Security Features of an Asymmetric Cryptosystem based on the Diophantine Equation Hard Problem and Integer Factorization Problem
The Diophantine Equation Hard Problem (DEHP) is a potential cryptographic problem on the Diophantine equation . A proper implementation of DEHP would render an attacker to search for private parameters amongst the exponentially many solutions. However, an improper implementation would provide an attacker exponentially many choices to solve the DEHP. The AA -cryptosystem is an asymmetric cryptographic scheme that utilizes this concept together with the factorization problem of two large primes and is implemented only by using the multiplication operation for both encryption and decryption. With this simple mathematical structure, it would have low computational requirements and would enable communication devices with low computing power to deploy secure communication procedures efficiently.
Keywords:Diophantine equation hard problem (DEHP), integer factorization problem, asymmetric cryptography, passive adversary attack
The discrete log problem (DLP) and the elliptic curve discrete log problem (ECDLP) has been the source of security for cryptographic schemes such as the Diffie Hellman key exchange procedure, El-Gamal cryptosystem and elliptic curve cryptosystem (ECC) respectively , . As for the world renowned RSA cryptosystem, the inability to find the -th root of the ciphertext C modulo N from the congruence relation coupled with the inability to factor for large primes and is its fundamental source of security . Recently, suggestions have been made that the ECC is able to produce the same level of security as the RSA with shorter key length. Thus, ECC should be the preferred asymmetric cryptosystem when compared to RSA . Hence, the notion “cryptographic efficiency” is conjured. That is, to produce an asymmetric cryptographic scheme that could produce security equivalent to a certain key length of the traditional RSA but utilizing shorter keys. However, in certain situations where a large block needs to be encrypted, RSA is the better option than ECC because ECC would need more computational effort to undergo such a task . Thus, adding another characteristic toward the notion of “cryptographic efficiency” which is it must be less “computational intensive”. As such, in order to design a state-of-the-art public key mechanism, the above two characteristics must be adhered to apart from other well known security issues. In 1998 the cryptographic scheme known as NTRU was proposed with better ”cryptographic efficiency” relative to RSA and ECC . Much effort has been done to push NTRU to the forefront .
The cryptographic scheme in this paper is based on what is defined as the Diophantine Equation Hard Problem (DEHP). It is coupled together with the well known integer factorization problem of two large primes. The DEHP is a new form of cryptographic problem based on the Diophantine equation of the form . The authors propose that the DEHP as outlined in this paper is also another cryptographic problem that has secure cryptographic qualities coupled with the above described “cryptographic efficiency” qualities.
The layout of this paper is as follows. In Section 2, the Diophantine Equation Hard Problem (DEHP) will be described. The mechanism of the AA -cryptosystem will be detailed in Section 3. Continuing in Section 4, will be discussion on the security features of this cryptosystem. In Section 5 lattice based attacks on the scheme is discussed. Section 6 will be devoted in discussing the consequences of improper design utilizing the DEHP. That is, the possibility of succumbing to a passive adversary attack. The underlying principle and reduction proofs regarding the intractability of the scheme is proposed in Section 7. A numerical example of the scheme as well as an illustration of the DEHP will also be given in this section. Finally, we conclude the paper by comparing “cryptographic efficiency” characteristics against RSA,ECC and NTRU schemes in Section 8.
2 The Diophantine equation hard problem (DEHP)
The DEHP is based upon the linear diophantine equation which is of the form . The following definitions would give a precise idea regarding the DEHP.
Let where the integers and are known. We define the sequence of integers as the preferred integers used to obtain . The sequence are particular elements from the set of solutions of that contains infinitely many elements. The problem to determine the sequence is known as the DEHP.
From Definition 1, for and the DEHP is known as the AA -DEHP-2 (see Section 7).
The Diophantine equation given by is defined to be prf-solved when the sequence of integers are found in order to obtain . The DEHP or the AA -DEHP-2 is solved when is prf-solved.
Let be the preferred solutions for the equation where and are -bits long (i.e. this example ). An attacker would be faced with the AA -DEHP-2 (see Section 7) of determining the preferred integer in order to determine the remaining preferred integer that form the prf-solution set for the above Diophantine equation. Since it is known that is 64-bits long, the possible values of resides within the interval . In other words, there are possible values that might be.
3 The AA -Cryptosystem
We will now define parameters needed for the renewed -cryptosystem. The communication model is between two parties A (Along) and B (Busu).
The ephemeral secret keys for Along are three integers. The integers and are -bits long. The relation between the integers is:
where is -bits long.
Let and be two prime numbers of -bit length. Along’s public keys are given by
Along’s private key is given by
Busu will generate two ephemeral session keys: and . The keys and are -bits long.
The message that Busu will relay to Along is a -bit integer .
