Encryption/decryption using key encapsulation/decapsulation
11601260 · 2023-03-07
Assignee
Inventors
Cpc classification
H04L9/0838
ELECTRICITY
H04L9/0618
ELECTRICITY
H04L9/0825
ELECTRICITY
International classification
H04L9/08
ELECTRICITY
Abstract
Systems and methods relating to the encryption and decryption of messages to be sent through a communications link. The system and method uses a random data source at the receive and transmit sides, along with a trusted random sampler that produces correlated random samples from the random data source to be used at the send and receive sides. At the transmit side, the correlated random sample is used to generate a symmetric key as well as a ciphertext. The symmetric key is then used to encrypt the message. The ciphertext is transmitted, along with the encrypted message, to the receive side. The receive side then uses the ciphertext, along with its own correlated random sample, to recover the symmetric key. The symmetric key is then used to decrypt the encrypted message.
Claims
1. A method for encrypting and decrypting a message, the encryption method comprising: a) sampling a random data source to result in a pair of correlated samples from said random data source; b) sending a first one of said pair of correlated samples to an encapsulation module to generate a symmetric key and a ciphertext; and c) encrypting said message using said symmetric key to result in an encrypted message; wherein the decryption method comprises: a1) sending a second one of said pair of correlated samples and said ciphertext to a decapsulation module to recover said symmetric key; b1) decrypting said encrypted message using said recovered symmetric key.
2. The method according to claim 1, wherein said encrypting method further includes the steps of: d) causing a transmission of said ciphertext to a receiver; and e) causing a transmission of said encrypted message to said receiver.
3. The method according to claim 1, wherein said decrypting method further includes a step of: prior to step a1), receiving said encrypted message and said ciphertext.
4. The method according to claim 1, wherein said method is embodied in machine readable and machine executable code stored on a non-transitory computer readable medium wherein, when said machine executable code is executed, said method is implemented.
5. A system for encryption/decryption of a message, the system comprising: a random data source sampler for sampling a random data source to produce a pair of correlated samples; an encapsulation module for receiving a first one of said pair of correlated samples and for generating a symmetric key and a ciphertext using said first one of said pair of correlated samples; a decapsulation module for recovering said symmetric key using said ciphertext and a second one of said pair of correlated samples; an encryption module for encrypting said message to produce an encrypted message, said encrypted message being encrypted using said symmetric key; a decryption module for decrypting said encrypted message, said encrypted message being decrypted using said symmetric key after said symmetric key has been recovered by said decapsulation module.
6. The system according to claim 5, further comprising at least one communications module for transmitting/receiving said messages to and from opposite ends of a communications link.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
(1) The embodiments of the present invention will now be described by reference to the following figures, in which identical reference numerals in different figures indicate identical elements and in which:
(2)
(3)
(4)
(5)
(6)
DETAILED DESCRIPTION
(7) To better understand the present invention, the reader is directed to the listing of citations at the end of this description. For ease of reference, these citations and references have been referred to by their listing number throughout this document. The contents of the citations in the list at the end of this description are hereby incorporated by reference herein in their entirety.
(8) The present invention relates to an encryption/decryption scheme that uses a random data source that produces pairs of correlated samples that are made available respectively to sender and receiver and which can be used to generate a symmetric key for encrypting/decrypting communications between the sender and receiver. To generate the symmetric key, the sender uses an individual sample X (the first one of a pair of correlated samples) that is sampled from the random data source (i.e., a private input from the sender). This results in a ciphertext C and the symmetric key K. The symmetric key K is then used to encrypt the plaintext to be transmitted to the receiver. The encrypted message can then be transmitted to the receiver along with the ciphertext C. Once received by the receiver, the receiver then retrieves the symmetric key K by using the ciphertext C and his own individual sample Y (the second one of the pair of correlated samples) from the random data source (i.e., his own private input). The retrieved symmetric key K is then used to decrypt the encrypted message from the sender.
(9) In the following discussion, the parties in communication may be referred to as Alice, Bob, and Eve, with Alice being the sender, Bob being the receiver, and Eve being an eavesdropper to the communications between the sender and the receiver.
(10) It should be clear that the random data source produces a joint distribution and, while the random data source is theoretically public, the samples are private inputs for the users (i.e., the sender and receiver). The present invention's scheme allows a sender and a receiver to use their samples of correlated randomness (from the random data source) and by the sender sending a single message to the receiver, obtain a shared key that is secure against an eavesdropper (e.g., a wiretapper) with the side information that is represented by its initial random sample.
(11) In other words, the present invention samples a public distribution P.sub.XYZ and gives the samples X, Y, and Z to Alice, Bob and Eve, respectively. This setting is known as the satellite setting [R4], where a satellite broadcasts a random beacon that is received by protocol parties through their (independent) noisy channels. In one embodiment of the present invention, a one-way two-party key agreement in which Alice sends a single message to Bob is used as a KEM, which together with a DEM can provide a hybrid encryption scheme with post-quantum security. Intuitively, using an information-theoretically secure KEM will establish a key whose security will not depend on the computational power of the adversary, and since the DEM component that is implemented using an algorithm such as AES-256, will be safe against quantum computers, the combination of the two will provide post-quantum security.
