ACE Encrypt explained

ACE (advanced cryptographic engine) is the collection of units, implementing both a public key encryption scheme and a digital signature scheme. Corresponding names for these schemes — «ACE Encrypt» and «ACE Sign». Schemes are based on Cramer-Shoup public key encryption scheme and Cramer-Shoup signature scheme. Introduced variants of these schemes are intended to achieve a good balance between performance and security of the whole encryption system.

Authors

All the algorithms, implemented in ACE are based on algorithms developed by Victor Shoup and Ronald Cramer. The full algorithms specification is written by Victor Shoup. Implementation of algorithms is done by Thomas Schweinberger and Mehdi Nassehi, its supporting and maintaining is done by Victor Shoup. Thomas Schweinberger participated in construction of ACE specification document and also wrote a user manual.

Ronald Cramer currently stays in the university of Aarhus, Denmark. He worked on the project of ACE Encrypt while his staying in ETH in Zürich, Switzerland.

Mehdi Nassehi and Thomas Schweinberger worked on ACE project in the IBM research lab in Zürich, Switzerland.
Victor Shoup works in the IBM research lab in Zürich, Switzerland.

Security

The encryption scheme in ACE can be proven secure under reasonable and naturalintractability assumptions.These four assumptions are:

The Decisional Diffie-Hellman (DDH) assumption
Strong RSA assumption
SHA-1 second preimage collision resistance
MARS sum/counter mode pseudo-randomness

Basic Terminology and Notation

Here we introduce some notations, being used in this article.

Basic mathematical notation

— The set of integers.

F_2[T]

— The set of univariate polynomials with coefficients in the finite field

F₂

of cardinality 2.

A\operatorname{rem}n

— integer

r\in\left\{0,...,n-1\right\}

such that

A\equivr\pmodn

for integer

n>0

and

A\in\Z

A\operatorname{rem}f

— polynomial

r\inF_2[T]

with

\deg(r)<\deg(f)

such that

A\equivr\pmodf

with

A,f\inF_2[T],f\ne0

Basic string notation

A^\ast

— The set of all strings.

Aⁿ

— The set of all strings with length n.
For

x\inA^\astL(x)

— length of string

. The string of length zero is denoted

λ_A

.
For

x,y\inA^\ast

x\|y

— the result of

and

concatenation.

Bits, Bytes, Words

b\overset{def

}\left\ — The set of bits.
Let us take all sets of form

	n₁
b

	n₁
(b

	n₂
)

,...

. For such a set A we define the "zero element":

We define

B\stackrel{def

}b^8 as a set of bytes, and

W\stackrel{def

}b^ as a set of words.

For

x\inA^\ast

with

A\in\left\{b,B,W\right\}

and

l>0

we define a padding operator:

Conversion operator

	dst
I
	src

:src\todst

makes a conversion between elements

	\ast
Z,F
	2[T],b

,B^\ast,W^\ast

Encryption Scheme

Encryption Key Pair

The encryption scheme employs two key types:
ACE public key:

(P,q,g_1,g_2,c,d,h_1,h_2,k_1,k₂₎

.
ACE private key:

(w,x,y,z_1,z₂₎

.
For a given size parameter

, such that

1024\lem\le16384

, key components are defined as:

— a 256-bit prime number.

— a m-bit prime number, such that

P\equiv1\pmodq

g_1,g_2,c,d,h_1,h₂

— elements

\left\{1,...,P-1\right\}

(whose multiplicative order modulo

divides

w,x,y,z_1,z₂

— elements

\left\{0,...,q-1\right\}

k_1,k₂

— elements

B^\ast

with

L(k_1)=20l'+64

and

L(k_{2)=32\left\lceil}l/16\right\rceil+40

, where

l=\left\lceilm/8\right\rceil

and

l'=L_{b(\left\lceil}(2\left\lceill/4\right\rceil+4)/16\right\rceil)

Key Generation

Algorithm. Key Generation for ACE encryption scheme.
Input: a size parameter

, such that

1024\lem\le16384

.
Output: a public/private key pair.

