Download PUBLIC KEY CRYPTOSYSTEM USING A RECIPROCAL NUMBER

PUBLIC KEY CRYPTOSYSTEM USING A
RECIPROCAL NUMBER WITH THE SAME
INTRACTABILITY AS FACTORING A LARGE
NUMBER
Kaoru KUROSAWA
Toshiya Itoh
Masashi Takeuchi
Department of Electrical and Electronic Engineering,
Faculty of Engineering,
Tokyo Institute of Technology
2{12{1 O-okayama, Meguro-ku, Tokyo 152, Japan
[email protected]
Abstract This paper proposes a public key cryptosystem using a reciprocal
number. Breaking the proposed cryptosystem is proven to be as dicult
as factoring a large number. Encryption requires ( 2 ) bit operations and
decryption requires ( 3 ) bit operations. ( is the bit length of a plaintext.)
O n
O n
n
1 Introduction
A public key cryptosystem proposed by Rabin [1] is excellent because it has
been proven that breaking the cryptosystem is as hard as factoring a large
number. However, a ciphertext cannot be uniquely deciphered because four
dierent plaintexts produce the same cipher. Williams [2] showed that this
disadvantage can be overcome if the secret two prime numbers, and , are
chosen such that = = 3 mod 4.
RSA cryptosystem [3] is the most well-known public key cryptosystem.
However, it is not known whether breaking RSA cryptosystem is as hard as
factoring a lagre number. Recently, Williams [4] proposed a modied RSA
cryptosystem which utilizes quadratic irrational numbers. He showed that
the cryptosystem is as dicult to break as it is to factor a large number.
p
p
q
1
q
Such RSA schemes require ( 3 ) bit operations for both encryption and
decryption (where is the bit length of a plaintext).
This paper proposes a public key cryptosystem using a reciprocal number. Breaking the proposed cryptosystem is proven to be as dicult as factoring a large number. Encryption requires only ( 2 ) bit operations and
decryption requires ( 3 ) bit operatinos. The secret two prime numbers,
and , are arbitrary, which is a great advantage over Williams' version [2]
of Rabin's cryptosystem.
O n
n
O n
O n
p
q
2 Preliminaries
2.1 Legendre's symbol and Jacobi's symbol
The following symbol is called Legendre's symbol.
4 1 if \ 2 = mod " has a solution;
( )=
?1 otherwise,
where is a prime number other than 2. Half of the integers \a" such that
0
satisfy ( ) = 1 and the other half satisfy ( ) = ?1.
The following symbol is called Jacobi's symbol.
x
a=p
a
p
p
< a < p
a=p
a=p
4 ( )( )
( )=
where = . The value of ( ) is computed eciently by applying a
method like Euclidean algorithm to \ " and .
a=R
R
pq
a=p
a=q ;
a=R
a
R
2.2 Rabin's cryptosystem
Rabin proposed the following public key cryptosystem [1].
(Secret key) two lagre prime numbers, and .
(Public key) (= ) and .
(Plaintext) , where 0
.
(Ciphertext) = ( + ) mod .
(Decryption) Solve the following quadratic equations.
2
+ ? = 0 mod
2
+ ? = 0 mod
p
R
M
E
pq
q
c
< M < R
M M
c
R
M
cM
E
p
M
cM
E
q
2
(1)
(2)
He has proved that breaking the crytosystem is as hard as factoring . However, the ciphertexts cannot be uniquely deciphered because four dierent
plaintexts produce the same cipher.
Williams showed that the following special form of Rabin's cryptosystem
can overcome the above disadbantage [2].
pq
(Secret key) two lagre prime numbers, and , where = = 3 mod 4.
(Public key) (= ).
(Plaintext) , where 0
2 and (
) = 1.
