A public key cryptosystem based on diophantine equations of degree increasing type

In this paper we propose a new public key cryptosystem based on diophantine equations which we call of degree increasing type. We use an analogous method to the “Algebraic Surface Cryptosystem” (ASC) proposed by Akiyama, Goto and Miyake. There are two main differences between our cryptosystem and ASC. One of them is to twist a plaintext by using some modular arithmetic to increase the number of candidates of the plaintext in order to complicate finding the correct plaintext. Another difference is to use a polynomial of degree increasing type to recover the plaintext uniquely even if the plaintext was twisted. Although we have not been able to give a security proof, we give some discussions on how secure our cryptosystem is against known attacks including the ideal decomposition attack, which can break the one-wayness of ASC.

After Diffie and Hellman proposed the concept of public key cryptography [11], the theory of cryptography has been developed rapidly and has contributed to the security of networks. This cryptosystem is based on computationally hard problems, for example factorization of large integers and computation of discrete logarithm in large finite groups. The most famous public key cryptosystems are the RSA cryptosystem [27] and elliptic curve cryptosystem [17,22]. Although these cryptosystems have been studied by many researchers, efficient attacks have not been found in general. However, Shor showed that factorization of integers and computation of discrete logarithm are done efficiently by using quantum computers [28]. So it is important to find new computationally hard problems which are intractable even with quantum computers and can be used to construct cryptosystems. We expect that the diophantine problem is one of such problems. This problem is to find integral or rational solutions of a given multivariate polynomial with integer coefficients. Despite many researchers’ endeavor (see e.g. [14]), this problem is usually a very difficult problem. Moreover Matijasevič showed that there is no general method which determines the solvability of an arbitrary diophantine equation [10]. On the other hand, for any integers a ₁,a ₂,⋯,a _n , it is easy to find a polynomial \(X(x_{1},\cdots,x_{n}) \in \mathbb {Z}[x_{1},\cdots,x_{n}]\) with X(a ₁,a ₂,⋯,a _n )=0 (see section 3.4.1). So we can expect that diophantine equations can be used to construct a new public key cryptosystems. Indeed some cryptosystems based on this problem have already been proposed [15,19,34]. But the one-wayness of the cryptosystem proposed in [19] was broken [9]. On the other hand, cryptosystems in [15,34] are interesting in theory, but these cryptosystems can be used only a few times with the same key ([15], Proposition 2).

We can also consider the diophantine problem over global function fields. This problem is also hard and it is proved that there is no general method which determines the solvability of an arbitrary diophantine equation [25]. The Algebraic Surface Cryptosystem (ASC) proposed in [1] is based on the hardness of the section finding problem (SFP) which can be viewed as a diophantine problem over \(\mathbb {F}_{p}[t]\) (or \(\mathbb {F}_{p}(t)\)). More precisely, let p be a prime number and \(X(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) a polynomial which defines a surface S with a fibration \(S \rightarrow \mathbb {A}_{\mathbb {F}_{p}}^{1}\) over the affine t-line. The SFP is to find \(u_{x}(t), u_{y}(t) \in \mathbb {F}_{p}[t]\) such that X(u _x (t),u _y (t),t)=0.

In number theory, there are many analogous problems between number fields and function fields. There are many cases where problems over function fields have been solved while the corresponding problems have hardly been solved. For example, there is an algorithm to factorize elements of \(\mathbb {F}_{p}[t]\) in probabilistic polynomial time [2,7], while the best known algorithm (the general number field sieve) for fuctorization in \(\mathbb {Z}\) takes subexponential time \(O\left (e^{(c+o(1))(\log N)^{\frac {1}{3}}(\log \log N)^{\frac {2}{3}}}\right)\), where \(c = \left (\frac {9}{64}\right)^{\frac {1}{3}}\) and N is an integer which we want to factorize [18]. The Riemann Hypothesis for function fields was proved by André Weil [33], while the Riemann Hypothesis for \(\mathbb {Z}\) still seems far beyond our reach. The abc conjecture for function fields (the Mason-Stothers Theorem) was proved in [21,29], while a proof of the abc conjecture for \(\mathbb {Z}\) was announced just a few years ago by Shinichi Mochizuki [23].

In this paper we consider diophantine equations of degree increasing type (see Definition 3.1) over integers and propose a new public key cryptosystem whose security relies on the hardness to find a rational solution to them. In our cryptosystem we use a polynomial \(X(x_{1},\cdots,x_{n}) \in \mathbb {Z}[x_{1},\cdots,x_{n}]\) and integers \(d,e \in \mathbb {Z}\) satisfying certain conditions as public keys and integers a ₁,⋯,a _n satisfying \(X\left (\frac {a_{1}}{d},\cdots,\frac {a_{n}}{d}\right) = 0\) as secret keys. Our method is to mix a plaintext (this is a polynomial) with other polynomials and cover the mixed polynomial with public key. To recover the plaintext we use secret keys and some modular arithmetic. This method is analogous to ASC except for using modular arithmetic. Although the one-wayness of ASC was broken by the ideal decomposition attack [12], our analysis (section 4) shows that our cryptosystem has resistance against some possible attacks including the ideal decomposition attack. However, we have not been able to give a security proof of it. Finally, we estimate the size of keys of our cryptosystem. This paper aims to design a scheme with 128 bit-security level. Our estimation shows that if we use integers d, e and a diophantine equation with n variables and total degree w as the public key, then the size of the secret key is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1\right)n + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \) bits and the size of the public key is at most \(\vspace *{1pt} \left (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w + 65 + \lceil \log _{2}e \rceil \) bits. We also estimate the size of ciphertexts to be at most \(\frac {3}{2}(w^{2}+w)(129+130w + \lceil \log _{2} w \rceil) + 129+65(w-1)\) bits.

This paper is organized as follows: In section 2 we give a brief review of ASC and known attacks against it. In section 3 we describe our cryptosystem including some remarks on it and give a method to construct a diophantine equation of degree increasing type with a given solution. In section 4 we analyze its security against some possible attacks. In section 5 we estimate the size of keys and ciphertexts under some assumptions. In section 6 we give some examples of the size of keys and ciphertexts together with the time which it took to encrypt and decrypt.

In this section we give a brief review of ASC and known attacks against it (for details, see [1]). Let p be a prime number. The ASC makes use of a section to a fibration of an algebraic surface to the afine line over \(\mathbb {F}_{p}\).

2.1 Notation

Let p be a prime number and \(\mathbb {F}_{p}\) a finite field with p elements. For a polynomial \(g = \sum _{i,j}g_{{ij}}(t)x^{i}y^{j} = \sum _{i,j,k}g_{{ijk}}x^{i}y^{j}t^{k} \in \mathbb {F}_{p}[x,y,t]\) we define

For two subsets Λ ₁, \(\Lambda _{2} \subset (\mathbb {Z}_{\geq 0})^{2}\) we define

This means that if \(\Lambda _{i}^{(p)} = \Lambda _{f_{i}}^{(p)}\) for some \(f_{i} \in \mathbb {F}_{p}[x,y,t]\), then \(\Lambda _{1}\Lambda _{2} = \Lambda _{f_{1}f_{2}}^{(p)}\). For each ideal \(J = (f_{1},\ldots,f_{n}) \subset \mathbb {F}_{p}[x,y,t]\), each polynomial \(g \in \mathbb {F}_{p}[x,y,t]\) and each monomial ordering <, there are polynomials h, \(r \in \mathbb {F}_{p}[x,y,t]\) such that h∈J, g=h+r and that no monomial of r is in the ideal generated by the leading monomials of f _i for i=1,…,n. The r may depend on the choice of a system of generators of J, but is uniquely determined (for a fixed monomial ordering of \(\mathbb {F}_{p}[x,y,t]\)) if we calculate it using a Gröbner basis of J. Then this unique r is called the normal form of g with respect to J and <, and we denote it by N F _J (g) (see [8]).

2.2 Key generation

1. 1.

   Secret key

   Choose two polynomials u _x (t), \(u_{y}(t) \in \mathbb {F}_{p}[t]\) of degree d.

2. 2.

