Permutation Matrix and Left Right Inverse of Matrices
AN APPLICATION OF LEFT / RIGHT INVERSE
IN PUBLIC KEY CRYPTOSYSTEM
Budi Murtiyasa
Department of Mathematics Education, Muhammadiyah University of Surakarta e-mail : bdmurtiyasa@yahoo.com Fax : +62 271 715448
Subanar, Retantyo Wardoyo, Sri Hartati
Faculty of Mathematics and Natural Science, Gadjah Mada University
Abstract
The theory of matrices becomes a potential tool in cryptographic research. The paper
addreses to develop a public key cryptosystem based on right inverse of matrices. The
idea is similar to the previous public key cryptosystem, that is McElice’s public key and
Wu-Dawson’s public key, in term of the usage of a coding theory. Properties of the
public key cryptosystem are analyzed and compared with the previous public key
cryptosystem.Key word : left inverse, right inverse, public key cryptosystem
Introduction
For a public key cryptosystem with information expansion, i.e. the length of ciphertext blocks is larger than that of plaintext blocks, it is possible that one plaintext block may correspond to several valid ciphertext blocks. For example, McEliece’s public key cryptosystem and Wu-Dawson’s public key cryptosystem have information expansion (Wu and Dawson, 1998:321). Both of them have an advantage that is fast encryption and decryption. Disadvantages need large key space and have message expansion.
This paper proposes a public key cryptoystem based on the left / right inverses of matrices in the field Z = {0, 1}. The algorithms of encryption and decryption, which are
2
linear operation, can be performed very quickly. Properties and risk analysis of the public key cryptosystem are discussed by comparing with McEliece’s and Wu-Dawson’s public key cryptosystem.
Encryption by McEliece’s public key can be explained as follows. For a message ⊕ e, G’ = SGP, where G is a kxn generator matrix of linear
m, cipherptext c = mG’
code C[n,k], S is a kxk a nonsingular matrix, P is a nxn permutation matrix, and e is a binary vector of length n with Hamming weight t. G’ is public, and G, S, and P are secret. Conversely, the decryption processes of ciphertext c to obtain the plaintext m are
- 1
⊕ e : (1) compute c
1 = cP , (2) m 1 = c
1 1 , (3) retrieve m from m G = m 1 , (4) compute m
- 1
S
= m (Stinson, 1995:196). Meanwhile, Wu-Dawson’s public key can be summarized as in Table 1 below.
Table 1. Wu-Dawson’s public key cryptosystem
-
Public
G, H - H
Private H
- - T
Encryption c = mG ) ⊕ e(H
T
- - Decryption (1) n ⊕ ( H
H) ) mG = c(I (2) retrieve m from mG where c is a ciphertext of a message m, G is a kxn generator matrix of linear code C[n,k],
- -
H is (n-k)xn parity check of matrix, H is nx(n-k) generalized reinverses of matrix H.
(Wu and Dawson, 1998:323).
Permutation Matrix and Left / Right Inverse of Matrices
- 1
For a nonsingular and square matrix A, the inverse of A is A , so that
- 1 -1
AA
= A A = I (1)
- -1
The matrix A can be found by (i) adjoint matrix, (ii) elementary row operation, and/or (iii) elementary column operation.
Definition 1. Permutation matrix is a matrix which is by permute i-th row and j-th row of the identity matrix I.
By Definition 1, every row and column of permutation matrix has exactly one entry 1, meanwhile the others are entry 0. From Definition 1 above, it is mean that the permutation matrix also can be found by elementary row-operation of first type
(interchange of row), in this case interchange of i-th row and j-th row from identity matrix I. So, permutation matrix is also elementary matrix. If P ij is permutation matrix by permute i-th and j-th row of I, P ij P ij = I or:
2 P ij = I
(2) From relation (2), it can be concluded that inverse of permutation matrix is also permutation matrix.
Lemma 1. For nxn identitity matrix I, the number of permutation matrix is n!.
