Kobe University Repository : Kernel
Title: All-or-Nothing Transform Based on a Linear Code (Special Section on Discrete Mathematics and Its Applications)
Author(s): Kuwakado, Hidenori / Tanaka, Hatsukazu
Citation: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E85-A(5):1084-1087
Issue date: 2002-05-01
Resource Type: Journal Article
Resource Version: publisher
Rights: Copyright (c) 2002 IEICE
DOI:
JaLCDOI:
URL: http://www.lib.kobe-u.ac.jp/handle_kernel/90001320
PDF issue: 2020-01-23
IEICE TRANS. FUNDAMENTALS, VOL.E85-A, NO.5 MAY 2002
LETTER Special Section on Discrete Mathematics and Its Applications
All-or-Nothing Transform Based on a Linear Code
Hidenori KUWAKADO†a) and Hatsukazu TANAKA†, Regular Members
SUMMARY An all-or-nothing transform (AONT), proposed by Rivest, is one of the encryption modes. The AONT is intended to increase the cost of brute-force attacks on a block cipher. This paper provides a revised definition of an unconditionally secure AONT and shows an instance of an optimal unconditionally secure AONT. In addition, we propose a computationally secure AONT such that no information on the message can be obtained, whatever the position of the lost block, owing to a linear code.
key words: cryptography, information security, all-or-nothing transform, encryption mode, linear code
1. Introduction
The security of encryption schemes can be improved by pre-processing a message appropriately before encrypting it. Such a message transformation is called an encryption mode. As examples of encryption modes, the cipher block chaining mode (CBC mode) and the optimal asymmetric encryption padding (OAEP) [1] are widely used.
An all-or-nothing transform (AONT), proposed by Rivest in [5], is one of the encryption modes. The AONT is intended to increase the cost of brute-force attacks on a block cipher. Like other encryption modes, the AONT itself performs no encryption. The original concept of the AONT by Rivest is summarized as follows [5]. A transformation $f$ mapping message blocks $(m_1, m_2, \ldots, m_s)$ into pseudo-message blocks $(x_1, x_2, \ldots, x_{s'})$ is said to be an AONT if the following conditions are satisfied.
(A1) The transformation $f$ is reversible: given the pseudo-message blocks, one can obtain the message blocks.
(A2) Both the transformation $f$ and its inverse are efficiently computable.
(A3) It is computationally infeasible to compute any function of any message block if any one of the pseudo-message blocks is unknown.
The CBC mode is not an AONT because it does not satisfy (A3).
Manuscript received August 30, 2001. Manuscript revised November 11, 2001. Final manuscript received January 20, 2002.
†The authors are with the Faculty of Engineering, Kobe University, Kobe-shi, 657-8501 Japan.
a) E-mail: [email protected]
Due to (A3), if the output of the AONT is encrypted block by block, the resulting ciphertext has the following property: an adversary cannot learn any information on any message block without decrypting all the ciphertext blocks. Such an encryption mode is said to be strongly non-separable [5]. We note that a strongly non-separable encryption mode can be constructed without an AONT, for example, the variable-input-length mode [2]. The advantage of a strongly non-separable encryption mode based on an AONT is as follows. The construction and analysis are free from any dependency on the peculiarities of the encryption algorithm used to encrypt the pseudo-message blocks. Namely, a strongly non-separable encryption mode based on an AONT permits the immediate use of existing and widely available hardware and software in which the encryption algorithm is implemented.
There are two approaches to constructing an AONT: one is based on the unconditionally secure model (or the information-theoretic model), and the other on the computationally secure model. Stinson [7] gave a definition of an unconditionally secure AONT, and efficient AONTs based on a linear transform. On the other hand, Rivest's AONT is based on the computationally secure model [5]. Boyko [3] proved that the OAEP is a computationally secure AONT.
In this paper, we discuss both approaches to constructing an AONT. The results of this paper are as follows.
1. We provide a new definition of an unconditionally secure AONT, and propose an AONT satisfying our definition. In addition, we show that our AONT is optimal in the sense that the lower bound on the size of a pseudo-message block is achieved. Stinson's definition does not completely capture Rivest's concept in the unconditionally secure model. Boyko first pointed out this fault, but did not give a revised definition in the unconditionally secure model. From our definition, the lower bound on the size of a pseudo-message block can be derived. Then we show that the optimal AONT can be constructed with an ideal secret sharing scheme.
2. As an AONT based on the computationally secure model, we show an AONT based on a linear code. Unlike Rivest's AONT and the OAEP, the proposed AONT ensures that the loss of a pseudo-message block causes uncertainty about the key used, in the information-theoretic sense. As a result, no information on the message blocks can be obtained.
2. Preliminaries
2.1 Stinson's AONT
Stinson's AONT in the unconditionally secure model is a deterministic linear transform. Let $(m_1, m_2, \ldots, m_s) \in (GF(q))^s$ be message blocks, and $(x_1, x_2, \ldots, x_s) \in (GF(q))^s$ pseudo-message blocks. Let $M$ be an invertible $s \times s$ matrix with elements from $GF(q)$ such that no element of $M$ is equal to 0. Then the transformation is defined as
$$(x_1, x_2, \ldots, x_s) = (m_1, m_2, \ldots, m_s)\,M^{-1} \quad \text{over } GF(q).$$
This transformation satisfies the definitions (S1), (S2) stated in Sect. 3.1.
2.2 OAEP and Rivest's AONT
We mention two AONTs in the computationally secure model. First, the optimal asymmetric encryption padding (OAEP) is described here [1]. Let $(m_1, m_2, \ldots, m_s)$ be message blocks, and $(x_1, x_2, \ldots, x_{s'})$ pseudo-message blocks. For parameters $n, k_0$, suppose that there exist two random oracles $G_1, G_2$:
$$G_1: \{0,1\}^{k_0} \to \{0,1\}^{n}, \qquad G_2: \{0,1\}^{n} \to \{0,1\}^{k_0}.$$
Then the OAEP is defined as, for $m = m_1 \| m_2 \| \cdots \| m_s$,
$$x = x_1 \| x_2 \| \cdots \| x_{s'} = (m \oplus G_1(r)) \,\|\, (r \oplus G_2(m \oplus G_1(r))),$$
where $\|$ denotes concatenation, $m$ is $n$ bits and $r$ is a $k_0$-bit random string. Boyko [3] proved that it is infeasible to obtain $m_i$ if any one $x_j$ is lost. Namely, the OAEP satisfies the concept of an AONT, (A1)-(A3).
Next, Rivest [5] has proposed an AONT called the package transform. The package transform can be viewed as a special case of the OAEP, with
$$G_1(r) = E(r, 1) \| E(r, 2) \| \cdots \| E(r, s), \qquad G_2(m') = \bigoplus_{i=1}^{s} E(K_0,\ m'_i \oplus i),$$
where $E$ is a block cipher, $r$ is chosen at random, and $K_0$ is a public value.
3. Unconditionally Secure AONT
3.1 Revised Definition
Stinson [7] has defined an unconditionally secure AONT. Stinson's definition differs from Rivest's in that the transform is unconditionally secure, as opposed to computationally secure. Stinson [7] rephrased Rivest's conditions (A1)-(A3) in terms of the entropy function $H$ as follows. Let $m_1, m_2, \ldots, m_s, x_1, x_2, \ldots, x_s$ be random variables taking values in a finite set. These random variables define an AONT provided that the following conditions are satisfied:
(S1) $H(x_1, x_2, \ldots, x_s \mid m_1, m_2, \ldots, m_s) = 0$ and $H(m_1, m_2, \ldots, m_s \mid x_1, x_2, \ldots, x_s) = 0$.
(S2) $H(m_i \mid x_1, x_2, \ldots, x_{j-1}, x_{j+1}, x_{j+2}, \ldots, x_s) = H(m_i)$ for $i, j = 1, 2, \ldots, s$.
We see that (S1) corresponds to (A1). Since the unconditionally secure model allows a user unlimited computational resources, there is no condition corresponding to (A2). One might consider that (S2) corresponds to (A3), which is the characteristic property of an AONT. However, (S2) is not the unconditionally secure version of (A3); Boyko [3] observed that Stinson's definition only considers the amount of information leaked about a particular block of the message. For example, let $s = 3$. Even if $H(m_1 \mid x_1, x_2) = H(m_1)$ and $H(m_2 \mid x_1, x_2) = H(m_2)$, $H(m_1, m_2 \mid x_1, x_2)$ is not always equal to $H(m_1, m_2)$. In fact, Stinson's AONT, which is a linear transform, leaks the value of $m_1 - m_2$ when $x_1$ and $x_2$ are known, that is, $H(m_1, m_2 \mid x_1, x_2) < H(m_1, m_2)$.
We propose the following revised definition of an unconditionally secure AONT.
(I1) $H(x_1, x_2, \ldots, x_{s'} \mid m_1, m_2, \ldots, m_s) = 0$ and $H(m_1, m_2, \ldots, m_s \mid x_1, x_2, \ldots, x_{s'}) = 0$.
(I2) $H(m_1, m_2, \ldots, m_s \mid x_1, x_2, \ldots, x_{j-1}, x_{j+1}, x_{j+2}, \ldots, x_{s'}) = H(m_1, m_2, \ldots, m_s)$ for $j = 1, 2, \ldots, s'$.
The condition (I1) is the same as (S1) except for the number of blocks. The condition (I2) means that no information on the message blocks can be obtained even if all but one of the pseudo-message blocks, $x_1, x_2, \ldots, x_{j-1}, x_{j+1}, x_{j+2}, \ldots, x_{s'}$, are known. We note that (S2) holds whenever (I2) holds, but (I2) does not always hold when (S2) holds.
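The gap between (S2) and (I2) can be checked by brute force on a small instance. The following Python is an added example, not code from the paper: it instantiates Stinson's transform $x = m\,M^{-1}$ over GF(7) with $s = 3$ and a matrix $M$ constructed for this example (invertible, no zero entry, as Sect. 2.1 requires), confirms (S2) by enumeration when one pseudo-message block is missing, and then shows that the same enumeration leaves only 7 of the 343 message triples consistent with the surviving $x_1, x_2$, with $m_1 - m_2$ fixed, so (I2) fails.

```python
"""Stinson's linear AONT over GF(7), s = 3, checked by brute force (added example)."""
from itertools import product

Q = 7                                   # prime field GF(7), small enough to enumerate
# Matrix constructed for this example: invertible over GF(7) with no zero entry.
M = [[1, 2, 1],
     [2, 1, 1],
     [1, 1, 2]]
S = len(M)

def mat_inv_mod(mat, q):
    """Inverse of a square matrix over GF(q) by Gauss-Jordan elimination."""
    n = len(mat)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(mat)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c] % q)
        a[c], a[p] = a[p], a[c]
        inv = pow(a[c][c], -1, q)
        a[c] = [v * inv % q for v in a[c]]
        for r in range(n):
            if r != c and a[r][c] % q:
                f = a[r][c]
                a[r] = [(v - f * w) % q for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]

M_INV = mat_inv_mod(M, Q)

def vec_mat(v, mat, q):
    """Row vector times matrix over GF(q)."""
    return tuple(sum(v[k] * mat[k][i] for k in range(len(v))) % q for i in range(len(mat[0])))

def transform(m):
    """Pseudo-message blocks x = m M^{-1} over GF(q)."""
    return vec_mat(m, M_INV, Q)

def inverse(x):
    """Message blocks m = x M."""
    return vec_mat(x, M, Q)

def consistent_messages(x_known, j):
    """All message tuples whose transform agrees with x_known on every block except x_j."""
    out = []
    for m in product(range(Q), repeat=S):
        x = transform(m)
        if all(x[k] == x_known[k] for k in range(S) if k != j):
            out.append(m)
    return out

def single_block_undetermined(x_known, j):
    """(S2): each m_i on its own still takes every value of GF(q) when x_j is missing."""
    cands = consistent_messages(x_known, j)
    return all({m[i] for m in cands} == set(range(Q)) for i in range(S))

def leaked_relation(x_known, j):
    """Number of consistent message tuples, and the value of m1 - m2 if it is fixed.
    A count below q^s means (I2) fails: the joint message is partly determined."""
    cands = consistent_messages(x_known, j)
    diffs = {(m[0] - m[1]) % Q for m in cands}
    return len(cands), (diffs.pop() if len(diffs) == 1 else None)
```

With $x_3$ lost (index 2), `single_block_undetermined` returns True for every block, yet `leaked_relation` reports 7 consistent triples and a fixed $m_1 - m_2$: here $m = xM$ gives $m_1 - m_2 = -x_1 + x_2$, which does not involve $x_3$ at all.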
3.2 Size Analysis and Proposed AONT
We examine the size of a pseudo-message block satisfying the definitions (I1), (I2) of Sect. 3.1. Without loss of generality, we can assume that the lost pseudo-message block is $x_1$. Then we obtain the lower bound on the size of a pseudo-message block as follows:
$$\begin{aligned}
H(x_1) &\ge H(x_1 \mid x_2, x_3, \ldots, x_{s'}) \\
&\ge H(x_1 \mid x_2, x_3, \ldots, x_{s'}) - H(x_1 \mid x_2, x_3, \ldots, x_{s'}, m_1, m_2, \ldots, m_s) \\
&= I(m_1, m_2, \ldots, m_s;\ x_1 \mid x_2, x_3, \ldots, x_{s'}) \\
&= H(m_1, m_2, \ldots, m_s \mid x_2, x_3, \ldots, x_{s'}) - H(m_1, m_2, \ldots, m_s \mid x_1, x_2, x_3, \ldots, x_{s'}) \\
&= H(m_1, m_2, \ldots, m_s).
\end{aligned}$$
The last equality is due to (I1), (I2). This inequality means that the size of a pseudo-message block is at least as large as the total size of the message blocks.
Next, we show an unconditionally secure AONT satisfying the revised definition. Let $(m_1, m_2, \ldots, m_s)$ be message blocks and $(x_1, x_2, \ldots, x_s)$ pseudo-message blocks. Using an $s$-out-of-$s$ ideal secret sharing scheme such as Shamir's scheme [6], each $m_i$ ($i = 1, 2, \ldots, s$) is divided into $s$ shares, denoted by $y_{i,j}$ ($j = 1, 2, \ldots, s$). Then a pseudo-message block $x_k$ is, for $k = 1, 2, \ldots, s$,
$$x_k = y_{1,k} \,\|\, y_{2,k} \,\|\, \cdots \,\|\, y_{s,k}.$$
If, for example, $x_1$ is lost, then no information on any message block can be obtained, owing to the $s$-out-of-$s$ ideal secret sharing scheme. Since the size of $y_{i,j}$ is the same as that of $m_i$, the size of $x_k$ is $s$ times as large as that of $m_i$. Therefore, the proposed transform achieves the lower bound on the size of a pseudo-message block. We summarize the discussion above in the following theorem.
Theorem 1: In an unconditionally secure AONT satisfying the definitions (I1), (I2), the size of a pseudo-message block is not smaller than the total size of the message blocks. Using an ideal secret sharing scheme, it is possible to construct an unconditionally secure AONT that achieves the lower bound on the size of a pseudo-message block.
Unfortunately, Theorem 1 means that an unconditionally secure AONT is not practical. Let us consider the following example. Suppose that the total size of the message blocks is 1 MByte (= 8388608 bits). When the size of $m_i$ is 128 bits, the number of blocks $s$ is 65536. Then the size of a pseudo-message block is 1 MByte, and the total size of the pseudo-message blocks is 65536 MBytes. When the size of $m_i$ is 2048 bits, the total size of the pseudo-message blocks is 4096 MBytes.
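The construction above, implemented in Python as an added example (not the paper's code) with the simplest $s$-out-of-$s$ ideal scheme, additive (xor) sharing over bytes; Shamir's $s$-out-of-$s$ scheme named in the text would give exactly the same block sizes. Message blocks are assumed to have equal length, and the sample message bytes are constructed for the demo. `consistent_missing_block` makes (I2) concrete: for any candidate message there is exactly one value of the lost block under which the inverse returns that candidate, so the surviving blocks carry no information about the message. `pseudo_message_size` reproduces the 65536 MBytes and 4096 MBytes figures.

```python
"""Sect. 3.2 AONT with additive (xor) s-out-of-s sharing over bytes (added example)."""
import os

def xor_bytes(*parts):
    """Bytewise xor of equal-length byte strings."""
    out = bytearray(parts[0])
    for p in parts[1:]:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)

def share(block, s, rand=os.urandom):
    """Ideal s-out-of-s sharing: s-1 uniform shares, the last one fixes the xor to block.
    Any s-1 shares are uniform and independent of block, so nothing leaks without all s."""
    shares = [rand(len(block)) for _ in range(s - 1)]
    shares.append(xor_bytes(block, *shares))
    return shares

def aont_forward(blocks, rand=os.urandom):
    """x_k = y_{1,k} || y_{2,k} || ... || y_{s,k}, where y_{i,*} are the s shares of m_i."""
    s = len(blocks)
    y = [share(m, s, rand) for m in blocks]           # y[i][k] is share k of m_i
    return [b"".join(y[i][k] for i in range(s)) for k in range(s)]

def aont_inverse(x_blocks, block_len):
    """m_i is the xor of its s shares, i.e. of segment i of every pseudo-message block."""
    s = len(x_blocks)
    return [xor_bytes(*(x[i * block_len:(i + 1) * block_len] for x in x_blocks))
            for i in range(s)]

def consistent_missing_block(x_blocks, j, candidate):
    """With x_j lost, the unique value of x_j under which the inverse yields `candidate`.
    One exists for every candidate message, which is condition (I2) made concrete."""
    others = [x for k, x in enumerate(x_blocks) if k != j]
    return xor_bytes(b"".join(candidate), *others)

def pseudo_message_size(total_bits, block_bits):
    """Total size in bits of the s pseudo-message blocks: s blocks of s*block_bits each."""
    s = total_bits // block_bits
    return s * s * block_bits

if __name__ == "__main__":
    msg = [b"block-1-of-3....", b"block-2-of-3....", b"block-3-of-3...."]   # constructed input
    x = aont_forward(msg)
    print([len(b) for b in x], aont_inverse(x, 16) == msg)
    print(pseudo_message_size(8388608, 128) // (8 * 2**20), "MBytes for 128-bit blocks")
```

Each pseudo-message block is $s$ times a message block, so the total is $s$ times the message; this is the expansion Theorem 1 says cannot be avoided in the unconditionally secure model.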
4. AONT Based on a Linear Code
4.1 Proposed AONT
Before describing the proposed AONT in the computationally secure model, we recall a theorem on a linear code [4].
Theorem 2 ([4]): Let $a_1, a_2, \ldots, a_t$ be fixed distinct values in $GF(q)$. A set $C$ is defined as
$$C = \{(f(a_1), f(a_2), \ldots, f(a_t)) \mid t > s,\ f(x) \text{ is a polynomial of degree at most } s \text{ over } GF(q)\}.$$
Then $C$ is a $(t, s+1, t-s)$-linear code, where $t$ is the length of a codeword, $s+1$ is the number of information symbols, and $t-s$ is the minimum Hamming distance.
Using bounded distance decoding, the error-correcting ability of this linear code is given as follows:
$$2u + v \le t - s - 1,$$
where $u$ is the number of random errors and $v$ is the number of erasures. We note that $C$ is not a systematic code.
The proposed AONT is described below. Let $(m_1, m_2, \ldots, m_s)$ be message blocks. For simplicity, we assume that $m_i$ is $\ell$ bits for $i = 1, 2, \ldots, s$. Choose an $\ell$-bit key $k$ at random. Compute the sequence $z_1, z_2, \ldots, z_{s+1}$ as follows:
$$z_i = \begin{cases} E(k \oplus i,\ m_i) & \text{if } i = 1, 2, \ldots, s, \\ z_1 \oplus z_2 \oplus \cdots \oplus z_s \oplus k & \text{if } i = s+1, \end{cases} \qquad (1)$$
where $E$ is a block cipher $E: \{0,1\}^{\ell} \times \{0,1\}^{\ell} \to \{0,1\}^{\ell}$ and $s < 2^{\ell}$. The other properties of $E$ are described later in this section. As $(z_1, z_2, \ldots, z_{s+1})$ can be regarded as $s+1$ information symbols over $GF(2^{\ell})$, it is encoded with the $(2s+1, s+1, s+1)$-linear code of Theorem 2. The codeword is denoted by $(y_1, y_2, \ldots, y_{2s+1})$. Then the pseudo-message blocks $(x_1, x_2, \ldots, x_{s+1})$ are the first $s+1$ elements of $(y_1, y_2, \ldots, y_{2s+1})$, i.e., $x_i = y_i$ for $i = 1, 2, \ldots, s+1$. In other words, the last $s$ symbols of the codeword $(y_1, y_2, \ldots, y_{2s+1})$ are erased. The total size of the pseudo-message blocks is one block larger than that of the message blocks.
It is easy to see that this transform is invertible. Using erasure decoding, the information symbols $(z_1, z_2, \ldots, z_{s+1})$ are obtained from $(x_1, x_2, \ldots, x_{s+1})$ because the $(2s+1, s+1, s+1)$-linear code can correct $s$ erasures. After computing $k = z_1 \oplus \cdots \oplus z_s \oplus z_{s+1}$, $m_i$ is computed as $m_i = E^{-1}(k \oplus i, z_i)$ for $i = 1, 2, \ldots, s$.
We assume that the block cipher $E$ satisfies the following properties.
(E1) When a message $m$ and a ciphertext $c$ are fixed, the key is uniquely determined if it exists. However, it is not required that there be an efficient algorithm for determining the key.
(E2) Alice chooses a bit $b$ and a key $k$ at random. An adversary selects two different message sequences $m^{(0)} = (m^{(0)}_1, m^{(0)}_2, \ldots, m^{(0)}_{s+1})$ and $m^{(1)} = (m^{(1)}_1, m^{(1)}_2, \ldots, m^{(1)}_{s+1})$ where $m^{(0)}_j \ne m^{(1)}_j$ for some $j$. Then she encrypts $m^{(b)}$ as
$$c_i = E(k \oplus i,\ m^{(b)}_i) \quad \text{for } i = 1, 2, \ldots, s+1.$$
Given the ciphertext blocks $c = (c_1, c_2, \ldots, c_{s+1})$, the adversary cannot decide the value of $b$ without the key with probability better than 1/2. More precisely, the following holds for any algorithm $A$ running in time polynomial in $\ell$:
$$\left| \Pr\left[A(m^{(0)}, m^{(1)}, c) = b\right] - \frac{1}{2} \right| < \frac{1}{\mathrm{poly}(\ell)},$$
where $\mathrm{poly}(\ell)$ is any polynomial in $\ell$. Namely, since it is difficult to distinguish the ciphertext blocks of two message sequences without the key, the adversary cannot obtain even one bit of information on the message blocks from the ciphertext blocks.
Unlike the unconditionally secure AONT, the data expansion of the above AONT is extremely small, i.e., only one block. For example, when the total size of the message blocks is 1 MByte and $\ell$ is 128 bits, the total size of the pseudo-message blocks is about 1.000015 MBytes.
4.2 Security
We discuss the security of the proposed AONT described in Sect. 4.1. Using erasure decoding, the information symbols $(z_1, z_2, \ldots, z_{s+1})$ are obtained from $(x_1, x_2, \ldots, x_{s+1})$. The essential computation of the erasure decoding is to solve the following system of equations over $GF(2^{\ell})$:
$$\begin{cases} x_1 = z_1 + z_2 a_1 + z_3 a_1^{2} + \cdots + z_{s+1} a_1^{s} \\ x_2 = z_1 + z_2 a_2 + z_3 a_2^{2} + \cdots + z_{s+1} a_2^{s} \\ \quad\vdots \\ x_{s+1} = z_1 + z_2 a_{s+1} + z_3 a_{s+1}^{2} + \cdots + z_{s+1} a_{s+1}^{s} \end{cases}$$
Suppose that $x_j$ for some $j$ is lost. Then the above system of equations cannot be solved, that is, $(z_1, z_2, \ldots, z_{s+1})$ is not determined uniquely. From the viewpoint of coding theory, the number of erasures is then too large for the codeword to be decoded correctly. Formally, among the $z_i$ ($i = 1, 2, \ldots, s+1$) we focus on the case $i = s+1$, i.e.,
$$H(z_{s+1} \mid x_1, x_2, \ldots, x_{j-1}, x_{j+1}, \ldots, x_{s+1}) = H(z_{s+1}) \qquad (2)$$
for $j = 1, 2, \ldots, s+1$. From Eq. (1) and Eq. (2), the loss of a pseudo-message block causes uncertainty about the key $k$. In addition, the uncertainty of $k$ is equal to $H(z_{s+1})$ by assumption (E1). Since $k$ is information-theoretically undetermined, the adversary cannot overcome this uncertainty even with unlimited computational resources. Notice that the uncertainty of $k$ is not always equal to $H(z_{s+1})$ if (E1) does not hold. For example, suppose $c_i = E(k_0 \oplus i, m_i) = E(k_1 \oplus i, m_i)$ where $k_0 \ne k_1$. Then the cost of finding a key under which $c_i$ decrypts correctly is less than the cost in the case of (E1).
Next we examine whether the adversary can obtain information on the message blocks $(m_1, m_2, \ldots, m_s)$ from $(z_1, z_2, \ldots, z_s)$ when the key is unknown. By assumption (E2), no information on the message blocks leaks when the key is unknown. Although the key is information-theoretically undetermined, the proposed AONT is only computationally secure because the assumption on $E$ is computational.
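The transform of Sect. 4.1 and the key-uncertainty argument of Sect. 4.2, in Python, as an added example that is not the paper's code. Assumptions made here: $\ell = 128$, $GF(2^{128})$ with the reduction polynomial $x^{128} + x^7 + x^2 + x + 1$, evaluation points $a_i = i + 1$, and a toy 4-round Feistel cipher keyed through SHA-256 standing in for $E$ (its (E1)/(E2) properties are assumed, not proved; use a real block cipher in practice). One check worth making, derived from Eq. (1) and the system in Sect. 4.2 rather than stated on the page: since $f(1) = z_1 \oplus \cdots \oplus z_{s+1} = k$, an evaluation point equal to 1 among the output positions would emit the key itself as a pseudo-message block, which is why the points here start at 2. `key_if_block_were` shows that when $x_j$ is lost, every guess for it decodes to a different key.

```python
"""Sect. 4 AONT over GF(2^128) with a Reed-Solomon style code (added example)."""
import hashlib

MASK64 = (1 << 64) - 1
RED = (1 << 128) | 0x87        # x^128 + x^7 + x^2 + x + 1, reduction polynomial of GF(2^128)

def gf_mul(a, b):
    """Multiplication in GF(2^128) by shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= RED
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    return gf_pow(a, (1 << 128) - 2)   # a^(q-2) = a^-1 in GF(q)

# Toy 128-bit block cipher standing in for E: a 4-round Feistel network whose round
# function is SHA-256 of (key, round, half).  (E1)/(E2) are assumed, not proved.
def _f(key, rnd, half):
    d = hashlib.sha256(key.to_bytes(16, "big") + bytes([rnd]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big")

def enc(key, block):
    l, r = block >> 64, block & MASK64
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 64) | r

def dec(key, block):
    l, r = block >> 64, block & MASK64
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 64) | r

def point(i):
    """Evaluation point a_i.  By Eq. (1), f(1) = z_1 ^ ... ^ z_{s+1} = k, so 1 must not be
    among the points whose evaluations are output; a_i = i + 1 skips both 0 and 1."""
    return i + 1

def _eval(z, a):
    """f(a) = z_1 + z_2 a + ... + z_{s+1} a^s over GF(2^128)."""
    acc, p = 0, 1
    for coeff in z:
        acc ^= gf_mul(coeff, p)
        p = gf_mul(p, a)
    return acc

def aont_forward(blocks, k):
    """Eq. (1), then the first s+1 symbols of the (2s+1, s+1, s+1) codeword.
    The remaining s symbols f(a_{s+2}) .. f(a_{2s+1}) are the erased ones."""
    s = len(blocks)
    z = [enc(k ^ (i + 1), m) for i, m in enumerate(blocks)]
    last = k
    for zi in z:
        last ^= zi
    z.append(last)                                  # z_{s+1}
    return [_eval(z, point(i)) for i in range(1, s + 2)]

def _solve(rows, rhs):
    """Gauss-Jordan elimination over GF(2^128) (subtraction is xor)."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for c in range(n):
        p = next(r for r in range(c, n) if m[r][c])
        m[c], m[p] = m[p], m[c]
        inv = gf_inv(m[c][c])
        m[c] = [gf_mul(inv, v) for v in m[c]]
        for r in range(n):
            if r != c and m[r][c]:
                f = m[r][c]
                m[r] = [v ^ gf_mul(f, w) for v, w in zip(m[r], m[c])]
    return [row[n] for row in m]

def recover_key(x):
    """Erasure decoding: solve the Vandermonde system of Sect. 4.2 for (z_1..z_{s+1}),
    then k = z_1 ^ ... ^ z_{s+1}."""
    n = len(x)
    rows = [[gf_pow(point(i), j) for j in range(n)] for i in range(1, n + 1)]
    z = _solve(rows, x)
    k = 0
    for zi in z:
        k ^= zi
    return k, z

def aont_inverse(x):
    k, z = recover_key(x)
    return [dec(k ^ (i + 1), z[i]) for i in range(len(x) - 1)]

def key_if_block_were(x, j, guess):
    """Sect. 4.2: with x_j lost, each guess for it decodes to a distinct key, so the
    surviving blocks leave k information-theoretically undetermined."""
    trial = list(x)
    trial[j] = guess
    return recover_key(trial)[0]
```

Generate $k$ with `secrets.randbits(128)` in real use; the check below uses a fixed key so the result is reproducible. With $s$ known evaluations of a degree-$s$ polynomial, the consistent solutions form a line $f_0 + c\,q$ with $q(x) = \prod_{i \ne j}(x - a_i)$, and $k = f(1) = f_0(1) + c\,q(1)$ with $q(1) \ne 0$, which is why each guess for the lost block maps to a different key.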
5. Conclusions
In this paper, we have discussed two ways to achieve an AONT. First, we gave a new definition of an AONT in the unconditionally secure model, and proposed an optimal unconditionally secure AONT. Next, we proposed a computationally secure AONT based on a linear code. Owing to the bound on the error-correcting capability of the linear code, the loss of a pseudo-message block causes computational uncertainty about all message blocks.
Acknowledgment
The authors thank the anonymous reviewers for their useful comments.
References
[1] M. Bellare and P. Rogaway, "Optimal asymmetric encryption," Advances in Cryptology - EUROCRYPT'94, Lecture Notes in Computer Science, vol.950, pp.92-111, 1994.
[2] M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Fast Software Encryption FSE'99, Lecture Notes in Computer Science, vol.1636, pp.231-244, 1999.
[3] V. Boyko, "On the security properties of OAEP as an all-or-nothing transform," Advances in Cryptology - CRYPTO'99, Lecture Notes in Computer Science, vol.1666, pp.503-518, 1999.
[4] R.J. McEliece and D.V. Sarwate, "On sharing secrets and Reed-Solomon codes," Commun. ACM, vol.24, no.9, pp.583-584, 1981.
[5] R.L. Rivest, "All-or-nothing encryption and the package transform," Fast Software Encryption FSE'97, Lecture Notes in Computer Science, vol.1267, pp.210-218, 1997.
[6] A. Shamir, "How to share a secret," Commun. ACM, vol.22, no.11, pp.612-613, 1979.
[7] D.R. Stinson, "Something about all or nothing (transforms)," http://cacr.math.uwaterloo.ca/~dstinson/papers/, 1999.