AN APPLICATION OF PUBLIC KEY CRYPTOSYSTEM BY RIGHT INVERSE IN DIGITAL SIGNATURE SCHEME

  


  Paper presented in Indonesia Cryptology and Information Security Conference, Jakarta, March 30 – 31, 2005

  

Budi Murtiyasa

  Department of Mathematics Education Muhammadiyah University of Surakarta Indonesia

  Jl. A. Yani Pabelan Tromol Pos I Surakarta 57102 E-mail : [email protected]


  

Abstract

  The paper presents a digital signature scheme based on the public key cryptosystem by right inverse. Based on that scheme, it discusses the characteristics of the scheme, especially key space, complexity of encryption and decryption, message expansion, and risk analysis. From the analysis, it can be concluded that the digital signature scheme is efficient in key space and fast in encryption/decryption. The disadvantage of the scheme is that it has a message expansion. If the order of the private key matrix is large enough, the scheme is still secure from the intruder.

  Key words: right inverse, public key cryptosystem, digital signature.

  Introduction

  The theory of matrices has become a potential tool in cryptographic research. Recently, a public key cryptosystem by right inverse has been developed (Murtiyasa, et al., 2004). The idea of the development is similar to previous public key cryptosystems, namely McEliece's and Wu-Dawson's public key cryptosystems, in terms of the use of coding theory. Generally, a cryptosystem provides security services in (1) confidentiality, (2) integrity, (3) authenticity, and (4) nonrepudiation. Stallings (2003) explained that a public key cryptosystem can be applied in (i) encryption/decryption, (ii) digital signature, and (iii) key exchange.

  Wu and Dawson (1998) have developed a public key cryptosystem based on generalized inverses of matrices. According to Sun (2001) and Huang and Chang (2002), Wu-Dawson's cryptosystem is easy for an intruder to attack. Another disadvantage of Wu-Dawson's cryptosystem is that it can only be applied for encryption and decryption. Hence, it only provides a confidentiality service. The paper aims to develop a digital signature scheme based on the public key cryptosystem by right inverse of matrices in the field $Z_2$. By digital signature, a cryptosystem will provide all four of the security services.

  Right Inverse of Matrices

  Definition 1: For a square and nonsingular matrix $A$, $A^{-1}$ is the inverse of $A$ if it satisfies

  $AA^{-1} = A^{-1}A = I_n$   [1]

  The matrix $A^{-1}$ can be obtained by (i) adjoint matrix and determinant, (ii) elementary row operations (ERO), (iii) elementary column operations (ECO), or (iv) a combination of ERO and ECO.

  Generally, a matrix $A$ of order $m \times n$ and rank $r$ can be reduced, by a finite series of ERO and ECO, to one of the normal forms:

  $[I_r \mid O]$, $\begin{bmatrix} I_r \\ O \end{bmatrix}$, or $\begin{bmatrix} I_r & O \\ O & O \end{bmatrix}$   [2]

  (Ayres, Jr, 1982). If $A$ is a square matrix of order $n$ and has rank $n$, $A$ can be reduced to the normal form $I_n$ by ERO and/or ECO.

  Definition 2. A permutation matrix is a matrix obtained by permuting the i-th row and j-th row of the identity matrix $I$ (Kwak and Hong, 1997).

  The inverse of a permutation matrix is also a permutation matrix.

  Lemma 1. For the $n \times n$ identity matrix $I$, the number of permutation matrices is $n!$.

  Definition 3. For a matrix $A$, if $LA = I$ but $AL \neq I$, with more than one $L$, the matrices $L$ are called left inverses of $A$. Conversely, for a matrix $A$, if $AR = I$ but $RA \neq I$, with more than one $R$, the matrices $R$ are called right inverses of $A$. Furthermore, $A^L$ denotes the left inverse of $A$, and $A^R$ denotes the right inverse of $A$. So, if a left inverse exists, $A^L A = I$; meanwhile, if a right inverse exists, $A A^R = I$.

  Theorem 1. For an $m \times n$ matrix $A$, (i) if $m \geq n$ and $A$ has rank $n$, then $A$ has left inverses; (ii) if $m \leq n$ and $A$ has rank $m$, then $A$ has right inverses.

  Based on Theorem 1 above, a matrix $A$ has right inverses if and only if $A^T$ has left inverses. Conversely, a matrix $A$ has left inverses if and only if $A^T$ has right inverses. Furthermore, if $A$ has a right inverse, then $(A^R)^T$ is a left inverse of $A^T$. Conversely, if $A$ has a left inverse, then $(A^L)^T$ is a right inverse of $A^T$. So, if left/right inverses exist, then

  $(A^R)^T = (A^T)^L$ and $(A^L)^T = (A^T)^R$   [4]

  If an $m \times n$ matrix $A$ has rank $n$ and $m \geq n$, there exists an $m \times m$ nonsingular matrix $P$ so that $PA = \begin{pmatrix} I_{n \times n} \\ O_{(m-n) \times n} \end{pmatrix}$, or:

  $A = P^{-1} \begin{pmatrix} I_{n \times n} \\ O_{(m-n) \times n} \end{pmatrix}$   [5]

  where $P$ is a product of elementary row matrices.

  Theorem 2. A left inverse of $A$ in form [5] is:

  $A^L = (I_n \mid S_{n \times (m-n)})\, P$   [6]

  where $S_{n \times (m-n)}$ is an arbitrary matrix.

  Lemma 2. In the field $Z_2$, the number of left inverses of $A$ in form [6] is $2^{n(m-n)}$.

  For an $m \times n$ matrix $A$ which has rank $m$, there exists an $n \times n$ nonsingular matrix $Q$ so that $AQ = (I_m \mid O_{m \times (n-m)})$, or:

  $A = (I_m \mid O_{m \times (n-m)})\, Q^{-1}$   [7]

  where $Q$ is a product of elementary column matrices.

  Theorem 3. In form [7], a right inverse of $A$ is

  $A^R = Q \begin{pmatrix} I_m \\ W_{(n-m) \times m} \end{pmatrix}$   [8]

  where $W_{(n-m) \times m}$ is an arbitrary matrix.

  Lemma 3. In the field $Z_2$, the number of right inverses of $A$ in form [8] is $2^{(n-m)m}$.

  Design of Public Key Cryptosystem

  Murtiyasa, et al. (2004) give a new design of a public key cryptosystem by right inverse, which can be described as follows. An arbitrary linear code $C[n,k]$ can be treated as a $k$-dimensional vector subspace of $V_n(Z_2)$. A generator matrix for $C$ is a $k \times n$ matrix $G$ that has rank $k$. For a message $m$, $c = mG$ is a codeword. The generator matrix is reconstructed as $G = (P^R S^{-1})^T$, where $S$ is a $k \times k$ permutation matrix and $P$ is a $k \times n$ matrix with rank $k$. $P^R$ and $S^{-1}$ are a right inverse of $P$ and the inverse of $S$, respectively. The matrix $G$ is made public to encrypt a message $m$. The decryption to obtain message $m$ can be performed as follows. Compute

  $c(SP)^T = mG(SP)^T = m (P^R S^{-1})^T (SP)^T = m (S^{-1})^T (P^R)^T P^T S^T = m.$

  So, $R = SP$ is the private key to decrypt ciphertext $c$. To assure a unique interpretation, the message $m$ must be blocked in $k$ bits.

  Table 1. Public Key Cryptosystem By Right Inverse

  | Public key | Private key | Encryption | Decryption |
  |---|---|---|---|
  | $G$ | $R$ | $c = mG$ | $m = cR^T$ |

  The key generation to develop a public key $G$ and a private key $R$ is as follows: (1) select $G_1 = [I_k \mid A]$ with an arbitrary $k \times (n-k)$ matrix $A$, (2) select a $k \times k$ permutation matrix $S$, (3) $P = SG_1$, (4) find a right inverse of $P$, i.e. $P^R$, (5) find the inverse of $S$, i.e. $S^{-1}$, (6) $G = (P^R S^{-1})^T$, and (7) $R = SP$. So, $G$ is the public key to encrypt message $m$, and $R$ is the private key to decrypt ciphertext $c$ (Murtiyasa, et al., 2004).

  Digital Signature Scheme

  The digital signature scheme is developed from the algorithm of the public key cryptosystem. The digital signature scheme between user A and user B can be explained as follows. User A develops a public key $G$ and a private key $R$, each of dimension $k \times n$. The key generation to develop a public key $G$ and a private key $R$ by user A is as follows: (1) select $G_1 = [I_k \mid A]$ with an arbitrary $k \times (n-k)$ matrix $A$, (2) select a $k \times k$ permutation matrix $S$, (3) $P = SG_1$, (4) find a right inverse of $P$, i.e. $P^R$, (5) find the inverse of $S$, i.e. $S^{-1}$, (6) $G = (P^R S^{-1})^T$, and (7) $R = SP$.

  Meanwhile, user B develops a public key $K$ and a private key $H$, each of dimension $n \times w$. The key generation to develop a public key $K$ and a private key $H$ by user B is as follows: (1) select $K_1 = [I_n \mid B]$ with an arbitrary $n \times (w-n)$ matrix $B$, (2) select an $n \times n$ permutation matrix $T$, (3) $Q = TK_1$, (4) find a right inverse of $Q$, i.e. $Q^R$, (5) find the inverse of $T$, i.e. $T^{-1}$, (6) $K = (Q^R T^{-1})^T$, and (7) $H = TQ$.

Encryption. Encryption of message $m$ by user A is carried out in two steps, namely (1) $y = mR$, and (2) $c = yK$. Furthermore, ciphertext $c$ is transmitted to user B.

Decryption. When user B receives ciphertext $c$, decryption and verification are also in two steps, i.e.: (1) $y = cH^T$, and (2) $m = yG^T$.
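The key generation, encryption and decryption steps above can be run end to end over $Z_2$. The following is an added example, not code from the paper: the function names, the seed and the toy sizes $k = 4$, $n = 7$, $w = 12$ are assumptions, and step (4) uses the closed form that Theorem 3 gives for $G_1 = [I_k \mid A]$ instead of a general search for a right inverse.

```python
import random

def mul(X, Y):
    """Matrix product over Z_2 (matrices are lists of 0/1 rows)."""
    return [[sum(a & b for a, b in zip(r, c)) % 2 for c in zip(*Y)] for r in X]

def tr(X):
    return [list(col) for col in zip(*X)]

def eye(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def keygen(k, n, rng):
    """Steps (1)-(7) for k < n: returns (public, private), both k x n."""
    I = eye(k)
    A = [[rng.randint(0, 1) for _ in range(n - k)] for _ in range(k)]
    G1 = [I[i] + A[i] for i in range(k)]          # (1) G1 = [I_k | A]
    S = eye(k)
    rng.shuffle(S)                                # (2) k x k permutation matrix
    P = mul(S, G1)                                # (3) P = S G1
    # (4) Theorem 3 with Q = [[I, A], [O, I]] gives G1^R = [I + AW ; W] for
    #     any W, and then P^R = G1^R S^-1, because P P^R = S G1 G1^R S^-1 = I.
    W = [[rng.randint(0, 1) for _ in range(k)] for _ in range(n - k)]
    AW = mul(A, W)
    G1R = [[I[i][j] ^ AW[i][j] for j in range(k)] for i in range(k)] + W
    S_inv = tr(S)                                 # (5) S^-1 = S^T for a permutation
    PR = mul(G1R, S_inv)
    public = tr(mul(PR, S_inv))                   # (6) G = (P^R S^-1)^T
    private = mul(S, P)                           # (7) R = S P
    return public, private

def sign_encrypt(m, R, K):
    """User A: y = mR with A's private R, then c = yK with B's public K."""
    return mul(mul([m], R), K)[0]

def decrypt_verify(c, H, G):
    """User B: y = cH^T with B's private H, then m = yG^T with A's public G."""
    return mul(mul([c], tr(H)), tr(G))[0]

def demo(seed=2005, k=4, n=7, w=12):
    rng = random.Random(seed)                     # constructed toy parameters
    G, R = keygen(k, n, rng)                      # user A
    K, H = keygen(n, w, rng)                      # user B
    m = [1, 0, 1, 1]                              # constructed k-bit message block
    c = sign_encrypt(m, R, K)
    return m, c, decrypt_verify(c, H, G)

if __name__ == "__main__":
    print(demo())
```

The ciphertext has $w$ bits for a $k$-bit block, which is the message expansion $w/k$ discussed in the next section.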

  Characteristics of the Digital Signature Scheme

  The key space for encryption depends on the dimensions of matrices $R$ and $K$, which is $(kn + nw)$ bits. The key space for decryption depends on the dimensions of matrices $H$ and $G$, that is $(nw + kn)$ bits. In total, the key space is $2(kn + nw)$ bits.

  The complexity of encryption and decryption is computed from the number of addition and multiplication operations. Encryption complexity is $(2k-1)n + (2n-1)w$ operations, and decryption needs $(2w-1)n + (2n-1)k$ operations. In total, encryption and decryption need $(4nw + 4kn - 2n - w - k)$ operations, which is in the family of $O(nw)$. The ratio of message expansion is $w/k$.

  Table 2. Comparison of the digital signature scheme

  | Digital signature | Key space for encryption | Key space for decryption | Complexity of encryption and decryption | Message expansion |
  |---|---|---|---|---|
  | My scheme | $kn + nw$ | $kn + nw$ | $4nw + 4kn - 2n - w - k \to O(nw)$ | $w/k$ |
  | RSA scheme | $4(k + 1)$ | $4(k + 1)$ | $O(k^3)$ | $k/k = 1$ |

  The digital signature scheme has lower complexity than a digital signature scheme by the RSA cryptosystem. This means that the process of encrypting, decrypting, and verifying a message can be done more quickly. Conversely, a digital signature scheme by the RSA cryptosystem is more efficient in key space and message space than the digital signature scheme which uses the cryptosystem by right inverse.

  Risk Analysis

  the private key $H$ is found, the ciphertext $c$ can be broken and the attacker gets message $m$. The private key $H$ can possibly be attacked by: (1) finding a matrix that develops $H$, (2) finding a right inverse of $K$, and (3) trying an arbitrary matrix $H$.

  (1) Attack 1: finding a matrix that develops matrix $H$, namely matrix $T$ and $Q = TK_1$, where $K_1 = [I_n \mid B]$. In this case $Q$ depends on $T$ and $B$. Hence, finding a matrix $Q$ means finding an $n \times n$ permutation matrix $T$ and an $n \times (w-n)$ matrix $B$. By Lemma 1, the number of permutation matrices $T$ is $n!$. Meanwhile, the number of possibilities of matrix $B$ is $2^{n(w-n)}$. So, the number of ways to get matrix $H$ is $n! \, 2^{n(w-n)}$. By this attack, the probability the intruder will succeed is only $\frac{1}{(n!)(2^{n(w-n)})}$.

  (2) Attack 2: finding a right inverse of $K$. Actually, one of the right inverses of $K$ is the private key $H$. Because $c = yK$, $cK^R = yKK^R = y$. Furthermore, $m = yG^T$. It means that message $m$ can be found by the intruder if they get a right inverse of $K$. The public key $K$ has order $n \times w$ and rank $n$, so the number of right inverses of $K$ based on Lemma 3 is $2^{(w-n)n}$. Meanwhile, only one matrix $K^R$ satisfies the condition. Hence, the probability the intruder will succeed is $\frac{1}{2^{(w-n)n}}$.

  (3) Attack 3: trying an arbitrary matrix $H$. A matrix $H$ has order $n \times w$. The number of elements of $H$ is $nw$. In the field $Z_2 = \{0, 1\}$, the number of possibilities of matrix $H$ is $2^{nw}$. This is an even larger number of candidates from which to find one of the key matrices. By this attack, the probability the intruder will succeed is $\frac{1}{2^{nw}}$.

  Table 3. The Number of Possibilities to Find Right Inverses of K

  | No | The order of matrix K | The number of right inverses of K | Time consumed to find all of the right inverses of K |
  |---|---|---|---|
  | 1 | n = 4, w = 7 | 4096 | 18.8826 seconds = 0.0052 hours |
  | 2 | k = 8, n = 15 | 7.205759403793e+16 | 8.7478e+014 seconds = 2.4299e+011 hours = 2.7739e+007 years |
  | 3 | k = 16, n = 31 | 1.766847064778e+72 | 6.5409e+070 seconds = 1.8169e+067 hours = 2.0741e+63 years |
  | 4 | k = 32, n = 63 | 4.185580496821e+298 | 9.1748e+297 seconds = 2.5486e+294 hours = 2.9094e+290 years |

  From the above discussion, finding a right inverse of $K$ provides the greatest probability of success in attacking the digital signature scheme. Table 3 gives an illustration of finding all possible right inverses of matrix $K$. The data in Table 3 are the worst cases for finding a right inverse of $K$. However, if the intruder is lucky, it is possible to break the ciphertext faster than the time indicated. Table 4 gives an illustration of the best case to break the ciphertext. Based on the data in Table 4, extrapolation for values of $n$ and $w$ such that $w - n = 100$ needs about 226340 hours to break the ciphertext. Moreover, values of $n$ and $w$ such that $w - n = 250$ need about 1475600 hours ≈ 168.5 years. This means, for example by taking $n = 300$ and $w = 550$, the digital signature scheme is secure. It should be noted that the value of $w$ should not be too large compared with the value of $n$, to avoid a message expansion. Generally, it can be pointed out that if the values of $n$ and $w$ are such that n – w > 250, with w ≈ 2n, ciphertext $c$ is still secure from attack. In other words, the digital signature scheme is still secure from the intruder.

  Table 4. Best Case to Break the Ciphertext

  | The order of matrix K | Finding i-th / of | Time |
  |---|---|---|
  | n = 4, w = 7; w – n = 3 | 2559 / 4096 | 50.4060 ≈ 0.014 hours |
  | n = 5, w = 9; w – n = 4 | 614400 / 1048576 | 11737.02 ≈ 3.26 hours |
  | n = 6, w = 10; w – n = 5 | 10066329 / 16777216 | 198175.8300 ≈ 55.05 hours |
  | n = 7, w = 13; w – n = 6 | - | 155.3840 hours *) |
  | n = 8, w = 15; w – n = 7 | - | 304.2620 hours *) |
  | n = 10, w = 19; w – n = 9 | - | 747.6500 hours *) |
  | n = 16, w = 31; w – n = 15 | - | 3242.9 hours *) |
  | n = 32, w = 63; w – n = 31 | - | 18441 hours *) |

  Note: *) extrapolation from the prior data.
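Lemma 3 and the first row of Table 3 can be checked by direct enumeration for $n = 4$, $w = 7$. The following is an added example, not code from the paper: it assumes a constructed matrix $K = [I_4 \mid B]$ (the form of $K_1$, for which Theorem 3 gives every right inverse as $[I + BW ; W]$), and the names `right_inverses` and `survey` are hypothetical. It also applies the identity $cK^R = yKK^R = y$ from Attack 2 to each enumerated matrix.

```python
from itertools import product

def mul(X, Y):
    """Matrix product over Z_2 (matrices are lists of 0/1 rows)."""
    return [[sum(a & b for a, b in zip(r, c)) % 2 for c in zip(*Y)] for r in X]

# Constructed sample with n = 4, w = 7: K = [I_4 | B]
N = 4
B = [[1, 0, 1], [0, 1, 1], [1, 1, 0], [1, 1, 1]]
I4 = [[int(i == j) for j in range(N)] for i in range(N)]
K = [I4[i] + B[i] for i in range(N)]

def right_inverses(B, n):
    """Yield every X with [I_n | B] X = I_n, i.e. X = [I + BW ; W] for all W."""
    d = len(B[0])                                  # d = w - n
    for bits in product((0, 1), repeat=d * n):
        W = [list(bits[r * n:(r + 1) * n]) for r in range(d)]
        BW = mul(B, W)
        top = [[int(i == j) ^ BW[i][j] for j in range(n)] for i in range(n)]
        yield top + W

def survey(y):
    """Return (distinct matrices, those with KX = I, those with cX = y)."""
    c = mul([y], K)                                # c = yK, as in step (2)
    seen, valid, recovered = set(), 0, 0
    for X in right_inverses(B, N):
        seen.add(tuple(map(tuple, X)))
        valid += mul(K, X) == I4
        recovered += mul(c, X) == [y]
    return len(seen), valid, recovered

if __name__ == "__main__":
    print(survey([1, 0, 1, 1]))                    # constructed 4-bit y
```

The count is $2^{(w-n)n} = 4096$, matching Lemma 3 and Table 3; because $KK^R = I$ holds for every right inverse by Definition 3, each enumerated matrix returns $y$.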

  Conclusion and Suggestion

  The public key cryptosystem by right inverse is applicable for digital signature. Hence, the cryptosystem provides confidentiality, integrity, authenticity, and non-repudiation services. The digital signature scheme is efficient in key space and has lower complexity than the RSA scheme. The disadvantage of the digital signature scheme is that it has a message expansion. It can be pointed out that if the values of $n$ and $w$, which are the dimensions of private key $K$, are such that n – w > 250, with w ≈ 2n, the digital signature scheme is still secure from the intruder.

  The digital signature scheme by right inverse needs further study, for example in its use in communication protocols. Further research on the security of the ciphertext is still needed. In the field of mathematics, although a method for finding left/right inverses has been found, further research is still needed to find a more efficient method for finding left/right inverses.

  References

  Ayres Jr., F., 1982, Theory and Problems of Matrices. Asian Edition. Singapore: McGraw-Hill Book Company.

  Huang, H.F., and Chang, C.C., 2002, "Cryptanalysis of the WD Public-Key Cryptosystem", Paper in First International Symposium on Cyber World, November 2002, Institute of Electrical Electronics Engineers.

  Kwak, J.H., and Hong, S., 1997, Linear Algebra, Boston: Birkhauser.

  Murtiyasa, B., Subanar, Wardoyo, R., Hartati, S., 2004, "Right Inverse in Public Key Cryptosystem Design" in Proceeding of the SEAMS-GMU Conference 2003, Pp. 414-418. Yogyakarta: Department of Mathematics Gadjah Mada University.

  Stallings, W., 2003, Cryptography and Network Security Principles and Practice Third Edition, New Jersey: Pearson Education, Inc.

  Sun, H.M., 2001, "Cryptanalysis of a Public Key Cryptosystem Based on Generalized Inverses of Matrices" in IEEE Communication Letter Vol. 5 No. 2, Pp. 61-63.

  Wu, C.K., and Dawson, E., 1998, "Generalized Inverses in Public Key Cryptosystem Design" in IEE Proceedings Computer Digit. Tech. Vol. 145 No. 5, September 1998, Pp. 321-326.