Systems and Methods for Hiding Private Cryptographic Keys in Multimedia Files

Abstract

A system and method for encryption of data. The system and method utilizes a cryptographic function that provides asymmetric encryption/decryption and digital signing capabilities that are hardened against cyber attack from quantum computers.

Claims

1. A computer-implemented method for hiding some private data (PD) in a set of operable data, the method comprising: generating a key pair, comprising an encoding key (EK) and a decoding key (DK); obtaining the PD; encoding, using the EK, the obtained PD in the operable data to generate one or more steganographic files; extracting or decoding, using the DK, the PD from the steganographic file(s); and outputting the extracted or decoded PD.

2. The method of claim 1, further comprising: using a Goppa code to perform the encoding of the PD.

3. The method of claim 1, wherein the operable data appears, to a user over a user interface, substantially unaltered after the encoding.

4. The method of claim 1, wherein the operable data comprises at least one set of pictures, audio, or video.

5. The method of claim 1, wherein the PD is a private key or a secret key in a public key infrastructure (PKI).

6. The method of claim 1, wherein the PD is a post-quantum cryptography (PQC) secret key.

7. A cryptographic system, comprising: an input device configured to receive one or more multimedia files; and a processor configured to hide some private data in the one or more multimedia files using steganography implemented via an error-correction determined based on a Goppa code.

8. The system of claim 7, wherein the processor is further configured to input, via a user device, seed data or a personal identification number (PIN), and wherein the hiding is performed based on the seed data or the PIN.

9. The system of claim 7, wherein the processor is further configured to digitally sign the hidden private key as a proof of identify or ownership.

10. The system of claim 7, wherein the processor is further configured to store the one or more steganographic files among a plurality of other files of a same type as the one or more steganographic files.

11. The system of claim 7, wherein the PD is a private key or a secret key in a PKI.

12. The system of claim 7, wherein the PD is a PQC secret key.

13. A computer-implemented method for hiding some PD in one or more multimedia files, the method comprising: deriving an EK, DK, and a symmetric key based on a PIN; encrypting the PD using the symmetric key; and hiding the encrypted PD in the one or more multimedia files using the EK.

14. The method of claim 13, further comprising: performing a restoration, using the PIN, to retrieve both the DK and the symmetric key, wherein the DK is used to extract the encrypted PD.

15. The method of claim 14, further comprising: after the restoration, performing a decryption to retrieve the PD using the symmetric key.

16. The method of claim 15, wherein the encrypted and encoded PD is recovered, after processing multimedia containers holding the encrypted and encoded PD.

17. The method of claim 16, wherein the hiding is operable without the one or more multimedia files being of a quality that satisfies a criterion.

18. The method of claim 13, wherein the PD is a private key or a secret key in a PKI.

19. The method of claim 13, wherein the PD is a PQC secret key.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0043] FIG. 1 is a block diagram of a system for carrying out a cryptographic method in accordance with one embodiment of the present invention whereby the system is used for encryption, decryption, generating digital signatures, verifying digital signatures, etc.

[0044] FIG. 2 is a block diagram of a system for carrying out a cryptographic method in accordance with an additional embodiment of the present invention whereby the system provides further security through use of a trusted platform module (TPM) or a universal serial bus (USB) interface.

[0045] FIG. 3 is a block diagram of a system for carrying out a cryptographic method in accordance with another embodiment of the invention whereby the system generates a public key and a private key based on a set of input parameters.

[0046] FIG. 4 is a block diagram of a system for carrying out a cryptographic method in accordance with another embodiment of the invention whereby a Post-Quantum Blockchain (PQBC) is created so that data security of the PQBC is strengthened against cyber attacks from quantum computers and classical computers.

[0047] FIG. 5 is a flowchart illustrating a process of generating a private key and a corresponding public key in a public key cryptographic device in accordance with an embodiment of the present invention.

[0048] FIG. 6 is a flowchart illustrating the process of encrypting data using a public key in the public key cryptographic device in accordance with an embodiment of the present invention.

[0049] FIG. 7 is a flowchart illustrating the process of decrypting an encrypted data using a corresponding private key in a public key cryptographic device in accordance with an embodiment of the present invention.

[0050] FIG. 8 is a flowchart illustrating the process of digital signing data using a private key in a public key cryptographic device in accordance with an embodiment of the present invention.

[0051] FIG. 9 is a flowchart illustrating the process of verifying a digital signature using a corresponding public key in a public key cryptographic device in accordance with an embodiment of the present invention.

[0052] FIG. 10 is a flowchart illustrating a way of hiding a private cryptographic key in one or more multimedia files using steganography and an error-correction method in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

[0053] The invention will now be described with reference to the drawing figures in which like reference numerals refer to like parts throughout. In FIG. 1, a public key cryptographic device 100 in accordance with an exemplary embodiment of the invention is depicted. The cryptographic device 100 to receives an encryption key from memory 102, which can be a public key or private key. The cryptographic device also receives from an input device 104, data that is to be encrypted. The data can include, but is not limited to, a message vector to be securely transmitted from a sender to a receiver, or data from a network interface, a data storage device such as a hard drive, a key board, and the like. As described below, the data to be encrypted can also be the hash value of data to be digitally signed.