   Public key

   For k=1,2,3, choose finite subsets \(\Lambda _{k}^{(p)} \subset (\mathbb {Z}_{\geq 0})^{2}\) and \(D_{k} = \left \{ d_{{ij}}^{(k)} \mid (i,j) \in \Lambda _{k}^{(p)} \right \} \subset \mathbb {Z}_{\geq 0}\) so that the following holds: (i) \(\Lambda _{2}^{(p)} \subset \Lambda _{1}^{(p)}\Lambda _{3}^{(p)}\). (ii) For any polynomial \(f_{k} = \sum _{(i,j) \in \Lambda _{k}^{(p)}}f_{{ij}}^{(k)}(t)x^{i}y^{j}\in \mathbb {F}_{p}[x,y,t]\) (k=1,2,3) with \(\Lambda _{f_{k}}^{(p)} = \Lambda _{k}^{(p)}\) and \(\deg \, f_{{ij}}^{(k)}(t) = d_{{ij}}^{(k)}\), we have

   $$\begin{array}{@{}rcl@{}} {}\left\{ \begin{array}{ll} \deg_{x}f_{1} < \deg_{x}f_{2} < \deg_{x}f_{3}, \\ \deg_{y}f_{1} < \deg_{y}f_{2} < \deg_{y}f_{3}, \\ \deg_{t}f_{1} < \deg_{t}f_{2} < \deg_{t}f_{3}, \\ (\deg_{x}f_{2}, \deg_{y}f_{2}, \deg_{t}f_{2}) \in \Gamma_{f_{2}}^{(p)}, \\ (\deg_{x}f_{3}, \deg_{y}f_{3}, \deg_{t}f_{3}) \in \Gamma_{f_{3}}^{(p)}. \end{array} \right. \end{array} $$

   (1)

   Construct an \(X(x,y,t) = \sum _{(i,j) \in \Lambda _{1}^{(p)}}c_{{ij}}(t)x^{i}y^{j} \in \mathbb {F}_{p}[x,y,t]\) such that X(u _x (t),u _y (t),t)=0, \(\deg c_{{ij}}(t)= d_{{ij}}^{(1)}\) and c _{i j} (t)≠0 for \((i,j) \in \Lambda _{1}^{(p)}\). In section 2.5 we give a method to construct such a polynomial. For i=1,2,3, make X, \(\Lambda _{i}^{(p)}\) and D _i public.

2.3 Encryption

Assume that the sender wants to send a polynomial \(m(x,y,t) = \sum _{(i,j) \in \Lambda _{2}^{(p)}}m_{{ij}}(t)x^{i}y^{j} \in \mathbb {F}_{p}[x,y,t]\) with \(\deg m_{{ij}}(t) = d_{{ij}}^{(2)}\) for \((i,j) \in \Lambda _{2}^{(p)}\).

1. 1.

   For k=1,2, choose random polynomials in \(\mathbb {F}_{p}[x,y,t]\):

   $$\begin{array}{@{}rcl@{}} s_{k} &=& \sum_{(i,j) \in \Lambda_{1}^{(p)}}s_{{ij}}^{(k)}(t)x^{i}y^{j}, \\ r_{k} &=& \sum_{(i,j) \in \Lambda_{3}^{(p)}}r_{{ij}}^{(k)}(t)x^{i}y^{j}, \\ f &=& \sum_{(i,j) \in \Lambda_{3}^{(p)}}f_{{ij}}(t)x^{i}y^{j}, \end{array} $$

   such that \(\deg s_{{ij}}^{(k)}(t) = d_{{ij}}^{(1)}\) and \(\deg r_{{ij}}^{(k)}(t)=\deg f_{{ij}}(t) = d_{{ij}}^{(3)}\). Note that from (1), we have

   $$\begin{array}{@{}rcl@{}} \left\{ \begin{array}{ll} \deg_{x}X < \deg_{x}m < \deg_{x}f, \\ \deg_{y}X < \deg_{y}m < \deg_{y}f, \\ \deg_{t}X < \deg_{t}m < \deg_{t}f, \\ (\deg_{x}m, \deg_{y}m, \deg_{t}m) \in \Gamma_{m}^{(p)}, \\ (\deg_{x}f, \deg_{y}f, \deg_{t}f) \in \Gamma_{f}^{(p)}. \end{array} \right. \end{array} $$

   (2)
2. 2.

   Put F _i :=m+s _i f+r _i X for i=1,2, and send (F ₁,F ₂).

2.4 Decryption

1. 1.

   For i=1,2, compute

   $$\begin{array}{@{}rcl@{}} h_{i}(t) &:=& F_{i}(u_{x}(t), u_{y}(t), t) \\ &=&m(u_{x}(t), u_{y}(t), t) \\ && + s_{i}(u_{x}(t), u_{y}(t), t)f(u_{x}(t), u_{y}(t), t). \end{array} $$
2. 2.

   Factorize h ₁−h ₂ and find a factor h ₃ of it whose degree is equal to degf(u _x (t),u _y (t),t). Note that from (2), we have

   $$\deg f(u_{x}(t), u_{y}(t), t) = \deg h_{3} > \deg m(u_{x}(t), u_{y}(t), t). $$
3. 3.

   Compute h ₄(t):=h ₁(t) (mod h ₃(t)). Note that if h ₃ divides s ₁(u _x (t),u _y (t),t)f(u _x (t),u _y (t),t), then h ₄=m(u _x (t),u _y (t),t).

4. 4.

   Extract m(x,y,t) from h ₄ by solving the following linear equation

   $$h_{4} = \sum_{(i,j,k) \in \Gamma_{m}^{(p)}}m_{{ijk}}{u_{x}^{i}}{u_{y}^{j}}t^{k}, $$

   in variables m _{i j k} for \((i, j, k) \in \Gamma _{m}^{(p)}\), and put

   $$m^{\prime}(x,y,t) := \sum_{(i, j, k) \in \Gamma_{m}^{(p)}}m_{{ijk}}x^{i}y^{j}t^{k}. $$
5. 5.

   We can verify whether m ^′=m or not by a MAC (message authentication code) of m. If the verification fails, then go back to step 2 and choose another factor of h ₁−h ₂.

2.5 Construction of X(x,y,t)

We describe a method to construct a polynomial \(X(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) such that X(u _x (t),u _y (t),t)=0 for given polynomials u _x (t), \(u_{y}(t) \in \mathbb {F}_{p}[t]\).

1. 1.

   Choose a finite subset \((0, 0) \in \Lambda ^{(p)} \subset (\mathbb {Z}_{\geq 0})^{2}\) and \(D := \{(d_{{ij}} \mid (i,j) \in \Lambda ^{(p)} \} \subset \mathbb {Z}_{\geq 0}\).

2. 2.

   Choose random non-zero polynomials c _{i j} (t) of degree d _{i j} for \((i,j) \in \Lambda ^{(p)} \smallsetminus \{ (0, 0) \}\).

3. 3.

   Compute \(c_{00}(t) := - \sum _{(i,j) \in \Lambda ^{(p)} \smallsetminus \{ (0,0) \}}c_{{ij}}(t){u_{x}^{i}}{u_{y}^{j}}\).

4. 4.

   Define

   $$X := \sum_{(i,j) \in \Lambda^{(p)}}c_{{ij}}(t)x^{i}y^{j}. $$

2.6 Known attacks

We describe four possible attacks against ASC. For more details, see [1], section 5 and [12,24].

2.6.1 Reduction to solving a multivariate equation system

Let

where \(f_{{ijk}}^{\prime }\), \(s_{{ijk}}^{\prime }\), \(r_{{ijk}}^{\prime }\) and \(m_{{ijk}}^{\prime }\) are variables. If one can get f by solving the following quadratic equation system

then one may get m by solving N F _I (m ^′)=0, where \(I = (F_{1}, f, X) \subset \mathbb {F}_{p}[x,y,t]\). In [1], it is pointed out that if \(\# \Gamma _{f}^{(p)} > 50\) and \(\# \Gamma _{s_{1}}^{(p)} > 50\), then finding solutions of this system becomes computationally intractable, even if the \(r_{{ijk}}^{\prime }\)’s are eliminated by substituting rational points of X over a finite extension of \(\mathbb {F}_{p}\).

2.6.2 Reduction attack by Iwami [16]

Since X is made public, one can try to divide F ₁−F ₂ by X to find f in the remainder. But f does not appear in the remainder because of (2). For this attack, see also [31].

2.6.3 Rational point attack by Voloch [32]

Let F(x,y,t):=F ₁−F ₂. Let f ^′(x,y,t) and s ^′(x,y,t) be as in section 2.6.1. Let g(x,y,t):=s ^′(x,y,t)f ^′(x,y,t). We write

where g _{i j k} are polynomials in the coefficients of s ^′ and f ^′ for \((i,j,k) \in \Gamma _{g}^{(p)}\). For a large positive integer L and ℓ=1,…,L, if one can find rational points (x _ℓ ,y _ℓ ,t _ℓ ) on X(x,y,t)=0 over a certain extension field of \(\mathbb {F}_{p}\), then one may be able to get (s ₁−s ₂)f by solving the following linear equation system

Then one can find f by factorization and get m as in section 2.6.1. However, one cannot determine f and m uniquely. If \(g_{0}(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) satisfies (3), then g ₀+r X also satisfies (3) and has the same form as g for any polynomial \(r(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) having the same form as f. In [1], it is pointed out that if \(p^{\# \Gamma _{r}^{(p)}} = p^{\# \Gamma _{f}^{(p)}} > 2^{100}\), then we may avoid this attack.