(Ciphertext) = mod .
p
R
p
q
pq
M
< M < R=
E
q
M
2
M=R
R
We call the above cryptosystem \restricted Rabin's cryptosystem" because
and are restricted such that = = 3 mod 4.
p
q
p
q
3 Public key cryptosystem using a reciprocal numbner
We present a public key cryptosystem that utilizes the reciprocal number
of a plaintext modulo (= ). Breaking our cryptosystem is proven to
be as hard as factoring . The encryption procedure requires ( 2 ) bit
operateions and decryption requires ( 3 ) bit operations, where is the bit
length of a plaintext. The secret two prime numbers, and , are arbitrary,
which is a great advantage over restricted Rabin's cryptosystem.
R
p
q
R
O n
O n
n
p
q
(Secret key) two lagre prime numbers, and .
(Public key) (= ) and such that
p
R
pq
c
(
) = ( ) = ?1
c=p
(Plaintext) , where 0
q
(3)
c=q
and gcd(
) = 1.
(When and are 250 bits long, the probability that gcd(
)=
or is ( + ) 2?250 , which is negligibly small. RSA cryptosystem
is also broken if gcd(
) = or .)
M
p
q
p
< M < R
M; R
q
M; R
q =R
M; R
p
q
3
p
(Ciphertext) (
), where
E; s; t
= + ( ) mod
) = 1;
= 10 ifif ((
)
= ?1.
mod )
= 10 ifif ((
mod )
E
M
c=M
(4)
(5)
R
M=R
s
M=R
t
c=M
R
> M
c=M
R
< M
;
,
(6)
(Decryption) From (4), we obtain
2
M
?
EM
+ =0
(7)
c
Let 1 and 2 be the roots of (7) mod and 1 and 2 be the roots of
(7) mod . (Solving (7) mod or mod will be shown in Sec. 5.) Then,
(7) mod has the following four roots:
a
a
p
q
p
b
b
q
R
=[
3 = [
]
2]
=[
4 = [
]
1]
M1
a1 ; b 1 ;
M2
a2 ; b2
M
a1 ; b
M
a2 ; b
;
where 1 = [ 1 1 ] means 1 = 1 mod and 1 = 1 mod . (Chinese
remainder theorem gives i from j and k .)
The plaintext is one of the four roots. and tell the receiver which
root the plaintext is. From (3) and the relationship between the roots
and the coecients of (7), we obtain
M
a ;b
M
a
M
p
a
M
b
q
b
M
s
t
M
)=(
) = ?1
)=1
(
) = ?1
:
(8)
)=1
(
) = ?1
:
(9)
(
)(
(
a1 =p
We set
a2 =p
a1 =p
Similarly, we set
(
b1 =q
c=p
;
:
a2 =p
;
b2 =q
Then, we obtain
(
M1 =R
)=(
)(
M1 =p
M1 =q
)=(
)(
a1 =p
b1 =q
Similarly, we get
(
(
M2 =R
M3 =R
) = 1
) = (
M4 =R
4
) = ?1
:
)=1
:
Therefore, the receiver sees that
= 1 or
or
if = 0;
if = 1.
Now, suppose that = 0. The relationship between the roots and the
coecients of (7) gives us
M
M
M2
s
M3
M4
s
s
M1 M2
=[
a1 a2 ; b1 b2
] = [ ] = mod
c; c
Hence,
=
Therefore, the receiver sees that
min(
= max(
When = 1
= min(
max(
M2
mod
M1 ; M 2
M
s
c=M1
c
R:
R:
) if = 0;
) if = 1.
t
M 1 ; M2
t
;
) if = 0;
) if = 1.
Thus, a ciphertext is uniquely deciphered.
M3 ; M 4
M
t
M 3 ; M4
(Digital signature) Let
Ej
t
= +
E
j:
Increase ( = 0 1 2 ) until the following equation holds.
j
j
;
;
; :::
((
2
Ej
? 4 ) ) = (( j ? 4 ) ) = 1
c =p
E
Let satisfying (10) be and let
from J . The signed message is (
j
J
MJ
2
c =q
(10)
be any one of the plaintexts obtained
).