[0054] The encryption key and encrypted data may be received from inside a computing device, such as a personal computer, from one or more devices within a network or from third party devices outside the network. As described in more detail below, it will be readily understood that the public key cryptographic device can be any device capable of performing the processes described herein whether integrated into a single semiconductor package or distributed amongst several semiconductor devices contained within a single computer or server or distributed over multiple devices within one or more networks.

[0055] The cryptographic device 100 includes an input/output device 106, which can, for example, be a network communication interface, for receiving the plain data from the input device 104 and receiving the encryption key. The plain data and encryption key are then forwarded to an Input/Output Bridge 108 and a Memory Bridge 110 for storage in system memory 112. In exemplary embodiments the System Memory 112 may contain operating instructions such as, but not limited to, the Operating System 114. In addition to the operating system as well as other operating instructions 114 that are stored in system memory 112, the system memory includes the processing instructions of a cryptographic engine 116. The cryptographic engine 116 provides the operational instructions for the cryptographic functions such as encryption, decryption, digital signature, verification of digital signature, etc.

[0056] The cryptographic processing of the encrypted data is performed in the CPU 118 that is linked to system memory 112 via a Memory Bus. The CPU 118 can be implemented as a parallel co-processor, a field programmable gate array (FPGA), microprocessor, or the like, as is well understood.

[0057] Where all components of the system are contained within a single device, as depicted in FIG. 1, the cryptographic device 100 can be implemented as a single purpose computing device, e.g., a special device performing one or more special cryptography function like a secure key device, a credit card chip, passport chip, etc.) Alternatively, the components and functioning depicted in FIG. 1 can be can be distributed within a multiple purpose computing device, e.g., a general computer or server, or distributed over multiple devices within a network. For example, the functioning can be implemented on a cluster of server computers in a manner that is well-known.

[0058] The embodiment of FIG. 1 can be implemented on a computer network such as the Internet that is strengthened against cyber attack from both classical computers and quantum computers and has a manageable key size and improved computational efficiency using a variant of the McEliece and Niederreiter schemes. In the classical McEliece and Niederreiter algorithms, the scheme parameters are determined by two key elements m and t and the error correcting code is considered in the classical, i.e., un-weighted, Hamming metric. In one embodiment of the scheme of the present application there is significant flexibility in choosing the parameter of the code length n based on a third key parameter r and the use of Goppa codes in a weighted Hamming metric. In this embodiment, a special type of locator set, L*, is used that is a set of rational functions of degree not greater than r where r is greater than 1, and with coefficients from a finite field GF(2.sup.m). This is contrasted with the classical scheme, in which the elements of the field GF(2.sup.m) are used as the locator set. This change in the locator set significantly increases the length of the code, while the calculations remain in the field GF(2.sup.m).

[0059] In this embodiment, a special representation of the parity check matrix H, and the generator matrix G of the code, a special selection of the error vector, and/or a special selection of the codeword presentation by the additional field(s) inclusion are utilized. In an embodiment a parity check matrix H is generated for an n, k, d binary generalized (L, G) code wherein n, k, and d, are positive integers, n is a code length, k is a number of information symbols and d is a minimal distance n≤Σ.sub.i=1.sup.rI.sub.2.sub.m(i),k≥n−tm. Where I.sub.2.sub.m(i) is a number of irreducible polynomials of degree i with coefficients from GF(2.sup.m). It is also possible to present transformation A×H×P=H* (or S×G×P=G*) as a special permutation of the support set L. Therefore, matrix G* or H* can be obtained directly, without matrix S or A and P, from L* and G(x), where L* is a special secret permutation of support set L. In such case we can interpret L* as a second part of a secret key. This embodiment of the invention can be applied to make changes in the main components of, including, but not limited to, the encryption and signature schemes.

[0060] In this embodiment, by using the L* support set directly instead of L with matrix S and P, we can obtain the following variant of McEliece scheme:

[0061] Private key: (Decoding algorithm, L*, G(x))

[0062] Public key: G*

[0063] Encryption: Let m be a k-bit message, and let e be a random n-bit vector with Hamming weight W.sub.H(e)≤t. Then c=m×G*⊕ e is a ciphertext.

[0064] Decryption: Obtaining m by using decoding algorithm (error correcting) with knowledge L* and G.

[0065] In the Niederreiter scheme, by using the two matrices and parity check matrix H, obtained from L and G(x), a public key matrix H*=A×H×P is calculated. As with the McEliece scheme, by using the L* support set directly instead of L with matrix A and P, we can obtain the following variant of Niederreiter scheme:

Private Key: (Decoding Algorithm, L*, G(x))

[0066] Public key: H*

[0067] Encryption: Let m be a message, with Hamming weight W.sub.H(e)≤t. Then c=m×H*.sup.T is a ciphertext.

[0068] Decryption: Obtaining m by using decoding algorithm (error correcting) with knowledge L* and G(x).

[0069] This implementation allows for: 1) the expansion of the selection of a support set, thereby expanding the available private keys; 2) use of rational functions of degree greater than one to keep the calculation in a finite field with a comparable code length. For example, for rational functions of degree 2 with coefficients from the field GF(2.sup.m), the code length is n=2.sup.2m−1+2.sup.m−1. The practical benefits of using rational functions with different degree are: 1) reducing the amount of CPU cycles needed in the encryption, decryption, and key generation processes; and 2) increasing the security for codes with the same parameters (n, k, d), as in classical Goppa codes.

