Public-Key Encryption Based on Matrix Diagonalization Problem
Jiande Zheng
Department of Computer Science, Xiamen University, Xiamen 361005, P. R. China
Abstract. This paper reports research on the development of a new public-key encryption scheme based on the matrix diagonalization problem over a ring of algebraic integers. The research is original, although it is still at an early stage. The new public-key encryption algorithm has three original features that distinguish it from existing ones: (a) it works over an infinite field instead of a Galois field; (b) it takes into account the ability of adversaries to factor big integers; (c) it requires only simple (modulus-free) additions and multiplications for message encryption and decryption; no high-order exponentiation is required.
1 Introduction
The idea of inventing new public-key cryptosystems by exploiting the matrix diagonalization problem (MDP) was first suggested in [1]. The original encryption system was implemented with modulo-p addition and multiplication, where p is a big prime; it was broken because the characteristic polynomial of the public-key matrix can be factored efficiently over GF(p) using the Cantor-Zassenhaus algorithm [2]. Improved public-key encryption and digital signature schemes were developed later with the same idea, but with the underlying algebraic setting chosen as Z_n, the ring of integers with modulo-n addition and multiplication, where n is an RSA modulus [3][4]. This choice links MDP to the integer factorization problem (IFP). In fact, diagonalizing a 2×2 matrix over Z_n is equivalent to solving a modulo-n quadratic equation, or inverting the Rabin public-key function [5], which is a proven hard problem.
The purpose of this paper is to report further research on developing an encryption scheme based on MDP over yet another algebraic setting, which is an infinite field instead of a Galois field, as is the case with almost all existing schemes. Factoring a polynomial over the specially formulated algebraic setting is a brand-new cryptographic problem, the complexity of which is still under study. Nevertheless, we have made important progress on this question, which is presented in this paper.
Zheng J. (2005). Public-Key Encryption Based on Matrix Diagonalization Problem. In Proceedings of the 3rd International Workshop on Security in Information Systems, pages 102-112. DOI: 10.5220/0002543101020112. Copyright © SciTePress.
2 The new encryption scheme
2.1 The algebraic setting
First, we choose a big composite integer, denoted n, which is a product of a large number of primes. Let p and q be two secret divisors of n with pq = n. A ring of algebraic integers, denoted Ω, can be defined as

$$\Omega = \{\,\omega : \omega = \omega_1 + \omega_2,\ \omega_1^2 = \alpha_1^2\, p,\ \omega_2^2 = \alpha_2^2\, q,\ \alpha_1, \alpha_2 \in R[s]\,\},\qquad pq = n, \tag{1}$$

where

$$R[s] = \{\, z : z = (z_1 + z_2\sqrt{s})\, z_3^{-1},\ z_1, z_2 \in Z,\ z_3 \in Z^*\,\}, \tag{2}$$

s is an integer, √s is an irrational number, Z stands for the ring of integers, Z = {0, ±1, ±2, ±3, …} and Z* = {±1, ±2, ±3, …}.
Another algebraic setting, denoted Π, can be defined with Ω as

$$\Pi = \{\,\pi : \pi = \pi_1 + \pi_2,\ \pi_1 \in R[s,n],\ \pi_2 \in \Omega\,\}, \tag{3}$$

where

$$R[s,n] = \{\, r : r = r_1 + r_2\sqrt{n},\ r_1, r_2 \in R[s]\,\}. \tag{4}$$
It is easily verified that R[s,n] is a field under normal addition and multiplication. Meanwhile, one notices that (1) can be rewritten as

$$\Omega = \{\,\omega : \omega = \alpha_1\sqrt{p} + \alpha_2\sqrt{q},\ \alpha_1, \alpha_2 \in R[s]\,\}; \tag{5}$$

for any u = u₁√p + u₂√q, v = v₁√p + v₂√q ∈ Ω and w = w₁ + w₂√n ∈ R[s,n], one obtains

$$uv = (u_1\sqrt{p} + u_2\sqrt{q})(v_1\sqrt{p} + v_2\sqrt{q}) = vu = (v_1\sqrt{p} + v_2\sqrt{q})(u_1\sqrt{p} + u_2\sqrt{q}) = (u_1 v_1\, p + u_2 v_2\, q) + (u_1 v_2 + u_2 v_1)\sqrt{n} \in R[s,n]$$

and

$$uw = u\,(w_1 + w_2\sqrt{n}) = wu = (w_1 + w_2\sqrt{n})\,u = u w_1 + u w_2\sqrt{n} = u w_1 + (u_1\sqrt{p} + u_2\sqrt{q})\sqrt{pq}\; w_2 = u w_1 + (u_1\, p\sqrt{q} + u_2\, q\sqrt{p})\; w_2 \in \Omega.$$
One notices from the above discussion that Π is closed under ordinary addition and multiplication. Furthermore, let ξ = ξ₁ + ξ₂ ∈ Π, where ξ₁ ∈ R[s,n] and ξ₂ ∈ Ω; one also obtains from the above discussion ξ₁², ξ₂² ∈ R[s,n] and

$$(\xi_1 + \xi_2)(\xi_1 - \xi_2) = \xi_1^2 - \xi_2^2 \in R[s,n],$$

which is invertible within R[s,n], and $(\xi_1 - \xi_2)(\xi_1^2 - \xi_2^2)^{-1}$, with $(\xi_1^2 - \xi_2^2)^{-1} \in R[s,n]$, gives the inverse of ξ = ξ₁ + ξ₂ in Π. So we conclude that Π is also a field under normal addition and multiplication.
There are 168 primes between 1 and 1000 [6]; we suggest that n be selected as a product of 150 primes among them, so that

$$n < (1000)^{150} = 10^{450} < 2^{1500},$$

the size of which is comparable with that of widely used RSA moduli [7].
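The following Python is an added illustration of the arithmetic in this section; it is not code from the paper. It models elements of Π with rational coefficients over the basis 1, √s, √n, √(sn), √p, √(sp), √q, √(sq), checks the closure relations uv ∈ R[s,n] and uw ∈ Ω computed above, and computes the inverse (ξ₁ − ξ₂)(ξ₁² − ξ₂²)⁻¹ of an element. The inverse inside R[s,n] is taken by norms down the tower Q(√s, √n) ⊃ Q(√s) ⊃ Q, an added detail the paper leaves to the reader. The parameters s = 2, p = 3, q = 5, n = 15 are constructed toy values, far from the 150-prime n the paper recommends, so they exercise the algebra only.

```python
from fractions import Fraction

# Constructed toy parameters: s = 2 (sqrt 2 is irrational), p = 3, q = 5, n = pq = 15.
# The paper wants n to be a product of ~150 primes; these values only exercise the algebra.
S, P, Q = 2, 3, 5
N = P * Q

# An element of Pi is a dict {(e, rad): coeff}: e in {0, 1} is the exponent of sqrt(s),
# rad in {"1", "n", "p", "q"} names the radical 1, sqrt(n), sqrt(p) or sqrt(q) it multiplies.
# R[s] = terms with rad == "1"; R[s, n] = terms with rad in {"1", "n"}; Omega = rad in {"p", "q"}.

def key(tag):
    """'1','s','n','sn','p','sp','q','sq' -> (sqrt(s) exponent, radical name)."""
    e = 1 if tag.startswith("s") else 0
    return (e, tag[e:] or "1")

def elem(coeffs):
    return {key(t): Fraction(v) for t, v in coeffs.items() if v}

def add(x, y):
    out = dict(x)
    for k, v in y.items():
        out[k] = out.get(k, 0) + v
    return {k: v for k, v in out.items() if v}

def neg(x):
    return {k: -v for k, v in x.items()}

def scale(x, c):
    return {k: v * c for k, v in x.items()} if c else {}

# Products of the radicals sqrt(n), sqrt(p), sqrt(q): (integer factor, resulting radical).
RAD_TABLE = {
    ("n", "n"): (N, "1"), ("p", "p"): (P, "1"), ("q", "q"): (Q, "1"),
    ("p", "q"): (1, "n"),   # sqrt(p) sqrt(q) = sqrt(n)
    ("p", "n"): (P, "q"),   # sqrt(p) sqrt(pq) = p sqrt(q)
    ("q", "n"): (Q, "p"),   # sqrt(q) sqrt(pq) = q sqrt(p)
}

def rad_mul(a, b):
    if a == "1":
        return (1, b)
    if b == "1":
        return (1, a)
    return RAD_TABLE.get((a, b)) or RAD_TABLE[(b, a)]

def mul(x, y):
    out = {}
    for (e1, r1), c1 in x.items():
        for (e2, r2), c2 in y.items():
            f, r = rad_mul(r1, r2)
            c = c1 * c2 * f * (S if e1 + e2 == 2 else 1)   # sqrt(s)^2 = s
            k = ((e1 + e2) % 2, r)
            out[k] = out.get(k, 0) + c
    return {k: v for k, v in out.items() if v}

def radicals(x):
    return {k[1] for k in x}

def split(x):
    """xi = xi1 + xi2 with xi1 in R[s, n] and xi2 in Omega, as in Sect. 2.1."""
    xi1 = {k: v for k, v in x.items() if k[1] in ("1", "n")}
    xi2 = {k: v for k, v in x.items() if k[1] in ("p", "q")}
    return xi1, xi2

def conj(x, rad):
    """Negate every term carrying sqrt(n) (rad == 'n') or sqrt(s) (rad == 's')."""
    if rad == "s":
        return {k: (-v if k[0] == 1 else v) for k, v in x.items()}
    return {k: (-v if k[1] == rad else v) for k, v in x.items()}

def inv(x):
    """(xi1 - xi2) * (xi1^2 - xi2^2)^(-1); the R[s, n] inverse is taken by norms
    down the tower Q(sqrt s, sqrt n) -> Q(sqrt s) -> Q (added detail, not from the paper)."""
    if not x:
        raise ZeroDivisionError("zero has no inverse in Pi")
    xi1, xi2 = split(x)
    eta = add(mul(xi1, xi1), neg(mul(xi2, xi2)))      # xi1^2 - xi2^2, lies in R[s, n]
    assert radicals(eta) <= {"1", "n"}
    eta_n = conj(eta, "n")
    norm_n = mul(eta, eta_n)                            # in R[s] = Q(sqrt s)
    norm_s = conj(norm_n, "s")
    rational = mul(norm_n, norm_s)                      # in Q
    assert set(rational) == {(0, "1")}
    eta_inv = scale(mul(eta_n, norm_s), 1 / rational[(0, "1")])
    return mul(add(xi1, neg(xi2)), eta_inv)

ONE = elem({"1": 1})
```

Use `radicals(mul(u, v))` on two Ω elements to see that the product lands in R[s,n] (only 1 and √n survive), and `mul(xi, inv(xi)) == ONE` to confirm the inverse formula; the assertions inside `inv` check the two membership claims the paper relies on.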
2.2 The keys
The private key for the encryption scheme is given by

$$H = \begin{bmatrix} 1 & 1 & 1 & 1 & \cdots & 1 \\ \lambda_1 & \lambda_2 & \lambda_3 & \lambda_4 & \cdots & \lambda_r \\ \lambda_1^2 & \lambda_2^2 & \lambda_3^2 & \lambda_4^2 & \cdots & \lambda_r^2 \\ \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \lambda_1^{r-2} & \lambda_2^{r-2} & \lambda_3^{r-2} & \lambda_4^{r-2} & \cdots & \lambda_r^{r-2} \\ \lambda_1^{r-1} & \lambda_2^{r-1} & \lambda_3^{r-1} & \lambda_4^{r-1} & \cdots & \lambda_r^{r-1} \end{bmatrix} \tag{6}$$

where λ₁, λ₂, …, λ_r ∈ Π are of the form

$$\lambda = (\omega_{11} + \omega_{12}\sqrt{s}) + (\omega_{21} + \omega_{22}\sqrt{s})\sqrt{n} + \sqrt{(\omega_{31} + \omega_{32}\sqrt{s}) + (\omega_{41} + \omega_{42}\sqrt{s})\sqrt{n}},\qquad \omega_{11}, \omega_{12}, \ldots, \omega_{42} \in Z,$$

and r > 4, while the public key is given by

$$A = \begin{bmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ (-1)^{r-1}\sigma_r & (-1)^{r-2}\sigma_{r-1} & \cdots & -\sigma_2 & \sigma_1 \end{bmatrix} \tag{7}$$

where σ₁, σ₂, …, σ_r are algebraic integers computed from λ₁, λ₂, …, λ_r using the following equations:

$$\sigma_1 = \sum_{i=1}^{r} \lambda_i,\qquad \sigma_2 = \sum_{i=1}^{r-1}\sum_{j=i+1}^{r} \lambda_i\lambda_j,\qquad \sigma_3 = \sum_{i=1}^{r-2}\sum_{j=i+1}^{r-1}\sum_{k=j+1}^{r} \lambda_i\lambda_j\lambda_k,\ \ \ldots,\ \ \sigma_r = \lambda_1\lambda_2\lambda_3\cdots\lambda_r.$$
We have [8]

$$A = H\,\mathrm{diag}(\lambda_1, \lambda_2, \ldots, \lambda_r)\,H^{-1} \pmod{n}. \tag{8}$$

Note that the private key can be represented by (λ₁, λ₂, …, λ_r), while the public key can be represented by (σ₁, σ₂, …, σ_r).
2.3 The trap-door one-way function
The following trap-door one-way function is used for message encryption in this paper:

$$f(x_1, x_2, \ldots, x_r) = (x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b,\qquad x_1, x_2, \ldots, x_r \in \Pi, \tag{9}$$

where b = [b₁ b₂ ⋯ b_r]^T is an r×1 matrix, the elements of which can be computed as b_i = tr(A^{i−1}), i = 1, 2, …, r, so that

$$b = H\,[1\ 1\ \cdots\ 1]^T. \tag{10}$$
2.4 Message encryption
The encrypting process is divided into the following three steps.

Step 1 Create r random numbers in Π. These numbers, denoted x₁, x₂, …, x_r, can be computed from the public key as

$$x_1 = k_1(\sigma_1 + \sigma_2 + \cdots + \sigma_r),\qquad x_i = k_i(\sigma_1 + \sigma_2 + \cdots + \sigma_r)\, x_{i-1},\quad i = 2, 3, \ldots, r-1, \tag{11}$$

and

$$x_r = \psi_1(x_1, x_2, \ldots, x_{r-1}), \tag{12}$$

where k₁, k₂, …, k_r are random numbers in R[s], and ψ₁ is a publicly known one-way function, which can be made as the combination of a hash function with some arithmetic operations.
Step 2 Compute the first component of the cipher text, denoted y, which is an r×1 matrix obtained from the public-key function:

$$y = (x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b. \tag{13}$$

Step 3 Compute the second component of the cipher text, denoted z, which is an integer,

$$z = m\,\psi_2(x_1, x_2, \ldots, x_r), \tag{14}$$

where m is the message and ψ₂ is a publicly known one-way function similar to ψ₁.

The full cipher text of m is given by (y, z).
2.5 Message decryption
One notices that (13) can be reduced to univariate quadratic equations by multiplying both sides of the equation by the inverse of H. We have

$$H^{-1} y = H^{-1}(x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b = \big[H^{-1}(x_1 I + x_2 A + \cdots + x_r A^{r-1})H\big]^2 H^{-1} b = \big(x_1 I + x_2 H^{-1}AH + \cdots + x_r (H^{-1}AH)^{r-1}\big)^2 H^{-1} b, \tag{15}$$

where $H^{-1}AH = \mathrm{diag}(\lambda_1, \lambda_2, \ldots, \lambda_r) \pmod{n}$, which is an alternative form of (8). Let

$$H^{-1} y = [\delta_1\ \delta_2\ \cdots\ \delta_r]^T,\qquad \mu_i = x_1 + x_2\lambda_i + \cdots + x_r\lambda_i^{r-1},\quad i = 1, 2, \ldots, r, \tag{16}$$

where x = [x₁ x₂ ⋯ x_r]^T; then, since H^{-1} b = [1 1 ⋯ 1]^T by (10), equation (15) can be reduced to

$$[\delta_1\ \delta_2\ \cdots\ \delta_r]^T = \mathrm{diag}(\mu_1^2, \mu_2^2, \ldots, \mu_r^2)\,[1\ 1\ \cdots\ 1]^T = [\mu_1^2\ \mu_2^2\ \cdots\ \mu_r^2]^T,$$

which can be further rewritten as

$$\delta_i = \mu_i^2,\quad i = 1, 2, \ldots, r. \tag{17}$$

The above equations are readily solved; the solutions are given by

$$\mu_i = \pm\sqrt{\delta_i},\quad i = 1, 2, \ldots, r. \tag{18}$$

Meanwhile, one obtains from (6) and (16) $[\mu_1\ \mu_2\ \cdots\ \mu_r]^T = H^T x$, so we have

$$x = (H^T)^{-1}[\mu_1\ \mu_2\ \cdots\ \mu_r]^T. \tag{19}$$

Note that 2^r possible solutions to (13) can be computed from (18) and (19), and (12) can be used to find the correct one. The original message can then be recovered as $m = z\,[\psi_2(x_1, x_2, \ldots, x_r)]^{-1}$.
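The following Python is an added example that is not part of the paper. It runs the key relations (6), (7), (10) and the encryption and decryption steps (13) and (15)-(19) over the rationals with small integer eigenvalues, so that every step is exact and the 2^r sign search of (18) can be watched. Because the eigenvalues are plain integers rather than elements of Π, the instance is trivially breakable and demonstrates only the linear algebra, not the scheme's security. The values x₁, …, x_{r−1} are supplied directly instead of being generated by (11), and the public one-way functions ψ₁ and ψ₂ are stand-ins built from SHA-256 reduced to an integer; those stand-ins, the eigenvalues and the message are all constructed for this illustration.

```python
from fractions import Fraction
from hashlib import sha256
from itertools import product
from math import isqrt

# Toy instantiation over the rationals: the eigenvalues lambda_i are small INTEGERS,
# so all arithmetic is exact and nothing here is secure. It only exercises the key
# relations (6)-(10), encryption (13) and the decryption steps (15)-(19).
# Every value below is constructed for the illustration.
LAMBDA = [2, 3, 5, 7, 11]      # private key (lambda_1, ..., lambda_r), r = 5 > 4
PSI1_MOD = 2 ** 31              # range of the toy psi_1 (x_r must equal psi_1(x_1..x_{r-1}))
PSI2_MOD = 2 ** 32              # range of the toy psi_2

def F(v):
    return Fraction(v)

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def identity(n):
    return [[F(int(i == j)) for j in range(n)] for i in range(n)]

def inverse(M):
    """Gauss-Jordan elimination over the rationals."""
    n = len(M)
    aug = [list(row) + identity(n)[i] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c] != 0)
        aug[c], aug[piv] = aug[piv], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                aug[r] = [a - aug[r][c] * b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def elementary_symmetric(lams):
    """sigma_1, ..., sigma_r of the lambda_i: coefficients of prod_i (t + lambda_i)."""
    poly = [F(1)]                                   # coefficients, lowest degree first
    for lam in lams:
        shifted = [F(0)] + poly                     # t * poly
        scaled = [lam * c for c in poly] + [F(0)]   # lambda * poly
        poly = [a + b for a, b in zip(shifted, scaled)]
    r = len(lams)
    return [poly[r - k] for k in range(1, r + 1)]   # sigma_k is the coefficient of t^(r-k)

def keygen(lams):
    """Private key H (Vandermonde matrix (6)) and public key A (companion matrix (7))."""
    r = len(lams)
    H = [[F(lam) ** i for lam in lams] for i in range(r)]
    sigma = elementary_symmetric(lams)
    A = [[F(int(j == i + 1)) for j in range(r)] for i in range(r - 1)]
    A.append([(-1) ** (r - 1 - j) * sigma[r - 1 - j] for j in range(r)])
    return H, sigma, A

def trace(M):
    return sum(M[i][i] for i in range(len(M)))

def public_vector(A):
    """b_i = tr(A^(i-1)), i = 1..r, computable from the public key alone (10)."""
    powers, b = identity(len(A)), []
    for _ in range(len(A)):
        b.append(trace(powers))
        powers = matmul(powers, A)
    return b

def poly_matrix(A, xs):
    """x_1 I + x_2 A + ... + x_r A^(r-1)."""
    r = len(A)
    total, powers = [[F(0)] * r for _ in range(r)], identity(r)
    for x in xs:
        total = [[t + x * p for t, p in zip(tr, pr)] for tr, pr in zip(total, powers)]
        powers = matmul(powers, A)
    return total

def psi(tag, xs, mod):
    """Toy stand-in for the public one-way functions psi_1 / psi_2 (hash reduced to an integer)."""
    digest = sha256(f"{tag}:{[int(x) for x in xs]}".encode()).digest()
    return int.from_bytes(digest, "big") % mod + 1

def encrypt(A, b, m, x_head):
    """Steps 1-3 of Sect. 2.4 with x_1..x_{r-1} supplied (integers here) and x_r from (12)."""
    xs = list(x_head) + [psi(1, x_head, PSI1_MOD)]
    M = poly_matrix(A, xs)
    y = matmul(matmul(M, M), [[F(v)] for v in b])          # (13)
    z = m * psi(2, xs, PSI2_MOD)                            # (14)
    return y, z

def decrypt(H, y, z):
    """Sect. 2.5: delta = H^-1 y, mu_i = +-sqrt(delta_i), x = (H^T)^-1 mu, select with psi_1."""
    r = len(H)
    delta = [row[0] for row in matmul(inverse(H), y)]       # (15)-(17): delta_i = mu_i^2
    roots = [isqrt(int(d)) for d in delta]                  # (18); exact because mu_i is an integer
    HT_inv = inverse(transpose(H))
    for signs in product((1, -1), repeat=r):                # the 2^r candidates
        mu = [[F(s * t)] for s, t in zip(signs, roots)]
        xs = [row[0] for row in matmul(HT_inv, mu)]         # (19)
        if all(x.denominator == 1 for x in xs) and xs[-1] == psi(1, xs[:-1], PSI1_MOD):
            return z // psi(2, xs, PSI2_MOD)                # m = z * psi_2(x)^-1
    raise ValueError("no sign choice satisfied (12)")
```

Running `keygen`, then `public_vector`, `encrypt` and `decrypt` shows that b computed from traces of the public key coincides with H·[1 ⋯ 1]^T, that H^{-1}AH is diagonal, and that exactly one of the 2^r sign patterns yields an x whose last component satisfies (12).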
3 Security of the encryption scheme
We study in this section two kinds of possible attacks on our encryption scheme. The
first kind of attacks aims at recovering the secret key, while the second kind of attacks
tries to crack the cipher texts.
3.1 Attacks aiming at recovering the private key
An adversary can recover H if and only if the adversary can diagonalize the corresponding public key A, or factor its characteristic polynomial

$$\varphi(\lambda) = \det(\lambda I - A) = \lambda^r - \sigma_1\lambda^{r-1} + \sigma_2\lambda^{r-2} - \cdots + (-1)^r\sigma_r \tag{20}$$

over Π. Since Π is an infinite field, the polynomial factoring algorithms that work well on Galois fields, such as the famous Cantor-Zassenhaus algorithm, will not work on it. According to Abel's theorem [9], it is also hard for the adversary to solve φ(λ) = 0 over R, the real number field, as this task cannot be accomplished with a finite number of additions, multiplications and root extractions if r > 4.

The adversary may also substitute

$$\lambda = (\omega_{11} + \omega_{12}\sqrt{s}) + (\omega_{21} + \omega_{22}\sqrt{s})\sqrt{n} + \sqrt{(\omega_{31} + \omega_{32}\sqrt{s}) + (\omega_{41} + \omega_{42}\sqrt{s})\sqrt{n}}$$

into (20) and transform φ(λ) = 0 over Π to

$$\psi(\omega_{11}, \omega_{12}, \omega_{21}, \omega_{22}, \omega_{31}, \omega_{32}, \omega_{41}, \omega_{42}) = \varphi\Big((\omega_{11} + \omega_{12}\sqrt{s}) + (\omega_{21} + \omega_{22}\sqrt{s})\sqrt{n} + \sqrt{(\omega_{31} + \omega_{32}\sqrt{s}) + (\omega_{41} + \omega_{42}\sqrt{s})\sqrt{n}}\Big) = 0,\qquad \omega_{11}, \omega_{12}, \ldots, \omega_{42} \in Z. \tag{21}$$

However, it is easily verified that (21) cannot be broken into a small number of rational equations over Z, so this transformation cannot reduce the complexity of recovering the private key.

The third method for key recovery is substituting

$$\lambda = (\alpha_{11} + \alpha_{12}\sqrt{s})\sqrt{p} + (\alpha_{21} + \alpha_{22}\sqrt{s})\sqrt{q} + (\omega_{31} + \omega_{32}\sqrt{s}) + (\omega_{41} + \omega_{42}\sqrt{s})\sqrt{n},\qquad \alpha_{11}, \alpha_{12}, \alpha_{21}, \alpha_{22}, \omega_{31}, \omega_{32}, \omega_{41}, \omega_{42} \in Z,$$

into (20), which will transform φ(λ) = 0 over Π to eight polynomial equations in α₁₁, α₁₂, α₂₁, α₂₂, ω₃₁, ω₃₂, ω₄₁, ω₄₂ over Z. This transformation makes it possible to recover the private key with existing polynomial factorization algorithms over finite fields. However, p and q, the factors of n, have to be found before the above method can be applied, and for this purpose we cannot find any existing method that is more effective than enumeration. Suppose n is selected as a product of 150 different primes and p is selected as the product of 70 prime factors of n; it takes at most $C_{150}^{70}$ tries for the adversary to find p. We have

$$C_{150}^{70} = 6.66 \times 10^{43} > 2^{129},$$

which is more than the number of all 128-bit symmetric keys.
3.2 Attacks aiming at cracking the cipher texts
We have studied three methods that may be used to solve (20). These methods may also be used to solve (13), in order to crack the cipher text directly. The complexity of applying the second and third methods to (13) is the same as that of applying them to (20), while the complexity of solving (13) over R depends heavily on that of reducing it to quartic or lower-order univariate equations. The basic methods for the reduction are linear transformations, including linear eliminations and linear substitutions. We have the following proposition:
Proposition 1 Breaking (13) into univariate equations through linear
transformations is as hard as finding the eigenvalues of A.
Proof One may represent a scalar equation obtained from (13) through linear eliminations as

$$v^T y = v^T (x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b,$$

where v is an r×1 matrix. Suppose the above equation can be turned into a univariate equation through linear substitution; then there exist three scalars γ₁, γ₂, γ₃ and an r×1 matrix u such that ε = u^T x satisfies

$$v^T (x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b = v^T y = \gamma_1\varepsilon^2 + \gamma_2\varepsilon + \gamma_3. \tag{22}$$
According to (8) and (10), the left side of (22) can be rewritten as

$$v^T (x_1 I + x_2 A + \cdots + x_r A^{r-1})^2\, b = v^T H \big(x_1 I + x_2 H^{-1}AH + \cdots + x_r (H^{-1}AH)^{r-1}\big)^2 H^{-1} b = v^T H\,\mathrm{diag}(\mu_1^2, \mu_2^2, \ldots, \mu_r^2)\,[1\ 1\ \cdots\ 1]^T = w^T [\mu_1^2\ \mu_2^2\ \cdots\ \mu_r^2]^T = w_1\mu_1^2 + w_2\mu_2^2 + \cdots + w_r\mu_r^2 = v^T y = w_0, \tag{23}$$

where $w_0 = v^T y$ and $w = [w_1\ w_2\ \cdots\ w_r]^T = H^T v \neq 0$, since H is of full rank. Without loss of generality, we assume that w₁ ≠ 0. Meanwhile one obtains from (19)
$$\varepsilon = u^T x = u^T (H^T)^{-1}[\mu_1\ \mu_2\ \cdots\ \mu_r]^T = d^T[\mu_1\ \mu_2\ \cdots\ \mu_r]^T = d_1\mu_1 + d_2\mu_2 + \cdots + d_r\mu_r, \tag{24}$$

where $d = [d_1\ d_2\ \cdots\ d_r]^T = H^{-1} u$. Substituting (23) and (24) into (22) gives

$$w_1\mu_1^2 + w_2\mu_2^2 + \cdots + w_r\mu_r^2 = \gamma_1(d_1\mu_1 + d_2\mu_2 + \cdots + d_r\mu_r)^2 + \gamma_2(d_1\mu_1 + d_2\mu_2 + \cdots + d_r\mu_r) + \gamma_3 = w_0, \tag{25}$$

and one obtains from the above equation

$$w_1 = \gamma_1 d_1^2,\qquad w_2 = w_3 = \cdots = w_r = d_2 = d_3 = \cdots = d_r = 0.$$

So we have

$$[w_1\ w_2\ \cdots\ w_r]^T = [w_1\ 0\ \cdots\ 0]^T = H^T v, \tag{26}$$

which reveals that v is a left eigenvector of A, and an eigenvalue of A can be obtained by multiplying A by it on the left.
In summary, obtaining a univariate equation from (13) through linear
transformations is equivalent to computing an eigenvalue of A. If an adversary can
obtain r independent univariate equations from (13), the adversary will also be able to
obtain all r eigenvalues of the public key matrix. This is the end of the proof.
4 Conclusions
Extracting irrational roots from a high-order polynomial equation has been proved to be an impossible task, while the complexity of finding a secret composite factor of a big integer is determined by the number of prime factors contained in the integer, and apparently cannot be reduced with algebraic tools. Our encryption scheme is novel since we have built a strong relationship between the complexity of breaking the scheme and that of solving the above two original problems, which differ substantially from the underlying mathematical problems of existing public-key encryption schemes. However, we have not been able to reduce the cryptographic problem formulated in this paper to either of the proven hard problems mentioned above. The security topics that remain open to further research include the complexity of reducing (13) to quartic or lower-order univariate equations through nonlinear transformations and the complexity of solving (13) over R without breaking it into univariate equations.
Acknowledgements
This research is supported by National Natural Science Foundation of China under
Grant 60373077.
References
1. J. D. Zheng, “A new public key cryptosystem for constrained hardware”, in LNCS
2433, New York: Springer-Verlag, 2002, 334-341
2. D. Cantor, and H. Zassenhaus, “A new algorithm for factoring polynomials over finite
fields”, Math. Comp., 1981, 36: 587-592.
3. J. D. Zheng, “An Economical public-key crypto-device for C/S and B/S
applications”, Journal of Xiamen University, 2004, vol. 43(2): 141-143
4. J. D. Zheng “A fast digital signature scheme based on MDP”, Journal of Computer
Research and Development, 2005, 42(2) to appear
5. M O Rabin, Digital signatures and public key functions as intractable as factorization.
MIT Laboratory for Computer Science, Technical Report: MIT/LCS/TR-212, 1979
6. http://www.utm.edu/research/primes/howmany.html
7. B. Schneier, Applied Cryptography, New York: John Wiley & Sons, 1996
8. T. W. Hungerford, Algebra, New York: Springer-Verlag, 1974, pp. 114-145
9. Raymond G. Ayoub, On the nonsolvability of the general polynomial, American
Mathematical Monthly 89(1982), 397-401