Proof : Because matrix I has dimension n, the number of permutation is n !.. So, the number of permutation matrices is n!. Moreover, if A is non-square, it is possible to find a left inverse or a right inverse of A.
≠ I, with more than one L, the
Definition 2. For a matrix A, if LA = I but AL
matrices L are called left inverse of A. Conversely, for a matrix A, if AR = I but ≠ I, with more than one R, the matrices R are called right inverse of A.
RA L R Furthermore, A denotes the left inverse of A, and A denoted the right inverse of A.
L R So, if left inverse exist, A A = I, meanwhile if right inverse exist, A A = I.
≥ n and rank of A is n.
Theorem 1. An mxn matrix A has left inverses only if m ≤ n and rank of A is m. Theorem 2. An mxn matrix A has right inverses only if m
Proof: we prove that a contradictory result can be obtained as m > n and A having right
X ⎛ ⎞ nxn
R
inverse. For m > n, let A = , and suppose nxm matrix A is right inverse of A,
⎜⎜ ⎟⎟ Y
( m − xn n ) ⎝ ⎠
R A P Q = , then :
( nxn nx ( m − n ) )
I X ⎛ ⎞ n
⎛ ⎞ nxn
XP
XQ
⎛ ⎞
R P Q
AA = ( nxn nx ( m n ) ) = = I m =
− ⎜⎜ ⎟⎟ ⎜⎜ ⎟⎟ ⎜⎜ ⎟⎟
Y
I ( m n ) YP YQ ( m − ) n − xn
⎝ ⎠ ⎝ ⎠
⎝ ⎠
this means XP = I, XQ = 0, YP = 0, and YQ = I. Since XP = I and both X and P are
- 1
square matrices, then P = X . Meanwhile,
- 1
YP = YX = 0
- 1
YX X = 0 X)
(multiple by
Y = 0
≠ I. It is contradictory. Therefore, if m > n, an mxn matrix A has no and YQ = 0Q = 0 right inverse. Meanwhile, because A has rank m, there exists an mxm non-singular
−
1 ⎛ ⎞
X mxm
⎜ ⎟ R
submatrix X of A. Let A = (X m xm Y m x(n-m) ), and suppose A = is right inverse
⎜ ⎟ ( n − m ) xm
⎝ ⎠ R
of A, then AA = I m .
T Theorem 3. A matrix A has right inverse if and only if A has left inverse.
Proof :
- Suppose an mxn matrix A has right inverse, by Theorem 2, matrix A has rank m and
T T m ≤ n. Hence, A ≥ m. By Theorem 1, A
has dimension nxm, rank m, and n has left inverse.
T T
≥ m. Hence, has left inverse, by Theorem 1, A has rank m and n
- Suppose an nxm A
T T
≤ n. By Theorem 2, A has right (A ) = A has dimension mxn, rank m, and m inverse.
T
Theorem 4. A matrix A has left inverse if and only if A has right inverse.
R T T Theorem 5. If a matrix A has right inverse, (A ) is left inverse of A .Proof :
R
Suppose A has right inverse A ,
R A A
= I
R T T
(A A ) = I
R T T
(A ) A = I
R T T
Its mean (A ) is left inverse of A .
L T T Theorem 6. If a matrix A has left inverse, (A ) is right inverse of A . From Theorem 5 and Theorem 6, if left inverse or right inverse exist,
R T T L
(A ) = (A ) (3)
L T T R
(A ) = (A ) (4)
≥ m, there is nxn
Constructing of left inverse. If an nxm matrix A has rank m and n
I ⎛ mxm ⎞
nonsingular matrix P so that PA = , or :
⎜⎜ ⎟⎟ O
( n − xm m ) ⎝ ⎠
I ⎛ ⎞ mxm
- 1
A = P
(5)
⎜⎜ ⎟⎟ O
( n − xm m ) ⎝ ⎠ where P is product of elementary row matrix.
