Improved Asymmetric Cipher Based on Matrix Power Function with Provable Security

Eligijus Sakalauskas 1, Aleksejus Mihalkovich 1,* and Algimantas Venčkauskas 2

1 Faculty of Mathematics and Natural Sciences, Department of Applied Mathematics, Kaunas University of Technology, Studentu str. 50-324, Kaunas LT 51368, Lithuania; eligijus.sakalauskas@ktu.lt
2 Faculty of Informatics, Department of Computer Science, Kaunas University of Technology, Studentu str. 50-213, Kaunas LT 51368, Lithuania; algimantas.venckauskas@ktu.lt
* Correspondence: aleksejus.michalkovic@ktu.lt; Tel.: +370-60014070


Introduction
In this paper we present an improvement of the matrix power function (MPF) asymmetric cipher published in [1]. The purpose of this improvement is the prevention of the discrete logarithm attack (DLA), which transforms the initial system of MPF equations into a matrix multivariate quadratic (MMQ) system of equations. So far it has not been proved that the MMQ problem is NP-complete, but we nevertheless conjecture that this problem is hard, since in general the corresponding system of MMQ equations is neither underdefined nor overdefined. It is known that certain classes of underdefined or overdefined systems of MQ equations can be solved in polynomial time.
MPF was previously used to construct cryptographic primitives in [2,3]. Implementation of these primitives in computationally restricted environments was analyzed in [4,5]. The results have shown that the suggested protocols can be implemented effectively in Internet of Things (IoT) systems.
Formally, the MPF used in our construction can be defined as a function with matrix Q as a parameter and matrices (X, Y) as arguments, denoted by F_Q(X, Y) and expressed by the formula where E is a matrix representing the function value.
Symmetry 2016, 9, 9; doi:10.3390/sym9010009 www.mdpi.com/journal/symmetry
In the previous protocol, the entries of matrix Q were chosen in a specially constructed multiplicative group Z_n of integers with multiplication performed modulo n. In this paper we would like to discuss some aspects of this structure and present an alternative algebraic structure, which can be used to execute the proposed protocol more efficiently and to prevent the discrete logarithm attack.
The cryptographic protocols and algorithms constructed on the basis of MPF (see [1,2]) belong to the branch of non-commutative cryptography. A survey of non-commutative cryptography can be found in [6]. Some initial investigations in this field can be found in [7][8][9], where the authors investigated the so-called Sakalauskas, Tvarijonas, Raulynaitis (STR) key agreement protocol published in [3]. Moreover, in [8] it is shown that the STR protocol can be realized effectively on microprocessors.
In Section 5 we present a proof of our protocol's resistance to chosen plaintext attack (CPA) and chosen ciphertext attack (CCA).
The prevention of the DLA is also presented in subsequent sections.

Our Previous Work
Let us recall some definitions from our previous paper. We consider a commutative multiplicative semigroup S. The multiplicative order of semigroup S is defined as the smallest integer t such that a^t = e for all a ∈ S, where e is the neutral element of S. Hence the powers of elements of S can be defined in a commutative numeric ring Z_t, where addition and multiplication are performed modulo t.
We construct a semigroup of square m × m matrices with entries in semigroup S and denote it by M_S. We call this matrix semigroup a platform semigroup. Analogously we construct a ring of square m × m matrices M_R whose entries are defined in the numerical ring R = Z_t. This ring is called a power ring.
The matrix power function (MPF) for a fixed parameter matrix Q ∈ M_S is a mapping M_R × M_R → M_S which is denoted as follows: where matrices X = {x_ij} and Y = {y_ij} are defined in the power ring M_R and matrix Q = {q_ij} is defined in the platform semigroup M_S. The entries of matrix E = {e_ij} are calculated in the following way:
For clarity, let us assume that all matrices are square matrices of second order. The elements are then computed as follows:
We will refer to matrices X and Y as matrix powers or power matrices, to Q as the base matrix and to E as the matrix power value. Recall from our previous paper that, under the chosen algebraic structures, the following properties hold for MPF:
To define a platform semigroup we previously considered the multiplicative semigroup Z_n = {0, 1, ..., n − 1}, where n = pq is a composite integer and p, q are distinct odd primes with p > q. We defined an ideal of this semigroup Id_q(Z_n) = {j = i·q; i = 1, ..., p − 1} and used it to construct a new multiplicative semigroup Z_n in the following way: where Z*_n is the multiplicative group consisting of the elements coprime with n. It is well known that the multiplicative order of the elements of Z*_n is determined by the Carmichael function λ(n). For our goals we suggested using n = 3p, since in this case λ(n) = p − 1 and hence where |·| denotes the cardinality of the set. The latter identity makes it possible to define the power ring over the ring Z_λ(n).
The protocol suggested in [1] is described below. We name this protocol the Matrix Power Asymmetric Cipher (MPAC) protocol.

Previous Asymmetric Cipher Protocol
Alice and Bob agree on the following public data:
• platform semigroup M_S and power ring M_R;
Alice randomly selects a non-singular secret matrix X in M_R and two sets of coefficients (not necessarily distinct) in the numerical ring R to define two polynomials P_a1(·) and P_a2(·). To construct her private and public data she performs the following actions:
• computes a secret matrix U as a product of two polynomials of Z_1 and Z_2, i.e., U = P_a1(Z_1)
Alice keeps her private key PrK_A = (X, U) secret and publishes her public key
Bob takes Alice's public key PuK_A and performs the following encryption protocol:
1. Bob randomly chooses a non-singular matrix Y in M_R;
2. He selects two sets of coefficients in the numerical ring R to define two polynomials P_b1(·) and P_b2(·) and computes a secret matrix V = P_b1(Z_1) · P_b2(Z_2). Then he takes matrices A_1 and A_2 and computes a matrix P_b1(A_1)
3. He raises matrix ^X Q ^U to the obtained power matrix W = XVX^{−1} on the left and obtains ^{XV} Q ^U, since WX = XV;
4. He raises the resulting matrix to the power matrix Y on the right and obtains ^{XV} Q ^{UY} = K and converts it to a bit string. One possible way to do this is to write all the elements of matrix K in a string of the form and convert every k_ij ∈ S into its binary representation. The bit string of matrix K is then the concatenation of all binary representations of k_ij. The obtained bit string is used as a key to encrypt the message M and compute the ciphertext C;
5. Bob computes the ciphertext C = K ⊕ M, where ⊕ is the bitwise sum modulo 2 of all entries of the bit strings K and M;
6. Bob computes three matrices (Y encryptor ε and sends it to Alice together with C.
To decrypt Bob's message Alice does the following:
1. Using the given matrices B_1 and B_2 Alice computes P_a1(B_1)
2. Alice raises matrix ^V Q ^Y to the power Y^{−1}UY on the right and then raises the resulting matrix to the power X on the left, hence obtaining the matrix K = ^{XV} Q ^{UY}, and converts it to a bit string.
3. Alice can now decrypt the ciphertext C using the encryption key K and the relation
Since the discrete logarithm can be applied to both sides of Equation (1), it can be transformed into the following matrix equation
The security of this protocol relies on the following problem:
Definition 1. The problem of finding matrices X and Y satisfying the following system of equations for some known values of T, S, A, B, C, D is called the matrix multivariate quadratic (MMQ) problem.
Note that in the case of our protocol
An example of the MPAC protocol is presented in [1]. A minor modification we use in this paper is the conversion of the obtained encryption key K to a bit string. An example of this transformation is presented below.
We convert each element to binary form to obtain the bit string 000100100010000111101110111000011110, where the first four bits represent the element 1, the next four bits represent the element 2, and so on.

Improvements of the Asymmetric Cipher Protocol
Let the parameter n of the multiplicative group Z*_n be a composite integer (the factors of this number are irrelevant) and let λ(n) be of the form λ(n) = pq, where p is prime and gcd(p, q) = 1. According to the Sylow theorem [10], a Sylow subgroup of prime order p exists in Z*_n. We denote this subgroup by Γ_{p,n}. Since, according to the Lagrange theorem, the order of an element γ has to divide p, the only possible orders in the group Γ_{p,n} are 1 and p. Therefore, every non-identity element γ is a generator of Γ_{p,n}. We can use this group to ensure maximum entropy of the entries of the result matrix E. However, it can be shown (see Section 5) that using a cyclic group as the platform makes MPF vulnerable to algebraic cryptanalysis. Consequently we have to construct a structure similar to Z_n.
Let j be an idempotent of the semigroup Z_n. Since the order of an element is a multiplicative function, we can multiply each element of the group Γ_{p,n} by j to obtain a new cyclic group J_{p,n} = jΓ_{p,n}. The identity of this group is j and the order of every non-identity element is p. We construct a semigroup Γ_{p,n} as the union of Γ_{p,n} and J_{p,n}, i.e., We can use this semigroup to avoid the direct application of a discrete logarithm function to MPF, since J_{p,n} is an ideal of Γ_{p,n}. Note that no additional constraints on the parameter n and the entries of Q are needed as compared to Z_n.
The main advantage of Γ_{p,n} is the prime order of its non-idempotent elements. Since the order of Γ_{p,n} determines the modulus of the entries of the matrices of the power ring M_R, we obtain a power ring defined over the field Z_p. Therefore, the conjugation constraints are defined over the field Z_p. Furthermore, this semigroup also provides security against chosen ciphertext and chosen plaintext attacks (see Section 5), since the entries of the matrix exponent are uniformly distributed either in Γ_{p,n} or in J_{p,n}, depending on the entries of the power matrices. Note that the set of solutions of the latter equations depends on the canonical Jordan form of matrices Z_1 and Z_2. More precisely, we have to consider the Jordan blocks of the Jordan matrices J_1 and J_2, which are similar to matrices Z_1 and Z_2 respectively. It was shown in [1] that if a Jordan matrix J is defined over the field Z_p and has the form
To construct Γ_{p,n} we have to consider (i) finding a suitable value of the parameter n, and (ii) finding an idempotent j in the semigroup Z_n.
To find a suitable value of n we can consider all odd square-free integers of the form n = p_1 p_2, where p_1 and p_2 are primes. It is known from the definition of the Carmichael function λ(·) that According to the Sylow theorem, the multiplicative group Z*_n has a Sylow subgroup of the fixed size p if p divides λ(p_1 p_2) and p^2 does not divide λ(p_1 p_2). To satisfy this condition it is enough to find a value of p_1 such that where k is the least possible even number for which p_1 is prime. To minimize the value of n we can set p_2 = 3. The idempotent j can be obtained by solving the following system of congruences: The main parameters of the semigroup Γ_{p,n} are the following: The newly defined multiplicative semigroup Γ_{p,n} can be used to define a platform semigroup M_S. The MPAC protocol is then executed as presented in Section 3.

Security Analysis
As pointed out above, by preventing the application of the DLA to the MPAC protocol [1] we force an adversary to deal with the initial MPF system of Equation (2) in order to break our protocol. Hence the security of the improved version of the MPAC protocol relies on the complexity of the MPF problem, which is defined in the following way:
Definition 2. The problem of finding matrix powers X and Y satisfying Equation (1), when Q and E are given, is called the MPF problem.
In our research we consider the MPF problem with two conjugation constraints, i.e., the following system of matrix equations: where matrices Q and E are in the platform semigroup and matrices A, B, C, D are in the power ring. These matrices are publicly known. The only unknown matrices are X and Y.
The NP-hardness of the MPF problem in (9) can be proved using a polynomial-time reduction of a known NP-hard problem to the MPF problem. In the previous paper [11] the author proved that the so-called multivariate quadratic power problem is NP-complete. The reduction is provided using a randomly generated MQ problem, which is NP-complete. Referring to this result and to the fact that the MMQ problem is conceptually related to the MPF problem, the NP-completeness of the MPF problem can be proved by proving that the MMQ problem is NP-complete. The reduction from the MMQ problem to the MPF problem can then be constructed directly by referring to [11].
Unfortunately, the NP-completeness of the MMQ problem remains an open question. We conjecture that the MPF problem is at least as hard as the MMQ problem. Hence avoiding the transformation of the MPF equations in the protocol presented here should increase its security, since at this time well-known Gröbner basis and other algorithms can be applied to try to solve an MMQ system of equations, whereas so far we have no knowledge of how to deal with a system of MPF equations. In this case the unknowns are also multivariate quadratic monomials, but they appear in the powers of the entries of a certain known matrix.
We provide the security considerations by proving that the proposed algorithm is secure against chosen ciphertext attack (CCA) and chosen plaintext attack (CPA). This analysis is performed by considering the entropy of the entries of the matrix exponent E. For this purpose we use generators of some cyclic group G. In this case we can estimate the statistical security of MPF using the following known propositions:
Proposition 1. For any generator g of group G and α ∈ Z_|G| chosen at random, the power term g^α has the same distribution in G as α in Z_|G| [10].
Proposition 2. Let a ∈ Z_|G| be an arbitrary element. Choosing b ∈ Z_|G| at random and setting c = ab gives the same distribution for c as choosing c at random [10].
We can now formulate the following corollary.
Corollary 1. For any two generators g_1 and g_2 of group G and two uniformly chosen elements α, β ∈ Z_|G|, the element z computed by the expression z = g_1^α g_2^β
The latter corollary implies that the element z, as a function of α and β, is strongly universal_2 as defined by the authors in [12] (the notion of a strongly universal function is taken from the same paper), i.e., g_1^α and g_2^β are two independent elements uniformly distributed in G. This result can also be generalized to any entry of the matrix exponent E in (1), i.e., each entry of this matrix is a strongly universal function. In [13] this property is defined as perfect m^2-wise decorrelation (as denoted by the author).
The statistical security of MPF in the case S = Z*_n and R = Z_λ(n) is also considered in [14]. The parameter n is selected as a composite number of the form n = 3p, where p = 2s + 1 and both p and s are prime numbers. The main outcome of that paper is the following proposition:
Proposition 3. If a base matrix Q ∈ M_G implies power matrices X, Y ∈ M_R, where R = Z_|G|, and if the entries of the power matrices are chosen at random with uniform distribution, then the system (9) yields a matrix E whose entries are also uniformly distributed.
Note also that the last step of our protocol is similar to the Vernam cipher. According to [13] this cipher has perfect 1-wise decorrelation. Due to Proposition 3, if matrices X and Y are chosen randomly with uniform distribution of their entries, then the key matrix K has perfect m^2-wise decorrelation. It was shown in [13] that in this case our cipher is secure against CCA and CPA respectively (Theorem 7).
Corollary 2. The MPAC protocol is CPA and CCA secure.
However, using a cyclic group G to define the platform semigroup does not provide any security against a specific algebraic attack. This so-called discrete logarithm attack (DLA) is based on the ordinary discrete logarithm function, which can be generalized to matrix semigroups. This generalization is performed as follows: where ld_g(·) is the discrete logarithm function, g is a generator of the semigroup S and Q, P are square m × m matrices in M_S. Note that we do not consider either the ordinary or the matrix discrete logarithm problem (DLP) to be hard, since we will not use a large semigroup S to define the platform semigroup, and hence ld_g Q can be obtained easily if S = G.
The generalized discrete logarithm function can be applied to the MPF Equation (1) to obtain where T = ld_g Q.
The way to break the presented asymmetric cipher specification is to solve either the system of matrix Equation (9) or the MMQ problem corresponding to the MPF problem with the same conjugation constraints, i.e., the system (6), where all equations are defined in the power ring.
Despite the fact that the MMQ problem is a subclass of the well-known multivariate quadratic (MQ) problems, which are NP-complete, the NP-completeness of the MMQ problem has thus far not been proved. However, it was shown in [11] that the MQ power problem is NP-complete over any semigroup Z_n.
Note that choosing S = Z*_n, where n = pq, does not provide security against the DLA either, since the Chinese Remainder Theorem (CRT) can be used to define the following mapping: where g_p and g_q are generators of the multiplicative cyclic groups Z*_p and Z*_q respectively. The semigroup Γ_{p,n}, however, does not have this flaw, i.e., it cannot be split into two multiplicative cyclic groups, and therefore the isomorphism ϕ cannot be used to define the discrete logarithm.
To demonstrate this we present the following example.
Example 2. Let us consider the multiplicative group Z*_33 = {a | gcd(a, 33) = 1}. The isomorphism implied by the Chinese remainder theorem is as follows: Let Γ_{5,33} = {1, 3, 4, 9, 12, 15, 16, 25, 27, 31}. Evidently this semigroup has no non-trivial isomorphism which could be used to split it into a direct product of two or more separate (semi)groups. Therefore, the discrete logarithm function is not defined in Γ_{5,33}.
However, the semigroup Γ_{p,n} has the non-trivial isomorphism The latter isomorphism can be used to reduce the initial MPF problem to an MMQ problem. This can be done by defining a mapping and applying it to each entry of the MPF value matrix E in (1), thus transforming it into the MMQ problem
However, we found that under certain conditions the obtained MMQ problem is not equivalent to the initial MPF problem, i.e., solutions X and Y of Equation (13) do not satisfy the initial Equation (1). This happens if an entry of the base matrix Q which is chosen from the ideal is raised to the zeroth power. In this case not all entries of the MPF value matrix E are in the ideal J_{p,n}. To demonstrate this we present an example:
We can see that the entries of the second row are not contained in the ideal J_{5,33} = {3, 9, 12, 15, 27}, and therefore the mapping ψ is not one-to-one. Therefore the mapping ψ cannot be used to reduce the MPF problem to an MMQ problem in the general case, and hence the multiplicative semigroup Γ_{p,n} provides effective security against the DLA.
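The following Python script is an added example, not code from the paper: it builds the semigroup Γ_{5,33} of Example 2 (Sylow 5-subgroup of Z*_33, idempotent j, ideal J = jΓ), checks the ideal property that blocks a direct discrete logarithm, and reproduces the effect described above, an ideal entry of Q raised to the zeroth power pushing entries of E out of J. It assumes the MPF entry formula e_ij = ∏_{k,l} q_kl^(x_ik·y_lj) with exponents in Z_p and q^0 = 1, the congruences j ≡ 1 (mod p_1), j ≡ 0 (mod p_2) for the idempotent, and constructed matrices Q, X, Y; none of these are given on the page.

```python
from math import gcd

# Constructed parameters matching Example 2: n = 33 = 11 * 3, lambda(33) = 10 = 5 * 2, so p = 5.
N, P1, P2, P = 33, 11, 3, 5


def sylow_subgroup(n, p):
    """Gamma_{p,n}: the elements of Z*_n whose multiplicative order divides the prime p."""
    return sorted(a for a in range(1, n) if gcd(a, n) == 1 and pow(a, p, n) == 1)


def idempotent(n, p1, p2):
    """Assumed congruences j = 1 (mod p1), j = 0 (mod p2); n is small, so search directly."""
    return next(j for j in range(1, n) if j % p1 == 1 and j % p2 == 0)


def platform_semigroup(n, p1, p2, p):
    """Return (Gamma, J, Gamma-bar) where J = j * Gamma and Gamma-bar = Gamma U J."""
    gamma = sylow_subgroup(n, p)
    j = idempotent(n, p1, p2)
    ideal = sorted(j * g % n for g in gamma)
    return gamma, ideal, sorted(set(gamma) | set(ideal))


def is_ideal(ideal, semigroup, n):
    """J is an ideal of Gamma-bar if every product J * Gamma-bar lands back in J."""
    return all((a * b) % n in ideal for a in ideal for b in semigroup)


def discrete_log(a, g, n, p):
    """ld_g(a) in Z_p if a is a power of the generator g, else None (ideal elements never are)."""
    return next((e for e in range(p) if pow(g, e, n) == a), None)


def mpf(q, x, y, n, p):
    """Assumed MPF: e_ij = prod_{k,l} q_kl ^ (x_ik * y_lj) mod n, exponents reduced in Z_p.

    A zero exponent yields q^0 = 1 even when q lies in the ideal J, which is the
    reason the page's mapping psi is not one-to-one on the value matrix E.
    """
    m = len(q)
    e = [[1] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            for k in range(m):
                for l in range(m):
                    e[i][j] = e[i][j] * pow(q[k][l], (x[i][k] * y[l][j]) % p, n) % n
    return e


def entries_outside(e, subset):
    """Positions (i, j) of E whose entry does not belong to the given subset of Z_n."""
    return [(i, j) for i, row in enumerate(e) for j, v in enumerate(row) if v not in subset]


if __name__ == "__main__":
    gamma, ideal, gbar = platform_semigroup(N, P1, P2, P)
    print("Gamma =", gamma, " J =", ideal, " Gamma-bar =", gbar)
    # Constructed 2x2 instance: Q mixes ideal and group entries; X, Y are non-singular over Z_5.
    Q = [[12, 4], [3, 16]]
    X = [[1, 2], [0, 1]]
    Y = [[0, 1], [1, 0]]
    E = mpf(Q, X, Y, N, P)
    print("E =", E, " entries outside J:", entries_outside(E, ideal))
```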

Discussion
We presented an enhanced Matrix Power Asymmetric Cipher (MPAC) protocol with respect to the previously published prototype suggested in [1].
We have proved that the enhanced MPAC is resistant to chosen plaintext attack and chosen ciphertext attack.
The improved security measures were proposed to prevent the DLA, which is based on applying the logarithm function directly to the MPAC equations, and consequently to avoid the transformation of the initial MPF equations into an MMQ system of equations. Despite the lack of a proof that a randomly generated MMQ system is NP-complete, as has been proved for randomly generated MQ systems of equations over any field [15], we conjecture that the complexity of the MMQ problem is high.
So far we do not know any methods for solving the systems defined by the initial MPF equations, since they are not ordinary systems of algebraic equations. Rather, they are systems of power equations, where the unknown variables are the powers of certain elements of the semigroup.
By preventing the transformation of the initial MPF equations into an MMQ problem, and referring to these considerations, we conjecture that the proposed MPAC is secure against the DLA, since discrete logarithm functions cannot be defined for the algebraic structures introduced in this paper.
It is determined in [16] that MPAC has a significant computational efficiency advantage over the other algorithms considered in that paper. Since we improved our protocol in this paper, MPAC can be applied efficiently in the IoT.

Example 1. Let us assume that Bob has obtained the following encryption key K:
K =
..., it consists of a single Jordan block of size m with eigenvalue µ, then each equation in (8) has exactly p^{m−1}(p − 1) solutions.

Example 3. Let us consider the multiplicative semigroup S = Γ_{5,33}. The entries of the power matrices X and Y have to be selected from Z_5. Define matrices Q, X and Y in the following way:

Values of the main parameters of Γ_{p,n} for a fixed value of p are presented in Table 1.
Table 1. Values of the main parameters of Γ_{p,n}.