An IND-CPA Analysis of a Cryptosystem Based on Bivariate Polynomial Reconstruction Problem

Abstract

The Polynomial Reconstruction Problem (PRP) was introduced in 1999 as a new hard problem in post-quantum cryptography. Augot and Finiasz were the first to design a cryptographic system based on a univariate PRP, which was published at Eurocrypt 2003 and was broken in 2004. In 2013, a bivariate PRP was proposed. The design is a modified version of Augot and Finiasz’s design. Our strategic method, comprising the modified Berlekamp–Welch algorithm and Coron strategies, allowed us to obtain certain secret parameters of the bivariate PRP. This finding resulted in us concluding that the bivariate PRP is not secure against Indistinguishable Chosen-Plaintext Attack (IND-CPA).

1. Introduction

The world of technology is evolving along with the last wall of defense of data security–cryptography. With the inevitable realization of the quantum computer, coupled with Shor’s algorithm, which can solve the Integer Factorization Problem (IFP) and the Discrete Logarithm Problem (DLP) in polynomial time, classical cryptographic schemes depending on such hard mathematical problems could be vulnerable to quantum computer attack and rendered insecure. Among such cryptographic algorithms are the popular RSA and Elliptic Curve Cryptosystem (ECC) [1,2,3,4]. In 2016, the National Institute of Standards and Technology (NIST) had made a call for quantum resistant algorithms [4].

In quantum cryptography, a cryptographic algorithm is secure against the attack of both quantum and classical computers [5]. The popular Quantum Algorithm Zoo website lists favorable hard mathematical problems that are thought to be quantum resistant [6]. The post-quantum cryptography goal is to create schemes that can be resistant to a quantum computer [7]. Therefore, it is important for researchers to investigate different hard problems to create new cryptographic schemes that are secure against the attack of a quantum computer and to keep current communication practices protected [8].

The Polynomial Reconstruction Problem (PRP) is one of the listed problems in [6]. It has the full complexity needed against quantum computers of $\mathcal{O}\left(q\right)$, where q is a prime number of n-bits. The PRP was introduced in 1999 as a potential hard mathematical problem for cryptographic design. When compared to the Reed–Solomon error correcting codes, the PRP has some similarity related to its formulation [9]. Furthermore, the PRP has been broadly studied from the point of view of solvability and robustness. Among the reasons why the PRP is recommended as a hard mathematical problem, as mentioned in [10] is, firstly, some evidence that shows that the PRP can cope with the improvement of quantum computing. Secondly, this system has new advantages from the perspective of efficiency and cost effectiveness. Thirdly, the PRP uses simple matrix operations and other interesting components that might make it useful in cryptographic settings.

The PRP can be solved in polynomial time when the weight of error w is small enough, such that $w\le \frac{n-k}{2}$, where n is the number of elements in a vector and k is the degree of the polynomial. Guruswami and Sudan improved this to $w\le n-\sqrt{kn}$ [11]. In 2003, Augot and Finiasz proposed a cryptosystem that utilizes the PRP [12]. We denote this cryptosystem as the AF-Cryptosystem. The AF-Cryptosystem utilizes two types of PRPs. The first PRP concerns the definition in [6]. The second PRP is a specially constructed PRP to ensure decryption. The second PRP, which we coin as the Augot and Finiasz Solvable PRP (AF-SPRP) is defined below.

Definition 1.

(Augot and Finiasz Solvable PRP) Given n, k, t and ${(x_i,y_i)}_{i=1,\cdots ,n}$, output any polynomial p such that $deg<k$ and $p\left(x_i\right)=y_i$ for at least t values of i, where $t=n-w$.

The AF-Cryptosystem utilizes a univariate polynomial [13,14]. The AF-SPRP as in Definition 1 ensures that decryption can occur. That is, when one is given t points on a Cartesian plane, one needs to output a polynomial that fits all the points. Parameter t represents the number of elements equal to 0 in the vector. To complete the decryption process, Lagrange interpolation is utilized.

In 2004, the AF-Cryptosystem was successfully cryptanalyzed by Coron, where Coron managed to obtain the plaintext in polynomial time [15]. Nevertheless, the idea to utilize a PRP for a cryptosystem is indeed tempting. In 2013, Ajeena et al. utilized bivariate polynomials and the Vandermonde matrix to put forward a new PRP-based cryptosystem [16]. We denote this cryptosystem as the AAK-Cryptosystem. The designers of the AAK-Cryptosystem claimed that increasing the number of variables increases the level of security and resistance against any attack.

Designers of cryptosystems usually claim the security of the design in terms of exponential time and memory needed for the attack [17]. It is an essential characteristic to verify the security of a cryptographic scheme [18]. At the same time, it must be noted that indistinguishability is also an essential characteristic for a cryptosystem that might be chosen to be used on a plaintext domain of non-exponential size. A design needs to be secure against Indistinguishable Chosen-Plaintext Attack (i.e., IND-CPA secure) in order to overcome an adversary having the capability to re-encrypt all possible plaintexts and make a comparison with the ciphertext.

A cryptosystem is IND-CPA secure if every Probabilistic Polynomial Time Adversary has a negligible “advantage” over random guessing. An IND-CPA-secure cryptosystem results in an adversary not being able to win the IND-CPA game with probability more than $\frac{1}{2}+\epsilon \left(n\right)$, where $\epsilon \left(n\right)$ is a negligible function in security parameter n. To this end, this research on the AAK-Cryptosystem is to determine whether it is IND-CPA secure or not.

Our contribution: This paper puts forward an IND-CPA analysis of the AAK-Cryptosystem that is the extension of [19]. The motivation for this research originates from the cryptanalysis performed on the AF-Cryptosystem by Coron. We used the Berlekamp–Welch algorithm and created a modified Coron cryptanalysis strategy, and we prove that we can construct a list of possible candidates of the AAK-Cryptosystem secret key, $\alpha$. As such, we can highlight that the AAK-Cryptosystem is not IND-CPA secure.

The outline of this paper is shown as follows: In Section 2, we describe fundamental knowledge about the PRP as well as the Vandermonde method and outline the AAK-Cryptosystem. We also put forward the definition of Indistinguishable under Chosen-Plaintext Attack (IND-CPA). Next, we describe our proposed attack on the AAK-Cryptosystem and provide a numerical illustration for this attack in Section 3. Finally, we conclude in Section 4.

