valued λ < 1. The mappings f() is surjective (onto).

12 Properties of g() The mapping g() has the functional property g(λ.x) = λ 3 g(x) mod 1 for all real valued λ < 1. The mappings g() is surjective (onto). This property will serve as a trap door in the PKC.

13 Existence and Computational Problems Associated to Interval Maps To these mappings two algorithmic problems can be deduced. These will be used in a cryptographic context with adequate parameters.

14 Computational Problem for Iterated Polynomial Maps CPPM Given a set of values consisting in the evaluation of two points on the unit interval with the two mapping f(), g() defined in the preceding section, Given (f(a), g(a), f(b), g(b)) compute the values (f(a.b), g(a.b)). The solution of the problem is the following. The set of pre-images of an element a in the unit interval for f(), E f (a) = {x [0, 1] s.t. f(x) = a} is a set with α points lying in the unit interval. Computation of individual elements is possible in polynomial time. The same can be said for the set E g (a) = {x [0, 1]s.t. g(x) = a} for the mapping g(). In this setting the search for the element a is equivalent to computing the intersection of E g (a) and E f (a).

15 Computational Problem for Polynomial Maps CPPM If another pre-image of f(a) say a is used instead of a the inequality g(a.b) g(a.b) will be true and the problem will not be solved. The same can be said with b another pre-image of b for the mapping g().

16 The Decisional Problem for Polynomial maps DPPM The decision problem associated to the iterated interval maps can be defined as follows for a couple of iterated interval maps f() and g(). Given a set of values for three points of the unit interval a, b, c. (f(a), g(a), f(b), g(b), f(c), g(c)) Decide if c = a.b. The decisional problem is solved if an instance of the existence problem are solved. Therefore solving the decision problem is at least as hard as the computational problem.

17 Encoding Data on the Unit Interval Suppose that the words of plaintext are n -bit sequences which must be coded. Pre-compute the sequence a i = 2 i+1 i = 0,..., n 1 With the help of the sequence a i, a block of n bits x 0,..., x n 1 is encoded into the floating point number: n 1 y = x i a i 0 This coding method is efficient if the a i are pre-computed, since the computation of y involves only sums.

18 Decoding Numbers into Bit Sequences To obtain the bit sequence x 0,..., x n 1 associated to a floating point number y, one uses a knapsack linear decoding algorithm which runs as follows: Input y, output x 0,..., x n 1 for( i=0,i<n;i++) { if y > a i { x i =1 y=y-a i } else x i =0; } The floating points used to represent the binary data must be coded on at least n bits. However the precision must be 2 n bits in order that computational noise does not interfere with significant data.

19 Computing a Random pre -image for f() The analytical expression for the modular mapping f() can be quite hard to obtain if α is large. However with the non modular version the algorithm becomes quite simple. Suppose you want to compute a pre-image of y for y = α.x 2. Choose a random integer r such that 0 < t = y + r < α Compute x = (t/α) the result x is a random pre-image of y Remark One must note that the random integer r can be chosen to be really random since it must never be recomputed.

20 The associated PKC With the usual convention we will suppose that Alice wants to encipher a message to Bob in such a way that only Bob can decipher it. The Secret Key Belonging to Bob The secret key and characteristic quantity of the destination of the message is a real number s in the unit interval. They can be associated is associated to 2 different n bit sequences as shown earlier. The real number s is specific to one user and can be used to encipher many plaintext messages. The images f(s) and g(s) must be computed and kept secret. The block size n must be specified by Bob. The usual values are 128,256,512,1024.

21 The Public Key of Bob The public key of Bob is made of the following data. 1 The block length n, as well as α and β. 2 (f(s), g(s)) which are the images by the mapping f() ang g() of the secret key s. 3 The function f(x) = α x 2 and g(x) = β.x 3.

22 How Alice computes a cryptogram(enciphering) Let M the plaintext (sequence of bits) and r m the real number associated to a block of n bits, less than 1 associated to the message to be enciphered, by the method described. Alice begins by choosing by computing a (random) pre-image x of r m for the mapping f(). She then computes g(x.s) using the trap door property of g(). She also computes g(x).

