Asymmetric Cryptosystem on Matrix Algebra Over a Chain Ring

Abstract
The revolutionary idea of asymmetric cryptography brought a fundamental change to our modern communication systems. However, advances in quantum computers endanger the security of many asymmetric cryptosystems based on the hardness of factoring and the discrete logarithm, while the complexity of quantum algorithms makes them hard to implement in many applications. In this respect, asymmetric cryptosystems based on matrices over residue rings are in practice. In this article, a novel approach is introduced. Instead of the matrix algebra (, ℤ  ), the matrix algebra (,  ) over the chain ring   = ℤ  [] 〈  〉 is considered. In this technique, inner automorphisms rather than exponentiation are used for key generation. The chain ring adds computational complexity to the algorithm, which improves the strength of the cryptosystem. The residue ring endangers the security of the original cryptosystem, whereas the scheme is hard to break over   . The structure of the chain ring is built on the binary field ℤ  , which simplifies its calculations and makes it capable of efficient execution in various applications.


Introduction
Internet and network applications have become a basic necessity of the modern world, and cryptographic techniques provide security for these applications. Cryptography is the deliberate attempt to scramble information so that adversaries fail to access secret data. Symmetric cryptography mainly focuses on private-key encryption; its key-distribution and key-management problems make it impractical for today's world, so a new approach is required to overcome them. Asymmetric cryptography provides a solution and, moreover, gives a new direction to cryptography. The idea of a key exchange protocol was initiated by Merkle, Diffie, and Hellman [1] in the mid-1970s. One of the earliest asymmetric cryptosystems is the famous RSA. Later on, many more asymmetric algorithms were introduced, such as ElGamal and ECC [2,3], which were based on the complexity of the integer factorization problem. These were further modified by different cryptologists in [4][5][6]. The elliptic curve discrete logarithm problem (ECDLP) has been a prominently researched area and is still under analysis by many cryptographers [7,8].
Data confidentiality, integrity, and authenticity are the fundamental protection goals of cryptography. Hash functions and digital signatures improve message integrity and make messages more authentic [9,10]. Nowadays, a critical problem that classical and modern cryptography fail to address is long-term security. Quantum cryptography can resolve this problem, as it is based on the laws of quantum physics, which are valid forever [11,12]. The complexity of quantum algorithms, however, makes them difficult to implement in various applications. In this respect, asymmetric cryptosystems based on matrix algebra over residue rings have been studied for the last decade.
The main focus of this work is to improve the scheme proposed by Khan et al. [13], which is based on a commutative subgroup of (2, ℤ ). Our goal is to increase the security of the algorithms by using the unique algebraic structure of the local chain ring = ℤ [ ] 〈 〉 and by generalizing both cryptosystems given in [13]. The local ring ℤ of integers modulo makes both cryptosystems insecure, in the sense that an attacker who can solve linear equations in ℤ efficiently can break both schemes in a very limited time. In 2016, Jianwei Jia et al. [14] studied the schemes given in [13]; they conducted a detailed analysis of a structural attack and concluded that both cryptosystems were breakable. In this article, we propose new asymmetric cryptosystems based on an abelian subgroup of the general linear group ( , ), as was done for Cryptosystem 1 over a residue ring in [15]. The chain ring has a special polynomial structure: the coefficients of each polynomial lie in ℤ , which keeps the legitimate calculations easy but makes decryption infeasible for the attacker.
The rest of the article is organized as follows. In Section 2, we briefly define the chain ring. The details of the proposed scheme are given in Section 3, and it is then verified with an example in Section 4. Finally, some attacks are discussed in the security analysis in Section 5, and a conclusion is drawn at the end.

Chain Ring
A chain ring is a commutative ring with identity whose ideals form a chain under inclusion. More precisely, it is a finite local ring whose radical is a principal ideal. Roughly speaking, it is an extension of the Galois ring by a basic irreducible polynomial of degree ℎ. The cardinality of the Galois ring is . Now, if is the maximal ideal of , then is the residue field, which is the Galois extension field ( ).
The finite chain ring is the quotient ring
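As an added illustration that is not part of the paper, the following Python models a finite chain ring of the form ℤ_2[u]/〈u^k〉 (an assumption: the paper's subscript, variable and exponent did not survive extraction) and checks the two properties stated above: the ideals form a chain under inclusion, and the units are exactly the elements outside the maximal ideal 〈u〉.

```python
# Added example, not from the paper: arithmetic in a finite chain ring, assumed here
# to be Z_2[u]/<u^k>. An element is a polynomial over Z_2 of degree < k, stored as an
# int whose bit i is the coefficient of u^i; addition is XOR and the maximal ideal
# is <u>, the set of elements with constant term 0.

def mul(a, b, k):
    """Carry-less product, then reduce modulo u^k by dropping bits >= k."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r & ((1 << k) - 1)

def is_unit(a):
    """a is invertible iff it lies outside <u>, i.e. its constant term is 1."""
    return a & 1 == 1

def inverse(a, k):
    """For a unit a = 1 + n, n is nilpotent (n^k = 0), so
    a^-1 = 1 + n + n^2 + ... + n^(k-1): the geometric series terminates."""
    if not is_unit(a):
        raise ValueError("element of <u> has no inverse")
    n, acc, term = a ^ 1, 1, 1
    for _ in range(k - 1):
        term = mul(term, n, k)
        acc ^= term
    return acc

def ideal(g, k):
    """The principal ideal <g> = {g*r : r in R}, as a set of elements."""
    return frozenset(mul(g, r, k) for r in range(1 << k))

def ideals_form_chain(k):
    """Every ideal of a finite chain ring is principal, so enumerating <g> for all g
    lists them all; check they are exactly <1> > <u> > ... > <u^(k-1)> > {0}."""
    all_ideals = {ideal(g, k) for g in range(1 << k)}
    powers = [ideal(1 << i, k) for i in range(k)] + [frozenset({0})]
    return all_ideals == set(powers) and all(
        powers[i] > powers[i + 1] for i in range(k))

def mat_mul(A, B, k):
    """Product of square matrices over the ring; such matrices need not commute."""
    n = len(A)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for r in range(n):
                out[i][j] ^= mul(A[i][r], B[r][j], k)
    return out
```

With k = 4 the ring has 16 elements, of which the 8 with constant term 1 are units, and the ideals are 〈1〉 ⊃ 〈u〉 ⊃ 〈u²〉 ⊃ 〈u³〉 ⊃ {0}.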

Proposed Cryptosystems
In the proposed asymmetric cryptosystems, a subgroup of ( , ) is the object of study, while in the original cryptosystems a subgroup of (2, ℤ ) was under discussion. Hence, the proposed algorithm is a generalization of the original cryptosystems, with the finite chain ring used instead of a residue ring. We will see later that this modification increases the computational complexity of the proposed cryptosystem.
Let be the subgroup of ( , ). It can be easily proved that is an abelian subgroup of ( , ).
Proof of Proposition 1.

Let
Hence it is proved that is an abelian subgroup of ( , ). □

The probability ′ that a matrix ∈ ( , ) does not lie in is

The following is the main scheme proposed in this article. We now discuss Cryptosystems 1 and 2 in detail.
: → , : → , ∀ ∈ ( )
5. Compute another automorphism of ( ) by taking the composition of the above two automorphisms. Since and commute, and also commute, and we have
Choose a random matrix ∈ ( , ) such that does not belong to , and then calculate the public key , ( ), ( ) and the private key ( , ).
Encryption
1. Choose the plaintext ∈ ( ).
2. Choose random elements 1, + + 1 ∈ * (the diagonal entries of the upper triangular matrices and ) and + 1, , , + 1 ∈ (the remaining entries of the matrices).
3. Now the matrices , ∈ with ≠ .
Table 1 demonstrates that different public keys are computed from the same private keys in the two algebraic structures. Further detail is given in the security analysis section. (Note that elements can be converted from to ℤ and vice versa.)

Security Analysis of the Proposed Cryptosystem
The essence of every cryptosystem lies in its security, so security analysis plays a fundamental role in judging the effectiveness of any cryptosystem. We now discuss some attacks. The proposed scheme has the potential to resist these attacks effectively.

Ciphertext-Only Attack
Suppose the information ( , ( ), ( ), , ) is known to the adversary, and he wants to compute the message using a ciphertext-only attack, as Jianwei Jia et al. [14] did for ℤ . First, the attacker finds the invertible element ∈ * from det( ) = ( ) ( ) , ∀ (note that the inverse of is hard to compute compared with ℤ , since taking square roots of polynomials makes this step laborious for the attacker). Next, the cryptanalyst solves the system of homogeneous linear equations, After solving the system of Equation (1), he can compute the unknown matrix = for each = . Finally, he solves system (2) and decrypts the corresponding message = .
= ( ) ( ) (Note that here the systems consist of polynomial matrices from ( , ); since the equations have become nonlinear, it is hard to find the unknown matrix for a large value of k. The attacker can easily solve this system in ℤ . On the other hand, if an attacker tries to solve the system in ℤ by converting the given information from to ℤ , this does not work, because the public keys generated in the two cryptosystems differ and the attacker fails to compute , as demonstrated in the comparison in Table 1 for and ℤ .) The cryptanalyst has ( ) possibilities for , since he has ( ) possibilities for the diagonal entries and possibilities for the remaining upper-diagonal entries of . Hence, it is clear that decrypting the plaintext becomes infeasible for the attacker for large values of and .

Known-Plaintext Attack
In this case, the adversary has access to some plaintexts and their ciphertexts . He fails to reveal any information about the key, because for each plaintext we choose a unique matrix . The cryptanalyst wants to find all pairs ( , ), but in this case he cannot derive a new pair from the known information. Hence the attacker cannot retrieve any information, and this attack is ineffective.

Chosen-Ciphertext Attack and its Prevention
Suppose Alice wants to send a message to Bob. She encrypts the message and obtains the ciphertext = ( , ). The attacker intercepts the communication and gets access to the ciphertext . He selects a random matrix ̈ ∈ ( , ) and sends * = ( , ̈ ) to Bob. Bob now deciphers the false ciphertext * and computes a new plaintext * = * . The cryptanalyst uses this information to recover the original message.

( ̈) ( ̈ ) =
To protect the cryptosystem from this type of attack, one must replace the one-sided ciphertext with a two-sided ciphertext. Now replace the ciphertext, In this case, one can decrypt the message by calculating = ( ) ( ), since the matrices and do not commute in general. Hence this attack is ineffective in this scenario.

Conclusions
In this article, the asymmetric cryptosystems of [13] have been generalized and the residue ring has been replaced by a finite chain ring. The local ring ℤ resulted in the insecurity of the cryptosystem, as inferred by Jianwei Jia et al. [14] in their cryptanalysis of the original scheme. It can be anticipated that the security of the proposed algorithm is increased compared with the original one against various attacks. The finite local ring enhances the complexity of the algorithms in a way that makes it laborious for the attacker to decrypt, and hence maximizes the computational security of the cryptosystem. The chain ring has the potential to resist the attacks, and both cryptosystems are invulnerable in the sense that attackers are unable to solve the system of equations in for large values of and . The use of a binary field in the local ring avoids the exponentiation approach, which makes the scheme efficient to use in various applications.