2.6.4 Ideal decomposition attack

As mentioned above, we can design ASC to avoid the above three attacks. However, in [12] Faugére and Spaenlehauer proposed a new attack called the ideal decomposition attack and claimed that this attack can fully break ASC. The idea of this attack is to reconstruct the ideal I:=(m,f,X) in \(\mathbb {F}_{p}[x,y,t]\) or the ideal J:=(m+z,f,X) in \(\mathbb {F}_{p}(t)[x,y,z]\) or \((\mathbb {F}_{p}[t]/(P(t)))[x,y,z]\) from the data (F ₁,F ₂,X) by using the ideal decomposition \((F_{1} - F_{2}, X) = ((s_{1} - s_{2})f, X) = I_{1} \bigcap I_{2}\) for some ideals I ₁⊃(f,X) and I ₂. Then the following equality holds:

(Note that, essentially, a resultant was used to reconstruct J in [12]). Let m ^′ be as in section 2.6.1. Then one can get m by solving N F _I (m ^′)=0 or N F _J (m ^′+z)=0, where z is a new variable and P is an irreducible polynomial in \(\mathbb {F}_{p}[t]\). There are three versions of this attack called the Level 1, the Level 2 and the Level 3 attack, respectively. The largest difference between these attacks is the polynomial ring under consideration. In the Level 1 attack, the polynomial ring \(\mathbb {F}_{p}[x,y,t]\) is used, and they gave an algorithm to reconstruct the ideal \(I \subset \mathbb {F}_{p}[x,y,t]\). The most time consuming computation in this attack is to compute a Gröbner basis of I to solve N F _I (m ^′)=0. In [12], it is pointed out that the Level 1 attack is not efficient and cannot break ASC for the recommended parameters. In the Level 2 attack, the polynomial ring \(\mathbb {F}_{p}(t)[x,y,z]\) is used. In this case they gave an algorithm (which is similar to the Level 1 attack) to reconstruct the ideal \(J \subset \mathbb {F}_{p}(t)[x,y,z]\). Note that the new variable z is necessary because the ideal (m,f,X) is generically equal to \(\mathbb {F}_{p}(t)[x,y]\) (see [12] section 3.2). The key which accelerates the computation of Gröbner basis is the following observation: the polynomials occuring in ASC have a high degree in t and a low degree in x and y. Thus, it is natural to regard these polynomials as elements of \(\mathbb {F}_{p}(t)[x,y]\) rather than elements of \(\mathbb {F}_{p}[x,y,t]\). To make this attack more practical, in the Level 3 attack a modular arithmetic was used, i.e., the polynomial ring \((\mathbb {F}_{p}[t]/(P(t)))[x,y,z]\) is used for an irreducible polynomial P(t) with degP> degt m. The degree in t of the polynomials appearing in the computation of Gröbner basis is bounded by degP(t) and so using a polynomial P of small degree, for example degP= degt m+1, makes this attack becomes more efficient than the Level 2 attack. Moreover, it is also possible to use a polynomial \(P(t) = \prod _{i}P_{i}(t)\) such that P _i (t)’s are distinct irreducible polynomials and \(\sum _{i} \deg P_{i} > \deg _{t}m\). In this case for each i we compute m (mod P _i ) and get m by the Chinese Remainder Theorem. Since degP _i < degP, we may have more efficient attack by using P having an appropriate number of irreducible factors and degree if degt m is large. Now, we give an algorithm of the Level 3 attack.

1. 1.

   Choose a constant C and an integer n≈ degt(m)· logp/C. Choose n irreducible polynomials P ₁,…,P _n of degree ≈C/ logp such that \(\sum _{1 \leq i \leq n}\deg P_{i} > \deg _{t}m\). Set i=1.

2. 2.

   Let \(K_{i} := \mathbb {F}_{p}[t]/(P_{i})\).

3. 3.

   Let \(F_{k}^{(P_{i})} := F_{k}\phantom {\dot {i}\!}\) (mod P _i ) and \(X^{(P_{i})} := X\phantom {\dot {i}\!}\) (mod P _i ). Compute \(Q(y) := \text {Res}_{x}(F_{1}^{(P_{i})} - F_{2}^{(P_{i})}, X^{(P_{i})}) \in K_{i}[y]\phantom {\dot {i}\!}\), the resultant of \(F_{1}^{(P_{i})} - F_{2}^{(P_{i})}\phantom {\dot {i}\!}\) and \(X^{(P_{i})}\phantom {\dot {i}\!}\) with respect to x.

4. 4.

   Factor Q(y) and let Q ₀(y) be an irreducible factor of highest degree.

5. 5.

   Compute a Gröbner basis of the ideal \(J := (F_{1}^{(P_{i})} + z, F_{2}^{(P_{i})} + z, X^{(P_{i})}, Q_{0}) \subset K_{i}[x,y,z]\phantom {\dot {i}\!}\) with respect to the graded reverse lexicographical ordering.

6. 6.

   Using the above Gröbner basis, solve the following linear equation system over K _i to get \(m^{(P_{i})} := m\phantom {\dot {i}\!}\) (mod P _i )

   $$NF_{J}(m^{\prime} + z) = 0, $$

   where m ^′ is as above. If the system has no solution, then go back to step 4 and choose another factor of Q.

7. 7.

   If i<n, then replace i by i+1 and go back to step 2.

8. 8.

   Recover m from \(m^{(P_{i})}\phantom {\dot {i}\!}\) by using the Chinese Remainder Theorem.

3.1 Notation

We denote by \(\mathbb {Z}[\underline {x}] := \mathbb {Z}[x_{1},\ldots,x_{n}]\) the polynomial ring with n variables. For a vector \(\underline {i} := (i_{1},\ldots,i_{n}) \in (\mathbb {Z}_{\geq 0})^{n}\) we write \(\underline {x}^{\underline {i}} := x_{1}^{i_{1}} \cdots x_{n}^{i_{n}}\) and \(\sum \underline {i} := \sum _{1 \leq j \leq n}i_{j}\). For a finite subset \(\Lambda \subset (\mathbb {Z}_{\geq 0})^{n}\) and a polynomial \(f = \sum _{(i_{1},\ldots,i_{n}) \in \Lambda }f_{i_{1}\cdots i_{n}}x_{1}^{i_{1}}\cdots x_{n}^{i_{n}} = \sum _{\underline {i} \in \Lambda }f_{\underline {i}}\underline {x}^{\underline {i}} \in \mathbb {Z}[\underline {x}]\) we define

We call Λ _f the support of f. For example, for \(f_{1} = 5{x_{1}^{4}}{x_{2}^{2}}x_{3} - 13{x_{1}^{2}}x_{2} + 7x_{3} + 2\) and \(f_{2} = 8{x_{1}^{2}}{x_{2}^{2}}x_{3} - 9x_{1}{x_{2}^{2}} + 6x_{3} -11\), we have

We denote by w _f the total degree of f. Define

For a vector \(\underline {v} := (v_{1},\ldots,v_{n}) \in \mathbb {Q}^{n}\), we denote by \(f({\underline {v}})\) the value of f at \(\underline {v}\). For an integer d, we denote by \(\underline {v}/d\) the vector \(\left (\frac {v_{1}}{d},\ldots,\frac {v_{n}}{d}\right)\). For each ideal \(J \subset \mathbb {Q}[\underline {x}]\), each polynomial \(f \in \mathbb {Q}[\underline {x}]\) and each monomial ordering <, we denote by N F _J (f) a normal form of f with respect to J and <. For a polynomial \(f \in \mathbb {Z}[\underline {x}]\) and an integer m, we denote by \(\overline {f}^{(m)}\) the polynomial f (mod m) \(\in (\mathbb {Z}/m\mathbb {Z})[\underline {x}]\).

3.2 Polynomials of degree increasing type

Before we describe our cryptosystem, we define the following notion which is one of our key ideas to construct our cryptosystem.

Definition 3.1.

Define a map \(\sigma : \mathbb {Z}^{n} \longrightarrow \mathbb {Z}\) by \(\underline {i} \mapsto \sum \underline {i}\). A polynomial \(X \in \mathbb {Z}[\underline {x}]\) is of degree increasing type if \(\sigma |_{\Lambda _{X}}\) is injective. In other words, X is of degree increasing type if and only if for each \(k \in \mathbb {Z}\), X has at most one term of degree k.

Remark 3.2.

We can prove that there is no general algorithm to solve an arbitrary diophantine equation of degree increasing type in \(\mathbb {Z}\). This can be seen as follows: Suppose \(T \in \mathbb {Z}[\underline {x}]\) is an arbitrary polynomial. It is easy to see that by making a change of variables \(x_{i} \mapsto x_{i}^{q_{i}}\) with suitable q _i ’s, we can make \(T\left (x_{1}^{q_{1}},\ldots,x_{n}^{q_{n}}\right)\) of degree increasing type. Thus if there exists an algorithm to solve an arbitrary diophantine equation of degree increasing type, then it can solve an arbitrary diophantine equation, which contradicts Matijasevič’s result [10].

Example 3.3.

If X(x,y):=5x ³ y ²+12x y ²+7x y+6x+5, then X is of degree increasing type.