[0070] The generalized (L, G) code of an embodiment of the present invention is characterized by a set L where the proper rational functions of F.sub.2.sub.m[x] are chosen whose denominators are various irreducible polynomials from F.sub.2.sub.m[x] with degree less than or equal r(r>1), and whose numerators are formal derivatives of the denominators.

[0071] In an embodiment of the invention, a special support set L is used as a second part of the private secret key in the McEliece and Niederreiter method. In this embodiment, we have the following additional definitions:

[0072] Definition #5: Support set L is defined as follows:

[00002]$L=\left\{\frac{f_1^{\prime }\left(x\right)}{f_1\left(x\right)}\frac{f_2^{\prime }\left(x\right)}{f_2\left(x\right)},\mathrm{.Math.},\frac{f_n^{\prime }\left(x\right)}{f_n\left(x\right)}\right\},$

where f′.sub.i(x) is a formal derivative of f.sub.i(x) in GF(2.sup.m) and f.sub.i(x)=x.sup.l.sup.i+c.sub.l.sub.i.sub.−1,ix.sup.l.sup.i.sup.−1+ . . . c.sub.1,ix+c.sub.0,i,c.sub.j,i∈GF(2.sup.m), gcd(f.sub.i(x), f.sub.j(x))=1, gcd(f.sub.i(x), G(x))=1, ∀i, j, i≠j, deg G(x)=t .

[0073] Definition #6: Binary vector a=(a.sub.1,a.sub.2, . . . , a.sub.n) is a codeword of generalized (L, G) code if and only if the following equality is satisfied:

[00003]$\underset{i=1}{\overset{n}{.Math.}}{a}_i\frac{f_i^{\prime }\left(x\right)}{f_i\left(x\right)}=0\mathrm{mod}G\left(x\right)$ [0074] For such codes the design bound for the minimum distance:

[00004]$d_G\ge \frac{2t+1}{l},$

l=max l.sub.i and the decoding algorithm corresponding to it is determined. To construct a parity check matrix for such generalized (L, G) code the following presentation for rational functions

[00005]$\begin{array}{cc}\frac{f_i^{\prime }\left(x\right)}{f_i\left(x\right)}& \end{array}$

by modulo G(x) is used:

[00006]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}=s_i\left(x\right)=b_{i,t-1}{x}^{t-1}+b_{i,t-2}{x}^{t-2}+...+b_{i,1}{x}^1+b_{i,0}\mathrm{mod}G\left(x\right),b_{i,j}\in GF\left(2^m\right)& \end{array}$

[0075] The equation for the generalized Goppa code can then be rewritten as:

[00007]$\begin{array}{c}\underset{i=1}{\overset{n}{.Math.}}{a}_i\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}=\underset{i=1}{\overset{n}{.Math.}}{a}_i{s}_i\left(x\right)\\ =\underset{i=1}{\overset{n}{.Math.}}{a}_i{b}_{i,t-1}{x}^{t-1}+\underset{i=1}{\overset{n}{.Math.}}{a}_i{b}_{i,t-2}{x}^{t-2}+...+\\ \underset{i=1}{\overset{n}{.Math.}}{a}_i{b}_{i,1}{x}^1+\underset{i=1}{\overset{n}{.Math.}}{a}_i{b}_{i,0}\\ =0\mathrm{mod}G\left(x\right),\end{array}$

[0076] From this equation a parity check matrix H is obtained:

[00008]$H=\left[\begin{array}{cccc}{b}_{1,t-1}& b_{2,t-1}& ...& b_{n,t-1}\\ \mathrm{.Math.}& \mathrm{.Math.}& \ddots & \mathrm{.Math.}\\ b_{1,0}& b_{2,0}& ...& b_{n,0}\end{array}\right]$

[0077] From this parity check matrix we can obtain a generator matrix G for the generalized (L, G) code and by using matrix S and P to calculate the public key matrix G*=S×G×P.

[0078] In another embodiment we can also use the fractions

[00009]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}& \end{array}$

with different degrees of f.sub.i(x) for support set L. By using irreducible polynomials f(x) with degree not greater than r for support set we can obtain a generalized Goppa code with codeword length n≤Σ.sub.i=1.sup.rI.sub.2.sub.m(i), where I.sub.2.sub.m(i) is a number of irreducible polynomials of degree i with coefficients from GF(2.sup.m).

[0079] The following two examples are provided for illustration purposes:

[0080] Example 1: In this example m=6 and r=2. Since I.sub.2.sub.6(1)=64,

[00010]$\begin{array}{cc}{I}_{2^6}\left(2\right)=\frac{2^{12}-2^6}{2}& \end{array}$

we obtain n=2048+32=2080. Let d=61, t=30 then we have k≥2080−60.Math.6=1720.

