Abstract
The best-known public key cryptosystem was introduced in 1978 by Rivest et al. (1978) and is now called the RSA public key cryptosystem in their honor. Later, a few authors gave a simple extension of RSA over algebraic number fields (see Takagi and Naito (2015), Uematsu et al. (1985, 1986)), but they require that the ring of algebraic integers be a Euclidean ring, and this requirement is much stronger than the class number one condition. In this chapter, we introduce a high dimensional form of RSA by making use of the ring of algebraic integers of an algebraic number field and lattice theory. We give an attainable algorithm (see Algorithm 1) which is significant from both the theoretical and the practical point of view. Our main purpose in this chapter is to show that the high dimensional RSA is indeed a lattice-based public key cryptosystem, which may be considered a new member of the family of post-quantum cryptography (see Peikert (2014), Pradhan et al. (2019)). On the other hand, we give a matrix expression for any algebraic number field (see Theorem 2), which is a new result even in the sense of classical algebraic number theory.
1 Introduction
Let \( Q, \mathbb {R},\mathbb {C}\) be the field of rational numbers, the field of real numbers and the field of complex numbers, respectively, and \( \mathbb {Z}\) the ring of integers. Let \( E \subset \mathbb {C}\) be an algebraic number field of degree n, and \(R \subset E\) the ring of algebraic integers of E. Suppose that \(A \subset R\) is a non-zero ideal (all ideals in this chapter are non-zero); then the factor ring R/A is a finite ring. We denote by N(A) the number of elements of R/A, which is called the norm of A, and by \( \varphi (A)\) the number of invertible elements of R/A, which is called the Euler totient function of A. For any \(\alpha \in R,\) the principal ideal generated by \(\alpha \) is denoted by \(\alpha R\); then \(\alpha \) is an invertible element of R/A if and only if \((\alpha R,A)=1.\) It is known (see Theorem 1.19 of Narkiewicz (2004)) that
where the product is extended over all prime ideals P dividing A. Moreover, if \(\alpha \in R\) and \( (\alpha R,A)=1,\) then
To generalize RSA to an arbitrary algebraic number field E, we first show the following assertion.
Theorem 1
Let \(P_{1}\) and \(P_{2}\) be two distinct prime ideals of R and \(A=P_{1}P_{2}\), then for any \(\alpha \in R\) and integer \(k\ge 0,\) we have
Proof
Let \( \alpha \in R.\) If \((\alpha R, A)=1,\) then (3) follows directly from (2). If \((\alpha R, A)=A,\) then \( \alpha R \subset A\) and \( \alpha \in A,\) so (3) is trivial. Thus, we only need to consider the cases \((\alpha R, A)=P_{1}\) and \((\alpha R, A)=P_{2}\). If \( (\alpha R, A)=P_{1}\), then \( (\alpha R, P_{2})=1\), and by (2) we have
It follows that
Therefore, there exists an element \(\beta \in P_{2}\) such that
We thus have
since \( \alpha \beta \in A.\) The same argument gives (3) when \( (\alpha R, A)=P_{2}\).
According to Theorem 1, one can easily extend the classical RSA over an algebraic number field as follows (see also Takagi and Naito (2015), which does not give the proof of (3)).
Obviously, if \(n=1\), the above algorithm is the ordinary RSA. However, it is difficult to find prime ideals in R and to construct a set of coset representatives of R/A. In Takagi and Naito (2015), the authors supposed that the ring R is a Euclidean ring, so that S can be constructed by the Euclidean algorithm in R. The simplest way is to select a prime element \(\alpha \) in R, so that the principal ideal \(\alpha R\) is a prime ideal. In Algorithm I, we precisely construct a set of coset representatives for the factor ring R/A by lattice theory. Here we first give an approximate construction of the set of coset representatives for the factor ring R/A.
If \(P \subset R\) is a prime ideal, then \(P \cap \mathbb {Z}=p \mathbb {Z}\), where \(p \in \mathbb {Z}\) is a rational prime number. Since R/P is a finite field and \(\mathbb {Z}/(p\mathbb {Z})\subset R/P\), we have \(N(P)=p^{f}\), where \(f\left( 1 \le f \le n\right) \) is called the degree of P. We write \(p R=P_{1}^{e_{1}} P_{2}^{e_{2}} \cdots P_{g}^{e_{g}}\), where \(P=P_{1}\) and the \(P_{i}\) are distinct prime ideals; \(e_{i}\) is called the ramification index of \(P_{i}\). There is a remarkable relation among the ramification indices and degrees (see Theorem 3 of page 181 of Ireland and Rosen (1990))
Let \(\left\{ \alpha _{1}, \alpha _{2}, \cdots \alpha _{n}\right\} \subset R\) be an integral basis for E/Q and \(A=P_{1} P_{2}\). Suppose that \(P_{1} \cap \mathbb {Z}=p\mathbb {Z}\) and \(P_{2} \cap \mathbb {Z}= q\mathbb {Z}\); then \(A \cap \mathbb {Z}= pq\mathbb {Z}\), where p and q are two distinct rational prime numbers.
