U.S. patent application number 13/673461 was filed with the patent office on 2013-03-28 for method and apparatus for establishing a key agreement protocol.
This patent application is currently assigned to SecureRF Corporation. The applicant listed for this patent is SecureRF Corporation. Invention is credited to Iris Anshel, Michael Anshel, Dorian Goldfeld.
Application Number: 20130077783 (Appl. No. 13/673461)
Family ID: 37499152
Filed Date: 2013-03-28
United States Patent Application 20130077783, Kind Code A1
Anshel; Iris; et al.
March 28, 2013
METHOD AND APPARATUS FOR ESTABLISHING A KEY AGREEMENT PROTOCOL
Abstract
A system and method for generating a secret key to facilitate
secure communications between users. A first and second monoid and a
function between the two monoids are selected, the function being a
monoid homomorphism. A group and a group action of the group on the
first monoid is selected. Each user is assigned a submonoid of the
first monoid so that these submonoids satisfy a special symmetry
property determined by the function, a structure of the first and
second monoids, and the action of the group. A multiplication of an
element in the second monoid and an element in the first monoid is
obtained by combining the group action and the monoid homomorphism.
First and second users choose private keys which are sequences of
elements in their respective submonoids. A first result is obtained
by multiplying an identity element by the first element of the
sequence in a respective submonoid. Starting with the first result,
each element of the user's private key may be iteratively
multiplied by the previous result to produce a public key. Public
keys are exchanged between first and second users. Each user's
private key may be iteratively multiplied by the other user's
public key to produce a secret key. Secure communication may then
occur between the first and second user using the secret key.
Inventors: Anshel; Iris (Tenafly, NJ); Anshel; Michael (New York, NY); Goldfeld; Dorian (Tenafly, NJ)
Applicant: SecureRF Corporation, Westport, CT, US
Assignee: SecureRF Corporation, Westport, CT
Family ID: 37499152
Appl. No.: 13/673461
Filed: November 9, 2012
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
13293664 | Nov 10, 2011 |
13673461 | |
12632207 | Dec 7, 2009 |
13293664 | |
11148748 | Jun 8, 2005 | 7649999
12632207 | |
Current U.S. Class: 380/44
Current CPC Class: A61K 33/14 20130101; H04L 9/14 20130101; A61K 9/08 20130101; A61K 33/00 20130101; H04L 9/30 20130101; A61K 31/7004 20130101; H04L 9/0841 20130101; H04L 9/0861 20130101; A61K 31/194 20130101; H04L 9/0869 20130101; H04L 63/0428 20130101; H04L 2209/12 20130101; A61K 33/06 20130101; A61M 1/1654 20130101; H04L 9/3013 20130101; A61M 1/14 20130101
Class at Publication: 380/44
International Class: H04L 9/08 20060101 H04L009/08
Claims
1. A method for securing communications from a user, the method
comprising: selecting a first monoid; selecting a second monoid;
selecting a function, the function being a monoid homomorphism that
maps the first monoid to the second monoid; selecting a group;
selecting an action of the group on the first monoid; determining a
semi-direct product of the first monoid and the group to produce a
third monoid; selecting a first and second submonoid of the third
monoid, a pair of the first and second submonoids satisfying a
criterion, the first submonoid being defined by a first set of
generators, wherein the criterion satisfies a property determined
by the function, a structure of the first and second monoids, and
the action; and selecting a plurality of generators of the first
set of generators to produce a private key.
2.-23. (canceled)
Description
BACKGROUND OF THE INVENTION
[0001] 1. Field of the Invention
[0002] The invention relates to cryptography and, more
particularly, to a system and method for facilitating cryptographic
applications.
[0003] 2. Description of the Prior Art
[0004] Key Agreement Protocols
[0005] It is sometimes desirable for individuals to be able to
communicate with each other in a way in which third parties are
unable to listen to the communication. A simple way for these
individuals to communicate is to have the communications themselves
proceed in private. For example, if party A and party B desire to
communicate in a way which will not be heard by party C, A and B
can simply meet at a designated location unknown to C. Similarly, A
and B can set up a designated communication line between them which
excludes C. Such communication lines are expensive and inconvenient,
especially if A and B are geographically far apart from one
another.
[0006] A first approach to facilitating private communications
between A and B is to give A and B a secret key that may be used to
encrypt and/or decrypt messages sent between A and B. If C does not
know the key, it may be very difficult for C, even after obtaining a
message sent between A and B, to understand it.
However, giving A and B such a key is also cumbersome, expensive
and time consuming. Issues to be addressed include secretly
transmitting such a key to A and B and generating a new key each
time two individuals need to communicate. Also, if C does ascertain
the secret key, then all communications between A and B can be
decrypted and read by C.
[0007] Another approach for facilitating private communications
between A and B is to assign A and B secret mathematical functions
$f_a$, $f_b$ respectively. The functions $f_a$ and $f_b$ are
chosen from a set of functions, $S$, all of whose elements are
designed so as to be commutative: applying $f_a$ followed by
$f_b$ yields the same result as applying $f_b$ followed by
$f_a$ (i.e., given an element $x$, $f_a(f_b(x)) = f_b(f_a(x))$).
Assuming the element $x$ is known by both A and B, A can then send
$f_a(x)$ to B, and B can send $f_b(x)$ to A over public channels.
The secret key that can be evaluated and shared by both A and B is
then $f_a(f_b(x)) = f_b(f_a(x))$. To ensure that the system is
secure (from an adversary C who knows $x$ and can listen to all
communication between A and B) it is necessary that the functions
$f_a$ and $f_b$ satisfy the following property: given the value
$f_a(x)$ (respectively $f_b(x)$) it is computationally difficult to
determine the function $f_a$ (respectively $f_b$). This is called
the general Diffie-Hellman key agreement protocol.
[0008] Many specific instances of the general Diffie-Hellman
protocol for sending secure communications between A and B are
known in the prior art (see Alfred J. Menezes, Paul C. van
Oorschot, and Scott A. Vanstone, "Handbook of Applied
Cryptography," CRC Press (1997)). They all differ by their choice
of the set of functions. The original Diffie-Hellman key agreement
protocol is an example of the above described techniques (see W.
Diffie and M. E. Hellman, "New directions in cryptography," IEEE
Transaction on Information Theory, vol. IT 22 (November 1976), pp.
644-654). Using an algorithm like the one first introduced by
Diffie-Hellman, parties A and B can obtain a common shared secret
by communicating over a public channel. The security of the system,
in this instance, rests on the computational difficulty of
computing discrete logarithms in the multiplicative group of the
finite field. In more general cases the security is based on the
notion of a one-way function. A function $f$ from a set $X$ to a set
$Y$ is termed one-way if $f(x)$ is easy to compute for all $x \in X$
but for essentially all elements $y$ it is computationally difficult
to find $x \in X$ such that $f(x) = y$. To date a diverse array of
mathematical techniques (including geometric and algebraic ones),
have been used to create systems for secure communication whose
security is based on one-way functions.
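The commuting-function pattern of paragraph [0007], and the original discrete-logarithm instance of [0008], can be made concrete in a few lines. The following Python is an added example and is not code from the patent or from SecureRF: it builds the family $S$ from modular exponentiation, $f_a(x) = x^a \bmod p$, checks the commutation property the text requires, and runs the exchange in which only $x$, $f_a(x)$ and $f_b(x)$ cross the public channel. The modulus, base and secrets are constructed toy values chosen so the results can be checked by hand; they carry no security.

```python
# Added example (not from the patent): the "general Diffie-Hellman" pattern of
# paragraph [0007], instantiated with the original Diffie-Hellman functions
# f_a(x) = x^a mod p.  P, G and the secrets are constructed toy values.
P = 23   # toy prime modulus (constructed)
G = 5    # the public element x known to both A and B (constructed)

def make_f(secret):
    """Return the secret function f_secret from the commuting family S."""
    return lambda x: pow(x, secret, P)

def commutes(f_a, f_b, x):
    """The property [0007] demands of the family: f_a(f_b(x)) == f_b(f_a(x))."""
    return f_a(f_b(x)) == f_b(f_a(x))

def key_agreement(secret_a, secret_b, x=G):
    """Run the exchange of [0007]; returns the two public values and both keys."""
    f_a, f_b = make_f(secret_a), make_f(secret_b)
    public_a = f_a(x)          # sent A -> B over the public channel
    public_b = f_b(x)          # sent B -> A over the public channel
    key_at_a = f_a(public_b)   # A evaluates f_a(f_b(x))
    key_at_b = f_b(public_a)   # B evaluates f_b(f_a(x))
    return public_a, public_b, key_at_a, key_at_b

if __name__ == "__main__":
    pa, pb, ka, kb = key_agreement(6, 15)
    print("public values:", pa, pb, "keys:", ka, kb, "agree:", ka == kb)
```

An eavesdropper C sees $x$, $f_a(x)$ and $f_b(x)$; with this family, recovering $a$ from $x^a \bmod p$ is the discrete-logarithm problem that paragraph [0008] names as the basis of the original protocol's security.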
[0009] A problem with some of the prior art algorithms is that
most of them rely on a cost-risk analysis when generating the
one-way function. That is, in order to produce a more complex and
more difficult to determine secret key, each party would need to
spend more time in generating such a key and may need to invest in
more expensive devices. With rapidly evolving technologies,
implementing the current algorithms in a cryptographically secure
manner is becoming difficult. Furthermore, there are instances of
resource limited devices where current algorithms are difficult to
implement. Thus, there is a need in the art for a system and method
which can produce a secure key relatively quickly and without
employing expensive devices.
SUMMARY OF THE INVENTION
[0010] An aspect of the invention is a method for securing
communications from a user. The method comprises selecting a first
monoid, selecting a second monoid and selecting a function, the
function being a monoid homomorphism that maps the first monoid to
the second monoid. The method further comprises selecting a group,
selecting an action of the group on the first monoid, and
determining a semi-direct product of the first monoid and the group
to produce a third monoid. The method further comprises selecting a
first and second submonoid of the third monoid, a pair of the first
and second submonoids satisfying a criterion, the first submonoid
being defined by a first set of generators, wherein the criterion
satisfies a property determined by the function, a structure of the
first and second monoids, and the action. The method still further
comprises selecting a plurality of generators of the first set of
generators to produce a private key.
[0011] Another aspect of the invention is a method for securing
communications from a user. The method comprises receiving a first
submonoid, the first submonoid being produced by selecting a first
monoid, selecting a second monoid, selecting a function, the
function being a monoid homomorphism that maps the first monoid to
the second monoid, selecting a group, selecting an action of the
group on the first monoid, determining a semi-direct product of the
first monoid and the group to produce a third monoid, selecting a
first and second submonoid of the third monoid, the pair of the
first and second submonoids satisfying a criterion, the first
submonoid being defined by a first set of generators, the criterion
satisfying a property determined by the function, a structure of
the first and second monoids, and the action. The method further
comprising selecting a plurality of generators of the first set of
generators to produce a private key. The method still further
comprising applying the second component of an identity on a
non-group component of a first generator of the private key to
produce a result, wherein the identity comprises a first component,
the first component being an identity of the second monoid, and the
identity comprises a second component, the second component being
an identity of the group. The method still further comprising
applying the function to the result to produce a first modified
result, multiplying the first component of the identity by the
modified result to produce a first further modified result,
multiplying the second component of the identity with a group
component of the first generator to produce a first still further
modified result, and combining the first further modified result
with the first still further modified result to produce a public
key.
[0012] Still another aspect of the invention is a method for
securing communications among two users. The method comprises
selecting a first monoid, selecting a second monoid, and selecting
a function, the function being a monoid homomorphism that maps the
first monoid to the second monoid. The method further comprising
selecting a group, selecting an action of the group on the first
monoid, and determining a first semi-direct product of the first
monoid and the group to produce a third monoid. The method still
further comprising selecting a first and second submonoid of the
third monoid, a pair of the first and second submonoids satisfying
a criterion, the first submonoid being defined by a first set of
generators, the second submonoid being defined by a second set of
generators, the criterion satisfying a property determined by the
function, a structure of the first and second monoids, and the
action. The method further comprising at a first user, receiving
the first submonoid, selecting a plurality of generators of the
first set of generators to produce a first private key, and
applying the second component of an identity on a non-group
component of a first generator of the first private key to produce
a first result, wherein the identity comprises a first component,
the first component being an identity of the second monoid, and the
identity comprises a second component, the second component being
an identity of the group. The method further comprising at the
first user applying the function to the first result to produce a
first modified result, multiplying the first component of the
identity by the modified result to produce a first further modified
result, multiplying the second component of the identity with a
group component of the first generator of the first private key to
produce a first still further modified result, and combining the
first further modified result with the first still further modified
result to produce a first public key. The method still further
comprising at the first user a. applying a group component of the
first public key on a non-group component of a second generator of
the first private key to produce a second result, b. applying the
function to the second result to produce a second modified result,
c. multiplying a non-group component of the first public key by the
second modified result to produce a second further modified result,
d. multiplying the group component of the first public key with a
group component of the second generator of the private key to
produce second still further modified result; and e. combining the
first further modified result with the second still further
modified result to produce a second public key. The method further
comprising at a second user receiving the second submonoid,
selecting a plurality of generators of the second set of generators
to produce a second private key, applying the second component of
the identity on a non-group component of a first generator of the
second private key to produce a third result, applying the function
to the third result to produce a third modified result, multiplying
the first component of the identity by the third modified result to
produce a third further modified result, multiplying the second
component of the identity with a group component of the first
generator of the second private key to produce a third still
further modified result, and combining the third further modified
result with the third still further modified result to produce a
third public key. The method still further comprising at the second
user f. applying a group component of the third public key on a
non-group component of a second generator of the second private key
to produce a fourth result, g. applying the function to the fourth
result to produce a fourth modified result, h. multiplying a
non-group component of the third public key by the fourth modified
result to produce a fourth further modified result, i. multiplying
the group component of the third public key with a group component
of the second generator of the second private key to produce a
fourth still further modified result; and j. combining the fourth
further modified result with the fourth still further modified
result to produce a fourth public key.
[0013] Yet still another aspect of the invention is a transmitter
comprising a memory including a first submonoid, the first
submonoid being produced by selecting a first monoid, selecting a
second monoid, selecting a function, the function being a monoid
homomorphism that maps the first monoid to the second monoid,
selecting a group, selecting an action of the group on the first
monoid; determining a semi-direct product of the first monoid and
the group to produce a third monoid, selecting a first and second
submonoid of the third monoid, the pair of the first and second
submonoids satisfying a criterion, the first submonoid being
defined by a first set of generators; the criterion satisfying a
property determined by the function, a structure of the first and
second monoids, and the action. The transmitter further comprising
a processor wherein the processor is effective to select a
plurality of generators of the first set of generators to produce a
private key. The processor is further effective to apply the second
component of an identity on a non-group component of a first
generator of the private key to produce a result, wherein the
identity comprises a first component, the first component being an
identity of the second monoid, and the identity comprises a second
component, the second component being an identity of the group. The
processor is further effective to apply the function to the result
to produce a first modified result. The processor is effective to
multiply the first component of the identity by the modified result
to produce a first further modified result. The processor is
effective to multiply the second component of the identity with a
group component of the first generator to produce a first still
further modified result; and the processor is effective to combine
the first further modified result with the first still further
modified result to produce a first public key. The processor is
effective to a. apply a group component of the first public key on
a non-group component of a second generator of the private key to
produce a second result, b. apply the function to the second result
to produce a second modified result, c. multiply a non-group
component of the first public key by the second modified result to
produce a second further modified result, d. multiply the group
component of the first public key with a group component of the
second generator of the private key to produce second still further
modified result, and e. combine the first further modified result
with the second still further modified result to produce a second
public key.
[0014] Still another aspect of the invention is a system for
securing communications between users. The system comprises a
communications center, the communications center effective to
select a first monoid, select a second monoid, select a function,
the function being a monoid homomorphism that maps the first monoid
to the second monoid, select a group, and select an action of the
group on the first monoid. The communications center further
effective to determine a first semi-direct product of the first
monoid and the group to produce a third monoid; and select a first
and second submonoid of the third monoid, a pair of the first and
second submonoids satisfying a criterion, the first submonoid being
defined by a first set of generators, the second submonoid being
defined by a second set of generators, the criterion satisfying a
property determined by the function, a structure of the first and
second monoids, and the action. The system further comprising a
first transmitter comprising a memory including the first submonoid
and a first processor. The first processor effective to select a
plurality of generators of the first set of generators to produce a
first private key and apply the second component of an identity on
a non-group component of a first generator of the first private key
to produce a first result, wherein the identity comprises a first
component, the first component being an identity of the second
monoid, and the identity comprises a second component, the second
component being an identity of the group. The first processor
further effective to apply the function to the first result to
produce a first modified result, multiply the first component of
the identity by the modified result to produce a first further
modified result, multiply the second component of the identity with
a group component of the first generator to produce a first still
further modified result and combine the first further modified
result with the first still further modified result to produce a
first public key. The first processor is further effective to a.
apply a group component of the first public key on a non-group
component of a second generator of the private key to produce a
second result, b. apply the function to the second result to
produce a second modified result, c. multiply a non-group component
of the first public key by the second modified result to produce a
second further modified result, d. multiply the group component of
the first public key with a group component of the second generator
of the first private key to produce second still further modified
result; and e. combine the first further modified result with the
second still further modified result to produce a second public
key. The system further comprises a second transmitter comprising a
memory including the second submonoid and a second processor. The
second processor effective to select a plurality of generators of
the second set of generators to produce a second private key, apply
the second component of the identity on a non-group component of a
first generator of the second private key to produce a third
result, apply the function to the third result to produce a third
modified result, and multiply the first component of the identity
by the third modified result to produce a third further modified
result. The second processor further effective to multiply the
second component of the identity with a group component of the
second generator to produce a third still further modified result
and combine the third further modified result with the third still
further modified result to produce a third public key. The second
processor is further effective to f. apply a group component of the
third public key on a non-group component of a second generator of
the second private key to produce a fourth result, g. apply the
function to the fourth result to produce a fourth modified result,
h. multiply a non-group component of the first public key by the
fourth modified result to produce a fourth further modified result,
i. multiply the group component of the third public key with a
group component of the second generator of the second private key
to produce fourth still further modified result and j. combine the
fourth further modified result with the fourth still further
modified result to produce a fourth public key.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] FIG. 1 is a system diagram illustrating a $\Pi$-Function
module in accordance with an embodiment of the invention.
[0016] FIG. 2 is a system diagram illustrating an S-Action module in
accordance with an embodiment of the invention.
[0017] FIG. 3 is a system diagram illustrating an E-Function module
in accordance with an embodiment of the invention.
[0018] FIG. 4 is a system diagram illustrating the operation of an
E-Function iterator module in accordance with an embodiment of the
invention.
[0019] FIG. 5 is another system diagram illustrating the operation
of an E-Function iterator module in accordance with an embodiment
of the invention.
[0020] FIG. 6 is a system diagram illustrating a system for
determining a pair of E-commuting monoids in accordance with an
embodiment of the invention.
[0021] FIG. 7 is a system diagram illustrating a system for
determining a private key in accordance with an embodiment of the
invention.
[0022] FIG. 8 is a system diagram illustrating a system for
determining a public key in accordance with an embodiment of the
invention.
[0023] FIG. 9 is a system diagram illustrating a system for
determining a common agreed upon secret key in accordance with an
embodiment of the invention.
[0024] FIG. 10 is a flow diagram illustrating a method for
determining a common agreed upon secret key and transmitting a
message using that secret key in accordance with an embodiment of
the invention.
[0025] FIG. 11 is a system diagram illustrating a system for
determining a secret key in accordance with an embodiment of the
invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
[0026] The present invention introduces an algorithmically
efficient one-way function. The algorithm is both rapidly
computable and computationally hard to reverse. An overview in
accordance with the invention is provided in FIG. 10. Parties Alice
and Bob are each in possession of a database from which they form
their respective private keys (Boxes 101 and 102). They then
proceed to produce their respective public keys based on their
respective private keys by applying an algorithm in accordance with
the invention (Boxes 103 and 104). Alice and Bob each have access
to a respective transmitter and receiver. Alice and Bob use their
respective transmitter and receiver to exchange their public keys.
By exchanging these public keys they are each in a position to
obtain a common agreed upon secret key by letting the received
public key act on the respective user's private keys (Boxes 105 and
106). Once the shared secret key has been obtained, Alice can then
encrypt a plaintext message, produce an encrypted message (Box
107), send the encrypted message (Box 108) to Bob, who can then
decrypt the encrypted message (Box 109) to obtain Alice's plaintext
message (Box 107).
[0027] Let $M$, $N$ denote monoids and let $S$ denote a group which acts
on $M$ on the left. Given an element $s \in S$ and an element
$m \in M$, we denote the result of $s$ acting on $m$ by ${}^{s}m$. The
semidirect product of $M$ and $S$, $MS$, is defined to be the monoid whose
underlying set is $M \times S$ and whose internal binary operation
$$(M \times S) \times (M \times S) \to M \times S$$
is given by
$$((m_1, s_1), (m_2, s_2)) \mapsto (m_1\,{}^{s_1}m_2,\; s_1 s_2).$$
Furthermore, we let $N \times S$ denote the direct product.
[0028] An algebraic eraser is specified by a 6-tuple $(MS, N, \Pi,
E, A, B)$ where $MS$ and $N$ are as above, $A$, $B$ are user submonoids of
$M$, $\Pi$ is an easily computable monoid homomorphism
$$\Pi : M \to N,$$
$E$ is a function
$$E : (N \times S) \times (MS) \to N \times S$$
given by
$$E((n, s), (m_1, s_1)) = (n\,\Pi({}^{s}m_1),\; s s_1),$$
and $A$, $B$ are submonoids of $MS$ such that for all $(a, s_a) \in A$,
$(b, s_b) \in B$
$$E((\Pi(a), s_a), (b, s_b)) = E((\Pi(b), s_b), (a, s_a)).$$
Two submonoids satisfying the above identity are termed
E-Commuting.
[0029] An action of $S$ on $M$ does not induce an action of $S$ on $N$, and
given knowledge of the elements
$$(n, s),\; E((n, s), (m_1, s_1)) \in N \times S$$
it is very difficult to obtain the element
$(m_1, s_1) \in MS$. The action of the element $s \in S$
has been effectively erased by the algebraic eraser. A benefit lies
in the efficiency of the computation of the function $\Pi$ and the
iterative nature of the method and apparatus for the computation of
the function $E$.
[0030] A preferred embodiment of an apparatus to perform an
algebraic key agreement protocol based on the algebraic eraser is
depicted in FIGS. 1 through 11, and begins with an apparatus to
compute the function $\Pi$. The $\Pi$-Function module 13 is
responsive to the data from the $\Pi$-Function module library 11,
and the input element $m \in M$ from 12. The $\Pi$-Function module
13 computes the element $\Pi(m) \in N$.
[0031] In general a group $S$ is said to act (on the left) on a
monoid $M$ provided there is a homomorphism from $S$ to the
endomorphisms of $M$ which satisfies certain properties. Given
$s \in S$ and $m \in M$, the element $s$ maps $m$ to a new element
in $M$, denoted ${}^{s}m$. The required properties are
$${}^{s}(m_1 m_2) = {}^{s}m_1\,{}^{s}m_2,\qquad {}^{1}m = m,\qquad {}^{s_1 s_2}m = {}^{s_1}({}^{s_2}m).$$
Referring to FIG. 2, S-Action module 23 is responsive to the inputs
$s \in S$ 21 and $m \in M$ 22, and computes the image of $m$
under the action of $s$ yielding ${}^{s}m$ as output.
[0032] An apparatus to compute the function $E$ is depicted in FIG.
3. The E-Function module 36 is responsive to the inputs $(n, s)$ 31
and $(m_1, s_1)$ 34. Given an ordered list $(x, y)$ of two elements $x$, $y$, the
first component projection of $(x, y)$ outputs the first component $x$
on the list. Similarly, the second component projection outputs the
second component $y$. The input $(n, s)$, 31, is sent to the second
component projection module, 32, and the input $(m_1, s_1)$ is
likewise sent to a first component projection module, 33. The
resulting elements of $S$ and $M$ of the first and second component
modules 32, 33 are then forwarded to the S-Action module 23,
yielding the element ${}^{s}m_1 \in M$. This resulting
element ${}^{s}m_1$ is forwarded to the $\Pi$-Function module, 13,
which outputs the element $\Pi({}^{s}m_1)$. The E-Function
multiplier, 35, is responsive to the input $(n, s)$, 31, the element
$\Pi({}^{s}m_1) \in N$, and the result of the input
$(m_1, s_1)$, 34, being entered into the second component
projection module, 32. The E-Function multiplier outputs the
element $(n\,\Pi({}^{s}m_1),\; s s_1) \in N \times S$ which is
also the output of the E-Function module 36.
[0033] The semi-direct product of $M$ and $S$, denoted $MS$, is defined
to be the monoid whose underlying set is the direct product
$M \times S$ and whose binary operation is given by
$$(m_1, s_1)(m_2, s_2) = (m_1\,{}^{s_1}m_2,\; s_1 s_2).$$
It is noted that given an element $(n, s) \in N \times S$ and two
elements $(m_1, s_1), (m_2, s_2) \in MS$, that
$$E((n, s), ((m_1, s_1)(m_2, s_2))) = E(E((n, s), (m_1, s_1)), (m_2, s_2)).$$
Hence computing the E-Function iteratively increases the system's
efficiency and speed.
[0034] FIG. 4 depicts an apparatus which may be used in performing
the above computation. An E-Function Iterator module 42 is
responsive to the input $(n, s)$, 31, and to the input
$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k)$,
41, and outputs
$$\bigl(n\,\Pi({}^{s}m_1)\,\Pi({}^{s s_1}m_2) \cdots \Pi({}^{s s_1 \cdots s_{k-1}}m_k),\; s s_1 \cdots s_k\bigr).$$
[0035] A more detailed apparatus of the E-Function Iterator module
42 is depicted in FIG. 5, and begins with the input $(n, s)$ 31 being
sent to the E-Function module 36. In addition, an input
$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k)$,
41, is sent to the choose $t^{\text{th}}$ component module, 53, which is a
module initialized at the value $t = 1$ and repeatedly incremented by
the increment $t$ module, 54. The $t^{\text{th}}$ component of the input
$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k)$ is
precisely $(m_t, s_t)$, which is the output of 53 and sent to
the E-Function module 36. Furthermore the value of $t$ is sent to the
decision box 55 which also receives the value of the E-Function
(iterated $t-1$ times up to that point). The decision box 55
determines if $t = k$, at which point the computation stops; otherwise,
the output of decision box 55 becomes input 31 to the E-Function
module 36 to be used as the new first component of $E$ together with
the incoming entry from choose $t^{\text{th}}$ component module 53. The
final value arrived at is given by
$$\bigl(n\,\Pi({}^{s}m_1)\,\Pi({}^{s s_1}m_2) \cdots \Pi({}^{s s_1 \cdots s_{k-1}}m_k),\; s s_1 \cdots s_k\bigr) = \bigl(n\,\Pi\bigl(({}^{s}m_1)({}^{s s_1}m_2) \cdots ({}^{s s_1 \cdots s_{k-1}}m_k)\bigr),\; s s_1 \cdots s_k\bigr).$$
[0036] Recall that two submonoids $A$, $B$ are said to be E-Commuting
provided
$$E((\Pi(a), s_a), (b, s_b)) = E((\Pi(b), s_b), (a, s_a))$$
holds for all $(a, s_a) \in A$, $(b, s_b) \in B$. FIG. 6
illustrates an apparatus which may be used in choosing a pair of
E-Commuting monoids, $A$, $B$ which may be utilized in the invention. A
monoid is specified by a generating set, i.e., a subset of elements
of the monoid which have the property that every element of the
monoid can be expressed as a product of some of these generators
(in some order, with repetitions allowed). The Semidirect Product
Producer 60 is responsive to the monoid $M$ and the group $S$ and
produces the monoid $MS$. The monoid $MS$, together with the monoid $N$
and the function $\Pi$ are sent to the E-Commuting Monoid Producer
63, whose output is sent to the Pairs of E-Commuting Monoid Library
64. A Pseudorandom Number Generator 61 produces a random number
$\alpha$, a Chooser 62 then accesses the $\alpha^{\text{th}}$ element of
the Pairs of E-Commuting Monoid Library 63 and outputs the pair of
E-Commuting monoids $A_1$, $B_1$ which are forwarded to Alice
and Bob, respectively. Additionally the pair $A_1$, $B_1$ is
forwarded to the User Submonoid Generator Database 65.
[0037] With the apparatuses for computing the S-Action and the
functions $\Pi$ and $E$ specified, and each user's submonoid in place,
the algebraic eraser key agreement protocol can now be detailed. If
the E-Commuting monoids $A_1$, $B_1$ are privately assigned to
Alice and Bob, then the invention functions, for example, as a
symmetric cryptosystem. If the monoid $MS$ possesses a large library
of pairs of E-Commuting submonoids which are recursively enumerable
and whose internal algebraic structure is hidden, then the invention
can function, for example, as an asymmetric cryptosystem.
[0038] FIG. 7 illustrates a mechanism which may be used in enabling
a user to generate a private key. Focusing on Alice (Bob's case is
analogous), a second Pseudorandom Number Generator 72, responsive to
the input $\alpha^*$, 71, creates a list of integers $e_1, e_2, \dots,
e_{\alpha^*}$ where each $e_i$ is generated in such a way that
$e_i \le$ the number of generators of $A_1$. The Sequence Encoder 73 is
responsive to the list $e_1, e_2, \dots, e_{\alpha^*}$ and to the User
Submonoid Generator database 65, which is responsive to the submonoid
$A_1$. The Sequence Encoder 73 produces the list of user generators
$(m_{e_1},s_{e_1}), (m_{e_2},s_{e_2}), \dots, (m_{e_{\alpha^*}},s_{e_{\alpha^*}})$
out of the generating set of $A_1$. The Private Key Generator 74 is
responsive to Encoder 73 and produces the user private key
$$M_A = (m_{e_1},s_{e_1}), (m_{e_2},s_{e_2}), \dots, (m_{e_{\alpha^*}},s_{e_{\alpha^*}})$$
which is sent to a memory 75. It should be observed that the
product of the elements, denoted $(M_A,s_A)$,
$$(M_A,s_A) = (m_{e_1},s_{e_1})(m_{e_2},s_{e_2})\cdots(m_{e_{\alpha^*}},s_{e_{\alpha^*}}) = \big(m_{e_1}\,({}^{s_{e_1}}m_{e_2})\cdots({}^{s_{e_1}\cdots s_{e_{\alpha^*-1}}}m_{e_{\alpha^*}}),\; s_{e_1}\cdots s_{e_{\alpha^*}}\big)$$
is an element of the submonoid $A_1 \subseteq MS$, but need not be
computed explicitly for key agreement.
[0039] Now that Alice and Bob have chosen their respective user
private keys, FIG. 8 depicts the apparatus which may be used in
computing the user public keys. The E-Function Iterator module 42
is responsive to the input $(m_{e_1},s_{e_1}), (m_{e_2},s_{e_2}), \dots,
(m_{e_{\alpha^*}},s_{e_{\alpha^*}})$, 81, and the element
$(1_N,1_S) = (\mathrm{identity}_N,\mathrm{identity}_S) \in N \times S$,
which is the identity of the monoid $N$ in the first component and
the identity of $S$ in the second component. The E-Function Iterator
module 42 produces the User Public Key
$$(N_A,s_A) = E((1_N,1_S),(M_A,s_A)) = \big(\Pi(m_{e_1})\,\Pi({}^{s_{e_1}}m_{e_2})\cdots\Pi({}^{s_{e_1}\cdots s_{e_{\alpha^*-1}}}m_{e_{\alpha^*}}),\; s_{e_1}\cdots s_{e_{\alpha^*}}\big) = \Big(\Pi\big(m_{e_1}({}^{s_{e_1}}m_{e_2})\cdots({}^{s_{e_1}\cdots s_{e_{\alpha^*-1}}}m_{e_{\alpha^*}})\big),\; s_{e_1}\cdots s_{e_{\alpha^*}}\Big) = (\Pi(M_A), s_A),$$
which is sent to memory 83.
[0040] At this point Alice has the public key $(N_A,s_A)$ and
private key $\langle m_A \rangle$, Bob has public key $(N_B,s_B)$
and private key $\langle m_B \rangle$, and they are now in a position to
utilize the apparatus depicted in FIG. 9 to obtain a common agreed
upon secret key. Alice transmits her public key $(N_A,s_A)$,
input 91, via the transmitter/receiver 93, and likewise Bob
transmits his public key $(N_B,s_B)$, input 92, via the
transmitter/receiver 94. The received public keys, together with
each user's private key, are then forwarded to the respective
E-Function Iterator modules 42a, 42b, to yield
$$(N_B\,\Pi({}^{s_B}M_A),\; s_B s_A) = E((N_B,s_B),(M_A,s_A)) = E((\Pi(M_B),s_B),(M_A,s_A))$$
$$(N_A\,\Pi({}^{s_A}M_B),\; s_A s_B) = E((N_A,s_A),(M_B,s_B)) = E((\Pi(M_A),s_A),(M_B,s_B)).$$
Since $(M_A,s_A)$ and $(M_B,s_B)$ are contained in the
submonoids $A_1$, $B_1$ respectively, the original assumptions
regarding the structure of the algebraic eraser imply that the
above elements of $N \times S$ are equal and can serve as the common
agreed upon secret key, 97.
[0041] The above key agreement protocol can be enhanced by
combining it with the Diffie-Hellman protocol described in the
prior art. One such combination is given as follows. Referring to
FIG. 8, replace input 82 by the element $(K_A,\mathrm{identity}_S)$
(for Alice) and $(K_B,\mathrm{identity}_S)$ (for Bob), where $K_A,
K_B \in N$ are additional private keys chosen so that they
commute. The public keys for Alice and Bob are
$E((K_A,\mathrm{identity}_S),(M_A,s_A))$ and
$E((K_B,\mathrm{identity}_S),(M_B,s_B))$, respectively. In
this variation of the key agreement protocol, the common agreed
upon secret key is given by
$$E((K_A K_B\,\Pi(M_B),s_B),(M_A,s_A)) = E((K_B K_A\,\Pi(M_A),s_A),(M_B,s_B)).$$
[0042] Referring now to FIG. 11, there is shown a system 1130 which
could be used in accordance with an embodiment of the invention.
System 1130 includes a first transmitter/receiver 1102a and a
second transmitter/receiver 1102b. Transmitters/receivers 1102a and
1102b could be, for example, readers and tags in an RF-ID system.
Transmitters/receivers 1102a and 1102b may, for example, generate
information, receive information, or modulate received information
to transmit other information.
[0043] Transmitter/receiver 1102a includes a memory 1104a, a
processor 1110a, an action module 1112a, a $\Pi$-Function module
1108a, an E-Function multiplier 1106a and an antenna 1114a.
Similarly, transmitter/receiver 1102b includes a memory 1104b, a
processor 1110b, an action module 1112b, a $\Pi$-Function module 1108b,
an E-Function multiplier 1106b and an antenna 1114b. Action modules
1112a and 1112b could be, for example, S-Action module 23 discussed
above. $\Pi$-Function modules 1108a and 1108b could be, for example,
$\Pi$-Function module 13 discussed above. E-Function multipliers
1106a and 1106b could be E-Function multipliers 35 as described
above.
[0044] Memories 1104a and 1104b each include monoids $N$ and $M$, group
$S$ and function $\Pi$, which all could be determined using, for
example, the algorithms discussed above. Memory 1104a further
includes a submonoid $A$ and memory 1104b further includes a
submonoid $B$. Submonoids $A$ and $B$ may be determined as discussed
above. For example, a semi-direct product of $S$ and $M$ may be
determined. $A$ and $B$ may then be E-Commuting submonoids of this
semi-direct product. Monoids $M$ and $N$, group $S$, function $\Pi$ and
submonoids $A$ and $B$ may all be determined by a communications center
1132 in communication with a database 1134. Communications center
1132 may forward monoids $M$ and $N$, group $S$, function $\Pi$ and
submonoids $A$ and $B$ to transmitter/receivers 1102a, 1102b using,
for example, an antenna 1136. Alternatively, monoids $M$ and $N$, group
$S$, function $\Pi$ and submonoids $A$ and $B$ may be stored in memories
1104a, 1104b of transmitter/receivers 1102a, 1102b, respectively, when
the respective devices are manufactured.
[0045] In operation, processors 1110a and 1110b each select
generators of monoids $A$ and $B$, respectively. The selection could
be, for example, through the use of pseudo-random number generators
1120a, 1120b. Processor 1110a then orders the generators to produce
a private key 1118a for transmitter/receiver 1102a.
[0046] Processor 1110a then forwards private key 1118a and an
identity element 1122a to action module 1112a, $\Pi$-Function module
1108a and E-Function multiplier 1106a to produce a public key 1122a
for transmitter/receiver 1102a. Identity element 1122a includes a
first component which is the identity of monoid $N$ and a second
component which is the identity of group $S$. The process through
action module 1112a, $\Pi$-Function module 1108a and E-Function
multiplier 1106a may be performed iteratively for each generator in
private key 1118a.
[0047] Similarly, processor 1110b orders generators of monoid $B$ to
produce a private key 1118b for transmitter/receiver 1102b.
Processor 1110b then forwards private key 1118b and an identity
element 1122b to action module 1112b, $\Pi$-Function module 1108b
and E-Function multiplier 1106b to produce a public key 1122b for
transmitter/receiver 1102b. Identity element 1122b includes a first
component which is the identity of monoid $N$ and a second component
which is the identity of group $S$. The process through action module
1112b, $\Pi$-Function module 1108b and E-Function multiplier 1106b
may be performed iteratively for each generator in private key
1118b.
[0048] Transmitter/receivers 1102a and 1102b exchange their
respective public keys 1122a, 1122b using antennas 1114a and 1114b,
respectively, over a communication link 1128. Once the public keys
1122a, 1122b are received, a secret key may be ascertained.
Focusing on transmitter/receiver 1102a, for example, public key
1122b from transmitter/receiver 1102b is input to action module
1112a, $\Pi$-Function module 1108a and E-Function multiplier 1106a
along with private key 1118a. Action module 1112a, $\Pi$-Function
module 1108a, and E-Function multiplier 1106a may operate on these
inputs iteratively for each generator in the private key from
transmitter/receiver 1102a, to produce a secret key 1124. A similar
operation is performed at transmitter/receiver 1102b. The secret
key 1124 may then be used by transmitter/receivers 1102a and
1102b to communicate securely.
[0049] While the invention has been described and illustrated in
connection with preferred embodiments, many variations and
modifications as will be evident to those skilled in this art may
be made without departing from the spirit and scope of the
invention, and the invention is thus not to be limited to the
precise details of methodology or construction set forth above, as
such variations and modifications are intended to be included within
the scope of the invention.
Example
[0050] An instance of the algebraic eraser and its associated key
agreement protocol can be obtained in the case where the monoid $M$
is chosen to be the set of $L \times L$ matrices whose entries are
rational functions with integral coefficients in the variables
$\{t_1, t_2, \dots, t_\kappa\}$, i.e., the entries take the form
$$\frac{C_{ij}(t_1, t_2, \dots, t_\kappa)}{D_{ij}(t_1, t_2, \dots, t_\kappa)}$$
where $1 \le i,j \le \kappa$, and $C_{ij}, D_{ij}$ are
polynomials. The group $S$ is chosen to be the symmetric group on
$\kappa$ symbols, denoted $S_\kappa$. The action of the elements
$s \in S_\kappa$ on the set of variables $\{t_1, t_2, \dots, t_\kappa\}$,
given by
$$s: t_i \mapsto t_{s(i)},$$
can be extended to an action on the monoid $M$ in a natural manner.
Given an element of $M$, input 22 (see FIG. 2), of the form
$$\left[\frac{C_{ij}(t_1, t_2, \dots, t_\kappa)}{D_{ij}(t_1, t_2, \dots, t_\kappa)}\right]_{1 \le i,j \le \kappa}$$
and an element $s \in S_\kappa$, input 21, the result of the
$S_\kappa$-Action module 23 is the element of $M$ given by
$${}^{s}\left[\frac{C_{ij}(t_1, t_2, \dots, t_\kappa)}{D_{ij}(t_1, t_2, \dots, t_\kappa)}\right]_{1 \le i,j \le \kappa} = \left[\frac{C_{ij}(t_{s(1)}, t_{s(2)}, \dots, t_{s(\kappa)})}{D_{ij}(t_{s(1)}, t_{s(2)}, \dots, t_{s(\kappa)})}\right]_{1 \le i,j \le \kappa}.$$
[0051] Having specified the monoid $M$ and the action of a group $S$ on
$M$, we fix a prime $p$ and let the monoid $N$ be the set of $L \times L$
matrices whose entries are integers mod $p$. Then, to define the
homomorphism $\Pi$, a set of integers $(\tau_1, \tau_2, \dots, \tau_\kappa) \pmod p$
is chosen and is stored in the $\Pi$-Function module Library 11. Given an
element of $M$, Input 12, the $\Pi$-Function module produces the element
of $N$ given by
$$\left[\frac{C_{ij}(\tau_1, \tau_2, \dots, \tau_\kappa) \bmod p}{D_{ij}(\tau_1, \tau_2, \dots, \tau_\kappa) \bmod p}\right]_{1 \le i,j \le \kappa}.$$
It is tacitly assumed that
$$D_{ij}(\tau_1, \tau_2, \dots, \tau_\kappa) \not\equiv 0 \pmod p,$$
which can always be arranged by appropriate selection of
$(\tau_1, \tau_2, \dots, \tau_\kappa)$ for the situation at hand.
[0052] With the above choices in place, the E-Function 13 takes the
form
$$E\left(\big([d_{ij}], s\big), \left(\left[\frac{C_{ij}(t_1, t_2, \dots, t_\kappa)}{D_{ij}(t_1, t_2, \dots, t_\kappa)}\right], s_1\right)\right) = \left([d_{ij}]\left[\frac{C_{ij}(\tau_{s(1)}, \tau_{s(2)}, \dots, \tau_{s(\kappa)}) \bmod p}{D_{ij}(\tau_{s(1)}, \tau_{s(2)}, \dots, \tau_{s(\kappa)}) \bmod p}\right],\; s s_1\right).$$
The E-Function Iterator module 42 may be evaluated via the
apparatus in FIG. 5.
[0053] A method for creating the library of pairs of E-Commuting
monoids will now be specified. Each monoid in such a pair will be
presented as a list of generators, each of which is contained in $MS$.
A feature of the method is that the internal algebraic structure of
the pairs of E-Commuting monoids is difficult to determine from the
publicly announced list of generators. Choose two sets $X$, $Y$ of
elements of $M$, and two sets $U$, $V$ of elements of $S$, where the
following properties hold:
$$xy = yx, \qquad uv = vu, \qquad {}^{v}x = x, \qquad {}^{u}y = y,$$
for all $x \in X$, $y \in Y$ and $u \in U$, $v \in V$.
There are many such choices for the sets $X$, $Y$, $U$, $V$. In fact, the
number of choices grows exponentially with $L$.
[0054] One method to specifically choose the sets $X$, $Y$, $U$, $V$ is
given as follows. Partition the set $\{t_1, t_2, \dots, t_\kappa\}$
into two disjoint subsets $T_1, T_2$ where
$T_i = \{t_{i_1}, t_{i_2}, \dots, t_{i_\kappa}\}$ for $i = 1, 2$.
Correspondingly, there will exist two distinct subgroups $U$, $V$ of
$S_\kappa$, where an element of $U$ permutes the variables in $T_1$ and
fixes the variables in $T_2$, and similarly an element of $V$ permutes
the variables in $T_2$ and fixes the variables in $T_1$. Observe that
every element $u \in U$ commutes with every element $v \in V$. Next
choose positive integers $l_1$ and $l_2$ such that $L = l_1 + l_2 + 1$.
The matrices in $X$ are chosen to be of the form
$$\begin{pmatrix} \ast_{l_1} & 0 & \cdots & 0 \\ 0 & 1 & & \\ \vdots & & \ddots & \\ 0 & & & 1 \end{pmatrix}$$
where the upper-left block $\ast_{l_1}$ is an $l_1 \times l_1$ matrix
whose entries are rational functions in the variables $T_1$. All
nonspecified entries of the above matrix are equal to 0. Similarly,
the matrices in $Y$ are chosen to be of the form
$$\begin{pmatrix} 1 & & & 0 \\ & \ddots & & \vdots \\ & & 1 & 0 \\ 0 & \cdots & 0 & \ast_{l_2} \end{pmatrix}$$
where the lower-right block $\ast_{l_2}$ is an $l_2 \times l_2$ matrix
whose entries are rational functions in the variables $T_2$. It is
clear that the above choices of matrices commute, that an element
$u \in U$ acts trivially on each matrix in $Y$, and that an element
$v \in V$ acts trivially on each matrix in $X$.
[0055] With this done, choose an invertible element
$(z,w) \in MS$. There are many such choices for $(z,w)$, and in
fact, the number of such choices grows exponentially with $L$. One
can now define the submonoids as
$$A = \{(z,w)(x,u)(z,w)^{-1} \mid x \in X, u \in U\},$$
$$B = \{(z,w)(y,v)(z,w)^{-1} \mid y \in Y, v \in V\}.$$
It is readily verifiable that $A$, $B$ are E-Commuting monoids. Note
that the search for $(z,w)$ is more difficult than a standard
conjugacy search problem because the conjugated elements are
unknown.
[0056] In the key agreement protocol, there are two users, Alice
and Bob, each of whom has a public and a private key. The users
proceed with a public exchange, after which each is in a position
to obtain a common agreed upon secret key which can then be used for
further cryptographic applications. The key agreement protocol
begins in this example with each user, Alice and Bob, being
assigned a user submonoid $A_1$ and $B_1$, respectively, from
a pair in the E-Commuting Monoid Library, 63. Each user, Alice and
Bob, proceeds to choose a private key which is the output of a
respective Private Key Generator 74. Each user public key is then
computed by directing the user private key, input 81, to the
E-Function Iterator module 42, along with the input 82. The
E-Function Iterator module 42 allows the users to compute their
respective public keys in a novel and rapid fashion. The
computations involved are 8-bit modular arithmetic operations
(addition, subtraction, multiplication, and division) and 8-bit
string search and replacement. These computations can be achieved
at low cost and high efficiency.
[0057] Finally, the public keys are exchanged via the
transmitter/receivers 93, 94. The results of this exchange, along
with the users' private keys, are sent to the E-Function Iterator
modules 42a, 42b, which output the common agreed upon secret key
97.
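The concrete instance of [0050]-[0052] and the submonoid construction of [0054], run through the E-Function Iterator of FIG. 5 and the key agreement of [0039]-[0040] and [0056]-[0057], as an added Python example that is not part of the application. It assumes a small constructed parameter set (p = 251, κ = 4, L = 5, τ = (3, 7, 11, 19)), matrix entries that are integer polynomials rather than rational functions, and the conjugating element (z, w) of [0055] taken to be the identity; that last assumption leaves the block structure of A and B visible in the generators, so this exercises the mechanics, not a hidden-structure parameter choice.

```python
import functools, itertools, math

P = 251                 # prime p: N is the monoid of L x L matrices mod p (constructed choice)
KAPPA, L = 4, 5         # variables t1..t4; L = l1 + l2 + 1 with l1 = l2 = 2
TAU = (3, 7, 11, 19)    # evaluation point (tau_1, ..., tau_kappa) for Pi; constructed, all nonzero mod p

# An entry of M is a polynomial in t1..t_kappa with integer coefficients: {exponent tuple: coefficient}.
def pmul(a, b):
    r = {}
    for (ea, ca), (eb, cb) in itertools.product(a.items(), b.items()):
        e = tuple(x + y for x, y in zip(ea, eb))
        r[e] = r.get(e, 0) + ca * cb
    return {e: c for e, c in r.items() if c}

def t(i):               # the variable t_i (1-based) as a polynomial
    return {tuple(int(j == i - 1) for j in range(KAPPA)): 1}

ONE, ZERO = {(0,) * KAPPA: 1}, {}

def blk(off, b):        # L x L element of M: 2x2 block b at rows/cols off, off+1; 1 elsewhere on the diagonal, 0 off it
    m = [[ONE if i == j else ZERO for j in range(L)] for i in range(L)]
    for i, j in itertools.product(range(2), range(2)):
        m[off + i][off + j] = b[i][j]
    return m

def act(s, m):          # the S-action ^s m: substitute t_i -> t_{s(i)} in every entry (s is a 0-based permutation)
    inv = [s.index(j) for j in range(KAPPA)]      # new exponent of t_j is the old exponent of t_{s^-1(j)}
    on = lambda q: {tuple(e[inv[j]] for j in range(KAPPA)): c for e, c in q.items()}
    return [[on(q) for q in row] for row in m]

def pi(m):              # the homomorphism Pi: evaluate every entry at TAU and reduce mod p ([0051])
    ev = lambda q: sum(c * math.prod(pow(x, k, P) for x, k in zip(TAU, e)) for e, c in q.items()) % P
    return [[ev(q) for q in row] for row in m]

def nmul(a, b):         # multiplication in N (matrices mod p)
    return [[sum(a[i][k] * b[k][j] for k in range(L)) % P for j in range(L)] for i in range(L)]

def E(ns, ms):          # E((n, s), (m, s1)) = (n * Pi(^s m), s s1); s s1 = s o s1 so that ^{s s1} m = ^s(^{s1} m)
    (n, s), (m, s1) = ns, ms
    return nmul(n, pi(act(s, m))), tuple(s[s1[i]] for i in range(KAPPA))

def iterate(ns, key):   # the E-Function Iterator of FIG. 5: fold E over the sequence of private-key generators
    return functools.reduce(E, key, ns)

ID_N, ID_S = [[int(i == j) for j in range(L)] for i in range(L)], tuple(range(KAPPA))

# Generators of Alice's submonoid (blocks in t1, t2 paired with permutations of {t1, t2}) and of Bob's
# (blocks in t3, t4 paired with permutations of {t3, t4}); the conjugation by (z, w) of [0055] is omitted.
A_gens = [(blk(0, [[t(1), ONE], [ZERO, t(2)]]), (1, 0, 2, 3)),
          (blk(0, [[pmul(t(1), t(2)), t(2)], [ONE, ZERO]]), (0, 1, 2, 3))]
B_gens = [(blk(2, [[t(3), t(4)], [ONE, ONE]]), (0, 1, 3, 2)),
          (blk(2, [[ZERO, t(3)], [t(4), ONE]]), (0, 1, 2, 3))]

def key_agreement(alice_key, bob_key):
    # Public keys start from (1_N, 1_S); each side then iterates its own private key from the other's public key.
    pub_a, pub_b = iterate((ID_N, ID_S), alice_key), iterate((ID_N, ID_S), bob_key)
    return iterate(pub_b, alice_key), iterate(pub_a, bob_key)    # both equal (Pi(M_A M_B), s_A s_B)
```

The two results agree because the A and B generators commute in M, each side's permutations fix the other side's variables, and Π is a homomorphism, which is exactly the E-Commuting property of [0036].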
* * * * *