[0081] Example 2: For l=2 and f.sub.i(x)=(x−β.sub.i) (x−β.sub.i.sup.2.sup.m), β.sub.i ∈ GF(2.sup.2m)\GF(2.sup.m), G(x) which is an irreducible polynomial from the polynomial ring F.sub.2.sub.m[x]. The parity check matrix for this example is:

[00011]$\begin{array}{cc}\frac{1}{x-\beta }=\frac{G\left(x\right)-G\left(\beta \right)}{x-\beta }{G\left(\beta \right)}^{-1}\mathrm{mod}G\left(x\right)\mathrm{and}\frac{\beta +{\beta }^{2^m}}{\left(x-\beta \right)\left(x-{\beta }^{2^m}\right)}=\frac{G\left(x\right)-G\left(\beta \right)}{x-\beta }{G\left(\beta \right)}^{-1}+\frac{G\left(x\right)-G\left({\beta }^{2^m}\right)}{x-{\beta }^{2^m}}{G\left({\beta }^{2^m}\right)}^{-1}\mathrm{mod}G\left(x\right)\frac{G\left(x\right)-G\left(\beta \right)}{x-\beta }=g_t\left(x^{t-1}+x^{t-2}\beta +...+{\beta }^{t-1}\right)+g_{t-1}\left(x^{t-2}+x^{t-3}\beta +...+{\beta }^{t-2}\right)+...g_2\left(x+\beta \right)+g_1,& \end{array}$

where G(x)=Σ.sub.i=0.sup.tg.sub.ix.sup.i, g.sub.i ∈ GF(2.sup.m), g.sub.t≠0, g.sub.0≠0 and

[00012]$\begin{array}{cc}\frac{G\left(x\right)-G\left({\beta }^{2^m}\right)}{x-{\beta }^{2^m}}=g_t\left(x^{t-1}+x^{t-2}{\beta }^{2^m}+...+{\beta }^{2^m\left(t-1\right)}\right)+g_{t-1}\left(x^{t-2}+x^{t-3}{\beta }^{2^m}+...+{\beta }^{2^m\left(t-2\right)}\right)+...g_2\left(x+{\beta }^{2^m}\right)+g_1,& \end{array}$

The coefficients at x.sup.t−1,x.sup.t−2, . . . , x,1 in the sum

[00013]$\begin{array}{cc}\frac{G\left(x\right)-G\left(\beta \right)}{x-\beta }{G\left(\beta \right)}^{-1}+\frac{G\left(x\right)-G\left({\beta }^{2^m}\right)}{x-{\beta }^{2^m}}{G\left({\beta }^{2^m}\right)}^{-1}{x}^{t-1}:\left({G\left(\beta \right)}^{-1}+{G\left({\beta }^{2^m}\right)}^{-1}\right)g_t,x^{t-2}:\left({G\left(\beta \right)}^{-1}+{G\left({\beta }^{2^m}\right)}^{-1}\right)g_{t-1}+\left(\beta {G\left(\beta \right)}^{-1}+{\beta }^{2^m}{G\left({\beta }^{2^m}\right)}^{-1}\right)g_t.x^{t-3}:\left({G\left(\beta \right)}^{-1}+{G\left({\beta }^{2^m}\right)}^{-1}\right)g_{t-2}+\left(\beta {G\left(\beta \right)}^{-1}+{\beta }^{2^m}{G\left({\beta }^{2^m}\right)}^{-1}\right)g_{t-1}+\left({\beta }^2{G\left(\beta \right)}^{-1}+{\beta }^{2.Math.2^m}{G\left({\beta }^{2^m}\right)}^{-1}\right)g_t,x^0:\left({G\left(\beta \right)}^{-1}+{G\left({\beta }^{2^m}\right)}^{-1}\right)g_1+\left(\beta {G\left(\beta \right)}^{-1}+{\beta }^{2^m}{G\left({\beta }^{2^m}\right)}^{-1}\right)g_2+...+\left({\beta }^{t-1}{G\left(\beta \right)}^{-1}+{\beta }^{\left(t-1\right).Math.2^m}{G\left({\beta }^{2^m}\right)}^{-1}\right)g_t.& \end{array}$

[0082] A parity check matrix H is defined by:

[00014]$H=\left[\begin{array}{cccc}{G\left({\beta }_1\right)}^{-1}+{G\left({{\beta }_1}^{2^m}\right)}^{-1}& {G\left({\beta }_2\right)}^{-1}+{G\left({{\beta }_2}^{2^m}\right)}^{-1}& ...& {G\left({\beta }_n\right)}^{-1}+{G\left({{\beta }_n}^{2^m}\right)}^{-1}\\ {\beta }_1{G\left({\beta }_1\right)}^{-1}+{{\beta }_1}^{2^m}{G\left({{\beta }_1}^{2^m}\right)}^{-1}& {\beta }_2{G\left({\beta }_2\right)}^{-1}+{{\beta }_2}^{2^m}{G\left({{\beta }_2}^{2^m}\right)}^{-1}& ...& {\beta }_n{G\left({\beta }_n\right)}^{-1}+{{\beta }_n}^{2^m}{G\left({{\beta }_n}^{2^m}\right)}^{-1}\\ & \mathrm{.Math.}& & \\ {{\beta }_1}^{t-1}{G\left({\beta }_1\right)}^{-1}+{{\beta }_1}^{\left(t-1\right)2^m}{G\left({{\beta }_1}^{2^m}\right)}^{-1}& {{\beta }_2}^{t-1}{G\left({\beta }_2\right)}^{-1}+{{\beta }_2}^{\left(t-1\right)2^m}{G\left({{\beta }_2}^{2^m}\right)}^{-1}& ...& {{\beta }_n}^{t-1}{G\left({\beta }_n\right)}^{-1}+{{\beta }_n}^{\left(t-1\right)2^m}{G\left({{\beta }_n}^{2^m}\right)}^{-1}\end{array}\right]$

[0083] By way of the foregoing, a special generalization of Goppa codes is constructed with a support set L as a set of rational functions

[00015]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}.& \end{array}$

The special generalization of Goppa codes is neither a Reed Solomon (RS) code nor an alternate code.

