Comparison of Selected Fast Orthogonal Parametric Transforms in Data Encryption

Transcription

1 JOURNAL OF APPLIED COMPUTER SCIENCE Vol. 23 No. 2 (2015), pp Comparison of Selected Fast Orthogonal Parametric Transforms in Data Encryption Dariusz Puchala Lodz University of Technology Institute of Information Technology Wolczanska 215, Lodz, Poland dariusz.puchala@p.lodz.pl Abstract. In this paper, we present the results of experimental comparison of fast parametric orthogonal transforms with three popular computational structures with respect to their practical applications to data encryption. The presented results concern the experimental determination of: (1) probability distribution of generating private keys that differ by the given number of bits, (2) probability distribution of signal reconstruction error during the simulation of brute force attack and (3) expected reconstruction error in the function of Hamming distance between private keys. Keywords: parametric linear transforms, data encryption. 1. Introduction Fast parametric orthogonal transforms (FPOTs) find many practical applications in the tasks of digital signal processing and analysis. Typical applications involve signal denoising with Wiener filtering scheme, lossy compression of data or data encryption [1, 2, 3, 4]. In the field of data encryption parametric transforms are very promising and some of their variants found practical applications in joint encryption and compression of images and video sequences for JPEG and MPEG standards respectively (c.f. [5, 6]). The main advantage of FPOTs over well known

2 56 Comparison of Selected Fast Orthogonal Parametric Transforms... transforms with fixed bases is their parametrization that allows for adaptation of basis vectors to the specific characteristics of signals being considered. This feature together with known online-mode adaptation algorithms [7, 8] make FPOTs to be very powerful and flexible tools for data processing. Furthermore, having in mind fast computational structures of FPOTs that are oriented for mass-parallel [9] and pipeline computations we gain tools that are not only powerful but also computationally effective. In this paper, we compare three selected types of FPOTs with different computational structures in terms of their capabilities for data encryption applications. The considered structures are: (I) the generalization of Bene s network which has the capability to realize any permutation of elements of input data vectors [10], (II) the Walsh-Hadamard like transform structure and (III) the novel lattice structure for calculation of two-channel orthogonal filters introduced in [11]. The experimental results in the form of statistical analysis of the: (1) probability distribution of generating private keys that differ by the given number of bits, (2) probability distribution of signal reconstruction error during the simulation of brute force attack and (3) expected reconstruction error in the function of Hamming distance between private keys are presented and discussed in the experimental part of the paper. 2. The considered variants of parametric transforms In this paper, we consider three variants of FPOTs that differ in the shape of computational structures and also in the number of parameters for the given size N of input data vectors. Following [2] any orthogonal transform can be described in the form: M V = P M i+1 U M i P 0, (1) i=1 where P i are permutation matrices (i = 0, 1,..., M), U i are block diagonal matrices with 2 on 2 element matrices on main diagonals which represent rotations in R 2 subspaces (i = 0, 1,..., M 1). Hence, U i matrices define operations being performed on data vectors on each stage for i = 0, 1,..., M 1, while P i matrices describe data flow paths between neighbouring stages (P 0 describes permutation of input data). A single rotation matrix O i j (called rotation operator, butterfly operator or shortly an operator) can be described in several forms but the following

3 D. Puchala 57 notation is assumed in this paper: [ cos(α O i j = i j ) sin(α i j ) sin(α i j ) cos(α i j ) ], (2) where α i j are rotation angles for i = 0, 1,..., M 1, j = 0, 1,..., N/2 1. Hence, we have U i = diag(o i0, O i1,..., O i( N 2 1) ), where diag( ) is a diagonal matrix building operator. Since O i j operators are orthogonal then U i matrices must be orthogonal. It should be noted that P i matrices are orthogonal too. Hence, V transform matrix being a product of orthogonal matrices is also orthogonal and it fulfils the property VV T = I, where ( ) T describes matrix transposition and I is an identity matrix. Due to this property an inverse matrix is simply the transposition of V. The parameter M defines a number of stages, which are described by the following U i matrices. Hence, it also determines the computational complexity of the resulting transform V. By taking into account the complexity of a single stage (i.e. the complexity of a single U i matrix), it can be concluded that the overall complexity is of order O(MN). However, in this paper we are interested in fast transformations and that is the reason of choosing M to be of order O(log 2 N). Such values of M would produce V transforms with linear-logarithmic complexities, i.e. the complexities of order O(N log 2 N). If we would confront it with the complexity of direct matrix-by-vector multiplication which equals O(N 2 ), it would be clear that fast transformations can be characterized by the computational complexities smaller by one order of magnitude The generalization of Beneš network The Bene s computational structure introduced in [10] has high combinatorial capacity since it allows to realize any permutation of input data. In this paper, we adopt such structure but in place of simple two-element switching operations we employ already defined by (2) rotation operators O i j. The generalized structure of that type for N = 8 element transformation is shown in Fig. 1. In this case the precise numbers of multiplications L I MUL and additions LI ADD can be described by formulas: L I MUL = 2N(2 log 2 N 1), L I ADD = N(2 log 2 N 1). Since each operator O i j is described by a value of one parameter α i j then it is obvious that for this type of computational structure the total number of parameters

