Article, Open Access

Improved cryptanalysis of a ElGamal Cryptosystem Based on Matrices Over Group Rings

Atul Pandey, Indivar Gupta and Dhiraj Kumar Singh
Published/Copyright: 20 December 2020

Abstract

The ElGamal cryptosystem has emerged as one of the most important constructions in Public Key Cryptography (PKC) since the Diffie-Hellman key exchange protocol was proposed. However, public key schemes based on number theoretic problems such as the discrete logarithm problem (DLP) are at risk because of the evolution of quantum computers. As a result, non-number theoretic alternatives are a dire need of the entire cryptographic community.

In 2016, Saba Inam and Rashid Ali proposed an ElGamal-like cryptosystem based on matrices over group rings in 'Neural Computing & Applications'. Using a linear algebra approach, Jia et al. provided a cryptanalysis of the cryptosystem in 2019 and claimed that their attack could recover all the equivalent keys. However, this is not the case: we have improved their cryptanalysis approach and derived all equivalent key pairs that can be used to totally break the ElGamal-like cryptosystem proposed by Saba and Rashid. Using the decomposition of matrices over group rings into larger matrices over the base ring, we have made the cryptanalysis algorithm more practical and efficient. We have also proved that the ElGamal cryptosystem proposed by Saba and Rashid achieves neither IND-CPA nor IND-CCA security.

MSC 2010: 94A60

1 Introduction

The security of the ElGamal encryption scheme depends on the difficulty of solving the discrete logarithm problem. The standard security notion for ElGamal encryption is indistinguishability under a chosen plaintext attack (IND-CPA), whereas a stronger notion is indistinguishability under a chosen ciphertext attack (IND-CCA).

Since they cannot resist quantum attacks, the traditional cryptosystems based on the DLP are no longer considered secure, and there has been interest in constructing ElGamal encryption schemes on non-number theoretic platform structures. In this context, Majid Khan et al. [6] proposed two new ElGamal public key encryption schemes based on large commutative subgroups of general linear groups over a residue ring, which were later cryptanalyzed by Jia et al. [4] using a structural attack.

In 2016, Inam and Ali improved on it [3] and proposed a new ElGamal-like cryptosystem based on matrices over a group ring. The authors claimed that the cryptosystem is safe against known plaintext attacks and has the potential to resist quantum attacks. However, a linear algebra attack in [5] rendered the cryptosystem insecure; the authors of [5] also claimed that they could retrieve all the equivalent keys that can be used for decryption. Inam and Ali also provided a simple fix for their cryptosystem which, they claimed, is able to withstand chosen ciphertext attacks.

Our Contribution: In this paper we prove that the ElGamal cryptosystem proposed by Saba and Rashid achieves neither IND-CPA nor IND-CCA security, which makes the cryptosystem completely insecure. We develop a cryptanalytic attack and derive all equivalent keys (including the keys generated by the authors of [5]) that can be used to totally break the ElGamal-like cryptosystem of Saba and Rashid. We decompose group ring elements into matrices over the base ring, which makes the proposed cryptanalytic algorithm more efficient and practical.

The rest of this article is organized as follows. Section 2 provides the necessary background for this work. In section 3, we present the ElGamal-like cryptosystem proposed by Saba Inam and Rashid Ali. In sections 4 and 5, we prove that the proposed scheme is not secure against IND-CPA and IND-CCA adversaries. In section 6, we develop a stronger attack which derives all the equivalent keys for the proposed cryptosystem, and we discuss the computational complexity of the attack. Conclusions are drawn in section 7.

2 Preliminaries

Definition 1

(Group Ring). Let R be a commutative ring with unity and $G = \{g_1, g_2, \ldots, g_k\}$ be a finite multiplicative group. The group ring, denoted GR, consists of all finite sums of the form

$$p = \sum_{g \in G} \alpha_g\, g$$

where $\alpha_g \in R$. Let $q = \sum_{g \in G} \beta_g\, g$ and $r = \sum_{h \in G} \gamma_h\, h$ be elements of GR; then addition and multiplication are defined as follows:

$$p + q = \Big(\sum_{g \in G} \alpha_g\, g\Big) + \Big(\sum_{g \in G} \beta_g\, g\Big) = \sum_{g \in G} (\alpha_g + \beta_g)\, g$$

and

$$p\, r = \Big(\sum_{g \in G} \alpha_g\, g\Big)\Big(\sum_{h \in G} \gamma_h\, h\Big) = \sum_{g, h \in G} \alpha_g \gamma_h\, (gh) = \sum_{t \in G} \eta_t\, t$$

where $gh = t$ and

$$\eta_t = \sum_{gh = t} \alpha_g \gamma_h = \sum_{g \in G} \alpha_g\, \gamma_{g^{-1} t} = \sum_{h \in G} \alpha_{t h^{-1}}\, \gamma_h .$$

Remark 1

[Decomposition of group ring] Corresponding to every element $p = \sum_{g \in G} \alpha_g\, g \in GR$ we define a matrix $M_p \in M_k(R)$ as

$$M_p = \begin{pmatrix} \alpha_{g_1 g_1^{-1}} & \alpha_{g_1 g_2^{-1}} & \cdots & \alpha_{g_1 g_k^{-1}} \\ \alpha_{g_2 g_1^{-1}} & \alpha_{g_2 g_2^{-1}} & \cdots & \alpha_{g_2 g_k^{-1}} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_{g_k g_1^{-1}} & \alpha_{g_k g_2^{-1}} & \cdots & \alpha_{g_k g_k^{-1}} \end{pmatrix},$$

that is, the $(i, j)$ entry of $M_p$ is the coefficient of $g_i g_j^{-1}$. Row 1 clearly contains the k entries $\alpha_{g_1}, \alpha_{g_2}, \ldots, \alpha_{g_k}$ in some order, and every other row is a permutation of row 1. Thus for each $p \in GR$ the associated matrix $M_p$ is determined by only the k unknowns $\alpha_{g_1}, \alpha_{g_2}, \ldots, \alpha_{g_k}$ and their permutations. Consequently, for any matrix $A \in M_n(GR)$, say

$$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix}$$

we define a corresponding matrix $\bar{A} \in M_{nk}(R)$ as

$$\bar{A} = \begin{pmatrix} M_{a_{11}} & M_{a_{12}} & \cdots & M_{a_{1n}} \\ M_{a_{21}} & M_{a_{22}} & \cdots & M_{a_{2n}} \\ \vdots & \vdots & \ddots & \vdots \\ M_{a_{n1}} & M_{a_{n2}} & \cdots & M_{a_{nn}} \end{pmatrix}$$

where the $M_{a_{ij}}$ are the k × k matrices corresponding to the elements $a_{ij} \in GR$. The previous remark and computations are summarized in Theorem 1.

Theorem 1

For a finite group G with k elements and a commutative ring R with unity, $M_n(GR)$ can be embedded in $M_{nk}(R)$ via the map $\phi : A \mapsto \bar{A}$ [9].

Theorem 2

For a matrix $A \in M_n(GR)$, we have [8]

$$A \in GL_n(GR) \iff \phi(A) = \bar{A} \in GL_{nk}(R).$$

Definition 2

(Circulant matrices and their properties [1]). Let F be a finite field. A k × k circulant matrix C over F is defined as

$$C = \mathrm{circ}(c_1, c_2, \ldots, c_k) = \begin{pmatrix} c_1 & c_2 & \cdots & c_k \\ c_k & c_1 & \cdots & c_{k-1} \\ \vdots & \vdots & \ddots & \vdots \\ c_2 & c_3 & \cdots & c_1 \end{pmatrix}$$

where the elements of each row are those of the previous row moved one position to the right and wrapped around.

Circulant matrices have the following important properties:

  1. If A and B are two n × n circulant matrices then so is AB, and the matrix product is commutative, that is,

$$AB = BA.$$

  2. If A is a circulant matrix, $A^{-1}$ is also circulant (provided it exists).

Corollary 1

Using Theorem 1, for any circulant matrix $C = \mathrm{circ}(a_1, a_2, \ldots, a_n) \in M_n(GR)$ we have a corresponding block circulant matrix $\bar{C} \in M_{nk}(R)$ defined by

$$\bar{C} = \begin{pmatrix} M_{a_1} & M_{a_2} & \cdots & M_{a_n} \\ M_{a_n} & M_{a_1} & \cdots & M_{a_{n-1}} \\ \vdots & \vdots & \ddots & \vdots \\ M_{a_2} & M_{a_3} & \cdots & M_{a_1} \end{pmatrix}_{nk \times nk}$$

which is determined by only nk elements, namely the first rows of the blocks $M_{a_1}, \ldots, M_{a_n}$.
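The definitions above carried out in code, as an added example that is not part of the paper: group ring elements are coefficient tuples indexed by a fixed listing of G (identity first), products use the formula for $\eta_t$ from Definition 1, and $M_a$ is filled with the coefficient of $g_i g_j^{-1}$ as in Remark 1. The group is passed in as a list plus a multiplication rule, so the same code handles the cyclic groups used in the appendix and the non-abelian $S_3$. `phi_is_multiplicative` checks $\phi(AB) = \phi(A)\phi(B)$ (Theorem 1; no commutativity is needed for this), while `circulants_commute` shows that property 1 of Definition 2 carries over to GR only when G is abelian, which is the point of Remark 2 below. The base ring $\mathbb{Z}_7$ and all helper names are assumptions of this example.

```python
import random
from functools import reduce
from itertools import permutations

p = 7   # assumption of this example: base ring R = Z_7

def cyclic(k):
    """G = C_k = <y>: element i stands for y^i, identity (i = 0) listed first."""
    return list(range(k)), lambda a, b: (a + b) % k

def symmetric(m):
    """G = S_m as permutation tuples (identity first), composed as (a*b)(i) = a(b(i))."""
    return list(permutations(range(m))), lambda a, b: tuple(a[b[i]] for i in range(m))

class GroupRing:
    """GR = R[G] with elements stored as coefficient tuples indexed like G (Definition 1)."""
    def __init__(self, G, op):
        self.G, self.op = G, op
        self.idx = {g: i for i, g in enumerate(G)}
        self.inv = {g: next(h for h in G if op(g, h) == G[0]) for g in G}

    def add(self, a, b):
        return tuple((x + y) % p for x, y in zip(a, b))

    def mul(self, a, b):
        """p r = sum_t eta_t t with eta_t = sum_{gh = t} alpha_g gamma_h."""
        eta = [0] * len(self.G)
        for i, g in enumerate(self.G):
            for j, h in enumerate(self.G):
                eta[self.idx[self.op(g, h)]] += a[i] * b[j]
        return tuple(x % p for x in eta)

    def matrix(self, a):
        """M_a of Remark 1: entry (i, j) is the coefficient of g_i g_j^{-1}."""
        return [[a[self.idx[self.op(g, self.inv[h])]] for h in self.G] for g in self.G]

    def random_element(self):
        return tuple(random.randrange(p) for _ in self.G)

def mat_mul(gr, A, B):
    """Product in M_n(GR)."""
    n = len(A)
    return [[reduce(gr.add, (gr.mul(A[i][l], B[l][j]) for l in range(n)))
             for j in range(n)] for i in range(n)]

def embed(gr, A):
    """Theorem 1: A -> A-bar in M_{nk}(R), block (i, j) = M_{a_ij}."""
    k, n = len(gr.G), len(A)
    blocks = [[gr.matrix(a) for a in row] for row in A]
    return [[blocks[i // k][j // k][i % k][j % k] for j in range(n * k)] for i in range(n * k)]

def mod_mul(A, B):
    """Product in M_m(Z_p)."""
    return [[sum(a * b for a, b in zip(r, c)) % p for c in zip(*B)] for r in A]

def circulant(row):
    """circ(c_1, ..., c_n) of Definition 2 with entries in GR."""
    return [row[-i:] + row[:-i] for i in range(len(row))]

def random_circulant(gr, n):
    return circulant([gr.random_element() for _ in range(n)])

def phi_is_multiplicative(gr, A, B):
    """phi(AB) == phi(A) phi(B): the embedding respects the group-ring product for any G."""
    return embed(gr, mat_mul(gr, A, B)) == mod_mul(embed(gr, A), embed(gr, B))

def circulants_commute(gr, A, B):
    """AB == BA for circulant A, B holds when GR is commutative, i.e. G abelian (Remark 2)."""
    return mat_mul(gr, A, B) == mat_mul(gr, B, A)
```

For `GroupRing(*cyclic(2))` the matrix of y is the 2 × 2 swap matrix, exactly the embedding tabulated in Example 2 of the appendix; with `symmetric(3)` the embedding is still multiplicative, but two circulant matrices built from non-commuting transpositions of $S_3$ no longer commute, so the scheme of Section 3 would not decrypt correctly over such a group ring.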

3 Description of the public key cryptosystem

In this section, we describe the ElGamal-like cryptosystem proposed by Saba Inam and Rashid Ali [3].

Let $M_n(GR)$ be the set of all n × n matrices over the group ring GR and $H \subset M_n(GR)$ be the subgroup of all n × n invertible circulant matrices over GR. Bob and Alice communicate in the following steps.

Key generation (KeyGen)

  1. Alice chooses random $A, B \in H$ and computes

     $$M_1 = A B^{2}, \qquad M_2 = B A^{2}.$$

  2. She selects a random invertible matrix $N \in GL_n(GR)$ and generates the key pair (pk, sk) given by

     $$pk = (P_1, P_2) = \big(M_1^{-1} N M_1,\; M_2^{-1} N^{-1} M_2\big) \quad\text{and}\quad sk = (A, B)$$

     where pk is the public key and sk is the secret key.

Encryption ($\mathrm{Enc}_{pk}(m)$)

  1. Bob represents the message m as an element $M \in M_n(GR)$.

  2. He chooses a random invertible matrix $X \in H$ and a unit η of the group ring GR, and computes the ciphertext $\mathrm{Enc}_{pk}(m) = C = (C_1, C_2)$, where

$$C_1 = \eta^{-1} X^{-1} P_2 X \quad\text{and}\quad C_2 = \eta M X^{-1} P_1 X.$$

Decryption ($\mathrm{Dec}_{sk}(C)$)

  1. Using her secret key (A, B), Alice computes

     $$S = A B^{-1} C_1 B A^{-1}.$$

  2. She obtains the message from $C_2$ and S as

$$C_2 S = M.$$

Thus $\mathrm{Dec}_{sk}(C) = M$.

Correctness of the protocol: Since $S = A B^{-1} C_1 B A^{-1}$, and the circulant matrices A, B, X commute with one another while η is a scalar, we have

$$\begin{aligned} S &= A B^{-1} \eta^{-1} X^{-1} P_2 X B A^{-1} = \eta^{-1} A B^{-1} X^{-1} M_2^{-1} N^{-1} M_2 X B A^{-1} \\ &= \eta^{-1} A B^{-1} X^{-1} A^{-2} B^{-1} N^{-1} B A^{2} X B A^{-1} = \eta^{-1} A^{-1} B^{-2} X^{-1} N^{-1} X B^{2} A \end{aligned}$$

and hence

$$\begin{aligned} C_2 S &= \eta M X^{-1} P_1 X\, \eta^{-1} A^{-1} B^{-2} X^{-1} N^{-1} X B^{2} A = M X^{-1} M_1^{-1} N M_1 X A^{-1} B^{-2} X^{-1} N^{-1} X B^{2} A \\ &= M X^{-1} B^{-2} A^{-1} N A B^{2} X A^{-1} B^{-2} X^{-1} N^{-1} X B^{2} A = M X^{-1} B^{-2} A^{-1} N X X^{-1} N^{-1} B^{2} A X \\ &= M X^{-1} B^{-2} A^{-1} B^{2} A X = M X^{-1} X = M. \end{aligned}$$

Remark 2

The authors of [3] use commuting circulant matrices over the group ring GR, where R is a commutative ring with unity and G is a finite group. We believe the authors intended G to be an abelian group; otherwise GR is not commutative, the circulant matrices need not commute, and the proposed cryptosystem does not work. From now on we therefore assume that G is a finite abelian group.

4 Analysis of IND-CPA security of the cryptosystem

Consider the following IND-CPA experiment between the challenger 𝒞 and an efficient adversary 𝒜:

  1. Challenger 𝒞 generates the key pair (pk, sk) and publishes $pk = (P_1, P_2) = (M_1^{-1} N M_1,\; M_2^{-1} N^{-1} M_2)$ to the adversary 𝒜.

  2. Adversary 𝒜 chooses $D_0, D_1 \leftarrow M_n(GR)$ and submits them to 𝒞.

  3. Challenger 𝒞 selects a bit $b \leftarrow \{0, 1\}$ uniformly at random and sends the challenge ciphertext

     $$C = (C_1, C_2) = \big(\eta^{-1} X^{-1} P_2 X,\; \eta D_b X^{-1} P_1 X\big)$$

     to the adversary 𝒜.

  4. The adversary 𝒜 outputs a bit b′.

The adversary succeeds in the above experiment (the experiment outputs 1) if and only if b = b′.

In step two, if the adversary 𝒜 chooses two messages $D_0$ and $D_1$ such that $\det(D_0) \neq \det(D_1)$, then it can compute

$$\frac{\det(C_1 C_2)}{\det(P_1 P_2)} = \frac{\det\big(\eta^{-1} X^{-1} P_2 X\, \eta D_b X^{-1} P_1 X\big)}{\det(P_1 P_2)} = \det(D_b),$$

because the determinant is multiplicative, the scalars $\eta^{-1}$ and η cancel, and $\det(P_1 P_2)$ is a unit of GR since $P_1$ and $P_2$ are invertible. If

$$\frac{\det(C_1 C_2)}{\det(P_1 P_2)} = \det(D_0),$$

𝒜 outputs b′ = 0; otherwise 𝒜 outputs b′ = 1. Thus the adversary 𝒜 succeeds in the above IND-CPA experiment with probability 1. Hence the proposed scheme is not secure against a chosen plaintext attack.

5 Analysis of IND-CCA security of the cryptosystem

The authors of [3] presented a chosen ciphertext attack on their own scheme and proposed a fix in which the one-sided ciphertext is replaced by a two-sided one:

$$C = (C_1, C_2) \quad\text{where}\quad C_1 = \eta^{-1} X^{-1} P_2 X \quad\text{and}\quad C_2 = \eta^{2} X^{-1} P_1 X\, M\, X^{-1} P_1 X.$$

Consider the following IND-CCA experiment between the challenger 𝒞 and an efficient adversary 𝒜:

  1. Challenger 𝒞 generates the key pair (pk, sk) and publishes $pk = (P_1, P_2) = (M_1^{-1} N M_1,\; M_2^{-1} N^{-1} M_2)$ to the adversary 𝒜.

  2. Adversary 𝒜 has access to a decryption oracle $\mathrm{Dec}_{sk}(\cdot)$. 𝒜 chooses $D_0, D_1 \leftarrow M_n(GR)$ and submits them to 𝒞.

  3. Challenger 𝒞 selects a bit $b \leftarrow \{0, 1\}$ uniformly at random and sends the challenge ciphertext

     $$C = (C_1, C_2) = \big(\eta^{-1} X^{-1} P_2 X,\; \eta^{2} X^{-1} P_1 X\, D_b\, X^{-1} P_1 X\big)$$

     to the adversary 𝒜.

  4. 𝒜 may continue to query the decryption oracle on any ciphertext other than the challenge ciphertext C.

  5. The adversary 𝒜 outputs a bit b′.

The adversary succeeds in the above experiment (the experiment outputs 1) if and only if b = b′.

In step two, if the adversary 𝒜 chooses two messages $D_0$ and $D_1$ such that $\det(D_0) \neq \det(D_1)$, then, without even using the decryption oracle, it can compute

$$\frac{\det(C_1^{2} C_2)}{\det(P_1^{2} P_2^{2})} = \frac{\det\big(\eta^{-2} X^{-1} P_2^{2} X\, \eta^{2} X^{-1} P_1 X\, D_b\, X^{-1} P_1 X\big)}{\det(P_1^{2} P_2^{2})} = \det(D_b)$$

and if

$$\frac{\det(C_1^{2} C_2)}{\det(P_1^{2} P_2^{2})} = \det(D_0),$$

𝒜 outputs b′ = 0; otherwise 𝒜 outputs b′ = 1. Thus the adversary 𝒜 succeeds in the above IND-CCA experiment with probability 1.

Additionally, an adversary can decrypt any ciphertext by playing the following game with the challenger:

  1. 𝒜 fixes $M^* = d I_n$, where d ≠ 1 is a unit of GR.

  2. 𝒞 chooses $M \leftarrow M_n(GR)$ and sends $C = (C_1, C_2) \leftarrow \mathrm{Enc}_{pk}(M)$ to 𝒜.

  3. 𝒜 forms $C^* = (C_1, M^* C_2) \neq C$ and submits it to the decryption oracle.

  4. 𝒞 returns $\mathrm{Dec}_{sk}(C^*) = M^* M$ (since $M^*$ is a scalar matrix it commutes with every matrix and passes through the decryption unchanged).

  5. 𝒜 computes $M = (M^*)^{-1} M^* M$.

Hence the proposed fix of the scheme is not secure against a chosen ciphertext attack, contrary to the claim of the authors of [3].

6 Key recovery attack

In this section, we propose a method to generate all the equivalent key pairs for the cryptosystem of [3] from the public key pk alone.

From the public information any adversary 𝒜 obtains the public key $pk = (P_1, P_2)$. 𝒜 then finds the solutions of the following system to obtain all equivalent key pairs (P, Q).

  1. P and Q are arbitrary circulant matrices, hence

$$PX = XP \quad\text{and}\quad QX = XQ.$$

  2. P and Q satisfy

$$(1)\qquad P P_2 Q = P_1^{-1}.$$

The above system has at least one solution, namely $P = A B^{-1}$ and $Q = A^{-1} B$, since

$$P P_2 Q = P M_2^{-1} N^{-1} M_2 Q = P A^{-2} B^{-1} N^{-1} B A^{2} Q = A B^{-1} A^{-2} B^{-1} N^{-1} B A^{2} A^{-1} B = A^{-1} B^{-2} N^{-1} B^{2} A = B^{-2} A^{-1} N^{-1} A B^{2} = M_1^{-1} N^{-1} M_1 = P_1^{-1}.$$

Theorem 3

If the adversary is able to find a solution P, Q of equation (1), then the ElGamal-like cryptosystem proposed by Saba and Rashid is completely broken with the equivalent keys P, Q.

Proof. Using the equivalent keys P and Q (which commute with X), the plaintext M is retrieved from a ciphertext pair $(C_1, C_2)$ as

$$C_2 P C_1 Q = \eta M X^{-1} P_1 X\, P\, \eta^{-1} X^{-1} P_2 X\, Q = \eta \eta^{-1} M X^{-1} P_1 P P_2 Q X = M X^{-1} X = M.$$

Thus, the proposed scheme is not secure and a total break of the scheme is performed where equivalent key pairs (P, Q) are computed from the public key pair (P1, P2).

In Example 1 in appendix, we derive all the equivalent key pairs (P, Q) for the toy example provided in [3] and obtain the plaintext M.

Remark 3

Out of the 16 choices in the solution set in the appendix, 8 are non-invertible and the remaining 8 invertible choices are listed in Example 1. Equations (A4) to (A7) are the solutions of equation (1) which satisfy $P = Q^{-1}$; these solutions can also be recovered by the cryptanalysis of Jia et al. They claim to obtain all equivalent keys, but their method only yields the equivalent key pairs (P, Q) satisfying $P = Q^{-1}$ in equation (1). Our cryptanalysis is more generic and yields all equivalent key pairs (P, Q), each of which can be used with Theorem 3 to retrieve the plaintext M.

6.1 Algorithm for deriving the private keys and decrypting ciphertexts

Remark 4

Equation (1) can be rewritten as

$$P P_2 - P_1^{-1} Q^{-1} = 0$$

and then, using Theorem 1, we embed $P, P_1, P_2$ and Q in $M_{nk}(R)$ and rewrite the corresponding equation as

$$(2)\qquad \bar{P} \bar{P}_2 - \bar{P}_1^{-1} \bar{Q}^{-1} = 0,$$

which is a system of $n^2 k^2$ linear equations in 2nk unknowns over the commutative ring R (the nk coefficients determining $\bar{P}$ and the nk coefficients determining $\bar{Q}^{-1}$, by Corollary 1). It can further be written as

$$(3)\qquad \mathcal{A} X = 0$$

where $\mathcal{A} \in M_{n^2 k^2 \times 2nk}(R)$ is the coefficient matrix and $X \in M_{2nk \times 1}(R)$ is the unknown vector.

Algorithm 1 Generating equivalent key pairs and retrieving the plaintext

Step 1: Input the public information $(P_1, P_2, C_1, C_2)$.
Step 2: Take unknown elements $(a_1, a_2, \ldots, a_n), (b_1, b_2, \ldots, b_n) \in GR^n$ and form the corresponding circulant matrices P and $Q^{-1}$.
Step 3: Using the embedding of Theorem 1 obtain the matrices $\bar{P}, \bar{Q}^{-1}, \bar{P}_1, \bar{P}_2, \bar{C}_1$ and $\bar{C}_2$.
Step 4: Solve the system of equations over the ring R

$$\bar{P} \bar{P}_2 - \bar{P}_1^{-1} \bar{Q}^{-1} = 0$$

in the form of equation (3), and form the invertible matrices $\bar{P}$ and $\bar{Q}^{-1}$.

Step 5: Read off the $a_i$ and $b_j$ from $\bar{P}$ and $\bar{Q}^{-1}$ and form the key pair (P, Q).
Step 6: Compute $M = C_2 P C_1 Q$.

In Example 2 in the appendix, we execute the proposed algorithm to cryptanalyze the toy example provided in [3]. We decompose the elements of the group ring into matrices over the base ring and use them to obtain the equivalent key pairs and the corresponding plaintext from the given public key pair and ciphertext.
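The scheme of Section 3 and Algorithm 1 run end to end, as an added example that is not code from [3] or from this paper. All arithmetic is done on the embedded matrices of Theorem 1 with $R = \mathbb{Z}_P$ and $G = C_K$ cyclic, so entry $(i, j)$ of $\bar{A}$ is the coefficient of $y^{i-j}$ in the group-ring entry $a_{\lfloor i/K \rfloor, \lfloor j/K \rfloor}$; with P = K = N = 2 the constants TOY_PK and TOY_C hold the public key and ciphertext of the toy example in the appendix. `keygen`, `encrypt` and `decrypt` follow Section 3 (the rejection sampling of A, B, N, X and η is this example's choice, since [3] does not specify it). `attack` evaluates the left-hand side of equation (2) on unit vectors to obtain the coefficient matrix of (3), takes its nullspace over $\mathbb{Z}_P$, keeps the solutions whose $\bar{Q}^{-1}$ is invertible and decrypts with Theorem 3. It enumerates the whole solution space, which is only feasible for toy parameters; a single invertible solution is enough to decrypt.

```python
import random
from itertools import product

P, K, N = 2, 2, 2   # assumed parameters: R = Z_P, G = C_K = <y>, N x N matrices over GR

def embed(A):
    """Theorem 1 for G = C_K: entry (i, j) of A-bar is the coefficient of y^(i-j) in the
    group-ring entry a_{i//K, j//K} (Remark 1).  GR elements are K-tuples of coefficients."""
    return [[A[i // K][j // K][(i - j) % K] % P for j in range(N * K)] for i in range(N * K)]

def mul(*Ms):
    out = Ms[0]   # product of matrices over Z_P, left to right
    for B in Ms[1:]:
        out = [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in out]
    return out

def rref(M):
    """Gauss-Jordan elimination over Z_P -> (reduced matrix, pivot columns)."""
    M, piv = [r[:] for r in M], []
    for c in range(len(M[0])):
        r = len(piv)
        i = next((i for i in range(r, len(M)) if M[i][c]), None)
        if i is not None:
            M[r], M[i] = M[i], M[r]
            M[r] = [x * pow(M[r][c], -1, P) % P for x in M[r]]
            for j in range(len(M)):
                if j != r and M[j][c]:
                    M[j] = [(a - M[j][c] * b) % P for a, b in zip(M[j], M[r])]
            piv.append(c)
    return M, piv

def inverse(A):
    """Inverse over Z_P, or None if singular (Theorem 2: singular iff singular over GR)."""
    n = len(A)
    R, piv = rref([r + [int(i == j) for j in range(n)] for i, r in enumerate(A)])
    return [r[n:] for r in R] if piv == list(range(n)) else None

def nullspace(A):
    """Basis of {x : A x = 0} over Z_P, one vector per free column of the RREF."""
    R, piv = rref(A)
    n = len(A[0])
    return [[-R[piv.index(c)][f] % P if c in piv else int(c == f) for c in range(n)]
            for f in range(n) if f not in piv]

def circulant(coeffs):
    """N*K coefficients -> embedded N x N circulant matrix over GR (Definition 2)."""
    row = [tuple(coeffs[i * K:(i + 1) * K]) for i in range(N)]
    return embed([row[-i:] + row[:-i] for i in range(N)])

# Samplers: this example's choice, [3] does not say how A, B, N, X, eta are drawn.
def rand_elem(): return tuple(random.randrange(P) for _ in range(K))
def rand_circ(): return circulant([random.randrange(P) for _ in range(N * K)])      # in H
def rand_full(): return embed([[rand_elem() for _ in range(N)] for _ in range(N)])   # in M_N(GR)
def rand_scalar():                                                                   # eta * I_N
    e = rand_elem()
    return embed([[e if i == j else (0,) * K for j in range(N)] for i in range(N)])
def random_unit(sample):
    while True:   # rejection-sample until the matrix is invertible
        M = sample()
        if inverse(M) is not None:
            return M

def keygen():
    """KeyGen of Section 3: sk = (A, B) in H, pk = (M1^-1 N M1, M2^-1 N^-1 M2)."""
    A, B, Nm = random_unit(rand_circ), random_unit(rand_circ), random_unit(rand_full)
    M1, M2 = mul(A, B, B), mul(B, A, A)
    return (mul(inverse(M1), Nm, M1), mul(inverse(M2), inverse(Nm), M2)), (A, B)
def encrypt(pk, M):
    """C1 = eta^-1 X^-1 P2 X, C2 = eta M X^-1 P1 X with X in H and eta a unit of GR."""
    P1, P2 = pk
    X, eta = random_unit(rand_circ), random_unit(rand_scalar)
    return mul(inverse(eta), inverse(X), P2, X), mul(eta, M, inverse(X), P1, X)
def decrypt(sk, C):
    """M = C2 S with S = A B^-1 C1 B A^-1."""
    A, B = sk
    return mul(C[1], A, inverse(B), C[0], B, inverse(A))

def attack(P1, P2, C1, C2):
    """Algorithm 1: solve P P2 - P1^-1 Q^-1 = 0 (eq. (2)) for circulant P, Q^-1 as the linear
    system (3), keep the solutions with Q^-1 invertible and decrypt with Theorem 3."""
    P1inv, m = inverse(P1), 2 * N * K
    def residual(x):   # linear in the 2NK unknown coefficients (P first, then Q^-1)
        D, E = mul(circulant(x[:N * K]), P2), mul(P1inv, circulant(x[N * K:]))
        return [(d - e) % P for dr, er in zip(D, E) for d, e in zip(dr, er)]
    cols = [residual([int(i == e) for i in range(m)]) for e in range(m)]
    basis = nullspace([list(row) for row in zip(*cols)])   # the (NK)^2 x 2NK matrix of (3)
    keys, msgs = [], set()
    for coeffs in product(range(P), repeat=len(basis)):
        x = [sum(c * v[i] for c, v in zip(coeffs, basis)) % P for i in range(m)]
        Q = inverse(circulant(x[N * K:]))
        if Q is not None:
            keys.append((circulant(x[:N * K]), Q))
            msgs.add(tuple(map(tuple, mul(C2, keys[-1][0], C1, Q))))
    return keys, msgs

# Toy example of [3] (appendix): Z_2[C_2] elements as (coefficient of 1, coefficient of y).
zero, one, y, one_y = (0, 0), (1, 0), (0, 1), (1, 1)
TOY_PK = (embed([[one, zero], [one_y, y]]), embed([[one, zero], [one_y, y]]))
TOY_C = (embed([[y, zero], [one_y, one]]), embed([[y, one], [one, y]]))
```

`attack(*TOY_PK, *TOY_C)` returns the 8 invertible pairs of Example 1 together with a single recovered $\bar{M}$, the embedding of $\begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix}$. For a fresh instance, `pk, sk = keygen()`, `C = encrypt(pk, M)` and `attack(*pk, *C)` recovers M from pk and C alone, and `decrypt(sk, (C[0], mul(D, C[1])))` for a scalar matrix D returns D·M, which is the malleability exploited by the decryption-oracle attack in Section 5.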

6.2 Computational complexity of the proposed algorithm over finite field 𝔽p

In this section, we compute the complexity of Algorithm 1 where the commutative ring R is a prime field, that is, R = 𝔽p.

  1. Multiplying two m × m matrices takes $\mathcal{O}(m^{\omega})$ arithmetic operations in R, where ω ≈ 2.3755.

  2. The inverse of an m × m matrix can be found with $\mathcal{O}(m^{\omega})$ arithmetic operations.

  3. Inverses in the finite field $\mathbb{F}_p$ can be computed with $\mathcal{O}((\log p)^3)$ bit operations, and multiplications with $\mathcal{O}((\log p)^2)$ bit operations [7].

  4. Solving a system of s equations in r unknowns over a residue ring $\mathbb{Z}/m\mathbb{Z}$ has complexity $\mathcal{O}(s\, r^{\omega-1})$ [11].

Using the above complexity results, we obtain the following:

  1. The embedding in step 3 is only a rearrangement of the coefficients of the group ring elements, so its cost is neglected.

  2. In step 4 we perform 2 matrix multiplications, 1 matrix inversion and 1 subtraction, and then solve the system (3). Hence the complexity of step 4 is

$$\mathcal{O}\big((nk)^{\omega} (\log p)^3 + 2 (nk)^{\omega} (\log p)^2 + (nk)^2 (2nk)^{\omega-1} (\log p)^3\big) = \mathcal{O}\big((nk)^{\omega+1} (\log p)^3\big).$$

  3. In step 5, the matrix inversion needed to obtain $\bar{Q}$ from $\bar{Q}^{-1}$ costs $\mathcal{O}((nk)^{\omega} (\log p)^3)$; P and Q are then read off from $\bar{P}$ and $\bar{Q}$.

  4. Step 6 requires 3 matrix multiplications, with complexity $\mathcal{O}((nk)^{\omega} (\log p)^2)$.

Thus the overall complexity of Algorithm 1 is $\mathcal{O}((nk)^{\omega+1} (\log p)^3)$, which is polynomial in the size of the matrices and of their entries.

Remark 5

Jia et al. also computed the complexity of their attack, but their count is not exactly right: they operate on matrices over group rings yet apply the complexity results for matrices over the base ring.

7 Conclusion

We have presented a generic cryptanalysis of a new ElGamal-like cryptosystem based on matrices over a group ring. Although the authors claimed that their cryptographic protocol resists known plaintext attacks, ciphertext only attacks and chosen plaintext attacks, we have proved that the proposed scheme is not even secure in the sense of IND-CPA, the weaker security notion for ElGamal encryption, let alone IND-CCA. We then designed a strong linear algebra attack which computes, in polynomial time, all the equivalent keys for a given public key pair.

Acknowledgement

This research is supported by University Grants Commission (UGC), reference number-1100 (DEC-2016).

References

[1] P. J. Davis, Circulant Matrices, Chelsea (1994).

[2] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory 31 (1985), 469–472. doi:10.1007/3-540-39568-7_2

[3] S. Inam and R. Ali, A new ElGamal-like cryptosystem based on matrices over group ring, Neural Comput. Appl. 29(11) (2018), 1279–1283. doi:10.1007/s00521-016-2745-2

[4] J. Jia, J. Liu and H. Zhang, Cryptanalysis of cryptosystems based on general linear group, China Commun. 13(6) (2016), 217–224. doi:10.1109/CC.2016.7513216

[5] J. Jia, H. Wang, H. Zhang, S. Wang and J. Liu, Cryptanalysis of an ElGamal-like cryptosystem based on matrices over group rings, in: H. Zhang, B. Zhao, F. Yan (eds), Trusted Computing and Information Security (CTCIS 2018), Communications in Computer and Information Science 960, Springer, Singapore (2019). doi:10.1007/978-981-13-5913-2_16

[6] M. Khan and T. Shah, A novel cryptosystem based on general linear group, 3D Res. 6(1) (2015), 1–8. doi:10.1007/s13319-014-0035-2

[7] N. Koblitz, A Course in Number Theory and Cryptography, 2nd edn., Springer, New York (1994). doi:10.1007/978-1-4419-8592-7

[8] M. Kreuzer, A. D. Myasnikov and A. Ushakov, A linear algebra attack to group-ring-based key exchange protocols, in: Applied Cryptography and Network Security (ACNS 2014), Lecture Notes in Comput. Sci. 8479, Springer, Berlin (2014), 37–43. doi:10.1007/978-3-319-07536-5_3

[9] A. D. Myasnikov and A. Ushakov, Quantum algorithm for the discrete logarithm problem for matrices over finite group rings, Groups Complex. Cryptol. 6 (2014), 31–36. doi:10.1515/gcc-2014-0003

[10] D. S. Passman, The Algebraic Structure of Group Rings, Wiley, New York (1977).

[11] A. Storjohann and T. Mulders, Fast algorithms for linear algebra modulo N, in: Algorithms — ESA'98, Lecture Notes in Comput. Sci. 1461, Springer, Berlin Heidelberg (1998), 139–150. doi:10.1007/3-540-68530-8_12

Appendix

Example 1

Consider the ring $R = \mathbb{Z}_2 = \{0, 1\}$ and the cyclic group $G = C_2 = \{1, y\} = \langle y \rangle$; then the group ring is

$$GR = \Big\{ \sum_{g \in C_2} a_g\, g : a_g \in R \Big\} = \{0,\; 1,\; y,\; 1 + y\}.$$

The addition and multiplication table for the group ring GR are provided in Table A1 and Table A2 respectively:

Table A1

Addition table for group ring

+ 0 1 y 1+y
0 0 1 y 1+y
1 1 0 1+y y
y y 1+y 0 1
1+y 1+y y 1 0

Table A2

Multiplication table for group ring

· 0 1 y 1+y
0 0 0 0 0
1 0 1 y 1+y
y 0 y 1 1+y
1+y 0 1+y 1+y 0

In the 2 × 2 matrix semigroup $M_2(GR)$, consider the public key elements

$$P_1 = \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix} \quad\text{and}\quad P_2 = \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix}$$

and, for some plaintext M, the ciphertext pair $(C_1, C_2)$ given by

$$C_1 = \begin{pmatrix} y & 0 \\ 1+y & 1 \end{pmatrix} \quad\text{and}\quad C_2 = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix}.$$

Let P and $Q^{-1}$ be arbitrary invertible circulant matrices with entries in GR, say

$$P = \begin{pmatrix} a & b \\ b & a \end{pmatrix} \quad\text{and}\quad Q^{-1} = \begin{pmatrix} c & d \\ d & c \end{pmatrix}.$$

Then $P P_2 Q = P_1^{-1}$ can be written as

$$P P_2 = P_1^{-1} Q^{-1},$$

which, since $P_1^{2} = I$ and hence $P_1^{-1} = P_1$, becomes

$$\begin{pmatrix} a & b \\ b & a \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix} \begin{pmatrix} c & d \\ d & c \end{pmatrix}.$$

This results in the following system of 4 linear equations in the 4 variables a, b, c and d (over $\mathbb{Z}_2$, so that $-x = x$):

$$\begin{aligned} a + b(1+y) + c &= 0 \\ yb + d &= 0 \\ a(1+y) + b + (1+y)c + yd &= 0 \\ ay + cy + d(1+y) &= 0 \end{aligned}$$

which reduces to

$$c = a + b(1+y), \qquad d = by,$$

where a, b are free parameters. Hence the solution set of the above system is

$$\left\{ \begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix} = s \begin{pmatrix} 1 \\ 0 \\ 1 \\ 0 \end{pmatrix} + t \begin{pmatrix} 0 \\ 1 \\ 1+y \\ y \end{pmatrix} \;\middle|\; s, t \in GR \right\}.$$

The following are the invertible key pairs obtained from these solutions:

(A4) $P_1 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ and $Q_1 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$

(A5) $P_2 = \begin{pmatrix} y & 0 \\ 0 & y \end{pmatrix}$ and $Q_2 = \begin{pmatrix} y & 0 \\ 0 & y \end{pmatrix}$

(A6) $P_3 = \begin{pmatrix} 1 & 1+y \\ 1+y & 1 \end{pmatrix}$ and $Q_3 = \begin{pmatrix} 1 & 1+y \\ 1+y & 1 \end{pmatrix}$

(A7) $P_4 = \begin{pmatrix} y & 1+y \\ 1+y & y \end{pmatrix}$ and $Q_4 = \begin{pmatrix} y & 1+y \\ 1+y & y \end{pmatrix}$

(A8) $P_5 = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ and $Q_5 = \begin{pmatrix} 1+y & y \\ y & 1+y \end{pmatrix}$

(A9) $P_6 = \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix}$ and $Q_6 = \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix}$

(A10) $P_7 = \begin{pmatrix} 1+y & y \\ y & 1+y \end{pmatrix}$ and $Q_7 = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$

(A11) $P_8 = \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix}$ and $Q_8 = \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix}$

Using any of these pairs, say

$$P = \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix} \quad\text{and}\quad Q = \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix},$$

we obtain the plaintext M as

$$C_2 P C_1 Q = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix} \begin{pmatrix} y & 0 \\ 1+y & 1 \end{pmatrix} \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix} = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} \begin{pmatrix} 1+y & y \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} = M,$$

which is the original plaintext encrypted in the toy example of [3].

Example 2

Consider the ring $R = \mathbb{Z}_2 = \{0, 1\}$ and the cyclic group $G = C_2 = \{g_1 = 1, g_2 = y\} = \langle y \rangle$; then the group ring is

$$GR = \Big\{ \sum_{g \in C_2} a_g\, g : a_g \in R \Big\} = \{0,\; 1,\; y,\; 1 + y\}.$$

Also, $g_1 g_1^{-1} = 1 = g_1$, $g_1 g_2^{-1} = y = g_2$ and $g_2 g_1^{-1} = y = g_2$, $g_2 g_2^{-1} = 1 = g_1$. The embeddings of the group ring elements are therefore

$$0 \mapsto \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}, \quad 1 \mapsto \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad y \mapsto \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad 1 + y \mapsto \begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix}.$$

Step 1: Consider the public key elements

$$P_1 = \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix} \quad\text{and}\quad P_2 = \begin{pmatrix} 1 & 0 \\ 1+y & y \end{pmatrix}$$

and, for some plaintext M, the ciphertext pair $(C_1, C_2)$ given by

$$C_1 = \begin{pmatrix} y & 0 \\ 1+y & 1 \end{pmatrix} \quad\text{and}\quad C_2 = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix}.$$

Step 2: Take unknown $(a, b), (c, d) \in GR^2$ and form the circulant matrices P and $Q^{-1}$ as

$$P = \begin{pmatrix} a = a_1 g_1 + a_2 g_2 & b = b_1 g_1 + b_2 g_2 \\ b = b_1 g_1 + b_2 g_2 & a = a_1 g_1 + a_2 g_2 \end{pmatrix}$$

and

$$Q^{-1} = \begin{pmatrix} c = c_1 g_1 + c_2 g_2 & d = d_1 g_1 + d_2 g_2 \\ d = d_1 g_1 + d_2 g_2 & c = c_1 g_1 + c_2 g_2 \end{pmatrix}.$$

Step 3: The embedded matrices are

$$\bar{P} = \begin{pmatrix} a_1 & a_2 & b_1 & b_2 \\ a_2 & a_1 & b_2 & b_1 \\ b_1 & b_2 & a_1 & a_2 \\ b_2 & b_1 & a_2 & a_1 \end{pmatrix}, \qquad \bar{Q}^{-1} = \begin{pmatrix} c_1 & c_2 & d_1 & d_2 \\ c_2 & c_1 & d_2 & d_1 \\ d_1 & d_2 & c_1 & c_2 \\ d_2 & d_1 & c_2 & c_1 \end{pmatrix}.$$

The embedded public key elements are

$$\bar{P}_1 = \bar{P}_2 = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$

and the embedded ciphertext matrices are

$$\bar{C}_1 = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \end{pmatrix}, \qquad \bar{C}_2 = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \\ 0 & 1 & 1 & 0 \end{pmatrix}.$$

Step 4: Since $\bar{P}_1^{2} = I$, we have $\bar{P}_1^{-1} = \bar{P}_1$, and the equation $\bar{P} \bar{P}_2 - \bar{P}_1^{-1} \bar{Q}^{-1} = 0$ becomes (over $\mathbb{Z}_2$, where subtraction equals addition)

$$\begin{pmatrix} a_1 + b_1 + b_2 + c_1 & a_2 + b_1 + b_2 + c_2 & b_2 + d_1 & b_1 + d_2 \\ a_2 + b_1 + b_2 + c_2 & a_1 + b_1 + b_2 + c_1 & b_1 + d_2 & b_2 + d_1 \\ a_1 + a_2 + b_1 + c_1 + c_2 + d_2 & a_1 + a_2 + b_2 + c_1 + c_2 + d_1 & a_2 + c_2 + d_1 + d_2 & a_1 + c_1 + d_1 + d_2 \\ a_1 + a_2 + b_2 + c_1 + c_2 + d_1 & a_1 + a_2 + b_1 + c_1 + c_2 + d_2 & a_1 + c_1 + d_1 + d_2 & a_2 + c_2 + d_1 + d_2 \end{pmatrix} = \begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}.$$

Collecting the distinct equations, this is the linear system

$$\begin{pmatrix} 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ b_1 \\ b_2 \\ c_1 \\ c_2 \\ d_1 \\ d_2 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix},$$

which row-reduces to

$$\begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ b_1 \\ b_2 \\ c_1 \\ c_2 \\ d_1 \\ d_2 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}$$

and corresponds to the system of equations

$$a_1 = c_1 + d_1 + d_2, \qquad a_2 = c_2 + d_1 + d_2, \qquad b_1 = d_2, \qquad b_2 = d_1.$$

Step 5: Thus for the different values of $(c_1, c_2, d_1, d_2) \in \mathbb{Z}_2^4$ we get 16 pairs of matrices $(\bar{P}, \bar{Q}^{-1})$. The tuples which make $\bar{Q}^{-1}$ invertible, with the resulting $\bar{Q}$ (each $\bar{Q}^{-1}$ here happens to be its own inverse) and $\bar{P}$, are:

  1. (1, 0, 0, 0): $\bar{Q} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \mapsto Q_1$, $\bar{P} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \mapsto P_1$

  2. (0, 1, 0, 0): $\bar{Q} = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} \mapsto Q_2$, $\bar{P} = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} \mapsto P_2$

  3. (1, 0, 1, 1): $\bar{Q} = \begin{pmatrix} 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \end{pmatrix} \mapsto Q_3$, $\bar{P} = \begin{pmatrix} 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \end{pmatrix} \mapsto P_3$

  4. (0, 1, 1, 1): $\bar{Q} = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix} \mapsto Q_4$, $\bar{P} = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix} \mapsto P_4$

  5. (1, 1, 0, 1): $\bar{Q} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \end{pmatrix} \mapsto Q_5$, $\bar{P} = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{pmatrix} \mapsto P_5$

  6. (1, 1, 1, 0): $\bar{Q} = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \end{pmatrix} \mapsto Q_6$, $\bar{P} = \begin{pmatrix} 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \end{pmatrix} \mapsto P_6$

  7. (0, 0, 1, 0): $\bar{Q} = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{pmatrix} \mapsto Q_7$, $\bar{P} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \end{pmatrix} \mapsto P_7$

  8. (0, 0, 0, 1): $\bar{Q} = \begin{pmatrix} 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \end{pmatrix} \mapsto Q_8$, $\bar{P} = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \end{pmatrix} \mapsto P_8$

Hence the equivalent key pairs are $(\bar{P}_i, \bar{Q}_i)$, or equivalently $(P_i, Q_i)$, 1 ≤ i ≤ 8, which are exactly those extracted in Example 1.

Step 6: Using any of these pairs, say

$$P = \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix} \quad\text{and}\quad Q = \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix},$$

we obtain the plaintext M as

$$C_2 P C_1 Q = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} \begin{pmatrix} 0 & y \\ y & 0 \end{pmatrix} \begin{pmatrix} y & 0 \\ 1+y & 1 \end{pmatrix} \begin{pmatrix} 1+y & 1 \\ 1 & 1+y \end{pmatrix} = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} \begin{pmatrix} 1+y & y \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} y & 1 \\ 1 & y \end{pmatrix} = M,$$

which is the original plaintext encrypted in the toy example of [3].

Received: 2019-10-24
Accepted: 2020-09-08
Published Online: 2020-12-20

© 2020 A. Pandey et al., published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
