Security analysis of the public key algorithm based on Chebyshev polynomials over the integer ring ZN


Information Sciences 181 (2011) 5110–5118

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Fei Chen *, Xiaofeng Liao, Tao Xiang, Hongying Zheng

State Key Laboratory of Power Transmission Equipment and System Security, College of Computer Science, Chongqing University, Chongqing 400044, PR China

Article info

Article history: Received 30 June 2010; received in revised form 10 May 2011; accepted 1 July 2011; available online 13 July 2011.

Keywords: Public key algorithm; Chaos; Period distribution; Security analysis; Periodic orbit; Dynamical system

Abstract

Recently Kocarev and Tasev [20] proposed to use Chebyshev polynomials over real numbers to design a public key algorithm by employing the semigroup property. Bergamo et al. [4] pointed out that the public key algorithm based on Chebyshev polynomials working on real numbers is not secure and devised an attack which recovers the corresponding plaintext from a given ciphertext. Later Kocarev et al. [19] generalized the Chebyshev polynomials from real number fields to finite fields and finite rings to make the public key algorithm more secure and practical. However, we analyzed the period distribution of the sequences generated by the Chebyshev polynomials over finite fields [21]. When the modulus $N$ is prime, we found this algorithm was also not secure and proposed an attack on this algorithm over finite fields. We then proposed some schemes to improve the security. In this paper, we further analyze in detail the period distribution of the sequences generated by Chebyshev polynomials over the integer ring $\mathbb{Z}_N$ when $N$ is composite. It turns out that the period distribution is poor if $N$ is not chosen properly and there are many small periods, which are not secure in the sense of cryptology. Based on these findings, we devise an attack on the public key algorithm based on Chebyshev polynomials over the integer ring $\mathbb{Z}_N$. We also propose some suggestions to avoid this attack.

© 2011 Elsevier Inc. All rights reserved.

* Corresponding author. Tel.: +86 23 65125420. 0020-0255/$ - see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2011.07.008

1. Introduction

Since 1976, when Diffie and Hellman published their epoch-making paper "New directions of Cryptology" [9], there have been tremendous efforts to construct public key algorithms. Over the past 30 years, some famous public key algorithms, such as RSA [30], Rabin [29], ElGamal [11] and ECC [26,18], have been proposed, studied and applied extensively. RSA is based on the concept of an exponentiation cipher that employs multiplication to generate the ciphertext. The RSA and Rabin algorithms depend on the difficulty of factoring large numbers for their security, while the ElGamal cipher [11] developed by ElGamal relies on the difficulty of solving the discrete logarithm problem. In 1985, Koblitz and Miller independently suggested the use of elliptic curves in the development of a new type of public key cipher [26,18]. Compared with RSA, systems based on the discrete logarithm over elliptic curves are able to maintain the same security level with shorter key sizes. Hence, elliptic curve cryptography (ECC) seems to be suitable for low computational devices such as smart cards.

In recent years, there have been many works using chaos to construct cryptosystems [17,33,5,24,40,1,2,23,16,20,19,41,36,28,12,42], most of which are symmetric algorithms [17,33,5,24,40,1,2,23], but there are also some efforts to design asymmetric algorithms [16,20,34,19] and key agreement protocols [41,42,36,28,12]. It is worth noting that many chaotic systems are defined over real numbers while traditional cryptography deals with systems mainly defined over finite fields. This yields some immediate consequences. Some ordinary design strategies and standard cryptanalytic methods cannot be applied to cryptosystems based on chaotic systems working over real numbers. To give an example, traditional cryptosystems have secure parameters taking values over a large finite field, and hence a brute force attack which simply tries all elements of the field in searching for the secret values might be infeasible but possible. But if the range of the parameters of a cryptosystem is a continuous infinite interval, i.e. the parameters are defined over real numbers, an exhaustive search is simply impossible. However, at the current state of knowledge, the security of chaos-based cryptosystems defined over real numbers is not well understood, both in theory and in practice.

In [16], the author presented the first chaotic public key algorithm by employing a one-dimensional difference equation, i.e. a quadratic difference equation which is first defined over real numbers and then generalized to finite fields. His system also makes use of ElGamal's scheme to accomplish the encryption process. In particular, a one-dimensional difference equation (i.e. iteration map) is well suited to be a one-way function. In view of this, a trapdoor is built by letting the legitimate owner know the number of iterations of the difference equation. Note that the security of this system depends on the infeasibility of solving the discrete logarithm over finite fields. It is exactly the same as the ElGamal public key encryption algorithm except that it adopts another one-way function. However, this algorithm is not useful and practical because, for general digital chaotic maps, there are no efficient algorithms to compute the $n$-th iteration value of the map when $n$ is large, such as $n = 2^{160}$.
Another asymmetric algorithm, called DDE (distributed dynamical encryption) [34], distributes a high-dimensional chaotic system between the transmitter and receiver, and characterizes the binary information by different attractors formed in the whole system. The two subsystems are timely and mutually coupled by integrating signals through different functions. The dynamics of the transmitter, including the function which generates the coupling signal to the receiver, are regarded as the public key. However, to improve the security, one has to alter the dynamics of the receiver at the beginning of each transmitted bit and construct the attractors off line. This dramatically increases the computation load for the receiver. The improvement of bit error rate also compromises the security.

In [20], Kocarev and Tasev proposed a public key algorithm based on Chebyshev polynomials over real numbers by replacing the multiplications in conventional algorithms with the iterations of Chebyshev polynomials defined on real numbers. One advantage is that this algorithm enriches the current public key family and opens new research directions in the cryptography field. Another advantage is that the underlying mathematical problem is different from that of traditional RSA. Here the hard mathematical problem is that, given an initial point $x_0$ and the $s$th iteration value $T_s(x_0)$, finding the large integer $s$ is difficult, while RSA is based on the integer factorization problem, which is also hard. However, more and more sophisticated algorithms have been proposed to solve the problem and the trend is continuing [39]. Moreover, this algorithm can also be used in authentication applications such as in key distribution center (KDC) systems [27]. Chebyshev polynomials are also employed in some key agreement protocols [41,36]. The paper [20] claimed that the proposed algorithm was both secure and practical and could be used both for encryption and digital signature.
Unfortunately, this algorithm was quickly analyzed and attacked by Bergamo et al. [4] and others [25,6]. The fundamental defect of this algorithm is that the Chebyshev polynomial of order $n$ has an explicit algebraic expression over real numbers, which makes this kind of algorithm vulnerable to some sophisticated attacks. To avoid this attack, Kocarev et al. improved their algorithm by extending the definition of Chebyshev polynomials to finite fields and finite rings [19]. Obviously, in this situation, the explicit algebraic expression over real number fields of the Chebyshev polynomial of order $n$ does not help to find $n$ over finite fields (rings) given an initial value $x_0$ and a final iteration value $T_n(x_0)$. Furthermore, Kocarev et al. pointed out that the problem of computing $n$ reduces to a DLP (discrete logarithm problem). But this is not always true and it depends on the choice of $N$, as the analysis in [21] shows. There the authors analyzed the period distribution of sequences generated by Chebyshev polynomials over finite fields when the modulus $N$ is prime. An attack on the public key algorithm was also proposed, followed by an improvement of the algorithm to make it fit for real world applications.

The situation when $N$ is prime has been studied in [21], while the security of the algorithm over the integer ring remains an open problem, which is this paper's concern. Here we continue to study the situation when $N$ is composite and investigate the security of the algorithm over the integer ring $\mathbb{Z}_N$. Although the algebraic structure of $\mathbb{Z}_N$ is quite different between a prime $N$ and a composite $N$, it turns out that the period distribution is also not good if the composite $N$ is not chosen properly: in that case there are many small periods, which is not secure from the point of view of cryptology. Based on these findings, we then propose an attack on the public key algorithm over the integer ring $\mathbb{Z}_N$ and give some suggestions to make the public key algorithm more secure and practical.
It is well known that in the study of chaotic maps a central problem is the calculation and classification of periodic orbits. However, the detailed information about these orbits is buried so deep in the structure of a given system that there is no systematic method which can extract it analytically. But general information concerning, for example, their density in phase space and the distribution of their periods can be partially obtained for Chebyshev polynomials via the approach in this paper. This is another contribution of this paper.

This paper is organized as follows. To make this paper self-contained, Section 2 presents some preliminaries that help to understand our analysis. Some classical recurrence equation theory is also introduced. In Section 3, a detailed analysis of the period distribution of the sequences generated by Chebyshev polynomials over the integer ring $\mathbb{Z}_N$ is given. Then Section 4 introduces an attack on the public key algorithm based on Chebyshev polynomials according to the analysis of the sequences' period distribution and gives some suggestions to avoid this attack. Finally, conclusions and some suggestions for future work are given in Section 5.


2. Preliminaries

This section gives the definition and properties of Chebyshev polynomials and reviews the public key algorithm based on Chebyshev polynomials over $\mathbb{Z}_N$. In order to handle recurrence equations over finite fields and finite rings, the classical algebraic approach, which plays a key role in analyzing the period distribution, is also presented. Please refer to [21] for more details, but the material here is enough for this paper. For the basic theory of abstract algebra and number theory, please refer to [15,22,13]. Throughout this preparatory section, suppose $N$ is a positive integer, either prime or composite.

2.1. Chebyshev polynomials

Definition 1. Let $n \ge 0$ be an integer and $x \in \mathbb{R}$ a variable. The Chebyshev polynomial of order $n$ is recursively defined by

$$T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x) \tag{1}$$

where $T_0(x) = 1$ and $T_1(x) = x$. From the definition, it is easy to verify that the first several Chebyshev polynomials are $T_0(x) = 1$, $T_1(x) = x$, $T_2(x) = 2x^2 - 1$, $T_3(x) = 4x^3 - 3x$ and $T_4(x) = 8x^4 - 8x^2 + 1$. When $x$ is over real number fields, $T_n(x)$ always has an explicit algebraic expression [38]

$$\begin{cases} T_n(x) = \cos(n \cos^{-1}(x)), & x \in [-1, 1] \\ T_n(x) = \cosh(n \cosh^{-1}(x)), & x \in [1, \infty) \end{cases} \tag{2}$$

Some important properties of Chebyshev polynomials are as follows.

Proposition 2 ([38]).

1. $T_r(T_s(x)) = T_s(T_r(x))$;
2. $T_n\left(\frac{x + x^{-1}}{2}\right) = \frac{x^n + x^{-n}}{2}$.

Proposition 2 can be easily deduced from the explicit algebraic expression (2), and it is this commutative property that is employed by Kocarev et al. to construct a novel public key algorithm [20,19]. The explicit algebraic expression of $T_n(x)$ over real number fields is not secure in the sense of cryptology. Thus, Kocarev et al. generalized the definition of $T_n(x)$.

Definition 3. Let $n \ge 0$ be an integer, $x \in \mathbb{Z}_N$ a variable and $N$ a positive integer. The Chebyshev polynomial of order $n$ is recursively defined by

$$T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x) \bmod N \tag{3}$$

where $T_0(x) = 1$ and $T_1(x) = x$. It is easy to verify that Proposition 2 also holds over $\mathbb{Z}_N$.

2.2. Public key algorithm based on Chebyshev polynomials over $\mathbb{Z}_N$

The public key algorithm proposed by Kocarev et al. in [19] is as follows. Suppose Alice wants to communicate with Bob. They do the following.

1. Bob generates a large integer $s$, selects a random number $x \in \mathbb{Z}_N$ and computes $T_s(x) \bmod N$, then sets the public key to $(x, T_s(x))$; the private key is $s$.
2. In order to send a message to Bob, Alice gets Bob's authentic public key $(x, T_s(x))$, represents the message as a number $M \in \mathbb{Z}_N$, generates a large random integer $r$ and computes $C_1 = T_r(x) \bmod N$, $C_2 = M \cdot T_r(T_s(x)) \bmod N$, then sends the ciphertext $C = (C_1, C_2)$ to Bob.
3. Upon receiving the ciphertext, Bob uses his private key $s$ to compute $T_s(C_1) = T_s(T_r(x)) = T_{rs}(x) = T_r(T_s(x)) \bmod N$, and thus recovers the plaintext by computing $M = \frac{C_2}{T_s(T_r(x))} \bmod N$.

It is obvious that this algorithm is correct when $N$ is a prime. But when $N$ is a composite, this algorithm encounters a problem: the inverse of $T_s(T_r(x))$, say $(T_s(T_r(x)))^{-1} \bmod N$, does not always exist, which is the same problem as with the Rabin public key algorithm [29]. This problem is equivalent to the solution for $M$ not being unique if $T_s(T_r(x))$ is not invertible, i.e. $T_s(T_r(x))$ and $N$ have common divisors. However, this problem is trivial. There are two simple methods to solve it.


1. Add extra information to indicate which plaintext is encrypted.
2. When the random $r$ is chosen, if it is found that $T_r(T_s(x))$ and $N$ have common divisors, then choose another $r$ in such a way that they are coprime.

2.3. Algebraic theory handling recurrence equations over finite fields and finite rings

Let $N$ be a positive integer. A typical recurrence equation over $\mathbb{Z}_N$ is

$$a_n + c_1 a_{n-1} + \cdots + c_L a_{n-L} = 0 \bmod N \tag{4}$$

where $a_i \in \mathbb{Z}_N$. When $N$ is a prime, $(\mathbb{Z}_N, +, \cdot)$ forms a finite field (i.e. Galois field) in which the modulo $N$ operation is performed both in addition and multiplication. (4) also forms the basis of classical stream ciphers constructed by linear feedback shift registers (LFSRs) and has been analyzed in detail [32,10,31]. When $N$ is a composite, $(\mathbb{Z}_N, +, \cdot)$ forms a finite ring. In this case, (4) has also been studied partially [37,7,8,14], although the operations and the theory of recurrence equations in finite rings are more complicated than those in finite fields.

Let $(a_n)_{n \ge 0}$ be a sequence generated by (4). Its generating function is defined as $S(t) = \sum_{n=0}^{\infty} a_n t^n$. Let $f(t) = c_0 + c_1 t + \cdots + c_L t^L$ where $c_0 = 1$; then multiplying $f(t)$ and $S(t)$ gives $f(t)S(t) = g(t)$ where $g(t) = \sum_{j=0}^{L-1} \sum_{i=0}^{j} c_i a_{j-i} t^j$. Thus it holds that

$$S(t) = \frac{g(t)}{f(t)}. \tag{5}$$

The polynomial $f(t)$ is called a characteristic polynomial of the recurrence Eq. (4). If $f(t)$ and $g(t)$ are coprime over $\mathbb{Z}_N[t]$, $f(t)$ is called the minimal polynomial of (4). Suppose the period of $(a_n)_{n \ge 0}$ is $T$, i.e. $a_{n+T} = a_n$ for $n \ge 0$. Then it is easy to verify $(1 - t^T)S(t) = \sum_{i=0}^{T-1} a_i t^i$, which leads to another form of $S(t)$, i.e.

$$S(t) = \frac{S_T(t)/(S_T(t),\, 1 - t^T)}{(1 - t^T)/(S_T(t),\, 1 - t^T)} \tag{6}$$

where $S_T(t) = \sum_{i=0}^{T-1} a_i t^i$. Suppose $f(t) \in \mathbb{Z}_N[t]$ is a polynomial with $\deg(f) \ge 1$ and $f(0) \ne 0$; then define its period, denoted as $\mathrm{per}(f)$, as the least positive integer $T$ such that $f(t) \mid 1 - t^T$. (5) and (6) imply that there is a relation between the minimal polynomial and the period. In detail, (5) and (6) give $\frac{g(t)}{f(t)} = \frac{S_T(t)}{1 - t^T}$; thus $f(t) \mid (1 - t^T)g(t)$. If $f(t)$ and $g(t)$ are coprime, it must hold that $f(t) \mid 1 - t^T$. Thus the following proposition holds.

Proposition 4. Let $T$ be the period of $(a_n)_{n \ge 0}$, and let $f(t)$ and $g(t)$ be as in (5). If $f(t)$ and $g(t)$ are coprime, then $T = \mathrm{per}(f)$.

Here are some examples that help to illustrate these concepts.

Example 5. Suppose $N = 15$.

1. Let $x = 0$. Then $(a_n)_{n \ge 0}$ generated by (3) is $1, 0, -1, 0, 1, 0, -1, 0, \ldots$. Its period is $T = 4$. The generating function is $S(t) = \frac{1}{t^2 + 1}$ and the minimal polynomial is $f(t) = t^2 + 1 \mid t^4 - 1$. It holds that $\mathrm{per}(f) = 4 = T$.
2. Let $x = 1$. Then $(a_n)_{n \ge 0}$ is $1, 1, 1, 1, \ldots$ and its period is $T = 1$. The generating function is $S(t) = \frac{1 - t}{1 - 2t + t^2} = \frac{1}{1 - t}$ and the minimal polynomial is $f(t) = t - 1 \mid t - 1$. It holds that $\mathrm{per}(f) = 1 = T$.

3. Period distribution of the sequences generated by Chebyshev polynomials over the integer ring $\mathbb{Z}_N$

In this section, suppose $N$ is a composite. Then $(\mathbb{Z}_N, +, \cdot)$ is a finite ring with characteristic $N$. Its structure is more complicated compared with a Galois field. $\mathbb{Z}_N$ is not a domain, which means there exist $m, n \in \mathbb{Z}_N$, $m \ne 0$ and $n \ne 0$, such that $mn = 0$ in $(\mathbb{Z}_N, +, \cdot)$. First, we list some notation which will be used in the following discussion.

Definition 6. Let $n \ge 0$ be an integer, $x \in \mathbb{Z}_N$ and $N$ be a composite. The Chebyshev polynomial of order $n$ is $T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x) \bmod N$ where $T_0(x) = 1$ and $T_1(x) = x$. $(a_n)_{n \ge 0}$ is defined as the sequence generated by the Chebyshev polynomials, i.e. $a_n = T_n(x)$. Let $T$ be the period of $(a_n)_{n \ge 0}$ and $S(t)$ be its generating function.

Let $f(t) = t^2 - 2xt + 1$; then it is easy to get $f(t)S(t) = 1 - xt$, which gives $S(t) = \frac{1 - xt}{t^2 - 2xt + 1}$. Let $g(t) = 1 - xt$. If $f(t)$ and $g(t)$ are coprime then the period $T = \mathrm{per}(f)$; otherwise $f(t)$ and $g(t)$ must have common divisors, in which case special attention is needed to analyze the period distribution. In the following discussions, two situations are considered: one is that $f(t)$ can be factorized as the product of two polynomials of degree 1, and the other is that $f(t)$ cannot be factorized. First, however, typical experimental results give a direct impression of what the period distribution looks like.


3.1. Typical experimental results

Figs. 1 and 2 are histograms of the period distributions for two typical composite $N$'s. The X axis denotes the value of the period and the Y axis denotes how many initial values of the Chebyshev polynomial (3) possess such a period. The histograms show there are many small periods, which are not secure from the point of view of cryptology. We will analyze the period distribution theoretically later and explain the cause of this phenomenon. We first present a top-level theorem which reduces the complexity of the period distribution problem for a general composite $N$.

Theorem 7. Let $(a_n)_{n \ge 0}$ be a sequence with period $T$ generated by (3) and $N = \prod_{i=1}^{l} p_i^{k_i}$ where $p_i$ is prime. Suppose $T_i$ is the period of $(a_n)_{n \ge 0}$ when it is considered as a sequence over $\mathbb{Z}_{p_i^{k_i}}$. Then it holds that $T = [T_1, T_2, \ldots, T_l]$.

Proof. This can be shown in two steps.

(i) On one hand, $a_{i+T} = a_i$ over $\mathbb{Z}_N$ implies $a_{i+T} = a_i$ over $\mathbb{Z}_{p_i^{k_i}}$. On the other hand, $a_{i+T_i} = a_i$ over $\mathbb{Z}_{p_i^{k_i}}$. Thus it holds that $T_i \mid T$ and $[T_1, T_2, \ldots, T_l] \mid T$.

(ii) Consider the following set of equations

$$\begin{cases} x = m_1 \bmod p_1^{k_1} \\ x = m_2 \bmod p_2^{k_2} \\ \quad \vdots \\ x = m_l \bmod p_l^{k_l} \end{cases}$$

By the Chinese Remainder Theorem [13], it has a unique solution $x = \sum_{i=1}^{l} m_i M_i M_i' \bmod N$ where $N = p_i^{k_i} M_i$ and $M_i M_i' = 1 \bmod p_i^{k_i}$. Let $(a_n^i)_{n \ge 0}$ denote the sequence $(a_n)_{n \ge 0}$ when it is considered as a sequence over $\mathbb{Z}_{p_i^{k_i}}$. Then $a_n = \sum_{i=1}^{l} a_n^i M_i M_i' \bmod N$. From $a^i_{n+[T_1,T_2,\ldots,T_l]} = a^i_n$, it holds that $a_{n+[T_1,T_2,\ldots,T_l]} = \sum_{i=1}^{l} a^i_{n+[T_1,T_2,\ldots,T_l]} M_i M_i' \bmod N = \sum_{i=1}^{l} a^i_n M_i M_i' \bmod N = a_n$. Therefore $T \mid [T_1, T_2, \ldots, T_l]$.

Combining (i) and (ii), $T = [T_1, T_2, \ldots, T_l]$. □

This theorem shows that the problem of period distribution over $\mathbb{Z}_N$ can be reduced to period distribution over $\mathbb{Z}_{p_i^{k_i}}$. $(\mathbb{Z}_{p^e}, +, \cdot)$, denoted as $GR(p^e)$, is a Galois ring with a local unique maximal ideal $(p)$ [35]. There are $\varphi(p^e) = p^e - p^{e-1}$ elements in $\mathbb{Z}_{p^e}$ which are invertible, and these elements form the multiplicative group of $GR(p^e)$, denoted as $\mathbb{Z}^*_{p^e}$. Now we will deal with the period distribution on $\mathbb{Z}_{p_i^{k_i}}$ in two cases, i.e. the case that $f(t)$ can be factorized and the case that $f(t)$ cannot.

3.2. If f(t) can be factorized

When $f(t) = t^2 - 2xt + 1$ can be factorized, the analysis is as follows.

[Fig. 1. Histogram of period distribution when $N = 3^8$ (x-axis: period; y-axis: frequency).]

[Fig. 2. Histogram of period distribution when $N = 7500$ (x-axis: period; y-axis: frequency).]

Theorem 8. Suppose $f(t)$ can be factorized as $f(t) = (t - m)(t - m^{-1})$ where $m, m^{-1} \in \mathbb{Z}^*_{p^e}$ and $T$ is the period of $(a_n)_{n \ge 0}$. If $m - m^{-1}$ is invertible in $\mathbb{Z}_{p^e}$, then $T = \mathrm{ord}(m)$.

Proof. Here $2x = m + m^{-1}$, $S(t) = \frac{1 - xt}{(t - m)(t - m^{-1})} = \frac{g(t)}{f(t)}$ and the discussion goes in two cases.

Case 1: $f(t)$ and $g(t)$ are coprime. Then $T = \mathrm{per}(f)$ and $f(t) = (t - m)(t - m^{-1})$. Since the order of $m$ is $\mathrm{ord}(m)$, we have $m^{\mathrm{ord}(m)} = 1$, which implies that $m$ is a root of $t^{\mathrm{ord}(m)} - 1$. Thus $t - m \mid t^{\mathrm{ord}(m)} - 1$ and also $t - m^{-1} \mid t^{\mathrm{ord}(m^{-1})} - 1$.

1. If $m \ne m^{-1}$, $t - m$ and $t - m^{-1}$ are coprime. $m - m^{-1}$ being invertible gives $f(t) = (t - m)(t - m^{-1}) \mid t^{\mathrm{ord}(m)} - 1$. Meanwhile $\mathrm{ord}(m)$ is the smallest positive number such that $m^{\mathrm{ord}(m)} = 1$. It is also the smallest positive number $l$ such that $t - m \mid t^l - 1$. Therefore $T = \mathrm{per}(f) = \mathrm{ord}(m)$.
2. If $m = m^{-1}$, $m - m^{-1}$ is not invertible, which contradicts the assumption.

Case 2: $f(t)$ and $g(t)$ are not coprime. $S(t)$ can then be reduced to $S(t) = \frac{k}{t - m}$ or $S(t) = \frac{k}{t - m^{-1}}$ where $k \in \mathbb{Z}^*_{p^e}$. Then $T = \mathrm{per}(t - m)$ or $T = \mathrm{per}(t - m^{-1})$. In either case, $T = \mathrm{ord}(m)$.

Combining Cases 1 and 2, the proof is completed. □

Remark 9. The condition of $m - m^{-1}$ being invertible is quite critical, which raises the question of how many initial $x$'s satisfy this condition. Let the $p$-adic expansions of $m$ and $m^{-1}$ be $m = a_0 + a_1 p + \cdots + a_{e-1} p^{e-1}$ and $m^{-1} = b_0 + b_1 p + \cdots + b_{e-1} p^{e-1}$ respectively, where $a_i, b_i \in \mathbb{Z}_p$. Then $m - m^{-1} = (a_0 - b_0) + (a_1 - b_1)p + \cdots + (a_{e-1} - b_{e-1})p^{e-1}$. If $a_0 - b_0$ is invertible in $\mathbb{Z}_p$, i.e. $a_0 \ne b_0$, then $m - m^{-1}$ will also be invertible. Notice that $m \cdot m^{-1} = 1$ in $\mathbb{Z}^*_{p^e}$, which gives $a_0 b_0 = 1$ in $\mathbb{Z}_p$. Considering this, $a_0 = b_0$ means $a_0 = b_0 = 1$ or $p - 1$. So if $a_0 \ne 1, p - 1$, the condition of this theorem will be satisfied, and there are many $x$'s corresponding to this situation. In the public key algorithm, $x$ has great influence on the secret key. If $x$ is not chosen well, this theorem exposes the insecurity of the public key algorithm because the period of the sequence $T_n(x)$ is too small.

Now the problem of the period distribution of $(a_n)_{n \ge 0}$ is reduced to the problem of the distribution of $\mathrm{ord}(m)$ in the multiplicative group $\mathbb{Z}^*_{p^e}$.

Theorem 10. Let $m$ go over the set $\{m : m - m^{-1} \text{ is invertible},\ m \in \mathbb{Z}^*_{p^e}\}$ where $p$ is prime; then $\mathrm{ord}(m)$ goes over the set $\{t : t \mid (p - 1)p^{e-1},\ 2 \nmid t,\ t \text{ has a divisor of } p - 1\}$.

Proof. $\mathbb{Z}^*_{p^e}$ is a cyclic group and $\mathbb{Z}^*_{p^e}$ has a primitive $g$ with $\mathrm{ord}(g) = \varphi(p^e) = (p - 1)p^{e-1}$. Any element $m \in \mathbb{Z}^*_{p^e}$ can be expressed as $m = g^n$, where $n = 0, 1, \ldots, (p - 1)p^{e-1} - 1$. Then it is trivial that $\mathrm{ord}(m) \in \{t : t \mid (p - 1)p^{e-1}\}$. Combining Remark 9, when $m$ goes over $\{m : m - m^{-1} \text{ is invertible},\ m \in \mathbb{Z}^*_{p^e}\}$, then $\mathrm{ord}(m)$ goes over $\{t : t \mid (p - 1)p^{e-1},\ 2 \nmid t,\ t \text{ has a divisor of } p - 1\}$. □

The next step naturally is to count how many $x$'s there are in $\mathbb{Z}_{p^e}$ satisfying $2x = (m + m^{-1})$, which is equivalent to the situation when $f(t)$ can be factorized.

Theorem 11. Let $p$ be prime and $e$ be a positive integer. There are $\frac{(p-3)p^{e-1}}{2}$ $x$'s in $\mathbb{Z}_{p^e}$ satisfying the condition that $m - m^{-1}$ is invertible.

Proof. Let $m = a_0 + a_1 p + \cdots + a_{e-1} p^{e-1}$. $m \in \mathbb{Z}^*_{p^e}$ means $a_0 \ne 0$, and $m - m^{-1}$ being invertible gives $a_0 \ne 1, p - 1$, just as in the discussion in Remark 9. Thus the number of choices for $a_0$ is $p - 3$. However, $a_1, \ldots, a_{e-1} \in \mathbb{Z}_p$. Then the total number of choices for $m$ is $(p - 3)p^{e-1}$.

Suppose there are two $m$'s such that $2x = (m_1 + m_1^{-1}) = (m_2 + m_2^{-1})$. Then $(m_1 - m_2)(m_1 m_2 - 1) = 0$. From $m - m^{-1}$ being invertible, it is easy to verify that $m_1 = m_2$ or $m_1 = m_2^{-1}$.

Therefore, the total number of $x$'s is $\frac{(p-3)p^{e-1}}{2}$. □

Remark 12. There are also some $x$'s with which $f(t)$ can be factorized. The period of such $x$'s is not clear now. However, the number of such $x$'s is very small compared with $\frac{(p-3)p^{e-1}}{2}$, and the periods of $f(t)$ with such $x$'s may also be quite small.

Summarizing the discussion above, we have the following theorem.

Theorem 13. For each $T \in \{t : t \mid (p - 1)p^{e-1},\ 2 \nmid t,\ t \text{ has a divisor of } p - 1\}$ where $p$ is prime, there exist $x$'s in $\mathbb{Z}_{p^e}$ with which the period of $(a_n)_{n \ge 0}$ is $T$.

3.3. If f(t) cannot be factorized

Now the remaining $x$'s in $\mathbb{Z}_{p^e}$ with which $f(t)$ cannot be factorized are discussed. It is obvious that $T = \mathrm{per}(f)$. $(\mathbb{Z}_{p^e}, +, \cdot)$, denoted as $GR(p^e)$, is a Galois ring with a local unique maximal ideal $(p)$. The Hensel lemma and Hensel lift are often adopted to discuss problems in Galois rings [37,14,35]: the questions are first considered in the Galois field $GF(p)$ and the results obtained in $GF(p)$ are then lifted to the Galois ring $GR(p^e)$. Let $\mathrm{per}(f)$ and $\mathrm{per}(f)_{p^e}$ denote the period of $f(t)$ in $GF(p)[t]$ and $GR(p^e)[t]$ respectively. We first present three well known lemmas [8,14].

Lemma 14 ([8,14]). Let $p$ be a prime, $e$ be an integer, and $\mathrm{per}(f)_{p^i}$ denote the period of $f(t)$ in $GF(p^i)[t]$, $0 \le i \le e$. The following hold.

1. $\mathrm{per}(f) \mid \mathrm{per}(f)_{p^2} \mid \cdots \mid \mathrm{per}(f)_{p^e}$.
2. $\mathrm{per}(f)_{p^e} \mid p \cdot \mathrm{per}(f)_{p^{e-1}} \mid \cdots \mid p^{e-1} \cdot \mathrm{per}(f)$.
3. $\mathrm{per}(f)_{p^e} = p^i\, \mathrm{per}(f)$, for some $i < e$.

Now it is time to present some results on $\mathrm{per}(f)_{p^e}$.

Theorem 15. If $f(t)$ is irreducible, it holds that $\mathrm{per}(f)_{p^e} = T p^i$, $i < e - 1$, where $T \mid p + 1$.

Proof. According to [21], we have $\mathrm{per}(f) = T \mid p + 1$. This gives $\mathrm{per}(f)_{p^e} = T p^i$, $i < e - 1$. □

Remark 16. Theorem 15 also exposes the vulnerability of the public key based on Chebyshev polynomials with small periods. From the discussions above, when $N$ is a composite and not chosen properly, e.g. $p - 1$ or $p + 1$ has many small factors, there are many small periods for $(T_n(x))_{n \ge 0}$, which are not secure from the cryptology point of view. So the modulus $N$ should be chosen carefully to get a large period. Now we clarify these discussions with an example.

Example 17. Let $N = 7^3$. We use a program to exhaust all possible initial $x$'s and compute their periods. The detailed period distribution is given in Table 1. The results are consistent with our theoretical analysis in Theorems 13 and 15.

Table 1. Period distribution when $N = 7^3$.

Period         |  1 |  2 |  3 |  4 |  6 |   7 |   8 |  14 |  21
Number of x's  |  1 |  1 |  1 |  1 |  1 |   6 |   2 |   6 |   6
Period         | 28 | 42 | 49 | 56 | 98 | 147 | 196 | 294 | 392
Number of x's  |  6 |  6 | 42 | 12 | 42 |  42 |  42 |  42 |  84

4. An attack on the public key algorithm based on Chebyshev polynomials over the integer ring $\mathbb{Z}_N$

Section 3 has analyzed in detail the period distribution of the sequences generated by the Chebyshev polynomials. The analysis shows that if $N = p_1^{k_1} \cdots p_l^{k_l}$ is chosen improperly, i.e. $p_i - 1$ or $p_i + 1$ has small factors except 2, then the sequences have many small periods, which are not secure in cryptology applications. Based on these findings, we propose an attack on the public key algorithm proposed by Kocarev et al. [19]. An attacker Malice who wants to break the cryptosystem can perform the following steps to achieve his goal.

1. Get Bob's public key $(x, T_s(x))$ and compute a series of $(T_n(x))_{n \ge 0}$, trying to find its period with this initial value $x$. If in permitted time Malice finds the period $T^*$, which means the period of $(T_n(x))_{n \ge 0}$ with the current $x$ is not large, the attack continues to step 2; otherwise the attack fails.
2. Given Bob's public key $(x, T_s(x))$ and Alice's ciphertext $C = (C_1, C_2) = (T_r(x), M \cdot T_r(T_s(x)))$, find $k_1 < T^*$ and $k_2 < T^*$ such that $T_s(x) = T_{k_1 + n_1 T^*}(x)$ and $T_r(x) = T_{k_2 + n_2 T^*}(x)$.
3. Compute $\frac{C_2}{T_{k_1 k_2}(x)}$ to recover the plaintext.

Now we show the correctness of this attack. By $T_s(x) = T_{k_1 + n_1 T^*}(x)$ and $T_r(x) = T_{k_2 + n_2 T^*}(x)$, it holds that

$$T_r(T_s(x)) = T_{rs}(x) = T_{(k_1 + n_1 T^*)(k_2 + n_2 T^*)}(x) = T_{k_1 k_2 + l T^*}(x) = T_{k_1 k_2}(x)$$

where $l = k_1 n_2 + k_2 n_1 + n_1 n_2 T^*$. Thus $\frac{C_2}{T_{k_1 k_2}(x)} = \frac{C_2}{T_{rs}(x)} = M$, getting the plaintext.

Remark 18.

1. The attack is not always successful if $N$ is carefully chosen.
2. If $p$ is a prime with $p - 1 = 2p_1$ and $p + 1 = 2p_2$ where $p_1$ and $p_2$ are also primes, $p$ is called a strong prime. When $N$ is a composite, we suggest that $N$ be the product of a series of strong primes, each with a small power. For example, suppose $N$ is a composite of 256 bits and $N = p_1^{e_1} p_2^{e_2} p_3^{e_3}$. Then $p_i^{e_i}$ is on average about 85 bits, where $i = 1, 2$ and $3$. If $e_i$ is 3 or 4 then $p_i$ is about 28 or 21 bits. All these will lead to a series of small periods according to the discussions in Section 3. To achieve a high level of security, the length of $N$ needs to increase. Therefore, we suggest that $N$ be the product of several (e.g. 2 or 3) strong primes with small powers; for example, 1 and 2 are recommended exponents.

Now we give an example to illustrate this attack.

Example 19. Let $N = 9797 = 97 \times 101$ and $x = 32$. Bob selects 4000 as his private key and $T_{4000}(32) = 3637$. Then Bob's public key is $(32, 3637)$. Alice's plaintext is 601. She selects a random $r = 5000$ and computes $C_1 = T_{5000}(32) = 1213$, $T_{5000}(T_{4000}(32)) = 3637$, $C_2 = 601 \times 3637 = 1106$. Then she sends the ciphertext $(1213, 1106)$ to Bob. Malice wants to break the cryptosystem. He takes the following steps.

1. Computes a series of $T_n(32)$, $n \ge 0$, and finds the period 1200.
2. Expresses $T_{4000}(32) = T_{400}(32)$ and $T_{5000}(32) = T_{200}(32)$. Thus, he has $k_1 = 400$ and $k_2 = 200$.
3. Computes $\frac{C_2}{T_{k_1 k_2}(x)} = \frac{1106}{T_{400 \cdot 200}(32)} = \frac{1106}{T_{800}(32)} = \frac{1106}{3637} = 601$.

He succeeds in recovering the plaintext. This is only a simple example. In practical attacks, Malice needs to find the period $T$ in permitted time. Based on the analysis in Section 3, we can conclude that Malice can break the cryptosystem successfully with a non-negligible probability when $N$ is not chosen properly.
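The following Python sketch is an added example, not code from the paper: it steps recurrence (3) to measure periods, reproduces the exhaustive search of Example 17 for $N = 7^3$, checks Theorem 7 on $N = 97 \times 101$ (reading $[T_1, T_2]$ as the least common multiple), and replays Example 19 with a bounded period search. The function names (`cheb`, `period`, `period_distribution`, `recover_if_period_small`) and the `budget` parameter are assumptions of this example.

```python
"""Added example (not from the paper): periods of T_n(x) mod N, Table 1, Example 19."""
from collections import Counter
from math import gcd


def cheb(n, x, N):
    """T_n(x) mod N in O(log n) steps on the pair (T_k, T_{k+1}), using
    T_{2k} = 2*T_k^2 - 1 and T_{2k+1} = 2*T_k*T_{k+1} - x."""
    a, b = 1 % N, x % N                          # (T_0, T_1)
    for bit in bin(n)[2:]:                       # most significant bit first
        if bit == "1":                           # k -> 2k + 1
            a, b = (2 * a * b - x) % N, (2 * b * b - 1) % N
        else:                                    # k -> 2k
            a, b = (2 * a * a - 1) % N, (2 * a * b - x) % N
    return a


def period(x, N, limit=None):
    """Least P > 0 with (T_P, T_{P+1}) = (T_0, T_1) mod N, found by stepping
    recurrence (3). Returns None if P is not reached within `limit` steps."""
    start = (1 % N, x % N)
    a, b = start
    steps = 0
    while limit is None or steps < limit:
        a, b = b, (2 * x * b - a) % N
        steps += 1
        if (a, b) == start:
            return steps
    return None


def period_distribution(N):
    """Exhaust every initial value x in Z_N (as in Example 17): period -> count."""
    return dict(Counter(period(x, N) for x in range(N)))


def lcm(a, b):
    return a * b // gcd(a, b)


def encrypt(M, r, pub, N):
    """Section 2.2, step 2: C = (T_r(x), M * T_r(T_s(x))) mod N."""
    x, y = pub                                   # y = T_s(x)
    return cheb(r, x, N), M * cheb(r, y, N) % N


def decrypt(C, s, N):
    """Section 2.2, step 3: M = C2 / T_s(C1) mod N (T_s(C1) must be a unit)."""
    C1, C2 = C
    return C2 * pow(cheb(s, C1, N), -1, N) % N


def recover_if_period_small(pub, C, N, budget):
    """Section 4, steps 1-3, with the search bounded by `budget` iterations.
    Returns the plaintext when the period of T_n(x) fits in the budget,
    otherwise None (the outcome that a well-chosen N is meant to force)."""
    x, y = pub
    C1, C2 = C
    P = period(x, N, limit=budget)
    if P is None:
        return None
    first_index = {}                             # value T_k(x) -> least k < P
    a, b = 1 % N, x % N
    for k in range(P):
        first_index.setdefault(a, k)
        a, b = b, (2 * x * b - a) % N
    k1, k2 = first_index[y], first_index[C1]
    return C2 * pow(cheb(k1 * k2, x, N), -1, N) % N


if __name__ == "__main__":
    # Example 17 / Table 1: exhaustive period distribution for N = 7^3.
    for P, count in sorted(period_distribution(7 ** 3).items()):
        print(f"period {P:3d}: {count:2d} x's")

    # Theorem 7 on the modulus of Example 19: T = [T_1, T_2].
    N, x = 97 * 101, 32
    T1, T2 = period(x, 97), period(x, 101)
    print("periods mod 97, mod 101, mod N:", T1, T2, period(x, N), lcm(T1, T2))

    # Example 19: s = 4000, r = 5000, M = 601.
    pub = (x, cheb(4000, x, N))
    C = encrypt(601, 5000, pub, N)
    print("public key", pub, "ciphertext", C)
    print("Bob decrypts:", decrypt(C, 4000, N))
    print("recovered from public data:", recover_if_period_small(pub, C, N, 10_000))
```

Any pair of indices with $T_{k_1}(x) = T_s(x)$ and $T_{k_2}(x) = C_1$ works in the last function, because $T_{k_1 k_2}(x) = T_{k_2}(T_{k_1}(x))$ depends only on those values; the least such indices here are the paper's $k_1 = 400$ and $k_2 = 200$.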
It is worth noting that even if $N$ is chosen properly, the public key algorithm based on Chebyshev polynomials still needs to be padded and enhanced, just as RSA-OAEP [3], in order to be a secure public key cryptosystem for real world uses.

5. Conclusions

In this paper, we analyzed in detail the period distribution of the sequences generated by Chebyshev polynomials over the integer ring $\mathbb{Z}_N$ when $N$ is composite. To model the problem, the classical algebraic theory handling recurrence equations is employed to study the period distribution. It turns out that if $N$ is not chosen properly, the period distribution is poor, with the consequence that the public key algorithm is not secure in the sense of cryptography. Thus, $N$ should be carefully chosen such that the periods of the sequences generated by Chebyshev polynomials are large enough to make a brute force attack infeasible. Furthermore, the public key algorithm also needs to be enhanced as RSA-OAEP to be secure in practical uses.

However, it is interesting to use dynamical systems to construct public key algorithms like the one based on Chebyshev polynomials. Indeed RSA, Rabin, ElGamal and ECC can also be regarded as simple dynamical systems. The difficulty is how to employ general dynamical systems to construct public key algorithms, which is challenging and deserves intensive study. Another important problem is to characterize the security properties of the proposed algorithms. These topics are interesting and need further research.


Acknowledgement

This research was supported in part by the Fundamental Research Funds for the Central Universities (No. CDJXS10182215) and the National Natural Science Foundation of China (Nos. 60973114, 60703035), the Natural Science Foundation Project of CQ CSTC (Nos. 2009BA2024, 2008BB2193), and State Key Laboratory of Power Transmission Equipment & System Security and New Technology, Chongqing University (No. 2007DA10512709207). The Natural Science Foundation Project of CQ CSTC (No. 2008BB2193) and the Post-doctoral Science Foundation of China (No. 20100470817). The National High Technology Research and Development Program of China (No. 2006AA04A123), the Natural Science Foundation of Chongqing, China (No. 2008BB2182, 2008BB0173), the Innovation Ability Training Foundation of Chongqing University, China (No. CDCX021).

References

[1] J. Amigo, L. Kocarev, J. Szczepanski, Theory and practice of chaotic cryptography, Physics Letters A 366 (3) (2007) 211–216.
[2] A. Bafghi, R. Safabakhsh, B. Sadeghiyan, Finding the differential characteristics of block ciphers with neural networks, Information Sciences 178 (15) (2008) 3118–3132.
[3] M. Bellare, P. Rogaway, Optimal asymmetric encryption, in: Advances in Cryptology – EUROCRYPT’94, Springer, 1995, p. 92.
[4] P. Bergamo, P. D’Arco, A. De Santis, L. Kocarev, Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems I: Regular Papers 52 (7) (2005) 1382–1393.
[5] G. Chen, Y. Mao, C. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
[6] K. Cheong, T. Koshiba, More on security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems II: Express Briefs 54 (9) (2007) 795–799.
[7] Z. Dai, Binary sequences derived from ML-sequences over rings I: periods and minimal polynomials, Journal of Cryptology 5 (3) (1992) 193–207.
[8] Z. Dai, M. Huang, A criterion for primitiveness of polynomial over $Z_{2^d}$, Chinese Science Bulletin 36 (1991) 892–895.
[9] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.
[10] C. Ding, G. Xiao, W. Shan, The Stability Theory of Stream Ciphers, Springer, 1991.
[11] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in: Advances in Cryptology – CRYPTO’84, Springer, 1985, pp. 10–18.
[12] X. Guo, J. Zhang, Secure group key agreement protocol based on chaotic hash, Information Sciences 180 (20) (2010) 4069–4074.
[13] G. Hardy, E. Wright, D. Heath-Brown, J. Silverman, An Introduction to the Theory of Numbers, Clarendon Press, Oxford, 1960.
[14] M. Huang, Maximal period polynomials over $Z_{p^d}$, Science in China, Series A 35 (1992) 271–275.
[15] T. Hungerford, Algebra, Graduate Texts in Mathematics, vol. 73, Springer-Verlag, 1974.
[16] F. Hwu, The interpolating random spline cryptosystem and the chaotic-map public-key cryptosystem, Ph.D. Thesis, University of Missouri Rolla, 1993.
[17] G. Jakimoski, L. Kocarev, Chaos and cryptography: block encryption ciphers based on chaotic maps, IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications 48 (2) (2001) 163–169.
[18] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48 (177) (1987) 203–209.
[19] L. Kocarev, J. Makraduli, P. Amato, Public-key encryption based on Chebyshev polynomials, Circuits, Systems, and Signal Processing 24 (5) (2005) 497–517.
[20] L. Kocarev, Z. Tasev, Public-key encryption based on Chebyshev maps, in: Proceedings of the 2003 International Symposium on Circuits and Systems, 2003.
[21] X. Liao, F. Chen, K. Wong, On the security of public-key algorithms based on Chebyshev polynomials over the finite field $Z_N$, IEEE Transactions on Computers 59 (10) (2010) 1392–1401.
[22] R. Lidl, H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University Press, 1994.
[23] H. Liu, X. Wang, Color image encryption based on one-time keys and robust chaotic maps, Computers and Mathematics with Applications 59 (10) (2010) 3320–3327.
[24] N. Masuda, G. Jakimoski, K. Aihara, L. Kocarev, Chaotic block ciphers: from theory to practical algorithms, IEEE Transactions on Circuits and Systems I: Regular Papers 53 (6) (2006) 1341–1352.
[25] G. Maze, Algebraic methods for constructing one-way trapdoor functions, Ph.D. Thesis, University of Notre Dame, 2003.
[26] V. Miller, Use of elliptic curves in cryptography, in: Advances in Cryptology – CRYPTO’85, Springer, 1986, pp. 417–426.
[27] MIT, Kerberos: the network authentication protocol, visited in 2010.
[28] Y. Niu, X. Wang, An anonymous key agreement protocol based on chaotic maps, Communications in Nonlinear Science and Numerical Simulation 16 (4) (2011) 1986–1992.
[29] M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Technical Report TR-212, Massachusetts Institute of Technology, Cambridge, MA, USA, 1979.
[30] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 126.
[31] M. Robshaw, O. Billet, New stream cipher designs: the eSTREAM finalists, Lecture Notes in Computer Science 4986 (2008).
[32] R.A. Rueppel, Analysis and design of stream ciphers, Springer-Verlag New York, Inc., New York, NY, USA, 1986.
[33] R. Schmitz, Use of chaotic dynamical systems in cryptography, Journal of the Franklin Institute 338 (4) (2001) 429–441.
[34] R. Tenny, L. Tsimring, L. Larson, H. Abarbanel, Using distributed nonlinear dynamics for public key encryption, Physical Review Letters 90 (4) (2003) 47903.
[35] Z. Wan, Lectures on finite fields and Galois rings, World Scientific Pub. Co. Inc., 2003.
[36] X. Wang, J. Zhao, An improved key agreement protocol based on chaos, Communications in Nonlinear Science and Numerical Simulation 15 (12) (2010) 4052–4057.
[37] M. Ward, The arithmetical theory of linear recurring series, Transactions of the American Mathematical Society 35 (3) (1933) 600–628.
[38] Wiki, Chebyshev Polynomials, visited in 2010.
[39] Wiki, RSA, visited in 2010.
[40] T. Xiang, K. Wong, X. Liao, Selective image encryption using a spatiotemporal chaotic system, Chaos: An Interdisciplinary Journal of Nonlinear Science 17 (2007) 023115.
[41] D. Xiao, X. Liao, S. Deng, A novel key agreement protocol based on chaotic maps, Information Sciences 177 (4) (2007) 1136–1142.
[42] D. Xiao, X. Liao, S. Deng, Using time-stamp to improve the security of a chaotic maps-based key agreement protocol, Information Sciences 178 (6) (2008) 1598–1602.