Let \(X \in \mathbb {Z}[\underline {x}]\) be a polynomial of degree increasing type. Then we can define a total order in Λ _f as follows: for \(\underline {i}_{1}\), \(\underline {i}_{2} \in \Lambda _{f}\), we define \(\underline {i}_{1} \geq \underline {i}_{2}\) if \(\sum \underline {i}_{1} \geq \sum \underline {i}_{2}\). Since Λ _f is finite, there is a maximal element \(\underline {k}\). We call the coefficient of degree \(\sum \underline {k}\) of X the leading coefficient of X and denote it by l d(X).

3.3 Outline of our cryptosystem

We use an analogous method to ASC. More precisely, we use a polynomial \(X(\underline {x}) \in \mathbb {Z}[\underline {x}]\) of degree increasing type and a solution \(\underline {a} = \left (\frac {a_{1}}{d},\ldots,\frac {a_{n}}{d}\right) \in \mathbb {Q}^{n}\) to X=0 as a public key and a secret key, respectively. A plaintext is given as a polynomial \(m \in \mathbb {Z}[\underline {x}]\). We use the following polynomials in \(\mathbb {Z}[\underline {x}]\) as cipher polynomials in our cryptosystem:

where \(\tilde {m}\), s _i , f and r _i are polynomials in \(\mathbb {Z}[\underline {x}]\) with \(\Lambda _{X} = \Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{s_{i}} = \Lambda _{r_{i}}\). The polynomial \(\tilde {m}\) is constructed from a plaintext polynomial \(m \in \mathbb {Z}[\underline {x}]\) and has large coefficients (see section 3.4.2). We need to have \(\Lambda _{X} = \Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{s_{i}} = \Lambda _{r_{i}}\) and translate m into \(\tilde {m}\) to avoid the ideal decomposition attack and other attacks (see section 4). It is the lagest difference between ASC and our cryptosystem. Recall that w _X is the total degree of X. We compute \(h_{i} := F_{i}(\underline {a})\), \(H_{1} := (F_{1}(\underline {a}) - F_{2}(\underline {a}))d^{2w_{X}}\phantom {\dot {i}\!}\), \(H_{2} := (F_{1}(\underline {a}) - F_{3}(\underline {a}))d^{2w_{X}}\phantom {\dot {i}\!}\) and \(g := \gcd (H_{1},H_{2})\) to get \(\tilde {m}(\underline {a})d^{w_{X}}\phantom {\dot {i}\!}\). We pointed out that unlike factorizing a polynomial in \(\mathbb {F}_{p}[t]\), it is hard to factorize integers and so we use three polynomials as cipher polynomials and a GCD computation to get \(f(\underline {a})d^{w_{X}}\phantom {\dot {i}\!}\). If \(g = |f(\underline {a})d^{w_{X}}|\phantom {\dot {i}\!}\) and \(g > |\tilde {m}(\underline {a})d^{w_{X}}|\phantom {\dot {i}\!}\), then we can get \(\tilde {m}(\underline {a})d^{w_{X}}\phantom {\dot {i}\!}\) by computing \(H := h_{1}d^{2w_{X}}\phantom {\dot {i}\!}\) (mod g) and \(Hd^{-w_{X}}\phantom {\dot {i}\!}\) (mod g). If we can get \(\tilde {m}(\underline {a})d^{w_{X}}\phantom {\dot {i}\!}\), then we can recover m by the Recovering Algorithm (RA) described in section 3.4.4. In order to use RA, \(\tilde {m}\) must be of degree increasing type (see section 3.4.4) and for security reasons (section 4), an X must have the same support as \(\tilde {m}\). So we use X which is of degree increasing type.

3.4 Algorithm of our cryptosystem

Now, we describe our cryptosystem.

3.4.1 Key generation

1. 1.

   Secret key

   Choose a vector \(\underline {a} = (a_{1},\ldots,a_{n}) \in \mathbb {Z}^{n}\) of a suitable size^a such that \(\gcd (a_{i},d) =1\) for i=1,…,n. Make them secret.

2. 2.

   Public key

   Choose integers d and e of suitable sizes^b such that \(\gcd (e,\varphi (d)) =1\). Choose an irreducible polynomial \(X(\underline {x}) \in \mathbb {Z}[\underline {x}]\) of degree increasing type such that \(X(\underline {a}/d) = 0\) and # Λ _X ≤w=w _X . Make e, X and Λ _X public.

We give a method to construct a public key X of degree increasing type with \(X(\underline {a}/d) = 0\).

1. 1.

   Choose a finite subset \(\Lambda \subset (\mathbb {Z}_{\geq 0})^{n}\) such that \(\# \left \{\sum \underline {i} \mid \underline {i} \in \Lambda \right \} = \# \Lambda \).

2. 2.

   Let \(\underline {k} = (k_{1},\ldots,k_{n})\) be the maximal element of Λ. For \(\underline {i} \in \Lambda ^{\prime } := \Lambda \smallsetminus \{\underline {0}, \underline {k} \}\), choose random non-zero integers \(c_{\underline {i}}\).

3. 3.

   Choose \(c_{\underline {0}}\) and \(c_{\underline {k}}\) so that

   $$\frac{c_{\underline{k}}\underline{a}^{\underline{k}} + c_{\underline{0}}d^{w}}{d^{w}} = - \frac{\sum_{\underline{i} \in \Lambda^{\prime}}c_{\underline{i}}\underline{a}^{\underline{i}}d^{w^{\prime} - \sum \underline{i}}}{d^{w^{\prime}}}, $$

   where \(w^{\prime } = \max \left \{\sum \underline {i} \mid \underline {i} \in \Lambda ^{\prime } \right \}\), by solving the linear diophantine equation

   $$ c_{\underline{k}}\underline{a}^{\underline{k}} + c_{\underline{0}}d^{w} = - \sum_{\underline{i} \in \Lambda^{\prime}}c_{\underline{i}}\underline{a}^{\underline{i}}d^{w - \sum \underline{i}}. $$

   (4)
4. 4.

   Define

   $$X := \sum_{\underline{i} \in \Lambda}c_{\underline{i}}\underline{x}^{\underline{i}}. $$

The condition on Λ (step 1 above) means that X is of degree increasing type. The equation (4) means that \(X(\underline {a}/d) = 0\).

3.4.2 Encryption

Assume that the sender wants to send a polynomial \(m(\underline {x}) = \sum _{\underline {i} \in \Lambda _{m}}m_{\underline {i}}x^{\underline {i}} \in \mathbb {Z}[\underline {x}](1 < m_{\underline {i}} < d\) and \(\gcd (m_{\underline {i}}, d) = 1)\) with Λ _m =Λ _X .

1. 1.

   Choose a positive integer N such that Nd is larger than the absolute value of each coefficient of X. We assume that an upper bound of N is given.

2. 2.

   Construct a polynomial \(\tilde {m}(\underline {x})\) with \(\Lambda _{\tilde {m}} = \Lambda _{m}\) as follows:

   Let \(\tilde {m}_{\underline {i}}\) be an integer such that \(0<\tilde {m}_{\underline {i}}<Nd\) and \(\tilde {m}_{\underline {i}} \equiv m_{\underline {i}}^{e}\) (mod Nd), and put \(\tilde {m}(\underline {x}) = \sum _{\underline {i} \in \Lambda _{m}}\tilde {m}_{\underline {i}}x^{\underline {i}}\).

3. 3.

   Choose a random polynomial \(f \in \mathbb {Z}[\underline {x}]\) with Λ _f =Λ _X such that \(H(\tilde {m}) < ld(f) < Nd\) and l d(f) is relatively prime to d. We also assume that all coefficients of f except l d(f) are also as large as the coefficients of \(\tilde {m}\).

4. 4.

   Choose random polynomials s _i and r _i in \(\mathbb {Z}[\underline {x}]\) with \(\Gamma _{s_{i}} = \Gamma _{X}\) and \(\Gamma _{r_{i}} = \Gamma _{f}\) for 1≤i≤3.

5. 5.

   Put \(F_{i} := \tilde {m} + s_{i}f + r_{i}X\) for 1≤i≤3 and send (F ₁,F ₂,F ₃,N).

3.4.3 Decryption

1. 1.

   Compute \(h_{i} := F_{i}(\underline {a}/d) = \tilde {m}(\underline {a}/d) + s_{i}(\underline {a}/d)f(\underline {a}/d)\), \(H_{1} := (h_{1} - h_{2})d^{2w_{X}}\phantom {\dot {i}\!}\) and \(H_{2} := (h_{1} - h_{3})d^{2w_{X}}\phantom {\dot {i}\!}\). Note that \(H_{1}, H_{2} \in \mathbb {Z}\).

2. 2.

   Compute \(g := \gcd (H_{1}, H_{2}) > 0\), the greatest common divisor of H ₁ and H ₂. If \(\gcd (g,d) > 1\), then we replace g by \(\frac {g}{\gcd (g,d)}\). Note that if \(g = f(\underline {a}/d)d^{w_{X}}\phantom {\dot {i}\!}\), then \(\gcd (g,d)=1\) (cf. Remark 3.6.3).

3. 3.

