A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes

A Generic Algebraic Model for the Analysis of
Cryptographic-Key Assignment Schemes
Sabri and Khedri (FPS 2012)
Dhruv Gairola
Algebraic Methods in CS, Ridha Khedri
gairold@mcmaster.ca ; dhruvgairola.blogspot.ca
March 31, 2014
Dhruv Gairola (McMaster Univ.) Sabri and Khedri (FPS 2012) March 31, 2014 1 / 25

Overview
1 Problem and Motivation
2 Brief Mathematical Background
3 Proposed structures
4 Akl-Taylor Technique
5 Generalizing Akl-Taylor
6 Chinese Remainder Technique
7 Veriﬁcation of security properties
8 Conclusion

Problem and Motivation
Problem : Many key assignment schemes. How to evaluate them?
Crampton et. Al. advocate the adoption of generic key assignment
model.
Proposed Solution : Algebraic model to analyse these schemes.
Beneﬁt : asserting correctness in preserving conﬁdentiality of info;
better understanding of key assignment.

Brief Mathematical Background
Semigroup : (S, ·) where · is an associative binary operator.
Semiring : (S, +, ·)
(S, +) is a commutative semigroup with identity 0s
(S, ·) is a semigroup with identity 1s
· distributes over + on the left and right
0s is absorbing in (S, ·) i.e., (∀x|x ∈ S : 0s · x = x · 0s = 0s)

Brief Mathematical Background (2)
Poset : (C, ) where is a partial order relation (reﬂexive, transitive,
antisymmetric).
Antisymmetry : x y ∧ y x =⇒ x = y
Quasi-ordered set : is only reﬂexive and transitive.

Proposed key structure
Key structure : K = (K, +k, ∗k, 0k, 1k)
Interpretation : +k and ∗k can be seen operators which combining
keys.
Can represent Cesar cipher, Vigenere cipher, Boyd’s RSA cipher using
the structure.

Proposed scheme structure
Key assignment scheme : S = (K, C, , a)
K is key structure
(C, ) is poset
a ⊆ K → C is an onto function (assignment function)
C is the set of security classes
k1 d k2 : info revealed by k1 can also be revealed by k2.

Proposed scheme structure (2)
Given d (key derivation relation) S is said to be :
Cluster secure : low class keys cannot reveal info of higher classes
Class secure : cluster secure and (C, ) is a chain
User secure : scheme contains independent keys s.t. no key can reveal
info that can be revealed from other keys
We have our structure. What about theories? (Axioms are obvious)

Proposed scheme structure (3)
Theories ( is a quasi-order relation):
1 k1 ≤k k2 =⇒ k1 k2
2 k1 ∗k k2 k2
3 k1 k2 =⇒ k1 +k k3 k2 +k k3
4 k1 k2 =⇒ k1 ∗k k3 k2 ∗k k3
5 k 1k
Now we have structure and theories. We can analyze speciﬁc key
assignment schemes and construct models.

Akl-Taylor Technique
Each user assigned a key, ki where ki = κti (mod m).
κ is a private number
m is a product of 2 large primes
ti is a product of n primes
Key idea : one key can be derived from another.

Akl-Taylor Technique (2)
Simple math : ki = κti (mod m)
(Hint- j:=i) kj = κtj
(mod m)
(Hint- LHS) κtj
(mod m) = (κti
)tj /ti
(mod m)
(Hint- LHS) (κti
)tj /ti
(mod m) = k
tj /ti
i
Therefore kj = k
tj /ti
i
Conclusion (key derivation) : kj can be derived from ki iﬀ tj is
divisible by ti

Akl-Taylor Example
Example : ki = κti (mod m), let m = 11 × 17 = 187, κ = 13
User i : ki = 135×7
(mod 187) = 21
User j : kj = 133×5×7
(mod 187) = 98
k
tj /ti
i = kj
213
(mod 187) = 98

Generalizing Akl-Taylor
The sever that distributes keys determines κ and keeps it private.
Once κ and m are ﬁxed, ti determines ki . This is given by log ki
log κ = ti .
We can view ti as the key.
Can we generalize ti ? Yes!
ti = {2 × 3 × 7} can be represented as {{2 × 3 × 7}} ∈ P(P(Np)) for
a ﬁxed κ and m.

