Cryptography Reference
In-Depth Information
Note that the key
K
is only reconstructed within the secure combiner and not
output to the entities involved in the key derivation process. XOR is the 'best'
type of key derivation function since knowledge of even two of the components
does not leak any information about the derived key
K
. To see this, consider
the case where Alice and Bob are conspiring to try to learn something about
key
K
. Suppose that Alice and Bob XOR their components together to compute
R
K
C
. Thus
R
can be considered as the 'encryption' of
K
using a one-time pad with key
K
C
. We know from Section 3.1.3 that the one-time pad offers perfect secrecy,
which means that knowing
R
(the 'ciphertext') does not leak any information
about
K
(the 'plaintext').
=
K
A
⊕
K
B
. Observe that
K
=
R
⊕
K
C
, which means that
R
=
K
⊕
Thus Alice, Bob and Charlie are able to jointly generate a key in such a way
that all three of their components are necessary for the process to complete.
If only two of the components are present then no information about the
key can be derived, even if the components are combined. This process
easily generalises to any number of entities, all of whom must present their
components in order to derive the key. Even more ingenious techniques can
be used to implement more complex key generation policies. For example,
the
Shamir secret-sharing protocol
allows a key to be generated in component
form in such a way that the key can be derived from any
k
of
n
compo-
nents, where
k
can be any number less than
n
(in our previous example
k
3).
Component form can also be used in other phases of the key lifecycle, as we
will see in Section 10.4 and Section 10.5.
=
n
=
10.3.4
Public-key pair generation
Since key generation for public-key cryptography is algorithm-specific, we will
not treat it in detail here. As for symmetric key generation:
• Public-key pair generation often requires the random generation of numbers.
• Relevant standards should be consulted before generating public-key pairs.
However, in contrast to symmetric key generation:
• Not every number in the 'range' of the keyspace of a public-key cryptosystem is
a valid key. For example, for RSA the keys
d
and
e
are required to have specific
mathematical properties (see Section 5.2.1). If we choose an RSA modulus of
1024 bits then there are, in theory, 2
1024
candidates for
e
or
d
. However, only
some of these 2
1024
numbers
can
be an
e
or a
d
, the other choices are ruled out.
• Some keys in public-key cryptosystems are chosen to have a specific format.
For example, RSA public keys are sometimes chosen to have a specific format
that results in them being 'faster than the average case' when they are used to
compute exponentiations, thus speeding up RSA encryptions (or RSA signature