   Compute \(H := h_{1}d^{2w_{X}}\phantom {\dot {i}\!}\) (mod g) and \(\tilde {\mu } := Hd^{-w_{X}}\) (mod g). Note that if \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\phantom {\dot {i}\!}\) and g divides \(s_{1}(\underline {a}/d)f(\underline {a}/d)d^{2w_{X}}\phantom {\dot {i}\!}\), then we have

   $$\tilde{m}(\underline{a}/d)d^{w_{X}} =\left\{ \begin{array}{ll} \tilde{\mu} & \text{if}~\tilde{m}(\underline{a}/d)d^{w_{X}} > 0, \\ \tilde{\mu} - g & \text{if}~\tilde{m}(\underline{a}/d)d^{w_{X}} < 0. \end{array} \right. $$

   Note that \(\tilde {m}(\underline {a}/d)d^{w_{X}} \neq 0\phantom {\dot {i}\!}\) (cf. Remark 3.6.4).

4. 4.

   Recover \(m(\underline {x})\) from \(\tilde {\mu }\) or \(\tilde {\mu } - g\) by RA which we will describe below.

3.4.4 Recovering Algorithm (RA)

We describe a method to recover \(m(\underline {x})\) from \(\tilde {\mu }\). Let N, d, e and Λ _X be as above.Input : \(\tilde {\mu }\), N, d, e and Λ _X . Output : \(m^{\prime }(\underline {x}) \in \mathbb {Z}[\underline {x}]\) or “false”.

1. 1.

   Compute

   $$e^{\prime} := e^{-1} (\text{mod}~\varphi(d)). $$
2. 2.

   Let \(\underline {k}\) be the maximal element of Λ _X . Compute

   $$\begin{array}{@{}rcl@{}} m_{\underline{k}}^{\prime} &:=& \left(\tilde{\mu}\underline{a}^{-\underline{k}}\right)^{e^{\prime}} (\text{mod}~{d}) (0 < m_{\underline{k}}^{\prime} < d), \\ \tilde{m}_{\underline{k}}^{\prime} &:=& \left(m_{\underline{k}}^{\prime}\right)^{e} (\text{mod}~{Nd}) (0 < \tilde{m}_{\underline{k}}^{\prime} < Nd). \end{array} $$
3. 3.

   If \(\Lambda _{X}^{\prime } := \Lambda _{X} \smallsetminus {\underline {k}} = \emptyset \), then return \(m^{\prime }(\underline {x}) = \sum _{\underline {i} \in \Lambda _{X}}m_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\). Otherwise, let \(\underline {k}^{\prime }\) be the maximal element of \(\Lambda _{X}^{\prime }\). Let \(w_{X}^{\prime } := \sum \underline {k}^{\prime }\). Put \(\tilde {\mu }^{\prime } := \frac {\tilde {\mu } - \tilde {m}_{\underline {k}}^{\prime }\underline {a}^{\underline {k}}}{d^{w_{X} - w_{X}^{\prime }}}\). If \(\tilde {\mu }^{\prime } \in \mathbb {Z}\), then replace \(\tilde {\mu }\), \(\underline {k}\) and Λ _X by \(\tilde {\mu }^{\prime }\), \(\underline {k}^{\prime }\) and \(\Lambda _{X}^{\prime }\), respectively. Otherwise, return “false”.

4. 4.

   Go back to step 2.

Proposition 3.4.

If \(\tilde {\mu } = \tilde {m}(\underline {a}/d)d^{w_{\tilde {m}}}\), then RA returns \(m(\underline {x})\).

Proof.

We assume that \(\tilde {\mu } = \tilde {m}(\underline {a}/d)d^{w_{\tilde {m}}} = ld(\tilde {m})\underline {a}^{\underline {k}} + \sum _{\underline {i} \in \Lambda _{X} \smallsetminus \{ \underline {k} \}}\tilde {m}_{\underline {i}}\underline {a}^{\underline {i}}d^{\sum \underline {k} - \sum \underline {i}}\). Because \(\tilde {m}\) is of degree increasing type, we have \(\sum \underline {k} - \sum \underline {i} \geq 1\). It implies that

Because l d(m)<d, we have

Thus, \(\tilde {\mu }^{\prime } = \tilde {m}_{\underline {k}^{\prime }}\underline {a}^{\underline {k}^{\prime }} + \sum _{\underline {i} \in \Lambda _{X}^{\prime } \smallsetminus \{ \underline {k}^{\prime } \}}\tilde {m}_{\underline {i}}\underline {a}^{\underline {i}}d^{\sum \underline {k}^{\prime } - \sum \underline {i}}\). Because \(\tilde {m}\) is of degree increasing type, we have \(\sum \underline {k}^{\prime } - \sum \underline {i} \geq 1\). It implies that we can get \(m_{\underline {k}^{\prime }}\) as above. Similarly, we can get \(m_{\underline {i}}\) for \(\underline {i} \in \Lambda _{X} \smallsetminus \{ \underline {k}, \underline {k}^{\prime } \}\). □

Remark 3.5.

We give some remarks on our cryptosystem.

1. 1.

   If d=p is a prime number, we may choose e=p and e ^′=1.

2. 2.

   We should choose d so that the computation of φ(d) is easy. For example, if d is a prime number, then φ(d)=d−1.

3.5 Improvement in recovering algorithm

In step 2 of the decryption process we can write \(g = f(\underline {a}/d)d^{w_{X}}t(t \in \mathbb {Z})\). If |t|>1, then, in step 3, g may not divide \(s_{1}(\underline {a}/d)f(\underline {a}/d)d^{2w_{X}}\). If so, both \(\tilde {\mu }\) and \(\tilde {\mu } - g\) are not equal to \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). Then RA will return “false” with high probability because d is large, ♯ Λ _X ≤w _X and hence \(w_{X} - w_{X}^{\prime }\) becomes ≥2 in the middle of the process of RA. In this case we must take the following steps:

1. 1.

   If RA returned “false", then we choose a positive integer M and construct the set \(F(g,M) := \{x \in \mathbb {Z} \mid 2 \leq x \leq M, x|g\} \subset \mathbb {Z}\).

2. 2.

   If F(g,M)≠∅, then we choose an element x∈F(g,M) and remove x from F(g,M). Otherwise, go back to step 1 and choose an integer which is larger than M.

3. 3.

   Compute \(g^{\prime } := \frac {g}{x}\), \(H^{\prime } := h_{1}d^{2w_{X}}\) (mod g ^′) and \(\tilde {\mu }^{\prime } := H^{\prime }d^{-w_{X}}\) (mod g ^′) and recover \(m(\underline {x})\) from \(\tilde {\mu }^{\prime }\).

4. 4.

   If RA returned “false" again, then go back to step 2.

We describe the reason why RA returns “false” with high probability if we do not get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). Because ♯ Λ _X =w _X +1 implies \(w_{X} - w_{X}^{\prime } = 1\), we have always \(d^{w_{X} - w_{X}^{\prime }} \mid \left (\tilde {\mu } - \tilde {m}_{\underline {k}}^{\prime }\underline {a}^{\underline {k}}\right)\). Thus in this case RA does not return “false” even if we do not get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). On the other hand if ♯ Λ _X ≤w _X , then \(w_{X} - w_{X}^{\prime } \geq 2\) is satisfied in the middle of the process of RA and then RA returns “false” with high probability, if we do not get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). Thus we need to improve the success probability of decryption.

Remark 3.6.

1. 1.

   In step 3 of the decryption process, we require that \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) to get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). To satisfy this condition we impose the condition of step 3 in the encryption process on l d(f). Note that the fact that X is of degree increasing type also helps to satisfy \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\), because \(O(f) = O(\underline {x}^{\underline {k}}) = O(\tilde {m})\) as \(x_{1},\ldots, x_{n} \rightarrow \infty \left (\sum \underline {k} = w_{X}\right)\), if X is of degree increasing type. Thus, if \(f_{\underline {k}} > \tilde {m}_{\underline {k}}\) and |a ₁|,…,|a _n |≫d, then \(|f(\underline {a}/d)d^{w_{X}}| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) is satisfied with high probability because \(|\frac {a_{1}}{d}|,\ldots, |\frac {a_{n}}{d}| \gg 1\). We also note that we can estimate whether \(\tilde {m}(\underline {a}/d)d^{w_{X}} > 0\) or not by the same reason with high probability.

2. 2.

   If |a ₁|,…,|a _n |≈d or |a ₁|,…,|a _n |≪d, then the argument in Remark 3.6.1 is not correct because \(|\frac {a_{1}}{d}|,\ldots,|\frac {a_{n}}{d}| \approx 1\) or \(|\frac {a_{1}}{d}|,\ldots,|\frac {a_{n}}{d}| \ll 1\). So in this case \(\underline {a}\) and f should be chosen so that a ₁,…,a _n >0 and, for each \(\underline {i} \in \Lambda _{f}\), the absolute value of the \(\underline {i}\)-th coefficient of f is larger than that of the monomial \(\underline {x}^{\underline {i}}\) of \(\tilde {m}\) to satisfy \(|f(\underline {a}/d)d^{w_{X}}| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\).

3. 3.

