I am not a theoretical cryptographer, but I encountered the subject of classical cryptography while working with network security. A while ago, I unintentionally began developing unconditionally secure (i.e., information-theoretically secure) solutions after learning about the problems associated with computationally secure cryptographic methods. After a long period of development, I believe I have generated good results. However, my findings faced strong opposition when they were submitted for review.
The rejection reasons I received frequently cited the well-known results by Maurer, such as the following papers:
U. M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, 39(3):733-742, 1993.
Daniel Jost, Ueli M. Maurer, and João L. Ribeiro. Information-theoretic Secret-key Agreement: The Asymptotically Tight Relation Between The Secret-key Rate And The Channel Quality Ratio. In Proceedings of the Theory of Cryptography Conference (TCC), pages 345-369, 2018.
The results covered in these papers demonstrate the impossibility of information-theoretically secure key agreement in the absence of pre-shared secrecy. In the 2018 paper by Jost et al., it was claimed that the presence of pre-shared secrecy is very rare in practice.
The main idea of my work is to establish correlated randomness through a purely cryptographic approach by constructing an algebraic entanglement structure shared between a pair of legitimate parties. The algebraic entanglement structure is publicly known to all parties because it is an algorithm. Correlated randomness can be established between the legitimate parties when each party runs this algorithm using its private random numbers, which are never disclosed. The random numbers are independently determined by each party and are used only once in each session of key agreement. Several helper values need to be exchanged between the legitimate parties as part of the public discussion over an authenticated, noiseless public channel. In this sense, the setting of my purely cryptographic solution fits into the source model proposed in Maurer’s 1993 paper. However, my result was ruled as impossible based on the impossibility results covered in the aforementioned two papers.
Without getting into too many technical details, I want to ask the following questions:
- Under the assumption that the algebraic entanglement structure has been correctly devised, can the correlated randomness produced by my method be considered a form of "pre-shared secrecy" in the sense of Maurer's 1993 paper?
- What is the precise meaning of "a legitimate party"? Does "Alice" refer to an entity with the claimed identifier "Alice," or does it refer to the true Alice? My solution can only achieve the effect of establishing a common secret key between two entities with the claimed identifiers of "Alice" and "Bob," respectively. It cannot ensure that the two parties are the true entities themselves. I have a feeling that information-theoretically secure solutions tend to interpret "a legitimate party" as referring to a legitimate entity.
I would appreciate any help or clarifications that could assist in eventually getting my results accepted for publication. I have noticed the following earlier posts:
Secret key agreement by public discussion from common information
What is the difference between information-theoretic and perfect types of security?
Below is a high-level description of the system setting and the basic idea of my solution.
Two legitimate parties, Alice and Bob, wish to establish a correlated randomness through interactive discussions over an authenticated and noiseless public channel. We study an algebraic solution for tackling this problem in the framework of the source model [Maurer1992-crypto, Maurer1993-IEEETOIT]. Alice and Bob possess their individual vectors of random values, symbolized as $\vec{X}$ and $\vec{Y}$, respectively. An eavesdropper, Eve, possesses her own vector of random values, denoted as $\vec{Z}$. A correlated randomness shared between Alice and Bob is defined as a functional result of $\vec{X}$ and $\vec{Y}$ and is symbolized by $f(\vec{X}, \vec{Y})$, with $f()$ denoting a function. The value of $f(\vec{X}, \vec{Y})$ remains unknown to every party, since each party can only access its own vector of random values without knowing the random values owned by others; nevertheless, each party knows that the value of $f(\vec{X}, \vec{Y})$ exists once legitimate Alice and Bob have established a correlated randomness using their respective vectors $\vec{X}$ and $\vec{Y}$. This correlated randomness can be used to support covert communications between the two legitimate parties or to let them agree upon a common secret key. The prominent feature of this algebraic solution is that the value of $f(\vec{X}, \vec{Y})$ can only be established with the participation of legitimate Alice and Bob.
The operations of establishing a correlated randomness is introduced in the context of finite fields which have been widely adopted in the definitions of many cryptographic schemes. Without specifying a concrete finite field, a pair of abstract additive and multiplicative operators are symbolized by $\oplus$ and ${\otimes}$, respectively. ${\otimes}$ is only defined on non-zero elements of the finite set. The operators ${\otimes}$ and $\oplus$ are required to be commutative operators in the sense that $v_1 \otimes v_2 = v_2 \otimes v_1$ and $v_1 \oplus v_2 = v_2 \oplus v_1$ for $v_1$ and $v_2$ being two elements of the finite set. The multiplicative operator ${\otimes}$ is also required to be distributive over the additive operator $\oplus$. In a finite field, the multiplicative inverse for each non-zero element is guaranteed to exist. $(v_1)^{-1}$ denotes the modular multiplicative inverse of a non-zero element $v_1$.
The establishment of a correlated randomness requires the two legitimate parties to conduct bi-directional discussions over a public, authenticated, and noiseless channel which is accessible to an eavesdropper who cannot tamper with the discussions between the pair of legitimate parties. Interaction is more powerful than one-way transmission in enabling information-theoretically secure solutions [Maurer1993-IEEETOIT]. Each legitimate party transmits a number of helper values to the other legitimate party, with each helper value being calculated as a function of its own random values and the already publicly disclosed helper values. The values that are publicly disclosed by Alice and Bob are symbolized as vectors $\vec{P}_a$ and $\vec{P}_b$, respectively. The probability that Eve establishes the same correlated randomness as the pair of legitimate parties is negligible when Eve attempts to reversely calculate the undisclosed random values owned by the legitimate parties from the publicly disclosed helper values.
Each legitimate party can derive a disguised version of $f(\vec{X}, \vec{Y})$ through local computations. The disguised versions of $f(\vec{X}, \vec{Y})$ derived by Alice and Bob are symbolized as $g(\vec{X}, \vec{P}_b)$ and $g(\vec{Y}, \vec{P}_a)$, respectively, with $g()$ being the function used by a party to individually derive its disguised version of $f(\vec{X}, \vec{Y})$. Meanwhile, $h(\vec{X})$ and $h(\vec{Y})$ denote the disguises that can be directly calculated by Alice and Bob, respectively, with $h()$ denoting a function. The disguised versions of $f(\vec{X}, \vec{Y})$ satisfy the following relations.
\begin{alignat}{5} \mathrm{Alice}:\quad & g(\vec{X}, \vec{P}_b) \; = \; \left(h(\vec{Y})\right)^{-1}{\otimes}f(\vec{X}, \vec{Y}),\\ \mathrm{Bob}:\quad & g(\vec{Y}, \vec{P}_a) \; = \; \left(h(\vec{X})\right)^{-1}{\otimes}f(\vec{X}, \vec{Y}). \end{alignat}
Neither legitimate party can infer the value of $f(\vec{X}, \vec{Y})$ without knowing the disguise calculated by the other legitimate party. When Eve pretends to be Alice, she is symbolized as $\mathrm{Alice}^{\mathrm{sim}}$ and can derive the vector $\vec{X}^{\mathrm{sim}}$, representing the simulated $\vec{X}$ that is reversely calculated from $\vec{P}_a$. Similarly, when Eve pretends to be Bob, she is symbolized as $\mathrm{Bob}^{\mathrm{sim}}$ and can derive the vector $\vec{Y}^{\mathrm{sim}}$, representing the simulated $\vec{Y}$ that is reversely calculated from $\vec{P}_b$. Eve can derive the following disguised values:
\begin{alignat}{5} \mathrm{Alice}^{\mathrm{sim}} : \quad & g(\vec{X}^{\mathrm{sim}}, \vec{P}_b) \; = \; \left(h(\vec{Y})\right)^{-1}{\otimes}f(\vec{X}^{\mathrm{sim}}, \vec{Y}),\\ \mathrm{Bob}^{\mathrm{sim}} : \quad & g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a) \; = \; \left(h(\vec{X})\right)^{-1}{\otimes}f(\vec{X}, \vec{Y}^{\mathrm{sim}}). \end{alignat}
If the probability of the event $f(\vec{X}^{\mathrm{sim}}, \vec{Y}) = f(\vec{X}, \vec{Y})$ is very small, legitimate Bob can detect the participation of a fake Alice impersonated by Eve when Eve uses $g(\vec{X}^{\mathrm{sim}}, \vec{P}_b)$ in the subsequent operations with legitimate Bob for conducting covert communications or agreeing upon a common secret key. If the probability of the event $f(\vec{X}, \vec{Y}^{\mathrm{sim}}) = f(\vec{X}, \vec{Y})$ is very small, legitimate Alice can detect the participation of a fake Bob impersonated by Eve when Eve uses $g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a)$ in the subsequent operations with legitimate Alice.
The reason that the probability of $\vec{X} = \vec{X}^{\mathrm{sim}}$ (alternatively, $\vec{Y} = \vec{Y}^{\mathrm{sim}}$) is small is that $\vec{P}_a$ forms an under-determined system of equations with more free variables than equations. When the unknown values of the private random numbers are modeled as random variables, each value included in $\vec{P}_a$ can be viewed as a function of those random variables. An under-determined system of equations has many possible solutions, and $\vec{X}$ (alternatively, $\vec{Y}$) is only one of them.
The key distinction between my approach and RSA or DH is the absence of a criterion for distinguishing $\vec{X}$ from all other possible solutions. There is no criterion for singling out $\vec{X}$ from all other possible solutions when Eve is only presented with $\vec{P}_a$. In comparison, there are criteria for distinguishing a private secrecy from all other possible values in RSA and in DH. Using RSA as an example, $n=p{\times}q$. The attempted values of $p$ and $q$ are denoted by $p'$ and $q'$, respectively. We know that $n=p'{\times}q'$ if and only if $p'=p$ and $q'=q$. This criterion can be utilized to speed up finding the values of $p$ and $q$ when Eve is given $n$ and has unbounded computing capabilities to use in factorizing $n$.
Applying The Disguised Correlated Randomness To Facilitate Bipartite Key Agreement Between A Pair of Legitimate Parties
When the disguised correlated randomness is used to facilitate the agreement upon a common secret key between the pair of legitimate parties, the schematic specification of the establishment of a common key is as follows. Keying materials in addition to $\vec{P}_a$ and $\vec{P}_b$ must be exchanged between the pair of legitimate parties over an authenticated, noiseless, and public channel so that each legitimate party can individually calculate the common key. Each legitimate party needs to use an additional random value for calculating the keying material that it discloses to the other legitimate party. $w_a$ and $w_b$ denote the additional random values used by legitimate Alice and legitimate Bob, respectively. The keying materials disclosed by legitimate Alice and legitimate Bob are symbolized as $r_1(w_a, h(\vec{X}), g(\vec{X}, \vec{P}_b))$ and $r_1(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a))$, respectively, with $r_1()$ denoting the function used for calculating the keying materials. The calculations of the keying materials at Alice and Bob are symbolized as follows.
\begin{alignat}{5} \mathrm{Alice}\;\; :\quad & r_1(w_a, h(\vec{X}), g(\vec{X}, \vec{P}_b)) \; = \; w_a{\otimes}\left(g(\vec{X}, \vec{P}_b) \oplus h(\vec{X})\right),\\ \mathrm{Bob}\;\; :\quad & r_1(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)) \; = \; w_b{\otimes}\left(g(\vec{Y}, \vec{P}_a) \oplus h(\vec{Y})\right). \end{alignat}
By denoting $r_2()$ as the key calculation function, the individual calculations by legitimate Alice and legitimate Bob are symbolized as follows.
\begin{alignat}{5} \mathrm{Alice}\;\; :\; K_a & = r_2\left(w_a, h(\vec{X}), r_1\left(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)\right)\right)\\ & = w_a{\otimes}h(\vec{X}){\otimes}r_1\left(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)\right),\\ \mathrm{Bob}\;\; :\; K_b & = r_2\left(w_b, h(\vec{Y}), r_1\left(w_a, h(\vec{X}), g(\vec{X}, \vec{P}_b)\right)\right)\\ & = w_b{\otimes}h(\vec{Y}){\otimes}r_1\left(w_a, h(\vec{X}), g(\vec{X}, \vec{P}_b)\right). \end{alignat} $K_a$ and $K_b$ can be developed into a common expression as specified as follows. \begin{alignat}{5} K_a & = && K_b = w_a{\otimes}\left\{f(\vec{X}, \vec{Y}) \oplus \left(h(\vec{X}){\otimes}h(\vec{Y})\right)\right\}{\otimes}w_b. \end{alignat}
The rest of my work is to describe the concrete construction of the key agreement protocol and the demonstration of satisfying the requirements of information-theoretically secure solutions.
I tend to believe that $f(\vec{X}, \vec{Y})$ can be treated as the "pre-shared secrecy" in the sense of [Maurer1992-crypto, Maurer1993-IEEETOIT]. The value of $f(\vec{X}, \vec{Y})$ can be established (while its value remains unknown to any party) when the pair of legitimate Alice and Bob have participated in the operations. When both the legitimate Bob and the bogus Bob (simulated by Eve) try to agree upon a common secret key with legitimate Alice, Alice will derive two different keys with the two other parties (true Bob and bogus Bob) with very high probability. The reason lies in the different values of the keying materials calculated by true Bob and bogus Bob, respectively. $\vec{Y}^{\mathrm{sim}}$ is simulated from $\vec{P}_b$.
\begin{alignat}{5} \mathrm{Bob}\;\; :\quad & r_1(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)) \; = \; w_b{\otimes}\left(g(\vec{Y}, \vec{P}_a) \oplus h(\vec{Y})\right),\\ \mathrm{Bob}^{\mathrm{sim}}\;\; :\quad & r_1(w_b^{\mathrm{sim}}, h(\vec{Y}^{\mathrm{sim}}), g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a)) \; = \; w_b^{\mathrm{sim}}{\otimes}\left(g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a) \oplus h(\vec{Y}^{\mathrm{sim}})\right). \end{alignat}
As a result, Alice agrees upon two keys, one with true Bob and one with bogus Bob, which are symbolized as follows.
\begin{alignat}{5} \mathrm{with\; Bob}\;\; :\; K_{a,b} & = r_2\left(w_a, h(\vec{X}), r_1\left(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)\right)\right)\\ & = w_a{\otimes}h(\vec{X}){\otimes}r_1\left(w_b, h(\vec{Y}), g(\vec{Y}, \vec{P}_a)\right)\\ & = w_a{\otimes}\left\{f(\vec{X}, \vec{Y}) \oplus \left(h(\vec{X}){\otimes}h(\vec{Y})\right)\right\}{\otimes}w_b,\\ \mathrm{with\; Bob}^{\mathrm{sim}}\;\; :\; K_{a,b^{\mathrm{sim}}} & = r_2\left(w_a, h(\vec{X}), r_1\left(w_b^{\mathrm{sim}}, h(\vec{Y}^{\mathrm{sim}}), g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a)\right)\right)\\ & = w_a{\otimes}h(\vec{X}){\otimes}r_1\left(w_b^{\mathrm{sim}}, h(\vec{Y}^{\mathrm{sim}}), g(\vec{Y}^{\mathrm{sim}}, \vec{P}_a)\right)\\ & = w_a{\otimes}\left\{f(\vec{X}, \vec{Y}^{\mathrm{sim}}) \oplus \left(h(\vec{X}){\otimes}h(\vec{Y}^{\mathrm{sim}})\right)\right\}{\otimes}w_b^{\mathrm{sim}}. \end{alignat}
The probability of $K_{a,b} = K_{a,b^{\mathrm{sim}}}$ is very small. Hence, legitimate Alice can differentiate true Bob from bogus Bob. While Alice may not know which one is true Bob, she can label them as Bob #1 and Bob #2, because both true Bob and bogus Bob interact with legitimate Alice using the same identifier "Bob". In this sense, has my method violated the definition of being information-theoretically secure?
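The key-agreement algebra above (the $r_1$/$r_2$ calculations and the closed form $K_a = K_b$, together with the $\mathrm{Bob}^{\mathrm{sim}}$ case) carried through in a concrete prime field, as an added example that is not part of the original post. The post leaves $f()$, $g()$ and $h()$ abstract, so $f(\vec{X},\vec{Y})$, $h(\vec{X})$ and $h(\vec{Y})$ are treated here as opaque field elements with constructed sample values, and $g()$ is defined from the stated disguise relation; the field $\mathrm{GF}(p)$ is an assumption.

```python
# Added example (not the poster's code): the post's key-agreement algebra over GF(P).
# f, hX, hY stand for f(X,Y), h(X), h(Y); the post never defines them concretely, so
# they are opaque field elements here, and g() follows the relation g = h(other)^{-1} (x) f.

P = 2**61 - 1  # Mersenne prime; the concrete field is an assumption, the post keeps it abstract

def inv(v):
    """Multiplicative inverse in GF(P); as in the post, only defined for non-zero elements."""
    if v % P == 0:
        raise ValueError("multiplicative inverse of zero is undefined")
    return pow(v, P - 2, P)

def g_disguised(h_other, f):
    """Disguised view of f held by one party: (h(other))^{-1} (x) f."""
    return inv(h_other) * f % P

def r1(w, h_own, g_own):
    """Keying material a party discloses on the public channel: w (x) (g (+) h)."""
    return w * ((g_own + h_own) % P) % P

def r2(w, h_own, r1_other):
    """Key calculation from the counterpart's keying material: w (x) h (x) r1_other."""
    return w * h_own % P * r1_other % P

def agree(f, hX, hY, wa, wb):
    """Both legitimate parties' local computations; returns (K_a, K_b)."""
    gA = g_disguised(hY, f)   # Alice: g(X, P_b) = h(Y)^{-1} (x) f(X, Y)
    gB = g_disguised(hX, f)   # Bob:   g(Y, P_a) = h(X)^{-1} (x) f(X, Y)
    ra = r1(wa, hX, gA)       # disclosed by Alice
    rb = r1(wb, hY, gB)       # disclosed by Bob
    return r2(wa, hX, rb), r2(wb, hY, ra)

def common_expression(f, hX, hY, wa, wb):
    """The post's closed form: w_a (x) {f (+) (h(X) (x) h(Y))} (x) w_b."""
    return wa * ((f + hX * hY) % P) % P * wb % P

def alice_key_with(f_seen, hX, h_other, wa, w_other):
    """Key Alice derives against a counterpart whose f-value and disguise are f_seen, h_other.
    With (f(X,Y), h(Y), w_b) this is K_{a,b}; with (f(X,Y^sim), h(Y^sim), w_b^sim) it is K_{a,b^sim}."""
    g_other = g_disguised(hX, f_seen)        # counterpart's g(., P_a) = h(X)^{-1} (x) f_seen
    return r2(wa, hX, r1(w_other, h_other, g_other))

if __name__ == "__main__":
    # constructed sample values: f(X,Y)=7, h(X)=11, h(Y)=13, w_a=17, w_b=19
    Ka, Kb = agree(7, 11, 13, 17, 19)
    print(Ka == Kb == common_expression(7, 11, 13, 17, 19))           # True
    # bogus Bob: f(X,Y^sim)=8 differs from f(X,Y), same disguise and w for contrast
    print(alice_key_with(7, 11, 13, 17, 19) != alice_key_with(8, 11, 13, 17, 19))  # True
```

The mismatch in the last line is exactly the event $K_{a,b} \neq K_{a,b^{\mathrm{sim}}}$ the post relies on; it holds whenever $f(\vec{X},\vec{Y}^{\mathrm{sim}}) \oplus h(\vec{X}){\otimes}h(\vec{Y}^{\mathrm{sim}})$ differs from $f(\vec{X},\vec{Y}) \oplus h(\vec{X}){\otimes}h(\vec{Y})$ (for non-zero $w$ values).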
I want to receive constructive comments about the validity of my solution. Thank you very much.