4 58 Comparison of Selected Fast Orthogonal Parametric Transforms... x(0) O 20 y(0) O 10 O 30 x(1) y(1) x(2) O 00 O 11 O 31 O 21 O 40 y(2) x(3) O 01 O 41 y(3) x(4) O 02 O 22 O 42 y(4) x(5) O 03 O 12 O 32 O 43 y(5) O 13 O 33 x(6) O 23 y(6) x(7) y(7) Figure 1. The generalization of Beneš network for N = 8 elements. would equal: L I PAR = N 2 (2 log 2 N 1) The Walsh-Hadamard like structure The Walsh-Hadamard (WH) like computational structure adopts the structure of WH transformation which is popular in the tasks of signal processing [12]. It can be characterized by simpler layout and lower computational complexity than the generalization of Bene s network (see Fig. 2). In this case the precise number of required multiplications and additions can be calculated with aid of the following formulas: L II MUL = 2N log 2 N, L II ADD = N log 2 N. Here, once again the number of parameters corresponds to the number of operators O i j which for this type of computational structure can be defined as: L II PAR = N 2 log 2 N.

5 D. Puchala 59 x(0) O 00 y(0) O 10 x(1) y(1) x(2) O 01 O 11 O 20 y(2) O 21 x(3) y(3) O 22 x(4) O 02 y(4) x(5) O 12 O 23 y(5) O 13 x(6) O 03 y(6) x(7) y(7) Figure 2. The Walsh-Hadamard like computational structure for N = 8 element transformation Lattice structure for two-channel bank of filters Lattice structures of the considered type introduced in paper [11] are novel computational structures devised for effective calculation of two-channel banks of orthogonal filters. Except computational effectiveness they can be characterized by highly homogeneous structures which require at each stage the same way of attachment of butterfly operators. In addition the permutations between consecutive stages are trivial and can be implemented in the form of one-element cyclic shifts of data buffers (see Fig. 3). The mentioned features translate directly into the simplicity of hardware implementations of the structure in the pipeline as well as in parallel mode. It is a reason for this type of FPOTs to be interesting from the point of view of various practical applications including data encryption. It should be noted, however, that in the case of lattice structures the parameter M describes the order of filters, i.e. a number of taps of filters equals 2M. In this paper in order to obtain lattice structures with higher combinatorial capabilities we choose M = log 2 N which results in the following number of parameters: L III PAR = N 2 log 2 N,

6 60 Comparison of Selected Fast Orthogonal Parametric Transforms... while the precise numbers of multiplications and additions can be calculated as: L III MUL = 2N log 2 N, L III ADD = N log 2 N. It can be concluded that lattice structures considered in this paper can be also characterized by computational complexities of order O(N log 2 N). x(0) O 00 O 10 O 20 y(0) x(1) y(1) x(2) O 01 O 11 O 21 y(2) x(3) y(3) x(4) O 02 O 12 O 22 y(4) x(5) y(5) x(6) O 03 O 13 O 23 y(6) x(7) y(7) Figure 3. Lattice structure for two-channel bank of filters and N = 8 element input vectors. 3. Data encryption with aid of parametric transforms The aim of this paper is to compare three different computational structures of fast parametric transforms regarding the specifics of data encryption process. In order to make our considerations more general we choose the basic data encryption scheme which does not include any additional operations, e.g. an additional stage of lossy data compression. The mentioned scheme can be depicted in the form of block diagram shown in Fig. 4. Let x be the N - element input data vector. Such vector represents the plain data that will undergo the encryption process. The encryption process itself is realized as the product of the form y = V x, where V denotes the parametrized orthogonal