Busu will produce the following ciphertext:
We begin with:
because . Then,
3.1 The AA - public key cryptography scheme
We will now discuss the AA -cryptosystem. It is as follows: the scenario is that Busu will send an encrypted message to Along. Along will provide Busu with his public key pair and . Busu intends to send the integer plaintext as in Definition 8. Busu will then proceed to generate the ciphertext . Then Busu transmits the ciphertext to Along. Upon receiving the ciphertext from Busu, Along by Proposition 1, can retrieve the integer plaintext .
4 Security Features
In this section we will focus on the obvious objective of an attacker. That is to retrieve the plaintext or the private key or both. Discussion would begin by discussing the objective of trying to obtain the plaintext from the ciphertext followed by the objective to obtain the private key embedded within the public key.
4.1 To obtain the plaintext from the ciphertext
As defined in Definition 9, the plaintext resides within . Thus, the attacker has to prf-solve via the preferred integers and the AA -DEHP-1 (see Section 7) given by
The ability to determine the keys or would infer that the attacker has also the ability to determine in the first instance.
4.2 To obtain the private key from the public key via the Diophantine equations
The attacker has to prf-solve and via the preferred integers and the AA -DEHP-2 (see Section 7). In congruent with the ability to obtain the plaintext from the ciphertext as discussed above, the ability to determine the keys and would infer that the attacker has also the ability to determine in the first instance.
5 Lattice based attacks
In this section we put forward two possible attacks via lattices and show that why such attacks will not yield any information detrimental to the scheme.
5.1 Attack with Coppersmith method in the univariate case
We will reproduce Coppersmith’s theorem for the benfit of the reader.
(Coppersmith) Let be an integer of unknown factorization, which has a divisor . Furthermore, let be an univariate, monic polynimial of degree . Then we can find all solutions for the equation with
in polynomial time in .
We begin by observing where and are of equal length. Suppose is prime integer that satisfies . It is clear that . Let us now observe the polynomials and which have a small common root modulo . By the polynomial we have the parameter . The parameter is an -bit integer while the parameter is a -bit integer. Thus, the bound is much smaller than the root.
A more efficient method would be just to observe the polynomial . Hence, . The parameter is an -bit integer while the parameter is a -bit integer. Thus, the bound is still much smaller than the root.
5.2 Gaussian heuristic
We will look at the the lattice spanned by . Observe that the vector is in . If is short, then the LLL algorithm will be able to detect . This is critical since by the usage of the vector it is obvious that the length of m is dominant when compared to k1 and k2 hence length of V is approximately m. And by the above information m is certainly dominant in the vector V=(k1,k2,-m). Now let us check whether V is really short or not. The Gaussian heuristic for the lattice L is given by:
One can see that is approximately -bits, while the length of the vector is -bits. The Gaussian heuristic is much smaller than the length of the vector . Thus, the vector is not considered to be short and cannot be detected by the LLL algorithm.
6 Improper design via the DEHP
It is important to note that, an improper design of an asymmetric cryptosystem via the DEHP would lead to succesful passive adversary attacks. To illustrate this fact, we will produce the following two examples.
6.1 A key exchange mechanism based on the DEHP
Let Along and Busu utilize private 2 X 2 non-singular matrices A and B respectively. A base generator G will be made public. It is a 2 X 2 singular matrix. The parameter and will be exchanged between Along and Busu. Then Along will compute , while Busu will compute . Now both parties have the same key (i.e. key exchange). If the assumption is that the attacker has to obtain either A or B from either or this would be the DEHP, since G is singular. However, an attacker could still compute but and as a result is able to compute . Thus rendering the scheme insecure. The following is a numerical example.
Along will generate
and Busu will generate
The shared key computed by both parties is
An attacker intercepting could construct the matrix
It could be observed that . Hence, a passive adversary attack has been successfully executed.
6.2 Improper integer size
Observe the equation given by
where and are public parameters. Let be of length -bits, while the private parameters and are -bits long.Because of this improper choice of size, one can obtain
7 The Underlying Security Principle
We will now observe the underlying security principles that the -cryptosystem is based upon.
7.1 The -Dehp-1
Determine the preferred integer either or such that or .
7.2 The -Dehp-2
Determine the preferred integers belonging to the public keys and .
7.3 The integer factorization problem
Let and be two large primes. From obtain .
7.4 Security reduction
-DEHP-2 Factoring .
Let be an oracle that factors the product of primes. Call to obtain and . Then we are able to construct , and . Hence, the preferred integers are obtained Thus, -DEHP-2 Factoring . Let be an oracle that obtains the preferred integers . Then obtain and . Thus, Factoring -DEHP-2. Hence, -DEHP-2 Factoring .
Decryption Factoring .
Let be an oracle that factors the product of primes. Call to obtain and . Then determine . Now, decryption can occur.
The public key cryptosystem is IND-CPA.