   We need to have \(\gcd (f(\underline {a}/d)d^{w_{X}},d) = 1\) to compute the inverse element of d (mod g). We show that this condition is satisfied. Let \(\underline {k}\) be the maximal element of Λ _f . It follows from the expression

   $$f(\underline{a}/d)d^{w_{X}} = f_{\underline{k}}\underline{a}^{\underline{k}} + \sum_{\underline{i} \in \Lambda_{f} \smallsetminus \{ \underline{k} \}}f_{\underline{i}}\underline{a}^{\underline{i}}d^{w_{X} - \sum \underline{i}}, $$

   that if \(\gcd (f(\underline {a}/d)d^{w_{X}},d) = d^{\prime } > 1\), then \(f_{\underline {k}}\) is divisible by d ^′ because \(\gcd (\underline {a}^{\underline {k}},d) = 1\) is satisfied, and \(\sum _{\underline {i} \in \Lambda _{f} \smallsetminus \{ \underline {k} \}}f_{\underline {i}}\underline {a}^{\underline {i}}d^{w_{X} - \sum \underline {i}}\) is divisible by d. This contradicts our assumption because we assume \(\gcd (f_{\underline {k}}, d) = 1\) in step 3 of the encryption process.

4. 4.

   We also need to have \(\tilde {m}(\underline {a}/d)d^{w_{X}} \neq 0\) to recover m. We show that this condition is satisfied. Let \(\underline {k}\) be as above. It follows from the expression

   $$\tilde{m}(\underline{a}/d)d^{w_{X}} = \tilde{m}_{\underline{k}}\underline{a}^{\underline{k}} + \sum_{\underline{i} \in \Lambda_{\tilde{m}} \smallsetminus \{ \underline{k} \}}\tilde{m}_{\underline{i}}\underline{a}^{\underline{i}}d^{w_{X} - \sum \underline{i}}, $$

   that if \(\tilde {m}(\underline {a}/d)d^{w_{X}} = 0\), then \(\tilde {m}_{\underline {k}}\) is divisible by d. This is a contradiction because \(\gcd (m_{\underline {k}}, d) = 1\) implies \(\gcd (\tilde {m}_{\underline {k}}, d) = 1\).

5. 5.

   Recall that the t in section 3.5 is troublesome if it is large. We experimented 100000 times on the value of t for each set of parameters in the following tables.

   According to these results, we can expect that t is smaller than 1000 with high probability. So we can get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) in practical time with high probability. However, we do have t> >1000, though it happens with low probability. In this case we would not be able to decrypt the plaintext in practical time by the simple trial. Thus if we want to design a scheme with lower probability of decryption failure, we need an efficient integer factorization algorithm in the above steps Tables 1, 2 and 3.

   Full size table

   Full size table

   Full size table

In this section although we have not been able to give a security proof, we analyze the effectiveness of some possible attacks for the one-wayness of our cryptosystem. We also discuss the sizes of d, e and N to achieve 128 bit-security. First, we note that the attacks against ASC described in section 2.6 are applicable also to our cryptosystem.

4.1 Reduction to solving a multivariate equation system I

Let

where \(f_{\underline {i}}^{\prime }\), \(s_{\underline {i}}^{\prime }\) and \(r_{\underline {i}}^{\prime }\) are variables. One may be able to get f by solving the following quadratic equation system

The number of variables of the system is smaller than that of the system in section 2.6.1, but experimentally a Gröbner basis of the ideal generated by the coefficients of F ₁−F ₂−(s ^′ f ^′+r ^′ X) consists of quadratic polynomials and there is no known general algorithm to solve a multivariate quadratic equation system over \(\mathbb {Z}\) or \(\mathbb {Q}\) in polynomial time. So solving the system would not be easy. Moreover, if \(\Lambda _{s_{1}} = \Lambda _{f} = \Lambda _{r_{1}} = \Lambda _{X}\), then the equalities

where s and t are any integers, show that there are many solutions of the system (5). So we may avoid this attack.

4.2 Reduction to solving a multivariate equation system II

Let \(f^{\prime }(\underline {x}) = \sum _{\underline {i} \in \Lambda _{f}}f_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\), \(s^{\prime }(\underline {x}) = \sum _{\underline {i} \in \Lambda _{s_{1}}}s_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\) and \(r^{\prime }(\underline {x}) = \sum _{\underline {i} \in \Lambda _{r_{1}}}r_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\) be as in section 4.1. Let

where \(\tilde {m}_{\underline {i}}^{\prime }\) are variables. Let \(\underline {a}_{1}=(a_{11},\ldots,a_{1n}),\cdots,\underline {a}_{\ell }=(a_{\ell 1},\ldots,a_{\ell n}) \in \mathbb {Z}^{n}\) be n-tuples of integers. Then we have the following multivariate equation system in \(f_{\underline {i}}^{\prime }\), \(s_{\underline {i}}^{\prime }\), \(r_{\underline {i}}^{\prime }\) and \(\tilde {m}_{\underline {i}}^{\prime }\):

One of the methods of solving (6) is to use the Gröbner basis technique. However, if {g ₁,⋯,g _h } is a Gröbner basis of the ideal (G ₁,⋯,G _ℓ ), experimentally, g _i is a cubic or a quadratic polynomial with rational coefficients having large denominators and numerators. Thus, as mentioned in section 4.1, it would not be easy to solve (6). Moreover, for any integers s and t we have

Noting that \(\Lambda _{X} = \Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{s_{1}}\), \(\Gamma _{s_{i}} = \Gamma _{X}\) and \(\Gamma _{r_{i}} = \Gamma _{f}\) for 1≤i≤3, we see that there are many possible solutions of (6). Hence, we may suppose that this attack is not efficient if Nd is sufficiently large, say N d>2¹²⁸ H(X). Note that it is also possible to compare \(F^{\prime }(\underline {a}_{i}) - \tilde {m}^{\prime }(\underline {a}_{i})\) and \(F_{1}(\underline {a}_{i}) - F_{2}(\underline {a}_{i})\) to get f, but it would be hard because of the same reason.

4.3 Reduction to solving a multivariate equation system III

The following attack was suggested by Professor Attila Pethő. Let f ^′, s ^′, r ^′ and \(\tilde {m}^{\prime }\) be as in section 4.2. Let \(S := \sum _{\underline {i} \in \Lambda _{f^{\prime }s^{\prime }}}S_{\underline {i}}\underline {x}^{\underline {i}}\) and define

where \(S_{\underline {i}}\)’s are variables. Then one can apply the similar attack as in section 4.2 to F ^′′. However, we may also suppose that this attack is not efficient if Nd is sufficiently large, say N d>2¹²⁸ H(X). To see this, let \(r \in \mathbb {Z}[\underline {x}]\) be a random polynomial with Λ _r =Λ _X . Then we have

It implies that there are many possible solution to \(F^{\prime \prime }(\underline {a}_{1}) - F_{1}(\underline {a}_{1}) = 0,\ldots,F^{\prime \prime }(\underline {a}_{\ell }) - F_{1}(\underline {a}_{\ell }) = 0\), where \(\underline {a}_{1},\ldots,\underline {a}_{\ell }\) are as in section 4.2. Note that S+r X has the same form as S, and r ^′−r, \(\tilde {m}^{\prime } - r\) and S+r have the same form as r ^′, \(\tilde {m}^{\prime }\) and S, respectively.

4.4 Reduction by X

Since X is made public, one can try to divide F ₁−F ₂ by X to find f in the remainder. But f does not appear in the remainder if Λ _f =Λ _X and the absolute values of coefficients of f are larger than those of X. So this attack would not be effective.

4.5 Rational point attack (solving X=0)

This attack is equivalent to solving the diophantine equation \(X(\underline {x}) = 0\). Although it is hard in general as mentioned in introduction, one may wonder if the diophantine equation \(X(\underline {x}) = 0\) may be solvable for X of degree increasing type. However, there are no known general algorithms to solve such diophantine equations in polynomial time. For instance, in [20], it was proved that the problem for determining whether there are positive integer solutions for

where a, b and c are positive integers, is NP-complete. So we may assume that solving the diopantine equations of degree increasing type is hard in general.

Next, we discuss more general diophantine problems. If one can find a vector \(\underline {a}\) such that \(X(\underline {a}/d) = 0\), then one can get m by the same process of decryption. The solution \(\underline {a}/d\) is not an integral solution but a rational solution. (Using rational solutions is suggested by Professor Noriko Hirata-Kohno.) However, finding such rational solutions is equivalent to finding integral solutions of \(G(\underline {x}) := X(\underline {x}/d)d^{w_{X}} = 0\). (If we do not know the denominator d, finding rational solutions of \(G(\underline {x}) = 0\) is reduced to finding integer solutions of the equation \(G\left (\frac {x_{1}}{z},\ldots,\frac {x_{n}}{z}\right)z^{w_{X}} = 0\) in n+1 variables.) If n=2 and \(G(\underline {x}) = 0\) defines a curve of genus 0, 1 or a hyperelliptic curve, then there are explicit algorithms to find all integral solutions [6,26,30]. Otherwise, in special cases there are some algorithms to find all integral points [3,4]. Moreover, it is believed that in many cases, diophantine equations with two variables are solvable. Theoretically, using Baker’s method and its improvements, explicit upper bounds of the size of solutions to special equations with two variables are known (see [13] and the references given there). (Note that if solutions of a diophantine equation are sufficiently large, then Baker’s method is not practical in general, but we want to use a solution which is as small as possible.) However, no efficient methods are known to find integral solutions of diophantine equations of n variables with n≥3. So we should use a diophatine equations with at least 3 variables as a public key of our cryptosystem. Note that in case of 3 variables, our experience in arithmetic geometry suggests to use X of degree at least 5, because then the hypersurface in the projective 3-space defined by (the homogenized form of) X is of general type if it is non-singular (cf. [14], Example F.5.1.7 and section F.5.2).