2. Materials and Methods

This section presents the fundamentals of PRP, Vandermonde method, AAK-Cryptosystem and IND-CPA concept.

2.1. Polynomial Reconstruction Problem (PRP)

We begin by revising fundamental knowledge regarding the PRP. The PRP has been well known since the generalized Reed–Solomon list decoding problem was reduced to it [20,21]. The PRP also seems to be hard, which results in it being a potential source of a hard mathematical problems to establish a cryptosystem [22]. To fathom the PRP, we here put forward the definition of PRP sourced from [6].

Definition 2.

(Polynomial Reconstruction Problem from Quantum Zoo) Let $p\left(x\right)=a_k{x}^k+\cdots +a_{1}x+a_0$ be a polynomial over finite field ${\mathbb{F}}_q$. One is given access to the oracle and query value of $x_i\in {\mathbb{F}}_q$, where $1\le i\le k+1$ and then outputs coefficients $a_k,\dots ,a_0$ to determine $p\left(x\right)$.

When an oracle receives input $x\in {\mathbb{F}}_q$, it outputs $p\left(x\right)$. The objective of solving the PRP is to obtain coefficients $a_k,\dots ,a_0$ [6]. Note that the value of k is unknown and input x is less than q. Classically, the queries that are required to determine the coefficients are $k+1$. In the case of univariate polynomials of degree k, the PRP has query complexity of $\mathcal{O}\left(\genfrac{}{}{0pt}{}{k+1}{k}\right)$.

2.2. PRP Computational Complexity

The highest degree for $p\left(x\right)$ is k and the number of coefficients in $p\left(x\right)$ is $k+1=q-1$; this means that $k=q-2$. Therefore,

$$\mathcal{O}\left(\genfrac{}{}{0pt}{}{k+1}{k}\right)=\mathcal{O}(q-1).$$

If $q\approx 2^n$ is exponentially large, it is impossible to query input x up to $2^n$ times. Hence, solving the PRP takes exponential time, which is $\mathcal{O}\left(2^n\right)$.

2.3. Vandermonde Method

The Vandermonde method is a method that is used to find an interpolating polynomial in two or more dimensions. Let us suppose that we have two dimensional points, $(x_1,y_1),(x_2,y_2),\dots ,(x_n,y_n)$ and that we obtain polynomial values for each point, denoted by $z_1,z_2,\dots ,z_n$, respectively. We want to find a bivariate polynomial of degree $n-1$ that fits all of these points. The step-by-step method is as follows:

• Write the general formula of the bivariate polynomial of degree $n-1$.
• Evaluate the polynomial at points $(x_1,y_1),(x_2,y_2),\dots ,(x_n,y_n)$.
• Solve the linear equation system.

The problem can easily be written as $V·c=Z$, where Z is the vector of z values and c is the coefficient vector. This method is utilized in the decryption process of the AAK-Cryptosystem.

2.4. AAK-Cryptosystem

Ajeena et al. [16] proposed a bivariate PRP cryptosystem as described below. Let n be the number of elements in the vector. The AAK-Cryptosystem takes into consideration the below parameters (

Table 1. Parameters used in the AAK-Cryptosystem.

Parameter	Remark
X	Input $x_i$
Y	Input $y_i$
${\mathbb{F}}_q$	Finite field with size q
n	The number of elements in a vector
k	Its dimension
W	The weight of big error vector E when the PRP is hard, that is, $W>\frac{n-k}{2}$ [16]
w	The weight of small error e, which results in the PRP being able to decrypt the ciphertext such that $w\le \frac{n-k}{2}$ [15]

).

Remark 1.

Value w represents the maximum number of elements not equal to 0 in a vector.

Remark 2.

Value $n-w$ represents the number of elements equal to 0 in a vector.

Utilizing the above parameters, ref. [16] constructed their cryptosystem with Algorithms 1–3.

Algorithm 1 Key Generation Process

Input: Parameters ($x_i,y_i,q,n,k,W,w$) Output: Public Key, $PK$ and secret key pair $(C,E)$ Alice secretly generates monic bivariate polynomial $p(X,Y)$ of degree equal to $k-1$ with respect to X and Y and big error vector E with the weight of W. Alice computes codeword $C=ev\left(p(X,Y)\right)=p(x_i,y_i)$ where $x_i,y_i\in {\mathbb{F}}_q$ and computes $PK=C+E$. Output public key, PK secret key pair $(C,E)$.

Algorithm 2 Encryption Process

Input: Message, $\mu \in {\mathbb{F}}_q$ Output: Ciphertext, $CT$ Bob wants to send a message polynomial $\mu (X,Y)$ with length $k+1$. The message is encoded into a codeword $\mu$ by computing $\mu =ev\left(\mu (X,Y)\right)=\mu (x_i,y_i)$. Bob randomly generates $\alpha \in {\mathbb{F}}_q$ and small error vector e with the weight of w. Bob computes ciphertext $CT=\mu +\alpha \times PK+e$ and sends the ciphertext to Alice.

Algorithm 3 Decryption Process

Input: Ciphertext, $CT$ Output: Message polynomial, $\mu (X,Y)$ For i, where $E_i=0$, determine $\overline{CT}=\overline{\mu }+\alpha \times \overline{C}+\overline{e}$. Correct $\overline{CT}$ to obtain $\widetilde{CT}=\tilde{\mu }+\alpha \times \tilde{C}$. Compute unique polynomial $q(X,Y)$ of degree $k-1$ by using Vandermonde method. Determine the leading coefficient $q(X,Y)$. Compute $\mu (X,Y)=q(X,Y)-\alpha p(X,Y)$.

Proof of Correctness

Proposition 1.

The AAK-Cryptosystem decryption algorithm is correct.

Proof of Proposition 1.

To show that from ciphertext CT, message $\mu (x,y)$ can be obtained, let us observe the following:

$$\begin{array}{cc}\hfill CT& =\mu +\alpha \times PK+e\hfill \\ \hfill & =\mu +\alpha \times (C+E)+e.\hfill \end{array}$$

(1)

Let us consider position $E_i=0$. Let $\overline{\mu }$, $\overline{C}$, $\overline{e}$ and $\overline{CT}$ correspond to shortened codes $\mu ,C,e$ and CT, respectively. Now, $\left(1\right)$ becomes

$$\begin{array}{cc}\hfill \overline{CT}& =\overline{\mu }+\alpha \times \overline{C}+\overline{e}.\hfill \end{array}$$

(2)

By $\left(2\right)$, $\overline{\mu }+\alpha \times \overline{C}\in \overline{R{S}_k}$. Provided that e has weight that is less than error correction capacity $\overline{R{S}_k}$, then $\overline{CT}$ can be corrected and $\tilde{\mu }+\alpha \times \tilde{C}$ can be found. Using the Vandermonde method, we compute the unique polynomial $q(x,y)$ degree $k-1$ and

$$\begin{array}{cc}\hfill ev\left(q(x_i,y_i)\right)& =\widetilde{{\mu }_i}+\alpha \times \widetilde{C_i}\hfill \end{array}$$

(3)

for $i\in \{1,2,\dots ,n\}$. Since we know that $ev\left(q(x_i,y_i)\right)=q(x_i,y_i)$, $\tilde{C}=ev\left(p(x_i,y_i)\right)=p(x_i,y_i)$ and $\tilde{\mu }=ev\left(\mu (x_i,y_i)\right)=\mu (x_i,y_i)$,

$$\begin{array}{cc}\hfill q(x_i,y_i)& =\mu (x_i,y_i)+\alpha p(x_i,y_i)\hfill \\ \hfill \mu (x_i,y_i)& =q(x_i,y_i)-\alpha p(x_i,y_i).\hfill \end{array}$$

(4)

With $\left(4\right)$, message $\mu (x,y)$ is obtained.    □

2.5. Indistinguishable under Chosen-Plaintext Attack (IND-CPA)

Every cryptosystem needs to have its basic security requirements analyzed, especially its indistinguishability characteristics, in order to avoid any attack to the cryptographic protocol [23]. Indistinguishable under Chosen-Plaintext Attack (IND-CPA) is a security notion for cryptosystems where a Probabilistic Polynomial Time Adversary (PPTA) communicates with a random oracle in a two-phase session, i.e., the learning and challenge phases [24]. IND-CPA is defined below.

Definition 3.

(Indistinguishable under Chosen-Plaintext Attack) The IND-CPA security model is defined by the following game between random oracle and PPTA:

• The random oracle initializes a cryptographic scheme and generates $(PK,SK)=Gen\left(1^n\right)$ as well as choosing random $b\in \{0,1\}$ and publishing public key $PK$, while secret key $SK$ is kept secret.
• The PPTA chooses two messages, ${\mu }_0$ and ${\mu }_1$, and sends them to the random oracle.
• The random oracle randomly chooses one out of the two messages and encrypts it; then, it sends ciphertext $C=enc({\mu }_b,PK)$ to the PPTA.
• The PPTA determines $b^{\prime }$. If $b^{\prime }=b$, then it outputs 1; else, 0.

A cryptosystem is Indistinguishable under Chosen-Plaintext Attack if for any PPTA, there exists a negligible function $\epsilon \left(n\right)$ such that

$$Pr(b^{\prime }=b)\le \frac{1}{2}+\epsilon \left(n\right).$$

In other words, an IND-CPA-secure cryptosystem is a cryptosystem where any passive adversary that can eavesdrop in a communication between two parties cannot obtain any information about the encrypted message [25].

3. The Attack

In this section, we prove that the AAK-Cryptosystem is not IND-CPA secure. We also provide a numerical illustration.

3.1. Cryptanalysis of AAK-Cryptosystem

Theorem 1.

Let μ and e be as described in the AAK-Cryptosystem. If the adversary can correctly ascertain value $\mu +e$, then given public key PK and ciphertext CT, the adversary can recover secret key α in polynomial time.

Proof of Theorem 1.

Let $C{T}_i$, $P{K}_i$ and $e_i$ be vector elements in CT, PK and e, respectively. Let us recall that the vectors of ciphertext $CT$ and public key $PK$ are given by

$$C{T}_i=\mu (x_i,y_i)+\alpha ·P{K}_i+e_i\forall 1\le i\le n$$

and

$$P{K}_i=C_i+E_i\forall 1\le i\le n.$$

We know that vector C is from the evaluation of polynomial $p(x_i,y_i)$. Based on [16], polynomial $p(x_i,y_i)$ is a monic polynomial, and the highest power for this polynomial is up to $k-1$ with respect to both x and y. In addition, polynomial $\mu (x_i,y_i)$ must be of length $k+1$. Consider the following set of equations:

$$\exists V,\mu ,\alpha \left\{\begin{array}{c}\mathrm{deg}\left(V\right)\le k-1,V\ne 0\hfill \\ \forall i,V(x_i,y_i)·(C{T}_i-\alpha \times P{K}_i)=V(x_i,y_i)·\mu (x_i,y_i)\hfill \end{array}\right.$$

(5)

$$\exists V,N,\lambda \left\{\begin{array}{c}\mathrm{deg}\left(V\right)\le k-1,V\ne 0,\mathrm{deg}\left(N\right)\le k-1\hfill \\ \forall i,V(x_i,y_i)·(C{T}_i-\lambda \times P{K}_i)=N(x_i,y_i)\hfill \end{array}\right.$$

(6)

From here, we can see that any solution $\left(5\right)$ gives a solution to $\left(6\right)$, where one takes $\lambda =\alpha$ and $N(x_i,y_i)=\mu (x_i,y_i)·V(x_i,y_i)$. For a given $\lambda$, Equation $\left(6\right)$ gives $2k^2$ unknowns, which are the coefficients of polynomials $V(x_i,y_i)$ and $N(x_i,y_i)$, where

$$V(x_i,y_i)=v_k{x}_i^{k-1}{y}_i^{k-1}+\dots +v_3{x}_i{y}_i+v_2{x}_i+v_1{y}_i+v_0$$

$$N(x_i,y_i)=n_k{x}_i^{k-1}{y}_i^{k-1}+\dots +n_3{x}_i{y}_i+n_2{x}_i+n_1{y}_i+n_0$$

and Y is the vector of coordinates

$$Y=(v_0,\dots ,v_{k-1},n_0,\dots ,n_{k-1}).$$

Next, a matrix $M\left(\lambda \right)$ is created with the following entries:

$$M{\left(\lambda \right)}_{i,a,b}=(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b$$

(7)

and

$$M{\left(\lambda \right)}_{i,a,b}=-{\left(x_i\right)}^a·{\left(y_i\right)}^b$$

(8)

where $i\in \{1,\dots ,n\}$, $a\in \{0,\dots ,k-1\}\mathrm{and}b\in \{0,\dots ,k-1\}$ in $\left(7\right)$ and $\left(8\right)$. For the first half of columns of $M\left(\lambda \right)$, $\left(7\right)$ is used, where a and b are the exponents of each monomial from polynomial $p(x,y)$. For the other half of columns of $M\left(\lambda \right)$, $\left(8\right)$ is used, where a and b are also the exponents of each monomial from polynomial $p(x,y)$. Hence, $M\left(\lambda \right)$ is either a rectangular matrix or a square matrix.

Then, we consider $M\left(\lambda \right)$ with $\lambda =0$ and use Gaussian elimination to compute the rank of matrix $M\left(0\right)$. Let us suppose that $M\left(\lambda \right)$ has dimensions $r\times s$. For rectangular matrix $M\left(\lambda \right)$, there are two cases:

(i)

When $r>s$, if $\mathrm{rank}M\left(0\right)=s$, then there exists sub-square matrix $M^{\prime }\left(\lambda \right)$ in $M\left(\lambda \right)$.

(ii)

When $r<s$, if $\mathrm{rank}M\left(0\right)=r$, then there exists sub-square matrix $M^{\prime }\left(\lambda \right)$ in $M\left(\lambda \right)$.

Using Equations (7) and (8), and with numerical input of public values $(x_i,y_i)$, we create $M\left(\lambda \right)$, where $\lambda$ represents the possible value of $\alpha$. By (7), which we use in the first half of columns of $M\left(\lambda \right)$, we have

$$M{\left(\lambda \right)}_{1,0,0}=(C{T}_1-\lambda ·P{K}_1)·{\left(x_1\right)}^0·{\left(y_1\right)}^0=(C{T}_1-\lambda ·P{K}_1)$$

$$M{\left(\lambda \right)}_{1,1,0}=(C{T}_1-\lambda ·P{K}_1)·{\left(x_1\right)}^1·{\left(y_1\right)}^0=(C{T}_1-\lambda ·P{K}_1)·\left(x_1\right)$$

$$\begin{array}{c}M{\left(\lambda \right)}_{1,0,1}=(C{T}_1-\lambda ·P{K}_1)·{\left(x_0\right)}^1·{\left(y_1\right)}^1=(C{T}_1-\lambda ·P{K}_1)·\left(x_1\right)·\left(y_1\right)\\ ⋮\end{array}$$

$$M{\left(\lambda \right)}_{n,k-1,k-1}=(C{T}_n-\lambda ·P{K}_n)·{\left(x_n\right)}^{k-1}·{\left(y_n\right)}^{k-1}$$

By (8), which we use in the second half of columns of $M\left(\lambda \right)$, we have

$$M{\left(\lambda \right)}_{1,0,0}=-{\left(x_1\right)}^0·{\left(y_1\right)}^0=-1\left(\mathrm{mod}q\right)$$

$$M{\left(\lambda \right)}_{1,1,0}=-{\left(x_1\right)}^1·{\left(y_1\right)}^0=-x_1\left(\mathrm{mod}q\right)$$

$$\begin{array}{c}M{\left(\lambda \right)}_{1,0,1}=-{\left(x_0\right)}^1·{\left(y_1\right)}^1=-y_1\left(\mathrm{mod}q\right)\\ ⋮\end{array}$$

$$M{\left(\lambda \right)}_{n,k-1,k-1}=-{\left(x_n\right)}^{k-1}·{\left(y_n\right)}^{k-1}\left(\mathrm{mod}q\right)$$

When we put these equations into matrix $M\left(\lambda \right)$, we have

$$M\left(\lambda \right)=\left[\begin{array}{ccccccccc}(C{T}_1-\lambda ·P{K}_1)& (C{T}_1-\lambda ·P{K}_1)·\left(x_1\right)& \cdots & (C{T}_1-\lambda ·P{K}_1)·{\left(x_1\right)}^{k-1}·{\left(y_1\right)}^{k-1}& -1& -x_1& -y_1& \cdots & -{\left(x_1\right)}^{k-1}·{\left(y_1\right)}^{k-1}\\ (C{T}_2-\lambda ·P{K}_2)& (C{T}_2-\lambda ·P{K}_2)·\left(x_2\right)& \cdots & (C{T}_2-\lambda ·P{K}_2)·{\left(x_2\right)}^{k-1}·{\left(y_2\right)}^{k-1}& -1& -x_2& -y_2& \cdots & -{\left(x_2\right)}^{k-1}·{\left(y_2\right)}^{k-1}\\ ⋮& ⋮& ⋮& ⋮& ⋮& ⋮& ⋮& ⋮& ⋮\\ (C{T}_n-\lambda ·P{K}_n)& (C{T}_n-\lambda ·P{K}_n)·\left(x_n\right)& \cdots & (C{T}_n-\lambda ·P{K}_n)·{\left(x_n\right)}^{k-1}·{\left(y_n\right)}^{k-1}& -1& -x_n& -y_n& \cdots & -{\left(x_n\right)}^{k-1}·{\left(y_n\right)}^{k-1}\end{array}\right].$$

When Equations (7) and (8) are multiplied by $V(x_i,y_i)$ and $N(x_i,y_i)$, respectively, we have

$$V(x_i,y_i)·M{\left(\lambda \right)}_{i,a,b}=(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b·V(x_i,y_i)$$

(9)

and

$$N(x_i,y_i)·M{\left(\lambda \right)}_{i,a,b}=-{\left(x_i\right)}^a·{\left(y_i\right)}^b·N(x_i,y_i).$$

(10)

The summation of (10) and (11) is

$$(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b·V(x_i,y_i)-{\left(x_i\right)}^a·{\left(y_i\right)}^b·N(x_i,y_i).$$

(11)

Since $N(x_i,y_i)=\mu (x_i,y_i)·V(x_i,y_i)$, (11) becomes

$$(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b·V(x_i,y_i)-{\left(x_i\right)}^a·{\left(y_i\right)}^b·\mu (x_i,y_i)·V(x_i,y_i).$$

(12)

Equation (5) shows that $V(x_i,y_i)·(C{T}_i-\alpha \times P{K}_i)=V(x_i,y_i)·\mu (x_i,y_i)$ and $\lambda =\alpha$; hence,

$${\left(x_i\right)}^a·{\left(y_i\right)}^b·\mu (x_i,y_i)·V(x_i,y_i)-{\left(x_i\right)}^a·{\left(y_i\right)}^b·\mu (x_i,y_i)·V(x_i,y_i)=0.$$

(13)

As such, Y contains the coefficients of polynomials $V(x_i,y_i)$ and $N(x_i,y_i)$, and if $\lambda =\alpha$, there exists Y such that

$$M\left(\lambda \right)·Y=0,Y\ne 0.$$

(14)

If $M\left(\lambda \right)$ is a square matrix and $\mathrm{rank}M\left(0\right)=r=s$, then we take $M\left(\lambda \right)$ as $M^{\prime }\left(\lambda \right)$ to compute $f\left(\lambda \right)=\mathrm{Det}\left(M^{\prime }\left(\lambda \right)\right).$ If $M\left(\lambda \right)$ is a rectangular matrix, then we need to follow cases (i) and (ii) to find sub-square matrix $M^{\prime }\left(\lambda \right)$. Sub-square matrix $M^{\prime }\left(0\right)$ is invertible when the determinant is not equal to 0. Next, we need to identify parameter $\lambda$ from matrix $M^{\prime }\left(\lambda \right)$, which is constructed with relations (7) and (8). Given relation

$$M^{\prime }\left(\lambda \right)·Y=0\left(\mathrm{mod}q\right)$$

(15)

the chosen rows or columns in $M\left(\lambda \right)$ can be arbitrary as long as the summation of (10) and (11) equals 0. Equation (15) shows a column matrix Y with entries not all equal to 0; then, Y corresponds to the nullspace of $M^{\prime }\left(\lambda \right)$. This means that $M^{\prime }\left(\lambda \right)$ is non-invertible and its determinant is equal to 0. As such, $\lambda$ can be determined from relation $\mathrm{Det}\left(M^{\prime }\left(\lambda \right)\right)=0$. Hence, a solution of $\alpha$ must be a root for polynomial

$$f\left(\lambda \right)=\mathrm{Det}\left(M^{\prime }\left(\lambda \right)\right).$$

To this end, the degree of polynomial $f\left(\lambda \right)$ is directly related to the number of columns containing $\lambda$ in $M^{\prime }\left(\lambda \right)$. The maximum number of columns possible is given by relation $\frac{n}{2}$. Note that n refers to the number of elements in the ciphertext ($CT$) vector. Let us observe that in order for the AAK-Cryptosystem to be practical, the number of elements in a vector cannot be exponentially large. Thus, the maximum number of roots is not exponentially large. Hence, if the adversary knows value $\mu +e$, the adversary can test all possible values of $\alpha$ in polynomial time.    □

3.2. Algorithm for Theorem 1

The Algorithm 4 for Theorem 1 is shown below.

Algorithm 4 Listing all possible candidates of secret key $\alpha$ via Theorem 1

Input: Public key, $PK$ and ciphertext, $CT$ Output: Secret key, $\alpha$ Compute public key, $PK=C+E$. Compute ciphertext, $CT=\mu +\alpha \times PK+e$. Construct matrix $M\left(\lambda \right)$:    Compute first half column using $M{\left(\lambda \right)}_{i,a,b}=(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b$.    Compute second half column using $M{\left(\lambda \right)}_{i,a,b}=-{\left(x_i\right)}^a·{\left(y_i\right)}^b$. Get $[m,n]=M\left(\lambda \right)$ where m represents as number of rows and n represents as number of columns for matrix $M\left(\lambda \right)$. Apply $\alpha =0$ to compute rank $M\left(0\right)$. Do the following procedure:    if $\mathrm{rank}M\left(0\right)=m=n$ then take $M\left(\lambda \right)$ as $M^{\prime }\left(\lambda \right)$ end if    if $\mathrm{rank}M\left(0\right)=n$ then there exist sub square matrix $M^{\prime }\left(\lambda \right)$ in $M\left(\lambda \right)$ end if    if $\mathrm{rank}M\left(0\right)=m$, then there exist sub square matrix $M^{\prime }\left(\lambda \right)$ in $M\left(\lambda \right)$ end if for sub square $M^{\prime }\left(\lambda \right)$ do    Compute determinant, $\mathrm{Det}\left(M^{\prime }\left(\lambda \right)\right)$.    Solve $f\left(\lambda \right)=\mathrm{Det}\left(M^{\prime }\left(\lambda \right)\right)=0$.    List all roots of $f\left(\lambda \right)$. This list contains all possible candidates of the secret key $\alpha$.

3.3. Numerical Illustration of Theorem 1

This section presents a numerical illustration of how to retrieve secret key $\alpha$ based on Theorem 1. Given $n=10$, $k=3$, $w=1$ and $W=3$ in ${\mathbb{F}}_{11}$, let $x=(2,3,3,4,5,6,7,8,9,10)$ and $y=(4,3,6,2,1,5,7,8,9,10)$. We take private polynomial

$$p(x,y)=x^{2}y+x{y}^2+3xy+5$$

and big error vector E,

$$E=(0,0,0,10,0,7,3,0,0,0).$$

The public key is

$$PK=C+E$$

where $C=ev\left(p\right(x,y\left)\right)$. We compute C as follows:

$$p(2,4)=0,p(3,3)=9,p(3,6)=1,p(4,2)=0,p(5,1)=6,$$

$$p(6,5)=7,p(7,7)=2,p(8,8)=0,p(9,9)=1,p(10,10)=6.$$

Therefore,

$$\begin{array}{cc}\hfill PK& =C+E\hfill \\ \hfill & =(0,9,1,0,6,7,2,0,1,6)+(0,0,0,10,0,7,3,0,0,0)\hfill \\ \hfill & =(0,9,1,10,6,3,5,0,1,6).\hfill \end{array}$$

A message $\mu (x,y)=xy+2x+4y+3$ is encoded into codeword $\mu$, where $\mu =ev\left(m\right(x,y\left)\right)$. That is,

$$\mu (2,4)=9,\mu (3,3)=8,\mu (3,6)=7,\mu (4,2)=5,\mu (5,1)=0$$

$$\mu (6,5)=10,\mu (7,7)=6,\mu (8,8)=5,\mu (9,9)=6,\mu (10,10)=9.$$

Therefore, we have

$$\mu =(9,8,7,5,0,10,6,5,6,9).$$

(16)

We choose private constant $\alpha =3\in {\mathbb{F}}_{11}$ and small error vector e, where

$$e=(0,0,0,0,0,7,0,0,0,0)$$

(17)

of weight $w=1$. Ciphertext CT is

$$\begin{array}{cc}\hfill CT& =\mu +\alpha \times PK+e\hfill \\ \hfill & =(9,8,7,5,0,10,6,5,6,9)+3\times (0,9,1,10,6,3,5,0,1,6)+(0,0,0,0,0,7,0,0,0,0)\hfill \\ \hfill & =(9,8,7,5,0,10,6,5,6,9)+(0,5,3,8,7,9,4,0,3,7)+(0,0,0,0,0,7,0,0,0,0)\hfill \\ \hfill & =(9,2,10,2,7,4,10,5,9,5).\hfill \end{array}$$

We now proceed to attack ciphertext $CT$. Let $M\left(\lambda \right)$ be the matrix of the following system:

• $M{\left(\lambda \right)}_{i,a,b}=(C{T}_i-\lambda ·P{K}_i)·{\left(x_i\right)}^a·{\left(y_i\right)}^b$
• $M{\left(\lambda \right)}_{i,a,b}=-{\left(x_i\right)}^a·{\left(y_i\right)}^b$

where $i\in \{1,\dots ,10\},a\in \{0,1,2\}\mathrm{and}b\in \{0,1,2\}$ in $\left(1\right)$ and $\left(2\right)$. For the first half of columns of matrix $M\left(\lambda \right)$, we use $\left(1\right)$. Hence, when $i=1$, $a=0$ and $b=0$,

$$\begin{array}{cc}\hfill M{\left(\lambda \right)}_{1,0,0}& =(C{T}_1-\lambda ·P{K}_1)·{\left(x_1\right)}^0·{\left(y_1\right)}^0\hfill \\ \hfill & =9-\lambda ·0\hfill \\ \hfill & =9.\hfill \end{array}$$

When $i=5$, $a=1$ and $b=1$,

$$\begin{array}{cc}\hfill M{\left(\lambda \right)}_{5,1,1}& =(C{T}_5-\lambda ·P{K}_5)·{\left(x_5\right)}^1·{\left(y_5\right)}^1\hfill \\ \hfill & =(7-\lambda ·6)·5·1\hfill \\ \hfill & =2-8\lambda .\hfill \end{array}$$

When $i=5$, $a=2$ and $b=1$,

$$\begin{array}{cc}\hfill M{\left(\lambda \right)}_{5,2,1}& =(C{T}_5-\lambda ·P{K}_5)·{\left(x_5\right)}^2·{\left(y_5\right)}^1\hfill \\ \hfill & =(7-\lambda ·6)·5^2·1^1\hfill \\ \hfill & =10-7\lambda .\hfill \end{array}$$

For the second half of columns of matrix $M\left(\lambda \right)$, we use $\left(2\right)$. When $i=2$, $a=2$ and $b=2$,

$$\begin{array}{cc}\hfill M{\left(\lambda \right)}_{2,2,2}& =-{\left(x_2\right)}^2·{\left(y_2\right)}^2\hfill \\ \hfill & =-\left(3^2\right)·\left(3^2\right)\hfill \\ \hfill & =7.\hfill \end{array}$$

When $i=2$, $a=2$ and $b=1$,

$$\begin{array}{cc}\hfill M{\left(\lambda \right)}_{2,2,1}& =-{\left(x_2\right)}^2·{\left(y_2\right)}^1\hfill \\ \hfill & =-\left(3^2\right)·\left(3^1\right)\hfill \\ \hfill & =6.\hfill \end{array}$$

When all the entries in $M\left(\lambda \right)$ have been calculated, see Appendix A. In Appendix A, we can see that the dimension of $M\left(\lambda \right)$ is $10\times 18$. Next, we consider $M\left(\lambda \right)$ with $\lambda =0$ and apply Gaussian elimination to calculate the rank of matrix $M\left(0\right)$. The rank for matrix $M\left(0\right)$ is 10, which, in this example case (ii), is applied, and we take columns 9 to 18 to be a sub-square matrix of $M\left(\lambda \right)$. Then, the sub-square matrix denoted by $M^{\prime }\left(\lambda \right)$ is the matrix with dimensions $10\times 10$, as follows:

$$M^{\prime }\left(\lambda \right)=\left[\begin{array}{cccccccccc}4& 10& 7& 6& 9& 3& 1& 7& 6& 2\\ 8-3\lambda & 10& 8& 2& 8& 2& 6& 2& 6& 7\\ 6-5\lambda & 10& 5& 8& 8& 4& 2& 2& 1& 6\\ 7-2\lambda & 10& 9& 7& 7& 3& 6& 6& 1& 2\\ 10-7\lambda & 10& 10& 10& 6& 6& 6& 8& 8& 8\\ 3-5\lambda & 10& 6& 8& 5& 3& 4& 8& 7& 2\\ 8-4\lambda & 10& 4& 6& 4& 6& 9& 6& 9& 8\\ 9& 10& 3& 2& 3& 2& 5& 2& 5& 7\\ 1-5\lambda & 10& 2& 7& 2& 7& 8& 7& 8& 6\\ 5-6\lambda & 10& 1& 10& 1& 10& 1& 10& 1& 10\end{array}\right].$$

