1. Introduction
In this paper we present an improvement of the matrix power function (MPF) asymmetric cipher published in [1]. The purpose of this improvement is to prevent the discrete logarithm attack (DLA), which allows an adversary to transform the initial system of MPF equations into a system of matrix multivariate quadratic (MMQ) equations. So far it has not been proved that the MMQ problem is NP-complete, but we nevertheless conjecture that this problem is hard, since in general the corresponding system of MMQ equations is neither underdefined nor overdefined. It is known that certain classes of underdefined or overdefined systems of MQ equations can be solved in polynomial time.
MPF was previously used to construct cryptographic primitives in [2,3]. Implementation of these primitives in computationally restricted environments was analyzed in [4,5]. The results have shown that the suggested protocols can be implemented efficiently in Internet of Things (IoT) systems.
Formally, the MPF used in our construction can be defined as a function of a matrix Q as a parameter and matrices as function arguments, denoted by and expressed by the formula where E is a matrix representing the function value.
In the previous protocol, the entries of matrix Q were chosen in a specially constructed multiplicative semigroup of integers with multiplication performed modulo n. In this paper we discuss some aspects of this structure and present an alternative algebraic structure which can be used to execute the proposed protocol more efficiently and to prevent the discrete logarithm attack.
The cryptographic protocols and algorithms constructed on the basis of MPF (see [1,2]) belong to the branch of non-commutative cryptography. A survey of non-commutative cryptography can be found in [6]. Some initial investigations in this field can be found in [7,8,9], where the authors investigated the so-called Sakalauskas, Tvarijonas, Raulynaitis (STR) key agreement protocol published in [3]. Moreover, in [8] it is shown that the STR protocol can be realized efficiently on microprocessors.
In Section 5 we present a proof of our protocol's resistance to chosen plaintext attack (CPA) and chosen ciphertext attack (CCA). The prevention of the DLA is also presented in the subsequent sections.
2. Our Previous Work
Let us recall some definitions from our previous paper.
We consider a commutative multiplicative semigroup . The multiplicative order of the semigroup is defined as the smallest integer t such that , where e is the neutral element in . Hence the powers of elements of can be defined in a commutative numerical ring , where addition and multiplication are performed modulo t.
We construct a semigroup of square matrices with entries in the semigroup and denote it by . We call this matrix semigroup a platform semigroup. Analogously, we construct a ring of square matrices with entries in the numerical ring . This ring is called a power ring.
The matrix power function (MPF) for a fixed parameter matrix is a mapping which is denoted as follows: where the matrices and are defined in a power ring and the matrix is defined in a platform semigroup . The entries of the matrix are calculated in the following way:
For further clarity, let us assume that all matrices are square matrices of order two. The elements are then computed as follows:
We will refer to the matrices X and Y as matrix powers or power matrices, to Q as a base matrix and to E as a matrix power value. Recall from our previous paper that under the chosen algebraic structures the following properties hold for MPF:
To define a platform semigroup we previously considered a multiplicative semigroup = , where is a composite integer and p, q are distinct odd primes with . We defined an ideal of this semigroup and used it to construct a new multiplicative semigroup in the following way: where is the multiplicative group consisting of the elements coprime with n. It is well known that the multiplicative order of the elements of is determined by the Carmichael function . For our goals we suggested using , since in this case and hence where denotes the cardinality of the set. The latter identity makes it possible to define the power ring over the ring .
The protocol suggested in [1] is described below. We call this protocol the Matrix Power Asymmetric Cipher (MPAC) protocol.
3. Previous Asymmetric Cipher Protocol
Alice and Bob agree on the following public data:
Alice randomly selects a non-singular secret matrix X in and two sets of coefficients (not necessarily distinct) in the numerical ring to define two polynomials and . To construct her private and public data she performs the following actions:
computes a secret matrix U as the product of two polynomials of and , i.e., U = ;
computes matrices .
Alice keeps her private key secret and publishes her public key .
Bob takes Alice's public key and performs the following encryption protocol:
Bob randomly chooses a non-singular matrix Y in ;
He selects two sets of coefficients in the numerical ring to define two polynomials and and computes a secret matrix V = ·. Then he takes the matrices and and computes the matrix · = ;
He raises the matrix to the obtained power matrix on the left and obtains , since ;
He raises the result matrix to the power matrix Y on the right, obtains = K and converts it to a bit string. One possible way to do this is to write all the elements of the matrix K in a string of the form and to convert every into its binary representation. The bit string of the matrix K is then the concatenation of all binary representations of . The obtained bit string is used as a key to encrypt the message M and compute the ciphertext C;
Bob computes the ciphertext C = , where ⊕ is the bitwise sum modulo 2 of the bit strings K and M;
Bob computes three matrices , which we denote the encryptor ε, and sends them to Alice together with C.
To decrypt Bob’s message Alice does the following:
Using the given matrices and , Alice computes · = , since U = ·;
Alice raises the matrix to the power on the right and then raises the result to the power X on the left, hence obtaining the matrix , and converts it to a bit string.
Alice can now decrypt the ciphertext C using the encryption key K and the relation
Since the discrete logarithm can be applied to both sides of Equation (1), it can be transformed into the following matrix equation
Security of this protocol relies on the following problem:
Definition 1. The problem of finding matrices X and Y satisfying the following system of equations for some known values of T, S, A, B, C, D is called the matrix multivariate quadratic (MMQ) problem. Note that in the case of our protocol the matrices T, S, A, B, C, D are determined by the public key and the encryptor.
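The last steps of the protocol above (writing the key matrix K as a bit string and XORing it with the message), as an added example that is not code from the paper. It assumes that the entries of K are elements of Z_n and are written row by row with a fixed width of (n-1).bit_length() bits, which gives the 4-bit representation used in Example 1 below when n lies between 9 and 16; the function names and the length check are my own.

```python
"""Key matrix -> bit string -> one-time-pad step of the MPAC protocol.

Added example, not code from the paper. Assumptions: the entries of the key
matrix K are elements of Z_n, each is written with the fixed width of
(n-1).bit_length() bits (4 bits for the values of Example 1, i.e. n <= 16),
entries are read row by row, and the message is not longer than the key string.
"""


def matrix_to_bitstring(K, n):
    """Concatenate fixed-width binary representations of the entries of K, row by row."""
    width = (n - 1).bit_length()
    bits = []
    for row in K:
        for k in row:
            if not 0 <= k < n:
                raise ValueError(f"entry {k} is not an element of Z_{n}")
            bits.append(format(k, f"0{width}b"))
    return "".join(bits)


def xor_bits(a, b):
    """Bitwise sum modulo 2 of two bit strings of equal length."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def encrypt(K, n, message_bits):
    """C = K xor M. The key string is consumed at most once and never cycled:
    the Vernam argument of Section 5 needs one fresh key bit per message bit."""
    key_bits = matrix_to_bitstring(K, n)
    if len(message_bits) > len(key_bits):
        raise ValueError(f"message of {len(message_bits)} bits exceeds the "
                         f"{len(key_bits)}-bit key string derived from K")
    return xor_bits(key_bits[:len(message_bits)], message_bits)


def decrypt(K, n, cipher_bits):
    """M = C xor K: XOR with the same key string is an involution."""
    return encrypt(K, n, cipher_bits)


def text_to_bits(s):
    """Constructed helper: UTF-8 bytes of s as a bit string."""
    return "".join(format(b, "08b") for b in s.encode("utf-8"))


def bits_to_text(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("utf-8")
```

With a 2×2 key matrix over Z_15 the key string is only 16 bits long, so a single key agreement protects at most 16 message bits; the length check makes that limit explicit instead of silently truncating or reusing key material.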
An example of the MPAC protocol is presented in [1]. A minor modification we use in this paper is converting the obtained encryption key K to a bit string. An example of this transformation is presented below.
Example 1. Let us assume that Bob has obtained the following encryption key K. To convert it to a bit string we consider the string . We convert each element to binary form to obtain a bit string , where the first four bits represent the element 1, the next four bits represent the element 2, and so on.
4. Improvements of the Asymmetric Cipher Protocol
Let the parameter n of the multiplicative group be a composite integer (the factors of this number are irrelevant) and let be of the form where p is prime and . According to the Sylow theorem [10], a Sylow subgroup of prime order p exists in . We denote this subgroup by . Since, according to the Lagrange theorem, the order of an element γ has to divide p, the only possible orders in the group are 1 and p. Therefore, every non-identity element γ is a generator of . We can use this group to ensure the maximum entropy of the entries of the result matrix E. However, it can be shown (see Section 5) that using a cyclic group as the platform makes MPF vulnerable to algebraic cryptanalysis. Consequently, we have to construct a structure similar to .
Let j be an idempotent of the semigroup . Since the order of an element is a multiplicative function, we can multiply each element of the group by j to obtain a new cyclic group . The identity of this group is j and the order of every non-identity element is p. We construct a semigroup as the union of and , i.e.,
We can use this semigroup to avoid direct application of a discrete logarithm function to MPF, since is an ideal of . Note that no additional constraints on the parameter n and the entries of Q are needed as compared to .
The main advantage of is the prime order of the non-idempotent elements. Since the order of determines the modulus of the entries of the matrices of the power ring , we obtain a power ring defined over the field . Therefore, the conjugation constraints are defined over the field . Furthermore, this semigroup also provides security against chosen ciphertext and chosen plaintext attacks (see Section 5), since the entries of the matrix exponent are uniformly distributed either in or in depending on the entries of the power matrices.
Note that the set of solutions of the latter equations depends on the canonical Jordan form of the matrices and . More precisely, we have to consider the Jordan blocks of the Jordan matrices and , which are similar to the matrices and respectively. It was shown in [1] that if a Jordan matrix J is defined over the field and has the form i.e., it consists of a single Jordan block of size m with eigenvalue μ, then each equation in (8) has exactly solutions.
To construct we have to solve two tasks: finding a suitable value of the parameter n, and finding an idempotent j in the semigroup .
To find a suitable value of n we can consider all odd square-free integers of the form , where and are primes. It is known from the definition of the Carmichael function that
According to the Sylow theorem, the multiplicative group has a Sylow subgroup of the fixed size p if p divides and does not divide . To satisfy this condition it is enough to find a value of such that
where k is the least even number for which is prime. To minimize the value of n we can set . The idempotent j can be obtained by solving the following system of congruences:
The main parameters of the semigroup are the following:
Size of the Sylow group p;
Parameter n, which defines the multiplicative semigroup ;
The prime factor of the parameter n;
Generator of the Sylow group γ;
Idempotent j;
Values of the main parameters of for a fixed value of p are presented in Table 1.
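The construction of the platform semigroup described in this section, as an added example that is not the paper's own code. Where the page's formulas are missing it fills in my reading of the text, so these are assumptions: n = p1·p2 with p1 = kp + 1 prime for the least even k, p2 = 3 to minimize n, and the idempotent j as the CRT solution of j ≡ 1 (mod p1), j ≡ 0 (mod p2). The generator γ is taken as the first unit whose (λ(n)/p)-th power is not 1, so Table 1 may list a different representative. The last function isolates the observation behind Example 3 in Section 5: an element of the ideal raised to the zeroth power gives 1, which is not in the ideal, whereas its p-th power gives j.

```python
"""The platform semigroup of Section 4: the Sylow p-subgroup G_p of Z_n^* together
with its image j*G_p under an idempotent j, so that S = G_p  U  j*G_p.

Added example, not the paper's code. Assumptions: p is an odd prime,
n = p1 * p2 with p1 = k*p + 1 prime (k the least even value), p2 = 3,
and j = 1 (mod p1), j = 0 (mod p2) via the Chinese Remainder Theorem.
"""
from math import gcd, lcm


def is_prime(m):
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True


def smallest_p1(p):
    """Smallest prime p1 = k*p + 1 with k even, so that p divides p1 - 1."""
    k = 2
    while not is_prime(k * p + 1):
        k += 2
    return k * p + 1, k


def crt_idempotent(p1, p2):
    """j with j = 1 (mod p1) and j = 0 (mod p2); j = p2 * (p2^-1 mod p1) does both."""
    return p2 * pow(p2, -1, p1) % (p1 * p2)


def build_semigroup(p):
    """Return n, lambda(n), a generator gamma of the Sylow p-subgroup, j, G_p and j*G_p."""
    p1, k = smallest_p1(p)
    p2 = 3                                  # assumption: smallest odd prime keeps n small
    n = p1 * p2
    lam = lcm(p1 - 1, p2 - 1)               # Carmichael function of a square-free n
    if lam % p or (lam // p) % p == 0:
        raise ValueError(f"p = {p}: the Sylow p-subgroup of Z_{n}^* does not have order p")
    # x^(lam/p) has order dividing p; if it is not 1 its order is exactly p
    gamma = next(pow(x, lam // p, n) for x in range(2, n)
                 if gcd(x, n) == 1 and pow(x, lam // p, n) != 1)
    j = crt_idempotent(p1, p2)
    G = {pow(gamma, i, n) for i in range(p)}
    jG = {j * g % n for g in G}
    return {"p": p, "p1": p1, "k": k, "p2": p2, "n": n, "lambda": lam,
            "gamma": gamma, "j": j, "G": G, "jG": jG}


def check_structure(S):
    """Verify the properties claimed for S: j idempotent and identity of j*G_p,
    j*G_p an ideal of S, both parts of size p, every non-identity element of order p."""
    n, p, j, G, jG = S["n"], S["p"], S["j"], S["G"], S["jG"]
    ok = j * j % n == j and all(j * x % n == x for x in jG)
    ok &= len(G) == p and len(jG) == p and not (G & jG)
    ok &= all(a * b % n in G for a in G for b in G)           # G_p is a group
    ok &= all(a * b % n in jG for a in G | jG for b in jG)    # j*G_p absorbs S
    ok &= all(pow(x, p, n) == 1 for x in G) and all(pow(x, p, n) == j for x in jG)
    ok &= all(pow(x, d, n) != 1 for x in G - {1} for d in range(1, p))
    return ok


def zeroth_power_leaves_ideal(S):
    """Example 3 in one element: x^0 = 1 is outside the ideal j*G_p, while x^p = j is inside."""
    n, p, jG = S["n"], S["p"], S["jG"]
    x = next(iter(jG))
    return pow(x, 0, n) not in jG and pow(x, p, n) in jG


if __name__ == "__main__":
    for p in (3, 5, 7, 11):
        S = build_semigroup(p)
        print(p, S["n"], S["p1"], S["gamma"], S["j"], check_structure(S), zeroth_power_leaves_ideal(S))
```

For p = 5 the construction gives n = 33, G_5 = {1, 4, 16, 25, 31} and j·G_5 = {3, 9, 12, 15, 27} with j = 12; the exponents of the power ring are then taken modulo 5, and the exponent 0 is exactly the case in which an ideal entry of Q contributes the unit 1 rather than an element of the ideal.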
The newly defined multiplicative semigroup can be used to define a platform semigroup . The MPAC protocol is then executed as presented in Section 3.
5. Security Analysis
As pointed out above, by preventing the application of the DLA to the MPAC protocol [1] we force an adversary to deal with the initial MPF system of Equations (2) in order to break our protocol. Hence the security of the improved version of the MPAC protocol relies on the complexity of the MPF problem, which is defined in the following way:
Definition 2. The problem of finding the matrix powers X and Y satisfying Equation (1), when Q and E are given, is called the MPF problem. In our research we consider the MPF problem with two conjugation constraints, i.e., the following system of matrix equations:
where the matrices Q and E are in a platform semigroup and the matrices are in a power ring. These matrices are publicly known. The only unknown matrices are X and Y.
The NP-hardness of the MPF problem in (9) can be proved using a polynomial-time reduction of a known NP-hard problem to the MPF problem. In the previous paper [11] the author proved that the so-called multivariate quadratic power problem is NP-complete. The reduction is provided using a randomly generated MQ problem, which is NP-complete. Referring to this result and to the fact that the MMQ problem is conceptually related to the MPF problem, the NP-completeness of the MPF problem can be proved by proving that the MMQ problem is NP-complete. A reduction from the MMQ problem to the MPF problem can then be constructed automatically by reference to [11].
Unfortunately, the NP-completeness of the MMQ problem remains an open question. We conjecture that the MPF problem is at least as hard as the MMQ problem. Hence avoiding the transformation of the MPF equations in the protocol presented here should increase its security, since at this time the well-known Gröbner basis algorithms and other methods can be applied to try to solve a system of MMQ equations, whereas so far we have no knowledge of how to deal with a system of MPF equations. In this case the unknowns are also multivariate quadratic monomials, but they appear in the powers of the entries of a certain known matrix.
We provide the security considerations by proving that the proposed algorithm is secure against chosen ciphertext attack (CCA) and chosen plaintext attack (CPA). This analysis is performed by considering the entropy of the entries of the matrix exponent E. For this purpose we use generators of some cyclic group . In this case we can estimate the statistical security of MPF using the following known propositions:
Proposition 1. For any generator g of the group and chosen at random, the power term has the same distribution in G as α [10].
Proposition 2. Let be an arbitrary element. Choosing at random and setting gives the same distribution for c as choosing c at random [10]. We can now formulate the following corollary.
Corollary 1. For any two generators and of the group G and two uniformly chosen elements , the element z computed by the expression is uniformly distributed in .
The latter corollary implies that the element z as a function of is strongly universal as defined by the authors in [12] (the notion of a strongly universal function is taken from the same paper), i.e., and are two independent elements uniformly distributed in . This result can also be generalized to any entry of the matrix exponent E in (1), i.e., each entry of this matrix is a strongly universal function. In [13] this property is defined as perfect -wise decorrelation (in the author's notation).
The statistical security of MPF in the case of and is also considered in [14]. The parameter n is selected as a composite number of the form , where and both p and s are prime numbers. The main outcome of that paper is the following proposition:
Proposition 3. If a base matrix implies power matrices where , and if the entries of the power matrices are chosen at random with uniform distribution, then the system (9) yields a matrix E whose entries are also uniformly distributed.
Note also that the last step of our protocol is similar to the Vernam cipher. According to [13] this cipher has perfect 1-wise decorrelation. Due to Proposition 3, if the matrices X and Y are chosen at random with uniformly distributed entries, then the key matrix K has perfect -wise decorrelation. It was shown in [13] that in this case our cipher is secure against CCA and CPA (Theorem 7).
Corollary 2. MPAC protocol is CPA and CCA secure.
However, using a cyclic group to define a platform semigroup does not provide any security against a specific algebraic attack. This so-called discrete logarithm attack (DLA) is based on the ordinary discrete logarithm function, which can be generalized to matrix semigroups. This generalization is performed as follows:
where is the discrete logarithm function, g is a generator of the semigroup and are square matrices in . Note that we do not consider either the ordinary or the matrix discrete logarithm problem (DLP) as hard, since we will not use a large semigroup S to define the platform semigroup, and hence can be obtained easily if .
The generalized discrete logarithm function can be applied to the MPF Equation (1) to obtain
where .
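The MPF properties recalled in Section 2 and the entry-wise discrete logarithm transformation above, in one added example that is not code from the paper. It assumes the standard entry-wise definition of the two-sided MPF, e_ij = ∏_{k,l} q_kl^{x_ik·y_lj} (mod n), takes the base entries from the units of Z_n with the power ring Z_λ(n), and for the logarithm part uses a prime n so that Z_n^* is cyclic and log_g is defined for every entry; the function names are my own. The logarithm is computed by table lookup, which is exactly why the text treats the DLP as easy on a small platform.

```python
"""Two-sided matrix power function (MPF) over Z_n and the entry-wise discrete
logarithm that maps an MPF equation to a matrix multivariate quadratic (MMQ) one.

Added example (not from the paper). Assumptions: base entries are units of Z_n,
the power ring is Z_t with t = lambda(n), so q^t = 1 for every base entry, and
    (^X Q)_ij    = prod_k     q_kj ^ x_ik
    (Q ^Y)_ij    = prod_k     q_ik ^ y_kj
    (^X Q ^Y)_ij = prod_{k,l} q_kl ^ (x_ik * y_lj)     (all mod n).
For the logarithm part n is prime, so Z_n^* is cyclic with a generator g.
"""
from math import gcd, lcm
import random


def mult_order(a, n):
    """Multiplicative order of the unit a modulo n (brute force; n is small)."""
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k


def carmichael(n):
    """lambda(n): the lcm of the orders of all units of Z_n."""
    t = 1
    for a in range(1, n):
        if gcd(a, n) == 1:
            t = lcm(t, mult_order(a, n))
    return t


def prod_mod(factors, n):
    r = 1
    for f in factors:
        r = r * f % n
    return r


def left_mpf(X, Q, n):
    m = len(Q)
    return [[prod_mod((pow(Q[k][j], X[i][k], n) for k in range(m)), n)
             for j in range(m)] for i in range(m)]


def right_mpf(Q, Y, n):
    m = len(Q)
    return [[prod_mod((pow(Q[i][k], Y[k][j], n) for k in range(m)), n)
             for j in range(m)] for i in range(m)]


def mpf(X, Q, Y, n):
    m = len(Q)
    return [[prod_mod((pow(Q[k][l], X[i][k] * Y[l][j], n)
                       for k in range(m) for l in range(m)), n)
             for j in range(m)] for i in range(m)]


def matmul(A, B, t):
    """Ordinary matrix product in the power ring Z_t."""
    m = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(m)) % t for j in range(m)] for i in range(m)]


def _random_instance(rng, units, t, m):
    Q = [[rng.choice(units) for _ in range(m)] for _ in range(m)]
    X = [[rng.randrange(t) for _ in range(m)] for _ in range(m)]
    Y = [[rng.randrange(t) for _ in range(m)] for _ in range(m)]
    return Q, X, Y


def check_mpf_properties(n, m=3, trials=10, seed=1):
    """^X(^Y Q) = ^{XY} Q,  (Q^X)^Y = Q^{XY},  ^X(Q^Y) = (^X Q)^Y = ^X Q ^Y."""
    rng, t = random.Random(seed), carmichael(n)
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    for _ in range(trials):
        Q, X, Y = _random_instance(rng, units, t, m)
        XY = matmul(X, Y, t)
        if left_mpf(X, left_mpf(Y, Q, n), n) != left_mpf(XY, Q, n):
            return False
        if right_mpf(right_mpf(Q, X, n), Y, n) != right_mpf(Q, XY, n):
            return False
        if not (left_mpf(X, right_mpf(Q, Y, n), n) == right_mpf(left_mpf(X, Q, n), Y, n)
                == mpf(X, Q, Y, n)):
            return False
    return True


def generator(n):
    """A generator of Z_n^*; raises if the unit group is not cyclic."""
    t = carmichael(n)
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    if t != len(units):
        raise ValueError(f"Z_{n}^* is not cyclic")
    return next(a for a in units if mult_order(a, n) == t)


def dlog_table(g, n):
    """log_g as a lookup table g^i -> i; feasible because the platform is small."""
    table, x = {}, 1
    for i in range(mult_order(g, n)):
        table[x] = i
        x = x * g % n
    return table


def check_dla(n, m=3, trials=10, seed=2):
    """Entry-wise log_g turns E = ^X Q ^Y into log_g(E) = X * log_g(Q) * Y over Z_t, t = ord(g):
    the matrix equation is then quadratic in the unknown entries of X and Y (an MMQ instance)."""
    rng, g = random.Random(seed), generator(n)
    table = dlog_table(g, n)
    t, units = len(table), list(table)
    log = lambda M: [[table[x] for x in row] for row in M]
    for _ in range(trials):
        Q, X, Y = _random_instance(rng, units, t, m)
        if log(mpf(X, Q, Y, n)) != matmul(matmul(X, log(Q), t), Y, t):
            return False
    return True
```

Running check_mpf_properties(33) exercises the associativity properties over a non-cyclic unit group, while check_dla(23) shows the reduction the attack relies on: once every entry of E and Q is replaced by its logarithm to the base 5, the unknowns X and Y satisfy an ordinary matrix equation over Z_22.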
The way to break the presented asymmetric cipher is to solve either the system of matrix Equations (9) or the MMQ problem corresponding to an MPF problem with the same conjugation constraints, i.e., the system (6), where all equations are defined in a power ring.
Despite the fact that the MMQ problem is a subclass of the well-known multivariate quadratic (MQ) problem, which is NP-complete, the NP-completeness of the MMQ problem has thus far not been proved. However, it was shown in [11] that the MQ power problem is NP-complete over any semigroup .
Note that choosing , where , does not provide security against the DLA either, since the Chinese Remainder Theorem (CRT) can be used to define the following mapping:
where and are generators of the multiplicative cyclic groups and respectively.
The semigroup , however, does not have this flaw, i.e., it cannot be split into two multiplicative cyclic groups, and therefore the isomorphism φ cannot be used to define the discrete logarithm. To demonstrate this we present the following example:
Example 2. Let us consider the multiplicative group . The isomorphism implied by the Chinese Remainder Theorem is as follows: Let . Evidently this semigroup has no non-trivial isomorphism which can be used to split it into a direct product of two or more separate (semi)groups. Therefore, the discrete logarithm function is not defined in . However, the semigroup has a non-trivial isomorphism
The latter isomorphism can be used to reduce the initial MPF problem to an MMQ problem. This can be done by defining a mapping and applying it to each entry of the MPF value matrix E in (1), thus transforming it into an MMQ problem
However, we found that under certain conditions the obtained MMQ problem is not equivalent to the initial MPF problem, i.e., solutions and of Equation (13) do not satisfy the initial Equation (1). This happens if an entry of the base matrix Q chosen from the ideal is raised to the zeroth power. In this case not all entries of the MPF value matrix E are in the ideal . To demonstrate this we present an example:
Example 3. Let us consider the multiplicative semigroup . The entries of the power matrices X and Y have to be selected from . Define the matrices Q, X and Y in the following way: Then the MPF value represented by the matrix E is the following: We can see that the entries of the second row are not contained in the ideal , and therefore the mapping is not one-to-one. Hence the mapping cannot be used to reduce the MPF problem to the MMQ problem in the general case, and the multiplicative semigroup provides effective security against the DLA.