Theorem 7. A left inverse of A in form (5) is: L
A = (I m S m x(n-m) ) P (6) which is an arbitrary S. Proof :
I ⎛ mxm ⎞
L -1 A
A = (I m S m x(n-m) ) P P = I m .
⎜⎜ ⎟⎟ O
( n − xm m ) ⎝ ⎠
The Theorem 7 above gives way to construct a left inverse of A. Because an mx(n-m) matrix S is an arbitrary, in the field of real number R, the number of left inverses of A is infinite. In the field of computer science, discussion in the field R is meaningless. Therefore, a discussion will be meaningfull if in the field Z
2 = {0, 1}. It can be show that
in the field Z 2 , the number of left inverses is finite.
mx(n-m) Lemma 2. In the field Z , a number of left inverses of A in the form (6) are 2 .
2 Proof:
The number of different left inverses of A is the number of different choices of S which
mx(n-m)
is totally 2 .
Constructing of right inverse. An mxn matrix A which has rank m, there exists an nxn
nonsingular matrix Q, so that AQ = (I O ) or :
m m x(n-m)
- 1
A = (I m O mx(n-m) ) Q (7) Where Q is product of elementary column matrix.
Theorem 8. In form (7), right inverses of A is
I ⎛ ⎞ m
R A
= Q (8)
⎜⎜ ⎟⎟ W
( n − xm m ) ⎝ ⎠ where W is an arbitrary.
Proof :
I ⎛ ⎞ m
R -1 A A = (I m O mx(n-m) ) Q Q = I m .
⎜⎜ ⎟⎟ W
− xm ( n m ) ⎝ ⎠
The Theorem 8 above gives way to construct right inverse of A. Every different choice of W, gives different rigt inverse.
(n-m)xm Lemma 3. In the field Z , a number of right inverses of A in the form (8) are 2 .
2 Proof :
The number of different right inverses of A is the number of different choices of W
(n-m)xm
which is totally 2 .
Design of Public Key Cryptosystem
An arbitrary linear code C[n,k] can be treated as a vector subspace of V (Z ). A
n
2 Generator matrix for C is a kxn matrix G that has rank k. For message m, c = mG is
codeword, see for detail on error correcting code (Vanstone and Oorschot, 1989; MacWilliams and Sloane, 1993). By reconstruction of generator matrix G, that is G =
R -1 T
(P S ) , the ciphertext of plaintext m with length k is c = mG. S is a kxk permutation matrix, and P is a kxn matrix with rank k. Matrix G is public to encrypt message m. The decryption to obtain message m can be performed as follows :
T T R -1 T T -1 T R T T T compute c(SP) = mG(SP) = m (P S ) (SP) = m (S ) (P ) P S = m.
The above description can be summarized as in Table 2 below.
Table 2. Our public key cryptosystem
R -1 T
Public G = (P S ) Private R = SP Encryption c = mG
T
Decryption m = c R
- 1
- 1
Key space.
The public key space is size of G, which are kn bits. Meanwhile, the private key space is size of R, which are also kn bits. So, the total of key space needs 2kn bits.
A key generation of the public key cryptosystem can be performed according to the following steps : (1) select G
1 = [I k A] with an arbitrary kx(n-k) matrix A, (2) select
an arbitrary kxk permutation matrix S, (3) P = SG
1 , (4) find a right inverse of P, i.e. P R
, (5) find inverse of S, i.e. S
, (6) G = (P
R
S
)
T
, (7) R = SP. Thus, R is a private key and G is a public key.
Properties of the Cryptosystem 1.
2. Encryption and decryption complexity.
- 2kn – k = 4kn – k – n . So, encryption and decryption complexity are also the order of O(kn).
