An Introduction to the Applications of Geometry in Cryptography

 

There are two main goals in cryptography. 

  1. Guaranteeing  confidentiality of information.  – ENCIPHERING
  2. Providing methods that make error detection and evidence of tampering possible. – AUTHENTICATION

 

Since cryptosystems are typically based on secret keys, the storage and distribution of these keys is also a central part of cryptography.

 

Geometry fits into the development and study of cryptosystems in the following way: rather than relying on unintelligible complexity or unproven assumptions, cryptosystems based on geometric methods provide provably high levels of security and are simple to realize.

 

What follows is an introduction to basic notions and terms in cryptography.  Once the basics have been established, a method for enciphering using a hyperplane of a d-dimensional projective space of order 2 will be introduced.

 

Basic Notions and Terms

 

We have the following set-up.

 

A sender wants to send data to a recipient  in such a way that confidentiality is ensured, and if this confidentiality is compromised, there must be a way of recognizing this.  Enter cryptography.

 

We have essentially two distinct motives for intercepting the data sent.

  1. A third party – which will be called an attacker – wants only to read the data.  – PASSIVE ATTACK
  2.  A third party wants not only to read the data, but also wants to alter that data.  – ACTIVE ATTACK

 

Protection from a passive attack can be attained using the method of enciphering.  In order to talk about enciphering we need a few terms.  The data as it sits in the hands of the sender, before it is sent under the protection of the encipherment, is referred to as plaintext (or cleartext).  A key is used to encipher the plaintext, which is then sent as ciphertext (also referred to as the message).  The key is produced using an algorithm.

 

To realize the mechanism of encipherment we must make the following properties inherent in the parameters described above.  Let f denote the algorithm, k the key, d the data (plaintext), and c the ciphertext.  For each k there is an invertible function f_k which maps a plaintext d onto a ciphertext c = f_k(d).  In other words:

 

The sender computes c = f_k(d) and the recipient computes f_k^{-1}(c) = f_k^{-1}(f_k(d)) = d.

 

We will think of the algorithm as having the following two properties.

  1. f_k and f_k^{-1} are easily computed and applied.
  2. Without knowledge of k it is very difficult to reconstruct the d which corresponds to a given c.
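
As an illustration only, here is a minimal sketch in Python of the sender/recipient round trip.  The keyed map used (byte-wise addition of a repeating key modulo 256) is a hypothetical stand-in for f_k, chosen because it is obviously invertible; it is not a secure cipher and is not the method developed below.

    # A toy, hypothetical stand-in for an invertible keyed map f_k.
    # Enciphering adds the (repeating) key byte-wise mod 256; deciphering subtracts it.

    def f_k(data: bytes, key: bytes) -> bytes:
        """Encipher: c = f_k(d)."""
        return bytes((b + key[i % len(key)]) % 256 for i, b in enumerate(data))

    def f_k_inverse(cipher: bytes, key: bytes) -> bytes:
        """Decipher: d = f_k^{-1}(c)."""
        return bytes((b - key[i % len(key)]) % 256 for i, b in enumerate(cipher))

    d = b"attack at dawn"
    k = b"\x07\x13\x29"              # the secret key
    c = f_k(d, k)                    # the sender computes the ciphertext
    assert f_k_inverse(c, k) == d    # the recipient recovers the plaintext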

 

An active attack requires that the recipient apply an authentication code to d = f_k^{-1}(f_k(d)).  Typically this is done by applying a cryptographic algorithm, say g, to d, which verifies that there is in fact some legitimate cleartext mapped onto the received message under f.

 

Clearly g must have the following properties.

  1. g is easily applicable.
  2. g must be such that it is difficult for an active attacker to create a message that will get past it.

 

This topic will be discussed in another section.

 

Security considerations in cryptography are based on Kerckhoffs' principle, which says that one must assume the attacker knows the algorithm; only the key must remain secret.

 

Security considerations, and therefore the construction of cryptosystems, must deal with the following three basic means of attack.

  1. The known-ciphertext attack: the attacker knows a (possibly large) number of messages.
  2. The known-plaintext attack: the attacker knows a set of data together with the corresponding messages.
  3. The chosen-plaintext attack: the attacker can choose the data for which she obtains the corresponding ciphertext.

From the above the importance of both enciphering and authentication becomes clear.  Using the two together can be considered the optimal way to ensure both the secrecy and the authenticity of messages transmitted over potentially public media.

 

Enciphering

 

What follows is a demonstration of how secrecy can be attained, and proven, using projective geometry as a tool.  Using the first representation theorem, PG(d,2) will be constructed from GF(2^(d+1)) in such a way that the generation of our key is known to have the properties needed to ensure optimal secrecy.  In order to accomplish this, the following concepts will be introduced: stream ciphers (data, messages, and keys will be thought of as streams of 0's and 1's), the one-time pad (a cryptosystem in which a given key is used only once), and Singer cycles (cyclic collineation groups, obtained here from GF(2^(d+1))).  Also the concept of perfect secrecy will be defined.

 

Stream Ciphers

 

Data   d   must be encoded as a binary string, i.e.,   d = d1, d2, d3, . . . ,  where  di  is an element of {0,1}.

Our key  k  will also be a binary string, i.e.,    k = k1, k2, k3, . . . , where  ki  is an element of {0,1}; this will be called the key-stream.

The data    d    will be enciphered using the one-time pad.

 

Definition: one-time pad.

 

Let     d   and   k  both be binary strings.   The ciphertext    c   will be generated by the vector sum of   d    and     k   modulo 2.

 

                c = (d1 + k1, d2 + k2, d3 + k3, . . .) mod 2  =  c1, c2, c3, . . .

 

Decryption is identical to encryption.

 

                c = c1, c2, c3, . . .  implies   d = (c1 + k1, c2 + k2, c3 + k3, . . .) mod 2.
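
A minimal sketch of the one-time pad on bit streams in Python, assuming the key-stream is already available as a list of bits at least as long as the data (producing such a key-stream is the subject of the remainder of this section):

    # One-time pad on bit streams: addition mod 2 (XOR), bit by bit.
    # Decryption is identical to encryption because x + x = 0 mod 2.

    def one_time_pad(bits, key_stream):
        """Return the term-wise sum mod 2 of a bit sequence and a key-stream."""
        if len(key_stream) < len(bits):
            raise ValueError("key-stream must be at least as long as the data")
        return [(b + k) % 2 for b, k in zip(bits, key_stream)]

    d = [0, 1, 1, 0, 1, 0, 0, 1]      # plaintext bits
    k = [1, 1, 0, 1, 0, 0, 1, 0]      # key-stream bits (ideally random, used once)
    c = one_time_pad(d, k)            # ciphertext bits
    assert one_time_pad(c, k) == d    # applying the same operation again recovers d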

 

 

Remark:  Note that if the key-stream is random, then even if an attacker knows k1, . . . , kn the only way to get the next bit of the stream is to guess.  This is essentially the concept of perfect secrecy.

 

Definition:  perfect secrecy.

 

The probability of obtaining   ki   given the corresponding    di     or the corresponding    ci    is no better than the probability of obtaining    ki    while knowing neither.
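
A tiny exhaustive check of this definition for a single one-time-pad bit, under the assumption that the plaintext bit and the key bit are independent and uniformly distributed:

    from itertools import product

    # For every observed ciphertext bit c, both key bits remain equally likely,
    # so seeing c gives an attacker no advantage in guessing k (or d).
    for c in (0, 1):
        consistent_keys = [k for d, k in product((0, 1), repeat=2) if (d + k) % 2 == c]
        assert consistent_keys.count(0) == consistent_keys.count(1)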

 

Using the one-time pad and the stream cipher, it is clear that the key-stream must be at least as long as the data-stream.  This is in fact the content of a theorem of C. Shannon.

 

Theorem:  Shannon’s theorem.

 

In any perfect enciphering system the number of keys is at least as large as the number of the possible cleartexts.

 

Sketch Proof.  Observe that for each     d     and each   c    there must be at least one    k   that maps     d    onto    c.  If there were a    d   and a     c    that could not be mapped to each other by any key, then an attacker, upon observing    c, would know that the corresponding cleartext is  not    d.   This violates the definition of perfect secrecy.

                Now fix a ciphertext   c'.  Each possible cleartext can be mapped onto   c'   by at least one key, and distinct cleartexts   d   and   d'   cannot be mapped onto   c'   by the same key, since   f_k   is invertible and   f_k^{-1}(c')   cannot be both   d   and   d'.   Hence the number of keys must be at least as large as the number of cleartexts.

 

The focus here is on the use of the one-time pad together with the stream cipher, and the goal is to attain perfect secrecy.  With this and the remark above in mind, it is now time to consider the creation of the key-stream.  In order to attain optimal security, the key-stream must be random.  However, a truly random key-stream has the following disadvantages: a machine cannot generate such a sequence, since its finite number of states forces periodicity, and the recipient would have no practical way of reproducing a truly random sequence in order to pull    c    back to    d.

In order to attain the security needed, and since   k   cannot be truly random, the concept of pseudo-randomness must be introduced.  A periodic sequence repeats forever and is characterized by its period  n, the smallest positive integer such that the sequence repeats after the nth position; any such sequence is said to be generated by a cycle C of length n.  A pseudo-random sequence is a periodic sequence whose generating cycle looks random in the sense of the postulates formulated below.

 

Example. The sequence    001101011001101011001101011 . . .  is a sequence generated by the cycle (001101011).  Notice that, since the sequence is repeated forever, the cycle (011010110) also works; as does the cycle (101011001).
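
A small sketch of how a cycle generates its periodic sequence (any cyclic shift of the cycle generates the same overall sequence, merely entered at a different point):

    from itertools import cycle, islice

    def stream_from_cycle(c, length):
        """Repeat the cycle c forever and return the first `length` terms."""
        return list(islice(cycle(c), length))

    c = [0, 0, 1, 1, 0, 1, 0, 1, 1]
    print("".join(map(str, stream_from_cycle(c, 27))))
    # -> 001101011001101011001101011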

 

Now the issue of generating key-streams has been reduced to the construction of pseudo-random sequences.  In order to construct these sequences, the postulates of Golomb will be needed.

 

(G1)  The numbers of 0’s and 1’s  in C differ by at most 1.

 

To formulate the next postulate, the notions of string and  gap must be introduced.  A string is a sequence of 1’s preceded and followed by 0’s.  A gap is a sequence of 0’s preceded and followed by 1’s.

 

Example.  The sequence C = 011101100101000 has one gap of length 2, and two strings of length 1.

 

(G2)  For each nonnegative integer i, the number of  strings of length i and the number of gaps of length i differ by at most 1.

 

For the final postulate, consider taking a cycle C and performing a left (cyclic) shift of all its elements by a positions.  This shift will be denoted by C(a).  Referring to the first example of a pseudo-random sequence above, note that such a shift does not change the overall sequence; however, C and C(a) will in general differ term by term.  Define the out-of-phase autocorrelation function by

 

                AC(a) = (agreements - disagreements)/n,

where the cycle C of length n is compared term by term with the shifted cycle C(a).  The autocorrelation is out-of-phase if n does not divide a.

 

(G3)  The out-of-phase autocorrelation has the same value for all a.

 

The postulates of Golomb are essentially the best way we have to formalize the concept of 'random.'
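
As a rough illustration, here is a sketch in Python that checks the three postulates for a given cycle, counting strings, gaps, and agreements cyclically.  The test cycle (0010111), a maximal-length shift-register cycle of period 7, is an assumption chosen here only because it satisfies all three postulates.

    def runs(c):
        """Cyclic runs of equal symbols in the cycle c, as (symbol, length) pairs."""
        n = len(c)
        # rotate so the cycle starts at a boundary between two different symbols
        start = next((i for i in range(n) if c[i] != c[i - 1]), 0)
        r = c[start:] + c[:start]
        out, i = [], 0
        while i < n:
            j = i
            while j < n and r[j] == r[i]:
                j += 1
            out.append((r[i], j - i))
            i = j
        return out

    def g1(c):
        """(G1): the numbers of 0's and 1's differ by at most 1."""
        return abs(c.count(0) - c.count(1)) <= 1

    def g2(c):
        """(G2): for each i, the numbers of strings and gaps of length i differ by at most 1."""
        rs = runs(c)
        lengths = {length for _, length in rs}
        return all(abs(sum(1 for s, length in rs if s == 1 and length == i)
                       - sum(1 for s, length in rs if s == 0 and length == i)) <= 1
                   for i in lengths)

    def ac(c, a):
        """Autocorrelation AC(a) = (agreements - disagreements)/n against the shift C(a)."""
        n = len(c)
        agree = sum(1 for i in range(n) if c[i] == c[(i + a) % n])
        return (agree - (n - agree)) / n

    def g3(c):
        """(G3): the out-of-phase autocorrelation has the same value for every shift a."""
        return len({ac(c, a) for a in range(1, len(c))}) == 1

    c = [0, 0, 1, 0, 1, 1, 1]        # a period-7 maximal-length shift-register cycle
    print(g1(c), g2(c), g3(c))       # -> True True True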

 

Now we know what our pseudo-random sequences should look like, but are there methods for constructing them?  As promised, the properties of projective spaces, in particular the characteristics of their hyperplanes, will be used to construct such sequences.  This construction requires the concept of the Singer cycle.

 

Theorem:  Singer cycles.

 

Let P = PG(d,2)  be a finite Desarguesian projective space of dimension d and order 2.  Then P has a collineation group S called the Singer cycle, with the following properties:

  1. S is a cyclic group.
  2. S is sharply transitive on the set of points (and on the set of hyperplanes) of P.

 

Proof.  By the first representation theorem we can represent P as P(V), where V is a (d + 1)-dimensional vector space over K = GF(2).  Because the field  F = GF(2^(d+1)) is a (d + 1)-dimensional vector space over K, we can choose V = F = GF(2^(d+1)).  The points of P are the nonzero vectors, i.e., the elements of F* = F \ {0}.

                In order to make this work, F must be constructed as follows.  Let   x   be a primitive element of GF(2^(d+1)).  Then   x   is a root of an irreducible polynomial  f(y) of degree d + 1 over GF(2), say f(y) = y^(d+1) + c_d y^d + . . . + c_1 y + c_0, where each c_i is an element of GF(2).  From our discussion of finite fields, we know that any power of    x   may be written as   x^i = a_0 + a_1 x + . . . + a_d x^d,  where each a_j is an element of GF(2).  There is thus a correspondence between   x^i   and the vector (a_0, . . . , a_d) over GF(2).  The 2^(d+1) - 1 different powers of   x  correspond to the 2^(d+1) - 1 different nonzero vectors (a_0, . . . , a_d) over GF(2).

                The generating element of the Singer cycle is   x.  Define the mapping   s(g) = x · g,  where g is an element of  F.  Then s(0) = 0, and s is a permutation of F* = F \ {0}.  Since   x  is primitive,   s   generates a cyclic group S = {1, s, s^2, . . .} of order v = 2^(d+1) - 1.  Because x^v = 1, the powers x^i and x^(i+v) correspond to the same point, while 1, x, x^2, . . . , x^(v-1) correspond to v distinct points; hence   s   permutes the points of P in a single cycle.

                By construction,   s   is a bijection of the set of points of P onto itself.  It must be shown that   s   maps triples of collinear points onto triples of collinear points.   Let   u,  v, and   w  be distinct elements of  F* such that the corresponding points of P are collinear.   Then  u + v = w, so  s(u) + s(v) = x · u + x · v = x · (u + v) = x · w = s(w).

Therefore   s  is a collineation of P.  Also by construction, the powers of   s   successively map the points of P onto each other.

                                                                                                                                                                                                Q.E.D.
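
A sketch of this construction in Python, assuming a primitive polynomial is supplied.  Each element of GF(2^(d+1)) is stored as its coefficient vector (a_0, . . . , a_d), and one application of the generating element s is multiplication by x, i.e., a shift of the coefficients followed by reduction using f(x) = 0.

    def singer_points(d, low_coeffs):
        """List the nonzero vectors (a_0, ..., a_d) in the Singer order 1, x, x^2, ...

        low_coeffs = (c_0, ..., c_d) are the low coefficients of a primitive polynomial
        f(y) = y^(d+1) + c_d*y^d + ... + c_1*y + c_0 over GF(2), so that
        x^(d+1) = c_d*x^d + ... + c_1*x + c_0 (signs do not matter mod 2).
        """
        a = [1] + [0] * d                # the element 1 = x^0
        points = []
        for _ in range(2 ** (d + 1) - 1):
            points.append(tuple(a))
            carry = a[-1]                # coefficient of x^d before multiplying by x
            a = [0] + a[:-1]             # multiply by x: shift all coefficients up
            if carry:                    # reduce the overflow term x^(d+1)
                a = [(ai + ci) % 2 for ai, ci in zip(a, low_coeffs)]
        return points

    # Hypothetical illustration: d = 3 with f(y) = y^4 + y + 1, i.e. (c_0, c_1, c_2, c_3) = (1, 1, 0, 0).
    pts = singer_points(3, (1, 1, 0, 0))
    assert len(set(pts)) == 15           # the 2^4 - 1 points of PG(3,2), each hit exactly once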

 

 

If the points of P are labeled by the integers 1, 2, . . . , v in the order given by the generating element of the Singer cycle (so that the point labeled i corresponds to x^(i-1)), then the following theorem provides a method for constructing a pseudo-random sequence that can be used as our key-stream.

 

Theorem:  C from a hyperplane.

 

Let C = (a1, a2, . . . , av) be the incidence vector of a hyperplane  H  of   P = PG(d,2)  with respect to the above labeling of the points of P.  Then the cycle C fulfils Golomb's postulates.

 

Sketch Proof.  The number   y   of 1’s in C is equal to the number of points in  H;  therefore 

 

                y = 1 + 2 + 4 + . . . + 2^(d-1) = 2^d - 1.

 

The number   z   of  0’s  in C is equal to the number of points not in   H;  therefore

 

                z = v - y = 2^(d+1) - 1 - (2^d - 1) = 2^d.

 

Thus   z – y = 1, and   (G1) holds.

 

Claim 1:  The incidence vector  C  of  H  has one string of length   d  and   2^i   strings of length   d - 1 - i   (i = 0, 1, . . . , d - 2).

Claim 2:  The incidence vector  C  of  H  has one gap of length   d + 1  and   2^i   gaps of length   d - 1 - i   (i = 0, 1, . . . , d - 2).

 

Thus, given that these claims are true, it is easy to see that (G2) is satisfied.

In order to show (G3) we must show that the out-of-phase autocorrelation is constant.  This will be done using the fact that  s  is a collineation of P: shifting by a positions corresponds to applying a power of s, so C(a) is again the incidence vector of a hyperplane.  Specifically, C(a) is the incidence vector of  s^a(H); call this hyperplane H'.  When the shift is out of phase, H' is distinct from H.

 

(G3) now follows easily.  Let A be the number of positions in which C and C(a) coincide, i.e., A is the number of common 1's plus the number of common 0's.  Equivalently, A is the number of points that lie on both  H  and  H'  plus the number of points that lie on neither  H  nor  H'.  Two distinct hyperplanes of P meet in a subspace with 2^(d-1) - 1 points, and exactly 2^(d-1) points of P lie outside both.  Observe:

 

                A = (2^(d-1) - 1) + 2^(d-1) = 2^d - 1.

 

We also have

 

                D (the number of terms in which C and C(a) disagree) = v - A = 2^(d+1) - 1 - (2^d - 1) = 2^d.

 

Given the above, the out-of-phase autocorrelation is AC(a) = (A - D)/v = (2^d - 1 - 2^d)/(2^(d+1) - 1) = -1/(2^(d+1) - 1), independent of a.  Therefore (G3) is satisfied.

 

                                                                                                                                                (sort of)  Q.E.D.

 

An example will make this theorem clearer.  The sketch of the proof was needed in order to establish the fact that Claim 1 and Claim 2 imply (G2).  This will be crucial for the example.

 

Example.   Construct PG(3,2) from GF(2^4).   (Recall PG(d,2) is coordinatized by V = F = GF(2^(d+1)).)  Let f(y) = y^4 + y + 1; this polynomial is primitive, and in particular irreducible, over GF(2).   Let x be a root of f, hence f(x) = 0.

Thus   x^4 = x + 1,  and the successive powers of   x  determine the points of PG(3,2).   Each power of   x  corresponds to a polynomial of the form  a3x^3 + a2x^2 + a1x + a0,  where each ai  is an element of GF(2).  Thus we have a Singer cycle, and the points of PG(3,2), written as 4-tuples of the coefficients of the polynomial representation of the corresponding power of   x, are labeled so that the map   s   is the generating element.  The following table lists, on the left, the powers of   x   with their polynomial representations and, on the right, the coordinates (written without commas) of the points of PG(3,2).

 

x^0  = 1                             a1:  0001
x^1  = x                             a2:  0010
x^2  = x^2                           a3:  0100
x^3  = x^3                           a4:  1000
x^4  = x + 1                         a5:  0011
x^5  = x^2 + x                       a6:  0110
x^6  = x^3 + x^2                     a7:  1100
x^7  = x^3 + x + 1                   a8:  1011
x^8  = x^2 + 1                       a9:  0101
x^9  = x^3 + x                       a10: 1010
x^10 = x^2 + x + 1                   a11: 0111
x^11 = x^3 + x^2 + x                 a12: 1110
x^12 = x^3 + x^2 + x + 1             a13: 1111
x^13 = x^3 + x^2 + 1                 a14: 1101
x^14 = x^3 + 1                       a15: 1001
x^15 = 1

 

We have 2^4 - 1 = 15 elements different from zero.

Now let   H  = < 0001, 0010, 0011, 0100 >  (the hyperplane consisting of all points whose first coordinate is 0), and let   C = (a1, a2, . . . , av) be the incidence vector of   H.

So by inspecting the  ai’s,  it is possible to determine what  C  will be for the pseudo-random sequence. 

Here we have  C = (111011001010000).  Verify that, in accordance with Claim 1 of the theorem above, there is 1 string of length 3, there is 1 string of length 2, and there are 2 strings of length 1.   Also verify that, in accordance with Claim 2, there is 1 gap of length 4, there is 1 gap of length 2, and there are 2 gaps of length 1.  These claims establish (G2); (G1) and (G3) were established in the theorem.
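
A short sketch in Python that reproduces this example, assuming the labeling above (point a_i corresponds to x^(i-1)) and taking H to be the hyperplane of points whose first coordinate is 0.  It rebuilds the table, reads off the incidence vector, and checks that every out-of-phase autocorrelation equals -1/(2^(d+1) - 1) = -1/15, as predicted by the theorem.

    from fractions import Fraction

    def gf16_powers():
        """Powers of x in GF(2^4) with x^4 = x + 1, stored as (a3, a2, a1, a0)."""
        a3, a2, a1, a0 = 0, 0, 0, 1          # x^0 = 1
        pts = []
        for _ in range(15):
            pts.append((a3, a2, a1, a0))
            carry = a3                        # coefficient of x^3 before multiplying by x
            a3, a2, a1, a0 = a2, a1, a0, 0    # multiply by x: shift coefficients
            if carry:                         # reduce with x^4 = x + 1
                a1 ^= 1
                a0 ^= 1
        return pts

    pts = gf16_powers()

    # H: the hyperplane of points whose first coordinate (a3) is 0.
    C = [1 if p[0] == 0 else 0 for p in pts]
    print("".join(map(str, C)))               # -> 111011001010000

    # Every out-of-phase autocorrelation equals -1/15, as the theorem predicts.
    n = len(C)
    for a in range(1, n):
        agree = sum(C[i] == C[(i + a) % n] for i in range(n))
        assert Fraction(agree - (n - agree), n) == Fraction(-1, 15)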

 

In summary, in order to create a key-stream that looks random (but is actually pseudo-random) we must satisfy the postulates of Golomb.  This can be done by constructing PG(d,2) from the vector space F = GF(2^(d+1)) over GF(2), using the Singer cycle to generate and order the points of PG(d,2).  The cycle C, the seed for the pseudo-random sequence, is the incidence vector of a hyperplane of P.   Clearly, the longer the seed, the better the security; the security is therefore, in some sense, a function of the dimension of our projective space, since the order is fixed at 2.