coded modulation and the arrival of signcryption yuliang zheng university of north carolina at...
TRANSCRIPT
Coded Modulation and the Arrival of Signcryption
Yuliang ZhengUniversity of North Carolina at Charlotte
Enhancing Crypto-Primitives with Techniques from Coding TheoryNATO Advanced Research Workshop
6-9 Oct. 2008, Veliko Tarnovo, Bulgaria
2
Outline
Exposure to coded modulation Motivations Signcryption Look into the future
Error Corr(Encoder)
Modulation
Error Corr(Decoder)
Security(Authen)
Security(Decryptor)
Security(Authen)
Security(Encryptor)
SourceDecoder
SourceEncoder
Communications system
3
Demodulation
Channel
Prof. Hideki Imai’s Lab,in the late 80’s
4
Error Corr(Encoder)
Modulation
Error Corr(Decoder)
Security(Authen)
Security(Decryptor)
Security(Authen)
Security(Encryptor)
SourceDecoder
SourceEncoder
Demodulation
Channel
Error Correcting (encoder) +Modulation
Error Correcting (decoder) +Demodulation
Coded modulation--- one of the hottest in 80’s
5
Security(Authen)
Security(Decryptor)
Security(Authen)
Security(Encryptor)
SourceDecoder
SourceEncoder
Channel
Coded modulation
Combination/Co-design of error-correcting codes Multi-level modulation
2 types Trellis-coded modulation (TCM)
Gottfried Ungerboeck, Proposed in1975; Published in IEEE Trans on IT in 1982
Block-coded modulation (BCM) Hideki Imai and Shuji Hirakawa
Published in IEEE Trans on IT in 19766
Goals of coded modulation
To transmit data as fast as possible, and as reliable (little errors) as possible
To achieve Shannon’s capacity limit:
C = B log2(1+S/N)
C: channel capacity (bps)(= max. data transmission rate without error)
B: channel bandwidth (Hz) S: power of signal (W) N: power of noise (W)
7
Challenges
Modulation Transmission rate can be increased by
Increase the number of waveforms (constellation points) for modulation
However, an enlarged waveform set will also decrease “spacing” between waveforms, resulting in larger chances of errors at receiver
Error-correcting codes Increasing error-correcting capabilities requires
appending more parity bits/symbols, whereby reducing effective transmission rate 8
Address the challenges
Co-design/integrate multi-level modulation and convolutional error-correcting code Assign waveforms to code words in such a way
that maximizes Euclidean distance between the waveforms that are the most likely to be confused
10
Ungerboeck’s set partitioning(16QAM constellation mapper)
Error Corr(encoder)
Modulation
Trellis coded modulation
The end result
Increase transmission rate
while at the same time, reduce errors at receiver
KILL 2 BIRDS IN 1 STONE
11
Importance of coded modulation
12
Musing on coded modulation
½ dozen of my fellow PhD students working on coded modulation
Doing Imai Lab’s ritual for 5 years weekly, long group seminars with students
working on a vast array of different projects Applicable to cryptography ? Continue to muse after moving to
Down Under
13
Major goals of cryptography
Authenticity Trusted parties --- symmetric/private key authentication Untrusted parties --- asymmetric/public key authentication (digital
signature, unforgeability) Confidentiality
Symmetric/private key encryption Asymmetric/public key encryption
Reduce cost/overhead Computation (over large integers) Expansion in length (=communication overhead)
14
In the paper & ink world:Signature-then-Seal
15
To achieve: authenticity(unforgeability & non-repudiation)
To achieve: confidentiality
In the digital world:Signature-then-Encryption
1616/65
1. Add Signature Alice signs a message m
using her secret key, i.e. creating sig on m.