Public key space
2 kn
n/k
)
3
2
3
2kn n
2
n
Wu-Dawson
n/k
)
2
2kn+(2n-1)n+(2k-1)k Æ O(n
2
We assume that both binary addition and multiplication are bit operation. For encryption, computation c = mG needs (k + k – 1)n = (2k –1) n = 2kn – n. Encryption complexity is the order of O(kn). For decryption, ciphertext c has length n, so that computation m = cR
k
McEliece
n/k
4kn – n – k Æ O(kn)
kn
Our cryptosystem kn
Complexity of encryption and decryption Ratio of message expansion
Table 3. Comparison of cryptosystem Cryptosystem Private key space
A cryptosystem is said to have message expansion if the length of ciphertext blocks is longer than the length of the plaintext blocks. If r denotes the proportion of the length of the ciphertext blocks from the length of plaintext blocks, in our cryptosystem r = n/k.
3. message expansion.
n
needs (n + n – 1)k = (2n –1)k = 2kn – k. Decryption complexity is the order of O(kn). Therefore, both encryption and decryption process needs 2kn –
T
- kn + n
- 3n
- – 2n Æ O(n
Risk Analysis
R is right inverse of G, by
1 −
2
xk k n ) (
only one. So, that the probability of the intruder will succeed is only
R that satisfies the condition is
. Matrix G
(n-k)xk
= m. Matrix G has a size kxn and rank k, by lemma 3, the number of right inverses of G is 2
R = mGG R = mI k
computation cG
(2) Attack 2 : find a right inverse of G. Because of c = mG, the message m will be found if the intruder got a right inverse of G. Therefore, if G
The risk analysis is based on security of ciphertext c, which is by possibly attacks by the intruder. If the intruder has known a private key R, the ciphertext c can be broken. By computation m = cR
k(n-k) . It is very large to get one of the private keys R.
. So, the number of ways to findout the private key R is : n! 2
k(n-k)
number of possibilities of matrix A is 2
2 = {0,1}, the number of permutation matrix S is n!. Meanwhile, the
for a permutation matrix S k xk and an arbitrary matrix A k x(n-k) . According Lemma 1, in the field of Z
S and A. As a consequence, finding a matrix that generates matrix R means looking
1 , where G 1 = [I k A]. This means that matrix P depends on matrix
Attack 1: find a matrix that generates the private key R. By procedure of key generation, P = SG
, the intruder will obtain message m. The intruder will perhaps find out of the private key R by : (1) find a matrix that generates R, i.e. S and P, (2) find a right inverse of G, and (3) try an arbitrary matrix R. (1)
T
. It is very small probability.
(3) Attack 3: try an arbitrary matrix R. Matrix R has size kxn, the number of element of matrix R is kn. In the field Z
2 = {0, 1}, the number of possibilities of different matrix kn R is 2 . It is large enough to get one of the private keys R.
From above discussion, it can be concluded that if k and n are large, the ciphertext c is still secure. We would like to point out that by removing error pattern e in our cryptosystem, we hope our cryptosystem is still secure and efficient, because error patterns e, both in McElice’s and Wu-Dawson’s cryptosystem, became a weak key of the cryptosystem (Wu and Dawson, 1998).
Conclusion
By the right inverses of matrices, a public key cryptosysem which has a good performance is proposed. It is shown that the theory of matrices became a potential tool in cryptographic research. The complexity of the matrix operation is low. Hence, it can work very quickly. It is anticipated that the theory of matrices over finite field may have more cryptographic applications.
We would like to remind that although we have found a method to find out left inverses in form (6) and right inverses in form (8), an efficient algorithm to find right inverses needs further investigation. Further research about authentication scheme of the cryptosystem is still needed.
References
MacWilliams, F.J., and Sloane, N.J.A., 1993, The Theory of Error Correcting Codes, Eight Impression, Amsterdam : North-Holland Mathematical Library. Stinson, D. R., 1995, Cryptography Theory and Practice, Florida : CRC Press LLC. Vanstone, S.A., and Oorscot, V.P.C., 1989, An Introduction to Error Correcting Code
with Applications , Kluwer Academic Publisher.
Wu, C.K., and Dawson, E., 1998, “Generalised Inverses in Public Key Cryptosystem Design” in IEE Proceedings Computer Digit. Tech. Vol. 145 No. 5, September 1998, Pp:321-326.