Generalizing Akl-Taylor (2)
P = {p1 × ... × pn|∃(p1...pn|pi ∈ Np : ∀(pi , pj |pi , pj ∈ Np : i = j =⇒
pi = pj ))}
P = {p1 × ... × pn|set of product of diﬀerent primes)
ti = {2 × 3 × 7} ∈ P
From example in prev slide, generalized tigen ∈ P(P(Np))

Generalizing Akl-Taylor (3)
Function rep :
rep : P → P(P(Np))
rep(p1 × ... × pn) = {{p1 × ... × pn}}
Each user is given a set of keys e.g., {{2 × 3 × 7}, {2 × 11 × 17}}.

Model for the key structure
F = (P(P(Np)), +k, ∗k, 0, 1). We have a model for key structure K!
∗k : P(P(Np)) × P(P(Np)) → P(P(Np))
A ∗k B = {a ∪ b : a ∈ A, b ∈ B}
+k : P(P(Np)) × P(P(Np)) → P(P(Np))
A +k B = A ∪ B

Model for the scheme structure
Generalized Akl-Taylor : S = (F, C, , a). Model for S.
In Akl-Taylor (C, ) is a tree but in generalized Akl-Taylor, (C, ) can
be a forest.

Generalized Akl-Taylor Usefulness
Useful if we need more than one key per user (e.g., user involved in
more than 1 key assignment scheme).
In Akl-Taylor, “one key can be derived from another” i.e., can we
show κti
d κtj ?
Use the relators d and which are present in our scheme S .
We can use the 5 theories deﬁned in slide 9 to obtain interesting
properties in our Generalized scheme.

Chinese Remainder Theorem
Given r, s ∈ Z+ and a, b are coprime, there ∃N ∈ Z s.t.
N ≡ a(mod r) and N ≡ b(mod s).
We can ﬁnd N using basic algebra.

Chinese Remainder Technique
Uses ideas from the solution procedure for chinese remainder theorem.
Key structure same as Akl-Taylor. Even ∗k, +k are deﬁned the same.
However, we have k1 d k2 ⇔ k2 k1 (dual), unlike for Akl-Taylor
where d and are the same.

Veriﬁcation of security properties
Properties can be veriﬁed :
Ability of user to get info intended for higher class.
Ability of using several keys to reveal info that can be revealed by using
another key.
Can use Prover9 to verify each property.

Veriﬁcation Example
Six classes get assigned keys :
Part-time nurses : key(cpn) = k1 ∗k k2 ∗k k4
Overnight nurses : key(cnn) = k1 ∗k k3 ∗k k4
Full-time nurses : key(cfn) = k1 ∗k k4
Part-time doctors : key(cpd ) = k2 ∗k k4
Overnight doctors : key(cnd ) = k3 ∗k k4
Full-time doctors : key(cfd ) = k4
Property : any doctor can get info of any nurse in the same class.
(key(cpn) d key(cpd )) ∧ (key(cnn) d key(cnd )) ∧ (key(cfn) d
key(cfd ))
(k1 ∗k k2 ∗k k4 d k2 ∗k k4)∧(k1 ∗k k3 ∗k k4 d k3 ∗k k4)∧(k1 ∗k k4 d k4)
Prover9 can verify such properties (automated).

Conclusion
Analyse key assignment schemes using algebraic structures.
Generalize existing key assignment schemes using model.
Automate veriﬁcation of security properties.
Future work : examine other key assignment schemes to assess
strengths and weaknesses.

References
“A Generic Algebraic Model for the Analysis of Cryptographic-Key
Assignment Schemes”, Sabri, Khedri, FPS (2012) pp. 62-77
“Algebraic Framework for the Speciﬁcation and Analysis of
Cryptographic-Key Distribution”, Sabri, Khedri, Fundamenta
Informaticae 112 (2011) pp. 305335
http://conferences.telecom-
bretagne.eu/fps2012/program/slides/24.pdf
http://mathworld.wolfram.com/ChineseRemainderTheorem.html

Thank you.

A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes

More Related Content

What's hot (20)

Similar to A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes (20)

More from dhruvgairola (8)

Recently uploaded (20)

A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes