
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 36, NO. 1, JANUARY 1990, p. 31

Cryptographic Systems Using Redundancy

Abstract - The problem of ensuring recoverability of encrypted data in a file storage system is examined. In this situation, the original data (plaintext) will be removed from the system after encryption. In the event of errors either in the initial processing or in the storage of the data, the file may be rendered unrecoverable. A model of a file storage system is developed that incorporates errors in these areas. A two-stage coding system involving error-correcting codes and interleaving is then introduced. The performance of this system is then analyzed for various sizes of encryption blocks and error-correcting codes.

I. INTRODUCTION

THE APPLICATION of encryption techniques to provide communications system security has been practiced for many years. More recently, these techniques have been applied to secure data storage systems. The purpose of a secure data storage system is to allow the user to encrypt a file, store the enciphered image, destroy the original, and reliably recover the file at a later date.

Typically, the same encryption methods are applied to both situations. This leads to some problems if the data are damaged during storage or the encryption process. In current systems these two problems are handled separately. To prevent encryption errors, the data generally are enciphered twice, by two separate devices, and the outputs compared. This prevents any spurious errors in the encrypted data, but increases the complexity of the system.

Reliable storage of the data is provided by using the same error-recovery techniques applied to any other form of stored data (e.g., multiple copies, error-correction techniques, etc.). The objective of this paper is to study ways of applying coding to provide both secure and reliable storage.

Cryptosystem Models

Cryptosystems usually are modeled as shown in Fig. 1 [1] with the transmission path (insecure communication channel) assumed error-free. A more accurate model of the cryptosystem incorporates a channel that is not error-free. The usual model assumes an additive white Gaussian noise (AWGN) channel which, in turn, is assumed to be modeled accurately as a memoryless binary symmetric channel with crossover probability $P_c$. In such systems mechanisms (protocols) must be present to detect and recover from such errors [2]. As shown in Fig. 2, some form of redundancy is added to the ciphertext (such as cyclic redundancy checks (CRC), error-correcting codes, etc.) by the channel coding process before transmission. The model may be further refined by including a step to remove plaintext redundancy before secrecy coding is performed (source coding).

Manuscript received February 18, 1987; revised June 8, 1989. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada under Grant A-4708. The material in this paper was partially presented at EUROCRYPT'86, Linköping, Sweden, May 1986.

The author is with the Department of Electrical Engineering, University of Waterloo, Waterloo, ON, Canada N2L 3G1.

IEEE Log Number X933052.

Fig. 1. Basic model of cryptosystem. M is plaintext message, C is ciphertext message. ~ is nonsecure channel, - is secure key passing channel.

Fig. 2. Model of cryptosystem with communication channel. (Block labels: CODING, DECODE; channel noise: AWGN.)

Two underlying assumptions are made in connection with this type of model. First, we assume that the error-correcting power of any channel-coding process (if present) is limited and that a feedback path exists for requesting that blocks with errors exceeding the correction power of the code be retransmitted. This usually is incorporated into the channel transmission protocol [3]. (Some channels may not have such protocols, in which case the source information must be sufficiently redundant to allow errors to occur [4].) This assumption requires that the time between encoding and decoding be relatively short and that a copy of the original message be available for retransmission. The second underlying assumption is that the only source of errors is the channel and that all coding devices (in their physical realization) are perfect, i.e., the probability of coding errors is zero. In light of the increases in device density, complexity and speed for VLSI implementations, this may be an unrealistic constraint [5]-[7]. While there are no absolute figures available on error rates within VLSI architectures, various systems such as very dense memories incorporate redundancy or error-correcting techniques to reduce the impact of errors. As a general rule, the more complex the device, the more likely an error is to occur (this is especially true for asymmetric-key cryptosystems such as RSA which require large modular calculations).

0018-9448/90/0100-0031$01.00 © 1990 IEEE

Fig. 3. Cryptosystem model including channel and processing errors. SC is source coder, ENC is encryption device, CC is channel coder, CD is channel decoder, DEC is decryption device, SD is source decoder.

The storage of messages may require that the plaintext be enciphered and only the ciphertext image be stored. This removes the possibility of retransmitting a message block with errors created by either the channel or the encrypting process. This motivates us to develop a model applicable to communication channels and storage systems where errors may occur in the enciphering process or the transmission (storage) channel and no feedback path exists between the transmitter and receiver. We will tactfully ignore the possibility of pre-encryption coding errors for now; we will rationalize this by assuming that, since the pre-encryption coding step is relatively simple, the probability of an error occurring at this point will be many times smaller than in the more complex processes such as encryption. In addition, we only consider errors in the encoding portion of the system. This is justified since, if an error occurs during the decoding operations, that portion of the file can simply be put back into the decoding section. This leads us to the channel model of Fig. 3 where we associate a nonzero probability of error $P_p$ with the encryption process.

II. THE PRE-ENCRYPTION CODING PROCESS

We shall only consider block encryption methods. Errors introduced either in the encryption process or by the channel will be considered independent and nonpropagating. This is the case if the electronic code book (ECB) mode of the data encryption standard (DES) algorithm is used for block encryption of a file [8]. By nature, single-bit errors in an enciphered block will render that block unrecoverable but will not affect other blocks. This is analogous to burst errors in nonsecure links [2] and, as we have indicated, our method of dealing with these errors is also analogous. In what follows we look only at the ECB mode for block encryption. A common practice in the encryption of multiple block files is to use either cipher feedback (CFB) or cipher block chaining (CBC) (see [1] or [8] for details of these modes). This is done to prevent the addition, deletion, or reordering of the enciphered blocks as well as to prevent an attacker from detecting the presence of identical plaintext blocks. Unfortunately, both of these techniques lead to error propagation which may render more than the original block unrecoverable. In the summary we discuss how these results can be extended to consider the other modes.

The procedure involves expanding an M-bit block of plaintext to a J-bit intermediate block using an error-correcting code that allows us to correct up to $\alpha$ errors ($\alpha < (J - M)/2$). If we were now to encrypt the resultant J-bit blocks directly, there would be no gain; in fact, our only accomplishment would be to weaken the security of the system. Instead, we select $i$ among $\{1, 2, \ldots, \alpha\}$, so that the system can tolerate errors in up to $i$ blocks; we take a group of $I$ intermediate blocks and interleave the bits in such a way that no more than $\lfloor \alpha / i \rfloor$ bits of any block are encrypted together (see Fig. 4) ($\lfloor \cdot \rfloor$ denotes the floor function). As a simple example, if J = 64 (as in DES), and $\alpha = 2$, then I = 32 blocks would be interleaved in such a way that no more than 2 bits of each of the intermediate blocks appeared in the interleaved output blocks. Once the blocks have been interleaved, they are then enciphered in the usual fashion. Now errors in up to $i$ blocks will be within the error-correcting capabilities of the system. In the example given, only one block could contain errors and still produce a recoverable file. If I = 64 were used and only one bit from each intermediate block were used in the interleave process, then two blocks could contain errors and still produce a recoverable file. Normally, interleaving is done in a deterministic fashion; in our application, though, this may allow the cryptanalyst to take advantage of the redundancy added to the plaintext. Instead, we assume that the interleave will be performed in a key-dependent fashion, thus compensating for the added redundancy (this could be considered as extending the key size and thus "cheating" a little). The number of interleave patterns possible for J-bit blocks with at most b bits selected from an individual block of the I input J-bit blocks is at least

e

for

I = [;I (where $\lceil \cdot \rceil$ denotes the ceiling function).

Fig. 4. Interlace process for pre-encryption coding. (Diagram labels: I blocks; J bits.)
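The following is an added example, not code from the paper: a round trip through the pre-encryption coding procedure described above, using Hamming(7,4) so that M = 4, J = 7, $\alpha$ = 1, i = 1 and I = 7. The keyed-permutation cipher standing in for ECB-mode DES, the key strings and the sample data are constructed assumptions.

```python
import random

J, M = 7, 4   # Hamming(7,4): M data bits -> J coded bits, corrects alpha = 1 error
I = J         # alpha = 1, i = 1: one bit of each intermediate block per output block

def hamming_encode(d):
    """4 data bits -> 7-bit codeword laid out as p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]

def hamming_decode(w):
    """Correct at most one flipped bit, then return the 4 data bits."""
    w = list(w)
    syndrome = 0
    for pos in range(1, J + 1):      # XOR of the 1-based positions of set bits
        if w[pos - 1]:
            syndrome ^= pos
    if syndrome:                     # a non-zero syndrome names the bad position
        w[syndrome - 1] ^= 1
    return [w[2], w[4], w[5], w[6]]

class ToyBlockCipher:
    """Keyed random permutation of all J-bit blocks, used in ECB mode.
    Assumed stand-in for DES: a wrong ciphertext bit gives an unrelated block."""
    def __init__(self, key):
        self.enc = list(range(1 << J))
        random.Random(key).shuffle(self.enc)
        self.dec = [0] * len(self.enc)
        for p, c in enumerate(self.enc):
            self.dec[c] = p

    def encrypt(self, bits):
        return self.enc[int("".join(map(str, bits)), 2)]

    def decrypt(self, c):
        return [int(b) for b in format(self.dec[c], "0%db" % J)]

def make_plan(key):
    """Key-dependent interleave: plan[k][j] is the bit of intermediate block k
    placed in output block j, so every output block holds one bit per input."""
    rng = random.Random(key)
    return [rng.sample(range(J), J) for _ in range(I)]

def interleave(blocks, plan):
    return [[blocks[k][plan[k][j]] for k in range(I)] for j in range(J)]

def deinterleave(blocks, plan):
    out = [[0] * J for _ in range(I)]
    for j in range(J):
        for k in range(I):
            out[k][plan[k][j]] = blocks[j][k]
    return out

def store(data, cipher, plan=None):
    """Encode, optionally interleave, then encipher. plan=None encrypts codewords directly."""
    coded = [hamming_encode(d) for d in data]
    if plan is not None:
        coded = interleave(coded, plan)
    return [cipher.encrypt(b) for b in coded]

def recover(stored, cipher, plan=None):
    blocks = [cipher.decrypt(c) for c in stored]
    if plan is not None:
        blocks = deinterleave(blocks, plan)
    return [hamming_decode(b) for b in blocks]

def count_losses(data, cipher, plan=None):
    """Flip each single ciphertext bit in turn; count trials where the file is lost."""
    stored = store(data, cipher, plan)
    losses = 0
    for blk in range(len(stored)):
        for bit in range(J):
            damaged = list(stored)
            damaged[blk] ^= 1 << bit
            losses += recover(damaged, cipher, plan) != data
    return losses

# Constructed sample file: I = 7 plaintext blocks of M = 4 bits each.
DATA = [[int(b) for b in format(n, "04b")] for n in (0x3, 0xA, 0x5, 0xF, 0x0, 0xC, 0x9)]
CIPHER = ToyBlockCipher("constructed-cipher-key")
PLAN = make_plan("constructed-interleave-key")

if __name__ == "__main__":
    print("files lost, codewords encrypted directly:", count_losses(DATA, CIPHER))
    print("files lost, key-dependent interleave:    ", count_losses(DATA, CIPHER, PLAN))
```

With the interleave, a destroyed ciphertext block costs each intermediate block at most one bit, which the code corrects; encrypting the codewords directly concentrates the damage in one codeword and the redundancy is wasted.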

III. ANALYSIS

We now compare aspects of recoverability, throughput, and security for the three schemes to be described.

1) Post-Encryption (Channel) Coding Only: In this case the plaintext is enciphered into J-bit blocks, then expanded to an L-bit code.

2) Pre-Encryption Coding (with Interleave): This scheme expands M-bit plaintext blocks into J-bit ciphertext blocks for encryption. (Note: The difference in encryption block size will provide equal throughput on the transmission channel.)

3) Pre-Encryption and Post-Encryption Coding: This scheme will use one code to combat encryption errors and a second coding process to deal with channel errors.

A. Performance Calculation

In our performance calculations we shall use the following notation:

$P_c$      probability of a channel error (per bit),
$P_p$      probability of a processing error (per bit),
$L$        length of message after channel coding process (bits),
$M$        size of message before the coding/interleave process (bits),
$J$        size of message after the coding/interleave process and before channel coding (plaintext/ciphertext size) $M \le J \le L$,
$I$        number of blocks over which interleave is performed (note that $I \ge \lceil J/\alpha \rceil$),
$S$        total size of message in blocks (we will assume $S \ge I$),
$\alpha$   error-correcting power of the code used before encryption,
$\beta$    error-correcting power of channel code,
$i$        number of blocks over which error correcting is spread ($1 \le i \le \alpha$).

Also, we shall assume that channel errors and processing errors are independent. To compare the various schemes, we introduce the notion of a message being unrecoverable. A ciphertext message is recoverable if all of its blocks can be reconstructed to form the original plaintext; otherwise, it is unrecoverable.

1) Case I - Post-Encryption Coding: In this case we are applying error-correcting codes after encryption. The input messages are of size M bits and M = J. The output blocks are of size L bits, and we assume that up to $\beta$ errors can be corrected using the coding scheme. Thus a message will be unrecoverable if there are more than $\beta$ bits in error in a single block or if there is a single processing error in the S blocks of the message. Thus

$$U_{post} = \Pr(\{\text{at least one block has more than } \beta \text{ bits in error}\} \ \text{OR} \ \{\text{at least one processing error has occurred in } (S * J) \text{ bits}\}).$$

This can be calculated as

$$U_{post} = P_1 + P_2 - (P_1 * P_2)$$

where

P, = 1 - ( P3)

and $\binom{x}{y}$ is the binomial coefficient and is defined as 0 for $x < y$.

2) Case II - Pre-Encryption Coding: In this case we calculate the probability of unrecoverability $U_{pre}$ using the pre-encryption coding scheme. Message blocks of M bits are encoded using a code that will correct up to $\alpha$ bits, then interleaved in such a way that at most $\alpha / i$ bits of each input block are in the output blocks (see Fig. 4). In this case, J = L. This process allows us to recover from up to $i$ blocks in error as mentioned previously. For pre-encryption coding, a message is unrecoverable if more than $i$ blocks of $I$ are in error (either by processing errors or channel errors). Thus

$$U_{pre} = \Pr(\text{more than } i \text{ blocks of } I \text{ contain errors}) = 1 - (P_4 + P_5)$$

where

$$P_4 = (1 - P_s)^{(J * I)}$$

$$P_s = P_c + P_p - (P_c * P_p)$$

$$P_5 = \sum_{j=1}^{i} \binom{I}{j} * (1 - P_s)^{J * (I - j)} * \left(1 - (1 - P_s)^{J}\right)^{j}.$$

In pre-encryption coding, $S = nI$, that is, only messages in multiples of $I$ blocks can be coded. This may require padding of the input blocks in an actual implementation. The probability of success for an S-block message then becomes the joint probability of all subsets of $I$ blocks being correct:

$$U'_{pre} = 1 - (1 - U_{pre})^{\lceil S/I \rceil}.$$

3) Case III - Combined Pre- and Post-Encryption Coding: In the final case we consider, post-encryption coding is performed to combat channel errors and pre-encryption coding is applied to combat processing errors. In this scheme a message is unrecoverable if more than $i$ blocks have more than $\beta$ bits corrupted by transmission errors or more than $i$ blocks of $I$ have a processing error:

$$U_{comb} = P_6 + P_7 - (P_6 * P_7)$$

where

$$P_6 = 1 - \sum_{j=0}^{i} \binom{I}{j} * P_8^{\,I-j} * (1 - P_8)^{j}$$

$$P_7 = 1 - \sum_{j=0}^{i} \binom{I}{j} * P_9^{\,I-j} * (1 - P_9)^{j}$$

$$P_8 = (1 - P_p)^{J}$$

$$P_9 = \sum_{j=0}^{\beta} \binom{L}{j} (1 - P_c)^{L-j} * P_c^{\,j}.$$

Again, messages must be encrypted in groups of $I$ blocks; thus

$$U'_{comb} = 1 - (1 - U_{comb})^{\lceil S/I \rceil}.$$

TABLE I
CONSTANT ENCRYPTION BLOCK SIZE (a)

Input   Encrypt   Channel   Source     Channel    Interlace   Maximum
Size    Size      Size      Error      Error      Blocks      Efficiency
M       J         L         $\alpha$   $\beta$    I
13      16        19        1          1          16          0.68
13      16        21        1          2          16          0.62
11      16        19        2          1          8           0.58
11      16        21        2          2          8           0.52

(a) Message size S = 8/16 blocks.

Since we are dealing with extremely small error probabilities, results for usable block encryption sizes were not possible. For illustrative purposes, we compared the three schemes for a number of relatively small block sizes and error-correcting rates. These values demonstrate the principles involved and allow us to draw conclusions based on these results. Table I presents a list of the parameters used in the initial comparison. In these tests the encryption block size J was held constant and input and channel block sizes adjusted accordingly. The size of the codes was selected such that the distance was $2\alpha + 1$ or $2\beta + 1$ for coding/interleave or channel coding respectively. The channel error probability $P_c$ ranged from $10^{-4}$ to while the processing error probability $P_p$ ranged from to $10^{-10}$. In Figs. 5-7, we compare the systems by holding $P_p$ constant and varying $P_c$ for $\alpha = \beta = 1$. In Figs. 8-10, we increase the error-correcting power of the codes to two. Note that in cases where channel errors predominate, the post-coding scheme performs better than the pre-coding scheme. If processing errors predominate though, the pre-coding scheme is superior. Also note that the crossover point (i.e., the point where the pre-encryption scheme shows equivalent performance to the post-encryption scheme) occurs for channel error probabilities at least an order of magnitude higher than the processing error rate. This is due to the inability of the post-encryption scheme to recover from any processing errors. In an actual file storage system the error rate of the files stored in the system (channel) will increase with time. Thus we might expect the channel error rate to exceed the processing error rate. In all cases, the combined scheme gives better results, as one would expect. This is the case where the size of the encryption block determines the message and channel code sizes.

In some systems the size of the input block is fixed, and the code is expanded to compensate. In Table II, a second set of input values is presented. Here, the input message block size M is fixed at 16 bits and the corresponding sizes of J and L are given for $\alpha, \beta = 1, 2$. In Figs. 11-14, we see that similar improvements to those observed in the first case are available in the combined system if message length and efficiency of the throughput are not considered. In Fig. 15 we compare the various combinations of $\alpha$ and $\beta$. It appears that, in the combined case, more error-correcting power should be placed before encryption than after encryption. This is not surprising since the pre-encryption coding is capable of correcting some of the errors not corrected by the post-encryption coding process.
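The comparison discussed above can be reproduced numerically. The following is an added example, not code from the paper: the three unrecoverability probabilities are computed from the recoverability conditions stated in Cases I to III (the Case I closed forms are only partly legible on this page), with binomial tails summed directly instead of as one minus a sum so that values near $10^{-20}$ survive floating point. It assumes the first row of Table I with i = 1 and S = 16.

```python
from math import ceil, comb, expm1, log1p

def any_of(n, p):
    """P(at least one of n independent events of probability p) = 1 - (1 - p)^n."""
    return 1.0 if p >= 1 else -expm1(n * log1p(-p))

def more_than(k, n, p):
    """P(more than k of n independent events of probability p occur)."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(k + 1, n + 1))

def union(a, b):
    """P(A or B) for independent events."""
    return a + b - a * b

def u_post(Pc, Pp, J, L, beta, S):
    # Lost if any of S blocks has more than beta channel errors,
    # or any of the S*J enciphered bits suffered a processing error.
    return union(any_of(S, more_than(beta, L, Pc)), any_of(S * J, Pp))

def u_pre(Pc, Pp, J, I, i, S):
    # A bit is bad if either error source hit it (P_s); a J-bit block is bad if
    # any bit is; a group of I blocks is lost if more than i blocks are bad.
    Ps = union(Pc, Pp)
    return any_of(ceil(S / I), more_than(i, I, any_of(J, Ps)))

def u_comb(Pc, Pp, J, L, beta, I, i, S):
    # The channel code absorbs up to beta bit errors per L-bit block; the
    # pre-encryption code absorbs up to i bad blocks per group of I.
    chan = more_than(i, I, more_than(beta, L, Pc))
    proc = more_than(i, I, any_of(J, Pp))
    return any_of(ceil(S / I), union(chan, proc))

def compare(Pc, Pp, J=16, L=19, beta=1, I=16, i=1, S=16):
    """(U_post, U_pre, U_comb) for Table I, first row (assumed i = 1, S = 16)."""
    return (u_post(Pc, Pp, J, L, beta, S),
            u_pre(Pc, Pp, J, I, i, S),
            u_comb(Pc, Pp, J, L, beta, I, i, S))

def crossover_exponent(Pp, exponents=range(-4, -11, -1)):
    """Largest P_c = 10^e on the grid at which pre-coding beats post-coding."""
    for e in exponents:
        post, pre, _ = compare(10.0 ** e, Pp)
        if pre < post:
            return e
    return None

if __name__ == "__main__":
    for Pp in (1e-8, 1e-10):
        print("Pp = %g" % Pp)
        for e in range(-4, -11, -1):
            post, pre, both = compare(10.0 ** e, Pp)
            print("  log Pc = %3d  U_post = %.2e  U_pre = %.2e  U_comb = %.2e"
                  % (e, post, pre, both))
        print("  pre-coding wins from log Pc =", crossover_exponent(Pp))
```

Under these assumptions the crossover sits two to three orders of magnitude above $P_p$, and the combined scheme is lowest at every grid point.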

Fig. 5. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 1$, M = 13, J = 16, L = 19. (Horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

AGNEW: CRYPTOGRAPHIC SYSTEMS USING REDUNDANCY

Fig. 6. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 1$, M = 13, J = 16, L = 19. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{comb}$, $U_{post}$, $U_{pre}$.)

Fig. 7. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 1$, M = 13, J = 16, L = 19. (Plot title: $P_p$ = 1e-10; horizontal axis: log $P_c$; curves: $U_{comb}$, $U_{post}$, $U_{pre}$.)

Fig. 8. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 2$, M = 11, J = 16, L = 21. (Horizontal axis: log $P_c$; curves: $U_{comb}$, $U_{post}$, $U_{pre}$.)

Fig. 9. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 2$, M = 11, J = 16, L = 21. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

Fig. 10. Probability of unrecoverable message for fixed encryption block size. $\alpha = \beta = 2$, M = 11, J = 16, L = 21. (Plot title: $P_p$ = 1e-10; horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

TABLE II
CONSTANT INPUT BLOCK SIZE (a)

Source     Channel    Pre-Encoding   Post Channel   Comb Channel   Interlace   Message
Error      Error      Block Size     Block Size     Block Size     Blocks      Blocks
$\alpha$   $\beta$    J              L              L              I           S
1          1          19             19             22             19          19
1          2          19             21             24             19          19
2          1          21             19             24             11          11
2          2          21             21             26             11          11
3          3          23             23             not used       8           8

(a) Input message M = 16 bits.

Fig. 11. Probability of unrecoverable message for fixed input block size. $\alpha = 2$, $\beta = 1$. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

Fig. 12. Probability of unrecoverable message for fixed input block size. $\alpha = 2$, $\beta = 1$. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{comb}$, $U_{post}$, $U_{pre}$.)

Fig. 13. Probability of unrecoverable message for fixed input block size. $\alpha = 1$, $\beta = 2$. (Horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

Fig. 14. Probability of unrecoverable message for fixed input block size. $\alpha = 2$, $\beta = 2$. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{post}$, $U_{pre}$, $U_{comb}$.)

Fig. 15. Probability of unrecoverable message for combined scheme for various combinations of $\alpha$ and $\beta$. (Horizontal axis: log $P_c$; curves: 1-1, 2-1, 1-2, 2-2.)

Fig. 16. Probability of unrecoverable message for equal coding efficiency case. $\alpha = 3$, $\beta = 3$, $\alpha_{comb} = 1$, $\beta_{comb} = 1$. (Plot title: $P_p$ = 1e-8; horizontal axis: log $P_c$; curves: $U_{comb}$, $U_{post}$, $U_{pre}$.)

In Fig. 16, we compare the case where the code efficiencies are approximately equal. Here, an error-correcting value of $\alpha = \beta = 3$ in the pre- and post-encryption coding schemes produces about the same coding efficiency as the combined scheme which has $\alpha = \beta = 1$. We see that the pre-encryption coding scheme is far superior to either of the two other schemes. This implies that, if the size of the codes and efficiency are limited, then the pre-encryption coding scheme should be used.

IV. CONCLUSION

As more and larger data sets are encrypted for storage, the need to ensure the recoverability of those data becomes increasingly important. This is especially true in systems where only the enciphered form of the data is kept.

Encryption devices are becoming smaller and faster due to increased use of VLSI technology. Along with these improvements in performance comes increased probability of errors due to processing. We have analyzed a more accurate model of a cryptosystem used for file storage that incorporates the notion of a nonzero probability of processing errors.

All the methods studied here increase the storage requirements of the plaintext data. Our results show that the addition of redundancy to the message blocks before encryption may be necessary to improve the recoverability of the message after storage. A trade-off exists between the amount of storage required and the level of confidence the user has in the recoverability of the data. This is in some ways contrary to the notion of secrecy and message redundancy used in other communication systems.

While this study has dealt only with block encryption used in the electronic code book mode, the results can be extended to other modes of block encryption. In cipher block chaining [8], ciphertext block $C_i$ is formed by combining plaintext block $P_i$ and the previous ciphertext block $C_{i-1}$ as

$$C_i = E(C_{i-1} \oplus P_i)$$

where $E(\cdot)$ is the encryption process and $\oplus$ is a bitwise EXCLUSIVE-OR operation. Decryption follows as

$$P_i = C_{i-1} \oplus D(C_i)$$

where $D(\cdot)$ is the decryption process. Then a storage error in block $C_i$ will affect that block and block $C_{i+1}$. If pre-encryption coding were performed with an error-correcting power of at least two and the interleaving were done such that more than one block can be lost, then the system can recover from these storage errors. Processing errors, on the other hand, will affect only one plaintext block. This can be seen in the following way: if an error occurs in the generation of ciphertext block $C_i$, then $M_i$ will not be decrypted correctly (this will be resolved by the pre-encryption coding). Even though all subsequent ciphertext blocks will be calculated using an incorrect ciphertext block, the recoverability of subsequent blocks will not be affected as long as there are no storage errors (this is due to the fact that, even if an incorrect ciphertext block is used during encryption, its effect will be removed upon decryption).
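The difference between the two error types in cipher block chaining can be checked directly. The following is an added example, not code from the paper: it applies the two CBC equations above to 8-bit blocks, with a keyed random permutation as an assumed stand-in for $E(\cdot)$ and $D(\cdot)$; the key string, IV and sample plaintext are constructed.

```python
import random

BITS = 8                                   # toy block size (assumption, not DES)
ENC = list(range(1 << BITS))               # E(.) as a keyed random permutation
random.Random("constructed-key").shuffle(ENC)
DEC = [0] * len(ENC)                       # D(.) is the inverse table
for _p, _c in enumerate(ENC):
    DEC[_c] = _p

def cbc_encrypt(plain, iv, fault_at=None, mask=0x01):
    """C_i = E(C_{i-1} xor P_i).
    fault_at models a processing error: the device emits block fault_at with the
    bits in mask flipped, and that wrong block is both stored and chained."""
    stored, prev = [], iv
    for idx, p in enumerate(plain):
        c = ENC[prev ^ p]
        if idx == fault_at:
            c ^= mask
        stored.append(c)
        prev = c
    return stored

def cbc_decrypt(stored, iv):
    """P_i = C_{i-1} xor D(C_i)."""
    plain, prev = [], iv
    for c in stored:
        plain.append(prev ^ DEC[c])
        prev = c
    return plain

def damage(plain, recovered):
    """Map block index -> XOR difference, for every block recovered wrongly."""
    return {idx: a ^ b for idx, (a, b) in enumerate(zip(plain, recovered)) if a != b}

def storage_error(plain, iv, at, mask=0x01):
    """Encrypt correctly, then flip bits of stored block `at` before decryption."""
    stored = cbc_encrypt(plain, iv)
    stored[at] ^= mask
    return damage(plain, cbc_decrypt(stored, iv))

def processing_error(plain, iv, at, mask=0x01):
    """The fault happens while block `at` is generated; storage itself is clean."""
    stored = cbc_encrypt(plain, iv, fault_at=at, mask=mask)
    return damage(plain, cbc_decrypt(stored, iv))

# Constructed sample: six 8-bit plaintext blocks and an arbitrary IV.
PLAIN = list(b"REDUND")
IV = 0x5A

if __name__ == "__main__":
    print("storage error in C_2 damages blocks   :", sorted(storage_error(PLAIN, IV, 2)))
    print("processing error in C_2 damages blocks:", sorted(processing_error(PLAIN, IV, 2)))
```

A storage error garbles block i completely and copies the flipped bits into block i+1, so the pre-encryption code must tolerate two lost blocks; a processing error is chained consistently on both sides and costs only block i.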

In the cipher feedback mode the block sizes are reduced to k bits ($1 \le k \le 64$) for plaintext and ciphertext. The ciphertext block $C_i$ is formed as

$$C_i = P_i \oplus E(I)$$

where $I$ is the 64-bit input vector formed by shifting $C_{i-1}$ into the k least significant bits of the previous input vector (i.e., $I$ is formed from previous $C_i$). Once $C_i$ is calculated, it is shifted into $I$ to form the next input vector. The purpose of this structure is to make the system self-synchronous. Thus, if an error occurs in transmission, the plaintext will be garbled until all of the bits of that block have been shifted out of the input vector (e.g., for k = 16, the block with the error plus the next four blocks will be affected). In our case, storage errors and processing errors are indistinguishable (i.e., both will lead to incorrect recovery of input vectors). Thus, if the error-correcting power of the pre-encryption coding is sufficient to cover the affected blocks, the message will be recoverable.

ACKNOWLEDGMENT

The author would like to thank the reviewers for their comments and constructive criticism. Of special note were the comments of the editor who pointed out some properties of the system I had overlooked and suggested changes which improved the technical quality of the paper.

REFERENCES

[1] D. Denning, Cryptography and Data Security. Reading, MA: Addison-Wesley, 1983, ch. 1.
[2] R. Gallager, Information Theory and Reliable Communication. New York: Wiley, 1968, ch. 1.
[3] A. Tanenbaum, Computer Networks. Englewood Cliffs, NJ: Prentice-Hall, 1981, ch. 4.
[4] J. Mark, "Priority scheduling for integrated voice/data services in local area networks," Univ. of Waterloo, Waterloo, ON, Canada, CCNG Rep. E-111, Mar. 1983.
[5] B. Chappell, S. Schuster, and G. Sai-Halasz, "Stability and SER analysis of static RAM cells," IEEE Trans. Electron Devices, vol. ED-32, no. 2, pp. 463-470, Feb. 1985.
[6] G. Sai-Halasz, "Alpha particle induced soft errors in VLSI circuits," IEEE Trans. Electron Devices, vol. ED-29, pp. 725-731, Apr. 1982.
[7] J. Lohstroh, "Worst-case static noise margin criteria for logic circuits and their mathematical equivalence," IEEE J. Solid-State Circuits, vol. SC-18, pp. 803-806, Aug. 1983.
[8] Data Encryption Standard, Nat. Bureau of Standards, Washington, DC, FIPS PUB 46, Jan. 1977.