The public key cryptosystem is a probabilistic cryptosystem. A probabilitic encryption scheme is IND-CPA . Thus the public key cryptosystem is IND-CPA.
We will now provide a clear numerical illustration of the -cryptosystem for -bits. Along will generate the following secret keys: , and . Along’s public keys are and . Observe that is product of two 32-bit primes ( and ). Along’s private keys are and . In the meantime Busu will generate and . The message is . The ciphertext generated by Busu is . Finally, .
The -cryptosystem has the capacity to become a novel
public key cryptosystem whose hard mathematical problem is based
upon the difficulty of the DEHP and the integer factorization
problem of two large primes. Just like the RSA, where the -th
root problem is considered much more difficult than factoring the
product of primes, the DEHP could also be considered much more
difficult than factoring the product of primes (due to the
exponential number of possibilities for the private parameters).
The minimum key length for optimum security should be set to
-bits. On another note, it is known that the implementation
of RSA and ECC is operations where is the length of
the message block ,,. By this fact we can
have the following table of comparison.
|Algorithm||Encryption Speed||Decryption Speed||Expansion|
|RSA||1 - 1|
|ECC||1 - 2 (2 parameter ciphertext)|
|1 - 2.7|
Table 2 Encryption / decryption speed and message expansion table for message block of length
One can also note another advantage. That is, since encrypt and decrypt procedures are the basic arithmetic operation of multiplication, the scheme could encrypt messages of large block size with ease. As a result this algorithm is advantageous relative to RSA or ECC (because of better speed) and ECC (because of less computational effort to encrypt/decrypt messages of large block size).
The authors would like to thank Yanbin Pan of Key Laboratory of Mathematics Mechanization Academy of Mathematics and Systems Science, Chinese Academy of Sciences Beijing, China and Gu Chunsheng of School of Computer Engineering, Jiangsu Teachers University of Technology, Jiangsu Province, China for valuable comments and discussion.
-  M. R. K. Ariffin and N. A. Abu, -cryptosystem: A chaos based public key cryptosystem, Int. Jour. Cryptology Research. vol. 1, no. 2 (2009), pp. 149–163.
-  AM. R. K. Ariffin, N. A. Abu and A. Mandangan, Strengthening the -cryptosystem, Proc. Second International Cryptology Conference 2010. (2010), pp. 16–26.
-  S. R. Blackburn, The Discrete Log Problem Modulo 1: Cryptanalyzing the Ariffin - Abu cryptosystem, J. Mathematical Cryptology, vol. 4, no. 2, (2010), pp. 193–198.
-  CR. Bose, Novel Public Key Encryption Techniques Based on Multiple Chaotic Systems, Physic Review Letters. vol. 95, issue 9 (2005).
-  A. E. Cohen and K. K. Parhi, Implementation of Scalable Elliptic Curve Cryptosystem Crypto-Accelerators for GF(2m), Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers 1. (2004), pp. 471–477.
-  W. Diffie and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory. vol. 22, no. 26 (1976), pp. 644–654.
-  J. Hoffstein, J. Pipher and J. H. Silverman, An Introduction to Mathematical Cryptography. New York: Springer. (2008), pp. 352–358.
-  J. Hermans et. al., Speed Records for NTRU, CT-RSA 2010, LNCS 5985. (2010), pp. 73–88.
-  J. Hoffstein, J. Pipher, J. H. Silverman. NTRU: A Ring Based Public Key Cryptosystem in Algorithmic Number Theory (ANTS III) Lecture Notes in Computer Science 1423, Springer-Verlag, Berlin. (1998), pp. 267–288.
-  N. Koblitz, Elliptic Curve Cryptosystems, Math. Comp. vol. 48, no. 177 (1987), pp. 203–209.
-  R. L. Rivest, A. Shamir and L. Adleman, A method for obtainning digital signatures and public key cryptosystems, Commun. ACM. vol. 21, issue 2 (1978), pp. 120–126.
-  B. Schneier, Key length in Applied Cryptography. New York: John Wiley & Sons. (1996), pp. 151–168.
-  M. Scott, When RSA is better than ECC. (2008, November 15) [Online]. Available: http://www.derkeiler.com/Newsgroups/sci.crypt/2008-11/msg00276.html
-  S. S. Wagstaff, Cryptanalysis of Number Theoretic Ciphers, Divisibility and Arithmetic. (2003), pp. 27–42.
-  S. Vanstone, ECC holds key to next generation cryptography. (2006, March 18) [Online].Available: http://www.design-reuse.com/articles/7409/ecc-hold-key-to-next-gen-cryptography.html
-  J. Wolkerstorfer and W. Bauer, A PCI-Card for Accelerating Elliptic Curve Cryptography, Proceedings of Austrochip 2002, Graz, Austria, October 4, (2002).