
J. Math. Crypt. x (2012), 1–11
© de Gruyter 2012
DOI 10.1515/JMC.2012.xxx

Security Features of an Asymmetric Cryptosystem based on the Diophantine Equation Hard Problem and Integer Factorization Problem
M.R.K. Ariffin, M.A. Asbullah and N.A. Abu
Communicated by xxx

Abstract. The Diophantine Equation Hard Problem (DEHP) is a potential cryptographic problem on the Diophantine equation $U = \sum_{i=1}^{n} V_i x_i$. A proper implementation of DEHP would force an attacker to search for private parameters amongst the exponentially many solutions. However, an improper implementation would provide an attacker exponentially many choices to solve the DEHP. The AA -cryptosystem is an asymmetric cryptographic scheme that utilizes this concept together with the factorization problem of two large primes and is implemented only by using the multiplication operation for both encryption and decryption. With this simple mathematical structure, it would have low computational requirements and would enable communication devices with low computing power to deploy secure communication procedures efficiently.

Keywords. Diophantine equation hard problem (DEHP), integer factorization problem, asymmetric cryptography, passive adversary attack.

AMS classification. 11T71, 94A60, 11D45.

1 Introduction

The discrete log problem (DLP) and the elliptic curve discrete log problem (ECDLP) have been the source of security for cryptographic schemes such as the Diffie-Hellman key exchange procedure, El-Gamal cryptosystem and elliptic curve cryptosystem (ECC) respectively [6], [11]. As for the world renowned RSA cryptosystem, the inability to find the e-th root of the ciphertext C modulo N from the congruence relation $C \equiv M^e \pmod{N}$ coupled with the inability to factor $N = pq$ for large primes p and q is its fundamental source of security [12]. Recently, suggestions have been made that the ECC is able to produce the same level of security as the RSA with shorter key length. Thus, ECC should be the preferred asymmetric cryptosystem when compared to RSA [16]. Hence, the notion of "cryptographic efficiency" is conjured. That is, to produce an asymmetric cryptographic scheme that could produce security equivalent to a certain key length of the traditional RSA but utilizing shorter keys. However, in certain situations where a large block needs to be encrypted, RSA is the better option than ECC because ECC would need more computational effort to undergo such a task [14]. This adds another characteristic to the notion of "cryptographic efficiency", which is that it must be "less computationally intensive". As such, in order to design a state-of-the-art public key mechanism, the above two characteristics must be adhered to apart from other well known security issues.

In 1998 the cryptographic scheme known as NTRU was proposed with better "cryptographic efficiency" relative to RSA and ECC [9], [10]. Much effort has been made to push NTRU to the forefront [8]. The cryptographic scheme in this paper is based on what is defined as the Diophantine Equation Hard Problem (DEHP). Depending on the parameters $(V, W)$, the Diophantine equation $U = Vx + Wy$ could either be a linear or non-linear equation. The authors propose that the DEHP as outlined in this paper is also another hard mathematical problem that has secure cryptographic qualities coupled with the above described "cryptographic efficiency" qualities. On another note, it is not the intention of the authors to go into "provable" security concepts in this initial stage. The immediate objective is to be able to set up a mathematical concept that exhibits one-way characteristic functionality and differs from conventional "one-way" mathematical concepts. The reason? For better "cryptographic efficiency".

The layout of this paper is as follows. In Section 2, the DEHP will be described. The mechanism of the AA -cryptosystem will be detailed in Section 3. In Section 4 the authors describe the AA -function and the AA -matrices - an efficient mechanism to construct the integers for the cryptosystem (i.e. an alternative way of evaluating the AA -function as described by Blackburn [3]). It has to be noted that the idea of designing the AA -function was motivated by the piecewise function designed by Bose [1], [4]. An example will also be presented in this section. Section 5 discusses the security features of this cryptosystem. In Section 6 lattice based attacks on the scheme are discussed. Section 7 is devoted to discussing the consequences of improper design utilizing the DEHP. Finally, we conclude the paper by comparing "cryptographic efficiency" characteristics against RSA, ECC and NTRU schemes in Section 8.

Fundamental Research Grant Scheme #5523934, Ministry of Higher Education, MALAYSIA.

2 The Diophantine equation hard problem (DEHP)

The DEHP is based upon the linear Diophantine equation which is of the form $U = \sum_{i=1}^{n} V_i x_i$. The following definitions would give a precise idea regarding the DEHP.

Definition 2.1. Let $U = \sum_{i=1}^{n} V_i x_i$ where the integers $U$ and $\{V_i\}_{i=1}^{n}$ are known. We define the sequence of integers $\{x_i\}_{i=1}^{n}$ as the preferred integers used to obtain $U$. The sequence $\{x_i\}_{i=1}^{n}$ are particular elements from the set of solutions of $U = \sum_{i=1}^{n} V_i x_i$ that contains infinitely many elements. The problem to determine the sequence $\{x_i\}_{i=1}^{n}$ is known as the DEHP.

Definition 2.2. From Definition 2.1, for $n = 2$, $V_1 = 1$ and $V_2 = 1$ the DEHP is known as the AA -DEHP-1.

Definition 2.3. The Diophantine equation given by $U = \sum_{i=1}^{n} V_i x_i$ is defined to be prf-solved when the sequence of integers $\{x_i\}_{i=1}^{n}$ are found in order to obtain $U$. The DEHP or the AA -DEHP-1 is solved when $U$ is prf-solved.

DEHP, Integer Factorization and the AA Public Key Cryptosystem

Example 2.4. Let $x_1 = 6143959510671614040$, $x_2 = 6143959507200090613$ be the preferred solutions for the equation $12287919017871704653 = x_1 + x_2$ where $x_1$ and $x_2$ are 2n-bits long (i.e. in this example $n = 32$). An attacker would be faced with the AA -DEHP-1 in determining the preferred integer $x_1 = t$ in order to determine the remaining preferred integer $x_2 = 12287919017871704653 - t$ that form the prf-solution set for the above Diophantine equation. Since it is known that $x_1$ is 64-bits long, the possible values of $t$ reside within the interval $(2^{63}, 2^{64} - 1)$. In other words, there are $2^{64}$ possible values that $x_1$ might be.

3 The AA -Cryptosystem

We will now define parameters needed for the renewed AA -cryptosystem. The communication model is between two parties A (Along) and B (Busu).

Definition 3.1. Let p and q be two secret prime numbers of n-bit length. Along's public keys are given by

$$e_{A1} = pq \tag{3.1}$$

and $e_{A2}$ where

$$e_{A2} \equiv v \pmod{p} \tag{3.2}$$

and v is 0.8125n-bits long.

Definition 3.2. Along's private key is given by

$$d_{A1} = p \tag{3.3}$$
$$d_{A2} = v \tag{3.4}$$

Definition 3.3. Busu will generate two ephemeral session keys: $k_1$ and $k_2$. The keys $k_1$ and $k_2$ are $(\frac{n}{6})$-bits long.

Definition 3.4. The message that Busu will relay to Along is a $(\frac{4n}{5})$-bit integer m.

Definition 3.5. Busu will produce the following ciphertext:

$$C = k_1 e_{A1} + k_2 e_{A2} + m \tag{3.5}$$

Proposition 3.6. $(C \pmod{d_{A1}}) \pmod{d_{A2}} = m$.

Proof. We begin with:

$$C \pmod{d_{A1}} = k_2 v + m \tag{3.6}$$

because $e_{A2} \equiv v \pmod{d_{A1}}$, $k_2 v < d_{A1}$ and $k_2 v + m < d_{A1}$. Then,

$$(k_2 v + m) \pmod{d_{A2}} = m \tag{3.7}$$

because $m < d_{A2}$. □

3.1 The AA - public key cryptography scheme

We will now discuss the AA -cryptosystem. It is as follows: the scenario is that Busu will send an encrypted message to Along. Along will provide Busu with his public key pair $e_{A1}$ and $e_{A2}$. Busu intends to send the integer plaintext $P = m$ as in Definition 3.4. Busu will then proceed to generate the ciphertext C. Then Busu transmits the ciphertext C to Along. Upon receiving the ciphertext from Busu, Along, by Proposition 3.6, can retrieve the integer plaintext $P = m$.

3.2 Example

We will now provide a clear numerical illustration of the AA -cryptosystem for n = 32-bits. Along will generate the following secret keys: $p = 3471523427$, $q = 3539633039$ and $v = 66857602$. Along's public keys are $e_{A1} = 12287919017871704653$ and $e_{A2} = 11257420096542527645$. Along's private keys are $d_{A1} = 3471523427$ and $d_{A2} = 66857602$. In the meantime Busu will generate $k_1 = 33$ and $k_2 = 32$. The message is $M = 39152991$. The ciphertext generated by Busu is $C = 765738770679166291180$. Finally, $(C \pmod{d_{A1}}) \pmod{d_{A2}} = 39152991$.
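The numbers above can be checked mechanically. The following is an added example, not the authors' code: it implements (3.5) and Proposition 3.6 on the page's n = 32 values, tests the size conditions the proof relies on, and shows decryption failing when they are violated. Function names and the oversized `bad_k2` value are this example's own.

```python
# Added example (not the authors' code): the scheme of Definitions 3.1-3.5
# run on the page's n = 32 numbers. Function names are this example's own.

P, Q, V = 3471523427, 3539633039, 66857602      # private: p, q, v
E_A1 = 12287919017871704653                     # public e_A1 = p*q
E_A2 = 11257420096542527645                     # public e_A2, congruent to v mod p
K1, K2 = 33, 32                                 # Busu's ephemeral keys
M = 39152991                                    # plaintext
C_PAGE = 765738770679166291180                  # ciphertext printed on the page


def keys_consistent(p, q, v, e_a1, e_a2):
    """Relations (3.1) and (3.2) between private and public keys."""
    return e_a1 == p * q and e_a2 % p == v


def encrypt(m, k1, k2, e_a1, e_a2):
    """Equation (3.5): multiplications and additions only, no modular reduction."""
    return k1 * e_a1 + k2 * e_a2 + m


def decrypt(c, d_a1, d_a2):
    """Proposition 3.6: (C mod d_A1) mod d_A2."""
    return (c % d_a1) % d_a2


def proof_conditions_hold(m, k2, d_a1, d_a2):
    """Size conditions the proof relies on: k2*v + m < d_A1 and m < d_A2."""
    return k2 * d_a2 + m < d_a1 and m < d_a2


def expansion(m, c):
    """Ciphertext bits per plaintext bit for one message."""
    return c.bit_length() / m.bit_length()


def demo():
    c = encrypt(M, K1, K2, E_A1, E_A2)
    # An oversized k2 (constructed value) breaks k2*v + m < p, so the first
    # reduction wraps around p and the second no longer returns m.
    bad_k2 = 60
    c_bad = encrypt(M, K1, bad_k2, E_A1, E_A2)
    return {
        "ciphertext": c,
        "recovered": decrypt(c, P, V),
        "expansion": round(expansion(M, c), 1),
        "bad_k2_ok": proof_conditions_hold(M, bad_k2, P, V),
        "bad_k2_recovered": decrypt(c_bad, P, V),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Correct decryption depends entirely on the parameter sizes fixed in Definitions 3.1 to 3.4, so an implementation should reject ephemeral keys or messages that exceed them before encrypting.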

4 Suggested integer generator

In this section we suggest a method to produce the integers needed by Busu by generating matrices (i.e. matrices will be generated and integers needed for the scheme will be collected from within the matrices). The method is independent of the scheme as discussed in Section 3. Historically, the predecessor of the current AA -cryptosystem is based upon the AA -function which was first introduced by Ariffin and Abu in 2009 [1]. It was cryptanalyzed by Blackburn in 2010 [3]. In this work we incorporate the AA -matrices that were introduced by Blackburn in his cryptanalysis. It has to be mentioned that the success of the attack was not due to the AA -function but was due to weaknesses in the design of the public key. An attempt to strengthen against the attack was disclosed by Ariffin et al. in 2010 [2]. However, it was not successful. We state here the definition of the AA -function together with other definitions in relation to it.

4.1 The AA -function

Definition 4.1. The set of binary strings with a length of k bits is defined by $S^k = \{ s = \{b_i\}_{i=0}^{k-1} : b_i \in \{0, 1\} \}$ where $k \in \mathbb{Z}^+$.

Definition 4.2. Let , Z+ where < and both are of length k-bits. The AA function is defined as
AAs (xi ) =

(xi1 + xi ) , if bi = 0 (xi1 + xi ) , if bi = 1

where $i = 0, 1, 2, \ldots, k-1$, $x_{-1} = 0$, $x_0 \in \mathbb{Z}^+$ and $s \in S^k$.

Definition 4.3. Let $s, d_A, d_B \in S^k$. The symbolic representation value is defined as the integer $m = AA_s(1)$ which is computed via Definition 4.2. We will denote $m_A = AA_{d_A}(1)$ and $m_B = AA_{d_B}(1)$ to be the symbolic representation value of Along and Busu respectively. The value of m is bounded below by the minimum value of $m_{min} = AA_s(1)$ where $s = \{1, 0, 0, \ldots, 0\}$ and bounded above by the maximum value of $m_{max} = AA_s(1)$ where $s = \{1, 1, 1, \ldots, 1\}$. The following table depicts the symbolic representation of a 4-bit key and its value for selected and .

| Binary String | Symbolic Representation Value for = 5 and = 7 |
|---|---|
| 1000 | 107 |
| 1001 | 341 |
| 1010 | 151 |
| 1011 | 649 |
| 1100 | 335 |
| 1101 | 645 |
| 1110 | 607 |
| 1111 | 2549 |

Symbolic Representation: + + 2 + 2 + + + 2 + 2 2 + 2 + 2 + + + 2 + 2 + 3 + + 2 + 2 + 1 + 2 + 2 + 3 + 1 3 + 2 + 2 + 4 + 3 2 + 1

Table 1. Symbolic representation value for 4-bit binary string

The following is a lemma from [1] regarding the symbolic representation value.

Lemma 4.4. Let $s \in S^k$ and AA be a function as defined in Definition 4.2. Let $G = x_0 \in \mathbb{Z}^+$, then $AA_s(G) = AA_s(1) \cdot G = mG$.

4.2 The AA -matrices

In 2010, Blackburn identified another mechanism to construct either the integer $m_A$ or $m_B$ when conducting an attack upon the AA -cryptosystem then. Let the integer matrices (to be known as the AA -matrices) be identified as follows:

A0 = 1 1 0 , A1 = 1 1 0

Correspondent A (Along) and B (Busu) will generate their private strings $d_A, d_B \in S^k$ respectively. Along will compute the integer matrix given by $A = A_{b_{k-1}} A_{b_{k-2}} \cdots A_0$ where the choice of the matrix $A_{b_j}$ to be utilized depends on the binary element. If the binary element is 0 choose $A_0$, otherwise choose $A_1$. The integer $m_A$ is the top left entry of the resulting matrix. Busu will also compute his $m_B$ in the same manner (Busu's resultant integer matrix will be denoted as B). Observe that, differing from the work by Ariffin and Abu in 2009, instead of just utilizing $a_1$ as the private key, we now utilize entries within a matrix. In tandem with the size of each entry in the matrix defined earlier, only the first n-bits of the integer entry of the matrix generated by the AA -matrix will be utilized.

5 The Underlying Security Principle

We will now observe the underlying security principles that the AA -cryptosystem is based upon.

5.1 The AA -DEHP-1

Determine the preferred integers (v, , p) such that eA2 = v + p.

5.2 The AA -DEHP-2

Determine the preferred integer either $k_1$ or $k_2$ such that $m = C - k_1 e_{A1} \pmod{e_{A2}}$ or $m = C - k_2 e_{A2} \pmod{e_{A1}}$.

5.3 The integer factorization problem

Let p and q be two large primes. From $e_{A1} = pq$ obtain $d_{A1} = p$.

Remark 5.1. The ability to prf-solve the AA -DEHP-1 would result in the ability to derive $d_{A1} = p$, hence being able to factor the product of primes in $e_{A1}$. This is also true vice-versa.

Remark 5.2. From $e_{A2} \equiv v \pmod{p}$, the private key $d_{A2} = v$ is secure as long as p is intractable from $e_{A1} = pq$.

6 Lattice based attacks

In this section we put forward two possible attacks via lattices and show why such attacks will not yield any information detrimental to the scheme.

6.1 Attack with Coppersmith method in the univariate case

We will reproduce Coppersmith's theorem for the benefit of the reader.

Theorem 6.1. (Coppersmith) Let N be an integer of unknown factorization, which has a divisor b N . Furthermore, let f (x) be a univariate, monic polynomial of degree . Then we can find all solutions x0 for the equation f 0 (mod b) with | x0 | 1 2 N 2 in polynomial time in (log N, , 1 ).

Case 1. We begin by observing $e_{A1} = pq$ where p and q are of equal length. Suppose p is a prime integer that satisfies p > (pq ) . It is clear that = 1 2 . Let us now observe the polynomials $x - e_{A2}$ and $e_{A1} = pq$ which have a small common root v modulo p. By the polynomial $f_p(x) = x^2 - e_{A2} x + (pq)$ we have the parameter = 2. The parameter 1 2 N 2 is an $(\frac{n}{4})$-bit integer while the parameter v is a 0.8125n-bit integer. Thus, the bound is much smaller than the root.

Case 2. A more efficient method would be just to observe the polynomial $f_p(x) = x - e_{A2}$. Hence, = 1. The parameter 1 2 N 2 is an $(\frac{n}{2})$-bit integer while the parameter v is a 0.8125n-bit integer. Thus, the bound is still much smaller than the root.

As a result, any attack through Coppersmith's theorem as mentioned above would not be successful.

6.2 Gaussian heuristic

We will look at the lattice L spanned by $(1, 0, e_{A1})$, $(0, 1, e_{A2})$, $(0, 0, C)$. Observe that the vector $V = (k_1, k_2, m)$ is in L. If V is short, then the LLL algorithm will be able to detect V. This is critical since, in the vector $V = (k_1, k_2, m)$, the length of m is dominant when compared to $k_1$ and $k_2$, hence the length of V is approximately m. Now let us check whether V is really short or not. The Gaussian heuristic for the lattice L is given by:

(L) = 3 )C 1/3 2e (6.1)

One can see that (L) is approximately $(\frac{2n}{3})$-bits, while the length of the vector V is $(\frac{4n}{5})$-bits. The Gaussian heuristic is much smaller than the length of the vector V. Thus, the vector V is not considered to be short and cannot be detected by the LLL algorithm.

7 Improper design via the DEHP

It is important to note that an improper design of an asymmetric cryptosystem via the DEHP would lead to successful passive adversary attacks. To illustrate this fact, we will produce the following two examples.

7.1 A key exchange mechanism based on the DEHP

Let Along and Busu utilize private 2 × 2 non-singular matrices A and B respectively. A base generator G will be made public. It is a 2 × 2 singular matrix. The parameters $E_A = AG$ and $E_B = GB$ will be exchanged between Along and Busu. Then Along will compute $E_{AB} = [A]E_B$, while Busu will compute $E_{BA} = E_A[B]$. Now both parties have the same key (i.e. key exchange). If the assumption is that the attacker has to obtain either A or B from either $E_A$ or $E_B$ this would be the DEHP, since G is singular. However, an attacker could still compute $A' \neq A$ but $A'G = AG$ and as a result is able to compute $A'E_B = E_{AB}$, thus rendering the scheme insecure. The following is a numerical example.

Example 7.1. Let

$$G = \begin{pmatrix} 1 & 2 \\ 2 & 4 \end{pmatrix}, \quad A = \begin{pmatrix} 2 & 3 \\ 4 & 5 \end{pmatrix}, \quad B = \begin{pmatrix} 7 & 8 \\ 9 & 10 \end{pmatrix}$$

Along will generate

$$E_A = \begin{pmatrix} 7 & 14 \\ 14 & 28 \end{pmatrix}$$

and Busu will generate

$$E_B = \begin{pmatrix} 25 & 28 \\ 50 & 56 \end{pmatrix}$$

The shared key computed by both parties is

$$AGB = \begin{pmatrix} 175 & 196 \\ 350 & 392 \end{pmatrix}$$

An attacker intercepting $E_A$ could construct the matrix

$$A' = \begin{pmatrix} 7 & 0 \\ 14 & 0 \end{pmatrix}$$

It could be observed that $AGB = A'GB$. Hence, a passive adversary attack has been successfully executed.
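The reason the singular generator gives no protection can be checked on the public values of Example 7.1 alone. The following is an added example, not the authors' code: it builds an equivalent left factor from $G$ and $E_A$ by exploiting the rank-1 structure of $G$ and compares the result with the key Busu derives. Function names are this example's own, and it generalizes slightly beyond the page's single instance to any singular, non-zero 2 × 2 integer generator.

```python
# Added example (not the authors' code): recovering the Section 7.1 shared key
# from public values only. Function names are this example's own.
from fractions import Fraction

# Public values from the page's Example 7.1.
G = [[1, 2], [2, 4]]
E_A = [[7, 14], [14, 28]]
E_B = [[25, 28], [50, 56]]
# Busu's private matrix from the page, used here only to cross-check the result.
B = [[7, 8], [9, 10]]


def matmul(x, y):
    """2x2 matrix product."""
    return [[sum(x[i][k] * y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def det2(x):
    """Determinant of a 2x2 matrix."""
    return x[0][0] * x[1][1] - x[0][1] * x[1][0]


def equivalent_left_key(g, e_a):
    """Return one matrix A' with A'g == e_a for a singular, non-zero 2x2 g.

    A singular non-zero g has rank 1, so each row of e_a = A*g is a multiple
    t_i of a single non-zero row r of g. Putting t_i in column r of A' and 0
    elsewhere reproduces e_a without knowing A.
    """
    if det2(g) != 0:
        raise ValueError("g is non-singular")
    if not any(any(row) for row in g):
        raise ValueError("g is the zero matrix")
    r = 0 if any(g[0]) else 1            # a non-zero row of g
    c = 0 if g[r][0] != 0 else 1         # a non-zero entry in that row
    a_prime = [[Fraction(0), Fraction(0)], [Fraction(0), Fraction(0)]]
    for i in range(2):
        t = Fraction(e_a[i][c], g[r][c])
        if any(t * g[r][j] != e_a[i][j] for j in range(2)):
            raise ValueError("e_a is not of the form A*g")
        a_prime[i][r] = t
    return a_prime


def passive_shared_key(g, e_a, e_b):
    """A'E_B = A'GB = E_A B, which is the key both parties derive."""
    return matmul(equivalent_left_key(g, e_a), e_b)


if __name__ == "__main__":
    print(equivalent_left_key(G, E_A))
    print(passive_shared_key(G, E_A, E_B))
```

Because every solution of $A'G = E_A$ yields the same product $A'E_B$, having many candidate private keys is no obstacle here; a sound design needs the secret to be determined by the choice of solution, as the DEHP definitions in Section 2 require.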

7.2 Improper integer size

Observe the equation given by

$$e_A = a_1 + a_2 g_1 \tag{7.1}$$

where $e_A$ and $g_1$ are public parameters. Let $g_1$ be of length 2n-bits, while the private parameters $a_1$ and $a_2$ are n-bits long. Because of this improper choice of size, one can obtain

$$a_2 = \left\lfloor \frac{e_A}{g_1} \right\rfloor \tag{7.2}$$

8 Conclusion

The AA -cryptosystem has the capacity to become a novel public key cryptosystem whose hard mathematical problem is based upon the difficulty of the DEHP and the integer factorization problem of two large primes. In comparison, the RSA is based on the e-th root problem together with the integer factorization problem of two large primes. The minimum key length for optimum security should be set to n = 512-bits. On another note, it is known that the implementation of RSA and ECC is $O(n^3)$ operations where n is the length of the message block while the NTRU algorithm has similar speed of $O(n^2)$ [5], [8], [10], [17]. Another scope to be observed is the expansion of the plaintext after encryption. Due to the absence of modular reduction within the AA -cryptosystem, plaintext expansion after encryption is obvious. However, by carefully selected parameters, the expanded plaintext is constant. Expansion is 1:2.7. We now sum up in the following table of comparison.

| Algorithm | Encryption Speed | Decryption Speed | Expansion |
|---|---|---|---|
| RSA | $O(n^3)$ | $O(n^3)$ | 1 - 1 |
| ECC | $O(n^3)$ | $O(n^3)$ | 1 - 2 (2 parameter ciphertext) |
| NTRU | $O(n^2)$ | $O(n^2)$ | Varies (See [10]) |
| AA | $O(n^2)$ | $O(n^2)$ | 1 - 2.7 |

Table 2. Encryption / decryption speed and message expansion table for message block of length n

One can also note another advantage. That is, since encrypt and decrypt procedures are the basic arithmetic operation of multiplication, the scheme could encrypt messages of large block size with ease. As a result this algorithm is advantageous relative to RSA or ECC (because of better speed) and ECC (because of less computational effort to encrypt/decrypt messages of large block size).

Acknowledgments. The authors would like to thank Yanbin Pan of Key Laboratory of Mathematics Mechanization Academy of Mathematics and Systems Science, Chinese Academy of Sciences Beijing, China and Gu Chunsheng of School of Computer Engineering, Jiangsu Teachers University of Technology, Jiangsu Province, China for valuable comments and discussion.

References

[1] M. R. K. Ariffin and N. A. Abu, AA -cryptosystem: A chaos based public key cryptosystem, Int. Jour. Cryptology Research. vol. 1, no. 2 (2009), 149–163.
[2] M. R. K. Ariffin, N. A. Abu and A. Mandangan, Strengthening the AA -cryptosystem, Proc. Second International Cryptology Conference 2010. (2010), 16–26.
[3] S. R. Blackburn, The Discrete Log Problem Modulo 1: Cryptanalyzing the Ariffin - Abu cryptosystem, J. Mathematical Cryptology, vol. 4, no. 2, (2010), 193–198.
[4] R. Bose, Novel Public Key Encryption Techniques Based on Multiple Chaotic Systems, Physical Review Letters. vol. 95, issue 9 (2005), id. 098702.
[5] A. E. Cohen and K. K. Parhi, Implementation of Scalable Elliptic Curve Cryptosystem Crypto-Accelerators for GF($2^m$), Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers 1. (2004), 471–477.
[6] W. Diffie and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory. vol. 22, no. 26 (1976), 644–654.
[7] J. Hoffstein, J. Pipher and J. H. Silverman, An Introduction to Mathematical Cryptography. New York: Springer. (2008), 352–358.
[8] J. Hermans et al., Speed Records for NTRU, CT-RSA 2010, LNCS 5985. (2010), 73–88.
[9] J. Hoffstein, J. Pipher, J. H. Silverman, NTRU: A Ring Based Public Key Cryptosystem, in Algorithmic Number Theory (ANTS III), Lecture Notes in Computer Science 1423, Springer-Verlag, Berlin. (1998), 267–288.
[10] J. A. Hoffstein, D. Lieman, J. Pipher, J. H. Silverman, NTRU: Public Key Cryptosystem. (1999) [Online]. Available: http://grouper.ieee.org/groups/1363/lattPK/submissions/ntru.pdf
[11] N. Koblitz, Elliptic Curve Cryptosystems, Math. Comp. vol. 48, no. 177 (1987), 203–209.
[12] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Commun. ACM. vol. 21, issue 2 (1978), 120–126.
[13] B. Schneier, Key length, in Applied Cryptography. New York: John Wiley & Sons. (1996), 151–168.
[14] M. Scott, When RSA is better than ECC. (2008, November 15) [Online]. Available: http://www.derkeiler.com/Newsgroups/sci.crypt/2008-11/msg00276.html
[15] S. S. Wagstaff, Cryptanalysis of Number Theoretic Ciphers, Divisibility and Arithmetic. (2003), 27–42.
[16] S. Vanstone, ECC holds key to next generation cryptography. (2006, March 18) [Online]. Available: http://www.design-reuse.com/articles/7409/ecc-hold-key-to-next-gen-cryptography.html
[17] J. Wolkerstorfer and W. Bauer, A PCI-Card for Accelerating Elliptic Curve Cryptography, Proceedings of Austrochip 2002, Graz, Austria, October 4, (2002).

Received xxx; revised xxx

Author information

M.R.K. Ariffin, Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia. Email: rezal@math.upm.edu.my

M.A. Asbullah, Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia. Email: ma_asyraf@putra.upm.edu.my

N.A. Abu, Department of Computer Systems and Communications, Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia. Email: nura@utem.edu.my
