Abstract
A new attack algorithm is proposed for the secure key generation and management method introduced by Yang and Wu. It was previously claimed that the Yang–Wu key generation method using a keystore seed was information-theoretically secure and could solve the long-term key storage problem in cloud systems, thanks to the huge number of secure keys that the keystore seed can generate. Their key generation method, however, is broken if an attacker can recover the keystore seed. The attack algorithm proposed in this paper reconstructs the keystore seed of the Yang–Wu key generation method from a small number of collected keys. For example, when and , it was previously claimed that more than secure keys could be generated, but the proposed attack algorithm reconstructs the keystore seed from only 84 collected keys. Hence, the Yang–Wu key generation method is not information-theoretically secure when the attacker can gather multiple keys, because a critical amount of information about the keystore seed is leaked.
1. Introduction
Data storage and transmission have become frequent operations in recent public cloud systems. It is important to use secure keys in the cloud system, because users relying on a password can be vulnerable to dictionary attacks []. It is well known that secure keys reveal less user information than the password method. Thus, secure keys have been used in various fields such as file encryption, access to virtual private networks, and user authentication []. However, conventional key generation methods have many problems in terms of long-term file management, where each file should be independently encrypted with a random secure key, since such storage is characterized by long-term retention and frequent user access. Otherwise, cloud systems are not secure against ciphertext-only or chosen-plaintext attacks []. To make one-key-for-one-file secure encryption for long-term data protection, a new secure key generation method using a keystore seed was proposed in [], claiming that the method could produce many information-theoretically -secure keys. In this paper, we propose a new method to break their key generation by reconstructing the keystore seed from a small number of collected keys.
This paper is organized as follows. In Section 2, the secure key generation and management methods are reviewed. In Section 3, we propose an attack algorithm against the information-theoretically -secure key generation method in [] and show the successful attack probability. In Section 4, we analyze the modified Yang–Wu scheme with hashed keys [], which is not information-theoretically -secure but provides only computational security. Finally, Section 5 concludes this paper.
2. Key Generation and Management Based on Keystore Seed
In this section, we briefly explain the secure key generation and management methods in [].
2.1. Key Generation
There is a keystore seed , which is a randomly generated L-bit binary sequence, where is the i-th bit of the keystore seed for . Let be a sub-sequence of length l of the keystore seed and let be the keystore seed index of the first element of , where . Then, is represented as . The key of length l is generated as , where ⊕ denotes the bit-wise exclusive OR. The set of all possible keys generated from the keystore seed K is denoted as , where is . This key generation method is referred to as the -key generation scheme, where l is the length of each key and t is the number of subkeys of the keystore seed used to generate each key.
2.2. Key Management
After key generation, the generated keys can be used in the following way:
- A file is encrypted using a key randomly selected from set .
- Attach the key index information into the encrypted file and send it.
- To decrypt an encrypted file, the encryption key is regenerated from the securely stored keystore seed using the attached key index information i, and the received file is decrypted with it.
The keystore seed should be protected in a secure memory that cannot be accessed by outside users. Even though the key index information is available, any information on the keystore seed should not be disclosed.
2.3. Information-Theoretically -Secure Keystore
Information-theoretic -security for arbitrarily small is defined by the following specifications.
Definition 1
([]). A keystore of keys of length l generated from a keystore seed K is said to be information-theoretically ϵ-secure for , if the properties in the following theorems hold.
Theorem 1
([]). For and arbitrarily small , all keys are randomly and uniformly distributed over as
Theorem 2
([]). For all pairs of independent indices ,
Yang and Wu [] stated that Theorem 2 can be extended to the following argument.
Argument 1 (n-th order of Theorem 2).
For all independent , where , we have
In this paper, we will demonstrate that this argument is only true for a very small n.
3. Linear Attack on Key Generation and Management
3.1. Linear Attack Algorithm
In this section, we propose an attack algorithm to reconstruct a keystore seed from a number of collected keys. For example, assume that we have some keys with as presented in []. Each key has 5 indices and consists of the bitwise exclusive OR of 5 subkeys of length l starting at the given indices. Each key yields a submatrix shown on the left side of Figure 1. Each consists of l indicator vectors that generate key . For example, suppose we have one key with index . Then, the indicator vector is (all 0 except at indices 1, 3, 4, 6, 7). Next, the indicator vector is a circular shift to the right of . The rows of consist of and rank because it has l independent indicator vectors. If the condition is not satisfied, there are dependent indicator vectors due to overlap caused by the cyclic shift. The indicator matrix M is made by stacking up the submatrices . Consequently, we stack up submatrices until M satisfies rank. Finally, we find the keystore seed by solving the system of linear equations shown in Figure 1, because M has then become full rank and is invertible. The attack algorithm is summarized in Algorithm 1. If the indicator matrix M attains rank L by stacking up several indicator submatrices, Argument 1 does not hold for an n large enough to make M full rank. Thus, their key generation method is not secure.
Algorithm 1 Successful attack probability with R keys
Input: Variables
Output: True if the indicator matrix rank is larger than or equal to L
for i from 1 to R do
    Randomly select t integers in range of (0, )
    indicator vector of of length l
    for j from 1 to do
        circular cyclic shift right once of
    end for
    if rank then return True end if
end for

Figure 1.
Matrix operation to find keystore seed.
Let Z be a random variable defined as
With this random variable, the left-hand side of (1) can be rewritten as
where means that the keystore seed is reconstructed and the key’s entropy goes to 0, because is then automatically determined by the key index i. Therefore, (2) only contains the case. Since , we have
According to numerical analysis, becomes almost 0 as the number of collected keys increases, which means that the lower bound on the entropy in the n-th order expansion of Argument 1 is not correct for large n. Although Argument 1 is correct for very small n, this is of little use, since the purpose of their method is one-key-for-one-file encryption in cloud systems, which requires many secure keys. In other words, once the entropy of the generated keys becomes 0, the keystore seed can no longer be used to generate secure keys. Thus, attackers can reconstruct the keystore seed with high probability, which means that their key generation method is no longer information-theoretically -secure. In the next subsection, we show by numerical analysis the number of collected keys needed to make rank.
3.2. Successful Linear Attack Probability
The successful attack probability with R keys is defined as the probability that the indicator matrix M built from R keys has rank larger than or equal to L, as in Algorithm 1. Clearly, at least keys are required to make M full rank. Figure 2 shows the successful attack probability against the key generation algorithm in [], derived numerically for , respectively, when . Table 1 lists the successful attack probability of Figure 2 for several values of R.
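As an added example (not code from this paper or from Yang and Wu), the following Python script implements the (L, l, t) key generation of Section 2.1, the indicator-matrix construction and GF(2) solve behind Algorithm 1 in Section 3.1, and the success-probability estimate of Section 3.2. The values L = 64, l = 16 and the seeded RNG are assumptions; t = 5 follows the example in Section 3.1.

```python
import random


def gen_key(seed, idx, l):
    """Yang-Wu key: bitwise XOR of t circular subsequences of the seed, each of length l, starting at idx."""
    return [sum(seed[(s + j) % len(seed)] for s in idx) % 2 for j in range(l)]


def indicator_rows(idx, n, l):
    """Indicator submatrix M_i: row j marks the seed bits XORed into key bit j (row j+1 is row j shifted right)."""
    cols = [{(s + j) % n for s in idx} for j in range(l)]
    return [[int(c in cs) for c in range(n)] for cs in cols]


def gf2_solve(rows, rhs, n):
    """Gauss-Jordan over GF(2) on [M | k]; returns (rank, seed), seed None unless rank == n."""
    pivots = {}                                     # pivot column -> fully reduced equation
    for r, v in zip(rows, rhs):
        e = sum(b << c for c, b in enumerate(r)) | (v << n)   # bit n carries the key bit
        for c, p in pivots.items():                 # clear every existing pivot column
            if (e >> c) & 1:
                e ^= p
        if not e & ((1 << n) - 1):                  # dependent row: nothing new learned
            continue
        c = (e & -e).bit_length() - 1               # new pivot: lowest remaining column
        for d in pivots:
            if (pivots[d] >> c) & 1:
                pivots[d] ^= e
        pivots[c] = e
    seed = [(pivots[c] >> n) & 1 for c in range(n)] if len(pivots) == n else None
    return len(pivots), seed


def reconstruct_seed(seed, l, t, rng, max_keys=200):
    """Section 3.1: collect random (index set, key) pairs until rank(M) = L, then solve for the seed.
    Assumes t odd: with even t every row has even weight, so rank L is never reached."""
    n, rows, rhs = len(seed), [], []
    for used in range(1, max_keys + 1):
        idx = rng.sample(range(n), t)               # attacker sees the key and its index information
        rows += indicator_rows(idx, n, l)
        rhs += gen_key(seed, idx, l)
        rank, rec = gf2_solve(rows, rhs, n)
        if rec is not None:
            return used, rec
    return max_keys, None


def success_probability(n, l, t, R, trials, rng):
    """Algorithm 1 / Section 3.2: fraction of trials in which R random keys make rank(M) >= n."""
    hits = 0
    for _ in range(trials):
        rows = [r for _ in range(R) for r in indicator_rows(rng.sample(range(n), t), n, l)]
        hits += gf2_solve(rows, [0] * len(rows), n)[0] >= n
    return hits / trials
```

With the assumed L = 64, l = 16, t = 5, `reconstruct_seed` typically recovers the whole seed after only a few more than L/l = 4 keys, illustrating why the entropy bound of Argument 1 fails for large n.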

Figure 2.
Successful attack probability of the proposed attack algorithm when: (a) , , (b) , .

Table 1.
Successful attack probability of the proposed attack algorithm.
4. Information-Theoretic Weakness of Modified Yang–Wu Schemes with Hashed Keys
Forward secrecy is the property that, if a secret key is compromised, past keys are not compromised. In the key generation method of [], many keys are generated from one keystore seed through linear combinations. If the number of generated keys is large enough, a newly generated key has only very small entropy given the previously generated keys. This idea can be checked via the following observation.
For binary independent random variables X and Y, suppose that and . Then, we have
This can easily be extended and applied to Yang and Wu’s algorithm, which is intended to provide independent and uncorrelated secret keys for the one-key-for-one-file long-term secure system. Assume that we have one key generated from bits of the keystore seed, as in Figure 3. If we know the subkeys for , we can derive the subkey , since we know the key . As t increases, the number of subkeys generating a key becomes large. This is the weakness exploited in Section 3 to give the indicator matrix M full rank. The simulation results show that the successful attack probability of the proposed attack algorithm for increases abruptly compared with when the number of collected keys becomes large. In addition, the successful attack probability becomes very large as t increases. Therefore, a large value of t should be avoided in the key generation scheme.

Figure 3.
Key generation by subkeys.
In real applications, it is very important to provide strong protection for the keystore seed. However, in a cloud environment, some information may be disclosed during processing such as key generation, file encryption, or decryption, due to undiscovered system weaknesses or side-channel attacks as in []. In this paper, we show that it is possible to reconstruct the entire keystore seed even if only a very small number of generated keys (i.e., 84 keys) are leaked, compared with the total number of possible keys (i.e., keys).
In order to reduce the risk of keystore seed reconstruction, encryption using a hashed key was proposed in [], where k is a key generated from the keystore seed and is a one-way hash function. It is true that encryption with a hashed key could avoid the proposed linear attack of keystore seed reconstruction. However, avoiding the linear attack does not guarantee information-theoretic -security, since hashed keys have the same number of bits as the original keys. If the original keystore is not information-theoretically -secure, the hashed keys are also not information-theoretically -secure, since hashing is a one-to-one mapping. Hashing only increases computational complexity; it does not increase key entropy.
The hashed key can be a countermeasure against the proposed linear attack. Moreover, by introducing a hash chain for key generation, it is possible to increase both the computational complexity of the linear analysis and the number of possible keys. Let us set each subkey as for . Then, the key is generated as , where is a subkey and is a one-way hash function from to . Note that if the order in which is applied is changed, the generated key is completely different when a cryptographic hash function such as SHA-2 or SHA-3 is used. Although this type of countermeasure cannot guarantee information-theoretically -secure keys, it can be cryptographically secure.
5. Conclusions
As the demand for long-term data storage on public clouds increases, a large number of secure keys are needed. To deal with this problem, Yang and Wu proposed a new key generation method using a keystore seed []. In this paper, we proposed an attack algorithm against their key generation method, in which a small number of collected keys suffices to reconstruct the keystore seed with high probability. Although encryption using a hashed key could avoid the proposed reconstruction attack, it still does not guarantee information-theoretic -security in situations where some information is leaked. Therefore, a new secure key generation method based on a keystore seed remains a topic for future research.
Author Contributions
S.C. firstly found the main issue of the previous scheme. Y.-H.K. proposed a methodology to analyze this issue. All authors carried out the formal analysis of the proposed attack. S.C. wrote a program in C and Y.-S.K. and J.-S.N. investigated the numerical data. All authors have read and approved the final manuscript.
Funding
This work was supported by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (R-20160229-002941, Research on Lightweight Post-Quantum Crypto-systems for IoT and Cloud Computing).
Conflicts of Interest
The authors declare no conflict of interest.
References
- Morris, R.; Thompson, K. Password security: A case history. Commun. ACM 1979, 22, 594–597.
- Monrose, F.; Reiter, M.K.; Li, Q.; Wetzel, S. Cryptographic key generation from voice. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 14–16 May 2001; pp. 202–213.
- Menezes, A.J.; van Oorschot, P.; Vanstone, S. Handbook of Applied Cryptography; CRC Press: Boca Raton, FL, USA, 1996.
- Yang, E.H.; Wu, X.W. Information-theoretically secure key generation and management. In Proceedings of the 2017 IEEE International Symposium on Information Theory (ISIT), Aachen, Germany, 25–30 June 2017; pp. 1529–1533.
- Wu, X.W.; Yang, E.H.; Wang, J.H. Lightweight security protocols for the Internet of Things. In Proceedings of the 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), Montreal, QC, Canada, 8–13 October 2017.
- Bazm, M.-M.; Lacoste, M.; Sudholt, M.; Menaud, J.-M. Side Channels in the Cloud: Isolation Challenges, Attacks, and Countermeasures. 2017. Available online: https://hal.inria.fr/hal-01591808/ (accessed on 17 February 2019).
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).