7 D. Puchala 61 transform and y is the resulting ciphered data. In order to ensure the required protection of the ciphered data the form of encryption transform V is described by the sequence of bits constituting a private key K. In paper [13] a simple mapping of individual bits of the private key to the values of the transform parameters α i j for i = 0, 1,..., M 1, j = 0, 1,..., N/2 1 was proposed. It assumes in the first place that the interval [0, 2π) of parameters variation is divided into a number of 2 k b subintervals of equal lengths α = 2π/2 k b. Then the discrete values of those parameters would be calculated as α i j = k i j α, where k i j denotes the decimal integer value (from interval [0, 2 k b 1]) encoded with aid of the subsequence of private key bits assigned to a given parameter. It is obvious that the size of a private key K can be calculated as L K = k b L PAR bits. private key K private key K x V y V T x encryption decryption Figure 4. Data encryption and decryption scheme. The decryption of the ciphered data requires an inverse transformation which in case of orthogonal V is simply its transposition V T. Then the decrypted data vector is calculated as x = V T y. Such scenario takes place only if the decryption process uses the same private key. Otherwise, we obtain z = V T y, where z x. 4. Experimental studies The subject of experimental research was statistical verification of the effectiveness of the considered FPOTs with different computational structures covering such aspects as: (1) probability distribution of generating private keys that differ by the given number of bits, (2) probability distribution of signal reconstruction error

8 62 Comparison of Selected Fast Orthogonal Parametric Transforms... during the simulation of brute force attack and (3) expected reconstruction error in the function of Hamming distance between private keys. For the sake of the simplicity of description we will refer to the considered structures with their ordinal numbers, i.e. (I) the generalization of Bene s network, (II) the Walsh-Hadamard like transform and (III) lattice structure. A number of experiments based on the model first order Markov signal with variance σ 2 = 1 and the correlation coefficient ρ = 0.9 were carried. For the encryption and decryption process we used scheme from Fig. 4 and FPOTs of all considered types I, II and III for N = 16 points and k b = 4 bits. It gave the following numbers of parameters: L I PAR = 56, LII PAR = LIII PAR = 32, what resulted in the following lengths of private keys: L I K = 224, LII K = LIII K = 128 bits. The first analysis concerns the probability distribution of generating private keys that differ by the given number of bits, i.e. they have a specified Hamming distance, wherein the uniform distribution of key generation is assumed. It is simple to show that the aforementioned distribution is the binomial Bernoulli distribution with the probability of success equal 1/2, i.e. it can be described by the formula p k = ( ) L K k 2 L K, where k is the Hamming distance and p k is the probability of drawing a key distant by k bits. The obtained experimental results for L K = 224 bits are presented in Fig. 5. It can be concluded that the probability of selecting a key that is distant by 70 to 90 bits from any key K is close to 0.9. The results presented in Fig. 5 regard the computational structure of type I (N = 16, k b = 4 and hence L K = 224). In the case of the structures of types II and III the probability distribution would be of course identical with regard to the power of the private key space. The second part of the study involves the experimental determination of the probability distribution of signal reconstruction error during the simulation of brute force attack. As a measure of signal reconstruction error we adopt the mean square error (MSE) expressed as a percentage of mean signal energy. Such relative MSE can be defined as: N 1 N 1 ɛ MS E = 100 (x(i) z(i)) 2 / x(i) 2 [%], i=0 i=0 where x is a plain data vector, and z = V T 2 y with y = V 1x, while V 1 and V 2 are two different encrypting transforms obtained for two different private keys K 1 and K 2. By a brute-force attack we mean here not the exhaustive search of the whole space of private keys (since even for N = 16 and k b = 4 we would have keys

9 D. Puchala 63 Figure 5. The probability distribution of drawing keys with the specified Hamming distances relative to any fixed key K for L K = 224. for the structures of type II and III) but the random guessing of the encrypting key. The experimental results obtained for all three types of structures are shown in Fig. 6 in the form of relative MSE errors which are averaged over 10 6 trials. It should be noted that the relative MSE have the possible range of its variation from 0% to 400%, where 0% means z = x and 400% means z = x. The obtained experimental results show that the most probable value of MSE for all types of structures is close to 200%. It means that the expected value of MSE during bruteforce attack equals 200%. In addition, in the total number of 10 6 trials we could record MSE values only in the range of 60% to 340%. The smallest variance of the probability distribution can be attributed to the structure of type III. In the case of the remaining two structures the obtained plots are almost identical. It can be concluded that structures of types I and II have equivalent properties in the sense of MSE generated during trials of guessing the private key, while the structure of type III guarantees statistically lower deviations from the mean value of reconstruction error. In the last part of the study we were interested in experimental determination

10 64 Comparison of Selected Fast Orthogonal Parametric Transforms... Figure 6. The probability distribution of relative MSE of signal reconstruction during random trials of guessing the private key K. of the plot of expected reconstruction MSE in the function of Hamming distance between private keys. The results obtained in this experiment are presented in Fig. 7 and in Fig. 8 for the structures of type I and types II and III respectively. In this study the encrypting private key was constant while the decrypting keys were randomly generated. The observed values of MSE of signal reconstruction in the function of the Hamming distance (the number of different bits) between private keys are depicted in the aforementioned Figures. Based on the resulting plots from Figs. 7 and 8 it can be concluded that the expected value of the MSE in the experimentally probable range of the Hamming distance is close to 200% for all types of the structures. By experimentally probable range we understand here such an interval of distances which are probable to be observed within 10 6 trials. For example it can be calculated on the basis of the cumulative distribution function of the Bernoulli distribution that for L K = 128 bits the probability of random generation of a key which is distant to a given key by less than 38 bits (or more than 90 bits) is less than An analysis of obtained results in the view of previous discussion allows to make a final remark for this

