This paper introduces and evaluates the performance of a novel cipher scheme, Ambiguous Multi-Symmetric Cryptography (AMSC), which conceals multiple coherent plain-texts in one cipher-text. The cipher-text can be decrypted by different keys to produce different plain-texts. Security analysis showed that AMSC is secure against cipher-text only and known plain-text attacks. AMSC has the following applications: 1) it can send multiple messages for multiple receivers through one cipher-text; 2) it can send one real message and multiple decoys for camouflage; and 3) it can send one real message to one receiver using parallel processing. Performance comparison with leading symmetric algorithms (DES, AES and RC6) demonstrated AMSC’s efficiency in execution time.
Deniable encryption prevents attackers from knowing with certainty whether or not a particular sender or receiver can be linked to a specific plain-text message. This paper addresses the deniable encryption problem by proposing a new cipher scheme, Ambiguous Multi-Symmetric Cryptography (AMSC), which conceals multiple plain-texts, each with its own key, in one cipher-text. The deniable encryption problem is important because most encryption schemes are defenseless against an attacker once she possesses the key. Deniable encryption provides an additional layer of protection. With multiple plain-texts concealed in one cipher-text, an attacker cannot be certain which plain-text is genuine even if she possesses the cipher-text and one or more of the keys.
Several recent efforts in the area of deniable encryption have demonstrated the possibility of hiding/protecting the sender or receiver from revealing the decryption key when force is used. Following the early work of Canetti et al. [
Ideally, we want a deniable encryption scheme that: 1) Defends both communication parties against decryption key exposure. 2) Has good performance in both encryption and decryption. 3) Is secure against different attack models. For 1), AMSC defends both sender and receiver by providing multiple decoy keys. As for 2), AMSC has an initialization phase that speeds up the original encryption [
This problem is non-trivial due to the complexity of concealing multiple messages into one message. This problem can simply be solved by encrypting n messages and concatenating the sub cipher-texts into one cipher-text. However, this could lead to rubber-hose cryptanalysis [
AMSC’s applications include multicast messaging and broadcast encryption. One video channel could generate multiple unique channels for different receivers. A second application is to deny the correct plain-text and key from the adversary by providing decoys. The third application is to use parallel computing to split one message into chunks and encrypt it using AMSC. This is possible due to the independent encryption operations that can run on different cores in parallel. This allows for faster encryption of a single message.
The primary contributions of this paper are as follows. First, compared with [
The remainder of this paper is organized as follows: Section 2 provides background and related work, and compares our scheme to others. Section 3 defines the scheme. Section 4 proposes a new algorithm and presents its applications. Section 5 studies the security and possible attacks and shows a probabilistic solution. Section 6 examines the time complexity. Section 7 shows the results of our experiments. Finally, Section 8 concludes.
Canetti et al. [
1) multi-distributional deniability, requires the users to know in advance which messages they might want to conceal, whereas
2) full deniability, allows the user to decide afterward
Canetti presented a sender deniable scheme, using this first model. They also constructed a receiver deniable scheme that requires an additional round of interaction, and a sender-receiver-deniable protocol that relies on third parties.
One proposed scheme for denying symmetric encryption by Canetti would be to give n alternative messages to encrypt, and use n different keys, then construct the cipher-text as the concatenation of the encryption of all messages as shown in
incomplete and would not reveal any information about any message. Concatenation could also lead to rubber-hose cryptanalysis [
Kamouflage system [
Juels and Ristenpart [
O'Neill et al. [
Sahai et al. [
A secret sharing scheme [
Our scheme conceals various plain-texts into one cipher-text, hence the name “Multi-Symmetric”.
1) Alice exchanges a number of AMSC co-prime keys with Bob (key exchange is out of scope of this paper). For added security, Alice can also exchange X, which is the product of all keys.
2) Alice generates cipher-text:
$$C = E_{AMSC}([K_1, K_2, \cdots, K_n], [P_1, P_2, \cdots, P_n]).$$
3) Bob decrypts C using key $K_i$ and gets $P_i$.
In this section, we present a new algorithm (AMSC v3) that satisfies the previous scheme. This algorithm enhances the performance of the two algorithms presented in [
The AMSC algorithm is based on the Chinese Remainder theorem (CRT) [
CRT Theorem: Suppose that $K_1, K_2, \cdots, K_n$ are pairwise relatively prime positive integers, and let $P_1, P_2, \cdots, P_n$ be integers. Then the system of congruences $C \equiv P_i \pmod{K_i}$ for $1 \le i \le n$ has a unique solution modulo $X = K_1 \ast K_2 \ast \cdots \ast K_n$, which is given by:
$$C \equiv P_1 X_1 s_1 + P_2 X_2 s_2 + \cdots + P_n X_n s_n \pmod{X},$$ where $X_i = X / K_i$ and $s_i \equiv (X_i)^{-1} \pmod{K_i}$ for $1 \le i \le n$.
The AMSC algorithm prepares $X_i \ast s_i$, $i = 1, \cdots, n$ from above in the initialization step (calculated once). Afterwards, the encryption multiplies all plain-texts $P_1, \cdots, P_n$ with the initialization values and calculates the cipher.
The first part initializes AMSC values that are used in encryption. We calculate X (the product of all keys) and a set of numbers $s_i \ast X / K_i$ for each key $K_i$, $i = 1, \cdots, n$.
These values are calculated only once and not per encryption. These are the steps needed to initialize:
1) Multiply keys $K_i$, $i = 1, \cdots, n$ to get a number X.
2) Use the extended Euclidean algorithm to find the roots $r_i, s_i$ for every key $K_i$ such that:
$$r_i (K_i) + s_i (X / K_i) = 1 \qquad (1)$$
Algorithm 1 shows AMSC v3 Initialization.
After initialization, subsequent cipher-texts are calculated by:
$$C = \sum_{i=1}^{n} P_i s_i X / K_i \qquad (2)$$
where $s_i X / K_i$ is calculated in the initialization step. There is an option to XOR the final cipher-text C with X. This will make AMSC secure against known plain-text attacks as discussed in detail in Section 5.
$$C = \left( \sum_{i=1}^{n} P_i s_i X / K_i \right) \oplus X \qquad (3)$$
Algorithm 2 shows the steps for AMSC v3 Encryption.
The decryption simply takes the cipher-text C and reduces it modulo the corresponding key $K_i$. If the XOR operation is used in the encryption to strengthen the cipher, then decryption needs X in addition to the cipher-text. One important note: if all keys are primes, and the receiver knows X and her key $K_i$, it is not possible to know the rest of the keys, as this is a factorization problem. Algorithm 3 shows the steps for AMSC v3 Decryption.
Let $n = 4$, $P_a = 64$ bits and $K_a = 65$ bits.
Assume we use prime keys (we can use co-primes as well): $K_1 = 36893488147419103183$, $K_2 = 36893488147419103153$, $K_3 = 36893488147419103117$, $K_4 = 36893488147419103091$ and plain-texts $P_1 = 5407036729192671602$, $P_2 = 12217864333306969557$, $P_3 = 9169178348075514855$, $P_4 = 8659079797496077286$.
Using AMSC with no XOR operations, we calculate cipher-text
$C = 1639418630032050050243577119286873823995375900079267888735899798043807086216329$.
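The three phases described above (initialization, encryption, decryption), run on the keys and plain-texts of this worked example. This is an added illustration, not the authors' C# implementation: the function names are this example's own, and reducing the sum modulo X and each $s_i$ modulo $K_i$ is an assumption that leaves every residue $C \bmod K_i$ unchanged.

```python
from math import prod

# Keys and plain-texts are the values of the worked example above.
KEYS = [36893488147419103183, 36893488147419103153,
        36893488147419103117, 36893488147419103091]
PLAINTEXTS = [5407036729192671602, 12217864333306969557,
              9169178348075514855, 8659079797496077286]


def egcd(a, b):
    """Extended Euclid: return (g, r, s) with r*a + s*b == g == gcd(a, b)."""
    r0, s0, r1, s1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return a, r0, s0


def amsc_init(keys):
    """Initialization: X and the per-key weights s_i * X / K_i from Eq. (1)."""
    X = prod(keys)
    weights = []
    for k in keys:
        g, _r, s = egcd(k, X // k)          # r*K_i + s*(X/K_i) = 1
        if g != 1:
            raise ValueError("keys must be pairwise co-prime")
        # Assumption: s is reduced mod K_i so every weight is non-negative.
        weights.append((s % k) * (X // k))
    return X, weights


def amsc_encrypt(X, weights, keys, plaintexts, xor=False, t=0):
    """Eq. (2); xor=True gives Eq. (3); t != 0 adds t*X as in Eq. (8)."""
    for p, k in zip(plaintexts, keys):
        if not 0 <= p < k:
            raise ValueError("each plain-text block must be smaller than its key")
    # Assumption: the sum is reduced mod X (Eq. (2) as printed omits this).
    c = sum(p * w for p, w in zip(plaintexts, weights)) % X + t * X
    return c ^ X if xor else c


def amsc_decrypt(c, key, X=None):
    """P_i = C mod K_i; pass X when the cipher-text was XORed with X."""
    if X is not None:
        c ^= X
    return c % key


if __name__ == "__main__":
    X, W = amsc_init(KEYS)
    for xor in (False, True):
        c = amsc_encrypt(X, W, KEYS, PLAINTEXTS, xor=xor)
        ok = [amsc_decrypt(c, k, X if xor else None) for k in KEYS] == PLAINTEXTS
        print("xor" if xor else "plain", "round-trip ok:", ok)
```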
In this section, we evaluate our algorithm under a variety of security attack models, including a thorough study on prime and co-prime keys. Then, we present a probabilistic solution for the encryption process.
When one cipher-text is intercepted, a brute force attack [
1) Primes: The prime number theorem states that there are approximately $C / \ln(C)$ primes $\le C$. The size of the cipher-text depends on three factors: the average block size $P_a$, the number of blocks n, and the average key size $K_a$.
2) Co-primes: For any cipher-text C, the number of sets of positive integers ≤ C in which two elements are co-primes lies between
$$2^{\Pi(C)} \ast e^{(1/2 + O(1)) \ast C} \quad \text{and} \quad 2^{\Pi(C)} \ast e^{(2 + O(1)) \ast C} \qquad (4)$$
by Theorem 3.3 of Cameron and Erdos [
counting function of c.
Nathanson [
$$2^{C} - 2^{\lfloor C/2 \rfloor} - C \ast 2^{\lfloor C/3 \rfloor} \le F(C) \le 2^{C} - 2^{\lfloor C/2 \rfloor} \qquad (5)$$
where $F(C)$ is the number of relatively prime subsets of $\{1, 2, \cdots, n\}$.
Furthermore, Nathanson derived an approximation $F_n(C)$ for the number of n-element sets of positive integers $\le C$ in which two elements are co-primes:
$$\binom{C}{n} - \binom{\lfloor C/2 \rfloor}{n} - C \ast \binom{\lfloor C/3 \rfloor}{n} \le F_n(C) \le \binom{C}{n} - \binom{\lfloor C/2 \rfloor}{n} \qquad (6)$$
Using Equation (6), we construct
To find all elements of the co-prime sets we can use different methods:
・ n = 2: if we want to find all pair sets that are co-primes ≤ C, we can use the Farey sequence [
・ n = 3: if we want to find all triplet sets that are co-primes ≤ C, we can use the primitive Pythagorean triples [
・ n > 3: In this case we can examine all subsets where n = 2 and chain them together to generate the subsets with the required n.
3) The XOR operation has been widely used in cryptography, especially in symmetric key cryptography [
In this work, we introduce an XOR between the cipher-text C and X (the product of all keys). This is done to break the mathematical pattern. In other words, if there is any kind of attack that uses mathematical operations to break the cipher-text C and extract the keys, then it will be of no use after the XOR operation. Moreover, XOR defends against the known plain-text attacks as discussed in Section 5.1.2.
In a classical attack, the adversary can compare one plain-text with its cipher-text and try to reveal the key. In AMSC, however, the adversary has multiple inputs and one output. We will study two cases: in the first, the adversary knows only one plain-text and the rest are unknown; in the second, we assume that all plain-texts going into the oracle are known.
1) One plain-text is known: The adversary does not know the total number of plain-texts n or their contents. The oracle generates the final cipher-text C. The adversary has to solve the equation $P_i = C \bmod K_i$, where $P_i$ and C are known. No single solution is possible. If the keys are primes, then a possible prime factorization (computationally infeasible) of $C - P_i$ might reveal one possible key $K_i$.
2) n plain-texts are known: The adversary examines n plain-texts and their cipher-texts for each encryption. We end up with n equations for each cipher:
$$\begin{aligned} C_1 &\equiv P_{i1} \pmod{K_i}, \quad i = 1, \cdots, n \\ C_2 &\equiv P_{i2} \pmod{K_i}, \quad i = 1, \cdots, n \\ &\;\;\vdots \\ C_z &\equiv P_{iz} \pmod{K_i}, \quad i = 1, \cdots, n \end{aligned}$$
We know that:
$K_i$ is a divisor of $(C_1 - P_{i1}, C_2 - P_{i2}, \cdots, C_z - P_{iz})$
therefore:
$$K_i \mid GCD(C_1 - P_{i1}, C_2 - P_{i2}, \cdots, C_z - P_{iz}) \qquad (7)$$
where GCD is the greatest common divisor. We have to find the GCD of $z - 1$ numbers, which has a computational complexity of $O((z - 1) \ast \log(C_1 - P_{i1}))$.
As more ciphers are calculated and z approaches $\infty$, the GCD gets close to $K_i$. To mitigate this issue, we do $C \oplus X$ in the last step of encryption.
This case is very similar to Section 5.1.2. However, XOR cannot help in this case because the adversary can feed their own plain-texts. The adversary can reveal X in a simple way:
Let all plain-texts $P_{1, \cdots, n} = 0$, then
$$C \oplus X = 0 \oplus X = X$$
Once X is known, subsequent oracle cipher-texts can be XORed with X to produce the original cipher-texts. Afterwards, the GCD can be used to reveal the keys as stated previously. We conclude that AMSC is not secure against this attack if the adversary chooses all plain-texts. We know that chosen plain-text attack and chosen cipher-text attack fail with all deterministic algorithms. Hence we have to use probabilistic approaches as discussed in Section 5.2.
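The leakage stated in Eq. (7) and the all-zero chosen plain-text case, checked numerically so that the need for the XOR step and for the probabilistic variants of Section 5.2 is concrete. This is an added example, not the authors' code: the keys are those of the paper's worked example, the plain-text traffic is constructed with a fixed seed, and the function names are this example's own.

```python
import random
from math import gcd, prod

# The four keys of the paper's worked example; all plain-texts are constructed.
KEYS = [36893488147419103183, 36893488147419103153,
        36893488147419103117, 36893488147419103091]


def encrypt(keys, plaintexts, xor=False):
    """Compact deterministic AMSC: CRT solution mod X, optionally XORed with X."""
    X = prod(keys)
    c = sum(p * (X // k) * pow(X // k, -1, k)
            for p, k in zip(plaintexts, keys)) % X
    return c ^ X if xor else c


def observe(keys, i, samples, xor, seed=2017):
    """Constructed traffic: (cipher-text, plain-text of receiver i) pairs."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(samples):
        pts = [rng.getrandbits(64) for _ in keys]   # 64-bit blocks, 65-bit keys
        pairs.append((encrypt(keys, pts, xor), pts[i]))
    return pairs


def gcd_of_differences(pairs):
    """Eq. (7): K_i divides gcd(C_1 - P_i1, ..., C_z - P_iz)."""
    g = 0
    for c, p in pairs:
        g = gcd(g, c - p)
    return g


def zero_plaintext_output(keys):
    """All-zero plain-texts with XOR enabled: the output is X itself."""
    return encrypt(keys, [0] * len(keys), xor=True)


if __name__ == "__main__":
    k = KEYS[0]
    for xor in (False, True):
        g = gcd_of_differences(observe(KEYS, 0, 32, xor))
        print("xor" if xor else "plain", "gcd equals K_1:", g == k)
    print("zero plain-texts expose X:", zero_plaintext_output(KEYS) == prod(KEYS))
```

Without the XOR the GCD collapses to the key after a few dozen known pairs; with it the differences are no longer multiples of $K_i$, but the deterministic scheme still hands out X for all-zero input.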
This attack happens when the adversary has access to the decryption oracle.
AMSC is not CCA immune in the current form. We can start with C = 1 (
To mitigate this, we can add the XOR operation $C \oplus X$ at the end of encryption. We then have two cases for X:
1) X is odd: The adversary can find the key by feeding the oracle $C = 1$. The reason is:
$(C \oplus X) = X - 1$. This is due to the addition without carry in the XOR operation. Ex:
if $X = 9 = (1001)_2$ and $C = 1$ then $(C \oplus X) = (1000)_2 = X - 1$.
We also know that:
$(X - 1 \bmod K_i) = K_i - 1$, since $K_i$ is a divisor of X. Therefore:
$P_i = (C \oplus X) \bmod K_i$
$P_i = (X - 1 \bmod K_i) = K_i - 1$
$K_i = P_i + 1$
2) X is even: The previous case will not work. We can choose X to be even by having only one of the keys $K_i$ as even. This will strengthen the security of AMSC against CCA attacks.
AMSC is deterministic. We present two approaches to make AMSC probabilistic [
・ First approach: We construct:
$$C = C_0 + t \ast LCM(K_1, K_2, \cdots, K_n) \qquad (8)$$
where $C_0$ is a base solution using CRT, t is any random integer and LCM is the least common multiple of all keys. Note that $LCM(K_1, K_2, \cdots, K_n) = K_1 \ast K_2 \ast \cdots \ast K_n / GCD(K_1, K_2, \cdots, K_n) = K_1 \ast K_2 \ast \cdots \ast K_n$.
We can use variable t as a random initialization vector (IV) to yield different cipher-texts:
$C_1 = E_{AMSC}([K_1, K_2, \cdots, K_n], [P_1, P_2, \cdots, P_n])$
$C_2 = E_{AMSC}([K_1, K_2, \cdots, K_n], [P_1, P_2, \cdots, P_n])$
$C_i = E_{AMSC}([K_1, K_2, \cdots, K_n], [P_1, P_2, \cdots, P_n])$
where $C_1 \neq C_2 \neq \cdots \neq C_i$, $i = 1, \cdots, n$.
・ Second approach: We define another probabilistic solution. Let $K_r$, $P_r$ be a random key and a random plain-text accordingly. The cipher-text will become:
$$\left( \sum_{i=1}^{n} P_i \ast s_i \ast X / K_i \right) + P_r \ast s_r \ast X / K_r \qquad (9)$$
The random key and plain-text can be re-generated for every encryption. In the encryption phase, we only need to calculate $P_r \ast s_r \ast X / K_r$ once, and then add it to the cipher-text as a final step. This random key will make the cipher-text probabilistic with a small increase in size. Ex: for n = 4, where average block size $P_a = 32$ and average key size $K_a = 33$. For a deterministic cipher-text, the average size is about 129 bits. For a probabilistic cipher-text using approach 2 by adding a random key, the size grows to about 163 bits, a difference of about 34 bits. For a probabilistic cipher-text using approach 1 by setting the random IV $t = 150$, the cipher-text grows to about 139 bits. For $t = 1500$ the cipher-text grows to about 143 bits.
We compare Equations (8) and (9), and examine the cipher-text size. When $n = z$, we calculate $X_z = \sum_{i=1}^{z} K_i$. When we add a random key $K_r$, n becomes $z + 1$. Thus we have: $X_{z+1} / K_r = X_z$. Therefore, Equation (9) will have a smaller cipher-text size than Equation (8) iff $P_r \ast s_r < t$.
We know that multiplication, division and modular operations take $O(d^2)$ [
・ In initialization, the first loop takes $n(\lfloor \log(X) \rfloor + 1)^2$ steps. In the second loop, the GCD takes $(\log(K_i) \ast \log(X / K_i))$ [
・ In encryption, we loop n times and do an addition and a multiplication of numbers close to X. Therefore, the overall time complexity for encryption is $O(n(\lfloor \log(X) \rfloor + 1)^2)$.
・ To decrypt cipher-text C using key $K_i$, we have a time complexity of $O((\lfloor \log(C) \rfloor + 1)^2)$, as the operation is $P_i = C \bmod K_i$.
2z is the number of solutions that has to be intersected using AMSC v1.
In this section, we evaluate the new algorithm AMSC v3 against different symmetric algorithms with different key sizes.
All experiments were done on an Intel Core i7 3610QM CPU with 8 GB memory. The AMSC core library and the symmetric algorithms comparison were implemented in .NET 4.0 using the C# programming language. Each symmetric algorithm is measured in three different phases. The first is initializing n cipher-text classes and creating n random keys that will be used for encryption/decryption. The second is encrypting n different random plain-texts using the previous keys accordingly, and then concatenating the sub cipher-texts. This gives us a fair comparison to AMSC. On the decryption side, we decrypt each sub-cipher-text by its key to get back the original plain-text. We run each operation a total of 100,000 times and take the average. The total time for each operation is measured. For AES and DES, we used the built-in .NET crypto libraries AESCryptoServiceProvider and DESCryptoServiceProvider respectively, which are both FIPS certified [
DES uses 64-bit keys. AES and RC6 use both 128-bit and 256-bit keys. As for AMSC, we pick 129-bit and 257-bit keys. These keys are very close to their counterparts in AES and RC6. Furthermore, they will be used in the encryption and decryption experiments. Recall that every AMSC key has to be greater than its plain-text block. In the case of DES, the plain-text block is 64-bit. AES and RC6 both use a 128-bit plain-text block. Note that AMSC’s initialization time grows linearly as n increases. Nonetheless, it still has a smaller initialization time than DES.
For symmetric algorithms we encrypt n plain-texts using n keys for the n cipher-text objects that were initialized, and then concatenate all the sub cipher-texts into one final cipher-text. This makes it fair to compare against AMSC.
DES using a 64-bit block size with three different size keys for AMSC. Note that AMSC’s encryption time is significantly less than that of DES. Furthermore,
The total AMSC time to decrypt the same cipher-text into n plain-text messages using n keys is measured. For the symmetric algorithms, n sub cipher-texts are decrypted and time is measured.
Deniable encryption offers an additional layer of protection for senders and receivers, who may be forced to give up encryption keys, or who may find it advantageous to have multiple plain-texts in one cipher-text. This paper showed that a novel system, AMSC, conceals multiple plain-texts in one cipher-text and performs competitively with more mainstream encryption techniques.
This paper showed that AMSC is a method for multi-key encoding and deniable encryption that withstands COA and KPA security attacks. AMSC’s performance in initialization is faster than DES 64-bit but a little slower than AES. In encryption, however, AMSC 129-bit is about 42% faster than AES 128-bit. On the decryption side, AMSC 129-bit is about 110% faster than DES 64-bit and 16% faster than AES 128-bit for 5 plain-texts.
Our future work in this area includes applying parallel computing to AMSC. We would also like to explore different applications of AMSC in TV and other broadcasts.
The authors would like to thank Dr. Kruk for giving feedback. This research work is partially supported by the National Science Foundation under Grants CNS-1338105, CNS-1343141, CNS-1460897, DGE-1623713. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Bassous, R., Mansour, A., Bassous, R., Fu, H., Zhu, Y. and Corser, G. (2017) Ambiguous Multi-Symmetric Scheme and Applications. Journal of Information Security, 8, 383-401. https://doi.org/10.4236/jis.2017.84024