Generate a random prime

, such that

2²⁵⁵<q<2²⁵⁶

Generate a random prime

2^m-1<P<2^m

, such that

P\equiv1(modq)

Generate a random integer

g₁\in\left\{2,...,P-1\right\}

, such that

	q\equiv1(mod
g
	1

Generate random integers

w\in\left\{1,...,q-1\right\}

and

x,y,z_1,z₂\in\left\{0,...,q-1\right\}

Compute the following integers in

\left\{1,...,P-1\right\}

Generate random byte strings

k₁\inB^20l'+64

and

k₂\inB^2\left\lceil

, where

l=L_B(P)

and

l'=L_{B(\left\lceil}(2\left\lceill/4\right\rceil+4)/16\right\rceil)

Return the public key/private key pair

Ciphertext Representation

A ciphertext of the ACE encryption scheme has the form

where the components are defined as:

u_1,u_2,v

— integers from

\left\{1,...,P-1\right\}

(whose multiplicative order modulo

divides

— element

W⁴

— element

B^\ast

s,u_1,u_2,v

we call the preamble, and

— the cryptogram. If a cleartext is a string consisting of

байт, then the length of

is equal to

l+16\left\lceill/1024\right\rceil

.
We need to introduce the function

CEncode

, which maps a ciphertext to its byte-stringrepresentation, and the corresponding inverse function

CDecode

. For the integer

l>0

, word string

s\inW⁴

, integers

0\leu_1,u

	l

	2,v<256

, and byte string

e\inB^\ast

,
For integer

l>0

, byte string

\psi\inB^\ast

, such that

L(\psi)\ge3l+16

Encryption Process

Algorithm. ACE asymmetric encryption operation.
input: public key

(P,q,g_1,g_2,c,d,h_1,h_2,k_1,k₂₎

and byte string

M\inB^\ast

.
Output: byte string — ciphertext

\psi

Generate

r\in\left\{0,...,q-1\right\}

at random.

Generate the ciphertext preamble:
1. Generate

s\inW⁴

at random.

1. Compute

u₁\leftarrow

	r
g
	1

remP

u₂\leftarrow

	r
g
	2

remP

1. Compute

\alpha \leftarrowUOWHash^\prime(k_1,L_B(P),s,u_1,u₂₎\inZ

; note that

0<\alpha <2¹⁶⁰

1. Compute

v\leftarrowc^rd^\alpha rremP

Compute the key for the symmetric encryption operation:

\tilde{h_1}\leftarrow

	r
h
	1

remP

\tilde{h_2}\leftarrow

	r
h
	2

remP

1. Compute

k\leftarrowESHash(k,L_B(P),s,u_1,u_2,\tilde{h_1},\tilde{h_2})\inW⁸

Compute cryptogram

e\leftarrowSEnc(k,s,1024,M)

Encode the ciphertext:
Return

\psi

.Before starting off the symmetric encryption process, the input message

M\inB^\ast

is divided into blocks

M_1,...,M_t

, where each of the block, possibly except the last one, is of 1024 bytes. Each block is encrypted by the stream cipher. For each encrypted block

E_i

16-byte message authentication code is computed. We get the cryptogram Note that if

L(M)=0

, then

L(e)=0

.Algorithm. ACE asymmetric encryption process.
Input:

(k,s,M,m)\inW⁸ x W⁴ x Z x B^\ast

m>0

Output:

e\inB^l

l=L(M)+16\left\lceilL(N)/m\right\rceil

M=λ_B

, then return

λ_B

Initialize a pseudo-random generator state:
Generate the key

k_AXUAXUHash

e\leftarrowλ_B,i\leftarrow0

While

i<L(M)

, do the following:

r\leftarrowmin(L(M)-i,m)

1. Generate mask values for the encryption and MAC:

(mask_m,genState)\leftarrowGenWords(4,genState)

(mask_e,genState)\leftarrowGenWords(r,genState)

1. Encrypt the plaintext:

enc\leftarrow

	i+r
l[Mr]
	i

⊕ mask_e

1. Generate the message authentication code:
  1. If

i+r=L(M)