[0084] For decoding these generalized Goppa codes, the Goppa polynomial G(x) and support set L must be known. A classical decoding algorithm (Euclidean, Berlekamp-Massey, Patterson, etc.) can then be used.

[0085] Using a set of position numerators of degree greater than 1, the degree of Galois field extension m for obtaining a support set L is reduced, thereby reducing the complexity of the calculations in the decoding process. The degree m of the field extension is reduced by r times, where r is the degree of the position numerators.

[0086] By way of example, a scheme (2060, 1720, t=30) can be constructed close in parameters to the classical McEliece and Niederreiter (2048, 1718, t=30) scheme by using elements from the Galois field GF(2.sup.6) instead of the field GF(2.sup.11) used in the original scheme. Therefore in the scheme of this example, all calculations in the decoding procedure can be done in the Galois field GF(2.sup.6) with only 2.sup.6 elements instead of the Galois field GF(2.sup.11) with 2.sup.11 elements required.

[0087] In the embodiment depicted in FIG. 1, after the cryptographic operations are performed, the result 120 of this computation is returned to the input/output device 106 and output from the cryptographic device 100. An embodiment in accordance with one aspect of the present invention provides a public key cryptographic system and method that can be used to build a highly secure system for data storage, access, encryption, decryption, digital signing, digital signature verification, etc.

[0088] FIG. 2 depicts an alternative embodiment of a system in which the foregoing encryption method can be employed. In the system of FIG. 2, the cryptographic engine 116 is implemented on a Chip 130, such as field programmable gate array (FPGA), operating as an independent processing module 132 such as, but not limited to, a TPM-Trusted Platform Module (TPM) or a Universal Serial Bus (USB) Module, rather than being stored in system memory. An advantage of implementing the cryptographic engine 116 on an independent processing module 132 is that the private key 124 is stored on the chip 130 and therefore separated from the operating system contained in the System Memory 114. This provides an added layer of security as the Private Key 124 is not directly exposed to the file system of the operating system which can be compromised as can the system memory 114.

[0089] In the alternative embodiment of FIG. 3, the public key cryptographic device 100 generates a private key 124 and its corresponding public key 126 using an input list of parameters 122. As previously described, the public key 126 (FIG. 3) can be used in encryption and decryption operations. In one embodiment, the public key cryptographic device 100 of FIG. 3 can be implemented as described in connection with FIG. 1 except for the instructions being implemented by the cryptographic engine 116.

[0090] An application of the foregoing systems is depicted in FIG. 4, in which the cryptographic engine can be applied to create a Post-Quantum Blockchain (PQBC) 140. In the exemplary embodiment of FIG. 4, the last data block 152 in the PQBC 140 is created by participant node 146 preceded by the data block 150 created by participant node 144 and further preceded by the data block 148 created by participant node 142. All participant nodes use a public key cryptographic device 100 for cryptographic functions. For example, when node 146 creates the last data block 152, node 146 digitally signs the block and records the hash value of the previous data block 150 in the PQBC using a digital signature function in the public key cryptographic device 100. Similarly the other participant nodes 142 and 144 perform the same steps when creating a new data block. Transaction data inside each of the data blocks can optionally be encrypted using the encryption function in the public key cryptographic device 100. End point security can be further enhanced by employing the system of FIG. 3 in which the private key 124 is maintained separate from the operating system.

[0091] Alternative instructions that can be implemented by the device of FIG. 3 are depicted in connection with FIG. 5 in which a method of generating a private and public key pair is shown. The private key 124 and its corresponding public key 126 are used for different functions in the public key cryptographic device 100 such as, but not limited to, encryption, decryption, digital signing, and digital signature verification. The code parameter selection engine 132 chooses m, r, t, n with the property that code length n≤Σ.sub.i=1.sup.rI.sub.2.sub.m(i), t>r and wherein: m is the degree of the field expansion GF(2.sup.m) in which the operations will be performed during decoding and signature calculations, and which will thereby determine the complexity of the circuit calculations; r is the maximum degree of the denominator of a rational function over F.sub.2.sub.m[x] in the set of L; and t is the number of errors in the weighted Hamming metric that can be corrected by the code. There is no limit on how m, r, and t are selected.