MJ ; J
E
4 Intractability of breaking the proposed cryptosystem
It will now be shown that breaking the proposed cryptosystem is as dicult
as factoring a large number. It is clear that the proposed cryptosystem is
broken if one can factor = . We will prove the converse. That is, one
can factor = if the proposed cryptosystem is broken.
R
R
pq
pq
Theorem 1 Neither \ (7) mod p " nor \ (7) mod q " has a multiple root.
5
(Proof)
From (8) and (9), we get
a1
6= mod
a2
p;
b1
6= mod
b2
q
Q.E.D.
Theorem 2 Suppose that there exists a polynomial time algorithm nding
the plaintext from any ciphertext of the proposed cryptosystem. Then, there
exists a polynomial time algorithm factoring R = pq with probability 1=4.
(Proof)
Choose at random a number 0
. satises (3) with 1 4 probability. Let ( ) be a public key of the proposed cryptosystem.
Pick any plaintext . Compute 0 as follows:
< c < R
c
=
R; c
M
M
! (
) (Encryption)
! ( )
! 0 (Decryption)
M
E; s; t
E; s; t
M
;
where = + 1 mod 2.
Let = [ 1 1 ]. Since = + 1 mod 2,
s
s
M
f ;g
s
M
s
0 = [f1 ; g2 ] or M 0 = [f2 ; g1 ]:
Let's consider the case of 0 = [
M
M
?
M
f 1 ; g2
]. Then,
0 = [f1 ; g1 ] ? [f1 ; g2 ] = [0; g1 ? g2 ]:
From Theorem 1, 1 ? 2 6= 0 mod . That is, ? 0 = 0 mod and
? 0 6= 0 mod . Therefore, gcd( ? 0 ) = .
The number of bit operations required by the above procedure is clearly
polynomial of ( is the bit length of ). The proof in the case of 0 =
[ 2 1 ] is the same.
Q.E.D.
The probability that the above probabilistic algorithm fails after 100
trials is (3 4)100 = 10?13 , which is negligibly small.
The next theorem strengthens Theorem 2.
g
M
M
q
n
g
q
M
n
M
M ;R
R
f ;g
=
6
M
p
p
M
Theorem 3 Suppose that there exists a polynomial time algorithm nding
the plaintext from 1=K of all the ciphertexts of the proposed cryptosystem.
Then, there exists a polynomial time algorithm factoring R = pq with probability 1=4K .
(Proof)
Let be the set of the ciphertexts which are broken by the supposed
algorithm. Choose at randam a number 0
. The ciphertext of
belongs to with 1 probability. We can apply the same algorithm in the
proof of Theorem 2 to the . It is clear that the total algorithm succeds
with probability 1 4 .
X
< M < R
X
M
=K
M
= K
Q.E.D.
5 A quadratic equation mod p in the proposed cryptosystem
This chapter shows how to solve \(7) mod " or \(7) mod ". (We use the
same notation as in Sec. 3.) The following theorem is attained by modifying
Rabin's method [5] to the proposed cryptosystem.
p
Theorem 4
q
(i) Over GF (p),
gcd( (p?1)=2 ? 1
x
;x
2
?
2
?
Ex
+ )= ?
a1
+ )= ?
b1
c
x
(ii) Over GF (q),
gcd( (q?1)=2 ? 1
x
;x
Ex
c
x
(Proof)
(i) (8) and Euler's criterion give us
?1)=2 = 1;
(p
a1
?1)=2 = ?1
(p
a2
Therefore, 1 is a root of (p?1)=2 ? 1 and
holds.
(ii) The proof is the same as (i).
a
x
7
a2
isn't. This shows that (i)
Q.E.D.
2 and 2 are obtained from the relationship between the roots and the
coecients of (7) as follows:
a
b
= ? 1 mod
? 1 mod
2 =
a2
E
a
b
E
b
Note that gcd( (p?1)=2 ? 1
x
;x
x
2
?
