Design of Public Key Cryptosystems Using Idempotent Elements

Józef P. Pieprzyk and Dominik A. Rutkowski
Department of Communication Systems, Technical University of Gdańsk, Majakowskiego 11, 80-952 Gdańsk, Poland

North-Holland, Computers & Security 4 (1985) 297-308. 0167-4048/85/$3.30 © 1985, Elsevier Science Publishers B.V. (North-Holland)

The description of a new method of designing a public key cryptosystem using idempotent elements is given. This method is connected with the Merkle-Hellman method and is illustrated by three versions of the design that show the properties of the cryptosystem obtained and its advantages as compared to the cryptosystem of Merkle-Hellman.

Keywords: Cryptography, Cryptosystems, Knapsack, Enciphering algorithms, Cipher, Encryption, Public key.

1. Introduction

The development of computer cryptography has, for the past few years, been closely connected with the idea of public key cryptosystems (PKC) elaborated in 1976 by Diffie and Hellman [2]. Two years after the publication of the paper by these authors, there appeared in the literature two solutions of this idea, namely the system of Rivest-Shamir-Adleman [7] and the system of Merkle-Hellman [5]. One must emphasize that the essential difference between classical cryptosystems and public ones is the way the cryptographic keys are distributed between the transmitter and the receiver. In the case of classical cryptosystems the keys are usually transmitted over a channel that is not accessible to an unauthorized user (UU). Clearly, while using a classical cryptosystem the keys may be sent over the same channel that is used for the transmission of cryptograms, but they must then also be forwarded in the form of cryptograms [6]. In the case of PKC both cryptograms and keys (footnote 1) are transmitted over the same channel (footnote 2). The keys, however, are generated by the receiver and their public parts are forwarded to the transmitter. In this paper we will concentrate on some modification of PKC based on the knapsack problem [1]. This modification concerns the generalization of the PKC invented by Merkle and Hellman [5]. To specify our considerations we first recall some properties of idempotent elements in algebraic rings [4].

Footnote 1: That is, the public parts of the keys.
Footnote 2: So UU has access to both cryptograms and keys [6].

Dominik A. Rutkowski received the M.S., Ph.D. and Doctor of Science degrees in electronic engineering from the Technical University of Gdańsk, Poland, in 1963, 1968 and 1975, respectively. Since 1963 he has been with the Technical University of Gdańsk, first teaching electronics and later system science. In 1968 he became assistant professor in the Department of Control Systems. Since 1975 he has been an associate professor in the Department of Communication Systems. From 1963 to 1975 his scientific and technical activities were focused mostly on problems of optimization of automatic control systems and especially on problems of optimal control in a stochastic environment, optimal identification of control systems, adaptive systems, and to some extent on measurement systems. From 1970 to 1972 he participated in the international project sponsored by the Food and Agriculture Organization of the United Nations concerning the fisheries research vessel that was built in the Gdańsk shipyard. His activities were concentrated on the real-time system used in this vessel. Since 1973 he has become more and more engaged in computer communications and especially in the analysis and design of computer communication networks. His interests were particularly focused on routing, congestion control, structure and performance of systems and computer networks. For one year, 1975/76, he was a Fulbright-Hays fellow engaged in research in computer communications at the Department of Electrical Engineering and Computer Science, Columbia University, New York. After coming back to Poland he worked on the analysis and design of computer communication networks and conducted a research group in that field. He has published more than sixty papers in journals and conference proceedings. He is the author of a few patents and a book on the methods of optimization of control systems.

Józef P. Pieprzyk was born in Bydgoszcz, Poland, in 1949. He received the M.S. degree in electrical engineering from the Technical Academy of Bydgoszcz in 1972, the M.S. degree in pure mathematics from the University of Toruń in 1975, and the Ph.D. degree from the Institute of Computer Science, Polish Academy of Sciences, at Warsaw in 1980. Currently he is an Assistant Professor in the Department of Telecommunication, Technical Academy of Bydgoszcz, doing research in data security, cryptography and communication theory. He is the author of over twenty publications, most of which deal with computer security.
2. Theoretical Foundation

Let us assume that a ring $Z_N$ (the ring of nonnegative integers with addition and multiplication modulo $N$ defined) is given, where

$$N = N_1 \cdot N_2 \cdots N_t, \qquad N_i = p_i^{a_i} \quad (a_i \in \{1, 2, \ldots\}) \tag{2.1}$$

and the numbers $p_i$ ($i = 1, 2, \ldots, t$) are primes ($p_i \ne p_j$ for $i \ne j$). It turns out [4] that each number $x \in Z_N$ can be written down in the form

$$x = [x \bmod N_1, \ldots, x \bmod N_t] \in \bigoplus_{i=1}^{t} Z_{N_i} \tag{2.2}$$

where $N = \mathrm{LCM}(N_1, \ldots, N_t)$ (LCM stands for least common multiple) and the ring $\bigoplus_{i=1}^{t} Z_{N_i}$ consists of all the elements of the ring $Z_N$ written in the form (2.2); this representation is mutually equivalent. Let us assume further that two elements $x, y \in Z_N$ having the form $x = [x_1, \ldots, x_t]$, $y = [y_1, \ldots, y_t]$ are given. One can define on these elements the operations of addition and multiplication according to the expressions given below:

$$(x + y) \bmod N = [(x_1 + y_1) \bmod N_1, \ldots, (x_t + y_t) \bmod N_t] = [x_1 + y_1, \ldots, x_t + y_t] \tag{2.3}$$

$$(x \cdot y) \bmod N = [x_1 y_1 \bmod N_1, \ldots, x_t y_t \bmod N_t] = [x_1 y_1, \ldots, x_t y_t] \tag{2.4}$$

Thus, the rings $Z_N$ and $\bigoplus_{i=1}^{t} Z_{N_i}$ are isomorphic and the isomorphism $g: Z_N \to \bigoplus_{i=1}^{t} Z_{N_i}$ is defined as follows:

$$g(x \bmod N) = [x \bmod N_1, \ldots, x \bmod N_t] \tag{2.5}$$

To clarify the notions and definitions introduced we will consider an example.

Example 1. Let $Z_{30}$ be a ring, where $N_1 = 2$, $N_2 = 3$, $N_3 = 5$, and let two numbers $x, y \in Z_{30}$ take on the values $x = 29$, $y = 3$. We can then write these numbers in the form

$$x = 29 = [1, 2, 4] \tag{2.6}$$

$$y = 3 = [1, 0, 3] \tag{2.7}$$

where the vectors $[1, 2, 4]$, $[1, 0, 3] \in \bigoplus_{i=1}^{3} Z_{N_i} = Z_2 \oplus Z_3 \oplus Z_5$. The sum of the numbers $x$ and $y$ can be calculated alternatively as:

1. $x + y = 29 + 3 = 32 = 2 \pmod{30}$;
2. $x + y = [1, 2, 4] + [1, 0, 3] = [2 \bmod 2, 2 \bmod 3, 7 \bmod 5] = [0, 2, 2]$.

It is apparent that $[0, 2, 2] = 2 \pmod{30}$. The multiplication of the numbers $x$ and $y$ can also be found in two ways, namely:

1. $x \cdot y = 29 \cdot 3 = 87 = 27 \pmod{30}$;
2. $x \cdot y = [1, 2, 4] \cdot [1, 0, 3] = [1 \bmod 2, 0 \bmod 3, 12 \bmod 5] = [1, 0, 2] = 27 \in Z_{30}$.

Let us take into account a set of elements of the ring $\bigoplus_{i=1}^{t} Z_{N_i}$ in the form of the following vectors:

$$e_1 = [1, 0, 0, \ldots, 0], \quad e_2 = [0, 1, 0, \ldots, 0], \quad \ldots, \quad e_t = [0, 0, 0, \ldots, 1] \tag{2.8}$$

We see that they generate all the elements of the ring $\bigoplus_{i=1}^{t} Z_{N_i}$, for each element $x \in Z_N$ can be represented by

$$x = [x_1, \ldots, x_t] = [x_1, 0, \ldots, 0] + \cdots + [0, \ldots, 0, x_t] = \sum_{i=1}^{t} x_i e_i \tag{2.9}$$

where

$$[0, \ldots, 0, x_i, 0, \ldots, 0] = x_i e_i = x e_i \pmod N \tag{2.10}$$

and $i = 1, \ldots, t$, $x_i \in Z_{N_i}$, $x \in Z_N$. In this way we obtain a proof of the following theorem.

Theorem 1. For a given ring $Z_N$ ($N = N_1 \cdots N_t$, $N_i = p_i^{a_i}$, where $p_i$ is a prime, $p_i \ne p_j$ for $i \ne j$, $a_i = 1, 2, \ldots$, $i = 1, \ldots, t$) every element $x \in Z_N$ can be represented in the form

$$x = \sum_{i=1}^{t} x_i e_i \tag{2.11}$$

where $x = [x_1, \ldots, x_t]$, $x_i \in Z_{N_i}$, and the elements $e_i$ ($i = 1, 2, \ldots, t$) are defined by (2.8).

Conclusions.

C1. We see from the definition of the vector $e_i \in \bigoplus_{j=1}^{t} Z_{N_j}$ ($i = 1, \ldots, t$) that there exists a number $e_i \in Z_N$ corresponding to it which fulfils the congruence

$$e_i^2 = e_i \pmod N \tag{2.12}$$

In other words, the numbers $e_i$, $i = 1, \ldots, t$, are the idempotent elements of the ring $Z_N$.

C2. The basic idempotent elements (footnote 3) have the following properties:

(a) $e_i \bmod N_i = 1$ and $e_i \bmod N_j = 0$ for $j \ne i$, $i = 1, \ldots, t$ (2.13), and hence $\sum_{i=1}^{t} e_i = 1 \pmod N$ (2.14);
(b) $e_i^k = e_i \pmod N$ for all $i = 1, \ldots, t$ and $k = 1, 2, \ldots$ (2.15);
(c) $e_i e_j = 0 \pmod N$ for all $i \ne j$ (2.16);
(d) the sum of an arbitrary number of different basic idempotent elements is also an idempotent element.

C3. To every numerical ring $Z_N$, where $N$ is defined according to (2.1), there corresponds the ring $\bigoplus_{i=1}^{t} Z_{N_i}$, for which we can define a linear vector space using the basic vectors $e_1, \ldots, e_t$.

Example 2. Let $Z_N$ be a numerical ring and $N_1 = 3$, $N_2 = 4$, $N_3 = 5$ ($N = 60$); then

$e_1 = [1, 0, 0] = 40$, $e_2 = [0, 1, 0] = 45$, $e_3 = [0, 0, 1] = 36$.

It is easy to check that the following congruences are valid:

$40^2 = 1600 = 40 \pmod{60}$, $45^2 = 2025 = 45 \pmod{60}$, $36^2 = 1296 = 36 \pmod{60}$

and $e_1 + e_2 + e_3 = 40 + 45 + 36 = 121 = 1 \pmod{60}$.

Summing up, we will describe an algorithm for finding the basic idempotent elements $e_i \in Z_N$ ($i = 1, \ldots, t$) in the case when $N = N_1 \cdots N_t$ and the $N_j$ ($j = 1, \ldots, t$) are defined by (2.1).

Algorithm:
- Calculate the product $\beta_i = N_1 \cdots N_{i-1} N_{i+1} \cdots N_t$.
- Find the remainder of the division of $\beta_i$ by $N_i$, hence $\gamma_i = \beta_i \bmod N_i$.
- If $\gamma_i = 1$ then $e_i = \beta_i$; otherwise find a number $\gamma_i^{-1} \in Z_{N_i}$ such that $\gamma_i \gamma_i^{-1} = 1 \pmod{N_i}$ (for $\gamma_i \ne 1$), and so $e_i = \beta_i \gamma_i^{-1}$.

As we see, finding the basic idempotent elements is easy even for a large number $N$.

Footnote 3: The notions "basic idempotent elements" and "basic idempotent vectors" are used here mutually equivalently.
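As an added example (not code from the paper), the following Python implements the vector representation (2.2), the componentwise operations (2.3) and (2.4), the algorithm above for the basic idempotent elements and the checks (2.12)-(2.16), run on the values of Examples 1 and 2; the function names are my own.

```python
from math import prod


def to_vector(x, moduli):
    """Representation (2.2): x -> [x mod N_1, ..., x mod N_t]."""
    return [x % n for n in moduli]


def vec_add(u, v, moduli):
    """Componentwise sum (2.3) in the ring Z_{N_1} + ... + Z_{N_t}."""
    return [(a + b) % n for a, b, n in zip(u, v, moduli)]


def vec_mul(u, v, moduli):
    """Componentwise product (2.4)."""
    return [(a * b) % n for a, b, n in zip(u, v, moduli)]


def basic_idempotents(moduli):
    """Algorithm of Section 2: for each i, beta_i = N / N_i,
    gamma_i = beta_i mod N_i and e_i = beta_i * gamma_i^{-1} (mod N)."""
    N = prod(moduli)
    es = []
    for n_i in moduli:
        beta = N // n_i
        gamma = beta % n_i
        # beta_i is coprime to N_i, so the inverse exists (pow with -1 needs Python >= 3.8)
        inv = 1 if gamma == 1 else pow(gamma, -1, n_i)
        es.append((beta * inv) % N)
    return es


def from_vector(vec, moduli):
    """Inverse of the isomorphism g via (2.11): x = sum_i x_i e_i (mod N)."""
    N = prod(moduli)
    return sum(x_i * e_i for x_i, e_i in zip(vec, basic_idempotents(moduli))) % N


def idempotent_properties_hold(moduli):
    """Verify (2.12), (2.13), (2.14) and (2.16) for the computed elements."""
    N = prod(moduli)
    es = basic_idempotents(moduli)
    for i, e in enumerate(es):
        if (e * e) % N != e:                                        # (2.12): e_i^2 = e_i
            return False
        if to_vector(e, moduli) != [int(j == i) for j in range(len(es))]:
            return False                                            # (2.13): e_i is the i-th basic vector
        if any((e * es[j]) % N for j in range(len(es)) if j != i):
            return False                                            # (2.16): e_i e_j = 0 for i != j
    return sum(es) % N == 1                                         # (2.14): sum of all e_i = 1


if __name__ == "__main__":
    # Example 1: Z_30 with N_1 = 2, N_2 = 3, N_3 = 5, x = 29, y = 3
    m = [2, 3, 5]
    x, y = to_vector(29, m), to_vector(3, m)               # [1, 2, 4], [1, 0, 3]
    s, p = vec_add(x, y, m), vec_mul(x, y, m)              # [0, 2, 2], [1, 0, 2]
    print(x, y, s, p, from_vector(s, m), from_vector(p, m))  # ... 2 and 27 in Z_30
    # Example 2: N_1 = 3, N_2 = 4, N_3 = 5 gives e = (40, 45, 36)
    print(basic_idempotents([3, 4, 5]), idempotent_properties_hold([3, 4, 5]))
```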
3. Problem Statement

In the following section we will assume that the cryptosystem considered is used to encipher messages in the form of a sequence $x = (x_1, \ldots, x_t)$, where $x_i$ ($i = 1, \ldots, t$) is some integer or a subsequence of $x$. For example, the message $M = 1286$ may be represented by $x_1 = 12$, $x_2 = 8$, $x_3 = 6$, and the message $x = 0101011$ may be composed of $x_1 = 010$, $x_2 = 10$, $x_3 = 1$, $x_4 = 1$. As is known [1], the generation of a cryptographic key in a PKC is carried out on the receiver's side, from where it is forwarded to the transmitter. Let us assume that on the receiver's side the numbers $N_1, \ldots, N_t$ (footnote 4) are chosen in such a way that the message $x \in Z_N$ ($N = N_1 \cdots N_t$) and each of the numbers $N_i$ ($i = 1, \ldots, t$) is a power of a prime. Assume that we find for a given $N$ the basic idempotent elements $e_i$ ($i = 1, \ldots, t$). As a result we are able to determine a series of idempotent elements $(a_1, \ldots, a_t)$ generating all the elements of the ring $Z_N$ according to some transformation $\xi$ known only on the receiver's side; thus

$$e = (e_1, \ldots, e_t) \xrightarrow{\ \xi\ } a = (a_1, \ldots, a_t)$$

For the series $(a_1, \ldots, a_t)$ we find the number

$$K = \max_{x} \sum_{i=1}^{t} x_i a_i \tag{3.1}$$

for which we choose randomly a pair of numbers $(q, r)$ so that $q > K$ and $r \in Z_q$. The numbers $q, r$ can be used to realize the transformation of each idempotent element $a_i$ as follows:

$$\forall_{i=1,\ldots,t} \quad a_i r \bmod q = m_i \tag{3.2}$$

Thus we obtain a series $m = (m_1, \ldots, m_t)$. The elements of that series represent the cryptographic key, which is sent from the receiver to the transmitter, where a cryptogram is generated for a message $x = (x_1, \ldots, x_t)$ according to (footnote 5)

$$y = \sum_{i=1}^{t} m_i x_i \tag{3.3}$$

The cryptogram $y$ is forwarded over the channel to the receiver, where the number $y_r$ is assigned to it using the congruence

$$y_r = y r^{-1} \pmod q \tag{3.4}$$

where $r^{-1}$ is the inverse element with respect to the element $r$ in the Galois field $Z_q$. Now, using (3.2) and (3.3), we obtain

$$y_r = \sum_{i=1}^{t} m_i x_i r^{-1} \pmod q = \sum_{i=1}^{t} a_i x_i \pmod q \tag{3.5}$$

Since $q > K$, we get

$$y_r = \sum_{i=1}^{t} a_i x_i \tag{3.6}$$

The number $y_r$ can be interpreted as a vector spanned over the vectors $a_i$ ($i = 1, \ldots, t$). To obtain the message it is sufficient to project the vector $y_r$ on the vectors $a_1, \ldots, a_t$, which we may write down as

$$y_r \,|\, a_i = x_i \quad \text{for } i = 1, \ldots, t \tag{3.7}$$

Knowing all the components $x_i$ of the message we can immediately get its public form. The way the PKC is defined using idempotent elements is similar to that elaborated by Merkle and Hellman [5]. The similarity results from the fact that both ideas are based on the solution of the knapsack problem (see Fig. 1).

[Fig. 1: block diagram of the PKC with idempotent elements. Receiver: the initial condition (a ring $Z_N$, $N$), the basic idempotent elements, the generating idempotent elements and the cryptographic key; channel; sender: the cryptogram $y$.]

Footnote 4: They can be chosen randomly from some set. The series $N_1, \ldots, N_t$ can be treated as an initial condition known exclusively to the receiver and kept out of UU's reach.
Footnote 5: As we will see later, a substantial modification of the form of the cryptogram can be carried out.
4. Solutions of PKCs Using Idempotent Elements

I. At first we will consider the simplest case of PKC, when the series $e$ and $a$ are equivalent to one another ($\xi = I$). Thus, following the choice of the initial condition for the PKC (the numbers $N_1, \ldots, N_t$), we assign the values of the idempotent elements and convert them according to the expression

$$\forall_{i=1,\ldots,t} \quad e_i r = m_i \pmod q \tag{4.1}$$

where the number $q$ must satisfy the inequality

$$q > \max_{x} \sum_{i=1}^{t} x_i e_i, \qquad x = (x_1, \ldots, x_t) \tag{4.2}$$

and the number $r$ is chosen randomly among all the elements of the Galois field $Z_q$ ($q$ is a prime). The series $m = (m_1, \ldots, m_t)$ is forwarded to the transmitter, where for a message $x = (x_1, \ldots, x_t)$ we find the cryptogram

$$y = \sum_{i=1}^{t} x_i m_i \tag{4.3}$$

The cryptogram $y$ is forwarded over the channel to the receiver, where the number $y_r$ is assigned to it using the congruence

$$y_r = y r^{-1} \pmod q \tag{4.4}$$

The knowledge of the number $y_r$ enables us to determine the message, since all its components are simply

$$x_i = y_r \bmod N_i \quad \text{for } i = 1, \ldots, t \tag{4.5}$$

From the congruence (4.5) we conclude that to obtain the message the inequality

$$x_i < N_i \quad \text{for } i = 1, \ldots, t \tag{4.6}$$

must be true. A procedure of enciphering and deciphering for that case is illustrated below.

Example 3. Let us find a PKC protecting 4-bit messages against disclosure. If we have the numbers $N_1 = 2$, $N_2 = 3$, $N_3 = 5$, $N_4 = 7$ ($N = 210$), then the basic idempotent elements take on the following values:

$e_1 = [1, 0, 0, 0] = 105$, $e_2 = [0, 1, 0, 0] = 70$, $e_3 = [0, 0, 1, 0] = 126$, $e_4 = [0, 0, 0, 1] = 120$.

Therefore $e = (e_1, e_2, e_3, e_4) = (105, 70, 126, 120)$. Now we choose a prime $q$ in such a way as to have $q > \sum_{i=1}^{4} e_i = 421$, e.g. $q = 431$ and $r = 108$ ($r^{-1} = 4$). Thus, the components of the cryptographic key are as follows (see (4.1)):

$m_1 = e_1 r \bmod q = 134$, $m_2 = e_2 r \bmod q = 233$, $m_3 = e_3 r \bmod q = 247$, $m_4 = e_4 r \bmod q = 30$.

The key $m = (134, 233, 247, 30)$ is forwarded to the transmitter, where the cryptogram is generated for a message $x = (x_1, x_2, x_3, x_4) = (1, 0, 1, 1)$. We obtain

$$y = 134 + 0 \cdot 233 + 247 + 30 = 411$$

At the receiver's side the cryptogram is converted into the form

$$y_r = y r^{-1} \bmod q = 351$$

and

$x_1 = y_r \bmod N_1 = 1$, $x_2 = y_r \bmod N_2 = 0$, $x_3 = y_r \bmod N_3 = 1$, $x_4 = y_r \bmod N_4 = 1$.

Thus we have obtained the public form of the message $x = (1, 0, 1, 1)$. Finally, we will find the redundancy of the cryptogram. Since the cryptogram ($y = 411$, $y_r = 351$) can be written down using a 9-bit series and the message is a 4-bit series, the redundancy of the cryptogram is $R = 9/4 = 2.25$.

To decrease the redundancy one may apply another way of finding the cryptogram. Thus, if we have the cryptographic key $m = (m_1, \ldots, m_t)$ and the message $x = (x_1, \ldots, x_t)$, we are able to determine two subseries $(x_{i_1}, \ldots, x_{i_u})$ and $(x_{i_{u+1}}, \ldots, x_{i_t})$ in an arbitrary way; we obtain

$$y = \sum_{j=1}^{u} x_{i_j} m_{i_j} - \sum_{j=u+1}^{t} x_{i_j} m_{i_j} \tag{4.7}$$

The deciphering process and the problems to be solved are shown below.

Example 4. Let all the data be the same as in the previous example and

$$y = -1 \cdot 134 + 1 \cdot 247 - 1 \cdot 30 = 83$$

It is easy to check that the redundancy of the cryptogram is $R = 1.75$. To obtain the message we must proceed according to the following steps:

- Calculate the two elements $y_r = y r^{-1} \bmod q = 83 \cdot 4 \bmod 431 = 332$ and $-y_r = 99 \pmod{431}$.
- Find the components of $y_r$ and $-y_r$, that is

$$y_r = [0, 2, 2, 3], \qquad -y_r = [1, 0, 4, 1] = [1, 0, -1, 1] = -[-1, 0, 1, -1]$$

By comparing these two series the receiver can easily detect the message as the series $(1, 0, 1, 1)$.

From the above example it can be seen that the receiver can encounter the case when he will not be able to decipher the cryptogram. This case occurs for the cryptograms $y_r$ and $-y_r$ obeying the relations

$$\forall_{i=1,\ldots,t} \quad y_{r_i} \in \{0, 1, -1\} \subset Z_{N_i} \tag{4.8}$$

$$\forall_{i=1,\ldots,t} \quad y'_{r_i} \in \{0, 1, -1\} \subset Z_{N_i} \tag{4.9}$$

where $y_{r_i} = y_r \bmod N_i$ and $y'_{r_i} = -y_r \bmod N_i$ ($y_r + (-y_r) = q$). Below we have given the conditions that will enable the receiver operating in a PKC with idempotent elements to determine the message when the cryptogram is of the form (4.7).

Theorem 2. Given a PKC with idempotent elements, i.e. the series $e = (e_1, \ldots, e_t)$ and $m = (m_1, \ldots, m_t)$ given by (2.8) and (4.1), and the cryptogram formed as

$$y = \sum_{j=1}^{u} x_{i_j} m_{i_j} - \sum_{j=u+1}^{t} x_{i_j} m_{i_j} \tag{4.10}$$

where the message $x = (x_1, \ldots, x_t)$ is a binary series and the two subseries $(x_{i_1}, \ldots, x_{i_u})$ and $(x_{i_{u+1}}, \ldots, x_{i_t})$ are generated according to some rule (footnote 6) known on the transmitter's side. Then and only then can one extract the message from the cryptogram on the receiver's side if among the elements $q_i = q \bmod N_i$ ($i = 1, \ldots, t$) there exists at least one element such that $q_i \notin \{-2, -1, 0, 1, 2\} \subset Z_{N_i}$ (where the numbers $N_i$ ($i = 1, \ldots, t$) are powers of odd primes and two different numbers $N_{i_1}$, $N_{i_2}$ are relatively prime, $i_1 \ne i_2$, $i_1, i_2 = 1, \ldots, t$).

Proof. A. Let

$$\forall_{i=1,\ldots,t} \quad q_i \in \{-2, -1, 0, 1, 2\} \tag{4.11}$$

We convert a cryptogram of the form (4.10) according to the transformation (4.4) and get

$$y_r = y r^{-1} \pmod q = \sum_{j=1}^{u} x_{i_j} e_{i_j} - \sum_{j=u+1}^{t} x_{i_j} e_{i_j} \pmod q \tag{4.12}$$

where $m_{i_j} r^{-1} = e_{i_j}$ for $j = 1, \ldots, t$. The congruence (4.12) has two nonnegative solutions, namely

$$y_r \pmod q \tag{4.13}$$

$$y'_r = -y_r = q - y_r \pmod q \tag{4.14}$$

To find the message on the basis of the cryptogram, we project the numbers $y_r$ and $y'_r$ on the basic vectors and obtain

$$y_r = [y_r \bmod N_1, \ldots, y_r \bmod N_t] = [y_{r_1}, \ldots, y_{r_t}] \tag{4.15}$$

$$y'_r = [y'_r \bmod N_1, \ldots, y'_r \bmod N_t] = [y'_{r_1}, \ldots, y'_{r_t}] \tag{4.16}$$

Clearly $y_r + y'_r = q$, and so

$$y_{r_i} + y'_{r_i} = q \pmod{N_i} \quad \text{for } i = 1, \ldots, t \tag{4.17}$$

Since $q \bmod N_i = q_i$, the equation (4.17) takes on the form

$$y_{r_i} + y'_{r_i} = q_i, \quad i = 1, \ldots, t \tag{4.18}$$

We assume in the following that the number $y_r$ corresponds to the message $x$ (in other words, on the basis of the number $y'_r$ we cannot extract the message) (footnote 7). With this assumption and the fact that the PKC is used for the transmission of binary messages, we have

$$\forall_{i=1,\ldots,t} \quad y_{r_i} \in \{-1, 0, 1\} \subset Z_{N_i} \tag{4.19}$$

Taking into account (4.18) and (4.19) we obtain

$$y'_{r_i} \in \{q_i - 1, q_i, q_i + 1\} \tag{4.20}$$

For an arbitrary value of the number $q_i \in \{-2, -1, 0, 1, 2\}$ the sets $\{q_i - 1, q_i, q_i + 1;\ i = 1, \ldots, t\}$ and $\{-1, 0, 1\}$ have common elements. Thus, the correct decipherment of a cryptogram is impossible. This statement completes the first part of the proof.

B. Let

$$\exists_{k} \quad q_k \notin \{-2, -1, 0, 1, 2\} \subset Z_{N_k} \tag{4.21}$$

From the assumption that the number $y_r$ only corresponds to the message (i.e. $y_{r_i} \in \{-1, 0, 1\}$) and from the previous considerations, we find that

$$y'_{r_i} \in \{q_i - 1, q_i, q_i + 1\} \subset Z_{N_i}, \quad i = 1, \ldots, t \tag{4.22}$$

Using the expression (4.21), we obtain

$$y'_{r_k} \notin \{-1, 0, 1\} \tag{4.23}$$

Thus, it is possible in this case to distinguish the number that does not carry the message, since for that number its $k$-th component does not belong to the set $\{-1, 0, 1\}$.

Conclusion. If the assumptions of the theorem are fulfilled, the decipherment in the receiver is carried out in the following way: the two numbers $y_r$ and $y'_r$ ($y_r > 0$, $y'_r > 0$) must be projected on the basic vectors $e_1, \ldots, e_t$, and from the two series obtained we choose the one that contains only zeros and ones (footnote 8) (see Example 4).

Footnote 6: In general, one can distinguish two classes of such rules: deterministic and probabilistic ones. Particularly interesting is a rule that will result in minimum redundancy of the cryptogram.
Footnote 7: This assumption does not restrict the generality of the considerations. The problem is which one of the two binary series represents the message.
Footnote 8: The ones may have an arbitrary sign.
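The following Python is an added example, not code from the paper: it carries version I through with the data of Examples 3 and 4, i.e. the key (4.1), the cryptogram (4.3) or its signed form (4.7), the conversion (4.4)-(4.5), and the decision rule from the conclusion of Theorem 2 (project both $y_r$ and $y'_r = q - y_r$ and keep the series whose components all lie in $\{-1, 0, 1\}$). The basic idempotent elements are the page's values; the function names are my own.

```python
# Data of Example 3 (from the paper): N_1..N_4 = 2, 3, 5, 7 (N = 210),
# basic idempotent elements e = (105, 70, 126, 120), q = 431 > sum(e) = 421, r = 108.
MODULI = [2, 3, 5, 7]
E = [105, 70, 126, 120]
Q, R = 431, 108


def make_key(e, q, r):
    """(4.1): m_i = e_i * r (mod q)."""
    return [(e_i * r) % q for e_i in e]


def encrypt(x, m, signs=None):
    """(4.3) when signs is None; otherwise the signed form (4.7)/(4.10):
    bits with sign +1 are added, bits with sign -1 are subtracted."""
    signs = signs or [1] * len(x)
    return sum(s * x_i * m_i for s, x_i, m_i in zip(signs, x, m))


def project(v, moduli, centered=False):
    """(2.2): components v mod N_i; with centered=True the residue of smallest
    absolute value is used, so that a component -1 is recognisable as -1."""
    out = []
    for n in moduli:
        c = v % n
        if centered and c > n // 2:
            c -= n
        out.append(c)
    return out


def decrypt_plain(y, q, r, moduli):
    """(4.4)-(4.5): y_r = y r^{-1} (mod q), then x_i = y_r mod N_i."""
    y_r = (y * pow(r, -1, q)) % q
    return y_r, project(y_r, moduli)


def theorem2_condition(q, moduli):
    """Theorem 2: some q_i = q mod N_i must lie outside {-2, ..., 2}.
    (The theorem assumes odd prime powers; the paper's own example keeps N_1 = 2.)"""
    return any(c not in (-2, -1, 0, 1, 2) for c in project(q, moduli, centered=True))


def decrypt_signed(y, q, r, moduli):
    """Conclusion of Theorem 2: project both solutions y_r and y'_r = q - y_r
    of (4.12) on the basic vectors and keep the one whose components are all
    in {-1, 0, 1}; their absolute values are the message bits.  Returns None
    when both or neither series qualify, i.e. the ambiguous case (4.8)-(4.9)."""
    y_r = (y % q) * pow(r, -1, q) % q
    series = {v: project(v, moduli, centered=True) for v in (y_r, (q - y_r) % q)}
    good = [comp for comp in series.values() if all(c in (-1, 0, 1) for c in comp)]
    if len(good) != 1:
        return None
    return [abs(c) for c in good[0]]


if __name__ == "__main__":
    m = make_key(E, Q, R)                             # (134, 233, 247, 30)
    x = [1, 0, 1, 1]
    y = encrypt(x, m)                                 # 411
    print(m, y, decrypt_plain(y, Q, R, MODULI))       # y_r = 351 -> [1, 0, 1, 1]
    y_signed = encrypt(x, m, signs=[-1, 1, 1, -1])    # Example 4: 83, a 7-bit cryptogram
    print(y_signed, theorem2_condition(Q, MODULI), decrypt_signed(y_signed, Q, R, MODULI))
```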
II. Our attention will now be focused on a solution that is based on different idempotent elements as compared to those already considered. Further, we will assume that the vector $e = (e_1, \ldots, e_t)$ is given by (2.8) and the numbers $N_1, \ldots, N_t$ obey the conditions given by (2.1). The vector $e$ can be written down in the form of a matrix

$$E = \begin{bmatrix} e_1 \\ e_2 \\ \vdots \\ e_t \end{bmatrix} = \begin{bmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{bmatrix} \tag{4.24}$$

We can convert this matrix into a matrix $A$ using some transformation $\xi$ as follows:

$$A = \begin{bmatrix} a_1 \\ a_2 \\ \vdots \\ a_{t-1} \\ a_t \end{bmatrix} = \begin{bmatrix} 1 & 1 & \cdots & 1 & 1 \\ 0 & 1 & \cdots & 1 & 1 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & 1 \\ 0 & 0 & \cdots & 0 & 1 \end{bmatrix} \tag{4.25}$$

Now, knowing the values of the elements $a_i$ ($i = 1, \ldots, t$), we may find the elements of the cryptographic key (the choice of the numbers $q$ and $r$ needed to obtain the key using the numbers $a_i$ is given by (3.1) and (3.2)) according to the congruence

$$m_i = a_i r \pmod q, \quad i = 1, \ldots, t \tag{4.26}$$

The cryptogram on the transmitter's side we can get from

$$y = \sum_{i=1}^{t} x_i m_i \tag{4.27}$$

As a result, on the receiver's side we obtain the number

$$y_r = \sum_{i=1}^{t} x_i a_i r r^{-1} = \sum_{i=1}^{t} x_i a_i \pmod q \tag{4.28}$$

After projecting the number $y_r$ on the basic vectors $e_1, \ldots, e_t$, we have

$$y_r = [y_{r_1}, \ldots, y_{r_t}] \tag{4.29}$$

where $y_{r_i} = y_r \bmod N_i$, $i = 1, \ldots, t$. To obtain the public form of a message we must proceed as follows:

Step 1. If $y_{r_1} = 0$, then $x_1 = 0$; if $y_{r_1} = 1$, then $x_1 = 1$. Let us define numbers $d_i$ ($i = 2, \ldots, t$) and let $d_2 = y_r - x_1 a_1 \pmod N = [d_{2_1}, \ldots, d_{2_t}]$.

Step 2. If $d_{2_2} = 0$, then $x_2 = 0$; if $d_{2_2} = 1$, then $x_2 = 1$, and $d_3 = d_2 - x_2 a_2 \pmod N = [d_{3_1}, \ldots, d_{3_t}]$.

Step $i$. If $d_{i_i} = 0$, then $x_i = 0$; if $d_{i_i} = 1$, then $x_i = 1$, and $d_{i+1} = d_i - x_i a_i \pmod N = [d_{(i+1)_1}, \ldots, d_{(i+1)_t}]$, $i = 3, \ldots, t$.

To illustrate the PKC described, we will consider an example.

Example 5. Let the PKC be defined for enciphering of 4-bit messages and $N_1 = 2$, $N_2 = 3$, $N_3 = 5$, $N_4 = 7$. Thus the matrices $A$, $E$ take on the form

$$E = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 105 \\ 70 \\ 126 \\ 120 \end{bmatrix}, \qquad A = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 1 \\ 316 \\ 246 \\ 120 \end{bmatrix}$$

Since $\max_x \sum_{i=1}^{4} x_i a_i = 683$, let $q = 719$ and $r = 299$ ($r^{-1} = 101$). We can find the cryptographic key after the appropriate transformation of the matrix $A$ and obtain $m = (299, 295, 216, 649)$. For $x = (1011)$ we have $y = 1 \cdot 299 + 1 \cdot 216 + 1 \cdot 649 = 1164$. On the receiver's side we first calculate the number

$$y_r = y r^{-1} \pmod q = 367 \pmod{719}$$

After projecting $y_r$ on the basic vectors, we get

$y_{r_1} = y_r \bmod N_1 = 367 \bmod 2 = 1$, $y_{r_2} = 367 \bmod 3 = 1$, $y_{r_3} = 367 \bmod 5 = 2$, $y_{r_4} = 367 \bmod 7 = 3$.

Further, using the method of decipherment, we have

$y_{r_1} = 1 \to x_1 = 1$ and $d_2 = y_r - x_1 a_1 \pmod{210} = [0, 0, 1, 2]$;
$d_{2_2} = 0 \to x_2 = 0$ and $d_3 = d_2 - x_2 a_2 \pmod{210} = [0, 0, 1, 2]$;
$d_{3_3} = 1 \to x_3 = 1$ and $d_4 = d_3 - x_3 a_3 \pmod{210} = [0, 0, 0, 1] \to x_4 = 1$.

Thus the message represents the series $x = (1011)$. One can easily notice that the redundancy of the cryptogram is $R = 2.75$. We see that the cryptogram can also be calculated as in the previous version using the following expression:

$$y = \sum_{j=1}^{u} x_{i_j} m_{i_j} - \sum_{j=u+1}^{t} x_{i_j} m_{i_j} \tag{4.30}$$
Some additional conditions that must be included while defining the PKC are stated in Theorem 3.

Theorem 3. Given the PKC based on the numbers $N_1, \ldots, N_t$, where $N_i$ ($i = 1, \ldots, t$) is the power of an odd prime number and two different numbers $N_i$, $N_j$ are relatively prime, for which the matrices $E$ and $A$ are defined by (4.24) and (4.25) and the cryptogram is produced according to (4.30), in order to carry out the decipherment it is necessary and sufficient that $q_1 \notin \{-2, -1, 0, 1, 2\} \subset Z_{N_1}$ ($q_i = q \bmod N_i$, $i = 1, \ldots, t$), where $q$ is given in Section 3.

Proof. The cryptogram on the receiver's side is transformed according to (4.28), and so

$$y_r = y r^{-1} \pmod q \tag{4.31}$$

Since that cryptogram is of the form (4.30),

$$y_r = \sum_{j=1}^{u} x_{i_j} a_{i_j} - \sum_{j=u+1}^{t} x_{i_j} a_{i_j} \pmod q \tag{4.32}$$

We see that the number $\sum_{j=1}^{u} x_{i_j} a_{i_j} - \sum_{j=u+1}^{t} x_{i_j} a_{i_j}$ may be positive as well as negative (the sign is not known on the receiver's side). To determine the message we must first find two different numbers that fulfil the congruence (4.32), that is, $y_r$ and $y'_r = q - y_r$. Using the definitions (4.15) and (4.16), we get

$$y_r = [y_{r_1}, \ldots, y_{r_t}] \tag{4.33}$$

$$y'_r = [y'_{r_1}, \ldots, y'_{r_t}] \tag{4.34}$$

We note that one of the elements $y_{r_1}$ or $y'_{r_1}$, carrying the first element of the message, must belong to the set $\{-1, 0, 1\} \subset Z_{N_1}$ (the message is a binary series). Thus, to determine the message correctly it is necessary and sufficient to have the first element of the series that does not carry the message belonging to the set $Z_{N_1} \setminus \{-1, 0, 1\}$. If $y_r$ contains the message, then

$$y_{r_1} \in \{-1, 0, 1\} \quad \text{and} \quad y'_{r_1} \notin \{-1, 0, 1\} \tag{4.35}$$

and conversely on the other side. Now, since $y_{r_1} + y'_{r_1} = q_1$ ($q_1 = q \bmod N_1$) and taking into account (4.35), we obtain

$$q_1 \notin \{-2, -1, 0, 1, 2\} \tag{4.36}$$

Note that the choice of $q$ according to (4.36) results in the proper decision as to the series that carries the message in the first step of the calculation of $y_r$ and $y'_r$. Those statements are illustrated in the following example.

Example 6. Let the PKC be given as in Example 5; the matrix $A$ takes on the form

$$A = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 1 \\ 316 \\ 246 \\ 120 \end{bmatrix}$$

where $N_1 = 2$, $N_2 = 3$, $N_3 = 5$, $N_4 = 7$. For $q = 719$ and $r = 299$ the cryptographic key is $m = (299, 295, 216, 649)$. Let $x = (1011)$, and therefore

$$y = -1 \cdot 299 - 1 \cdot 216 + 1 \cdot 649 = 134$$

On the receiver's side we calculate $y_r = y r^{-1} \pmod q = 592 \pmod{719}$ and $y'_r = -y_r = 127 \pmod{719}$. Thus, $y_r = [0, 1, 2, 4]$ and $y'_r = [1, 1, 2, 1]$. Now, using the method of message extraction described above, for $y_r$ we have $y_{r_1} = 0 \to x_1 = 0$, then $x_2 = 1$, $x_3 = 1$ and $d_4 = [0, 0, 0, 2]$; for $y'_r$ we have $y'_{r_1} = 1 \to x_1 = 1$ and $d_2 = [0, 0, 1, 0]$, $x_2 = 0$, $x_3 = 1$ and $d_4 = [0, 0, 0, -1] \to x_4 = 1$. Thus, on the receiver's side we obtain the message in the form $x = (1, 0, 1, 1)$. Although the message $x$ has been extracted, it is only in the last step, since $d_{4_4} = 2 \ne 0$ and $d_{4_4} \ne \pm 1$, that the series $y_r$ is seen not to carry the message.

The calculation of the elements of both series $y_r$, $y'_r$ will not be necessary in the case when we apply the method of finding a matrix $A$ given in Theorem 3. Now, let $N_1 = 7$, $N_2 = 5$, $N_3 = 2$, $N_4 = 3$ and

$$A = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 1 \\ 301 \\ 175 \\ 70 \end{bmatrix}$$

To choose a number $q$ we must remember that two conditions have to be fulfilled:

1. $q > \sum_{i=1}^{4} a_i = 547$;
2. $q \bmod N_1 = q \bmod 7 \notin \{-2, -1, 0, 1, 2\}$.

As it is easy to check, the number $q = 557$ obeys those conditions. Further, let us pick out the number $r = 268$ ($r^{-1} = 106$). Thus the cryptographic key is $m = (268, 360, 112, 379)$. On the transmitter's side one can calculate the cryptogram for the message $x = (1011)$, and one obtains

$$y = 1 \cdot 268 + 1 \cdot 112 - 1 \cdot 379 = 1$$

On the receiver's side we have $y_r = y r^{-1} \pmod q = 106$ and $y'_r = -106 = 451 \pmod{557}$. Projecting the numbers $y_r$, $y'_r$ on the vectors $e_1, \ldots, e_4$, we get

$$y_r = 106 = [1, 1, 0, 1], \qquad y'_r = 451 = [3, 1, 1, 1]$$

The series corresponding to $y'_r$ contains a first element belonging to the set $\{3, 4\} \subset Z_7$, so the number $y'_r$ does not carry the message $x$. On the other hand, from the series $y_r = [1, 1, 0, 1]$ we have $x_1 = 1 \to d_2 = y_r - a_1 = [0, 0, -1, 0]$; $d_{2_2} = 0 \to x_2 = 0$, $d_3 = d_2$; $d_{3_3} = -1 \to x_3 = 1$ and $d_4 = d_3 + a_3 = [0, 0, 0, 1] \to x_4 = 1$. Thus, on the receiver's side we obtain the message in the form $x = (1, 0, 1, 1)$.
III. We will describe another way to form the matrix $A$ and to generate a cryptogram. We assume that $E$ is given by (4.24) and that the matrix $A$ ($E \xrightarrow{\ \xi\ } A$) has the rows $a_1, \ldots, a_t$ (4.37). Let the cryptographic key be obtained in the same way as previously, so $m = (m_1, \ldots, m_t)$, where $m_i = a_i r \pmod q$, $i = 1, \ldots, t$. However, $q$ is a prime and fulfils the inequality

$$q > \sum_{i=1}^{t-1} a_i a_{i+1} + a_t a_1 \tag{4.38}$$

where the number $r$ is picked out randomly from the elements of the field $Z_q$. The cryptogram for a message $x$ (footnote 9) is produced on the transmitter's side according to

$$y = \sum_{j=1}^{u} x_{i_j} w_{i_j} - \sum_{j=u+1}^{t} x_{i_j} w_{i_j} \tag{4.39}$$

where $w_i = m_i m_{i+1}$, $w_t = m_{t-1} m_t$ and $w_i \in \{w_1, \ldots, w_t\}$, $w_j \ne w_k$ for $j \ne k$, $j, k = 1, \ldots, t$. On the receiver's side we find the number

$$y_r = y (r^{-1})^2 \pmod q \tag{4.40}$$

Now, taking into account the congruences $w_i = m_i m_{i+1} = r^2 a_i a_{i+1} \pmod q$, $w_t = m_{t-1} m_t = r^2 a_{t-1} a_t \pmod q$ and the relation between the rows $a_i$ of the matrix $A$ and the elements $e_i$, we can write down equation (4.40) in the form

$$y_r = \sum_{j=1}^{u} x_{i_j} e_{i_j} - \sum_{j=u+1}^{t} x_{i_j} e_{i_j} \pmod q \tag{4.41}$$

Clearly, the value of the number $y'_r = q - y_r$ must also be found. Thus, having found the pair $(y_r, y'_r)$, we proceed further according to version I. We can extend the version being described, taking into account an arbitrary matrix $A$, the rows of which allow us to find all the elements $e_1, \ldots, e_t$ using arithmetic operations. Finally, it is worth mentioning that the implementation of idempotent elements for PKC design gives us large potential capabilities, and all the considerations presented above can be extended to the case where messages are represented by arbitrary series (not necessarily binary ones).

Footnote 9: A message is represented by a binary series.

5. The Evaluation of New PKCs Quality
The fundamental parameters characterizing the quality of data security systems are as follows:

- the probability of message disclosure to UU in case he knows a pair (cryptogram, cryptographic key);
- the number of elementary processing operations needed to disclose the message in case UU knows a pair (cryptogram, cryptographic key).

The first parameter, useful when evaluating the quality of a classical cryptosystem, is not useful here. This results from the fact that the principle of operation of the PKC is known to UU. Thus, he is faced with the problem of finding a message when the pair (cryptogram, cryptographic key) and the form of the cryptographic function $f: X \times M \to Y$ (where $X$, $M$, $Y$ represent the sets of messages, keys and cryptograms, respectively) are known to him. Since a cryptographic function must be reversible with respect to $m \in M$, UU is always able to disclose the message with probability 1. Thus, the main parameter of the quality of a PKC is the number of elementary processing operations that must be executed by UU to get the public form of the message when a pair (cryptogram, cryptographic key) is known to him. UU trying to break a cipher (footnote 11) can apply two different methods. The first is based on the solution of the appropriate knapsack problem. As is known [1], that problem is a numerical one for which, at a linear increase of the number of components defining it, the number of elementary processing operations needed to get a solution increases exponentially (a so-called NP-complete problem). However, the solution of the knapsack problem for the PKC with idempotent elements is more complicated, since to obtain a cryptogram we must calculate the expression

$$y = \sum_{j=1}^{u} m_{i_j} x_{i_j} - \sum_{j=u+1}^{t} m_{i_j} x_{i_j} \tag{5.1}$$

instead of (4.3). It must be emphasized that the security of information assured by the PKC is efficient as long as a suitable algorithm for solving the knapsack problem for (5.1) in a reasonable time has not been discovered. The most efficient algorithm [8] for solving the knapsack problem for (4.3) requires, on the average, $O(\sqrt{P})$ elementary processing operations, where $P$ is the number of all possible values taken on by $y$. Note (see Shamir [9]) that the number of elementary processing operations needed to obtain the solution of the knapsack problem for (4.3) depends upon the dimension of the vector representing the message and increases rapidly as this dimension increases. Thus, the most advantageous enciphering of messages seems to be in the form of binary series. Moreover, Shamir has proved [9] that each knapsack problem for $t < 4$ (see (4.3)) can be easily solved. The second method of message disclosure by UU is connected with finding the initial condition for the PKC, i.e. the numbers $N_1, \ldots, N_t$ and $a_1, \ldots, a_t$, provided the cryptographic key is known. To protect the numbers $a_i$ ($i = 1, \ldots, t$) against disclosure to UU we have proposed the multiplication of those numbers by $r$ in the field $Z_q$ (see also Merkle and Hellman [5]), where $r$ and $q$ are known exclusively on the receiver's side. Thus, UU, knowing the numbers $m_i$, $i = 1, \ldots, t$, faces a burdensome numerical problem that seems to be more time-consuming than the solution of the knapsack problem.

Let us now compare the PKC considered in this paper with that elaborated by Merkle-Hellman. First, the advantage of the PKC with idempotent elements as compared to the Merkle-Hellman cryptosystem is the elimination of the Herlestam method [3], which allows UU to find the values of some bits of a message. However, both cryptosystems have many common features that result from a similar structure (see Fig. 2). As one can see from Figure 2, the PKC with idempotent elements also has the following advantages:

- the capability of adapting the PKC to the transmission of messages having an arbitrary form (not necessarily the form of a binary series);
- the necessity for UU to solve a more complicated knapsack problem than in the case of a Merkle-Hellman cryptosystem;
- a decrease of the redundancy of the cryptogram, i.e. for the PKC with idempotent elements the redundancy is $R \le 1.5$ instead of $R = 2$ for Merkle-Hellman cryptosystems.

The disadvantage of both cryptosystems is that the length of the cryptographic key is of the order of a few thousand bits.

[Fig. 2: (a) the MH (Merkle-Hellman) system: initial condition $(a_1, \ldots, a_t)$ with $\sum a_j < a_i$, public key $m = (m_1, \ldots, m_t)$, channel, cryptogram; (b) the system with idempotent elements: initial condition $N = N_1 \cdots N_t$, $e = (e_1, \ldots, e_t)$, $a = (a_1, \ldots, a_t)$, public key $m = (m_1, \ldots, m_t)$, channel, cryptogram.]

Footnote 11: By breaking the cipher we understand finding the message on the basis of knowledge of a pair (cryptogram, key).
6. Conclusions

We may consider the PKC with idempotent elements as a modification of the Merkle-Hellman cryptosystem [5]. However, the implementation of idempotent elements permits an elastic approach to the problem of adjusting the enciphering algorithm to the form of a message and allows simple deciphering of cryptograms. We can also decrease the redundancy of a cryptogram while using the PKC with idempotent elements. We can achieve this by an appropriate choice of the sums $\sum_{j=1}^{u} m_{i_j} x_{i_j}$ and $\sum_{j=u+1}^{t} m_{i_j} x_{i_j}$. Moreover, we can also make the solution of the knapsack problem more difficult for UU by the addition or subtraction of an adequate number to or from the cryptogram; e.g. this number can be the product $m_i m_j$ ($i \ne j$), where $m_k = r e_k \pmod q$ for $k = i, j$, since $m_i m_j = r^2 e_i e_j = 0 \pmod N$; see also Version I. We have shown in examples the way the idempotent elements can be implemented for the design of a PKC. These examples can be used in practice, as they assure a high degree of security and show the simplicity of the generation of a cryptogram and of the extraction of the message from it.
References

[1] D.W. Davies, W.L. Price and G.I. Parkin: An Evaluation of Public Key Cryptosystems. NPL Report CTU 1, March 1979.
[2] W. Diffie and M.E. Hellman: New Directions in Cryptography. IEEE Trans. on Information Theory, IT-22, November 1976, pp. 644-654.
[3] T. Herlestam: Critical Remarks on some Public Key Cryptosystems. BIT, No. 18, 1975, pp. 493-496.
[4] W. Narkiewicz: Teoria Liczb. PWN, Warszawa, 1977.
[5] R.C. Merkle and M.E. Hellman: Hiding Information and Signatures in Trapdoor Knapsacks. IEEE Trans. on Information Theory, IT-24, September 1978, pp. 525-530.
[6] J. Pieprzyk and D. Rutkowski: Kryptograficzne Metody Ochrony Informacji. Rozprawy Elektrotechniczne.
[7] R.L. Rivest, A. Shamir and L. Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Comm. ACM, Vol. 21, No. 2, February 1978, pp. 120-126.
[8] R. Schroeppel and A. Shamir: A $T \cdot S^2 = O(2^n)$ Time/Space Tradeoff for Certain NP-Complete Problems. 20th Symposium on Foundations of Computer Science, October 1979.
[9] A. Shamir: The Cryptographic Security of Compact Knapsacks. Dept. of Mathematics, MIT, Cambridge, Preliminary Report, 1981.