[0092] For illustration purposes, m determines the Galois field GF(2.sup.m) used in the calculations while r and m determine the size of support set L. Since code length n, r, and t determine a minimal distance of the code, therefore these parameters also determine the number of errors that could be corrected by such error correcting code. The private support set L generator 160 chooses or generates n elements (rational functions

[00016]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)})& \end{array}$

to support set L. For the sake of clarity, f.sub.i(x) should be an irreducible polynomial of degree r. There are well-known methods to generate such polynomial, which are outside the scope of this invention. The Private Goppa Polynomial G(x) processor 162 chooses and/or generates primitive polynomial degree t from F.sub.2.sub.m[x]. For the sake of clarity, G(x) is an irreducible (separable) polynomial of degree t with coefficients from GF(2.sup.m). There are well-known methods to generate such polynomial, any of which can be used. The two elements G and L of Goppa code are defined unequally. Therefore, by using the (f.sub.i(x)).sup.−1 mod G(x) generator 164 and obtaining r.sub.i(x) using the i-th column r.sub.i(x) of parity check matrix H generator 166, it is now possible to use the i-th binary column of parity check matrix H generator 168 to obtain a number of binary elements equal to the multiplication oft and m (tm), and collect all necessary n columns and tm binary rows r.sub.i1, r.sub.i2, . . . , r.sub.imt of parity check matrix H from the i-th column r.sub.i(x)∈GF(2.sup.m), deg r.sub.i(x)=t−1 during n cycles of the process of steps 160, 164, and 166. For the sake of clarity, r.sub.i(x)=f′.sub.i(x) (f.sub.i(x)).sup.−1 mod G(x), where f′.sub.i(x) is formal derivative of fi(x). The binary parity check matrix H 170 is represented as a tm×n binary matrix. Together with a randomly selected mt×mt non-singular matrix S 172 and another randomly selected n x n permutation matrix P 174 the public key 126 can be obtained by performing a matrix multiplication of H*=S×H×P. On the other hand, the private key 124 can be obtained as K={S, P, L, G(x)}.

[0093] A method of encrypting a message in accordance with an embodiment of the present invention is depicted in FIG. 6 in which the Message 176 is presented as a binary vector e of length n and Hamming weight no more than t/r. The Encrypted Message 178 is obtained as an encrypted vector w of length mt by using matrix multiplication of the public key 126 and the message 176 whereby w=e×(H*).sup.T.

[0094] A method of decrypting an encrypted message in accordance with a preferred embodiment of the invention is depicted in FIG. 7 in which the encrypted message 180 of length mt is decoded by decoder 182 using a Berlekamp-Massey algorithm or an extended Euclidean algorithm or Patterson algorithm. The private key 124 and the elements of field GF(2.sup.m) 186 are provided to the decoder 182 for the decoding process. For the sake of clarification, in the private key 124 G(x) is an irreducible polynomial of degree t with coefficients from the field GF(2.sup.m) with support set L as a set of rational functions

[00017]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}.& \end{array}$

The decoded message 184 is an information vector e of the length n and weight in the weighted Hamming metric less than or equal to t.

[0095] A method of obtaining a digital signature for input data, using the cryptographic device 100, is depicted in FIG. 8. This method uses the secret Goppa code elements of a Goppa polynomial G(x) with support set L in a well-known digital signature generation process such as, but not limited to, the Courtois-Finiasz-Sendrier (CFS) signature scheme. Data 190 to be digitally signed is provided to a first hash process 192. The resulting hash value h is used by a second hash process 194 to generate hash value H using h and i (H=hash(h∥i) where the length of H is mt bits) where i is a looping incremental value starting at 1. The second hash value H is then used by the decoder 196 in a decoding process based on elements of a Galois field GF(2.sup.m) 198 and a private key 124 using an Berlekamp-Massey or Extended Euclidean algorithm. For the sake of clarification, in the private key 124, G(x) is an irreducible polynomial of degree t with coefficients from the field GF(2.sup.m)) with support set L as a set of rational functions

[00018]$\begin{array}{cc}\frac{{f^{\prime }}_i\left(x\right)}{f_i\left(x\right)}.& \end{array}$

The second hash process 194 and the decoder 196 are repeated with an incrementing i value until a successful decoding is reached. The resulting digital signature 120, represented as {s,i}, consists of two elements: 1) a vector s of the length n and weight in the weighted Hamming metric of less than or equal to t; and 2) a parameter i equal to the number of the successful steps.

[0096] A method of verifying a digital signature for given data, in the cryptographic device 100, is depicted in FIG. 9. In this embodiment, the digital signature 202 to be verified is represented as {s*,i}. The data 204, which is signed by the digital signature 202, is provided to a hash process 206 as w. Hash process 206 is operated so that the resulting hash value h*=Hash(h∥i), where Hash(w)=h and i is the parameter in the digital signature 202. From the digital signature 202 we can obtain the signature vector s* of length n and weight less than or equal to t in the weighted Hamming metric. A binary vector h** of the length tm, h**=s*×(H*).sup.T, can be obtained by using matrix multiplication of the public key 126 and the binary vector of the signature s from digital signature 202. The determination between valid signature 208 and an invalid signature 210 can be obtained by comparing the value h** and h*.

[0097] Blockchains are often implemented using a public/private key pair. In some embodiments, the private key may be used to sign transactions or other data, and the public key of that pair may be used to verify the signature (e.g., using elliptic curve cryptography, which is not quantum-safe). The sizes of keys used in blockchains are each typically about 32 bytes (B), which is smaller than the size of a key used in any quantum-safe method.

