Public Key Cryptosystems Based on Boolean Permutations and Their Applications Chuan-Kun Wu

Vijay Varadharajan

School of Computing & Information Technology, University of Western Sydney (Nepean), PO Box 10, Kingswood, NSW 2747, Australia.

fc.wu,

[email protected]

Abstract.

In this paper we propose the use of Boolean permutations to design public key cryptosystems. The security of the cryptosystems is based on the difficulty of inverting Boolean permutations. Using two Boolean permutations for which the inverses are easy to find, one can construct a composite Boolean permutation which is hard to invert. The paper proposes three such Boolean permutation based public key systems. The paper also considers applications of a Boolean permutation based public key system to digital signatures and shared signatures.

Key words: Public Key Cryptography; Boolean Permutation; Digital Signatures

1 Introduction

Since the original proposal of the public key concept by Diffie and Hellman [8] and the development of the RSA public key cryptosystem [21], there have been numerous papers on the design, analysis and applications of public key based cryptosystems. Any invertible function without information expansion (one whose output is as long as its input) is a permutation, and the RSA cryptosystem is just one particular way to express large permutations; other efficient expressions of permutations are also possible. It is well known that any permutation can be expressed in terms of a collection of Boolean functions, known as a Boolean permutation, and certain permutations of very large order can also be easily represented as Boolean permutations. In addition, implementation of Boolean functions is easy and fast, particularly in hardware. Note that to date there have been no direct applications of Boolean permutations to asymmetric cryptography. Boolean permutations have been studied in the context of S-box design in algorithms such as DES [1], though their practical use there has been limited, as S-boxes can be implemented more efficiently using look-up tables instead of Boolean permutations. We believe that Boolean permutations could provide a useful approach for designing public key cryptosystems. This paper proposes such an approach, and it is anticipated that more cryptographic applications of Boolean permutations will be developed.

This paper is organised as follows. Section 2 gives a brief overview of the relevant properties of Boolean permutations and the design of applicable Boolean permutations; this section provides the necessary background required in later sections. Section 3 describes the design of public key cryptosystems based on Boolean permutations. Section 4 considers some of the applications of Boolean permutation based public key cryptosystems.

2 Boolean permutations

2.1 Preliminaries

Let $F_2 = \{0, 1\}$ be the binary field. A Boolean function of $n$ variables is a mapping from the $n$-dimensional vector space $F_2^n$ over $F_2$ to $F_2$; it can be treated as a machine with an $n$-bit input and a one-bit output. If a Boolean function can be written as
$$f(x) = c_0 \oplus c_1 x_1 \oplus c_2 x_2 \oplus \cdots \oplus c_n x_n,$$
where $c_i \in F_2$, $\oplus$ is addition modulo 2, and $x = (x_1, x_2, \ldots, x_n)$ is a shorthand for all the variables, then $f(x)$ is called an affine function. In particular, when $c_0 = 0$, $f(x)$ is also called linear. A Boolean function can be expressed in polynomial form (algebraic normal form) or in the form of a truth table. The Hamming weight of a Boolean function $f$, denoted by $W_H(f)$, is the number of ones in its truth table; this is analogous to the Hamming weight of a vector, which is the number of ones in it. A Boolean function is said to be balanced if its truth table contains equal numbers of zeros and ones. The degree of a Boolean function is the maximum number of variables appearing in a product term of its polynomial expression. The function is said to be nonlinear if its degree is at least 2. We will use $F_n$ to denote the set of all Boolean functions of $n$ variables and $L_n$ to represent the subset of affine ones.

A mapping from $F_2^n$ to $F_2^m$ is called an $(n, m)$-Boolean function. An $(n, m)$-Boolean function can always be expressed as a collection of $m$ functions in $F_n$. A particular class of such multiple-output Boolean functions occurs when $m = n$ and different inputs yield different outputs. By treating each input/output as the binary expression of an integer within the range $S = \{0, 1, \ldots, 2^n - 1\}$, these functions perform permutations on $S$ and are called Boolean permutations. We call a permutation on $S$ in Boolean function expression a Boolean permutation of order $n$.
Since any Boolean permutation can be expressed as a collection of Boolean functions of $n$ variables, we write it as
$$P = [f_1(x), f_2(x), \ldots, f_n(x)]. \tag{1}$$
If every component function $f_i \in L_n$, then we refer to the permutation $P$ as a linear Boolean permutation.

2.2 Properties of Boolean Permutations

It can be seen that not every collection of Boolean functions results in a Boolean permutation. The following lemma expresses the condition under which a collection of Boolean functions is a Boolean permutation. The proof of this lemma can be found in either [1] or [24].

Lemma 1 Let $f_i(x) \in F_n$, $i = 1, 2, \ldots, n$. Then $[f_1(x), f_2(x), \ldots, f_n(x)]$ forms a Boolean permutation if and only if every nonzero linear combination (XOR) of $f_1(x), f_2(x), \ldots, f_n(x)$ is a balanced Boolean function.

Here are some useful properties of Boolean permutations. They can be used to construct new Boolean permutations from old ones.

Lemma 2 Let $P = [f_1, f_2, \ldots, f_n]$ be a Boolean permutation and $\pi$ a permutation on the index set $\{1, 2, \ldots, n\}$. Then
$$\pi(P) = [f_{\pi(1)}, f_{\pi(2)}, \ldots, f_{\pi(n)}] \tag{2}$$
is also a Boolean permutation.

Lemma 2 states that permuting the indices of the components of a Boolean permutation yields another Boolean permutation. A generalization of this result leads to the following lemma.


Lemma 3 Let $P = [f_1, f_2, \ldots, f_n]$ be a Boolean permutation, $D = (d_{ij})$ an $n \times n$ binary matrix, and $C = (c_1, c_2, \ldots, c_n) \in F_2^n$. Then
$$PD \oplus C = \Big[\bigoplus_{i=1}^{n} d_{i1} f_i \oplus c_1,\ \bigoplus_{i=1}^{n} d_{i2} f_i \oplus c_2,\ \ldots,\ \bigoplus_{i=1}^{n} d_{in} f_i \oplus c_n\Big] \tag{3}$$
is a Boolean permutation if and only if $D$ is nonsingular.

Proof: It is easy to verify that $P = [f_1, f_2, \ldots, f_n]$ is a Boolean permutation if and only if, for any vector $\alpha = (a_1, a_2, \ldots, a_n)$, $P \oplus \alpha = [f_1 \oplus a_1, f_2 \oplus a_2, \ldots, f_n \oplus a_n]$ is also a Boolean permutation. So we only need to prove the case $C = 0$.

Necessity: Suppose $D$ is a singular matrix. Then there must exist a nonzero vector $B = (b_1, b_2, \ldots, b_n)$ such that $DB^T = 0$. That is, we have
$$[f_1, f_2, \ldots, f_n]\, D B^T = \sum_{j=1}^{n} b_j \sum_{i=1}^{n} d_{ij} f_i = 0.$$
This indicates that the linear combination of the components of $[f_1, f_2, \ldots, f_n]D$ with coefficients $B$ is zero rather than a balanced Boolean function. By lemma 1 we know that $[f_1, f_2, \ldots, f_n]D$ is not a Boolean permutation.

Sufficiency: Suppose $D$ is nonsingular. Then for any nonzero vector $B \in F_2^n$, $DB^T \neq 0$. Therefore
$$[f_1, f_2, \ldots, f_n]\, D B^T = \sum_{i=1}^{n} f_i \sum_{j=1}^{n} d_{ij} b_j$$
is a nonzero linear combination (with the coordinates of $DB^T$ as coefficients) of the $f_i$. Since $P$ is a Boolean permutation, by lemma 1 we have
$$W_H\Big(\sum_{i=1}^{n} f_i \sum_{j=1}^{n} d_{ij} b_j\Big) = 2^{n-1}.$$
Given the arbitrariness of $B$ and using lemma 1, we know that $[f_1, f_2, \ldots, f_n]D$ is a Boolean permutation. □

Lemma 4 Let $P = [f_1, f_2, \ldots, f_n]$ be a Boolean permutation, $D = (d_{ij})$ an $n \times n$ binary matrix, and $C = (c_1, c_2, \ldots, c_n) \in F_2^n$. Then
$$P(xD \oplus C) = [f_1(xD \oplus C), f_2(xD \oplus C), \ldots, f_n(xD \oplus C)] \tag{4}$$
is a Boolean permutation if and only if $D$ is nonsingular.

Proof: Let $y = (y_1, y_2, \ldots, y_n) = (x_1, x_2, \ldots, x_n)\, D \oplus C$. Then it can be seen that $y_1, y_2, \ldots, y_n$ are $n$ independent variables if and only if $D$ is nonsingular. Since $P = [f_1, f_2, \ldots, f_n]$ is a Boolean permutation, $[f_1(y), f_2(y), \ldots, f_n(y)]$ is also a Boolean permutation if and only if $y_1, y_2, \ldots, y_n$ are $n$ independent variables. □

Lemma 3 and lemma 4 show that linear transformations on the components or on the variables of a Boolean permutation yield a new Boolean permutation.

Lemma 5 Let $P = [f_1, f_2, \ldots, f_n]$ and $Q = [g_1, g_2, \ldots, g_n]$ be two Boolean permutations. Then their composition
$$P(Q) = [f_1(g_1, g_2, \ldots, g_n),\ f_2(g_1, g_2, \ldots, g_n),\ \ldots,\ f_n(g_1, g_2, \ldots, g_n)] \tag{5}$$
is a new Boolean permutation.

Proof: This result comes from the fact that an $(n, n)$-Boolean function is a Boolean permutation if and only if it is a one-to-one mapping between its inputs and its outputs, and the composition of two one-to-one mappings is again one-to-one. □

Now we introduce a new operation, concatenation of Boolean permutations. The concatenation of two functions $F_1$ and $F_2$ is formed on disjoint (independent) sets of variables. For example, the concatenation of $F_1 = [x_1, x_1 \oplus x_2]$ and $F_2 = [x_1 \oplus x_2 x_3, x_2, x_2 \oplus x_3]$ forms the new function
$$F = [F_1, F_2] = [x_1,\ x_1 \oplus x_2,\ x_3 \oplus x_4 x_5,\ x_4,\ x_4 \oplus x_5].$$
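The criterion of lemma 1, the "zero rather than balanced" argument in the necessity part of the proof of lemma 3, and the concatenation just defined can all be checked mechanically for small $n$. The following Python code is an added example and is not code from the paper: it tabulates candidate component functions as truth tables, tests every nonzero XOR-combination for balance, compares the verdict with the direct definition (distinct inputs give distinct outputs), and builds the concatenation $[F_1, F_2]$ above. $F_1$ and $F_2$ are the paper's example functions; the two failing collections `BAD` and `DEPENDENT` are constructed for this example.

```python
# Added example, not code from the paper: lemma 1 as an executable check.
# A Boolean function of n variables is stored as a truth table, a list of
# 2**n bits indexed by the integer whose bit i-1 is x_i (x_1 is the least
# significant bit).  A candidate Boolean permutation is a list of n tables.


def truth_table(f, n):
    """Tabulate f over all 2**n inputs; f takes the tuple (x_1, ..., x_n)."""
    return [f(tuple((v >> i) & 1 for i in range(n))) for v in range(2 ** n)]


def is_balanced(table):
    """Balanced: as many ones as zeros, i.e. Hamming weight 2**(n-1)."""
    return sum(table) == len(table) // 2


def unbalanced_combination(tables):
    """Lemma 1: return the first nonzero coefficient vector (b_1, ..., b_n)
    whose XOR-combination of the components is not balanced, or None if
    every nonzero combination is balanced (so the list is a permutation)."""
    n = len(tables)
    for mask in range(1, 2 ** n):
        combo = [0] * len(tables[0])
        for i in range(n):
            if (mask >> i) & 1:
                combo = [a ^ b for a, b in zip(combo, tables[i])]
        if not is_balanced(combo):
            return tuple((mask >> i) & 1 for i in range(n))
    return None


def is_boolean_permutation(tables):
    return unbalanced_combination(tables) is None


def outputs_are_distinct(tables):
    """The direct definition: distinct inputs must yield distinct outputs."""
    words = {tuple(t[v] for t in tables) for v in range(len(tables[0]))}
    return len(words) == len(tables[0])


def concatenate(tables_a, n_a, tables_b, n_b):
    """Lemma 6: [P_1, P_2] on n_a + n_b disjoint variables, as truth tables.
    Components of P_1 depend only on the low n_a input bits, those of P_2
    only on the high n_b bits."""
    size = 2 ** (n_a + n_b)
    low = [[t[v % 2 ** n_a] for v in range(size)] for t in tables_a]
    high = [[t[v >> n_a] for v in range(size)] for t in tables_b]
    return low + high


# The paper's F_1 = [x1, x1 + x2] and F_2 = [x1 + x2 x3, x2, x2 + x3] (+ is XOR).
F1 = [truth_table(lambda x: x[0], 2), truth_table(lambda x: x[0] ^ x[1], 2)]
F2 = [
    truth_table(lambda x: x[0] ^ (x[1] & x[2]), 3),
    truth_table(lambda x: x[1], 3),
    truth_table(lambda x: x[1] ^ x[2], 3),
]
F = concatenate(F1, 2, F2, 3)  # the paper's F = [F_1, F_2] of order 5

# Constructed counterexamples.  In BAD the component x1 x2 has weight 2 of 8,
# so the single-component combination (1, 0, 0) already fails lemma 1.  In
# DEPENDENT every component is balanced, but x1 + x2 + (x1 + x2) = 0: the
# combination (1, 1, 1) is the zero function, exactly the situation in the
# necessity part of the proof of lemma 3.
BAD = [
    truth_table(lambda x: x[0] & x[1], 3),
    truth_table(lambda x: x[1], 3),
    truth_table(lambda x: x[2], 3),
]
DEPENDENT = [
    truth_table(lambda x: x[0], 3),
    truth_table(lambda x: x[1], 3),
    truth_table(lambda x: x[0] ^ x[1], 3),
]
```

The lemma 1 test costs $2^n - 1$ combinations of $2^n$-row tables, so like the direct check it is only practical for small $n$; its value here is that it reports which coefficient vector fails, which is the witness the necessity proof of lemma 3 reasons about.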

Lemma 6 Let $P_1 = [f_1, \ldots, f_{n_1}]$ and $P_2 = [g_1, \ldots, g_{n_2}]$ be two Boolean permutations of order $n_1$ and $n_2$ respectively. Then their concatenation $P = [P_1, P_2]$ forms a Boolean permutation of order $n = n_1 + n_2$.

As a direct corollary of lemma 6 and lemma 5 we have the following:

Corollary 1 Let $P = [f_1, \ldots, f_n]$ be a Boolean permutation of order $n$, and $R_i = [g_{i,1}, \ldots, g_{i,n_i}]$ a Boolean permutation of order $n_i$ for $i = 1, 2, \ldots, k$, where $n_1 + n_2 + \cdots + n_k = n$. Then
$$\begin{aligned} Q = [\, & g_{1,1}(f_1, \ldots, f_{n_1}), \ldots, g_{1,n_1}(f_1, \ldots, f_{n_1}), \\ & g_{2,1}(f_{n_1+1}, \ldots, f_{n_1+n_2}), \ldots, g_{2,n_2}(f_{n_1+1}, \ldots, f_{n_1+n_2}), \\ & \ldots, \\ & g_{k,1}(f_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, f_n), \ldots, g_{k,n_k}(f_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, f_n)\,] \end{aligned} \tag{6}$$
is a Boolean permutation of order $n$.

2.3 Inverses of Boolean permutations

Like any permutation, a Boolean permutation has an inverse, and the inverse of a Boolean permutation is also a Boolean permutation. Given a Boolean permutation $P = [f_1, f_2, \ldots, f_n]$, the inverse of $P$ is a solution of the system
$$\begin{cases} z_1 = f_1(x_1, x_2, \ldots, x_n) \\ z_2 = f_2(x_1, x_2, \ldots, x_n) \\ \ \ \vdots \\ z_n = f_n(x_1, x_2, \ldots, x_n) \end{cases} \tag{7}$$
i.e., an expression of each $x_i$ in terms of the $z_j$. Suppose that we have a solution of (7) in the form
$$\begin{cases} x_1 = f_1^{-1}(z_1, \ldots, z_n), \\ x_2 = f_2^{-1}(z_1, \ldots, z_n), \\ \ \ \vdots \\ x_n = f_n^{-1}(z_1, \ldots, z_n); \end{cases} \tag{8}$$
then $P^{-1} = [f_1^{-1}, f_2^{-1}, \ldots, f_n^{-1}]$ is the inverse Boolean permutation of $P$.

Lemma 7 Let $P = [f_1, f_2, \ldots, f_n]$ and $Q = [g_1, g_2, \ldots, g_n]$ be two Boolean permutations. Then they are inverses of each other if and only if for every $i \in \{1, 2, \ldots, n\}$ we have $g_i(f_1, f_2, \ldots, f_n) = x_i$ and $f_i(g_1, g_2, \ldots, g_n) = x_i$.

Lemma 7 can be used to check whether two Boolean permutations are inverses of each other. This is useful especially when the number of variables of the Boolean permutations is fairly large and it is computationally infeasible to check all the input-output pairs. It is known that when one of the functions in (7) is nonlinear, solving equation (7) is in general a hard problem. However, the inverses of certain special classes of Boolean permutations can be found easily. The following are the inverses of the Boolean permutations constructed in lemma 2 to lemma 5 respectively.

Lemma 8 Let $P = [f_1, f_2, \ldots, f_n]$, $\pi$ and $Q = \pi(P)$ be as defined in lemma 2, and let $P^{-1} = [f_1^{-1}(z), f_2^{-1}(z), \ldots, f_n^{-1}(z)]$ be the inverse of $P$. Let $z' = (z_{\pi^{-1}(1)}, z_{\pi^{-1}(2)}, \ldots, z_{\pi^{-1}(n)})$. Then $Q^{-1} = [f_1^{-1}(z'), f_2^{-1}(z'), \ldots, f_n^{-1}(z')]$.

Lemma 9 Let $P = [f_1, f_2, \ldots, f_n]$ and $Q = PD \oplus C$ be defined as in lemma 3, where $D$ is a nonsingular matrix, and let $P^{-1} = [f_1^{-1}(z), f_2^{-1}(z), \ldots, f_n^{-1}(z)]$. Let $z' = ((z_1, \ldots, z_n) \oplus C)\, D^{-1}$. Then $Q^{-1} = [f_1^{-1}(z'), f_2^{-1}(z'), \ldots, f_n^{-1}(z')]$.

Lemma 10 Let $P = [f_1, f_2, \ldots, f_n]$ and $Q = P(xD \oplus C)$ be defined as in lemma 4, where $D$ is a nonsingular matrix. Then $Q^{-1} = P^{-1} D^{-1} \oplus C D^{-1}$.

Lemma 11 Let $P$, $Q$ and $R = P(Q)$ be defined as in lemma 5. Then $R^{-1} = Q^{-1}(P^{-1})$.
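Lemmas 3 to 5 give the constructions and lemmas 9 to 11 their inverses. The following Python code is an added example, not part of the paper: it implements each construction and its inverse rule for permutations represented as callables on bit tuples, computes $D^{-1}$ over $F_2$ by Gauss-Jordan elimination, and checks every pair exhaustively in the sense of lemma 7. $P$ is the paper's $F_2 = [x_1 \oplus x_2 x_3, x_2, x_2 \oplus x_3]$ from section 2.2 with its inverse worked out by hand; the second permutation $Q$, the matrices $D$ and $D_{\text{SINGULAR}}$ and the vector $C$ are constructed for this example.

```python
# Added example, not code from the paper: the constructions of lemmas 3, 4
# and 5 together with the inverse rules of lemmas 9, 10 and 11, checked
# against lemma 7.  A Boolean permutation is a callable on a tuple of bits
# (x_1, ..., x_n) returning (z_1, ..., z_n); a matrix is a list of rows.
from itertools import product


def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))


def vec_mat(x, D):
    """x D over F_2: component j is the XOR over i of x_i d_ij."""
    return tuple(sum(x[i] & D[i][j] for i in range(len(x))) & 1
                 for j in range(len(D[0])))


def gf2_inverse(D):
    """Gauss-Jordan elimination over F_2; None when D is singular."""
    n = len(D)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(D)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def require_nonsingular(D):
    D_inv = gf2_inverse(D)
    if D_inv is None:  # lemmas 3 and 4: a singular D yields no permutation
        raise ValueError("D is singular over F_2; the construction is not a permutation")
    return D_inv


def are_inverses(P, Q, n):
    """Lemma 7 checked exhaustively; feasible only for small n."""
    return all(Q(P(x)) == x and P(Q(x)) == x for x in product((0, 1), repeat=n))


# Lemma 3 / lemma 9: Q = P D + C, Q^{-1}(z) = P^{-1}((z + C) D^{-1}).
def affine_on_outputs(P, D, C):
    return lambda x: xor(vec_mat(P(x), D), C)


def affine_on_outputs_inverse(P_inv, D, C):
    D_inv = require_nonsingular(D)
    return lambda z: P_inv(vec_mat(xor(z, C), D_inv))


# Lemma 4 / lemma 10: Q = P(x D + C), Q^{-1} = P^{-1} D^{-1} + C D^{-1}.
def affine_on_inputs(P, D, C):
    return lambda x: P(xor(vec_mat(x, D), C))


def affine_on_inputs_inverse(P_inv, D, C):
    D_inv = require_nonsingular(D)
    return lambda z: vec_mat(xor(P_inv(z), C), D_inv)


# Lemma 5 / lemma 11: R = P(Q), R^{-1} = Q^{-1}(P^{-1}).
def compose(P, Q):
    return lambda x: P(Q(x))


# P is the paper's F_2 = [x1 + x2 x3, x2, x2 + x3] with its hand-derived
# inverse (x2 = z2, x3 = z2 + z3, x1 = z1 + x2 x3); Q, D and C are
# constructed for this example.
P = lambda x: (x[0] ^ (x[1] & x[2]), x[1], x[1] ^ x[2])
P_inv = lambda z: (z[0] ^ (z[1] & (z[1] ^ z[2])), z[1], z[1] ^ z[2])
Q = lambda x: (x[0], x[1] ^ (x[0] & x[2]), x[2])
Q_inv = Q  # Q is an involution
D = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]          # nonsingular over F_2
D_SINGULAR = [[1, 1, 0], [1, 1, 0], [0, 0, 1]]  # rows 1 and 2 coincide
C = (1, 0, 1)


def check_inverse_rules(n=3):
    """True when lemmas 9, 10 and 11 each yield the inverse (by lemma 7)."""
    R, R_inv = compose(P, Q), compose(Q_inv, P_inv)
    return (are_inverses(P, P_inv, n) and are_inverses(Q, Q_inv, n)
            and are_inverses(affine_on_outputs(P, D, C),
                             affine_on_outputs_inverse(P_inv, D, C), n)
            and are_inverses(affine_on_inputs(P, D, C),
                             affine_on_inputs_inverse(P_inv, D, C), n)
            and are_inverses(R, R_inv, n))
```

Two points are worth noting. First, both affine constructions refuse a singular $D$, which is the "only if" direction of lemmas 3 and 4; a system that accepted such a $D$ as part of a key would produce a non-injective map and decryption failures. Second, `are_inverses` enumerates all $2^n$ inputs, which is exactly what lemma 7 avoids for large $n$; at cryptographic sizes the check has to be done symbolically on the component functions, as the lemma states it.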

Now we consider the inverse of the composed Boolean permutation obtained in corollary 1, given the inverses $P^{-1} = [f_1^{-1}, f_2^{-1}, \ldots, f_n^{-1}]$ and $R_i^{-1} = [g_{i,1}^{-1}, g_{i,2}^{-1}, \ldots, g_{i,n_i}^{-1}]$, $i = 1, 2, \ldots, k$, of the Boolean permutations. Using
$$\begin{cases} z_1 = g_{1,1}(f_1, \ldots, f_{n_1})(x) \\ \ \ \vdots \\ z_{n_1} = g_{1,n_1}(f_1, \ldots, f_{n_1})(x) \\ z_{n_1+1} = g_{2,1}(f_{n_1+1}, \ldots, f_{n_1+n_2})(x) \\ \ \ \vdots \\ z_{n_1+n_2} = g_{2,n_2}(f_{n_1+1}, \ldots, f_{n_1+n_2})(x) \\ \ \ \vdots \\ z_{n_1+n_2+\cdots+n_{k-1}+1} = g_{k,1}(f_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, f_n)(x) \\ \ \ \vdots \\ z_n = g_{k,n_k}(f_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, f_n)(x) \end{cases} \tag{9}$$
and the corresponding inverse of each $R_i$, we have
$$\begin{cases} f_1(x) = g_{1,1}^{-1}(z_1, \ldots, z_{n_1}) = y_1 \\ \ \ \vdots \\ f_{n_1}(x) = g_{1,n_1}^{-1}(z_1, \ldots, z_{n_1}) = y_{n_1} \\ f_{n_1+1}(x) = g_{2,1}^{-1}(z_{n_1+1}, \ldots, z_{n_1+n_2}) = y_{n_1+1} \\ \ \ \vdots \\ f_{n_1+n_2}(x) = g_{2,n_2}^{-1}(z_{n_1+1}, \ldots, z_{n_1+n_2}) = y_{n_1+n_2} \\ \ \ \vdots \\ f_{n_1+n_2+\cdots+n_{k-1}+1}(x) = g_{k,1}^{-1}(z_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, z_n) = y_{n_1+n_2+\cdots+n_{k-1}+1} \\ \ \ \vdots \\ f_n(x) = g_{k,n_k}^{-1}(z_{n_1+n_2+\cdots+n_{k-1}+1}, \ldots, z_n) = y_n. \end{cases} \tag{10}$$
By applying the inverse of $P$ to equation (10), we have