4.6 Solving \(X(\underline {x}/d)d^{w_{X}} \equiv 0 \left (\mathrm {mod d}^{w_{X}+1}\right)\)

If we use a single cipher polynomial \(F := \tilde {m} + rX\), where r is an integer or a polynomial in \(\mathbb {Z}[\underline {x}]\) such that rX is of degree increasing type, and \(\Lambda _{\tilde {m}} = \Lambda _{rX}\), then it can be broken by finding a solution to the congruence equation

which can be computable in probabilistic polynomial time. Let \(\underline {b}\) be a solution of (7) and \(\underline {k}\) the maximal element of Λ _{r X} . Then the same method as RA is applicable as follows:

Similarly, we can compute the other coefficients of m. However, using cipher polynomials of the form

we may avoid this weakness because s _i f obstructs to get \(\tilde {m}(\underline {b}/d)d^{w_{X}}\) (mod d).

4.7 Ideal decomposition attack

By using the resultant as in section 2.6.4, it is also possible in our case to reconstruct the ideals \(I := (\tilde {m},f,X) \subset \mathbb {Z}[\underline {x}]\), \(J := (\tilde {m} + z,f,X) \subset \mathbb {Q}[\underline {x},z]\) or \(\overline {J}^{(\ell)} := \left (\overline {\tilde {m}}^{(\ell)} + z, \overline {f}^{(\ell)}, \overline {X}^{(\ell)}\right) \subset (\mathbb {Z}/\ell \mathbb {Z})[\underline {x},z]\) from the data (F ₁,F ₂,X), where z is a new variable and ℓ is a prime number. If one can get \(\tilde {m}\), then one can get m. A simple method to avoid this attack is to let \(\Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{X}\) and the coefficients of \(\tilde {m}\) be larger than H(X). Then \(\tilde {m}\) cannot be determined uniquely because \(\tilde {m}^{\prime } + z \in J\) implies \(\tilde {m}^{\prime } + z + sX + tf \in J\) for any s, \(t \in \mathbb {Z}\) (note that \(\Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{X}\)). However, in general, we cannot determine \(\tilde {m}\) from \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) uniquely even if we know the secret key \(\underline {a}\). This reason is as follows: for any \(t \in \mathbb {Z}\), \(\tilde {m}(\underline {x})\) and \(\tilde {m}(\underline {x}) + tX(\underline {x})\) have the same value at \(\underline {a}/d\). So, we use modular exponentiation to transform m into \(\tilde {m}\) and use Euler’s theorem as in the RSA cryptosystem to recover m from \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) in RA. This is the main idea to avoid this attack.

Now, we analyze the effectiveness of the ideal decomposition attack in detail. We analyze only the Level 2 and the Level 3 attacks because, experimentally, the Level 1 attack is not efficient. First, we analyze the effectiveness of the ideal decomposition attack of Level 2 (see [12], section 3.2), which uses the ideal decomposition

to reconstruct from the data (F ₁,F ₂,X) an ideal \(J \subset \mathbb {Q}[\underline {x},z]\) which coincides with \((\tilde {m} + z, f, X)\). To get \(\tilde {m}\), we use the fact that if a Gröbner basis of J is computed, then \(\tilde {m}^{\prime } + z \in J\) if and only if \(NF_{J}(\tilde {m}^{\prime } + z) = 0\) (see section 2.6.4 for more detail). But, if \(\tilde {m}^{\prime } + z \in J\), then for any integers s and t, \(\tilde {m}^{\prime } + z + sX + tf \in J\) is also satisfied. If the number of choices of the pairs \((s, t) \in \mathbb {Z}^{2}\) is larger than 2¹²⁸, we may avoid this attack. All coefficients of \(\tilde {m}\) and f are smaller than Nd, but in many cases they are as large as Nd, if \(m_{\underline {i}}^{e} > Nd\). So the possible choices of t may be only 0, 1 or 2. But, if N d>2¹²⁸ H(X), the number of the possible choices of s may be larger than 2¹²⁸. So N should be chosen so that N d>2¹²⁸ H(X) and e should be so large that \(m_{\underline {i}}^{e} \geq 2^{e} > Nd\) for \(\underline {i} \in \Lambda _{m}\). In this case, this attack is not assumed to be effective. Note that, because the absolute value of coefficients of f are as large as those of \(\tilde {m}\), the above argument implies that choosing N satisfying N d>2¹²⁸ H(X) may complicate finding f from the ideal J or I ₁.

Next, we analyze the effectiveness of the ideal decomposition attack of Level 3 (see [12], section 3.3). We assume that d is a prime number. We note that if one got \(\overline {\tilde {m}}^{(d)}\), then one can get m. So one does not need to get \(\tilde {m}\). It is possible to reconstruct an ideal \(\overline {J}^{(d)} \subset (\mathbb {Z}/d\mathbb {Z})[\underline {x},z]\) which coincides with \(\left (\overline {\tilde {m}}^{(d)} + z, \overline {f}^{(d)}, \overline {X}^{(d)}\right)\) from tha data (F ₁,F ₂,X) (see the algorithm in 2.6.4). Let \(\tilde {m}^{\prime }(\underline {x}) := \sum _{\underline {i} \in \Lambda _{\tilde {m}}}\tilde {m}_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\), where \(\tilde {m}_{\underline {i}}^{\prime }\) are variables for \(\underline {i} \in \Lambda _{\tilde {m}}\). Assume that a Gröbner basis of \(\overline {J}^{(d)}\) is computed. Let J be the ideal of \((\mathbb {Z}/d\mathbb {Z})[m_{\mathrm {c}\underline {0}}^{\prime },\cdots,\tilde {m}_{\underline {k}}^{\prime }]\) generated by the coefficients of \(NF_{\overline {J}^{(d)}}(\tilde {m}^{\prime } + z)\). Let {g ₁,⋯,g _h } be a Gröbner basis of J. Then g _i is linear with respect to its variables for each 1≤i≤h. So we can use linear algebra techniques to solve \(NF_{\overline {J}^{(d)}}(\tilde {m}^{\prime } + z) = 0\). Let A be the coefficient matrix of the equation system g ₁=⋯=g _h =0. Let D be the dimension of the kernel of the linear map \(\mathbb {F}_{d}^{\# \Lambda _{\tilde {m}}} \rightarrow \mathbb {F}_{d}^{h}\) defined by A. Then the number of polynomials in \(\overline {J}^{(d)}\) having the same form as \(\overline {\tilde {m}}^{(d)} + z\) is d ^D. So if d ^D>2¹²⁸, the Level 3 attack is not effective. Experimentally, D is at least 2. Thus, this attack is not assumed to be effective if d ²≥2¹²⁸(d≥2⁶⁴).

Next, we assume that \(d = \prod _{1 \leq i \leq k}p_{i}(k \geq 2\) and p _i are distinct prime numbers for 1≤i≤k). If one got \(\overline {\tilde {m}}^{(p_{i})}\) for 1≤i≤k, then one can get \(\overline {\tilde {m}}^{(d)}\) and m by the Chinese Remainder Theorem. However, because of the above argument we may also avoid this attack, if d is sufficiently large, for example d ²>2¹²⁸. Note that if \(d = \prod _{1 \leq i \leq k}p_{i}^{e_{i}}\) and e _i ≥2 for some i, this attack may not be directly applicable, because \(\mathbb {Z} / p^{e_{i}}\mathbb {Z}\) is not a domain if e _i ≥2. But, it is possible to lift a polynomial \(\overline {\tilde {m}}^{(p_{i})} \in (\mathbb {Z}/p_{i}\mathbb {Z})[\underline {x}]\) to a polynomial \(\overline {\tilde {m}}^{(p_{i}^{e_{i}})} \in (\mathbb {Z}/p_{i}^{e_{i}}\mathbb {Z})[\underline {x}]\) for 1≤i≤n. There are \(p_{i}^{e_{i}-1}\) ways of such a lifting. So we may also avoid this attack, if d is sufficiently large, for example d≥2⁶⁴.