[0098] The output of hashing functions is typically a hash value having a size of 32 B. Some embodiments may perform a hashing function on the public key of a quantum-safe public key cryptographic device to be able to maintain use of a same-sized public key in the data structure or code of the blockchain by instead using that hash value of the public key of the quantum-safe public key cryptographic device.

[0099] In these or other embodiments, a look up table (LUT) may be used to look-up a hash value that may be inputted into this table, which may output the corresponding public key; inverse functionality is also contemplated whereby an inputted public key of a quantum-safe public key cryptographic device into the LUT may output a corresponding hash value. The LUT may thus be between the hash, which may be 32 B, and the full public key of the quantum-safe public key cryptographic device, which may be larger than 32 B. For example, the LUT may have two columns, one for the hash values and the other for the full public keys. As such, very little changes may be needed to existing blockchain code to adopt a quantum-safe method.

[0100] In a blockchain, the public key is published within the blockchain while the nodes use the private key to sign a transaction or block to be verified by others using the public key. As mentioned, many blockchains use elliptic curve as the cryptographic method. The problem to convert any blockchain to become quantum-safe is that the public key of any quantum-safe algorithm has a size that is greater than 32 B. Therefore, the heart of the code in the blockchain would otherwise have to be modified. The herein-disclosed approach may use a hash value and a LUT to obtain the public key. For example, the public key in the blockchain code may not be the real public key but instead it may be the hash of the public key. A database of public keys and corresponding hash values may be maintained to look-up the real public key. The hash value having a size of 32 B, it may fit well with implementations using a same-sized public key (e.g., the size of an elliptic curve public key).

[0101] In some embodiments, a cryptographic system may comprise a processor configured to: generate a public/private key pair for a quantum-safe cryptographic device; perform a hash function on the public key to obtain a hash value; and, responsive to a request or need for the public key to verify a signature of data from a blockchain, obtain a LUT comprising the public key and the hash value. In these or other embodiments, the public key may have a size that is greater than a size of the hash value.

[0102] In some embodiments, a cryptographic system may comprise a processor configured to: generate a public/private key pair for a quantum-safe cryptographic device; perform a hash function on the public key to obtain a hash value; and, responsive to a request or need for the public key to encrypt data to be added to a blockchain, obtain a LUT comprising the public key and the hash value.

[0103] In some embodiments, an existing blockchain may be converted to a PQBC. For example, a hash value of a public key of a quantum-safe algorithm may be used together with legacy elliptic curve keys such that the blockchain, before the conversion, may be validated against the legacy elliptic curve code. As a result, the system substantially becomes a hybrid one.

[0104] The disclosed approach further involves an algorithm for hiding private data in multimedia files (e.g., a set of images or a video) or another computer file (e.g., a message), by using steganography with an error-correction method (e.g., Goppa codes).

[0105] Steganography is the practice of concealing a message within computer file(s), another message, or a physical object. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program, or protocol.

[0106] Whereas cryptography is the practice of protecting the contents of a message alone, the herein-disclosed use of steganography may conceal the fact that a secret message is being sent and its contents, and the alteration to include the secret message or other data may be substantially subtle to the extent that an observer is not likely to notice it.

[0107] Contemplated herein is use of steganography to hide some private data (e.g., key) in an image (e.g., of JPEG or another format) or another set of data. And a passphrase or a personal identification number (PIN) code may be inserted thereat or otherwise used thereabout to later extract out the private key. For example, the PIN may be a code (e.g., alpha-numeric) or seed, e.g., used in a process for authenticating or securing data. As such, the PIN may dictate how the private data is distributed into the media file, e.g., by adding a suitable “error vector” into the media file for data hiding.

[0108] In this or another example, the same or similar Goppa code method disclosed above may be used but in reverse (e.g., to embed the private data into the image or the other set of data). For example, the image may be used in conjunction with the error vector of the herein-disclosed Goppa code technology. In this or another example, the error vector of the Goppa code may be used to insert an error into the image, and the private data may be considered as the secret data (which is disclosed above as being encoded). More particularly, the encoding key may be used to derive the error vector, and disclosed embodiments may use that to determine how to add that “error” into the picture.

[0109] As such, rather than using a set of words to retrieve otherwise inaccessible private data, herein-contemplated is an approach that involves inserting a private key into a captured image, other sensed data, or another simple type of object (e.g., which may not be derivable). The resulting image may appear substantially unaltered, and the inserted data may not be retrievable therefrom without the PIN.

[0110] In some embodiments, the image, having the private data secretly stored therein, may then be digitally signed as a proof of identify or proof of ownership.

[0111] The image having the embedded data may, as a result of the herein-disclosed concealing computer-implemented operations, not need to be stored in substantially secure storage, e.g., being instead downloadable upon a request at a later time. For example, this image may be stored in a more public space (e.g., in the cloud). In this or another example, the one or more steganographic files may be saved at a location, without disclosing the private key hidden inside of it. This approach may be more secure, e.g., when the PIN is preserved secretly and separately from their steganographic containers.

