- Original article
- Open Access
A public key cryptosystem based on diophantine equations of degree increasing type
- Shinya Okumura^{1}
https://doi.org/10.1186/s40736-015-0014-4
© Okumura. 2015
- Received: 23 December 2014
- Accepted: 26 April 2015
- Published: 5 June 2015
Abstract
In this paper we propose a new public key cryptosystem based on diophantine equations which we call of degree increasing type. We use a method analogous to the “Algebraic Surface Cryptosystem” (ASC) proposed by Akiyama, Goto and Miyake. There are two main differences between our cryptosystem and ASC. One of them is to twist a plaintext by using some modular arithmetic, which increases the number of candidates for the plaintext and so complicates finding the correct one. The other is to use a polynomial of degree increasing type, which lets us recover the plaintext uniquely even though it was twisted. Although we have not been able to give a security proof, we discuss how secure our cryptosystem is against known attacks, including the ideal decomposition attack, which can break the one-wayness of ASC.
Keywords
- Diophantine equation
- Post quantum cryptography
- Public key cryptography
1 Introduction
After Diffie and Hellman proposed the concept of public key cryptography [11], the theory of cryptography developed rapidly and has contributed to the security of networks. Public key cryptosystems are based on computationally hard problems, for example the factorization of large integers and the computation of discrete logarithms in large finite groups. The most famous public key cryptosystems are the RSA cryptosystem [27] and elliptic curve cryptosystems [17,22]. Although these cryptosystems have been studied by many researchers, no efficient attacks have been found in general. However, Shor showed that factorization of integers and computation of discrete logarithms can be done efficiently on a quantum computer [28]. So it is important to find new computationally hard problems which are intractable even with quantum computers and can be used to construct cryptosystems. We expect that the diophantine problem is one of such problems. This problem is to find integral or rational solutions of a given multivariate polynomial equation with integer coefficients. Despite the efforts of many researchers (see e.g. [14]), this problem is usually very difficult. Moreover, Matijasevič showed that there is no general method which determines the solvability of an arbitrary diophantine equation [10]. On the other hand, for any integers a _{1},a _{2},⋯,a _{ n }, it is easy to find a polynomial \(X(x_{1},\cdots,x_{n}) \in \mathbb {Z}[x_{1},\cdots,x_{n}]\) with X(a _{1},a _{2},⋯,a _{ n })=0 (see section 3.4.1). So we can expect that diophantine equations can be used to construct new public key cryptosystems. Indeed some cryptosystems based on this problem have already been proposed [15,19,34]. But the one-wayness of the cryptosystem proposed in [19] was broken [9]. On the other hand, the cryptosystems in [15,34] are interesting in theory, but they can be used only a few times with the same key ([15], Proposition 2).
We can also consider the diophantine problem over global function fields. This problem is also hard and it is proved that there is no general method which determines the solvability of an arbitrary diophantine equation [25]. The Algebraic Surface Cryptosystem (ASC) proposed in [1] is based on the hardness of the section finding problem (SFP) which can be viewed as a diophantine problem over \(\mathbb {F}_{p}[t]\) (or \(\mathbb {F}_{p}(t)\)). More precisely, let p be a prime number and \(X(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) a polynomial which defines a surface S with a fibration \(S \rightarrow \mathbb {A}_{\mathbb {F}_{p}}^{1}\) over the affine t-line. The SFP is to find \(u_{x}(t), u_{y}(t) \in \mathbb {F}_{p}[t]\) such that X(u _{ x }(t),u _{ y }(t),t)=0.
In number theory, there are many analogous problems between number fields and function fields, and there are many cases where the function field version has been solved while the number field version remains open. For example, there is an algorithm to factorize elements of \(\mathbb {F}_{p}[t]\) in probabilistic polynomial time [2,7], while the best known algorithm for factorization in \(\mathbb {Z}\) (the general number field sieve) takes subexponential time \(O\left (e^{(c+o(1))(\log N)^{\frac {1}{3}}(\log \log N)^{\frac {2}{3}}}\right)\), where \(c = \left (\frac {64}{9}\right)^{\frac {1}{3}}\) and N is the integer to be factorized [18]. The Riemann Hypothesis for function fields was proved by André Weil [33], while the Riemann Hypothesis for \(\mathbb {Z}\) still seems far beyond our reach. The abc conjecture for function fields (the Mason-Stothers Theorem) was proved in [21,29], while a proof of the abc conjecture for \(\mathbb {Z}\) was announced only a few years ago by Shinichi Mochizuki [23].
In this paper we consider diophantine equations of degree increasing type (see Definition 3.1) over the integers and propose a new public key cryptosystem whose security relies on the hardness of finding a rational solution to them. In our cryptosystem we use a polynomial \(X(x_{1},\cdots,x_{n}) \in \mathbb {Z}[x_{1},\cdots,x_{n}]\) and integers \(d,e \in \mathbb {Z}\) satisfying certain conditions as the public key, and integers a _{1},⋯,a _{ n } satisfying \(X\left (\frac {a_{1}}{d},\cdots,\frac {a_{n}}{d}\right) = 0\) as the secret key. Our method is to mix a plaintext (which is a polynomial) with other polynomials and to cover the mixed polynomial with the public key. To recover the plaintext we use the secret key and some modular arithmetic. This method is analogous to ASC except for the use of modular arithmetic. Although the one-wayness of ASC was broken by the ideal decomposition attack [12], our analysis (section 4) shows that our cryptosystem resists some possible attacks including the ideal decomposition attack. However, we have not been able to give a security proof of it. Finally, we estimate the size of the keys of our cryptosystem. This paper aims to design a scheme with a 128 bit security level. Our estimation shows that if we use integers d, e and a diophantine equation with n variables and total degree w as the public key, then the size of the secret key is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1\right)n + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \) bits and the size of the public key is at most \(\left (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w + 65 + \lceil \log _{2}e \rceil \) bits. We also estimate the size of ciphertexts to be at most \(\frac {3}{2}(w^{2}+w)(129+130w + \lceil \log _{2} w \rceil) + 129+65(w-1)\) bits.
This paper is organized as follows: In section 2 we give a brief review of ASC and known attacks against it. In section 3 we describe our cryptosystem including some remarks on it and give a method to construct a diophantine equation of degree increasing type with a given solution. In section 4 we analyze its security against some possible attacks. In section 5 we estimate the size of keys and ciphertexts under some assumptions. In section 6 we give some examples of the size of keys and ciphertexts together with the time which it took to encrypt and decrypt.
2 Review of ASC
In this section we give a brief review of ASC and known attacks against it (for details, see [1]). Let p be a prime number. ASC makes use of a section of a fibration of an algebraic surface over the affine line over \(\mathbb {F}_{p}\).
2.1 Notation
2.2 Key generation
- 1.
Secret key
Choose two polynomials u _{ x }(t), \(u_{y}(t) \in \mathbb {F}_{p}[t]\) of degree d.
- 2.
Public key
For k=1,2,3, choose finite subsets \(\Lambda _{k}^{(p)} \subset (\mathbb {Z}_{\geq 0})^{2}\) and \(D_{k} = \left \{ d_{ij}^{(k)} \mid (i,j) \in \Lambda _{k}^{(p)} \right \} \subset \mathbb {Z}_{\geq 0}\) so that the following holds: (i) \(\Lambda _{2}^{(p)} \subset \Lambda _{1}^{(p)}\Lambda _{3}^{(p)}\). (ii) For any polynomial \(f_{k} = \sum _{(i,j) \in \Lambda _{k}^{(p)}}f_{ij}^{(k)}(t)x^{i}y^{j}\in \mathbb {F}_{p}[x,y,t]\) (k=1,2,3) with \(\Lambda _{f_{k}}^{(p)} = \Lambda _{k}^{(p)}\) and \(\deg f_{ij}^{(k)}(t) = d_{ij}^{(k)}\), we have
$$\left\{ \begin{array}{l} \deg_{x}f_{1} < \deg_{x}f_{2} < \deg_{x}f_{3}, \\ \deg_{y}f_{1} < \deg_{y}f_{2} < \deg_{y}f_{3}, \\ \deg_{t}f_{1} < \deg_{t}f_{2} < \deg_{t}f_{3}, \\ (\deg_{x}f_{2}, \deg_{y}f_{2}, \deg_{t}f_{2}) \in \Gamma_{f_{2}}^{(p)}, \\ (\deg_{x}f_{3}, \deg_{y}f_{3}, \deg_{t}f_{3}) \in \Gamma_{f_{3}}^{(p)}. \end{array} \right. \quad (1)$$
Construct a polynomial \(X(x,y,t) = \sum _{(i,j) \in \Lambda _{1}^{(p)}}c_{ij}(t)x^{i}y^{j} \in \mathbb {F}_{p}[x,y,t]\) such that X(u _{ x }(t),u _{ y }(t),t)=0, \(\deg c_{ij}(t)= d_{ij}^{(1)}\) and c _{ i j }(t)≠0 for \((i,j) \in \Lambda _{1}^{(p)}\). In section 2.5 we give a method to construct such a polynomial. For i=1,2,3, make X, \(\Lambda _{i}^{(p)}\) and D _{ i } public.
2.3 Encryption
- 1.For k=1,2, choose random polynomials in \(\mathbb {F}_{p}[x,y,t]\)
$$s_{k} = \sum_{(i,j) \in \Lambda_{1}^{(p)}}s_{ij}^{(k)}(t)x^{i}y^{j}, \qquad r_{k} = \sum_{(i,j) \in \Lambda_{3}^{(p)}}r_{ij}^{(k)}(t)x^{i}y^{j}, \qquad f = \sum_{(i,j) \in \Lambda_{3}^{(p)}}f_{ij}(t)x^{i}y^{j},$$
such that \(\deg s_{ij}^{(k)}(t) = d_{ij}^{(1)}\) and \(\deg r_{ij}^{(k)}(t)=\deg f_{ij}(t) = d_{ij}^{(3)}\). Here m denotes the plaintext, a polynomial with \(\Lambda _{m}^{(p)} = \Lambda _{2}^{(p)}\). Note that from (1), we have
$$\left\{ \begin{array}{l} \deg_{x}X < \deg_{x}m < \deg_{x}f, \\ \deg_{y}X < \deg_{y}m < \deg_{y}f, \\ \deg_{t}X < \deg_{t}m < \deg_{t}f, \\ (\deg_{x}m, \deg_{y}m, \deg_{t}m) \in \Gamma_{m}^{(p)}, \\ (\deg_{x}f, \deg_{y}f, \deg_{t}f) \in \Gamma_{f}^{(p)}. \end{array} \right. \quad (2)$$
- 2.
Put F _{ i }:=m+s _{ i } f+r _{ i } X for i=1,2, and send (F _{1},F _{2}).
2.4 Decryption
- 1.For i=1,2, compute$$\begin{array}{@{}rcl@{}} h_{i}(t) &:=& F_{i}(u_{x}(t), u_{y}(t), t) \\ &=&m(u_{x}(t), u_{y}(t), t) \\ && + s_{i}(u_{x}(t), u_{y}(t), t)f(u_{x}(t), u_{y}(t), t). \end{array} $$
- 2.Factorize h _{1}−h _{2} and find a factor h _{3} of it whose degree is equal to degf(u _{ x }(t),u _{ y }(t),t). Note that from (2), we have$$\deg f(u_{x}(t), u_{y}(t), t) = \deg h_{3} > \deg m(u_{x}(t), u_{y}(t), t). $$
- 3.
Compute h _{4}(t):=h _{1}(t) (mod h _{3}(t)). Note that if h _{3} divides s _{1}(u _{ x }(t),u _{ y }(t),t)f(u _{ x }(t),u _{ y }(t),t), then h _{4}=m(u _{ x }(t),u _{ y }(t),t).
- 4.Extract m(x,y,t) from h _{4} by solving, in the variables m _{ i j k } for \((i, j, k) \in \Gamma _{m}^{(p)}\), the linear equation
$$h_{4} = \sum_{(i,j,k) \in \Gamma_{m}^{(p)}}m_{ijk}{u_{x}^{i}}{u_{y}^{j}}t^{k},$$
and put
$$m^{\prime}(x,y,t) := \sum_{(i, j, k) \in \Gamma_{m}^{(p)}}m_{ijk}x^{i}y^{j}t^{k}.$$
- 5.
We can verify whether m ^{′}=m or not by a MAC (message authentication code) of m. If the verification fails, then go back to step 2 and choose another factor of h _{1}−h _{2}.
2.5 Construction of X(x,y,t)
- 1.
Choose a finite subset \(\Lambda ^{(p)} \subset (\mathbb {Z}_{\geq 0})^{2}\) with \((0, 0) \in \Lambda ^{(p)}\), and a set \(D := \{ d_{ij} \mid (i,j) \in \Lambda ^{(p)} \} \subset \mathbb {Z}_{\geq 0}\).
- 2.
Choose random non-zero polynomials c _{ i j }(t) of degree d _{ i j } for \((i,j) \in \Lambda ^{(p)} \smallsetminus \{ (0, 0) \}\).
- 3.
Compute \(c_{00}(t) := - \sum _{(i,j) \in \Lambda ^{(p)} \smallsetminus \{ (0,0) \}}c_{{ij}}(t){u_{x}^{i}}{u_{y}^{j}}\).
- 4.Define$$X := \sum_{(i,j) \in \Lambda^{(p)}}c_{{ij}}(t)x^{i}y^{j}. $$
2.6 Known attacks
We describe four possible attacks against ASC. For more details, see [1], section 5 and [12,24].
2.6.1 Reduction to solving a multivariate equation system
2.6.2 Reduction attack by Iwami [16]
Since X is made public, one can try to divide F _{1}−F _{2} by X to find f in the remainder. But f does not appear in the remainder because of (2). For this attack, see also [31].
2.6.3 Rational point attack by Voloch [32]
Then one can find f by factorization and get m as in section 2.6.1. However, one cannot determine f and m uniquely. If \(g_{0}(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) satisfies (3), then g _{0}+r X also satisfies (3) and has the same form as g for any polynomial \(r(x,y,t) \in \mathbb {F}_{p}[x,y,t]\) having the same form as f. In [1], it is pointed out that if \(p^{\# \Gamma _{r}^{(p)}} = p^{\# \Gamma _{f}^{(p)}} > 2^{100}\), then we may avoid this attack.
2.6.4 Ideal decomposition attack
- 1.
Choose a constant C and an integer \(n \approx \deg _{t}(m) \cdot \log p / C\). Choose n irreducible polynomials P _{1},…,P _{ n } of degree \(\approx C / \log p\) such that \(\sum _{1 \leq i \leq n}\deg P_{i} > \deg _{t}m\). Set i=1.
- 2.
Let \(K_{i} := \mathbb {F}_{p}[t]/(P_{i})\).
- 3.
Let \(F_{k}^{(P_{i})} := F_{k}\) (mod P _{ i }) and \(X^{(P_{i})} := X\) (mod P _{ i }). Compute \(Q(y) := \text {Res}_{x}(F_{1}^{(P_{i})} - F_{2}^{(P_{i})}, X^{(P_{i})}) \in K_{i}[y]\), the resultant of \(F_{1}^{(P_{i})} - F_{2}^{(P_{i})}\) and \(X^{(P_{i})}\) with respect to x.
- 4.
Factor Q(y) and let Q _{0}(y) be an irreducible factor of highest degree.
- 5.
Compute a Gröbner basis of the ideal \(J := (F_{1}^{(P_{i})} + z, F_{2}^{(P_{i})} + z, X^{(P_{i})}, Q_{0}) \subset K_{i}[x,y,z]\) with respect to the graded reverse lexicographical ordering.
- 6.Using the above Gröbner basis, solve the linear equation system
$$NF_{J}(m^{\prime} + z) = 0$$
over K _{ i } in the unknown coefficients of m ^{′} (m ^{′} is as above) to get \(m^{(P_{i})} := m\) (mod P _{ i }). If the system has no solution, then go back to step 4 and choose another factor of Q.
- 7.
If i<n, then replace i by i+1 and go back to step 2.
- 8.
Recover m from the \(m^{(P_{i})}\) by using the Chinese Remainder Theorem.
3 Our cryptosystem
3.1 Notation
For a vector \(\underline {v} := (v_{1},\ldots,v_{n}) \in \mathbb {Q}^{n}\), we denote by \(f({\underline {v}})\) the value of f at \(\underline {v}\). For an integer d, we denote by \(\underline {v}/d\) the vector \(\left (\frac {v_{1}}{d},\ldots,\frac {v_{n}}{d}\right)\). For each ideal \(J \subset \mathbb {Q}[\underline {x}]\), each polynomial \(f \in \mathbb {Q}[\underline {x}]\) and each monomial ordering <, we denote by N F _{ J }(f) a normal form of f with respect to J and <. For a polynomial \(f \in \mathbb {Z}[\underline {x}]\) and an integer m, we denote by \(\overline {f}^{(m)}\) the polynomial f (mod m) \(\in (\mathbb {Z}/m\mathbb {Z})[\underline {x}]\).
3.2 Polynomials of degree increasing type
Before we describe our cryptosystem, we define the following notion which is one of our key ideas to construct our cryptosystem.
Definition 3.1.
Define a map \(\sigma : \mathbb {Z}^{n} \longrightarrow \mathbb {Z}\) by \(\underline {i} \mapsto \sum \underline {i}\). A polynomial \(X \in \mathbb {Z}[\underline {x}]\) is of degree increasing type if \(\sigma |_{\Lambda _{X}}\) is injective, where Λ _{ X } is the set of exponent vectors of the monomials appearing in X. In other words, X is of degree increasing type if and only if for each \(k \in \mathbb {Z}\), X has at most one term of total degree k.
Remark 3.2.
We can prove that there is no general algorithm to solve an arbitrary diophantine equation of degree increasing type in \(\mathbb {Z}\). This can be seen as follows: Suppose \(T \in \mathbb {Z}[\underline {x}]\) is an arbitrary polynomial. It is easy to see that by making a change of variables \(x_{i} \mapsto x_{i}^{q_{i}}\) with suitable q _{ i }’s, we can make \(T\left (x_{1}^{q_{1}},\ldots,x_{n}^{q_{n}}\right)\) of degree increasing type. Thus if there exists an algorithm to solve an arbitrary diophantine equation of degree increasing type, then it can solve an arbitrary diophantine equation, which contradicts Matijasevič’s result [10].
Example 3.3.
If X(x,y):=5x ^{3} y ^{2}+12x y ^{2}+7x y+6x+5, then X is of degree increasing type.
Let \(X \in \mathbb {Z}[\underline {x}]\) be a polynomial of degree increasing type. Then we can define a total order on Λ _{ X } as follows: for \(\underline {i}_{1}\), \(\underline {i}_{2} \in \Lambda _{X}\), we define \(\underline {i}_{1} \geq \underline {i}_{2}\) if \(\sum \underline {i}_{1} \geq \sum \underline {i}_{2}\) (this is a total order precisely because σ is injective on Λ _{ X }). Since Λ _{ X } is finite, there is a maximal element \(\underline {k}\). We call the coefficient of the term of degree \(\sum \underline {k}\) of X the leading coefficient of X and denote it by l d(X).
3.3 Outline of our cryptosystem
3.4 Algorithm of our cryptosystem
Now, we describe our cryptosystem.
3.4.1 Key generation
- 1.
Secret key
Choose a vector \(\underline {a} = (a_{1},\ldots,a_{n}) \in \mathbb {Z}^{n}\) of a suitable size^{a} such that \(\gcd (a_{i},d) =1\) for i=1,…,n. Make them secret.
- 2.
Public key
Choose integers d and e of suitable sizes^{b} such that \(\gcd (e,\varphi (d)) =1\). Choose an irreducible polynomial \(X(\underline {x}) \in \mathbb {Z}[\underline {x}]\) of degree increasing type such that \(X(\underline {a}/d) = 0\) and # Λ _{ X }≤w=w _{ X }, where w _{ X } denotes the total degree of X (so the sequence of term degrees of X has at least one gap; cf. section 3.5). Make d, e, X and Λ _{ X } public (the encryption below needs d as well as e).
Such an X can be constructed as follows (cf. section 2.5):
- 1.
Choose a finite subset \(\Lambda \subset (\mathbb {Z}_{\geq 0})^{n}\) such that \(\# \left \{\sum \underline {i} \mid \underline {i} \in \Lambda \right \} = \# \Lambda \).
- 2.
Let \(\underline {k} = (k_{1},\ldots,k_{n})\) be the maximal element of Λ. For \(\underline {i} \in \Lambda ^{\prime } := \Lambda \smallsetminus \{\underline {0}, \underline {k} \}\), choose random non-zero integers \(c_{\underline {i}}\).
- 3.Choose \(c_{\underline {0}}\) and \(c_{\underline {k}}\) so that
$$\frac{c_{\underline{k}}\underline{a}^{\underline{k}} + c_{\underline{0}}d^{w}}{d^{w}} = - \frac{\sum_{\underline{i} \in \Lambda^{\prime}}c_{\underline{i}}\underline{a}^{\underline{i}}d^{w^{\prime} - \sum \underline{i}}}{d^{w^{\prime}}},$$
where \(w = \sum \underline {k}\) and \(w^{\prime } = \max \left \{\sum \underline {i} \mid \underline {i} \in \Lambda ^{\prime } \right \}\), by solving the linear diophantine equation
$$c_{\underline{k}}\underline{a}^{\underline{k}} + c_{\underline{0}}d^{w} = - \sum_{\underline{i} \in \Lambda^{\prime}}c_{\underline{i}}\underline{a}^{\underline{i}}d^{w - \sum \underline{i}} \quad (4)$$
in the unknowns \(c_{\underline {k}}\) and \(c_{\underline {0}}\).
- 4.Define$$X := \sum_{\underline{i} \in \Lambda}c_{\underline{i}}\underline{x}^{\underline{i}}. $$
The condition on Λ (step 1 above) means that X is of degree increasing type, and equation (4) means that \(X(\underline {a}/d) = 0\). Equation (4) is solvable in \(c_{\underline {k}}\) and \(c_{\underline {0}}\) because \(\gcd (\underline {a}^{\underline {k}}, d^{w}) = 1\), which follows from \(\gcd (a_{i}, d) = 1\): one may take \(c_{\underline {k}}\) to be any representative of the residue class of \(-\underline {a}^{-\underline {k}}\sum _{\underline {i} \in \Lambda ^{\prime }}c_{\underline {i}}\underline {a}^{\underline {i}}d^{w - \sum \underline {i}}\) modulo \(d^{w}\), after which \(c_{\underline {0}}\) is determined by exact division.
3.4.2 Encryption
- 1.
Choose a positive integer N such that Nd is larger than the absolute value of each coefficient of X. We assume that an upper bound of N is given.
- 2.
Construct a polynomial \(\tilde {m}(\underline {x})\) with \(\Lambda _{\tilde {m}} = \Lambda _{m}\) as follows:
Let \(\tilde {m}_{\underline {i}}\) be the integer such that \(0<\tilde {m}_{\underline {i}}<Nd\) and \(\tilde {m}_{\underline {i}} \equiv m_{\underline {i}}^{e}\) (mod Nd), and put \(\tilde {m}(\underline {x}) = \sum _{\underline {i} \in \Lambda _{m}}\tilde {m}_{\underline {i}}\underline {x}^{\underline {i}}\).
- 3.
Choose a random polynomial \(f \in \mathbb {Z}[\underline {x}]\) with Λ _{ f }=Λ _{ X } such that \(H(\tilde {m}) < ld(f) < Nd\) and l d(f) is relatively prime to d. We also assume that all coefficients of f except l d(f) are also as large as the coefficients of \(\tilde {m}\).
- 4.
Choose random polynomials s _{ i } and r _{ i } in \(\mathbb {Z}[\underline {x}]\) with \(\Gamma _{s_{i}} = \Gamma _{X}\) and \(\Gamma _{r_{i}} = \Gamma _{f}\) for 1≤i≤3.
- 5.
Put \(F_{i} := \tilde {m} + s_{i}f + r_{i}X\) for 1≤i≤3 and send (F _{1},F _{2},F _{3},N).
3.4.3 Decryption
- 1.
Compute \(h_{i} := F_{i}(\underline {a}/d) = \tilde {m}(\underline {a}/d) + s_{i}(\underline {a}/d)f(\underline {a}/d)\) for 1≤i≤3 (the term \(r_{i}X\) vanishes because \(X(\underline {a}/d) = 0\)), \(H_{1} := (h_{1} - h_{2})d^{2w_{X}}\) and \(H_{2} := (h_{1} - h_{3})d^{2w_{X}}\). Note that \(H_{1}, H_{2} \in \mathbb {Z}\), since \(s_{i}f\) has total degree \(2w_{X}\).
- 2.
Compute \(g := \gcd (H_{1}, H_{2}) > 0\), the greatest common divisor of H _{1} and H _{2}. If \(\gcd (g,d) > 1\), then replace g by \(g / \gcd (g,d)\). Note that if \(g = f(\underline {a}/d)d^{w_{X}}\), then \(\gcd (g,d)=1\) (cf. Remark 3.6.3).
- 3.Compute \(H := h_{1}d^{2w_{X}}\) (mod g) and \(\tilde {\mu } := Hd^{-w_{X}}\) (mod g). Note that if \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) and g divides \(s_{1}(\underline {a}/d)f(\underline {a}/d)d^{2w_{X}}\), then we have
$$\tilde{m}(\underline{a}/d)d^{w_{X}} =\left\{ \begin{array}{ll} \tilde{\mu} & \text{if}~\tilde{m}(\underline{a}/d)d^{w_{X}} > 0, \\ \tilde{\mu} - g & \text{if}~\tilde{m}(\underline{a}/d)d^{w_{X}} < 0. \end{array} \right.$$
Note that \(\tilde {m}(\underline {a}/d)d^{w_{X}} \neq 0\) (cf. Remark 3.6.4).
- 4.
Recover \(m(\underline {x})\) from \(\tilde {\mu }\) or \(\tilde {\mu } - g\) by RA which we will describe below.
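Why step 3 yields \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) (an added derivation, not part of the original text; it uses only the identities of steps 1 and 2): because \(X(\underline {a}/d) = 0\),
$$h_{1}d^{2w_{X}} = \tilde{m}(\underline{a}/d)d^{w_{X}} \cdot d^{w_{X}} + \left(s_{1}(\underline{a}/d)d^{w_{X}}\right)\left(f(\underline{a}/d)d^{w_{X}}\right),$$
and each bracketed quantity is an integer because \(s_{1}\), f and \(\tilde {m}\) all have total degree at most \(w_{X}\). Likewise
$$H_{1} = \left((s_{1} - s_{2})(\underline{a}/d)d^{w_{X}}\right)\left(f(\underline{a}/d)d^{w_{X}}\right), \qquad H_{2} = \left((s_{1} - s_{3})(\underline{a}/d)d^{w_{X}}\right)\left(f(\underline{a}/d)d^{w_{X}}\right),$$
so \(|f(\underline {a}/d)d^{w_{X}}|\) always divides g, with \(g = |f(\underline {a}/d)d^{w_{X}}|\) exactly when the cofactors \((s_{1} - s_{2})(\underline {a}/d)d^{w_{X}}\) and \((s_{1} - s_{3})(\underline {a}/d)d^{w_{X}}\) are coprime; their common divisor is the t mentioned in Remark 3.6.5, which the search of section 3.5 removes. When \(g = |f(\underline {a}/d)d^{w_{X}}|\), reducing \(h_{1}d^{2w_{X}}\) modulo g kills the second term, multiplying by \(d^{-w_{X}}\) (which exists modulo g since \(\gcd (g,d) = 1\)) leaves \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) (mod g), and the bound \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) pins the residue down to the integer itself, up to the sign correction displayed in step 3.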
3.4.4 Recovering Algorithm (RA)
- 1.Compute$$e^{\prime} := e^{-1} (\text{mod}~\varphi(d)). $$
- 2.Let \(\underline {k}\) be the maximal element of Λ _{ X }. Compute$$\begin{array}{@{}rcl@{}} m_{\underline{k}}^{\prime} &:=& \left(\tilde{\mu}\underline{a}^{-\underline{k}}\right)^{e^{\prime}} (\text{mod}~{d}) (0 < m_{\underline{k}}^{\prime} < d), \\ \tilde{m}_{\underline{k}}^{\prime} &:=& \left(m_{\underline{k}}^{\prime}\right)^{e} (\text{mod}~{Nd}) (0 < \tilde{m}_{\underline{k}}^{\prime} < Nd). \end{array} $$
- 3.
If \(\Lambda _{X}^{\prime } := \Lambda _{X} \smallsetminus \{\underline {k}\} = \emptyset \), then return \(m^{\prime }(\underline {x}) = \sum _{\underline {i}}m_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\), the sum running over all exponents \(\underline {i}\) for which \(m_{\underline {i}}^{\prime }\) has been computed so far. Otherwise, let \(\underline {k}^{\prime }\) be the maximal element of \(\Lambda _{X}^{\prime }\) and put \(w_{X}^{\prime } := \sum \underline {k}^{\prime }\) and \(\tilde {\mu }^{\prime } := \frac {\tilde {\mu } - \tilde {m}_{\underline {k}}^{\prime }\underline {a}^{\underline {k}}}{d^{w_{X} - w_{X}^{\prime }}}\). If \(\tilde {\mu }^{\prime } \in \mathbb {Z}\), then replace \(\tilde {\mu }\), \(\underline {k}\), w _{ X } and Λ _{ X } by \(\tilde {\mu }^{\prime }\), \(\underline {k}^{\prime }\), \(w_{X}^{\prime }\) and \(\Lambda _{X}^{\prime }\), respectively. Otherwise, return “false”.
- 4.
Go back to step 2.
Proposition 3.4.
If \(\tilde {\mu } = \tilde {m}(\underline {a}/d)d^{w_{\tilde {m}}}\), then RA returns \(m(\underline {x})\).
Proof.
Thus, \(\tilde {\mu }^{\prime } = \tilde {m}_{\underline {k}^{\prime }}\underline {a}^{\underline {k}^{\prime }} + \sum _{\underline {i} \in \Lambda _{X}^{\prime } \smallsetminus \{ \underline {k}^{\prime } \}}\tilde {m}_{\underline {i}}\underline {a}^{\underline {i}}d^{\sum \underline {k}^{\prime } - \sum \underline {i}}\). Because \(\tilde {m}\) is of degree increasing type, we have \(\sum \underline {k}^{\prime } - \sum \underline {i} \geq 1\). It implies that we can get \(m_{\underline {k}^{\prime }}\) as above. Similarly, we can get \(m_{\underline {i}}\) for \(\underline {i} \in \Lambda _{X} \smallsetminus \{ \underline {k}, \underline {k}^{\prime } \}\). □
Remark 3.5.
- 1.
If d=p is a prime number, we may choose e=p and e ^{′}=1.
- 2.
We should choose d so that the computation of φ(d) is easy. For example, if d is a prime number, then φ(d)=d−1.
3.5 Improvement in recovering algorithm
- 1.
If RA returned “false”, then we choose a positive integer M and construct the set \(F(g,M) := \{x \in \mathbb {Z} \mid 2 \leq x \leq M, x \mid g\} \subset \mathbb {Z}\).
- 2.
If F(g,M)≠∅, then we choose an element x∈F(g,M) and remove x from F(g,M). Otherwise, go back to step 1 and choose an integer which is larger than M.
- 3.
Compute \(g^{\prime } := \frac {g}{x}\), \(H^{\prime } := h_{1}d^{2w_{X}}\) (mod g ^{′}) and \(\tilde {\mu }^{\prime } := H^{\prime }d^{-w_{X}}\) (mod g ^{′}) and recover \(m(\underline {x})\) from \(\tilde {\mu }^{\prime }\).
- 4.
If RA returned “false” again, then go back to step 2.
We now explain why RA returns “false” with high probability when the value obtained in step 3 of the decryption is not \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). If ♯ Λ _{ X }=w _{ X }+1, then every step of RA has \(w_{X} - w_{X}^{\prime } = 1\), so \(d^{w_{X} - w_{X}^{\prime }} \mid \left (\tilde {\mu } - \tilde {m}_{\underline {k}}^{\prime }\underline {a}^{\underline {k}}\right)\) holds automatically and RA never returns “false”, even when its input is wrong. If instead ♯ Λ _{ X }≤w _{ X }, then \(w_{X} - w_{X}^{\prime } \geq 2\) at some step in the middle of RA, and a wrong input fails the divisibility test there with high probability, so RA returns “false”. This is why the key generation requires ♯ Λ _{ X }≤w _{ X }, and why the divisor search above is needed to raise the success probability of decryption.
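As an added worked example (written for this page; it is not the author's implementation and none of its parameter choices come from the paper), the following Python script runs the key generation of section 3.4.1, the encryption of section 3.4.2, the decryption of section 3.4.3 with the recovering algorithm of section 3.4.4, and the divisor search of section 3.5, on toy parameters. Everything the text leaves open is an assumption of the example: n = 3, the support Λ _{ X } = {(0,0,0), (1,0,0), (0,1,1), (1,1,1), (2,1,2)} (term degrees 0, 1, 2, 3, 5, so # Λ _{ X } = w _{ X } = 5), d = 2^{31} − 1 (a prime, so φ(d) = d − 1 as in Remark 3.5), e = 65537, secret entries a _{ i } of about 40 bits, 64-bit coefficients for the s _{ i } and r _{ i }, the margin N d > 2^{128} H(X) of section 4.2, and a check that re-twists the recovered m and compares it with the candidate value, in place of the MAC that ASC uses. Irreducibility of X is not verified.

```python
# Toy version of the scheme of sections 3.4 and 3.5 (added example, not the
# paper's code).  Polynomials are dicts {exponent tuple: integer coefficient};
# every size below is an arbitrary toy choice, far below the section 5 estimates.
from math import gcd, prod
import random

# Assumed support Lambda_X: total degrees 0, 1, 2, 3, 5 are pairwise distinct, so
# X is of degree increasing type; the gap d^2 between degrees 5 and 3 is where
# RA notices a wrong value of g (section 3.5).
LAMBDA = [(0, 0, 0), (1, 0, 0), (0, 1, 1), (1, 1, 1), (2, 1, 2)]
ORDER = sorted(LAMBDA, key=sum, reverse=True)   # maximal element first
W = 5             # w_X, the total degree of X
D = 2**31 - 1     # public d, a prime, so phi(d) = d - 1 (Remark 3.5)
E = 65537         # public e, a prime not dividing d - 1, so gcd(e, phi(d)) = 1

def padd(p, q):
    return {i: p.get(i, 0) + q.get(i, 0) for i in set(p) | set(q)}

def pmul(p, q):
    r = {}
    for i, ci in p.items():
        for j, cj in q.items():
            k = tuple(map(sum, zip(i, j)))
            r[k] = r.get(k, 0) + ci * cj
    return r

def monomial(a, i):            # a^i = a_1^{i_1} ... a_n^{i_n}
    return prod(x ** e for x, e in zip(a, i))

def eval_scaled(p, a, deg):    # p(a/d) d^deg as an exact integer, deg >= deg p
    return sum(c * monomial(a, i) * D ** (deg - sum(i)) for i, c in p.items())

def twist(m, N):               # m -> m~ of section 3.4.2, step 2
    return {i: pow(c, E, N * D) for i, c in m.items()}

def keygen(rng):
    """Section 3.4.1: secret a with gcd(a_i, d) = 1 and public X with X(a/d) = 0."""
    a = [D * rng.randrange(256, 512) + rng.randrange(1, D) for _ in range(3)]
    k, zero = ORDER[0], ORDER[-1]
    X = {i: rng.choice((-1, 1)) * rng.randrange(1, 2**32)
         for i in LAMBDA if i not in (zero, k)}      # random non-zero c_i on Lambda'
    R = -eval_scaled(X, a, W)                       # right-hand side of (4)
    ak, dw = monomial(a, k), D ** W
    ck = R * pow(ak, -1, dw) % dw or dw             # (4) is solvable: gcd(a^k, d^w) = 1
    X[k], X[zero] = ck, (R - ck * ak) // dw         # exact division
    return a, X                                     # (irreducibility of X not checked)

def encrypt(X, m, rng):
    """Section 3.4.2 for a plaintext m with 0 < m_i < d on LAMBDA; returns (F1, F2, F3, N)."""
    N = (max(abs(c) for c in X.values()) // D + 1) << 128   # Nd > 2^128 H(X), section 4.2
    mt, k = twist(m, N), ORDER[0]
    # ld(f) in (H(m~), Nd) and coprime to d; every other f_i at least the matching
    # m~_i (Remark 3.6.2), so that f(a/d) d^w > m~(a/d) d^w > 0 since all a_i > 0
    f = {i: rng.randrange(mt[i], N * D) for i in LAMBDA if i != k}
    f[k] = D * rng.randrange(max(mt.values()) // D + 1, N) + rng.randrange(1, D)
    F = []
    for _ in range(3):
        s = {i: rng.randrange(1, 2**64) for i in LAMBDA}   # same support as X
        r = {i: rng.randrange(1, 2**64) for i in LAMBDA}   # same support as f
        F.append(padd(mt, padd(pmul(s, f), pmul(r, X))))
    return tuple(F) + (N,)

def recover(mu, a, N):
    """RA of section 3.4.4; returns m, or None where the paper returns "false"."""
    ep, m = pow(E, -1, D - 1), {}                   # e' = e^{-1} mod phi(d)
    for idx, k in enumerate(ORDER):
        ak = monomial(a, k)
        mk = pow(mu * pow(ak, -1, D) % D, ep, D)    # (mu a^{-k})^{e'} mod d
        if mk == 0:
            return None
        m[k] = mk
        if idx == len(ORDER) - 1:
            return m
        gap = D ** (sum(k) - sum(ORDER[idx + 1]))   # d^{w_X - w_X'}
        num = mu - pow(mk, E, N * D) * ak           # mu - m~_k a^k
        if num % gap:                               # mu' not an integer: "false"
            return None
        mu = num // gap

def decrypt(a, ct, M=100000):
    """Section 3.4.3 with the divisor search of section 3.5 up to the bound M."""
    F1, F2, F3, N = ct
    v = [eval_scaled(F, a, 2 * W) for F in (F1, F2, F3)]   # h_i d^{2w}
    g = gcd(v[0] - v[1], v[0] - v[2])
    while g % D == 0:                               # strip gcd(g, d)
        g //= D
    for x in [1] + [x for x in range(2, M + 1) if g % x == 0]:   # g itself, then F(g, M)
        gp = g // x
        mu = v[0] % gp * pow(D, -W, gp) % gp        # H d^{-w} mod g'
        for cand in (mu, mu - gp):                  # the two sign cases of step 3
            m = recover(cand, a, N)
            if m is not None and eval_scaled(twist(m, N), a, W) == cand:
                return m                            # re-twisting m confirms the guess
    return None

def make_instance(seed):
    rng = random.Random(seed)
    a, X = keygen(rng)
    m = {i: rng.randrange(1, D) for i in LAMBDA}
    return a, X, m, encrypt(X, m, rng)
```

`decrypt` first tries g itself and then every divisor x ≤ M of g (the set F(g,M) of section 3.5) until a candidate survives both the divisibility tests inside RA and the re-twist check; with this Λ _{ X } the d^{2} gap between degrees 5 and 3 is what rejects most wrong values of g. `pow(x, -1, m)` needs Python 3.8 or later.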
Remark 3.6.
- 1.
In step 3 of the decryption process, we require that \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) to get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\). To satisfy this condition we impose the condition of step 3 in the encryption process on l d(f). Note that the fact that X is of degree increasing type also helps to satisfy \(|g| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\), because \(O(f) = O(\underline {x}^{\underline {k}}) = O(\tilde {m})\) as \(x_{1},\ldots, x_{n} \rightarrow \infty \left (\sum \underline {k} = w_{X}\right)\), if X is of degree increasing type. Thus, if \(f_{\underline {k}} > \tilde {m}_{\underline {k}}\) and |a _{1}|,…,|a _{ n }|≫d, then \(|f(\underline {a}/d)d^{w_{X}}| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\) is satisfied with high probability because \(|\frac {a_{1}}{d}|,\ldots, |\frac {a_{n}}{d}| \gg 1\). We also note that we can estimate whether \(\tilde {m}(\underline {a}/d)d^{w_{X}} > 0\) or not by the same reason with high probability.
- 2.
If |a _{1}|,…,|a _{ n }|≈d or |a _{1}|,…,|a _{ n }|≪d, then the argument in Remark 3.6.1 is not correct because \(|\frac {a_{1}}{d}|,\ldots,|\frac {a_{n}}{d}| \approx 1\) or \(|\frac {a_{1}}{d}|,\ldots,|\frac {a_{n}}{d}| \ll 1\). So in this case \(\underline {a}\) and f should be chosen so that a _{1},…,a _{ n }>0 and, for each \(\underline {i} \in \Lambda _{f}\), the absolute value of the \(\underline {i}\)-th coefficient of f is larger than that of the monomial \(\underline {x}^{\underline {i}}\) of \(\tilde {m}\) to satisfy \(|f(\underline {a}/d)d^{w_{X}}| > |\tilde {m}(\underline {a}/d)d^{w_{X}}|\).
- 3.We need to have \(\gcd (f(\underline {a}/d)d^{w_{X}},d) = 1\) to compute the inverse element of d (mod g). We show that this condition is satisfied. Let \(\underline {k}\) be the maximal element of Λ _{ f }. It follows from the expression
$$f(\underline{a}/d)d^{w_{X}} = f_{\underline{k}}\underline{a}^{\underline{k}} + \sum_{\underline{i} \in \Lambda_{f} \smallsetminus \{ \underline{k} \}}f_{\underline{i}}\underline{a}^{\underline{i}}d^{w_{X} - \sum \underline{i}}$$
that if \(\gcd (f(\underline {a}/d)d^{w_{X}},d) = d^{\prime } > 1\), then \(f_{\underline {k}}\) is divisible by d ^{′}, because \(\gcd (\underline {a}^{\underline {k}},d) = 1\) and the sum \(\sum _{\underline {i} \in \Lambda _{f} \smallsetminus \{ \underline {k} \}}f_{\underline {i}}\underline {a}^{\underline {i}}d^{w_{X} - \sum \underline {i}}\) is divisible by d. This contradicts the assumption \(\gcd (f_{\underline {k}}, d) = 1\) made in step 3 of the encryption process.
- 4.We also need to have \(\tilde {m}(\underline {a}/d)d^{w_{X}} \neq 0\) to recover m. We show that this condition is satisfied. Let \(\underline {k}\) be as above. It follows from the expression
$$\tilde{m}(\underline{a}/d)d^{w_{X}} = \tilde{m}_{\underline{k}}\underline{a}^{\underline{k}} + \sum_{\underline{i} \in \Lambda_{\tilde{m}} \smallsetminus \{ \underline{k} \}}\tilde{m}_{\underline{i}}\underline{a}^{\underline{i}}d^{w_{X} - \sum \underline{i}}$$
that if \(\tilde {m}(\underline {a}/d)d^{w_{X}} = 0\), then \(\tilde {m}_{\underline {k}}\) is divisible by d. This is a contradiction, because \(\gcd (m_{\underline {k}}, d) = 1\) implies \(\gcd (\tilde {m}_{\underline {k}}, d) = 1\).
- 5.
Recall that the t in section 3.5 is troublesome if it is large. We ran 100000 experiments on the value of t for each set of parameters in the following tables.
According to these results, we can expect |t| < 1000 with high probability, so we can get \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) in practical time with high probability. However, |t| ≫ 1000 does occur, though with low probability; in that case the simple trial above would not decrypt the ciphertext in practical time. Thus, if we want to design a scheme with a lower probability of decryption failure, we need an efficient integer factorization algorithm in the above steps (Tables 1, 2 and 3).
Table 1 Number of trials (out of 100000) with |t| < 100
No.  n  w_X  #Λ_X  size of a_i (bit)  trials with |t| < 100
1    3  5    5     66                 99341
2    3  7    7     66                 99357
3    3  10   10    66                 99398
Table 2 Number of trials (out of 100000) with |t| < 1000
No.  n  w_X  #Λ_X  size of a_i (bit)  trials with |t| < 1000
1    3  5    5     66                 99910
2    3  7    7     66                 99929
3    3  10   10    66                 99931
Table 3 Number of trials (out of 100000) with |t| > 10000
No.  n  w_X  #Λ_X  size of a_i (bit)  trials with |t| > 10000
1    3  5    5     66                 32
2    3  7    7     66                 12
3    3  10   10    66                 11
4 Security analysis
In this section, although we have not been able to give a security proof, we analyze the effectiveness of some possible attacks against the one-wayness of our cryptosystem. We also discuss the sizes of d, e and N needed to achieve 128 bit security. First, we note that the attacks against ASC described in section 2.6 can also be mounted against our cryptosystem.
4.1 Reduction to solving a multivariate equation system I
where s and t are any integers, show that there are many solutions of the system (5). So we may avoid this attack.
4.2 Reduction to solving a multivariate equation system II
Noting that \(\Lambda _{X} = \Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{s_{1}}\), \(\Gamma _{s_{i}} = \Gamma _{X}\) and \(\Gamma _{r_{i}} = \Gamma _{f}\) for 1≤i≤3, we see that there are many possible solutions of (6). Hence, we may suppose that this attack is not efficient if Nd is sufficiently large, say N d>2^{128} H(X). Note that it is also possible to compare \(F^{\prime }(\underline {a}_{i}) - \tilde {m}^{\prime }(\underline {a}_{i})\) and \(F_{1}(\underline {a}_{i}) - F_{2}(\underline {a}_{i})\) to get f, but it would be hard because of the same reason.
4.3 Reduction to solving a multivariate equation system III
It implies that there are many possible solution to \(F^{\prime \prime }(\underline {a}_{1}) - F_{1}(\underline {a}_{1}) = 0,\ldots,F^{\prime \prime }(\underline {a}_{\ell }) - F_{1}(\underline {a}_{\ell }) = 0\), where \(\underline {a}_{1},\ldots,\underline {a}_{\ell }\) are as in section 4.2. Note that S+r X has the same form as S, and r ^{′}−r, \(\tilde {m}^{\prime } - r\) and S+r have the same form as r ^{′}, \(\tilde {m}^{\prime }\) and S, respectively.
4.4 Reduction by X
Since X is made public, one can try to divide F _{1}−F _{2} by X to find f in the remainder. But f does not appear in the remainder if Λ _{ f }=Λ _{ X } and the absolute values of coefficients of f are larger than those of X. So this attack would not be effective.
4.5 Rational point attack (solving X=0)
Next, we discuss more general diophantine problems. If one can find a vector \(\underline {a}\) such that \(X(\underline {a}/d) = 0\), then one can get m by the same process as decryption. The solution \(\underline {a}/d\) is not an integral solution but a rational solution. (Using rational solutions was suggested by Professor Noriko Hirata-Kohno.) However, finding such rational solutions is equivalent to finding integral solutions of \(G(\underline {x}) := X(\underline {x}/d)d^{w_{X}} = 0\). (If the denominator d is not known, finding rational solutions of \(G(\underline {x}) = 0\) reduces to finding integer solutions of the equation \(G\left (\frac {x_{1}}{z},\ldots,\frac {x_{n}}{z}\right)z^{w_{X}} = 0\) in n+1 variables.) If n=2 and \(G(\underline {x}) = 0\) defines a curve of genus 0, 1 or a hyperelliptic curve, then there are explicit algorithms to find all integral solutions [6,26,30]. Otherwise, in special cases there are some algorithms to find all integral points [3,4]. Moreover, it is believed that in many cases diophantine equations in two variables are solvable. Theoretically, using Baker’s method and its improvements, explicit upper bounds on the size of solutions of special equations in two variables are known (see [13] and the references given there). (Note that if the solutions of a diophantine equation are sufficiently large, then Baker’s method is not practical in general, but we want to use a solution which is as small as possible.) However, no efficient methods are known to find integral solutions of diophantine equations in n variables with n≥3. So we should use diophantine equations in at least 3 variables as the public key of our cryptosystem. Note that in the case of 3 variables, our experience in arithmetic geometry suggests using X of degree at least 5, because then the hypersurface in projective 3-space defined by (the homogenized form of) X is of general type if it is non-singular (cf. [14], Example F.5.1.7 and section F.5.2).
4.6 Solving \(X(\underline {x}/d)d^{w_{X}} \equiv 0 \pmod{d^{w_{X}+1}}\)
4.7 Ideal decomposition attack
By using the resultant as in section 2.6.4, it is also possible in our case to reconstruct the ideals \(I := (\tilde {m},f,X) \subset \mathbb {Z}[\underline {x}]\), \(J := (\tilde {m} + z,f,X) \subset \mathbb {Q}[\underline {x},z]\) or \(\overline {J}^{(\ell)} := \left (\overline {\tilde {m}}^{(\ell)} + z, \overline {f}^{(\ell)}, \overline {X}^{(\ell)}\right) \subset (\mathbb {Z}/\ell \mathbb {Z})[\underline {x},z]\) from the data (F _{1},F _{2},X), where z is a new variable and ℓ is a prime number. If one can get \(\tilde {m}\), then one can get m. A simple method to avoid this attack is to let \(\Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{X}\) and the coefficients of \(\tilde {m}\) be larger than H(X). Then \(\tilde {m}\) cannot be determined uniquely, because \(\tilde {m}^{\prime } + z \in J\) implies \(\tilde {m}^{\prime } + z + sX + tf \in J\) for any \(s, t \in \mathbb {Z}\) (note that \(\Lambda _{\tilde {m}} = \Lambda _{f} = \Lambda _{X}\)). However, in general, we cannot determine \(\tilde {m}\) from \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) uniquely even if we know the secret key \(\underline {a}\). The reason is as follows: for any \(t \in \mathbb {Z}\), \(\tilde {m}(\underline {x})\) and \(\tilde {m}(\underline {x}) + tX(\underline {x})\) have the same value at \(\underline {a}/d\). So, we use modular exponentiation to transform m into \(\tilde {m}\) and use Euler’s theorem as in the RSA cryptosystem to recover m from \(\tilde {m}(\underline {a}/d)d^{w_{X}}\) in RA. This is the main idea to avoid this attack.
to reconstruct from the data (F _{1},F _{2},X) an ideal \(J \subset \mathbb {Q}[\underline {x},z]\) which coincides with \((\tilde {m} + z, f, X)\). To get \(\tilde {m}\), we use the fact that if a Gröbner basis of J is computed, then \(\tilde {m}^{\prime } + z \in J\) if and only if \(NF_{J}(\tilde {m}^{\prime } + z) = 0\) (see section 2.6.4 for more detail). But, if \(\tilde {m}^{\prime } + z \in J\), then for any integers s and t, \(\tilde {m}^{\prime } + z + sX + tf \in J\) is also satisfied. If the number of choices of the pairs \((s, t) \in \mathbb {Z}^{2}\) is larger than 2^{128}, we may avoid this attack. All coefficients of \(\tilde {m}\) and f are smaller than Nd, but in many cases they are as large as Nd, if \(m_{\underline {i}}^{e} > Nd\). So the possible choices of t may be only 0, 1 or 2. But, if N d>2^{128} H(X), the number of the possible choices of s may be larger than 2^{128}. So N should be chosen so that N d>2^{128} H(X) and e should be so large that \(m_{\underline {i}}^{e} \geq 2^{e} > Nd\) for \(\underline {i} \in \Lambda _{m}\). In this case, this attack is not assumed to be effective. Note that, because the absolute value of coefficients of f are as large as those of \(\tilde {m}\), the above argument implies that choosing N satisfying N d>2^{128} H(X) may complicate finding f from the ideal J or I _{1}.
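The two identities used in sections 4.5 and 4.7 above, as an added worked example that is not code from the paper: a constructed integer polynomial X vanishing at a rational point a/d, the check that G(x) = X(x/d)d^{w_X} has the integral root a, and the check that m̃ and m̃ + tX cannot be told apart from the value m̃(a/d)d^{w_X}. Polynomials are dicts mapping exponent tuples to coefficients; a, d and m̃ are toy values far below the paper's parameter sizes, and the constructed X is not claimed to be of degree increasing type.

```python
from fractions import Fraction

# Multivariate integer polynomials are dicts {exponent_tuple: coefficient}.
# All parameters below are constructed toy values, far below the paper's d >= 2^64.

def evaluate(poly, point):
    """Evaluate poly at a point of ints or Fractions, in exact arithmetic."""
    total = Fraction(0)
    for exps, c in poly.items():
        term = Fraction(c)
        for x, k in zip(point, exps):
            term *= Fraction(x) ** k
        total += term
    return total

def add_scaled(p, q, t):
    """Return p + t*q, dropping zero coefficients."""
    out = dict(p)
    for exps, c in q.items():
        out[exps] = out.get(exps, 0) + t * c
    return {e: c for e, c in out.items() if c != 0}

def total_degree(poly):
    return max(sum(e) for e in poly)

def vanishing_polynomial(a, d, exponents, coeffs):
    """Constructed X in Z[x] with X(a/d) = 0: each monomial c*x^i is scaled by d^|i|
    and paired with the constant -c*a^i, so every pair vanishes at a/d (a simple
    instance of the idea of section 3.4.1; not claimed to be of degree increasing type)."""
    zero, X = (0,) * len(a), {}
    for exps, c in zip(exponents, coeffs):
        X[exps] = X.get(exps, 0) + c * d ** sum(exps)
        a_pow = 1
        for aj, k in zip(a, exps):
            a_pow *= aj ** k
        X[zero] = X.get(zero, 0) - c * a_pow
    return {e: c for e, c in X.items() if c != 0}

def scaled_integer_form(X, d):
    """G(x) := X(x/d) * d^{w_X} (section 4.5): coefficients stay integral because
    |i| <= w_X, and the rational root a/d of X becomes the integral root a of G."""
    w = total_degree(X)
    return {e: c * d ** (w - sum(e)) for e, c in X.items()}

def decryptor_view(poly, X, a, d):
    """The quantity the text works with: poly(a/d) * d^{w_X}."""
    point = [Fraction(ai, d) for ai in a]
    return evaluate(poly, point) * d ** total_degree(X)

def shifts_collide(m_tilde, X, a, d, ts):
    """Section 4.7: m_tilde + t*X takes the same value at a/d for every t."""
    base = decryptor_view(m_tilde, X, a, d)
    return all(decryptor_view(add_scaled(m_tilde, X, t), X, a, d) == base for t in ts)

# Constructed toy instance in n = 3 variables: secret a, denominator d, twisted plaintext.
A, D = (7, -5, 11), 13
X = vanishing_polynomial(A, D, [(2, 0, 0), (0, 1, 1), (1, 0, 2), (0, 3, 1)], [3, -2, 5, 1])
G = scaled_integer_form(X, D)
M_TILDE = {(0, 0, 0): 9, (1, 0, 0): 3, (0, 2, 0): 42, (1, 1, 1): 17}
```

Adding any polynomial that does not vanish at a/d (for instance x_1) does change the value, which is what separates the t·X shifts from other candidates.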
Next, we analyze the effectiveness of the ideal decomposition attack of Level 3 (see [12], section 3.3). We assume that d is a prime number. We note that if one got \(\overline {\tilde {m}}^{(d)}\), then one can get m. So one does not need to get \(\tilde {m}\). It is possible to reconstruct an ideal \(\overline {J}^{(d)} \subset (\mathbb {Z}/d\mathbb {Z})[\underline {x},z]\) which coincides with \(\left (\overline {\tilde {m}}^{(d)} + z, \overline {f}^{(d)}, \overline {X}^{(d)}\right)\) from the data (F _{1},F _{2},X) (see the algorithm in 2.6.4). Let \(\tilde {m}^{\prime }(\underline {x}) := \sum _{\underline {i} \in \Lambda _{\tilde {m}}}\tilde {m}_{\underline {i}}^{\prime }\underline {x}^{\underline {i}}\), where the \(\tilde {m}_{\underline {i}}^{\prime }\) are variables for \(\underline {i} \in \Lambda _{\tilde {m}}\). Assume that a Gröbner basis of \(\overline {J}^{(d)}\) is computed. Let J be the ideal of \((\mathbb {Z}/d\mathbb {Z})[\tilde {m}_{\underline {0}}^{\prime },\cdots,\tilde {m}_{\underline {k}}^{\prime }]\) generated by the coefficients of \(NF_{\overline {J}^{(d)}}(\tilde {m}^{\prime } + z)\). Let {g _{1},⋯,g _{ h }} be a Gröbner basis of J. Then g _{ i } is linear in its variables for each 1≤i≤h. So we can use linear algebra techniques to solve \(NF_{\overline {J}^{(d)}}(\tilde {m}^{\prime } + z) = 0\). Let A be the coefficient matrix of the equation system g _{1}=⋯=g _{ h }=0. Let D be the dimension of the kernel of the linear map \(\mathbb {F}_{d}^{\# \Lambda _{\tilde {m}}} \rightarrow \mathbb {F}_{d}^{h}\) defined by A. Then the number of polynomials in \(\overline {J}^{(d)}\) having the same form as \(\overline {\tilde {m}}^{(d)} + z\) is d ^{ D }. So if d ^{ D }>2^{128}, the Level 3 attack is not effective. Experimentally, D is at least 2. Thus, this attack is not assumed to be effective if d ^{2}≥2^{128} (d≥2^{64}).
Next, we assume that \(d = \prod _{1 \leq i \leq k}p_{i}\) (k≥2 and the p _{ i } are distinct prime numbers for 1≤i≤k). If one got \(\overline {\tilde {m}}^{(p_{i})}\) for 1≤i≤k, then one can get \(\overline {\tilde {m}}^{(d)}\) and m by the Chinese Remainder Theorem. However, because of the above argument we may also avoid this attack if d is sufficiently large, for example d ^{2}>2^{128}. Note that if \(d = \prod _{1 \leq i \leq k}p_{i}^{e_{i}}\) and e _{ i }≥2 for some i, this attack may not be directly applicable, because \(\mathbb {Z} / p^{e_{i}}\mathbb {Z}\) is not a domain if e _{ i }≥2. But it is possible to lift a polynomial \(\overline {\tilde {m}}^{(p_{i})} \in (\mathbb {Z}/p_{i}\mathbb {Z})[\underline {x}]\) to a polynomial \(\overline {\tilde {m}}^{(p_{i}^{e_{i}})} \in (\mathbb {Z}/p_{i}^{e_{i}}\mathbb {Z})[\underline {x}]\) for 1≤i≤n. There are \(p_{i}^{e_{i}-1}\) ways of such a lifting. So we may also avoid this attack if d is sufficiently large, for example d≥2^{64}.
5 Sizes of keys and cipher polynomials
On the other hand, as mentioned in section 4.7, N, d and e should be chosen so that N d>2^{128} H(X), d≥2^{64} and 2^{ e }>N d, respectively. We must determine an upper bound of Nd and d to estimate the size of e and \(c_{\underline {k}}\), respectively. We assume that \(H(X) = c_{\underline {k}}\), 2^{64}≤d<2^{65} and \(2^{128}H(X) \leq 2^{128}d^{w_{X}} < 2^{128+65w_{X}} \leq Nd\). Then \(c_{\underline {k}} \leq 2^{65w_{X}}\) and \(N \geq 2^{128+65(w_{X}-1)}\). If we assume that \(2^{128+65(w_{X}-1)} \leq N < 2^{128+65(w_{X}-1) + 1} = 2^{129+65(w_{X}-1)}\), then we should choose e so that e≥129+65w _{ X } because \(Nd < 2^{129 + 65w_{X}}\). It remains to estimate the size of \(|c_{\underline {i}}|\) for \(\underline {i} \in \Lambda _{X}^{\prime }\). We think that the size of these coefficients may be small enough to keep the size of the public key reasonable, even though we cannot prove it. For example, if \(|c_{\underline {i}}| < 2^{10}\), then the size of X, that is \(\sum _{\underline {i} \in \Lambda _{X}}\)(bit length of \(c_{\underline {i}}\)), is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 65w_{X} + 10(\#\Lambda _{X} - 2) = \left (\lceil \frac {128}{n-1} \rceil + 66 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 10\# \Lambda _{X}^{\prime }\) bits under the above assumptions. If \(w_{X} \approx \#\Lambda _{X} = \#\Lambda _{X}^{\prime } + 2\), then the size of X is \(\approx (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil)w_{X}\) bits.
Then the size of the secret key and the public key is at most \(\left (\lceil \frac {128}{n-1} \rceil + 1\right)n + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \) bits and \(\left (\lceil \frac {128}{n-1} \rceil + 76 + \lceil \log _{2} d - \log _{2} \varphi (d) \rceil \right)w_{X} + 65 + \lceil \log _{2}e \rceil \) bits, respectively.
6 Examples
Size of keys of our cryptosystem
No. | n | w _{ X } | #Λ _{ X } | Secret key (bit) | Public key (bit) |
---|---|---|---|---|---|
1 | 3 | 5 | 4 | 198 | 739 |
2 | 3 | 5 | 5 | 198 | 747 |
3 | 3 | 7 | 4 | 198 | 1000 |
4 | 3 | 7 | 7 | 198 | 1031 |
5 | 3 | 10 | 4 | 198 | 1393 |
6 | 3 | 10 | 7 | 198 | 1420 |
7 | 3 | 10 | 10 | 198 | 1450 |
Size of ciphertext of our cryptosystem
No. | n | w _{ X } | #Λ _{ X } | F _{ 1 } (bit) | F _{ 2 } (bit) | F _{ 3 } (bit) | N (bit) |
---|---|---|---|---|---|---|---|
1 | 3 | 5 | 4 | 7442 | 7443 | 7440 | 387 |
2 | 3 | 5 | 5 | 10755 | 10748 | 10752 | 390 |
3 | 3 | 7 | 4 | 9946 | 9942 | 9947 | 521 |
4 | 3 | 7 | 7 | 23907 | 23915 | 23917 | 515 |
5 | 3 | 10 | 4 | 13685 | 13684 | 13688 | 717 |
6 | 3 | 10 | 7 | 33658 | 33659 | 33667 | 717 |
7 | 3 | 10 | 10 | 57740 | 57749 | 57767 | 719 |
Encryption time and decryption time
No. | n | w _{ X } | #Λ _{ X } | enc. time (ms) | dec. time (ms) |
---|---|---|---|---|---|
1 | 3 | 5 | 4 | 39 | 34 |
2 | 3 | 5 | 5 | 38 | 33 |
3 | 3 | 7 | 4 | 38 | 34 |
4 | 3 | 7 | 7 | 38 | 34 |
5 | 3 | 10 | 4 | 39 | 34 |
6 | 3 | 10 | 7 | 39 | 36 |
7 | 3 | 10 | 7 | 40 | 40 |
7 Conclusion
In this paper we have proposed a new public key cryptosystem based on diophantine equations and analyzed its security. It is a number field analogue of the ASC, incorporating, in order to avoid some attacks, the key idea of “twisting” the plaintext by using some modular arithmetic and Euler’s theorem as in the RSA cryptosystem. Another key idea is to use a polynomial of degree increasing type as the public key, in order to recover the plaintext. In this paper we have not studied the hardness of solving diophantine equations of degree increasing type. Investigating the security of our cryptosystem using this special type of diophantine equations is future work.
Endnotes
^{a} The size of a _{ i } should be \(|a_{i}| \geq \frac {2^{\lceil \frac {128}{n-1} \rceil + 1}d}{\varphi (d)}\) for i=1,…,n, where φ(·) is the Euler function and d is an integer which we will choose below. (For the reason of this choice, see section 5).
^{b} The sizes of d and e should be d≥2^{64} and e≥129+65w, respectively. (For the reason of this choice, see section 5).
Declarations
Acknowledgements
I am grateful to my supervisor Yuichiro Taguchi for comments, corrections, and suggestions on this research. I am also grateful to Koichiro Akiyama, Noriko Hirata-Kohno, Attila Pethő, Takakazu Satoh and Tsuyoshi Takagi for useful comments, suggestions and discussions.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.
References
1. Akiyama, K., Goto, Y., Miyake, H.: An algebraic surface cryptosystem. In: Proceedings of PKC’09, Lecture Notes in Comput. Sci., vol. 5443, pp. 425–442. Springer, Berlin Heidelberg (2009).
2. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24, 713–735 (1970).
3. Beukers, F., Tengely, S.: An implementation of Runge’s method for Diophantine equations (2005). Available at arXiv:math/0512418.
4. Bilu, Y.: Effective analysis of integral points on algebraic curves. Israel J. Math. 90, 235–252 (1995).
5. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24, 235–265 (1997).
6. Bugeaud, Y., Mignotte, S., Siksek, S., Stoll, M., Tengely, S.: Integral points on hyperelliptic curves. Algebra Number Theory 2, 859–885 (2008).
7. Cantor, D.G., Zassenhaus, H.: On Algorithms for Factoring Polynomials over Finite Fields. Math. of Computation 36, 587–592 (1981).
8. Cox, D., Little, J., O’Shea, D.: Ideals, varieties, and algorithms: an introduction to computational algebraic geometry and commutative algebra, 3rd ed., Undergraduate Texts in Mathematics. Springer Verlag, New York (2007).
9. Cusick, T.W.: Cryptoanalysis of a public key system based on diophantine equations. Inform. Process. Lett. 56, 73–75 (1995).
10. Davis, M., Matijasevič, Y., Robinson, J.: Hilbert’s tenth problem, Diophantine equations: positive aspects of a negative solution. In: Browder, F.E. (ed.) Mathematical developments arising from Hilbert problems (Proc. Sympos. Pure Math., Vol. XXVIII, Northern Illinois Univ., De Kalb, Ill., 1974), pp. 323–378 (loose erratum). Amer. Math. Soc., Providence, R.I. (1976).
11. Diffie, W., Hellman, M.: New directions in cryptography. Trans. Inf. Theory 22, 644–654 (1976).
12. Faugère, J.C., Spaenlehauer, P.-J.: Algebraic Cryptanalysis of the PKC’2009 Algebraic Surface Cryptosystem. In: Proceedings of PKC’10, Lecture Notes in Comput. Sci., vol. 6056, pp. 35–52. Springer, Berlin Heidelberg (2010).
13. Győry, K.: Solving Diophantine equations by Baker’s theory. In: A panorama of number theory or the view from Baker’s garden (Zürich, 1999), pp. 38–72. Cambridge University Press, Cambridge, England (2002).
14. Hindry, M., Silverman, J.H.: Diophantine geometry: an introduction, Graduate Texts in Mathematics, vol. 201. Springer, New York (2000).
15. Hirata-Kohno, N., Pethő, A.: On a key exchange protocol based on Diophantine equations. Infocommunications J. 16(2), 168–184 (1987).
16. Iwami, M.: A Reduction Attack on Algebraic Surface Public-Key Cryptosystems. In: Kapur, D. (ed.) ASCM 2007. LNCS, vol. 5081, pp. 323–332. Springer, Heidelberg (2008).
17. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987).
18. Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number Field Sieve, Lecture Notes in Mathematics, vol. 1554. Springer-Verlag, Berlin Heidelberg (1993).
19. Lin, C.H., Chang, C.C., Lee, R.C.T.: A new public-key cipher system based upon the diophantine equations. IEEE Trans. Comp. 44, 13–19 (1995).
20. Manders, K., Adleman, L.: NP-complete decision problems for binary quadratics. J. Comput. Syst. Sci. 24, 713–735 (1970).
21. Mason, R.C.: Diophantine Equations over Function Fields, London Mathematical Society Lecture Note Series, vol. 96. Cambridge University Press, Cambridge, England (1984).
22. Miller, V.S.: Use of elliptic curves in cryptography. Abstracts for Crypto ’85. Lect. Notes Comput. Sci. 218, 417–426 (1986).
23. Mochizuki, S.: Inter-universal Teichmüller Theory I: Construction of Hodge Theaters, II: Hodge-Arakelov-theoretic Evaluation, III: Canonical Splittings of the Log-theta-lattice, IV: Log-volume Computations and Set-theoretic Foundations. Available at http://www.kurims.kyoto-u.ac.jp/~motizuki/papers-english.html.
24. Ogura, N.: On Multivariate Public-key cryptosystems. PhD thesis, Tokyo Metropolitan University (2012).
25. Pheidas, T.: Hilbert’s tenth problem for fields of rational functions over finite fields. Invent. Math. 103(1), 1–8 (1991).
26. Poulakis, D., Voskos, E.: On the practical solution of genus zero Diophantine equations. J. Symbolic Comput. 30, 573–582 (2000).
27. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21, 120–126 (1987).
28. Shor, P.: Algorithms for Quantum Computation: Discrete Logarithm and Factoring. In: Proc. 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994).
29. Stothers, W.W.: Polynomial identities and hauptmoduln. Quart. J. Math. Oxford Ser. (2) 32(127), 349–370 (1981).
30. Stroeker, R.J., Tzanakis, N.: Computing all integer solutions of a genus 1 equation. Math. Comput. 72, 1917–1933 (2003).
31. Uchiyama, S., Tokunaga, H.: On the Security of the Algebraic Surface Public-key Cryptosystems (in Japanese). In: Proceedings of SCIS 2007, CD-ROM 2C1-2 (2009).
32. Voloch, F.: Breaking the Akiyama-Goto algebraic surface cryptosystem. Arithmetic, Geometry, Cryptography and Coding Theory, CIRM meeting (2007).
33. Weil, A.: Sur les courbes algébriques et les variétés qui s’en déduisent. Actualités Sci. Ind., no. 1041; Publ. Inst. Math. Univ. Strasbourg 7 (1945). Hermann, Paris (1948). iv+85 pp.
34. Yosh, H.: The key exchange cryptosystem used with higher order Diophantine equations. Int. J. Netw. Secur. Appl. 3, 43–50 (2011).