Proceedings of the 2004 IEEE Workshop on Information Assurance
United States Military Academy, West Point, NY 10-11 June

Public Key Cryptography with Matrices

Mukesh Kumar Singh, Texas Instruments Inc.

Abstract- We discuss how Public Key cryptography can be achieved using simple multiplication of matrices over a given commutative Ring. We propose a trapdoor function, which is one of the fastest in the cryptographic literature known to the author. Using this trapdoor function we describe algorithms for Key Agreement and Public Key Encryption whose security is based on solving a system of multivariate quadratic equations over the given Commutative Ring. This is the first public key cryptosystem with constant complexity (fixed number of multiplications) irrespective of the key size taken, for the case of the commutative ring of integers modulo a composite.

Index terms - Cryptography, Matrices, Public Key, Encryption, Decryption, Signature, Key agreement, Commutative Ring and Circulant matrix

I. INTRODUCTION

Many cryptographic algorithms have been proposed based on the difficulty of solving a system of multivariate polynomial equations, including HFE [1]. We propose a novel method for public key encryption and key agreement, which is one of the fastest in the cryptographic literature and might be comparable with symmetric key cryptography in terms of processor time utilization. We discuss a trapdoor function on which we base our Key Agreement and Public Key Encryption algorithms. The security of the proposed system is based on the difficulty of solving a system of multivariate quadratic equations over a specified Commutative Ring [2]. The trapdoor function F takes two Circulant matrices [3] of any dimension, denoted by A and B, and a base matrix of conformable dimension, denoted by G, as arguments and calculates F(A, B) = A.G.B (throughout this paper the dot denotes the Ring multiplication of matrices). We discuss this trapdoor function in great detail in Section (2), which examines how difficult it actually is to obtain A and B from A.G.B and G over a Commutative Ring.

The remaining sections of this paper are organized as follows. Section (2) discusses the mathematics of the trapdoor function and the definition of a few terms. Section (3) discusses the actual key agreement algorithm using this trapdoor function. Section (4) discusses the public key encryption/decryption algorithm using this trapdoor function. Section (5) discusses the security aspect of the trapdoor function over various commutative Rings. Section (6) gives a small example of key agreement and public key encryption with each of the discussed commutative Rings. And, lastly, Section (7) concludes this paper.

II. THE MATHEMATICS BEHIND THE TRAPDOOR FUNCTION

This section defines a few terms and discusses a few lemmas required to formulate the trapdoor function. Following are definitions of some of the terms which will be used throughout this paper.

A. Circulant Matrix

An N X N matrix whose rows are composed of cyclically shifted versions of a length-N list L is called a Circulant Matrix. For example, the 3 X 3 Circulant matrix on the list L = {a, b, c} is given by

$$
\begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix}
$$

and is denoted by circ(a, b, c). The commutative property of ring multiplication for circulant matrices is used to formulate the Trapdoor function.

B. Prime Circulant Matrix

An N X N Circulant Matrix over a commutative Ring R (R will be used for a commutative ring throughout this paper), whose rows are composed of cyclically shifted versions of a length-N list L, is called a Prime Circulant Matrix if gcd(L) = 1 (the unity of the ring) when 1 ∈ R, or if gcd(L) does not belong to R. If gcd is undefined for a particular ring then L should consist of unique ring elements without repetitions. For example, the 3 X 3 Circulant matrix over the commutative Ring of Integers on the list L = {a, b, c} is a Prime Circulant Matrix if gcd(a, b, c) = 1.
C. Doubly Circulant Coefficient Matrix Gc

The coefficient matrix corresponding to a matrix G, denoted by Gc, is a doubly Circulant matrix formed as follows. If

$$
G = \begin{bmatrix} R_1 \\ R_2 \\ \vdots \\ R_n \end{bmatrix}
$$

where the R_i's are the row vectors of G, then

Gc = circ(M_R1, M_R2, M_R3 ... M_Rn).

Here circ(M_R1, M_R2, M_R3 ... M_Rn) means that Gc is a Circulant matrix with respect to (M_R1, M_R2, M_R3 ... M_Rn) as a list, where each M_Ri is the Circulant matrix whose rows are composed of cyclically shifted versions of R_i. For example, if

$$
G = \begin{bmatrix} g_1 & g_2 & g_3 \\ g_4 & g_5 & g_6 \\ g_7 & g_8 & g_9 \end{bmatrix}
$$

then R_1 = [g_1 g_2 g_3], R_2 = [g_4 g_5 g_6], R_3 = [g_7 g_8 g_9] and

$$
M_{R_1} = \begin{bmatrix} g_1 & g_2 & g_3 \\ g_3 & g_1 & g_2 \\ g_2 & g_3 & g_1 \end{bmatrix}, \quad
M_{R_2} = \begin{bmatrix} g_4 & g_5 & g_6 \\ g_6 & g_4 & g_5 \\ g_5 & g_6 & g_4 \end{bmatrix}, \quad
M_{R_3} = \begin{bmatrix} g_7 & g_8 & g_9 \\ g_9 & g_7 & g_8 \\ g_8 & g_9 & g_7 \end{bmatrix},
$$

so that

$$
G_c = circ(M_{R_1}, M_{R_2}, M_{R_3}) = \begin{bmatrix} M_{R_1} & M_{R_2} & M_{R_3} \\ M_{R_3} & M_{R_1} & M_{R_2} \\ M_{R_2} & M_{R_3} & M_{R_1} \end{bmatrix}.
$$

Lemma 1: Let A and B be N X N Circulant matrices. Then C = AB is Circulant.

Proof: Write A = (a_ij), B = (b_ij) and C = (c_ij), with all indices taken modulo N. Then

$$
c_{(i+1)(j+1)} = \sum_{k=0}^{N-1} a_{(i+1)k}\, b_{k(j+1)} = \sum_{k=0}^{N-1} a_{(i+1)(k+1)}\, b_{(k+1)(j+1)}.
$$

Since $a_{(i+1)(k+1)} = a_{ik}$ and $b_{(k+1)(j+1)} = b_{kj}$ (both matrices being Circulant),

$$
c_{(i+1)(j+1)} = \sum_{k=0}^{N-1} a_{ik}\, b_{kj} = c_{ij}.
$$

So C is Circulant.

Lemma 2: Circulant matrices commute under multiplication. Let A and B be N X N Circulant matrices. Then AB = BA.

Proof: We know from Lemma 1 that C = AB is circulant, so we will denote C = circ(c_0, c_1, ..., c_{N-1}). Then, for j = 0 ... (N-1),

$$
c_j = (AB)_{0j} = \sum_{k=0}^{N-1} (A)_{0k}\,(B)_{kj}
$$

0-7803-8572-1/04/$20.00 ©2004 IEEE
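The following Python is an added example, not code from the paper: it builds circulant matrices in the paper's circ(a, b, c) layout over Z_p (p = 101 is an assumed, arbitrary small prime) and checks Lemma 1 and Lemma 2 numerically, alongside a constructed non-circulant matrix that does not commute.

```python
# Added example (not from the paper): circulant matrices over Z_p and Lemmas 1 and 2.
# p = 101 is an assumed small prime chosen only for illustration.
P = 101

def circ(lst, p=P):
    """N x N circulant matrix whose row i is the list cyclically shifted right by i,
    i.e. the paper's circ(a, b, c) = [[a, b, c], [c, a, b], [b, c, a]]."""
    n = len(lst)
    return [[lst[(j - i) % n] % p for j in range(n)] for i in range(n)]

def matmul(X, Y, p=P):
    """Ring multiplication of matrices, entries reduced modulo p."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def is_circulant(C):
    """Lemma 1 property: c[(i+1)][(j+1)] == c[i][j] with indices modulo N."""
    n = len(C)
    return all(C[(i + 1) % n][(j + 1) % n] == C[i][j]
               for i in range(n) for j in range(n))

def lemma_checks(a_list, b_list, p=P):
    """Return (AB is circulant, AB == BA) for A = circ(a_list), B = circ(b_list)."""
    A, B = circ(a_list, p), circ(b_list, p)
    AB, BA = matmul(A, B, p), matmul(B, A, p)
    return is_circulant(AB), AB == BA

def noncommuting_example(p=P):
    """A circulant and a non-circulant matrix need not commute; this is why the
    trapdoor restricts A and B (but not G) to circulant matrices."""
    A = circ([1, 2, 3], p)
    G = [[1, 0, 0], [0, 2, 0], [0, 0, 3]]   # constructed non-circulant matrix
    return matmul(A, G, p) == matmul(G, A, p)

if __name__ == "__main__":
    print(lemma_checks([3, 7, 11], [5, 0, 99]))   # (True, True)
    print(noncommuting_example())                 # False
```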
... solution of the system P = A.G.B. Let us denote the circulant matrices A, A' and B, B' as follows: A = (a1, a2, a3 ... aN), B = (b1, b2, b3 ... bM), ...

III. KEY AGREEMENT ALGORITHM

Both parties use a publicly known base matrix G. The first party takes two private Circulant matrices A1 and A2, the second party takes two private Circulant matrices B1 and B2, and each side publishes its value of the trapdoor function: P1 = A1.G.A2 and P2 = B1.G.B2 (as the expansions below show).

First party: sends {P1}, gets {P2}, calculates S = A1.P2.A2.
Second party: sends {P2}, gets {P1}, calculates S = B1.P1.B2.

Since the first party knows A1 and A2, he will calculate A1.P2.A2 = A1.B1.G.B2.A2 = A1.B1.G.A2.B2, which, by the commutativity of Circulant matrices (Lemma 2), is the same matrix as B1.P1.B2 = B1.A1.G.A2.B2 obtained by the second party. The calculated value of S on both sides is the shared secret.
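The key agreement of this section, worked as an added Python example (not the paper's code): the prime p = 1009 and the 3 X 3 matrices are constructed values, and the parties are simply called first and second as above.

```python
# Added example (not from the paper): the key agreement of Section III over Z_p.
# p = 1009 and all private lists are constructed values chosen for illustration.
import random

P = 1009

def circ(lst, p=P):
    """Circulant matrix in the paper's circ(a, b, c) layout, entries modulo p."""
    n = len(lst)
    return [[lst[(j - i) % n] % p for j in range(n)] for i in range(n)]

def matmul(X, Y, p=P):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def trapdoor(A, G, B, p=P):
    """F(A, B) = A.G.B, the paper's trapdoor function."""
    return matmul(matmul(A, G, p), B, p)

def key_agreement(G, a1, a2, b1, b2, p=P):
    """Run the exchange with private circulant lists (a1, a2) and (b1, b2).
    Returns (public P1, public P2, S of the first party, S of the second party)."""
    A1, A2 = circ(a1, p), circ(a2, p)    # first party's private key
    B1, B2 = circ(b1, p), circ(b2, p)    # second party's private key
    P1 = trapdoor(A1, G, A2, p)          # sent by the first party
    P2 = trapdoor(B1, G, B2, p)          # sent by the second party
    S_first = trapdoor(A1, P2, A2, p)    # A1.P2.A2 = A1.B1.G.B2.A2
    S_second = trapdoor(B1, P1, B2, p)   # B1.P1.B2 = B1.A1.G.A2.B2
    return P1, P2, S_first, S_second

def demo(seed=7, p=P):
    """Random 3 x 3 instance; both S values agree because A1, B1 and A2, B2 commute."""
    rng = random.Random(seed)
    rnd = lambda: [rng.randrange(1, p) for _ in range(3)]
    G = [rnd() for _ in range(3)]         # public base matrix (need not be circulant)
    P1, P2, S1, S2 = key_agreement(G, rnd(), rnd(), rnd(), rnd(), p)
    return S1 == S2

if __name__ == "__main__":
    print(demo())   # True
```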
IV. ENCRYPTION/DECRYPTION ALGORITHM

The actual public key encryption is similar to the El-Gamal public key encryption scheme [5].

A. KEY GENERATION

Take one publicly known base matrix denoted by G. And, take two private Circulant matrices A and B and calculate P = A.G.B, which is made public.

Private Key: (A, B)
Public Key: (P, G)

B. ENCRYPTION ALGORITHM

Let the data matrix to be encrypted be S. Generate two random Circulant matrices X and Y and calculate

C1 = X.G.Y and C2 = {(X.P.Y) ⊕_M S}.

The vector {C1, C2} forms the encrypted data. Here ⊕_M denotes the direct XOR product of matrices, defined as follows. Suppose A and B are two matrices of the same dimension; then A ⊕_M B = C, where C_ij = A_ij ⊕ B_ij, and ⊕ denotes the "bitwise exclusive or" operator.

C. DECRYPTION ALGORITHM

Decryption relies on the commutativity of matrix multiplication for circulant matrices over a commutative ring. In particular, with the private key (A, B), the public key P and G, plus the received encrypted message matrices C1 and C2, recover S as follows:

A.C1.B ⊕_M C2
= A.X.G.Y.B ⊕_M X.P.Y ⊕_M S
= A.X.G.Y.B ⊕_M X.A.G.B.Y ⊕_M S
= A.X.G.Y.B ⊕_M A.X.G.Y.B ⊕_M S
= 0 ⊕_M S (0 denotes the Zero Matrix)
= S

Here the commutative property of the matrix multiplications A.X and Y.B is used.
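Key generation, encryption and decryption of this section as an added Python example (not the paper's code): p = 1009, the base matrix and the data matrix S of byte values are constructed, and the XOR is taken on the integer representatives of the Z_p entries.

```python
# Added example (not from the paper): key generation, encryption and decryption of
# Section IV over Z_p. p = 1009 and all matrices are constructed for illustration.
import random

P = 1009

def circ(lst, p=P):
    """Circulant matrix in the paper's circ(a, b, c) layout, entries modulo p."""
    n = len(lst)
    return [[lst[(j - i) % n] % p for j in range(n)] for i in range(n)]

def matmul(X, Y, p=P):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def xor_m(X, Y):
    """Direct XOR product: C_ij = X_ij xor Y_ij on the integer representatives."""
    return [[x ^ y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def keygen(G, a, b, p=P):
    """Private key (A, B) from circulant lists a, b; public key (P, G) with P = A.G.B."""
    A, B = circ(a, p), circ(b, p)
    return (A, B), (matmul(matmul(A, G, p), B, p), G)

def encrypt(pub, S, x, y, p=P):
    """C1 = X.G.Y and C2 = (X.P.Y) xor S for random circulant lists x, y."""
    Pm, G = pub
    X, Y = circ(x, p), circ(y, p)
    C1 = matmul(matmul(X, G, p), Y, p)
    C2 = xor_m(matmul(matmul(X, Pm, p), Y, p), S)
    return C1, C2

def decrypt(priv, C1, C2, p=P):
    """S = A.C1.B xor C2, since A.X.G.Y.B = X.A.G.B.Y = X.P.Y by commutativity."""
    A, B = priv
    return xor_m(matmul(matmul(A, C1, p), B, p), C2)

def roundtrip(seed=3, p=P):
    """Encrypt a constructed 3 x 3 data matrix of bytes and check it decrypts."""
    rng = random.Random(seed)
    rnd = lambda: [rng.randrange(1, p) for _ in range(3)]
    G = [rnd() for _ in range(3)]
    priv, pub = keygen(G, rnd(), rnd(), p)
    S = [[rng.randrange(256) for _ in range(3)] for _ in range(3)]
    C1, C2 = encrypt(pub, S, rnd(), rnd(), p)
    return decrypt(priv, C1, C2, p) == S

if __name__ == "__main__":
    print(roundtrip())   # True
```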
V. SECURITY OF THE TRAPDOOR FUNCTION

In this section we discuss the security of the trapdoor for different cases of the commutative rings.

A. When the commutative Ring taken R is the commutative Ring of Integers modulo a large prime p (GF_p)

The security of many of the recently proposed cryptosystems is based on the difficulty of solving a system of multivariate polynomial equations. This problem is NP-hard over any field. There are quite a few algorithms for solving a system of multivariate polynomial equations modulo a large prime, including the Gröbner bases technique [6] and the homotopy method [7]. All these algorithms have very large exponential complexity in the number of variables. Thus, we select an N X M base matrix G whose rows are elements of this Ring in such a way that the rank of the coefficient matrix Gc is N*M - min(N, M) + 1. By taking such a G, any attack based on Gauss reduction of the coefficient matrix would not work.

Let us analyze this problem with a 3 X 3 matrix. Suppose A and B are two 3 X 3 Circulant matrices over this Ring represented by A = (a, b, c) and B = (d, e, f), and G is such that Gc is of rank = 3*3 - min(3, 3) + 1 = 9 - 3 + 1 = 7. Let us take F(A, B) = A.G.B - P = 0, where 0 is a 3 X 3 Null matrix. Then P = A.G.B =>

$$
\begin{bmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{bmatrix}
= \begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix}
\begin{bmatrix} g_{11} & g_{12} & g_{13} \\ g_{21} & g_{22} & g_{23} \\ g_{31} & g_{32} & g_{33} \end{bmatrix}
\begin{bmatrix} d & e & f \\ f & d & e \\ e & f & d \end{bmatrix}
$$

Here p_ij and g_ij represent the element at the i-th row and j-th column of the matrices P and G respectively. Let us rewrite the above matrix equation in the following form. Let us take

$$
F(A, B) = \begin{bmatrix} f_1 & f_2 & f_3 \\ f_4 & f_5 & f_6 \\ f_7 & f_8 & f_9 \end{bmatrix}
$$

Here each f_i is a function of a, b, c, d, e and f, where

f1(a, b, c, d, e, f) = {(a*g11 + b*g21 + c*g31)*d + (a*g12 + b*g22 + c*g32)*f + (a*g13 + b*g23 + c*g33)*e - p11} = 0
f2(a, b, c, d, e, f) = {(a*g11 + b*g21 + c*g31)*e + (a*g12 + b*g22 + c*g32)*d + (a*g13 + b*g23 + c*g33)*f - p12} = 0
f3(a, b, c, d, e, f) = {(a*g11 + b*g21 + c*g31)*f + (a*g12 + b*g22 + c*g32)*e + (a*g13 + b*g23 + c*g33)*d - p13} = 0
f4(a, b, c, d, e, f) = {(c*g11 + a*g21 + b*g31)*d + (c*g12 + a*g22 + b*g32)*f + (c*g13 + a*g23 + b*g33)*e - p21} = 0
f5(a, b, c, d, e, f) = {(c*g11 + a*g21 + b*g31)*e + (c*g12 + a*g22 + b*g32)*d + (c*g13 + a*g23 + b*g33)*f - p22} = 0
f6(a, b, c, d, e, f) = {(c*g11 + a*g21 + b*g31)*f + (c*g12 + a*g22 + b*g32)*e + (c*g13 + a*g23 + b*g33)*d - p23} = 0
f7(a, b, c, d, e, f) = {(b*g11 + c*g21 + a*g31)*d + (b*g12 + c*g22 + a*g32)*f + (b*g13 + c*g23 + a*g33)*e - p31} = 0
f8(a, b, c, d, e, f) = {(b*g11 + c*g21 + a*g31)*e + (b*g12 + c*g22 + a*g32)*d + (b*g13 + c*g23 + a*g33)*f - p32} = 0
f9(a, b, c, d, e, f) = {(b*g11 + c*g21 + a*g31)*f + (b*g12 + c*g22 + a*g32)*e + (b*g13 + c*g23 + a*g33)*d - p33} = 0

The symbols "*" and "+" denote the Ring multiplication and addition operators respectively. The symbol "-" denotes the additive inverse. Here each of the above f_i(a, b, c, d, e, f) has (p-1)^5 solutions, out of which (p-1) will satisfy F(A, B) = 0. As proved earlier, one variable can be assigned any arbitrary value. Let us treat a in all the f_i's as a constant; then each of the above f_i will have (p-1)^4 solutions, out of which one will satisfy F(A, B) = 0. So, any cryptanalyst can't resort to exhaustive search. Now let us try to simplify the above system of equations. We can reduce the above system of equations to another system of equations in three variables only by applying Cramer's rule. Since the above system is linear in d, e and f, we solve for d, e and f from the three sets of equations {f1, f2, f3}, {f4, f5, f6} and {f7, f8, f9}, taken one set at a time. We get three values for each of d, e and f since there are nine equations; we equate them and solve them by assigning a any arbitrary value. To solve this reduced system we require solving the non-linear equations in the two variables b and c of degree three, which will have only one solution as proved above. We took G such that Gc is of rank 7, thus solving by Gauss-Reduction would require that 9 - 7 = 2 variables be taken arbitrary. But as we got above, the system reduces to only the two variables b and c. Thus using Gauss-Reduction does not give any advantage. We discuss below how Gauss-Reduction could be applied on the above system of f_i's. After rearranging the above system of equations we get

$$
\begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \\ f_5 \\ f_6 \\ f_7 \\ f_8 \\ f_9 \end{bmatrix}
=
\begin{bmatrix}
g_{11} & g_{12} & g_{13} & g_{21} & g_{22} & g_{23} & g_{31} & g_{32} & g_{33} \\
g_{12} & g_{13} & g_{11} & g_{22} & g_{23} & g_{21} & g_{32} & g_{33} & g_{31} \\
g_{13} & g_{11} & g_{12} & g_{23} & g_{21} & g_{22} & g_{33} & g_{31} & g_{32} \\
g_{21} & g_{22} & g_{23} & g_{31} & g_{32} & g_{33} & g_{11} & g_{12} & g_{13} \\
g_{22} & g_{23} & g_{21} & g_{32} & g_{33} & g_{31} & g_{12} & g_{13} & g_{11} \\
g_{23} & g_{21} & g_{22} & g_{33} & g_{31} & g_{32} & g_{13} & g_{11} & g_{12} \\
g_{31} & g_{32} & g_{33} & g_{11} & g_{12} & g_{13} & g_{21} & g_{22} & g_{23} \\
g_{32} & g_{33} & g_{31} & g_{12} & g_{13} & g_{11} & g_{22} & g_{23} & g_{21} \\
g_{33} & g_{31} & g_{32} & g_{13} & g_{11} & g_{12} & g_{23} & g_{21} & g_{22}
\end{bmatrix}
\begin{bmatrix} a*d \\ a*f \\ a*e \\ b*d \\ b*f \\ b*e \\ c*d \\ c*f \\ c*e \end{bmatrix}
-
\begin{bmatrix} p_{11} \\ p_{12} \\ p_{13} \\ p_{21} \\ p_{22} \\ p_{23} \\ p_{31} \\ p_{32} \\ p_{33} \end{bmatrix}
= 0
$$
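An added Python example (not the paper's code) serving both the definition of Gc in Section II.C and the rearranged system above: it builds Gc from any N X M base matrix, verifies that Gc applied to the monomial vector (a*d, a*f, a*e, ..., c*e) reproduces the entries of P = A.G.B (the claim that the coefficient matrix is Gc, up to the order of the equations), and computes the rank of Gc over GF(p) by Gaussian elimination, the check needed to confirm the rank N*M - min(N, M) + 1 condition. p = 101 and G_SAMPLE are constructed values.

```python
# Added example (not from the paper): Gc of Section II.C, the rearranged system of
# Section V.A, and rank(Gc) over GF(p). p = 101 and G_SAMPLE are constructed values.
P = 101

def circ(lst, p=P):
    n = len(lst)
    return [[lst[(j - i) % n] % p for j in range(n)] for i in range(n)]

def matmul(X, Y, p=P):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def gc(G, p=P):
    """Gc = circ(M_R1, ..., M_RN) as an (N*M) x (N*M) matrix; block (i, j) is the
    circulant block of row (j - i) mod N of G, matching the paper's block layout."""
    n, m = len(G), len(G[0])
    blocks = [circ(row, p) for row in G]
    return [[blocks[(bj - bi) % n][r][c] for bj in range(n) for c in range(m)]
            for bi in range(n) for r in range(m)]

def rank_mod_p(Mx, p=P):
    """Rank over GF(p) by Gauss-Jordan elimination (the reduction the paper defeats)."""
    M = [row[:] for row in Mx]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)
        M[rank] = [(v * inv) % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                M[r] = [(x - M[r][c] * y) % p for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank

def system_check(G, a, b, c, d, e, f, p=P):
    """Gc times (a*d, a*f, a*e, b*d, b*f, b*e, c*d, c*f, c*e) equals the entries of
    P = A.G.B in the row order p11, p13, p12, p31, p33, p32, p21, p23, p22."""
    Pm = matmul(matmul(circ([a, b, c], p), G, p), circ([d, e, f], p), p)
    v = [(x * y) % p for x in (a, b, c) for y in (d, f, e)]
    lhs = [sum(g * vi for g, vi in zip(row, v)) % p for row in gc(G, p)]
    order = [(0, 0), (0, 2), (0, 1), (2, 0), (2, 2), (2, 1), (1, 0), (1, 2), (1, 1)]
    return lhs == [Pm[i][j] for i, j in order]

G_SAMPLE = [[3, 14, 15], [92, 65, 35], [89, 79, 32]]   # constructed 3 x 3 base matrix

if __name__ == "__main__":
    print(system_check(G_SAMPLE, 2, 3, 5, 7, 11, 13), rank_mod_p(gc(G_SAMPLE)))
```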
Thus (a*d), (a*f), (a*e), (b*d), (b*f) etc. can be solved uniquely by Gauss-Reduction if the coefficient matrix is non-singular. But by taking G such that Gc (which is nothing but the coefficient matrix we got after re-arranging above, up to the order of its rows) is singular with rank N*M - min(N, M) + 1, we ensure that Gauss-Reduction does not work. Hence, for an N X N matrix the quadratic system will reduce to a system of equations in N-1 variables of degree N. But for large N, finding the base matrix G such that the matrix Gc is of rank N*M - min(N, M) + 1 is not easy. This is still an open problem in this paper. But if our prime number is of the order of 64 bits then taking G such that the matrix Gc is of rank N*M - 2 is not a tough task, since we then need to solve a system of equations in two variables only, which can be solved by any of the known methods. In this case we get a security of the order of 2^128 trials (since two variables are arbitrary) against solution by Gauss-Reduction, so we really need not satisfy the rank N*M - min(N, M) + 1 criterion. But, for a smaller prime number we need to approach the rank N*M - min(N, M) + 1 criterion. We do encourage the reader of this paper to think in this direction. This problem can be tackled on similar lines as the Inverse Eigenvalue Problem [10]. Once this problem is solved we can specify the dimension of the matrix required to address present-day security requirements.

It should be noted that the direct attack by the method of relinearization [8] and eXtended Linearization [9] is not valid for this system.

B. When the commutative Ring taken R is the commutative Ring of Integers modulo a large composite n (Z_n)

The security of many of the cryptosystems including RSA [11] is based on the difficulty of factoring a composite integer into its component primes. This problem has been assumed hard in the cryptographic literature for quite a long time. We select an N X M base matrix G whose rows are elements of this Ring in such a way that the coefficient matrix Gc is singular, i.e. Det Gc = 0. Thus any attack based on Gaussian reduction of the coefficient matrix would not work, since the size of n is so large that no one would try it by taking one variable arbitrary. Except for the case of the 2 X 2 matrix, every higher dimension matrix from 3 X 2 onwards is secure. For the case of 2 X 2, Pollard's heuristic [12] can solve the underlying quadratic equations.

For example take the case of a 3 X 2 matrix. Take two large prime numbers p and q and calculate n = p.q. Take

$$
G = \begin{bmatrix} g_1 & g_2 \\ g_3 & g_4 \\ g_5 & g_6 \end{bmatrix}, \quad \text{where each } g_i \in Z_n,
$$

such that

$$
\mathrm{Det}\, G_c = \mathrm{Det} \begin{bmatrix}
g_1 & g_2 & g_3 & g_4 & g_5 & g_6 \\
g_2 & g_1 & g_4 & g_3 & g_6 & g_5 \\
g_5 & g_6 & g_1 & g_2 & g_3 & g_4 \\
g_6 & g_5 & g_2 & g_1 & g_4 & g_3 \\
g_3 & g_4 & g_5 & g_6 & g_1 & g_2 \\
g_4 & g_3 & g_6 & g_5 & g_2 & g_1
\end{bmatrix} \bmod n = 0
$$

and Det

... only 1 and -1 are the two invertible elements, so we need not take G such that det Gc = 0 if the integers are large. To solve the system by Gauss-reduction one needs to try all the factors.
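For the 3 X 2 case over Z_n in Section V.B above, an added Python example (not the paper's code): it writes down the 6 X 6 matrix Gc exactly as in the determinant above, evaluates Det Gc mod n without any division, and shows one constructed way to obtain Det Gc = 0 mod n, namely choosing g6 so that g1 + g3 + g5 = g2 + g4 + g6 (mod n). n = 61 * 67 and the g_i are small constructed values.

```python
# Added example (not from the paper): the 3 X 2 case of Section V.B over Z_n, n = p.q.
# The primes and the entries g1..g6 are small constructed values chosen for illustration.

def det_mod(M, n):
    """Determinant modulo n by Laplace expansion along the first row; no division is
    used, so it is valid over Z_n even though Z_n is not a field for composite n."""
    if len(M) == 1:
        return M[0][0] % n
    total = 0
    for j, v in enumerate(M[0]):
        if v % n == 0:
            continue
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * v * det_mod(minor, n)
    return total % n

def gc_3x2(g1, g2, g3, g4, g5, g6):
    """Gc for G = [[g1, g2], [g3, g4], [g5, g6]], exactly as written in the paper."""
    return [[g1, g2, g3, g4, g5, g6],
            [g2, g1, g4, g3, g6, g5],
            [g5, g6, g1, g2, g3, g4],
            [g6, g5, g2, g1, g4, g3],
            [g3, g4, g5, g6, g1, g2],
            [g4, g3, g6, g5, g2, g1]]

def det_gc_mod_n(g, n):
    """Det Gc mod n for the entry list g = [g1, ..., g6]."""
    return det_mod(gc_3x2(*g), n)

def singular_choice(g1, g2, g3, g4, g5, n):
    """One constructed way to meet Det Gc = 0 mod n: pick g6 with
    g1 + g3 + g5 = g2 + g4 + g6 (mod n). Then every row of Gc, dotted with the
    vector (1, -1, 1, -1, 1, -1), is 0 mod n, so Gc is singular modulo n."""
    return [g1, g2, g3, g4, g5, (g1 + g3 + g5 - g2 - g4) % n]

N = 61 * 67   # n = p.q with constructed small primes p = 61, q = 67

if __name__ == "__main__":
    print(det_gc_mod_n(singular_choice(12, 34, 56, 78, 90, N), N))   # 0
```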
If we replace multiplication by BOOLEAN AND operator denoted by & and addition by XOR denoted by