, then

lastBlock\leftarrow1

; else

lastBlock\leftarrow0

mac\leftarrowAXUHash(k_AXU,lastBlock,enc)\inW⁴

1. Update the ciphertext:

e\leftarrow

	B^\ast
e\|\|enc\|\|I
	W^\ast

(mac ⊕ mask_m)

i\leftarrowi+r

Return

Decryption process

Algorithm. ACE decryption process.
Input: public key

(P,q,g_1,g_2,c,d,h_1,h_2,k_1,k₂₎

and corresponding private key

(w,x,y,z_1,z₂₎

, byt e string

\psi\inB^\ast

.
Output: Decrypted message

M\inB^\ast\cup{Reject}

Decrypt the ciphertext:
1. If

L(\psi)<3L_B(P)+16

, then return

Reject

1. Compute:
  note that

0\leu_1,u

	l

	2,v<256

, where

l=L_B(P)

Verify the ciphertext preamble:
1. If

u₁\geP

u₂\geP

v\geP

, then return

Reject

1. If

	q
u
	1

\ne1remP

, then return

Reject

reject\leftarrow0

1. If

u₂\ne

	w
u
	1

remP

, then

reject\leftarrow1

1. Compute

\alpha\leftarrowUOWHash^\prime(k_1,L_B(P),s,u_1,u₂₎\inZ

; note that

0\le\alpha\le2¹⁶⁰

1. If

v\ne

	x+{\alpha
u
	1

y}remP

, then

reject\leftarrow1

1. If

reject=1

, then return

Reject

Compute the key for the symmetric decryption operation:

\tilde{h_1}\leftarrow

	z₁
u
	1

remP

\tilde{h_2}\leftarrow

	z₂
u
	1

remP

1. Compute

k\leftarrowESHash(k_2,L_B(P),s,u_1,\tilde{h_1},\tilde{h_2})\inW⁸

Compute

M\leftarrowSDec(k,s,1024,e)

;note that

SDec

can return

Reject

Return

.Algorithm. Decryption operation

SDec

.
Input:

(k,s,m,e)\inW⁸ x W⁴ x Z x B^\ast

m>0

Output: Decrypted message

M\inB^\ast\cup{Reject}

e=λ_B

, then return

λ_B

Initialize a pseudo-random generator state:
Generate the key

k_AXUAXUHash

M\leftarrowλ_B,i\leftarrow0

While

i<L(e)

, do the following:

r\leftarrowmin(L(e)-i,m+16)-16

1. If

r\le0

, then return

Reject

1. Generate mask values for the encryption and MAC:

(mask_m,genState)\leftarrowGenWords(4,genState)

(mask_e,genState)\leftarrowGenWords(r,genState)

1. Verify the message authentication code:
  1. If

i+r+16=L(M)

, then

lastblock\leftarrow1

; else

lastblock\leftarrow0

mac\leftarrowAXUHash(k_AXU

	i+r
,lastBlock,l[er]
	i

)\inW⁴

1. 1. If

	i+r+16
l[e]r
	i+r

\ne

	B^\ast
I
	W^\ast

(mac ⊕ mask_m)

, then return

Reject

1. Update the plaintext:

M\leftarrow

	i+r
M\|\|(l[er]
	i

) ⊕ mask_e)

i\leftarrowi+r+16

Return

Signature Scheme

The signature scheme employs two key types:
ACE Signature public key:

(N,h,x,e',k',s)

.
ACE Signature private key:

(p,q,a)

.
For the given size parameter

, such that

1024\lem\le16384

, key components are defined the following way:

—

\left\lfloorm/2\right\rfloor

-bit prime number with

(p-1)/2

— is also a prime number.

—

\left\lfloorm/2\right\rfloor

-bit prime number with

(q-1)/2

— is also a prime number.

—

N=pq

and has either

m-1

бит.

h,x

— elements

\left\{1,...,N-1\right\}

(quadratic residues modulo

— 161-bit prime number.

— element

\left\{0,...,(p-1)(q-1)/4-1\right\}

— elements

B¹⁸⁴

— elements

B³²

Key Generation

Algorithm. Key generation for the ACE public-key signature scheme.
Input: size parameter

, such that

1024\lem\le16384

.
Output: public/private key pair.

