MSC 94A60, 16Z05, 14G50, 11T71, 16S50
10.14529/mmp200205
COMMUTATIVE ENCRYPTION METHOD BASED ON HIDDEN LOGARITHM PROBLEM
D.N. Moldovyan1, N.A. Moldovyan1, A.A. Moldovyan1
1 St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences, St. Petersburg, Russian Federation
E-mails: [email protected], [email protected], [email protected]
A candidate post-quantum commutative encryption algorithm is proposed, based on the hidden discrete logarithm problem defined in a new 6-dimensional finite non-commutative associative algebra. The properties of the algebra are investigated in detail and used in the design of the proposed commutative cipher. Formulas describing the set of p^2 different global right-sided units contained in the algebra and the local left-sided units are derived. Homomorphisms of two different types are considered and used in the commutative cipher. The encrypted message is represented in the form of a locally invertible element T of the algebra, and the encryption procedure consists of the exponentiation operation and a homomorphism map followed by left-sided multiplication by a randomly selected local right-sided unit. The introduced commutative cipher is secure against known-plaintext attacks and has been used to develop a post-quantum no-key encryption protocol that makes it possible to send a secret message securely via a public channel without any pre-agreed key. The proposed commutative encryption algorithm is characterized by the use of single-use keys that are selected at random directly during the encryption process.
Keywords: commutative encryption; probabilistic cipher; post-quantum cryptoscheme; no-key protocol; finite non-commutative algebra; associative algebra; global unit; right-sided unit.
Introduction
Public-key cryptographic algorithms and protocols based on the computational difficulty of the factoring problem (FP) and the discrete logarithm problem (DLP) are the most widely used cryptoschemes. However, they will not be secure in the coming era of quantum computations [1, 2], since both the FP and the DLP can be solved in polynomial time on a quantum computer [3]. Therefore, the development of practical post-quantum public-key cryptoschemes is considered one of the challenges in applied and theoretical cryptography. However, the problem of developing post-quantum commutative encryption algorithms has practically remained outside the attention of researchers. This problem is connected with the fact that practical applications require commutative encryption algorithms that are secure against known-plaintext attacks. The known ciphers satisfying this requirement are based on the computational difficulty of the DLP, therefore they do not provide security against quantum attacks. The development of post-quantum versions of commutative ciphers is thus an open problem.
The first attempt to solve this problem relates to designing a commutative cipher on the base of the hidden discrete logarithm problem (HDLP) defined in a finite quaternion algebra [4] set over the finite ground field GF(p). The recent paper [5] has shown that this form of the HDLP is polynomially reducible to the DLP in the finite field GF(p^2).
The present paper introduces a new form of the HDLP, which is applied to the development of post-quantum commutative encryption algorithms suitable for use in no-key protocols. The used form of the HDLP is formulated in a concrete 6-dimensional finite non-commutative associative algebra (FNAA) containing a large set of global right-sided units, which is used as the algebraic support of the proposed post-quantum commutative encryption algorithm. The introduced method is characterized by using the exponentiation operation as the main encryption procedure and homomorphism-map operations as the masking operations.
1. The Used 6-Dimensional Finite Algebra
The finite m-dimensional vector space with an additionally defined operation of multiplying two arbitrary vectors, which is distributive relative to the addition operation, represents the algebraic structure called an m-dimensional finite algebra. Suppose e_0, e_1, ..., e_{m−1} are the basis vectors. A vector A of the vector space defined over the finite field GF(p) can be denoted in the following two forms: A = (a_0, a_1, ..., a_{m−1}) and A = a_0 e_0 + a_1 e_1 + ... + a_{m−1} e_{m−1}, where a_0, a_1, ..., a_{m−1} ∈ GF(p) are called coordinates. The multiplication operation (denoted as ∘) of two vectors A and B = Σ_{j=0}^{m−1} b_j e_j is usually defined as follows:
$$
A \circ B = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} a_i b_j\,(e_i \circ e_j),
$$
where each of the products e_i ∘ e_j is to be substituted by the single-component vector λe_k, where λ ∈ GF(p) is called a structural constant, indicated in the respective cell of the so-called basis vector multiplication table (BVMT). It is usually assumed that the intersection of the ith row and jth column defines the cell indicating the value of the product e_i ∘ e_j. In the developed commutative encryption method we use computations in the 6-dimensional FNAA in which the vector multiplication is defined by the BVMT shown in the Table.
Table
The BVMT defining the FNAA with p^2 global right-sided units (λ ≠ 1)

 ∘  |  e0    e1    e2    e3    e4    e5
----+------------------------------------
 e0 |  e0    e1    e0    e1    e0    e1
 e1 |  e0    e1    λe0   e1    e0    λe1
 e2 |  e2    e5    e2    e5    e2    e5
 e3 |  e4    e3    λe4   e3    e4    λe3
 e4 |  e4    e3    e4    e3    e4    e3
 e5 |  e2    e5    λe2   e5    e2    λe5
1.1. The Set of Global Right-Sided Units
The 6-dimensional FNAA defined by the Table, where λ ≠ 1, contains p^2 different global right-sided units R (global means that these units act on all elements of the algebra), which represent the solutions of the vector equation A ∘ X = A. Using the Table, this equation can be represented in the form of the following system of six linear equations with the coordinates x_0, x_1, x_2, x_3, x_4, x_5 of the right operand as the unknowns:
$$
\begin{cases}
a_0 x_0 + a_1 x_0 + a_0 x_2 + \lambda a_1 x_2 + a_0 x_4 + a_1 x_4 = a_0;\\
a_0 x_1 + a_1 x_1 + a_0 x_3 + a_1 x_3 + a_0 x_5 + \lambda a_1 x_5 = a_1;\\
a_2 x_0 + a_5 x_0 + a_2 x_2 + \lambda a_5 x_2 + a_2 x_4 + a_5 x_4 = a_2;\\
a_3 x_1 + a_4 x_1 + a_3 x_3 + a_4 x_3 + \lambda a_3 x_5 + a_4 x_5 = a_3;\\
a_3 x_0 + a_4 x_0 + \lambda a_3 x_2 + a_4 x_2 + a_3 x_4 + a_4 x_4 = a_4;\\
a_2 x_1 + a_5 x_1 + a_2 x_3 + a_5 x_3 + a_2 x_5 + \lambda a_5 x_5 = a_5.
\end{cases} \tag{1}
$$
Performing the variable substitution u_1 = x_0 + x_2 + x_4, u_2 = x_0 + λx_2 + x_4, u_3 = x_1 + x_3 +x_5, and u_4 = x_1 + x_3 + λx_5, one can show that for an arbitrary vector A the system (1) holds true for the values u_1 = 1, u_2 = 0, u_3 = 0, and u_4 = 1. From these conditions one can write the following formula describing the p^2 global right-sided units R = (r_0, r_1, r_2, r_3, r_4, r_5):
$$
R = \left(h,\; k,\; \frac{1}{1-\lambda},\; \frac{1}{1-\lambda} - k,\; \frac{\lambda}{\lambda-1} - h,\; \frac{1}{\lambda-1}\right), \tag{2}
$$
where h, k = 0, 1, ..., p − 1.
1.2. Local Left-Sided Units
Computing the local left-sided unit for some fixed vector A is connected with finding the solutions of the vector equation
$$
X \circ A = A. \tag{3}
$$
Using the Table one can represent (3) in the form of the following three independent systems of two linear equations with the pairs of unknowns (x_0, x_1), (x_2, x_5), and (x_3, x_4):
$$
\begin{cases}
(a_0 + a_2 + a_4)\,x_0 + (a_0 + \lambda a_2 + a_4)\,x_1 = a_0;\\
(a_1 + a_3 + a_5)\,x_0 + (a_1 + a_3 + \lambda a_5)\,x_1 = a_1;
\end{cases} \tag{4}
$$
$$
\begin{cases}
(a_0 + a_2 + a_4)\,x_2 + (a_0 + \lambda a_2 + a_4)\,x_5 = a_2;\\
(a_1 + a_3 + a_5)\,x_2 + (a_1 + a_3 + \lambda a_5)\,x_5 = a_5;
\end{cases} \tag{5}
$$
$$
\begin{cases}
(a_1 + a_3 + \lambda a_5)\,x_3 + (a_1 + a_3 + a_5)\,x_4 = a_3;\\
(a_0 + \lambda a_2 + a_4)\,x_3 + (a_0 + a_2 + a_4)\,x_4 = a_4.
\end{cases} \tag{6}
$$
The same main determinant Δ_A corresponds to each of the systems (4)–(6):
$$
\Delta_A = (a_0 a_5 + a_4 a_5 - a_1 a_2 - a_2 a_3)(\lambda - 1). \tag{7}
$$
If Δ_A ≠ 0, then each of the systems (4)–(6) has a unique solution, i.e., the vector equation (3) also has a unique solution, which is the single left-sided unit L_A related to the vector A. Solving the systems (4)–(6) one gets the following formulas describing the vector L_A = (l_0, l_1, l_2, l_3, l_4, l_5):
$$
\begin{aligned}
l_0 &= \frac{a_0 a_3 - a_1 a_4 + \lambda (a_0 a_5 - a_1 a_2)}{\Delta_A}, &
l_1 &= \frac{a_1 a_2 + a_1 a_4 - a_0 a_3 - a_0 a_5}{\Delta_A}, &
l_2 &= \frac{1}{1 - \lambda},\\
l_3 &= \frac{a_0 a_3 + a_2 a_3 - a_1 a_4 - a_4 a_5}{\Delta_A}, &
l_4 &= \frac{a_1 a_4 + \lambda a_4 a_5 - a_0 a_3 - \lambda a_2 a_3}{\Delta_A}, &
l_5 &= \frac{1}{\lambda - 1}.
\end{aligned} \tag{8}
$$
Proposition 1. Suppose the vector A is such that Δ_A ≠ 0. Then the local left-sided unit L_A relating to A is contained in the set of the global right-sided units, i.e., there exists a single local two-sided unit E_A relating to the vector A, which is equal to L_A.
Proof. Let us consider the formulas (2) and (8). We have r_2 = l_2 = (1 − λ)^{−1} and r_5 = l_5 = (λ − 1)^{−1}. Substituting the values h = l_0 = Δ_A^{−1} (a_0 a_3 − a_1 a_4 + λ(a_0 a_5 − a_1 a_2)) and k = l_1 = Δ_A^{−1} (a_1 a_2 + a_1 a_4 − a_0 a_3 − a_0 a_5) in (2) we get r_3 = l_3 and r_4 = l_4.
□
Proposition 2. Suppose the vector A is such that Δ_A ≠ 0. Then the local left-sided unit L_A relating to A relates also to the vector A^i for an arbitrary natural value i.
Proof. {L_A ∘ A = A ∘ L_A = A} ⇒ {L_A ∘ A^i = L_A ∘ A ∘ A^{i−1} = A^i; A^i ∘ L_A = A^{i−1} ∘ A ∘ L_A = A^i}.
□
Proposition 3. Suppose the vector A is such that Δ_A ≠ 0. Then the sequence A, A^2, ..., A^i, ... is periodic, and for some positive integer ω we have A^ω = L_A.
Proof. Suppose the sequence A, A^2, ..., A^i, ... contains the zero vector O = (0, 0, 0, 0, 0, 0). Then for some natural number j (for example, j = 2) we have A^{j−1} ≠ O and A^j = O, i.e., A^{j−1} ∘ A = O. Since Δ_A ≠ 0, the equation X ∘ A = O has the unique solution X = O. Therefore A^{j−1} = O. The obtained contradiction proves that all values in the considered sequence are different from O. This fact and the finiteness of the considered algebra show that for some minimum natural number t the value A^t is equal to one of the previous values A, A^2, ..., A^{t−1}, namely, to the value A. Indeed, if we suppose A^t = A^h, where 1 < h < t, then we have A^{t−1} ∘ A = A^{h−1} ∘ A ⇒ (A^{t−1} − A^{h−1}) ∘ A = O. Since Δ_A ≠ 0, we have A^{t−1} − A^{h−1} = O ⇒ A^{t−1} = A^{h−1}. The last equality contradicts the fact that t is the first number for which a repetition occurs. Thus, we have A^t = A^{t−1} ∘ A = A and A^ω = L_A, where ω = t − 1.
□
Proposition 3 shows that every vector A such that Δ_A ≠ 0 generates a finite cyclic group whose unit element is equal to the local left-sided unit of the vector A. The vector A is invertible relative to the unit L_A and can be called a locally invertible element of the algebra. The value ω can be called the local order of the vector A. Respectively, the vectors A such that Δ_A ≠ 0 can be called locally invertible vectors [8].
Proposition 4. The number of locally invertible vectors in the considered 6-dimensional FNAA is equal to Ω = p^3 (p − 1)(p^2 − 1).
Proof. The number of locally invertible vectors equals the number of all elements of the algebra (p^6) minus the number of non-invertible vectors A for which Δ_A = 0. Let us compute the number of vectors A for which Δ_A = 0. From (7) we have a_0 a_5 = (a_1 + a_3) a_2 − a_4 a_5. In the case a_5 ≠ 0 we have p^4 (p − 1) non-invertible vectors satisfying the last equation. One can easily compute that in the case a_5 = 0 the number of non-invertible vectors is equal to p^2 (2p^2 − p). In total, we have n = p^4 (p − 1) + p^2 (2p^2 − p) = p^5 + p^4 − p^3 non-invertible vectors and Ω = p^6 − n = p^3 (p − 1)(p^2 − 1) locally invertible ones.
□
Proposition 5. The set of locally invertible vectors relating to the same fixed local left-sided unit L represents a finite group.
Proof. The value L is the group unit. The vector multiplication operation is associative. For each of the considered locally invertible vectors V there exists a natural number ω such that V^ω = L. The inverse of the vector V is the vector V^{ω−1}, for which we have V ∘ V^{ω−1} = V^{ω−1} ∘ V = L.
□
1.3. Structure of the Considered FNAA
Finding the solutions of the vector equation A ∘ D = O, where O = (0, 0, 0, 0, 0, 0), one can easily show that the considered FNAA contains p^2 different global right-sided zero divisors D, which are described by the formula
$$
D = (d_0, d_1, d_2, d_3, d_4, d_5) = (h,\; k,\; 0,\; -k,\; -h,\; 0), \tag{9}
$$
where h, k = 0, 1, ..., p − 1.
An arbitrary fixed global right-sided unit R sets a homomorphism map of the considered FNAA, which can be called a homomorphism of the φ_R-type.
Proposition 6. Suppose the vector R is a global right-sided unit. Then the map of the FNAA defined by the formula φ_R(X) = R ∘ X, where the vector X takes on all values in the algebra, is a homomorphism.
Proof. For two arbitrary vectors X_1 and X_2 one can get the following:
φ_R(X_1 ∘ X_2) = R ∘ (X_1 ∘ X_2) = (R ∘ X_1) ∘ (R ∘ X_2) = φ_R(X_1) ∘ φ_R(X_2);
φ_R(X_1 + X_2) = R ∘ (X_1 + X_2) = R ∘ X_1 + R ∘ X_2 = φ_R(X_1) + φ_R(X_2).
□
Proposition 7. The homomorphism-map operation φ_R(X) = R ∘ X, where R is a global right-sided unit, and the exponentiation operation X^i are mutually commutative, i.e., the equality R ∘ X^i = (R ∘ X)^i holds true.
Proof. Due to Proposition 6: φ_R(X^i) = (φ_R(X))^i, i.e., R ∘ X^i = (R ∘ X)^i.
□
Proposition 8. Suppose for some fixed global right-sided unit R we have φ_R(X) = R ∘ X = U. Then L_U = R, i.e., the function φ_R(X) takes on values whose local left-sided unit is equal to R.
Proof. For an arbitrary value X we have R ∘ U = R ∘ R ∘ X = R ∘ X = U.
□
Proposition 9. Suppose for some fixed vector X and the global right-sided unit R we have φ_R(X) = R ∘ X = U. Then for all p^2 vectors of the form V_U = R' ∘ U, where R' takes on all values from the set (2), the equality φ_R(V_U) = R ∘ V_U = U holds true.
Proof. φ_R(V_U) = R ∘ R' ∘ U = R ∘ U = U.
□
Proposition 10. Suppose for some fixed vector X and global right-sided unit R we have φ_R(X) = R ∘ X = U, where U is such that Δ_U ≠ 0. Then the vector X can be represented in the form X = R' ∘ U, where R' is a global right-sided unit.
Proof. An arbitrary global right-sided zero divisor D can be represented in the form D = D' ∘ U, where D' is also a global right-sided zero divisor. Indeed, the equation X ∘ U = D has a unique solution X = D', since Δ_U ≠ 0. Evidently, for an arbitrary vector V we have V ∘ (D' ∘ U) = (V ∘ D') ∘ U = O. Since Δ_U ≠ 0, from the last equality we have V ∘ D' = O, hence D' is a global right-sided zero divisor. One can write: {R ∘ X = U; R ∘ U = U} ⇒ R ∘ (X − U) = O ⇒ X − U = D ⇒ X = U + D, where D is a global right-sided zero divisor. The last equality can be represented in the form X = R ∘ U + D' ∘ U = (R + D') ∘ U = R' ∘ U, where R' = R + D' is a global right-sided unit.
□
Propositions 9 and 10 show that exactly p^2 different vectors of the considered 6-dimensional FNAA are mapped into a fixed value U.
Proposition 11. If the vector G satisfying the condition Δ_G ≠ 0 is not a global right-sided unit, then for an arbitrary natural number k such that G^k ≠ G the non-equality φ_R(G^k) ≠ φ_R(G) holds true.
Proof. The map φ_R(X) is a homomorphism, therefore φ_R(G^k − G) = φ_R(G^k) − φ_R(G). Suppose φ_R(G^k) = φ_R(G). Then φ_R(G^k − G) = O ⇒ G^k − G = D, where D is a global right-sided zero divisor. Therefore G ∘ (G^k − G) = O ⇒ (G^k − G) ∘ G = O. Since Δ_G ≠ 0, from the last equation we have G^k − G = O ⇒ G^k = G. The obtained contradiction proves Proposition 11.
□
Proposition 12. If the vector equation V ∘ X = Z has a solution X = S, then the p^2 different values X_j = R_j ∘ S, where R_j takes on all values from the set (2), are also solutions of the given equation.
Proof. V ∘ (R_j ∘ S) = (V ∘ R_j) ∘ S = V ∘ S = Z. □
Evidently, for every global right-sided unit R' we have φ_R(R') = R, and for every global right-sided zero divisor D we have φ_R(D) = O. From Proposition 11 it is easy to see that a fixed cyclic group contained in the algebra is mapped by the function φ_R(X) into another cyclic group of the same order. The finite group Γ contained in the considered algebra as the subset of the algebra elements whose local left-sided unit is equal to a fixed global right-sided unit R_f (the group unit) is mapped by the function φ_R(X) into the finite group having the same order Ω' and the unit equal to the vector R ∘ R_f = R. Selecting different values R_f one can fix p^2 different groups of order Ω'.
Every locally invertible element of the algebra is contained in only one of these groups, therefore we have Ω = Ω' p^2 and the following formula for computing the value Ω' (see Proposition 4): Ω' = p^{−2} Ω = p (p − 1)(p^2 − 1).
1.4. Homomorphism of the ψ-Type
Suppose the vector B is such that Δ_B ≠ 0. Then one can select a random global right-sided unit R and compute the single vector A that satisfies the condition
$$
A \circ B = R.
$$
Solving the last equation for the unknown A gives the value A having local order ω equal to the local order of the vector B and satisfying the condition A^ω = R.
Proposition 13. Suppose A ∘ B = R. Then for an arbitrary natural number t the equality A^t ∘ B^t = R holds true.
Proof. A^t ∘ B^t = A^{t−1} ∘ (A ∘ B) ∘ B^{t−1} = A^{t−1} ∘ B^{t−1} = ... = A ∘ B = R.
□
Proposition 14. Suppose A ∘ B = R. Then the formula ψ_R(X) = B ∘ X ∘ A, where the vector X takes on all values in the considered 6-dimensional FNAA, sets a homomorphism map, called the ψ_R-type homomorphism.
Proof. For two arbitrary 6-dimensional vectors X_1 and X_2 one can get the following:
ψ_R(X_1 ∘ X_2) = B ∘ (X_1 ∘ X_2) ∘ A = B ∘ (X_1 ∘ R ∘ X_2) ∘ A = (B ∘ X_1 ∘ A) ∘ (B ∘ X_2 ∘ A) = ψ_R(X_1) ∘ ψ_R(X_2);
ψ_R(X_1 + X_2) = B ∘ (X_1 + X_2) ∘ A = (B ∘ X_1 ∘ A) + (B ∘ X_2 ∘ A) = ψ_R(X_1) + ψ_R(X_2).
□
Proposition 15. The ψ_R-type homomorphism-map operation ψ_R(X) = B ∘ X ∘ A and the exponentiation operation X^k are mutually commutative, i.e., the equality B ∘ X^k ∘ A = (B ∘ X ∘ A)^k holds true.
Proof. ψ_R(X^k) = (ψ_R(X))^k ⇒ B ∘ X^k ∘ A = (B ∘ X ∘ A)^k.
□
Proposition 16. Suppose V is an arbitrary fixed value. Then each of the elements V + D, where D takes on all values from the set (9), is mapped by the function ψ_R into the value ψ_R(V).
Proof. We have ψ_R(V + D) = ψ_R(V) + ψ_R(D) = ψ_R(V) + O = ψ_R(V).
□
Proposition 17. Suppose V is an arbitrary fixed locally invertible element whose order is equal to ω. Then the local left-sided unit relating to the value V + D, where D takes on all values from the set (9), is equal to the value L_{V+D} = L_V + D ∘ V^{ω−1}, where L_V is the local left-sided unit related to the vector V.
Proof. Taking into account that the local left-sided unit L_V is simultaneously one of the global right-sided units, we have (L_V + D ∘ V^{ω−1}) ∘ (V + D) = L_V ∘ V + D ∘ V^ω = V + D ∘ L_V = V + D.
□
Proposition 18. Suppose V is an arbitrary fixed locally invertible element whose order is equal to ω. Then the order of each of the values V + D, where D takes on all values from the set (9), is equal to ω.
Proof. (V + D)^ω = (V + D)^{ω−1} ∘ (V + D) = (V + D)^{ω−1} ∘ V = (V + D)^{ω−2} ∘ V^2 = ... = (V + D) ∘ V^{ω−1} = V^ω + D ∘ V^{ω−1} = L_V + D ∘ V^{ω−1} = L_{V+D} (see Proposition 17).
□
Proposition 19. Suppose S is a solution of the equation A ∘ X = Z, where A is an arbitrary fixed locally invertible vector, i.e., Δ_A ≠ 0. Then the vector S' = S + D, where D is an arbitrary global right-sided zero divisor from the set (9), is also a solution.
Proof. We have A ∘ (S + D) = A ∘ S + A ∘ D = A ∘ S + O = A ∘ S = Z.
□
Proposition 20. Suppose S_1 and S_2 are two different solutions of the equation A ∘ X = Z, where A is such that Δ_A ≠ 0. Then S_2 = S_1 + D', where D' is a global right-sided zero divisor from the set (9), i.e., the formula S = S_1 + D, where D takes on all values from the set (9), describes all p^2 solutions of the given equation.
Proof. We have A ∘ S_2 − A ∘ S_1 = O ⇒ A ∘ (S_2 − S_1) = O ⇒ S_2 − S_1 = D ⇒ S_2 = S_1 + D, where D is an element of the set (9). Due to Proposition 19 the value S = S_1 + D' is also a solution of the given equation for an arbitrary value D' from the set (9), therefore we have exactly p^2 different solutions.
□
Proposition 21. Suppose V is a locally invertible element of the considered algebra. Then an arbitrary global right-sided zero divisor D can be represented in the form D = D' ∘ V, where D' is also a global right-sided zero divisor.
Proof. The equation X ∘ V = D has a unique solution X = D', since Δ_V ≠ 0. Evidently, for an arbitrary vector A we have A ∘ (D' ∘ V) = (A ∘ D') ∘ V = O. Since Δ_V ≠ 0, we have A ∘ D' = O, hence D' is a global right-sided zero divisor.
□
Proposition 22. Suppose the finite group Γ has order Ω' and includes the locally invertible algebra elements {V_1, V_2, ..., V_i, ..., V_{Ω'}}, one of which is the group unit E. Then for the homomorphism map ψ_R(X) = B ∘ X ∘ A, where A ∘ B = R, the non-equality ψ_R(V_i) ≠ ψ_R(V_j) holds true for two arbitrary group elements V_i and V_j ≠ V_i.
Proof. Suppose ψ_R(V_i) = ψ_R(V_j). Then we have B ∘ V_i ∘ A − B ∘ V_j ∘ A = O ⇒ (B ∘ V_i − B ∘ V_j) ∘ A = O ⇒ B ∘ (V_i − V_j) = O ⇒ V_i − V_j = D. Due to Proposition 21 the last equality can be represented in the form V_i = E ∘ V_j + D' ∘ V_j = (E + D') ∘ V_j = R' ∘ V_j, where R' = E + D' is a global right-sided unit. Since V_i = R' ∘ V_j, we have L_{V_i} = R'. Since V_i ∈ Γ, L_{V_i} = E. Thus, we have R' = E ⇒ E + D' = E ⇒ D' = O ⇒ V_i = V_j. The obtained contradiction proves Proposition 22.
□
Proposition 23. Suppose the set of the algebra elements {V_1, V_2, ..., V_i, ..., V_{Ω'}} is a finite group of order Ω' with the group unit E. Then all p^2 different groups contained in the considered algebra can be represented as the following p^2 sets of the algebra elements {R ∘ V_1, R ∘ V_2, ..., R ∘ V_i, ..., R ∘ V_{Ω'}}, where R takes on all values from the set (2) describing all right-sided units contained in the algebra.
Proof. The inverse of every fixed value R ∘ V_i is the value R ∘ V_j, where V_j is such that V_i ∘ V_j = E. Indeed, (R ∘ V_i) ∘ (R ∘ V_j) = R ∘ (V_i ∘ V_j) = R ∘ E = R, where R is the group unit of the set connected with the fixed value R. Every locally invertible element of the algebra is included in only one of the considered sets of the algebra elements, namely, in the group with the group unit E = L_A.
□
Proposition 24. Suppose the set of the algebra elements {V_1, V_2, ..., V_i, ..., V_{Ω'}} is a finite group with the group unit E, and the pairs of values (A_k, B_k), where k = 1, 2, ..., p^2, are such that the vectors R_k = A_k ∘ B_k take on all values from the set (2) of the global right-sided units. Then the following p^2 sets {ψ_{R_k}(V_1), ψ_{R_k}(V_2), ..., ψ_{R_k}(V_{Ω'})} describe all p^2 different finite groups of order Ω' contained in the considered 6-dimensional FNAA.
Proof. For k = 1, 2, ..., p^2 we have p^2 different local two-sided unit elements E_k = ψ_{R_k}(E) = B_k ∘ E ∘ A_k = R_k ∘ E = R_k.
□
From Proposition 22 it is easy to see that each of the p^2 finite groups of order Ω' contained in the considered 6-dimensional FNAA is mapped by the function ψ_R(X) = B ∘ X ∘ A into the single finite group with the unit equal to the value R = A ∘ B.
For the fixed values A, B, and R, selecting different non-negative integer values t one can define different homomorphism maps of the set of locally invertible algebra elements into the fixed finite group Γ, which can be described by the formula ψ(X) = B^t ∘ X ∘ A^t.
2. Forms of the HDLP
The DLP is defined in a finite cyclic group Γ as follows: Y' = G^x, where G is a generator of the group and the value x is an unknown natural number. Finding the value x, when the values G and Y' are known, is called the DLP. The HDLP is defined so that one of the values G and Y', or both of them, are hidden (masked), namely, instead of the values G and Y' some other values Z and Y, correspondingly, are given.
Thus, it is supposed that the cyclic group Γ is a subset of the elements of some algebraic structure called the carrier of the HDLP. The FNAAs suit well for defining different versions of the HDLP. The exponentiation operation G^x is the base operation in the HDLP. The operations used to mask the values G and Y' are called masking operations. To make it possible to design a public-key cryptoscheme on the base of the HDLP one should use masking operations that are mutually commutative with the base exponentiation operation. Therefore, the automorphism-map operations and the homomorphism-map operations are attractive for use as masking operations. A particular form of the HDLP is defined by the concrete set of the used masking operations.
The FNAAs are of significant interest as algebraic carriers of the HDLP and of the cryptoschemes based on it. Different types of FNAAs are used to define different forms of the HDLP. For the first time the HDLP was defined in the finite algebra of quaternions [4, 6] as follows:
$$
Y = Q^w \circ G^x \circ Q^{-w} = \alpha(G^x), \tag{10}
$$
where Q ∘ G ≠ G ∘ Q; α(V) is the automorphism-map operation (V takes on all values in the quaternion algebra). The form of the HDLP described by formula (10) was applied to design a public key-agreement scheme and a commutative encryption algorithm [4, 6]. However, the reducibility of this first form of the HDLP to the DLP in the finite field GF(p^2) was shown in the paper [5].
Recently [7, 8] several new FNAAs and new versions of the HDLP were introduced and used to develop post-quantum digital signature protocols. For example, in the digital signature scheme defined in the FNAA containing a global two-sided unit the public key represents the triple of vectors (Y, Z, W) defined as follows [7]:
$$
Y = Q \circ G^x \circ Q^{-1},\qquad Z = H \circ G \circ H^{-1},\qquad W = Q \circ E \circ H^{-1}, \tag{11}
$$
where Q ∘ G ≠ G ∘ Q; H ∘ G ≠ G ∘ H; E is a randomly selected vector from the set of local units related to the non-invertible vector G. The HDLP defined by formula (11) consists in finding the value x when only the public key is known.
In the signature scheme defined in the FNAA containing a large set of global left-sided units the public key represents the pair of vectors (Y, Z) defined as follows [8]:
$$
Y = H \circ G^x \circ D,\qquad Z = J \circ G \circ W, \tag{12}
$$
where D ∘ G ≠ G ∘ D; D ∘ H = L_1; D ∘ J = L_2; W ∘ J = L_3; L_1, L_2, and L_3 are global left-sided units. The HDLP defined by formula (12) consists in finding the value x when only the values Y and Z are known. In each of the last two versions of the HDLP no element of the base finite cyclic group is known, therefore the method [5] for reducing the HDLP to the DLP in a finite field does not work.
3. Commutative Encryption
An encryption algorithm F is called commutative if for two arbitrary keys K_1 and K_2 ≠ K_1 the following condition holds true:
$$
F_{K_1}\left[F_{K_2}(T)\right] = F_{K_2}\left[F_{K_1}(T)\right], \tag{13}
$$
where T is the encrypted message. Commutative encryption algorithms resisting known-plaintext attacks are used as the base primitive of Shamir's three-pass protocol [9] for no-key encryption, described as follows. To send a secret message T to Bob, using a public channel and no pre-agreed key, Alice can use the following protocol:
1. Alice encrypts the message T using a random key K_1 and the commutative encryption function F: C_1 = F_{K_1}(T). Then she sends the ciphertext C_1 to Bob.
2. Using a random key K_2, Bob encrypts the ciphertext C_1: C_2 = F_{K_2}(C_1). Then he sends the ciphertext C_2 to Alice.
3. Using the decryption function F^{−1}, Alice decrypts the ciphertext C_2: C_3 = F^{−1}_{K_1}(C_2) and sends the ciphertext C_3 to Bob.
After receiving the ciphertext C_3, Bob recovers the message T = F^{−1}_{K_2}(C_3).
If the commutative cipher F is secure against the known-plaintext attack, then the described protocol provides security. However, the protocol does not provide authenticity, and this fact is to be taken into account in practical applications of the protocol. The exponentiation cipher proposed by Pohlig and Hellman in [10] suits well for implementing the no-key encryption protocol. That commutative cipher uses the exponentiation operation modulo a large prime p, for example, of size 2048 bits and with the structure described by the formula p = 2q + 1, where q is a large prime.
The encryption/decryption key (e, d) is generated as follows: 1) select at random a natural number e of size 256 (or more) bits which is coprime with (p − 1); 2) compute the value d = e^{−1} mod (p − 1). The encryption and decryption procedures are described by the formulas C = T^e mod p and T = C^d mod p. The security of the Pohlig–Hellman cipher is defined by the computational difficulty of the DLP modulo p.
In the present paper we use the notion of the commutativity of the encryption function in an extended sense. We call a cipher commutative if the consecutive encryption of the source message on two different keys produces a ciphertext which can be correctly decrypted using the keys in arbitrary order. The proposed definition of commutativity also makes it possible to implement no-key encryption protocols on the base of such commutative ciphers.
The introduced interpretation of the notion of commutative encryption covers the deterministic commutative ciphers defined by formula (13). The proposed extended interpretation of the notion of commutativity covers both the deterministic commutative ciphers and the probabilistic commutative ciphers.
4. Probabilistic Commutative Encryption Algorithm
Suppose the FNAA described in Section 1 is defined over the field GF(p), where p = 2q + 1 and q is a 256-bit prime, and the encrypted message is represented in the form of the 6-dimensional vector T = (t_0, t_1, ..., t_5) which satisfies the condition Δ_T ≠ 0. The local two-sided unit E_T relating to the vector T can be computed as the local left-sided unit L_T from the formulas (8), since E_T = L_T.
The vector T is contained in one of the p^2 finite groups of order Ω' that are contained in the considered 6-dimensional FNAA. The order of the vector T is equal to a divisor of the integer p (p^2 − 1). Therefore, an alternative method for finding the value E_T is performing the computation defined by the following formula:
$$
E_T = T^{p(p^2 - 1)}. \tag{14}
$$
Evidently, computing the value E_T from the formulas (8) has significantly lower computational complexity than from formula (14). The message T can be encrypted and then correctly decrypted using the following two formulas:
$$
C = T^e;\qquad T = C^d, \tag{15}
$$
where e and d are values satisfying the condition ed ≡ 1 mod p (p^2 − 1).
The security of the commutative cipher defined by the formulas (15) is based on the computational difficulty of the DLP. To develop a post-quantum commutative cipher one can additionally use the masking homomorphism-map operations, for example, the φ_R operation.
The following probabilistic commutative cipher uses the ciphering key (e, d) and a single-use key representing a randomly selected global right-sided unit R, and includes the following steps:
1. Using the formulas (8), compute the local two-sided unit E_T relating to the message T.
2. Using the formula (2), compute a random global right-sided unit R and compute the value C = R ∘ T^e.
3. Output the ciphertext representing the pair of two vectors (E_T, C).
This encryption algorithm defines a probabilistic encryption process due to the use of a randomly selected single-use key R. The ciphertext is twice as large as the source message T. The value C is the part of the ciphertext that depends on the random value R. The decryption procedure is defined by the following formula:
$$
T = E_T \circ C^d.
$$
The correctness proof of this probabilistic cipher is as follows:
$$
E_T \circ C^d = E_T \circ (R \circ T^e)^d = E_T \circ R \circ T^{ed} = E_T \circ T = T.
$$
A feature of the described probabilistic cipher relates to the fact that the first part of the ciphertext is independent of the encryption key. Therefore, one should define the process of encrypting the message on two different keys. Evidently, the first part E_T of the ciphertext should be computed in the frame of the first encryption, and in the frame of the second encryption only the second part C of the ciphertext is to be encrypted.
Thus, the encryption on the key (e_A, d_A) and then on the key (e_B, d_B) produces the ciphertext
$$
C_{AB} = \left(E_T,\; R_B \circ T^{e_A e_B}\right),
$$
where R_B is the single-use subkey selected at random at the second encryption. The encryption on the key (e_B, d_B) and then on the key (e_A, d_A) produces the ciphertext
$$
C_{BA} = \left(E_T,\; R_A \circ T^{e_B e_A}\right),
$$
where R_A is the single-use subkey at the second encryption. Due to the use of a single-use key selected at random, in the considered two cases the output ciphertexts have different values. Nevertheless, both the ciphertext C_AB and the ciphertext C_BA are decrypted correctly using the keys (e_A, d_A) and (e_B, d_B) in arbitrary order, i.e., the described probabilistic cipher is commutative.
5. Post-Quantum Commutative Cipher
To implement encryption of the message T using both homomorphism-map operations (the two types of maps considered above), one should specify two vectors A and B such that $A \circ B = R_0$, where $R_0$ is some fixed global right-sided unit, as common parameters of the encryption function. Besides, an additional subkey representing a natural number $t < p^2 - 1$ is used in the encryption process, i.e. the encryption key is the triple of non-negative integers $(e, d, t)$. The proposed post-quantum commutative cipher is described as follows:
1. Using formulas (8), compute the local two-sided unit $E_T$ relating to the encrypted message T.
2. Using formula (2), compute a random global right-sided unit R as the value of the single-use key and compute the ciphertext $C = R \circ B^t \circ T^e \circ A^t$.
3. Output the ciphertext in the form of the pair of two vectors $(E_T, C)$.
This encryption procedure is probabilistic. The decryption procedure is described by the following formula:
$T = E_T \circ A^t \circ C^d \circ B^t.$
Correctness proof of the decryption process is as follows:
$E_T \circ A^t \circ C^d \circ B^t = E_T \circ A^t \circ (R \circ B^t \circ T^{ed} \circ A^t) \circ B^t = E_T \circ R_0 \circ T \circ R_0 = E_T \circ T = T.$
Encrypting the message T on the key $(e_A, d_A, t_A)$ and then on the key $(e_B, d_B, t_B)$ outputs the ciphertext
$C_{AB} = (E_T,\; R_B \circ B^{t_A + t_B} \circ T^{e_A e_B} \circ A^{t_A + t_B}),$
where $R_B$ is the single-use key used at the second encryption. Encrypting the message T on the key $(e_B, d_B, t_B)$ and then on the key $(e_A, d_A, t_A)$ produces the ciphertext
$C_{BA} = (E_T,\; R_A \circ B^{t_A + t_B} \circ T^{e_B e_A} \circ A^{t_B + t_A}),$
where $R_A$ is the single-use key used at the second encryption. One can easily show that each of the ciphertexts $C_{AB}$ and $C_{BA}$ can be decrypted correctly using the keys $(e_A, d_A, t_A)$ and $(e_B, d_B, t_B)$ in either order and, therefore, the proposed post-quantum encryption algorithm is commutative. It can be used as the base encryption function in the following post-quantum no-key protocol:
1. Alice selects her local key $(e_A, d_A, t_A)$, generates at random the single-use subkey $R_A$, computes the local two-sided unit $E_T$ relating to the vector T, and encrypts the message T:
$C_1 = R_A \circ B^{t_A} \circ T^{e_A} \circ A^{t_A}.$
Then she sends the ciphertext $(E_T, C_1)$ to Bob.
2. Bob selects his local key $(e_B, d_B, t_B)$, generates at random the single-use subkey $R_B$, and encrypts the vector $C_1$:
$C_2 = R_B \circ B^{t_B} \circ C_1^{e_B} \circ A^{t_B}.$
Then he sends the vector $C_2$ to Alice.
3. Alice generates at random a fresh single-use subkey $R_A$ and decrypts the vector $C_2$, obtaining the ciphertext
$C_3 = R_A \circ A^{t_A} \circ C_2^{d_A} \circ B^{t_A}.$
Then she sends the vector $C_3$ to Bob.
After receiving the ciphertext $C_3$, Bob computes the value
$T = E_T \circ A^{t_B} \circ C_3^{d_B} \circ B^{t_B}.$
Correctness proof of the protocol is as follows:
$C_2 = R_B \circ B^{t_B} \circ C_1^{e_B} \circ A^{t_B} = R_B \circ B^{t_B} \circ (R_A \circ B^{t_A} \circ T^{e_A} \circ A^{t_A})^{e_B} \circ A^{t_B} = R_B \circ B^{t_B} \circ (B^{t_A} \circ T^{e_A e_B} \circ A^{t_A}) \circ A^{t_B} = R_B \circ B^{t_A + t_B} \circ T^{e_A e_B} \circ A^{t_A + t_B};$
$C_3 = R_A \circ A^{t_A} \circ (R_B \circ B^{t_A + t_B} \circ T^{e_A e_B} \circ A^{t_A + t_B})^{d_A} \circ B^{t_A} = R_A \circ (A^{t_A} \circ R_B \circ B^{t_A}) \circ B^{t_B} \circ T^{e_B} \circ A^{t_B} \circ (A^{t_A} \circ B^{t_A}) = R_A \circ R_0 \circ B^{t_B} \circ T^{e_B} \circ A^{t_B} \circ R_0 = R_A \circ B^{t_B} \circ T^{e_B} \circ A^{t_B};$
$E_T \circ A^{t_B} \circ C_3^{d_B} \circ B^{t_B} = E_T \circ A^{t_B} \circ (R_A \circ B^{t_B} \circ T^{e_B d_B} \circ A^{t_B}) \circ B^{t_B} = E_T \circ R_0 \circ T \circ R_0 = E_T \circ T = T.$
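The following Python script is an added example, not code from the paper; it covers both the Section 5 cipher and the no-key protocol built on it, over the same 2-dimensional toy algebra (a, b) ∘ (c, d) = (ac, bc) mod p used above (the script stands alone and redefines it). The toy carrier is not the paper's 6-dimensional algebra: it satisfies every identity the correctness proofs use (associativity, global right-sided units (1, r), a local two-sided unit E_T for each locally invertible T, and A^t ∘ B^t = R_0 whenever A ∘ B = R_0), but it has no hidden-logarithm hardness, so the script only verifies the algebra of the protocol, not its security. The public vectors A and B, the prime p = 65537, the keys and the single-use values r are constructed sample values; the partial decryption step, which multiplies by a fresh random unit so that the leading R_0 is absorbed, follows step 3 of the protocol.

```python
# Added example (not the paper's code): Section 5 cipher and the three-pass
# no-key protocol over a 2-dimensional TOY algebra, not the paper's FNAA.
# Elements are pairs (a, b) over GF(P) with product (a, b) o (c, d) = (a*c, b*c).
import secrets

P = 65537   # assumed ground field; P - 1 = 2**16, so every odd e has an inverse d


def mul(x, y):
    a, b = x
    c, _ = y
    return (a * c % P, b * c % P)


def apow(x, k):
    """x^k for k >= 1 by square-and-multiply over the algebra product."""
    assert k >= 1
    result, base = None, x
    while k:
        if k & 1:
            result = base if result is None else mul(result, base)
        base = mul(base, base)
        k >>= 1
    return result


def local_unit(t):
    """E_T = (1, b/a): two-sided unit of T = (a, b), a != 0."""
    a, b = t
    return (1, b * pow(a, -1, P) % P)


def right_unit(r=None):
    """Global right-sided unit (1, r); r is random unless supplied."""
    return (1, (secrets.randbelow(P) if r is None else r) % P)


def common_params(a1, r0, b2):
    """Public vectors A, B with A o B = R_0 = (1, r0); a1, r0, b2 are constructed inputs."""
    A = (a1 % P, r0 * a1 % P)
    B = (pow(a1, -1, P), b2 % P)
    assert mul(A, B) == (1, r0 % P)
    return A, B


def keygen(e, t):
    """Local key (e, d, t): e*d = 1 mod (P - 1), t is the homomorphism-map exponent."""
    return e, pow(e, -1, P - 1), t


def encrypt(t_msg, key, A, B, r=None):
    """Section 5 steps 1-3: (E_T, C) with C = R o B^t o T^e o A^t."""
    e, _, t = key
    c = mul(mul(mul(right_unit(r), apow(B, t)), apow(t_msg, e)), apow(A, t))
    return local_unit(t_msg), c


def reencrypt(c, key, A, B, r=None):
    """Encryption on a further key acts on the second part only: R' o B^t o C^e o A^t."""
    e, _, t = key
    return mul(mul(mul(right_unit(r), apow(B, t)), apow(c, e)), apow(A, t))


def partial_decrypt(c, key, A, B, r=None):
    """Remove one key without E_T (protocol step 3): R' o A^t o C^d o B^t."""
    _, d, t = key
    return mul(mul(mul(right_unit(r), apow(A, t)), apow(c, d)), apow(B, t))


def decrypt(e_t, c, key, A, B):
    """Final decryption: T = E_T o A^t o C^d o B^t."""
    _, d, t = key
    return mul(mul(mul(e_t, apow(A, t)), apow(c, d)), apow(B, t))


def no_key_protocol(t_msg, key_a, key_b, A, B, r1=None, r2=None, r3=None):
    """Alice sends T to Bob with no pre-agreed key; returns Bob's result and the transcript."""
    e_t, c1 = encrypt(t_msg, key_a, A, B, r1)        # Alice -> Bob: (E_T, C1)
    c2 = reencrypt(c1, key_b, A, B, r2)              # Bob -> Alice: C2
    c3 = partial_decrypt(c2, key_a, A, B, r3)        # Alice -> Bob: C3 (fresh R_A)
    return decrypt(e_t, c3, key_b, A, B), (e_t, c1, c2, c3)


if __name__ == "__main__":
    A, B = common_params(3, 5, 7)
    key_a, key_b = keygen(12345, 6), keygen(54321, 9)
    recovered, _ = no_key_protocol((4321, 8765), key_a, key_b, A, B)
    print(recovered == (4321, 8765))
```

Everything an eavesdropper sees (E_T, C1, C2, C3) carries a different random unit, and in the toy algebra the whole scheme collapses to a Pohlig-Hellman exponentiation on the first coordinate; the paper's security argument depends on the hidden-logarithm structure of its 6-dimensional carrier, which this toy does not reproduce.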
Conclusion
A new, wider interpretation of the notion of commutative encryption is proposed, and for the first time a probabilistic commutative cipher has been developed. A new 6-dimensional FNAA (defined over the finite ground field GF(p)) containing $p^2$ different global right-sided units is introduced as the algebraic carrier of post-quantum cryptoschemes based on the computational difficulty of the HDLP. The structure and respective properties of the algebra have been studied and used in the design of the proposed post-quantum commutative cipher. The exponentiation operation is used as the base encryption operation, which is complemented with two different masking homomorphism-map operations. A novel feature of the proposed commutative encryption method is the application of single-use subkeys selected at random from the set of $p^2$ global right-sided units contained in the used algebraic carrier.
Acknowledgements. The reported study was partially funded by Russian Foundation for Basic Research (project no. 18-07-00932-a).
References
1. Song Y. Yan. Quantum Computational Number Theory. N.Y., Springer, 2015.
2. Song Y. Yan. Quantum Attacks on Public-Key Cryptosystems. N.Y., Springer, 2014.
66 Bulletin of the South Ural State University. Ser. Mathematical Modelling, Programming & Computer Software (Bulletin SUSU MMCS), 2020, vol. 13, no. 2, pp. 54-68
3. Shor P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on Quantum Computer. SIAM Journal of Computing, 1997, vol. 26, pp. 1484-1509.
4. Moldovyan D.N. Non-Commutative Finite Groups as Primitive of Public-Key Cryptoschemes. Quasigroups and Related Systems, 2010, vol. 18, no. 2, pp. 165-176.
5. Kuzmin A.S., Markov V.T., Mikhalev A.A., Mikhalev A.V., Nechaev A.A. Cryptographic Algorithms on Groups and Algebras. Journal of Mathematical Sciences, 2017, vol. 223, no. 5, pp. 629-641.
6. Moldovyan D.N., Moldovyan N.A. Cryptoschemes over Hidden Conjugacy Search Problem and Attacks Using Homomorphisms. Quasigroups Related Systems, 2010, vol. 18, no. 2, pp. 177-186.
7. Moldovyan A.A., Moldovyan N.A. Post-Quantum Signature Algorithms Based on the Hidden Discrete Logarithm Problem. Computer Science Journal of Moldova, 2018, vol. 26, no. 3 (78), pp. 301-313.
8. Moldovyan N.A., Moldovyan A.A. Finite Non-Commutative Associative Algebras as Carriers of Hidden Discrete Logarithm Problem. Bulletin of the South Ural State University. Series: Mathematical Modelling, Programming and Computer Software, 2019, vol. 12, no. 1, pp. 66-81.
9. Menezes A.J., Oorschot P.C., Vanstone S.A. Applied Cryptography. N.Y., London, CRC Press, 1996.
10. Hellman M.E., Pohlig S.C. Exponentiation Cryptographic Apparatus and Method. U.S. Patent no. 4,424,414, 3 January 1984.
Received June 17, 2019
UDC 681.3 10.14529/mmp200205
FINITE NON-COMMUTATIVE ASSOCIATIVE ALGEBRAS AS CARRIERS OF THE HIDDEN DISCRETE LOGARITHM PROBLEM
D.N. Moldovyan1, N.A. Moldovyan1, A.A. Moldovyan1
1 St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences, St. Petersburg, Russian Federation
A candidate for a post-quantum commutative encryption algorithm is proposed, based on the hidden discrete logarithm problem defined in a new six-dimensional finite non-commutative associative algebra. The properties of the algebra are investigated in detail and used in the design of the proposed commutative cipher. Formulas describing the p2 global right-sided units contained in the algebra are derived. Homomorphisms of two different types are considered and used in the cipher. The encrypted message is represented as a locally invertible element T of the algebra, and the encryption procedure includes performing the exponentiation operation and a homomorphism map, followed by left-sided multiplication by a randomly selected global right-sided unit. The proposed cipher is secure against known-plaintext attacks and has been used to develop a no-key encryption protocol that makes it possible to transmit secret messages securely over open channels without using any pre-agreed keys. The proposed commutative cipher is distinguished by the use of single-use subkeys selected at random directly during the encryption process.
Keywords: commutative encryption; probabilistic cipher; post-quantum cryptoscheme; finite non-commutative algebra; associative algebra; global unit; right-sided unit.
Dmitriy Nikolaevich Moldovyan, Candidate of Technical Sciences, Researcher, Laboratory of Cybersecurity and Post-Quantum Cryptosystems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (St. Petersburg, Russian Federation), [email protected].
Nikolay Andreevich Moldovyan, Doctor of Technical Sciences, Professor, Chief Researcher, Laboratory of Cybersecurity and Post-Quantum Cryptosystems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (St. Petersburg, Russian Federation), [email protected].
Alexander Andreevich Moldovyan, Doctor of Technical Sciences, Professor, Chief Researcher, Laboratory of Cybersecurity and Post-Quantum Cryptosystems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (St. Petersburg, Russian Federation), [email protected].
Received 17 June 2019.