In this section we estimate the sizes of keys and cipher polynomials so that our cryptosystem can be expected to have 128 bit-security. First, we estimate the size of a secret key and a public key. A typical brute force attack is as follows: One chooses a random vector (b ₁,…,b _n−1) and factorize the polynomial \(X\left (\frac {b_{1}}{d},\ldots,\frac {b_{n-1}}{d},x_{n}\right)\) in x _n . If \(X\left (\frac {b_{1}}{d},\ldots,\frac {b_{n-1}}{d},x_{n}\right)\) has a factor of the form \(\left (x_{n} - \frac {b_{n}}{d}\right)\) for some integer b _n , then \(\left (\frac {b_{1}}{d},\ldots,\frac {b_{n}}{d}\right)\) is a solution to X=0. If \(\gcd \left (\prod _{i} b_{i}, d\right) = 1\), then using the solution \(\left (\frac {b_{1}}{d},\ldots,\frac {b_{n}}{d}\right)\), one can get m by taking the same steps as the decryption process. So we should choose a secret key \(\underline {a} = (a_{1},\ldots,a_{n})\) such that |a _i | is sufficiently large for i=1,…,n to avoid the brute force attack. Since the probability that a random integer b is prime to d is \(\frac {\varphi (d)}{d}\) (φ(·) is the Euler’s function), the number of choices of the vector (b ₁,…,b _n−1) which satisfies \(\frac {2^{\lceil \frac {128}{n-1} \rceil }d}{\varphi (d)} \leq |b_{i}| < \frac {2^{\lceil \frac {128}{n-1} \rceil + 1}d}{\varphi (d)}\) and \(\gcd \left (\prod _{i} b_{i}, d\right) = 1\) is at least \(2^{\left \lceil \frac {128}{n-1} \right \rceil (n-1)} \geq 2^{128}\). Thus we should choose a secret key so that

for i=1,…,n. We assume (8). Let \(\underline {k}\) be the maximal element of Λ _X and \(\Lambda _{X}^{\prime }\) be as in section 3.4.1. We assume that X is constructed by the method described in section 3.4.1. There are infinitely many solutions of (4). We claim that we can choose a solution \((c_{\underline {0}}, c_{\underline {k}})\) such that \(|c_{\underline {0}}| \leq |\underline {a}^{\underline {k}}|\) and \(|c_{\underline {k}}| \leq d^{w_{X}}\), if the following inequality is satisfied:

To see this, let \(A := \left | \sum _{\underline {i} \in \Lambda _{X}^{\prime }}c_{\underline {i}}\underline {a}^{\underline {i}}d^{w_{X} - \sum \underline {i}} \right |\). If (x ₀,y ₀) is a solution to

then all solutions are given by \(\left (x_{0} + kd^{w_{X}}, y_{0} - k\underline {a}^{\underline {k}}\right)\phantom {\dot {i}\!}\) for \(k \in \mathbb {Z}\). Looking at the first lattice point (x,y) on the line \(|\underline {a}^{\underline {k}}|x + d^{w_{X}}y = A\phantom {\dot {i}\!}\) with x>0, we find a solution (x,y) such that \(x \leq d^{w_{X}}\phantom {\dot {i}\!}\) and \(y \leq |\underline {a}^{\underline {k}}|\phantom {\dot {i}\!}\). Thus, we have proved the above claim.

In many cases the minimum size of the solutions of (4) satisfies \(|c_{\underline {0}}| \approx |\underline {a}^{\underline {k}}|\) and \(|c_{\underline {k}}| \approx d^{w_{X}}\). If the \(|c_{\underline {i}}|\)’s are so small that (9) is satisfied, then we may assume that

On the other hand, as mentioned in section 4.7, N, d and e should be chosen so that N d>2¹²⁸ H(X), d≥2⁶⁴ and 2^e>N d, respectively. We must determine an upper bound of Nd and d to estimate the size of e and \(c_{\underline {k}}\), respectively. We assume that \(H(X) = c_{\underline {k}}\), 2⁶⁴≤d<2⁶⁵ and \(2^{128}H(X) \leq 2^{128}d^{w_{X}} < 2^{128+65w_{X}} \leq Nd\phantom {\dot {i}\!}\). Then \(c_{\underline {k}} \leq 2^{65w_{X}}\phantom {\dot {i}\!}\) and \(N \geq 2^{128+65(w_{X}-1)}\phantom {\dot {i}\!}\). If we assume that \(2^{128+65(w_{X}-1)} \leq N < 2^{128+65(w_{X}-1) + 1} = 2^{129+65(w_{X}-1)}\phantom {\dot {i}\!}\), then we should choose e so that e≥129+65w _X because \(Nd < 2^{129 + 65w_{X}}\phantom {\dot {i}\!}\). It remains to estimate the size of \(|c_{\underline {i}}|\) for \(\underline {i} \in \Lambda _{X}^{\prime }\phantom {\dot {i}\!}\). We think that the size of these coefficients may be small enough to keep the size of the public key reasonable even though we cannot prove it. For example, if \(|c_{\underline {i}}| < 2^{10}\phantom {\dot {i}\!}\), then the size of X, that is \(\sum _{\underline {i} \in \Lambda _{X}}\)(bit length of \(c_{\underline {i}}\)), is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 65w_{X} + 10(\#\Lambda _{X} - 2) = \left (\lceil \frac {128}{n-1} \rceil + 66 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 10\# \Lambda _{X}^{\prime }\phantom {\dot {i}\!}\) bits under the above assumptions. If \(w_{X} \approx \#\Lambda _{X} = \Lambda _{X}^{\prime } + 2\phantom {\dot {i}\!}\), then the size of X \(\approx (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil)w_{X}\) bits. Then the size of the secret key and the public key is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1\right)n + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \) bits and \(\left (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 65 + \lceil \log _{2}e \rceil \) bits, respectively.

Next, we estimate the size of F _i for i=1,2,3. We may assume that the size of F _i is about the same as that of 2s _i f because \(\Gamma _{f} = \Gamma _{r_{i}}\phantom {\dot {i}\!}\) and \(\Gamma _{s_{i}} = \Gamma _{X}\phantom {\dot {i}\!}\). Since \(\Lambda _{X} = \Lambda _{f} = \Lambda _{s_{i}}\phantom {\dot {i}\!}\), # Λ _X ≤w _X , \(H(f) < Nd < 2^{129+65w_{X}}\phantom {\dot {i}\!}\) and \(H(s_{i}) \approx H(X) < 2^{65w_{X}}\phantom {\dot {i}\!}\), we have

It implies that the size of 2s _i f is at most \((130+130w_{X} + \lceil \log _{2} w_{X} \rceil)\# \Lambda _{s_{i}f}\) bits. So, it is important to estimate \(\# \Lambda _{s_{i}f}\), explicitly. We assume \(\Lambda _{f} = \Lambda _{s_{i}} = \left \{ \underline {k}_{1},\ldots,\underline {k}_{\# \Lambda _{f}} \right \}\). Then we can write

It implies that

Thus, the size of 2s _i f is at most

bits. Since \(2^{128+65(w_{X}-1)} \leq N < 2^{129+65(w_{X}-1)}\phantom {\dot {i}\!}\), we conclude that the size of ciphertext is at most

bits.

In Table 4 and Table 5 we give examples of the size of keys and ciphertexts. In Table 6 we also give examples of the time which it took to encrypt and decrypt. We use a computer with 2.80 GHz CPU (Intel(R) Core(TM) i7-3840QM) and 8GB memory. The OS is Windows 8.1 Pro 64 bit. We implemented in Magma V2.19-7 [5] and the source code of our cryptosystem (file name: crypto-okumura.txt) is available at http://imi.kyushu-u.ac.jp/\(\tilde {}\)s-okumura/.

In this paper we have proposed a new public key cryptosystem based on diophantine equations and analyzed its security. It is a number field analogue of the ASC, incorporating a key idea, to avoid some attacks, of “twisting” the plaintext by using some modular arithmetic and Euler’s theorem as in the RSA cryptosystem. Another key idea is to use a polynomial, as the public key, of degree increasing type to recover the plaintext. In this paper we have not studied the hardness of solving diophantine equations of degree increasing type. Investigating the security of our cryptosystem by using this special type of diophantine equations is a future work.

^a The size of a _i should be \(|a_{i}| \geq \frac {2^{\lceil \frac {128}{n-1} \rceil + 1}d}{\varphi (d)}\) for i=1,…,n, where φ(·) is the Euler function and d is an integer which we will choose below. (For the reason of this choice, see section 5).

^b The sizes of d and e should be d≥2⁶⁴ and e≥129+65w, respectively. (For the reason of this choice, see section 5).

I am grateful to my supervisor Yuichiro Taguchi for comments, corrections, and suggestions on this research. I am also grateful to Koichiro Akiyama, Noriko Hirata-Kohno, Attila Pethő, Takakazu Satoh and Tsuyoshi Takagi for useful comments, suggestions and discussions.

Authors and Affiliations

1. Kyushu University, 744, Motooka, Nishi-ku, 819-0395, Fukuoka, Japan

   Shinya Okumura

Corresponding author

Correspondence to Shinya Okumura.

This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.

Reprints and permissions