2. Do Encryption Alice encrypts (m,sig)
using AES with k. Alice creates another
data so that Bob can recover k. (Typically, Alice encrypts k using Bob’s public key).
m sig m sig k
m
mod exp
mod exp
Signature-then-Encryption(based on Discrete Logarithm)
17
encrypted usinga private key cipher with k
used by the receiver toreconstruct k
m
sig
gx
communication overhead
EXP=3+2.17
Cost of Signature-then-Encryption
18
Cost Schemes
Comp Cost (No. of exp)
Comm Overhead
(bits) RSA based
sig-then-enc
2 + 2
|na| + |nb|
DL based Schnorr sig + ElGamal enc
3 + 2.17 (3 + 3)
|hash| + |q| + |p|
Questions on Efficiency
Can we do better than “signature followed by encryption” ? For resource-constrained applications
Wireless mobile devices Smart card applications
Can we learn from other disciplines such as Communication engineering
Imai-Hirakawa block coded modulation Ungerboeck trellis coded modulation
19
Co-design of digital signature and public key encryption ?
20
?
?Security(Authen)
Security(Decryptor)
Security(Authen)
Security(Encryptor)
SourceDecoder
SourceEncoder
Error Correcting (encoder) +Modulation
Error Correcting (decoder) +Demodulation
Channel
Goal: Signcryption (1996)
To achieve both confidentiality, authenticity
unforgeability & non-repudiation
With a significantly smaller comp. & comm. Cost
Cost (signcryption) << Cost (signature) + Cost (encryption)
21
22
How to co-design
Focus on discrete logarithm (DL) based schemes: ElGamal type public key encryption DSS/Schnorr type digital signature
Notice both use an “ephemeral public key”: gx
Let them share the same ephemeral public key !
Hide it, as long as it can be recovered by the recipient !
Signcryption -- public & secret parameters
23
Public to all p : a large prime q : a large prime
factor of p-1 g : 0<g<p & with
order q mod p Two 1-way hash functions:
G: {0,1}*→ {0,1}L
H: {0,1}* → Zq
(E,D) : private-key encryption & decryption algorithms
Alice’s keys : secret key : public keyxayay g pa
xa mod
xbyby g pb
xb mod
Bob’s keys : secret key : public key
Signcryption and Unsigncryption
24
Signcryption by Alice x ← {1,…,q-1}
at random T = yb
x mod p r = H(m, ya, yb, T) s = x/(r+xa) mod q k=G(T) c=Ek(m) Output (c, r, s)
Unsigncryption by Bob Compute
k=G(T) m=Dk(c) Check if
r = H(m, ya, yb, T) Output m if yes, and
Reject otherwise
pgyT bxsra mod)(
m (c, r, s) (c, r, s) m
Cost of Signcryption (based on Discrete Logarithm)
25
mencrypted usinga private key cipher with k
communication overhead
sig
EXP=1+1.17
Why 1.17 exponentiations?
26
pgy
pgy
pgy
qurv
qxsu
vua
xsrxsa
xsra
b
bb
b
mod)(
mod)(
mod)(
,Then
,mod
,mod
Let
This can be done in a smart way,costing only 1.17 exponentiationson average !D. Knuth,Seminumerical Algorithms,Vol. 2 of The Art of Computer Programming,2nd edition, Addison-Wesley,Exercise 27, Pages 465 & 637.
DL Signcryption v.s. sign-then-encrypt
27
0
1000
2000
3000
4000
5000
6000
7000
8000
1024 2048 4096 8190
RSA sign-encSchnorr + ELGamalDL Signcryption
|p|=|n|
# of multiplications (the smaller the better)
DL Signcryption v.s. sign-then-encrypt
28
0
5000
10000
15000
20000
25000
1024 2048 4096 8190
RSA sign-encSchnorr + ElGamalDL Signcryption
comm. Overhead ((# of bits, the smaller the better)
The end result
29
С един куршум - два заека(With one bullet - two rabbits)
Other developments
Extensions: pairing, factorization, …… Add “bells and whistles”
Multi-recipients, proxy, blind, threshold, ring, ID based, ……
Authenticated encryption (Authencryption) Co-design of shared key authentication and
encryption
30
Public or Private key
Authenticity Non-repudiation
Internationalstandards
Signcryption Public key Yes Yes On the way
Authencryption Private key Yes No On the way
Beyond coded modulationand signcryption ?
There is no crypto equivalent of “Shannon’s capacity limit” Good ? Or Bad ?
31UnsigncryptionSource
Decoder
SourceEncoder Signcryption Error Correcting (encoder) +
Modulation
Error Correcting (decoder) +Demodulation
Channel
32
33
Много благодаря !Thank you !