(12) The present invention uses private randomness samples (correlated random variables) of Alice and Bob to establish a shared key and, as such, is neither fully a public-key, nor a symmetric key system (which would require a shared secret key before the scheme is used) but will use private correlated samples of the two parties to establish a shared key.
(13) Referring to
(14) Once the encrypted message 70 has been produced, this, along with the value or ciphertext C, is transmitted to Bob. Bob can then use a decapsulation function 80 with his correlated random value Y and the value/ciphertext C to recover/reproduce the symmetric key K. The symmetric key K and the encrypted message 70 are then run through a decryption function 90 to produce the original message from Alice.
(15) As can be imagined, the present invention uses a one-way secret key agreement scheme [R5]. In the initial setup of a one-way secret key agreement scheme, Alice, Bob and Eve have instances of random variables X, Y and Z that are correlated through a public distribution P.sub.XYZ. These random variables represent private inputs of Alice and Bob, and the side-information of Eve, respectively. The key agreement is achieved by Alice sending a single message to Bob. In one scheme, a one-way secret-key agreement protocol is defined using three parameters: a security parameter λ, the secret key length l, and the number of instances of the initial random variables used n, where, for given l and λ values, n can be computed by a function n(λ, l). The goal of secret-key agreement is to establish a key k=k.sub.A=k.sub.B that appears uniformly random to Eve, where k.sub.A is the derived key by Alice and k.sub.B is the derived key by Bob.
(16) It should be clear that a process that generates a pair of correlated variables X and Y for Alice and Bob is used with the present invention. Random data sources such as atmospheric data or sun spots may be used in this process. As an example, a satellite broadcasts a random string and Alice and Bob receives this string through their respective receivers. The same random data source with a known probability distribution will be used to generate the correlated sampled of Alice and Bob, as well as the leakage variable Z.
(17) In terms of implementing the various functions used in the present invention as well as the sampler process and the data set, a number of points must be kept in mind.
(18) For the present invention, a number of algorithms or methods are used. Specifically, these are the correlated sample generation algorithm, the encapsulation algorithm, and the decapsulation algorithm. These may be defined as below. For greater clarity, [R6] may be consulted.
(19) Let P.sub.XYZ denote the public distribution that is used to generate correlated samples (values) of X, Y and Z, and let {h.sub.s: X.fwdarw.{0, 1}.sup.t}.sub.s∈S and {h′.sub.s: X.fwdarw.{0, 1}.sup.l}.sub.s′∈S′ be two strong universal hash families (UHFs) with parameters as defined below. Let C={0, 1}.sup.t×S×S′ and K={0, 1}.sup.l denote the sets of ciphertexts and keys, respectively.
(20) Let {h.sub.s: X.fwdarw.{0, 1}.sup.t}.sub.s∈S and {h'.sub.s: X.fwdarw.{0, 1}.sup.l}.sub.s′∈S′ be two strong universal hash families (UHFs).
(21) The three algorithms for the present invention are as follows.
(22) Generation algorithm Gen(1.sup.λ, P.sub.XYZ): For a distribution P.sub.XYZ, a trusted sampler samples the distribution independently n times, and gives the triplet vectors x, y and z of correlated samples, privately to Alice, Bob and Eve, respectively. It should be clear that t and t are both functions of A and are parametrized by P.sub.XYZ, the input probability distribution data set.
(23) That is, (x,y,z)=(x.sup.n, y.sup.x, z.sup.n)←.sup.$ Gen(1.sup.λ, P.sub.XYZ).
(24) Encapsulation algorithm Enc(x): The encapsulation algorithm Enc(⋅) takes as input x, samples s′←.sup.$ S′ and s←.sup.$ S for the seed of the strongly universal hash functions, and generates the key k=h′.sub.s′(x) and the ciphertext c=(h.sub.s(x), s′, s), Thus (c, k)=((h.sub.s(x), s′, s), h′.sub.s.Math.(x))←.sup.$ Enc(x).
(25) Decapsulation algorithm Dec(y, c): The decapsulation algorithm Dec(⋅, ⋅) takes the private input of Bob, y, and the ciphertext (h.sub.s(x), s, s) as input, and outputs the key hs′(x) or ⊥. We have:
k=(h′.sub.s′(x))←Dec(1.sup.λ,y,(h.sub.s(x),s′,s)).
(26) The decapsulation algorithm works as follows:
(27) 1) Parses the received ciphertext to (g, s′, s), where g is a t-bit string.
(28) 2) Defines the set,
T(X|y).sup.Δ={x: −log P.sup.n.sub.X|Y(x|y)≤v},
(29) and for each vector x{circumflex over ( )}∈T (X|y), checks g=.sup.? h.sub.s(x{circumflex over ( )}).