Lemma 1
Let
Then \(S_{1}\) contains a set of coset representatives of R/A. Moreover, if the degrees of \(P_{1}\) and \(P_{2}\) are both n, then \(S_{1}\) is precisely a set of coset representatives of R/A.
Proof
Since \(A=P_{1}P_{2}\), \(P_{1} \cap \mathbb {Z}=p\mathbb {Z}\), and \(P_{2} \cap \mathbb {Z}=q\mathbb {Z}\), we have \(pq R \subset A\), so R/pqR maps onto R/A. To prove the first assertion, it is enough to show that \(S_{1}\) is a set of coset representatives of R/pqR. Since \(\left\{ \alpha _{1}, \alpha _{2}, \ldots \alpha _{n}\right\} \) is an integral basis and
Suppose that \(\alpha =\sum _{i=1}^{n} m_{i} \alpha _{i} \in R\), write \(m_{i}=a_{i} pq+r_{i}\), where \(0 \le r_{i}<pq\). Clearly
Thus every coset of pqR contains an element of \( S_{1}\). If \(\sum _{i=1}^{n} r_{i}\alpha _{i}\) and \(\sum _{i=1}^{n} r'_{i}\alpha _{i} \) are in \(S_{1}\) and in the same coset mod pqR, then
Since \( \alpha _{i}\) are linearly independent, it follows that
Next, suppose that the degrees of \(P_{1}\) and \(P_{2}\) are both n; then \(N\left( P_{1}\right) =p^{n}\) and \(N\left( P_{2}\right) =q^{n}\), so by (4) we have \(P_{1}=p R\), \(P_{2}=q R\), and \(A=pq R\). The second assertion follows immediately.
If one replaces S by \(S_{1}\) in Table 1, then the probability of successful decryption is
where \(f_{1}\) and \(f_{2}\) are the degrees of \(P_{1}\) and \(P_{2}\), respectively.
We note that \(f_{1}=f_{2}=n\) if and only if \(P_{1}=p R\) and \(P_{2}=q R\); in this special case, we may give a numerical explanation. It is easy to see that
By Theorem 1, for any \( a \in \mathbb {Z}\), we have
Since \(S_{1}\) is a set of coset representatives of R/A and \(\alpha =\sum _{i=1}^{n}a_{i}\alpha _{i}\in S_{1}\), we may regard \(\alpha \) as a vector \(\left( a_{1}, a_{2}, \ldots , a_{n}\right) \in \mathbb {Z}_{pq}^{n}\). Let \(m =pq\), \(1 \le e<\left( p^{n}-1\right) \left( q^{n}-1\right) \) and \(1 \le d<\left( p^{n}-1\right) \left( q^{n}-1\right) \) such that
Then for every input message \(\alpha =\left( a_{1}, a_{2}, \cdots ,a_{n}\right) \), we use the public key (m, e) and the private key (p, q, d) to encrypt and decrypt each \(a_{i}\) in turn. Obviously, these are the algorithms given by Takagi and Naito (2015); we consider these algorithms to be just a simple repetition of RSA.
The main purpose of this chapter is to show that the high dimensional form of the RSA algorithm is a lattice-based cryptosystem in general. To do this, we first establish a relationship between an algebraic number field E and the Euclidean space \(Q^{n}\). Let \(\mathbb {R}^{n}\) be the Euclidean space, which is a linear space over \(\mathbb {R}\) with the Euclidean norm |x|,
We use column notation for vectors in \(\mathbb {R}^{n}\), and \(x^{\prime }\) is the transpose of x, which is called a row vector in \(\mathbb {R}^{n}\). \(Q^{n} \subset \mathbb {R}^{n}\) is a subspace of \(\mathbb {R}^{n}.\)
Without loss of generality, an algebraic number field E of degree n may be expressed as \(E=Q(\theta )\), where \(\theta \) is an algebraic integer of degree n and \(Q(\theta )\) is the field generated by \(\theta \) over Q. Let \(\phi (x)\) be the minimal polynomial of \(\theta \),
where all \(\phi _{i} \in \mathbb {Z}.\) It is known that
We define a one-to-one correspondence \(\tau \) between E and \(Q^{n}\) by
and write \(\tau (\alpha )=\overline{\alpha }\) or \(\alpha {\mathop {\rightarrow }\limits ^{\tau }} \overline{\alpha }\). In fact, \(\tau \) is a homomorphism of additive groups from E to \(Q^{n}\), and \(\tau (a \alpha )=a \tau (\alpha )\) for all \(a\in \mathbb {Q}.\)
As usual, the trace and norm mappings from E to Q are denoted by
It is known (see corollary of page 58 of Narkiewicz (2004)) that
A full-rank lattice L is a discrete additive subgroup of \(\mathbb {R}^{n}\); an equivalent expression for L is (see Micciancio and Regev (2009), Zheng et al. (2023))
where \(B=\left[ \overline{\beta }_{1}, \overline{\beta }_{2}, \cdots , \overline{\beta }_{n}\right] _{n \times n} \in \mathbb {R}^{n \times n}\) is an invertible \(n\times n\) matrix, called a generator matrix of L. If \(L \subset Q^{n}\), we call L a rational lattice; if \(L\subset \mathbb {Z}^{n}\), we call L an integer lattice. It is not difficult to see that every ideal of R corresponds to a rational lattice; we have the following.