[0112] The herein-disclosed approach may involve the concept of “subliminal message,” e.g., by embedding the private data into a normal picture/audio/video file by using a PIN as the seed. For example, the picture/audio/video file may look normal even though the private data may be embedded in it similar to the concept of a subliminal message. In other words, the private data may not be re-derived without the PIN. Since the PIN may be much easier to remember than a 24-word list, it is feasible for the user to simply remember it. Even if the user prefers to write down the PIN for safety and store it in a safety box, someone knowing the PIN may still not be able to derive the private data without the encoded picture/audio/video file. Even losing the paper, it is much more feasible to remember the PIN than a 24-word sequence.

[0113] Many types of modern software systems (e.g., blockchains, crypto-wallets, email/file encryption solutions, virtual private networks (VPNs), etc.) rely on public key cryptography. In such systems, information is encrypted and decrypted and/or digitally signed and verified with the help of a public key and private key (or secret key (SK)), i.e., a key pair. The public keys may be distributed openly, but the SKs must be kept secretly (e.g., never being exposed).

[0114] In many embodiments of such cryptographic systems, SKs need to be backed up, to provide emergency recovery opportunities.

[0115] In some implementations, SKs need to be safely and securely replicated to other systems of the same owner. In these or other implementations, there are unfortunately opportunities for adversaries to intercept the SKs.

[0116] A set of words may be used as a seed for generating a private key such that if the key is lost it may be regenerated with said set of words. For example, when someone is creating a crypto wallet, the industry standard is to randomly create a list of English words (e.g. 24 words) as the seed words while using the seed words to derive a private key. The user will write down these 24 words as the secret and store them in a safe place. If anyone knowing these 24 words or the user loses the paper, the wallet problematically will be rendered inoperable.

[0117] To prevent any related damage or cyber security attack, a contemplated storage solution of the SK may involve encrypting them, e.g., by using a symmetric algorithm (e.g., AES), with the symmetric keys being derived from the PIN. But even this method may suffer from a number of potential vulnerabilities. For example, the PIN may not be strong enough, and it may be exploited by a vocabulary attack. In another example, even with a strong PIN, ways of deriving the symmetric key from them may contain one or more vulnerabilities that reduce the complexity of brute-force attacks. In another example, with upcoming quantum computing (QC), one may potentially attack via brute-force even a strongest PIN within a reasonable timeframe. There is thus a need in storage solutions for SKs to be backed-up or transferred, to mitigate such risks.

[0118] As mentioned, a herein-disclosed approach involves steganography and hiding the SKs in one or more multimedia steganographic files, such as a photographic image, video or audio file. Having the SKs hidden therein may significantly increase the complexity of a brute-force attack due to absence of knowledge of where the bits of the SK reside. In some embodiments, an error-correction system (e.g., Goppa codes) may be used to encode the bit positions of the SK hidden in one or more steganographic files using an encoding key (EK). The SK may only be extracted back using the decoding key (DK). An advantage is that the one or more steganographic files, which may appear as ordinary multimedia file(s), may operate as a secure backup of the SK.

[0119] Using more than one steganographic file may further increase the security due to absence of knowledge about which file(s) a collection contains the SK or their fragments.

[0120] In some embodiments, the PIN may be used to derive a pair of EK/DK. FIG. 10 depicts example flowchart 300, involving this operation. This way, during the restoration process, the PIN may be used to retrieve the DK in order to extract the SK back from the one or more steganographic files. An EK, as used herein, may be a public key of the Goppa codes used in steganography, and a DK, as used herein, may be the private key of the Goppa codes used in steganography.

[0121] Yet another embodiment is that the PIN is used to derive 302 both a pair of EK/DK as well as a symmetric key. The way gives an even higher security whereby the symmetric key may be used to encrypt the SK. The symmetric-encrypted SK may then be hidden 304, 306 in one or more steganographic files using the EK. During the restoration process, the PIN may be used to retrieve both the DK and the symmetric key, e.g., with the DK being used to extract 308 the symmetric-encrypted SK. This may be followed by performing decryption, using the symmetric key, to retrieve 310 the original SK.

[0122] In some embodiments, the herein-disclosed approach may recover the encrypted and encoded SK even after processing the multimedia containers that hold them, such as changing their compression rate.

[0123] In an example, to conceal 2 megabits, the herein-disclosed approach may need a block of (2.sup.2m+2.sup.m)/2−1 bits for Goppa-encoding. The herein-disclosed approach may use ¼ of a real image file (e.g., a bitmap image in BMP/RGB format) as an effective steganographic container, such as one of the color channels.

[0124] Therefore, the information rate of the herein-disclosed system may be about m/(2.sup.2m+2.sup.m). The EK for each block may be a Goppa polynomial of degree 2 from a Galois field GF(2.sup.2m). And a number of such polynomials may be: (2.sup.2m−2.sup.m)/2.

[0125] Therefore, if the herein-disclosed approach uses different Goppa polynomials for each k information blocks, said approach may obtain ((2.sup.2m−2.sup.m)/2).sup.k different values of the EK, since the length of the EK may be about (2m−1)k bits. This may allow a hiding of even potentially large post-quantum cryptography (PQC) SKs within any (e.g., even non-high definition (HD)) quality photographic images.

[0126] Although specific embodiments of the invention have been set forth herein, it is not intended that those be limiting. It should be understood that alternate embodiments, including variations and modifications thereto as well as various other features or functions, can be added to the present invention without departing from the scope of the present invention.