(30) 3) Outputs x{circumflex over ( )} if there is a unique value x that satisfies g=h.sub.s(x{circumflex over ( )}); Else outputs ⊥.
(31) The value v depends on the correlation of x and y where higher correlation corresponds to smaller v, and a smaller set of candidates.
(32) If successful, the decapsulation algorithm outputs a key k=h′.sub.s′(x{circumflex over ( )}); otherwise it outputs ⊥.
(33) For clarity, the sampler that samples the data set can be a randomness sampler. A randomness extractor maps a random variable with guaranteed min-entropy to a uniformly distributed random variable from a smaller set such that the two variables have small statistical distance. A random source is a random variable with lower bound on its min-entropy. We say a random variable X defined over {0, 1}.sup.n is an (n, d)-source if H.sub.∞(X)≥d.
(34) A well-known construction of randomness extractors uses Universal Hash Families (UHF) whose randomness property is given by the Leftover Hash Lemma (LHL). The present invention may use a variation of the LHL, called the generalized LHL (For further background, [R7] may be consulted).
(35) In one implementation, a system according to one aspect of the present invention is illustrated in
(36) In
(37) It should be clear that the various modules in
(38) Parameters of the system (such as the keys and the sampled values with correlated randomness from the data set) can be chosen to output a secure key of length, for example, 256 bits. This secure key can then be used to construct a pseudorandom sequence that will be XORed with the message for greater security.
(39) For clarity, the methods embodied in the description above may be summarized in the steps detailed in
(40) Referring to
(41) Referring to
(42) As noted above, for a better understanding of the present invention, the following references may be consulted. Each of these references is hereby incorporated in their entirety by reference. [R1] R. Cramer and V. Shoup, “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack,” SIAM Journal on Computing, vol. 33, no. 1, pp. 167-226, 2003. [R2] P. W. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, October 1997. [R3] Y. Ishai, E. Kushilevitz, S. Meldgaard, C. Orlandi, and A. Paskin-Cherniaysky, “On the power of correlated randomness in secure computation,” in Theory of Cryptography Conference. Springer, 2013, pp. 600-620 [R4] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733-742, May 1993. [R5] R. Ahlswede and I. Csiszar, “Common randomness in information theory and cryptography. I. Secret sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121-1132, July 1993. [R6] S. Sharifian, A. Poostindouz, and R. Safavi-Naini, “A capacity-achieving one-way key agreement with improved finite blocklength analysis, (in proceedings of isita 2020),” in 2020 International Symposium on Information Theory and Its Applications (ISITA). IEEE, 2020. [R7] J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby. Construction of pseudo-random generator from any one-way function. SIAM Journal on Computing, 28(4):1364-1396, 1999.
(43) It should be clear that the various aspects of the present invention may be implemented as software modules in an overall software system. As such, the present invention may thus take the form of computer executable instructions that, when executed, implements various software modules with predefined functions.
(44) The embodiments of the invention may be executed by a computer processor or similar device programmed in the manner of method steps, or may be executed by an electronic system which is provided with means for executing these steps. Similarly, an electronic memory means such as computer diskettes, CD-ROMs, Random Access Memory (RAM), Read Only Memory (ROM) or similar computer software storage media known in the art, may be programmed to execute such method steps.
(45) As well, electronic signals representing these method steps may also be transmitted via a communication network.
(46) Embodiments of the invention may be implemented in any conventional computer programming language. For example, preferred embodiments may be implemented in a procedural programming language (e.g., “C” or “Go”) or an object-oriented language (e.g., “C++”, “java”, “PHP”, “PYTHON” or “C#”). Alternative embodiments of the invention may be implemented as pre-programmed hardware elements, other related components, or as a combination of hardware and software components.
(47) Embodiments can be implemented as a computer program product for use with a computer system. Such implementations may include a series of computer instructions fixed either on a tangible medium, such as a computer readable medium (e.g., a diskette, CD-ROM, ROM, or fixed disk) or transmittable to a computer system, via a modem or other interface device, such as a communications adapter connected to a network over a medium. The medium may be either a tangible medium (e.g., optical or electrical communications lines) or a medium implemented with wireless techniques (e.g., microwave, infrared or other transmission techniques). The series of computer instructions embodies all or part of the functionality previously described herein. Those skilled in the art should appreciate that such computer instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Furthermore, such instructions may be stored in any memory device, such as semiconductor, magnetic, optical or other memory devices, and may be transmitted using any communications technology, such as optical, infrared, microwave, or other transmission technologies. It is expected that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation (e.g., shrink-wrapped software), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server over a network (e.g., the Internet or World Wide Web). Of course, some embodiments of the invention may be implemented as a combination of both software (e.g., a computer program product) and hardware. Still other embodiments of the invention may be implemented as entirely hardware, or entirely software (e.g., a computer program product).
(48) A person understanding this invention may now conceive of alternative structures and embodiments or variations of the above all of which are intended to fall within the scope of the invention as defined in the claims that follow.