Generate random prime numbers

p,q

, such that

(p-1)/2

and

(q-1)/2

— is also a prime number, and

m_{1=\left\lfloor}m/2\right\rfloor

and

m_{1=\left\lceil}m/2\right\rceil

N\leftarrowpq

Generate random prime number

, где

2¹⁶⁰\lee'\le2¹⁶¹

Generate random

h'\in\left\{1,...,N-1\right\}

, taking into account

gcd(h',N)=1

and

gcd(h'\pm1,N)=1

, and compute

h\leftarrow(h')^-2remN

Generate random

a\in\left\{0,...,(p-1)(q-1)/4-1\right\}

and compute

x\leftarrowh^aremN

Generate random byte strings

k'\inB¹⁸⁴

, and

s\inB³²

Return public key/private key pair

Signature Representation

The signature in the ACE signature scheme has the form

(d,w,y,y',\tilde{k})

, where the components are defined the following way:

— element

B⁶⁴

— integer, such that

2¹⁶⁰\lew\le2¹⁶¹

y,y'

— elements

\left\{1,...,N-1\right\}

\tilde{k}

— element

B^\ast

;note that

L(\tilde{k})=64+20L_{B(\left\lceil}(L(M)+8)/64\right\rceil)

, where

— message being signed.
We need to introduce the

SEncode

function, which maps a signature into its byte string representation, and the corresponding inverse function

SDecode

. For integer

l>0

, byte string

d\inB⁶⁴

, integers

0\lew\le256²¹

and

0\ley,y'<256^l

, and byte string

\tilde{k}\inB^\ast

,
For integer

l>0

, byte string

\sigma\inB^\ast

, where

L(\sigma)\ge2l+53

Signature Generation Process

Algorithm. ACE Signature Generation Process.
Input: public key

(N,h,x,e',k',s)

and corresponding private key

(p,q,a)

and byte string

M\inB^\ast

0\leL(M)\le2⁶⁴

.
Output: byte string — digital signature

\sigma\inB^\ast

Perform the following steps to hash the input data:
1. Generate a hash key

\tilde{k}\inB^20m+64

at random, such that

m=L_{b(\left\lceil}(L(M)+8)/64\right\rceil)

1. Compute

m_h\leftarrow

	Z
I
	W^\ast

(UOWHash^\prime\prime(\tilde{k},M))

Select

\tilde{y}\in\left\{1,...,N-1\right\}

at random, and compute

y'\leftarrow\tilde{y}²remN

Compute

x'\leftarrow(y')^r'

	m_h
h

remN

Generate a random prime

2¹⁶⁰\lee\le2¹⁶¹

, and its certificate of correctness

(w,d)

(e,w,d)\leftarrowGenCertPrime(s)

. Repeat this step until

e\nee'

r\leftarrowUOWHash^{\prime\prime\prime}(k',L_{B(N),x',\tilde{k})}\inZ

; note that

0\ler<2¹⁶⁰

Compute

y\leftarrowh^bremN

, where
and where

p'=(p-1)/2

and

q'=(q-1)/2

Encode the signature:
Return

\sigma

Notes

In the definition of ACE Encryption process and ACE Signature process some auxiliary function (e.g. UOWHash, ESHash and some other) are being used, definition of which goes beyond this article. More details about it can be found in в.^[1]

Implementation, Utilization and Performance

ACE Encryption scheme is recommended by NESSIE (New European Schemes for Signatures, Integrity and Encryption) as asymmetric encryption scheme. Press-release is dated by February 2003.

Both schemes were implemented in ANSI C, with the use of GNU GMP library. Tests were done on two platforms: Power PC 604 model 43P under AIX system and 266 MHz Pentium under Windows NT system. Result tables:


Power PC		Pentium		-		Operand size(byte)		Operand size(byte)		-		512	1024	512	1024	-	Multiplication					-	Squaring					-	Exponentiation


Power PC		Pentium		-		Fixed costs (ms)	MBit/sec	Fixed costs (ms)	MBit/sec	-	Encrypt	160	18	230	16	-	Decrypt	68	18	97	14	-	Sign	48	64	62	52	-	Sign set-up	29		41		-	Verify	52	65	73	53

Literature

http://www.zurich.ibm.com/security/ace/ace_spec.pdf ACE: The Advanced Cryptographic Engine, T. Schweinberger and V. Shoup, manuscript 2000

ACE Encrypt explained

Authors

Security

Basic Terminology and Notation

Basic mathematical notation

Basic string notation

Bits, Bytes, Words

Conversion operator

Encryption Scheme

Encryption Key Pair

Key Generation

Ciphertext Representation

Encryption Process

Decryption process

Signature Scheme

Key Generation

Signature Representation

Signature Generation Process

Notes

Implementation, Utilization and Performance

Literature

External links