11 D. Puchala 65 Figure 7. The expected values of MSE in a function of the Hamming distance between private keys for the structure of type I. experiment that the difference between considered structures lies only in the sizes of private keys. 5. Conclusions In this paper, we present the results of experimental comparison of fast parametric orthogonal transforms (FPOTs) with three selected computational structures, i.e.: (I) generalization of Bene s network, (II) Walsh-Hadamard like structure and (III) lattice structure for two-channel orthogonal filter banks. The comparison is made from the viewpoint of application of mentioned FPOTs to the practical tasks of data encryption. The presented results concern the experimental determination of the (1) probability distribution of generating private keys that differ by the given number of bits, (2) probability distribution of signal reconstruction error during the simulation of brute force attack and (3) expected reconstruction error in the function of Hamming distance between private keys.

12 66 Comparison of Selected Fast Orthogonal Parametric Transforms... Figure 8. The expected values of MSE in a function of the Hamming distance between private keys for the structures of type II and III. In view of the obtained results collected in Figs. 4 to 8, and on the basis of their analysis we may draw the following final conclusions: all of the considered structures can be characterized by a very low probability of random guessing of the encryption key (brute-force attack). This probability is described by the Bernoulli distribution and depends on the length of the private key. By definition the structure of type I allows for the highest number of parameters (i.e. allow for longer private keys with the same number of bits per parameter than structures of type II and III) and hence can be characterized by the highest combinatorial complexity; the considered computational structures guarantee large expected values of signal reconstruction errors (relative MSE) in the case of different private keys used at the encryption and decryption stages. The structure of type III can be characterized by the lowest value of variance of MSE probability distribution; It can be concluded that all three considered computational structures offer good

13 D. Puchala 67 and comparable level of combinatorial complexity what translates into the security of encryption methods. Hence, we state that the considered computational structures can be attractive from a point of view of their practical application to the tasks of data encryption. References [1] Agaian S., Tourshan K., Noonan J. P., Parametric Slant-Hadamard Transforms With Applications, IEEE Signal Processing Letters, Vol. 9, No. 11, 2002, pp [2] Minasyan S., Astola J., Guevorkian D., On unified architectures for synthesizing and implementation of fast parametric transforms, 5th International Conference, Information Communication and Signal Processing, 2005, pp [3] Bouguezel S., Ahmad M. O., A New Class of Reciprocal-Orthogonal Parametric Transforms, IEEE Transactions On Circuits and Systems, Vol. 56, No. 4, 2009, pp [4] Yatsymirskyy M. M., Encryption on the base of FFT algorithm graph, Journal of East Ukrainian National University, No. 9, 2010, pp [5] Tang L., Methods for Encrypting and Decrypting MPEG Video Data Efficiently, 4th ACM International Multimedia Conference, 1996, pp [6] Bhargava B., Shi C., Wang Y., MPEG Video Encryption Algorithms, Multimedia Tools And Applications, Vol. 24, No. 1, 2004, pp [7] Puchala D., Yatsymirskyy M. M., Fast Neural Networks Learning Techniques For Signal Compression, Electrical Review, No. 1, 2010, pp [8] Puchala D., Approximating the KLT by Maximizing the Sum of Fourth-Order Moments, IEEE Signal Processing Letters, Vol. 20, No. 3, 2013, pp [9] Puchala D., Szczepaniak B., Yatsymirskyy M.M., Lattice structure for parallel calculation of orthogonal wavelet transform on GPUs with CUDA architecture, Electrical Review, No. 7, 2015, pp

14 68 Comparison of Selected Fast Orthogonal Parametric Transforms... [10] Bene s E.V., Mathematical Theory of Connecting Networks and Telephone Traffic, Academic Press, [11] Jacymirski M., Szczepaniak P.S., Neural realization of fast linear filters, Mislav Grgić, editor, 4th EURASIP-IEEE Region 8 International Symposium on Video/Image Processing and Multimedia Comm., 2002, pp [12] Ahmed N., Rao K.R., Orthogonal Transforms For Digital Signal Processing, Springer-Verlag, New York, [13] Puchala D., Stokfiszewski K., Parametrized Orthogonal Transforms For Data Encryption, Computational Problems of Electrical Engineering, No. 2, 2012.