23 Encrypting 2 2 The real number c 2 = g(x.s) The cryptogram of r m is a couple of real numbers: 1 The real number c 1 = x.g(x).g(x.s).

24 (Deciphering) Let c 1, c 2 be the cryptogram of r m, message enciphered for Bob, who has the secret quantity r. The deciphering of cryptogram by Bob has two steps 1 He computes d = g(x) with the trap dooor and 1/s 2 He computes t = c1 /(d.c 2 ). The real number t is equal to x. 3 He computes the iterated image of the result using f(). r m = f(t) = f(x) He then extracts the binary plaintext sequence x i from r m with a knapsack algorithm.

25 Soundness of the System Any user knowing the public key can encipher a message to Bob. Only Bob can perform the first step of the deciphering algorithm since it involves using the secret key. The second step can which relies on the first one cannot be done.

26 The Zero Knowledge Property of the PKC The presented PKC can be made zero knowledge if enough redundancy is introduced. The algorithm becomes Zero knowledge when the entropy of x is as large as the entropy of m. This depends on te size of α. If α > 2 n The the number of possible pre-images of r m and hence of cryptograms, is at least as large as the number of possible plaintext. Thus the ZK property is obtained

27 The Complex Case Setting 1 Let x m, y m be two real numbers less than 1, associated to M a 2.n bit sequence. Let be the modulus and be the argument. ρ m = x 2 m + y 2 m θ m = argcos(x/ρ m ) Le D be the complex disc, centered at 0 with radius 2.

28 The Complex Case Setting 2 Let α and β be two complex numbers with large modulus. Let f(z) = α.z 2 Let g(z) = β.z 3

29 The Complex Case Setting 3 Let z = (ρ z, θ z ) and z = (ρ z, θ z ) be two complex numbers in the disc D. The modular product z.z is defined as follows: ρ zz = ρ z.ρ z mod 2 and θ zz = θ z + θ z mod 2.π

30 The Complex Case PKC With the above conventions, the PKC definition is transposed to the complex case. -The length of the key is 2.n bits for a block length of 2.n bits. -The number of pre-images for the function f() and g() is evaluated in the same way for the modulii of the complex numbers involved. -The cryptogram is made of 2 complex numbers. -The security analysis is transposable.

31 The Secret Key Belonging to Bob The secret key and characteristic quantity of the destination of the message is a couple of real number x s, y s in the unit interval. They can be associated is associated to 2 n bit sequences as shown earlier. The complex numbers z s is specific to one user and can be used to encipher many plaintext messages. The images f(s) and g(s) must be computed. The block size n must be specified by Bob. The usual values are 128,256,512,1024.

32 The Public Key of Bob The public key of Bob is made of the following data. 1 The block length n, as well as α and β complex numbers with large modulii. 2 (f(s), g(s)) which are the images by the mapping f() ang g() of the secret key s. 3 The function f(x) = α x 2 and g(x) = β.x 3.

33 How Alice computes a cryptogram(enciphering) Let M the plaintext (sequence of bits) and z m = (x m, y m ) the complex number associated to a block of 2.n bits, less than 1 associated to the message to be enciphered, by the method descrided. Alice begins by choosing by computing a (random) pre-image x of z m for the mapping f(). She then computes g(x.s) using the trap door property of g(). She also computes g(x).

34 Encrypting 2 The cryptogram of z m is a couple of complex numbers: 1 The complex number c 1 = x.g(x).g(x.s). 2 The complex number c 2 = g(x.s)

35 (Deciphering) Let c 1, c 2 be the cryptogram of z m, message enciphered for Bob, who has the secret quantities r. The deciphering of cryptogram by Bob has two steps 1 He computes d = g(x) with the trap dooor and s 1 2 He computes t = c1 /(d.c 2 ). The complex number t is equal to x. 3 He computes the iterated image of the result using f(). z m = f(t) = f(x) He then extracts the binary plaintext sequence x i y i from ρ m, θ m with a knapsack algorithm applied to the real and complex part.