THE POLYNOMIAL MULTICOMPOSITION PROBLEM IN (Z/nZ)
Neculai Daniel Stoleru and Victor Valeriu Patriciu
Department of Mathematics and Informatics, Military Technical Academy, Caraiman Str. 116, Bucharest, Romania
Keywords: Polynomial composition, identification, key agreement.
Abstract: Generally, public-key cryptographic schemes base their security on the difficulty of solving hard mathematical problems. The number of such problems currently known is relatively small. Therefore the further investigation of mathematical problems with applications in cryptography is of central interest. This paper explores a new problem based on polynomial composition. We analyze the connections between the proposed problem and the RSA problem. In addition, we derive from it a zero-knowledge identification protocol. We show that the method allows the definition of a commutative class of polynomials. Based on this class, a "Diffie-Hellman like" key exchange protocol can be devised.
1 INTRODUCTION
In cryptography, an asymmetric algorithm is based
on a type of function first suggested by Diffie and
Hellman (Diffie, Hellman, 1976) that has special
properties known as trapdoor one-way functions. A
trapdoor one-way function, if given some additional
secret information, allows much easier computation
of its inverse function. The one-way functions are
based on hard mathematical problems, like factoring
large composites into prime factors or the discrete
logarithm problem.
Nevertheless, the number of hard mathematical
problems with applications in cryptography
currently known is rather reduced. Even considering
the known problems of this type, there are still
questionable items. As an example, the Optimal
Asymmetric Encryption Padding (OAEP) has never
been proven secure against the chosen ciphertext
attack in the adaptive scenario (RSA, 2007).
In this context, the further research of such
problems is of central interest. Similarly, finding
general procedures supporting the study of a larger
class of problems is also important.
The Polynomial Composition Problem (PCP) was first introduced in (Joye, Naccache, Porte, 2004) and can be stated as follows:
Problem 1.
Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomials Q and S := Q(P), find P.
Joye et al. showed that generally the Polynomial Composition Problem is easier than the RSA problem, that is, the computation of roots in Z/nZ, and gave a new version of this problem called the Reduced Polynomial Composition Problem (RPCP), which can be proven to be equivalent to the RSA problem.
A number of cryptographic algorithms like the key agreement protocols based on asymmetric techniques (Menezes, van Oorschot, Vanstone, 1997) require operating in commutative groups. It is well known that, in general, polynomial composition is not commutative.
The present paper introduces a new problem called the Polynomial Multi-Composition Problem (PMCP) based on a commutative class of polynomials.
In a proper approach, the security of the
cryptographic scheme should be proven in a
mathematical sense, i.e. establishing theorems
claiming that illegal actions such as impersonation
are as difficult as solving a specific problem, whose
difficulty is well-established. Among these
problems, as already mentioned, are integer
factorization, or the computation of discrete
logarithms in a finite group. This will also be the
approach in the present paper, relating the new
Daniel Stoleru N. and Valeriu Patriciu V. (2007). THE POLYNOMIAL MULTICOMPOSITION PROBLEM IN (Z/nZ). In Proceedings of the Second International Conference on Security and Cryptography, pages 269-272. DOI: 10.5220/0002123402690272. Copyright © SciTePress
introduced polynomial multi-composition problem
to the reducible polynomial composition problem
suggested in (Joye, Naccache, Porte, 2004).
Half-way between heuristic validation and formal proofs are proofs in a model where concrete objects are replaced by some ideal substitutes. Applying this paradigm to hash functions, for example, yields the so-called random oracle model described in (Bellare, Rogaway, 1993).
Using the following notation for a polynomial composed k times with itself:

$P^{(k)} := \underbrace{P \circ P \circ \cdots \circ P}_{k \text{ times}} = \underbrace{P(P(\ldots P(X) \ldots))}_{k \text{ times}}$ (1)

we can state the Polynomial Multi-Composition Problem as follows:
Problem 2.
Let P be a polynomial in (Z/nZ)[X] where n is an RSA modulus and k a big positive integer, $1 < k < n-1$. Given k and the polynomial $S := P^{(k)}$, find P.
We observe that choosing polynomials of type $S := P^{(k)}$ can lead to the definition of a commutative class of polynomials. For example, if we consider P, R, S polynomials in Z/nZ[X] and integers $1 < k, l < n-1$ such that $S := P^{(k)}$ and $R := P^{(l)}$, then the polynomials R and S commute over Z/nZ. For any $\omega \in Z/nZ$ we have

$S(R(\omega)) = P^{(k)}(P^{(l)}(\omega)) = P^{(k+l)}(\omega) = P^{(l+k)}(\omega) = P^{(l)}(P^{(k)}(\omega)) = R(S(\omega))$. (2)

This property allows us to devise a key exchange protocol based on polynomials in (Z/nZ)[X], similarly to the Diffie-Hellman key exchange protocol ((Menezes, van Oorschot, Vanstone, 1997), Protocol 12.47).
2 ANALYSIS OF THE POLYNOMIAL MULTI-COMPOSITION PROBLEM
In analyzing the security of the PMCP we relate the
suggested problem to the Reduced Polynomial
Composition Problem (RPCP) as given in (Joye,
Naccache, Porte, 2004).
Consider a polynomial $P \in (Z/nZ)[X]$, a big integer r, $1 < r < n-1$, and the polynomial $S := P^{(r)}$. We can write:

$S(X) = \sum_{t=0}^{p^r} c_t X^t$ (3)

where $p = \deg(P)$ and each coefficient $c_t$ is obtained by expanding the composition in the coefficients $u_0, \ldots, u_p$ of P: $c_t$ is a sum, over the index tuples $(i_0, i_1, \ldots, i_p)$ that satisfy a linear constraint on $i_0 + i_1 + \cdots + i_p$ together with $i_1 + 2 i_2 + \cdots + p\, i_p = t$, of multinomial terms

$\frac{(i_0 + i_1 + \cdots + i_p)!}{i_0! \, i_1! \cdots i_p!} \, u_0^{i_0} u_1^{i_1} \cdots u_p^{i_p}$. (4)
Intuitively, the hardness of the Polynomial Multi-Composition Problem depends on how we choose the polynomial P in (Z/nZ)[X]. Nevertheless, generally, PMCP cannot be harder than the RSA Problem.
Example 1.
Consider $P(X) = u_2 X^2 + u_0$, r = 3 and the PMCP: "Given $S := P^{(3)}$ find P". Then the system of equations given by relation (4) will be in this case:

$c_0 = u_2^3 u_0^4 + 2 u_2^2 u_0^3 + u_2 u_0^2 + u_0$
$c_2 = 4 u_2^4 u_0^3 + 4 u_2^3 u_0^2$
$c_4 = 6 u_2^5 u_0^2 + 2 u_2^4 u_0$
$c_6 = 4 u_2^6 u_0$
$c_8 = u_2^7$ (5)

(the odd coefficients $c_1, c_3, c_5, c_7$ vanish, since P contains only even powers of X).
After some simple algebraic manipulations we obtain from (5) a relation between the coefficients $c_t$ (mod n) and, analogously, from the last equation in (5), an expression for $u_0$ in terms of the $c_t$ (mod n). (6)

With $c_0, \ldots, c_8$ known we can determine $u_0$ from equation (6). Then $u_2$ can be determined through the direct substitution of $u_0$ in (5).
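Example 1 worked in code, as an added example that is not part of the paper: for $P(X) = u_2 X^2 + u_0$ the coefficients $c_0, \ldots, c_8$ of $S = P^{(3)}$ give back $u_0$ and $u_2$ through modular divisions alone, which is why this instance of the PMCP is easy. The helper names, the toy modulus n = 3233 = 61·53 and the secret P = 7X^2 + 11 are this example's own, and the closed-form identities used for the recovery are derived here from the system (5) rather than taken from the paper's equation (6).

```python
from math import gcd

def poly_mul(a, b, n):
    """Product of two polynomials over Z/nZ (coefficient lists, low degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % n
    return out

def iterate_quadratic(u2, u0, k, n):
    """Coefficients of P^{(k)} for P(X) = u2*X^2 + u0, built step by step as P(F) = u2*F^2 + u0."""
    f = [0, 1]                                   # the identity polynomial X
    for _ in range(k):
        f = [(u2 * c) % n for c in poly_mul(f, f, n)]
        f[0] = (f[0] + u0) % n
    return f

def inv(x, n):
    """Modular inverse; a non-invertible value would expose a factor of n instead."""
    if gcd(x % n, n) != 1:
        raise ValueError("value not invertible mod n")
    return pow(x, -1, n)

def recover_p(s, n):
    """Solve 'given S = P^{(3)} find P' for P = u2*X^2 + u0 using only the coefficients
    c_0, c_4, c_6, c_8 of S and modular divisions (the system (5) written with a = u2*u0):
      c_8 = u2^7, c_6 = 4 u2^6 u0, c_4 = 6 u2^5 u0^2 + 2 u2^4 u0, c_0 = u0 (a (a+1)^2 + 1)."""
    c0, c4, c6, c8 = s[0], s[4], s[6], s[8]
    beta = c6 * inv(4 * c8, n) % n                       # c_6 / (4 c_8) = u0 / u2
    # c_4 / c_8 = 6 beta^2 + 2 beta / u2^2, so a = u2*u0 = u2^2 * beta = 2 beta^2 / (c_4/c_8 - 6 beta^2)
    a = 2 * beta * beta * inv(c4 * inv(c8, n) - 6 * beta * beta, n) % n
    u0 = c0 * inv(a * (a + 1) ** 2 + 1, n) % n           # from the c_0 equation
    u2 = a * inv(u0, n) % n                              # a = u2 * u0
    return u2, u0

N = 3233                                         # constructed toy RSA modulus 61 * 53
S_PUBLIC = iterate_quadratic(7, 11, 3, N)        # S = P^{(3)} for the constructed secret P = 7 X^2 + 11
print(recover_p(S_PUBLIC, N))                    # (7, 11): P is recovered without taking any root mod n
```

The only way the recovery can fail is a non-invertible intermediate value, which happens with negligible probability for random coefficients and would reveal a factor of n anyway.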
Consequently, we need to define a stronger problem in order to meet the usual cryptographic requirements. We introduce in the following the Reducible Polynomial Multi-Composition Problem (RPMCP).
Problem 3.
Let P be a polynomial in Z/nZ[X] where n is an RSA modulus and r a big integer, $1 < r < n-1$. Given the $(\deg(P) + 1)$ coefficients of $S := P^{(r)}$, find P.
SECRYPT 2007 - International Conference on Security and Cryptography
As proven in (Joye, Naccache, Porte, 2004) (see
Theorem 1) the Reducible Polynomial Composition
Problem is equivalent to the RSA Problem. We give
the following result:
Proposition 1. Let P be a polynomial in Z/nZ[X] where n is an RSA modulus, r a big integer, $1 < r < n-1$, $S := P^{(r)}$ and $Q := P^{(r-1)}$. If the Polynomial Multi-Composition Problem "given S and r find P" is reducible then the Polynomial Composition Problem "given $S := Q(P)$ and Q find P" is also reducible.
Proof. (Sketch) We can write the coefficients $k_i$ of Q based on relation (4) for r − 1: each $k_i$, $0 \le i \le \deg(Q)$, is a sum of multinomial terms

$\frac{(i_0 + i_1 + \cdots + i_p)!}{i_0! \, i_1! \cdots i_p!} \, u_0^{i_0} u_1^{i_1} \cdots u_p^{i_p}$ (7)

over the index tuples $(i_0, \ldots, i_p)$ satisfying the corresponding constraints. Therefore, every $k_i$ can be written as a combination of $u_0, \ldots, u_p$.
On the other hand, if the Polynomial Multi-Composition Problem is reducible, then the values of $c_0, \ldots, c_{p(p^{r-1}-1)-1}$ can be deduced from $c_{p(p^{r-1}-1)}, \ldots, c_{p^r}$, which is equivalent to deriving the values of $c_0, \ldots, c_{p(q-1)-1}$ based on $c_{p(q-1)}, \ldots, c_{pq}$ and $k_1, \ldots, k_{q-1}$ in the related Polynomial Composition Problem.
3 CRYPTOGRAPHIC APPLICATIONS
3.1 A Simple PMCP-based Identification Protocol
We suggest the following identification protocol based on PMCP:
In order to set up the system, a Trusted Third Party (TTP) selects and publishes an RSA modulus n. Each user chooses a polynomial P in (Z/nZ)[X] and some big integers q, r and s, $1 < q, r, s < n-1$, such that q + r = s. Afterwards, the user computes

$S := P^{(s)}$, $Q := P^{(q)}$ and $R := P^{(r)}$ (8)

in (Z/nZ)[X] and registers the polynomials S and Q and the integers q, r and s with the TTP. S and Q represent the user's public key and will be made publicly available. Nevertheless, after calculating R, the user will keep it secret. P is the user's secret key.
To prove the knowledge of P the user executes l times the following protocol (Figure 1):

1. The prover selects a random $\omega \in Z/nZ$, evaluates $c := S(\omega)$ and sends c to the verifier;
2. The verifier sends to the prover a random bit b;
3. If $b = 0$ the prover reveals $t = \omega$ and the verifier checks $S(t) = c$; if $b = 1$ the prover reveals $t = R(\omega)$ and the verifier checks $Q(t) = c$.

Figure 1: A simple identification protocol.

3.2 A Diffie-Hellman Like Key Agreement Protocol based on PMCP

Based on the property (2) we can deduce that the polynomials defined as $S := P^{(k)}$, with k a big integer, $1 < k < n-1$, where n is an RSA modulus and $S, P \in Z/nZ[X]$, define an abelian finite group with respect to polynomial composition. This property allows us to devise the following key agreement protocol:

SUMMARY: A and B each send the other one message over an open channel.
RESULT: shared secret K known to both parties A and B.

1. One-time setup. An RSA modulus n, an $\omega \in Z/nZ$ and a polynomial $P \in (Z/nZ)[X]$ are selected and published.
2. Protocol messages.
$A \to B: \; P^{(l)}(\omega) \bmod n$ (i)
$A \leftarrow B: \; P^{(r)}(\omega) \bmod n$ (ii)
3. Protocol actions. Perform the following steps each time a shared key is required.
(a) A chooses a random secret l, $1 < l < n-2$, and sends B the message (i).
(b) B chooses a random secret r, $1 < r < n-2$, and sends A the message (ii).
(c) B receives $P^{(l)}(\omega)$ and computes the shared key as $K = P^{(r)}(P^{(l)}(\omega)) \bmod n$.
(d) A receives $P^{(r)}(\omega)$ and computes the shared key as $K = P^{(l)}(P^{(r)}(\omega)) \bmod n$.
Note that in the described scenario, the polynomial $P \in (Z/nZ)[X]$ is known but the big integers l and r are secret. An adversary tapping the communication between A and B can capture the messages of type (i) and (ii) sent between the two parties. The adversary can also calculate $P(\omega)$ as P and $\omega$ are public. Nevertheless, in order to determine the values l and r, and therefore to be able to determine the shared key K, she will have to solve a problem equivalent to the discrete logarithm problem, which is known to be hard.
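Figure 1 and the key agreement of Section 3.2 as an added example that is not code from the paper; it also exercises the commutativity (2), running one prover/verifier round for either challenge bit and the two messages (i) and (ii) of the exchange. Polynomials are coefficient lists over Z/nZ, the function names are this example's own, and exponents are kept tiny because deg P^{(k)} = (deg P)^k makes the public polynomials S and Q grow exponentially with k.

```python
# Added example, not the paper's code: Figure 1 (Section 3.1) and the key agreement of
# Section 3.2 over (Z/nZ)[X]. Polynomials are coefficient lists, low degree first.

def compose(q, p, n):
    """q(p) in (Z/nZ)[X] by Horner's rule: r <- r*p + q_i for i = deg q down to 0."""
    r = [0]
    for coeff in reversed(q):
        s = [0] * (len(r) + len(p) - 1)
        for i, x in enumerate(r):
            for j, y in enumerate(p):
                s[i + j] = (s[i + j] + x * y) % n
        s[0] = (s[0] + coeff) % n
        r = s
    while len(r) > 1 and r[-1] == 0:             # normalise: drop zero leading terms
        r.pop()
    return r

def iterate(p, k, n):
    """P^{(k)} = P o P o ... o P (k times), notation (1); degree grows as (deg P)^k."""
    r = [0, 1]                                   # the identity polynomial X
    for _ in range(k):
        r = compose(p, r, n)
    return r

def evaluate(poly, x, n):
    """poly(x) mod n by Horner's rule."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % n
    return acc

def iter_eval(p, x, k, n):
    """P^{(k)}(x) mod n by k evaluations of P: no composed polynomial is built."""
    for _ in range(k):
        x = evaluate(p, x, n)
    return x

def identification_round(p, q, r, n, omega, b):
    """One round of Figure 1 with challenge bit b; the verifier holds only S and Q."""
    S, Q, R = iterate(p, q + r, n), iterate(p, q, n), iterate(p, r, n)   # keys (8)
    c = evaluate(S, omega, n)                        # commitment sent to the verifier
    t = omega if b == 0 else evaluate(R, omega, n)   # prover's response
    return evaluate(S if b == 0 else Q, t, n) == c   # verifier's check

def key_agreement(p, omega, l, r, n):
    """Section 3.2: (i) = P^{(l)}(omega), (ii) = P^{(r)}(omega); by (2) K = P^{(l+r)}(omega)."""
    msg_i, msg_ii = iter_eval(p, omega, l, n), iter_eval(p, omega, r, n)
    key_b = iter_eval(p, msg_i, r, n)                # B applies its secret r to (i)
    key_a = iter_eval(p, msg_ii, l, n)               # A applies its secret l to (ii)
    return key_a, key_b
```

The parties in the key agreement never need the composed polynomial, only repeated evaluation of the public P, whereas the verifier of Figure 1 must hold S and Q explicitly, which is where the exponential degree growth bites.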
4 CONCLUSIONS AND FUTURE WORK
The present paper introduced a new cryptographic primitive called the Polynomial Multi-Composition Problem. We showed that this polynomial class defines a commutative group with respect to polynomial composition. This property gave us the possibility to define a key exchange protocol. A zero-knowledge identification scheme based on the mentioned primitive was also presented.
It is interesting to note that the Polynomial
Composition Problem gives a general framework for
studying a wider class of cryptographic primitives.
We believe that a deeper study of the Polynomial
Composition Problem could lead to a better
understanding of the actual cryptographic problems.
REFERENCES
M. Bellare and P. Rogaway, 1993, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM-CCS, pages 62-73. ACM Press, New York.
W. Diffie and M. Hellman, 1976, New Directions in Cryptography, IEEE Trans. Info. Theory 22(6), pages 644-654.
Marc Joye, David Naccache, and Stéphanie Porte, 2004, The Polynomial Composition Problem in (Z/nZ)[X], article retrieved April 3, 2007 from http://citeseer.ist.psu.edu/joye04polynomial.html.
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, 1997, Handbook of Applied Cryptography, CRC Press.
RSA report "Recent Results on OAEP Security", study retrieved May 27, 2007 from http://www.rsa.com/rsalabs/node.asp?id=2147.