Ex
p
q:
+ ) can be obtained by computing
c
?1)=2 mod (x2 ? Ex + c):
(p
6 Computational complexity
Let a plaintext
M
be bits long.
n
(Encryption) 1
mod is computed by applying Enclidean algorithm
to and . (
) is computed in a similar way. Euclidean algorithm
requires ( 2 ) bit operations. The multiplication of (1 ) mod
also requires ( 2 ) bit operations. Therefore, encryption of the
proposed cryptosystem requires ( 2 ) bit operations.
(Decryption) Note that the method shown in Sec. 5 is equivalent to computing
=M
M
R
R
M=R
O n
R
c
=M
O n
O n
?1)=2 mod x2 ? Ex + c
(q ?1)=2
x
mod x2 ? Ex + c:
(p
x
The above equations are computed by ( 3 ) bit operaionts. Therefore,
the complexity of decryption is ( 3 ).
O n
O n
Table 1 shows the comparison of computational complexity.
Table 1. Comparison of computational complexity
(bit operations)
Proposed Rabin
RSA
2
2
2
(Encryption) ( )
( ) ( )( is small.)
( 3 )( is large.)
(Decryption) ( 3 )
( 3) ( 3)
O n
O n
O n
O n
8
O n
e
O n
e
O n
7 Discussion
The decryption procedure for Rabin's cryptosystem is to solve
M
On the other hand,
2
+
?
cM
? =0
E
:
+ =0
must be solved in the proposed cryptosystem. The quadratic equation of the
proposed cryptosystem is given only by exchanging the constant term and
the linear term of Rabin's quadratic equation. This exchange overcomes the
disadvantages of Rabin's cryptosystem and restricted Rabin's cryptosystem.
That is,
M
2
EM
c
;
1. A ciphertext is uniquely deciphered.
2. The two secret prime numbers, p and q, are arbitrary.
8 Example
(Secret key) = 11 = 13
(Public key) (= ) = 143 = 2
(Plaintext) = 24
(Encryption)
p
;q
R
pq
;c
M
= 24 + (2 24) = 36 mod 143
E
s
=
;
= 0 because (24 ) = 1. = 1 because
=R
c=M
= 2 24 = 12 mod 143 and 12 24(= )
(Ciphertext) (36 0 1)
(Decryption) Solving
;
t
=
<
;
M
2
? 36 + 2 = 0 mod 11 yields
M
a1
=1
;
9
a2
=2
:
M :
Solving
M
2
? 36 + 2 = 0 mod 13 yields
M
b1
= 12
;
b2
= 11
Since = 0, the plaintext is
s
M1
Since = 1 and
t
= [1 12] = 12 or
;
M 1 < M2
M2
= [2 11] = 24
;
, the receiver sees that
M
= 24.
9 Summary
The authors propose a Public Key Cryptosystem using a reciprocal number.
It has been proved that breaking the proposed cryptosystem is as hard as
factoring a large number. Encryption requires ( 2 ) bit operations and
decryption requires ( 3 ) bit operations. The proposed cryptosystem has
no disadvantage of Rabin's cryptosystem.
It will take further work to develop a more ecient method that solves
a quadratic equation mod .
O n
O n
p
References
[1] M.O. Rabin, \Digitalized signatures and public-key functions as intractable as factorization ", Technical Report LCS/TR212, Cambridge
MA:MIT, 1979.
[2] H.C. Williams, \A modication of the RSA public-key encryption procedure ", IEEE Trans. Information Theory. 26: 726-729, 1980.
[3] R.L. Rivest, A. Shamir, and L. Adleman, \A method for obtaining digital
signatures and public-key cryptosystems ", Comm. ACM.21: 120-126,
1978.
[4] H.C. Williams, \Some public-key cryptofunctions as intractable as factorization ", Cryptologia. 9: 223-237, 1985.
[5] M.O. Rabin, \Probabilistic algorithms in nite elds ", SIAM J. Comput. 9: 273-280, 1980.
10