Furthering the process, we calculate determinant $f\left(\lambda \right)$,

$$f\left(\lambda \right)=\det \left(M^{\prime }\left(\lambda \right)\right)=74877540\lambda -42937040.$$

The highest degree of polynomial $f\left(\lambda \right)$ is 1. This coincides with the fact that $M^{\prime }\left(\lambda \right)$ has one column that contains $\lambda$. Upon computing $f\left(\lambda \right)$ modulo $q=11$, we obtain the following:

$$f\left(\lambda \right)=\lambda -3.$$

We take $\lambda =3$ as the secret key. In line with Theorem 1, $M^{\prime }\left(3\right)$ is indeed a non-invertible matrix. To see this fact, we compute column matrix Y, which is the nullspace of $M^{\prime }\left(3\right)$, respectively. Column matrix Y is given by

$$Y=\left[\begin{array}{c}9\\ 1\\ 4\\ 0\\ 5\\ 5\\ 3\\ 7\\ 9\\ 1\end{array}\right].$$

Let us observe that $M^{\prime }\left(3\right)·Y=0$.

Remark 3.

Let us assume that the adversary knows that

$$\begin{array}{cc}\hfill \mu +e& =(9,8,7,5,0,10,6,5,6,9)+(0,0,0,0,0,7,0,0,0,0)\hfill \\ \hfill & =(9,8,7,5,0,6,6,5,6,9).\hfill \end{array}$$

(18)

It is easy to see that the adversary can determine whether $\lambda =3$ is the secret key or not. This can be illustrated as follows:

$$\begin{array}{cc}\hfill CT-3\times PK& =(9,2,10,2,7,4,10,5,9,5)-3\times (0,9,1,10,6,3,5,0,1,6)\hfill \\ \hfill & =(9,8,7,5,0,6,6,5,6,9).\hfill \end{array}$$

(19)

Hence, $\lambda =3$ is the correct value of α.

Remark 4.

At this point, when the adversary tries $\lambda =3$, it does not provide any constructive information upon his attempt to successfully cryptanalyze the ciphertext. This is clear because the adversary does not have Equation (18) at hand to make a comparison with (19). The usefulness of the above strategy can only be seen in the following section, IND-CPA on the AAK-Cryptosystem.

3.4. Indistinguishable under Chosen Plaintext Attack on AAK-Cryptosystem

This section proves that the AAK-Cryptosystem is not IND-CPA secure. Let us observe that within the AAK-Cryptosystem, the weight of small error vector e must be $w<\frac{n-k}{2}$. This means there are $n-w$ elements equal to 0 in small error vector e. Therefore, we can utilize this fact to prove that the AAK-Cryptosystem is not IND-CPA secure. The theorem for this attack is reported below.

Theorem 2.

If vector $\mu +e$ has been obtained, then the AAK-Cryptosystem is not IND-CPA secure.

Proof of Theorem 2.

The PPTA conducts the following:

• It chooses two messages, ${\mu }_0$ and ${\mu }_1$, in which identical elements do not share the same position in the vector and sends it to the random oracle.
• The random oracle relays the ciphertext, where $CT={\mu }_b+\alpha \times PK+e$.
• It computes $\alpha$ based on Theorem 1.
• It computes $CT-\alpha \times PK={\mu }_b+e$.
• Since the PPTA knows about secret key $\alpha$, the PPTA can check the ${\mu }_b+e$ vector entry positions. Due to the fact that e has vector elements equal to 0 totaling $n-w$, the PPTA can identify b.

Note that if the adversary chooses an incorrect root from $f\left(\lambda \right)$, it would result in an incorrect value of $\alpha$. As such, $CT-\alpha \times PK$ would result in a meaningless vector to make a comparison with either ${\mu }_0$ or ${\mu }_1$. The adversary would then just choose the next root available. Since the number of roots is not exponentially large, this process is feasible.

From here, we can see that the AAK-Cryptosystem is not IND-CPA secure, because the PPTA can guess which vector ${\mu }_b$ is encrypted with $Pr(b^{\prime }=b)=1$. Furthermore, on a side note, the PPTA can also distinguish vector e.    □

3.4.1. Algorithm for Theorem 2

The Algorithm 5 for Theorem 2 is shown below.

Algorithm 5 IND -CPA on the AAK-Cryptosystem using Theorem 2

Input: Messages pair $({\mu }_0,{\mu }_1)$ Output:b where $b\in \{0,1\}$ PPTA chooses 2 messages, $({\mu }_0,{\mu }_1)$ where identical elements do not share the same position in the vectors. PPTA sends 2 messages to random oracle. Random oracle chooses 1 message between $({\mu }_0,{\mu }_1)$. Random oracle encrypts the message and publishes $CT={\mu }_b+\alpha \times PK+e$. PPTA computes $\alpha$. PPTA computes $CT-\alpha \times PK={\mu }_b+e$. PPTA check ${\mu }_b+e$ with $({\mu }_0,{\mu }_1)$ to determine b.

3.4.2. Numerical Illustration of Theorem 2

This section presents a numerical illustration of IND-CPA on the AAK-Cryptosystem based on Theorem 2. Given $n=10$, $k=3$, $w=1$ and $W=3$ in ${\mathbb{F}}_{11}$, let $x=(2,3,3,4,5,6,7,8,9,10)$ and $y=(4,3,6,2,1,5,7,8,9,10)$. We take the private key,

$$p(x,y)=x^{2}y+x{y}^2+3xy+5$$

and big error vector E,

$$E=(0,0,0,10,0,7,3,0,0,0).$$

The public key is:

$$PK=C+E$$

where $C=ev\left(p\right(x,y\left)\right)$; hence,

$$p(2,4)=0,p(3,3)=9,p(3,6)=1,p(4,2)=0,p(5,1)=6,$$

$$p(6,5)=7,p(7,7)=2,p(8,8)=0,p(9,9)=1,p(10,10)=6.$$

Therefore,

$$\begin{array}{cc}\hfill PK& =C+E\hfill \\ \hfill & =(0,9,1,0,6,7,2,0,1,6)+(0,0,0,10,0,7,3,0,0,0)\hfill \\ \hfill & =(0,9,1,10,6,3,5,0,1,6).\hfill \end{array}$$

Two messages are chosen by the PPTA, ${\mu }_0(x,y)=xy+2x+4y+3$ and ${\mu }_1(x,y)=xy+5x+8y+7$. These two messages are encoded into codewords ${\mu }_0$ and ${\mu }_1$, respectively, where ${\mu }_b=ev\left(\mu (x,y)\right)$ for $b\in \{0,1\}$. For ${\mu }_0(x,y)=xy+2x+4y+3$, it is encoded as follows:

$${\mu }_0(2,4)=9,{\mu }_0(3,3)=8,{\mu }_0(3,6)=7,{\mu }_0(4,2)=5,{\mu }_0(5,1)=0,$$

$${\mu }_0(6,5)=10,{\mu }_0(7,7)=6,{\mu }_0(8,8)=5,{\mu }_0(9,9)=6,{\mu }_0(10,10)=9.$$

Then, we obtain ${\mu }_0=(9,8,7,5,0,10,6,5,6,9)$. For ${\mu }_1(x,y)=xy+5x+8y+7$, it is encoded as follows:

$${\mu }_1(2,4)=2,{\mu }_1(3,3)=0,{\mu }_1(3,6)=0,{\mu }_1(4,2)=7,{\mu }_1(5,1)=1,$$

$${\mu }_1(6,5)=8,{\mu }_1(7,7)=4,{\mu }_1(8,8)=10,{\mu }_1(9,9)=7,{\mu }_1(10,10)=6.$$

Then, we obtain ${\mu }_1=(2,0,0,7,1,8,4,10,7,6)$. The PPTA must ensure that identical elements in the two message vectors do not share the same location. Next, the PPTA sends these two message vectors, $({\mu }_0$ and ${\mu }_1)$ to the random oracle. The random oracle chooses one of the message vectors, encrypts it and publishes ciphertext CT, where

$$\begin{array}{cc}\hfill CT& ={\mu }_b+\alpha \times PK+e\hfill \\ \hfill & =(9,2,10,2,7,4,10,5,9,5).\hfill \end{array}$$

Since the value of secret key $\alpha$ can be computed based on Theorem 1, the PPTA retrieves $\alpha =3$. Next, the PPTA computes equation

$$CT-\alpha \times PK={\mu }_b+e$$

and obtains ${\mu }_b+e=(9,8,7,5,0,6,6,5,6,9)$. The PPTA can check the entry positions using Equation $\left(19\right)$. Finally, the PPTA can identify b from ${\mu }_b+e$, considering the fact that e has vector elements equal to 0 totaling $n-w$. To this end, the PPTA can identify $b^{\prime }=0$ with probability equal to one.

4. Discussion

This analysis shows that from $M\left(\lambda \right)$, we choose columns 9 to 18 to be our sub-square matrix $M^{\prime }\left(\lambda \right)$. In our study, we also observe that columns 7 to 16 also give the correct value of $\alpha$, where the sub-square matrix is given as follows:

$$M_1^{\prime }\left(\lambda \right)=\left[\begin{array}{cccccccccc}3& 1& 4& 10& 7& 6& 9& 3& 1& 7\\ 7-4\lambda & 10-\lambda & 8-3\lambda & 10& 8& 2& 8& 2& 6& 2\\ 2-9\lambda & 1-10\lambda & 6-5\lambda & 10& 5& 8& 8& 4& 2& 2\\ 10-6\lambda & 9-\lambda & 7-2\lambda & 10& 9& 7& 7& 3& 6& 6\\ 10-7\lambda & 10-7\lambda & 10-7\lambda & 10& 10& 10& 6& 6& 6& 8\\ 1-9\lambda & 5-\lambda & 3-5\lambda & 10& 6& 8& 5& 3& 4& 8\\ 6-3\lambda & 9-10\lambda & 8-4\lambda & 10& 4& 6& 4& 6& 9& 6\\ 1& 8& 9& 10& 3& 2& 3& 2& 5& 2\\ 3-4\lambda & 5-3\lambda & 1-5\lambda & 10& 2& 7& 2& 7& 8& 7\\ 5-6\lambda & 6-5\lambda & 5-6\lambda & 10& 1& 10& 1& 10& 1& 10\end{array}\right].$$

Then, the determinant for $M_1^{\prime }\left(\lambda \right)$, where $f_1\left(\lambda \right)=\det \left(M_1^{\prime }\left(\lambda \right)\right)$, is

$$f_1\left(\lambda \right)=\det \left(M_1^{\prime }\left(\lambda \right)\right)=-21483650{\lambda }^3+136151740{\lambda }^2+72625310\lambda +44956500.$$

The highest degree of polynomial $f_1\left(\lambda \right)$ is 3. This coincides with the fact that $M_1^{\prime }\left(\lambda \right)$ has three columns that contain $\lambda$. Upon computing $f_1\left(\lambda \right)$ modulo $q=11$, we obtain the following:

$$f_1\left(\lambda \right)=10({\lambda }^2+4\lambda +2)(\lambda -3).$$

When $\lambda =3$, determinants $f\left(\lambda \right)$ and $f_1\left(\lambda \right)$ are 0. From the analysis performed above, we can see that from determinant $f\left(\lambda \right)$, we can obtain a set of $\lambda$, where one of them is the correct value of $\alpha$. In order to determine which root is the correct value of $\alpha$, we need to compute $CT-\alpha \times PK=\mu +e$. We know that the weight of small error e must be $\frac{n-k}{2}$, which gives us the information about the zero elements in e. Next, if $\lambda \ne \alpha$, then vector $CT-\lambda \times PK$ does not provide any significant information about the message. Hence, this cryptanalysis presents a good outcome, where secret key $\alpha$ can be determined. Therefore, this shows that the AAK-Cryptosystem is not IND-CPA secure.

5. Conclusions

In this research study, we present an algebraic cryptanalysis of an AAK-Cryptosystem as described in [16]. This attack is resourced from strategies found in [15]. In this paper, we proved that we managed to form a list of possible values of the secret key, $\alpha$. Furthering our analysis, we were able to prove that the AAK-Cryptosystem is not IND-CPA secure. As such, the AAK-Cryptosystem, as outlined in [16], is not suitable for utilization upon a set of plaintexts originating from a domain of non-exponential size.