Lemma 2
Let \(A \subset R\) be an ideal and \(A \ne 0\), then \(\tau (A)\) is a rational lattice.
Proof
Let \(\left\{ \beta _{1}, \beta _{2},\cdots , \beta _{n}\right\} \subset A\) be an integral basis for E/Q; one has
It follows that
where \( \overline{\beta }_{i}= \tau ( \beta _{i}) \in Q^{n}\). Let \(B=[\overline{\beta }_{1},\overline{\beta }_{2},\cdots ,\overline{\beta }_{n} ]\); since \( \{ \beta _{1},\beta _{2},\cdots ,\beta _{n}\}\) is linearly independent over Q, B is an invertible matrix, and we have
The lemma follows at once.
Let \(L \subset Q^{n}\) be a rational lattice which corresponds to an ideal A of R for some suitable algebraic number field E; we call L an ideal lattice. Ideal lattices were first introduced by Lyubashevsky and Micciancio (2006) in the case of integer lattices; here we generalize this notion to the case of rational lattices. For a more detailed discussion of ideal lattices, we refer to Zheng et al. (2023).
To give an attainable algorithm for high dimensional RSA, we require the following NC-property for the algebraic number field E.
where
Some well-known algebraic number fields satisfy the NC-property; we list a few in Table 2.
2 Ideal Matrices
Suppose that \(\theta \) is an algebraic integer of degree n and \( \phi (x)=x^{n}-\phi _{n-1} x^{n-1}-\cdots -\phi _{1} x-\phi _{0} \in \mathbb {Z}[x]\) is the minimal polynomial of \(\theta \); thus \(\phi (x)\) is irreducible. Let \( \theta =\theta _{0}, \theta _{1}, \theta _{2},\cdots ,\theta _{n-1}\) be the n distinct roots of \(\phi (x)\); the Vandermonde matrix of \(\phi (x)\) is defined by
According to \(\phi (x)\), we denote the rotation matrix or adjoint matrix (see page 116 of Manin and Panchishkin (2005)) by
where \( I_{n-1} \) is the identity matrix of dimension \(n-1\).
Definition 1
An ideal matrix \(H^{*}(\overline{f})\) generated by the input vector \(\overline{f} \in \mathbb {R}^{n} \) is defined by
and the set of all ideal matrices is denoted by
Definition 2
For any two vectors \(\overline{f}\) and \(\overline{g}\) in \(\mathbb {R}^{n}\), the \(\phi \)-conventional product is defined by
and the m-multi product is denoted by
Remark 1
If \( \phi (x)=x^{n}-1\), then \(H_{\phi }\) is the classical circulant matrix (see Davis (1994)), and the conventional product with a circulant matrix was first proposed by Hoffstein et al. (1998), where it plays a key role in their cryptosystem. In Zheng et al. (2023), we generalized this definition to more general rotation matrices.
By (18), \(H^{*}(\overline{f})=0\) is the zero matrix if and only if \(\overline{f}=0\) is the zero vector, and \(H^{*}(\overline{f}+\overline{g})=H^{*}(\overline{f})+H^{*}(\overline{g})\); hence \(H^{*}(\overline{f})=H^{*}(\overline{g})\) if and only if \(\overline{f}=\overline{g}\). Thus we may regard \(H^{*} :\mathbb {R}^{n} \rightarrow \textrm{M}_{\mathbb {R}}^{*}\) as a one-to-one correspondence, which is also a homomorphism of abelian groups.
The main aim of this subsection is to show that \(Q^{n}\) is a field under the \(\phi \)-conventional product and that \(M_{Q}^{*}\) is also a field under the ordinary addition and product of matrices, both of which are isomorphic to the algebraic number field \(E=Q(\theta )\). To do this, we require some basic properties of ideal matrices.
Let \(\overline{e}_{1}, \overline{e}_{2}, \cdots , \overline{e}_{n}\) be the unit vectors of \(\mathbb {R}^{n}\), namely
Lemma 3
Let \(\tau \) be defined by (11), then we have
Proof
\(\tau \left( \theta ^{k}\right) =\overline{e}_{k+1}\) follows directly from the definition of \(\tau \). We use induction to prove \(H^{*}\left( \overline{e}_{k}\right) =H^{k-1}\). It is easy to see that \(H^{*}\left( \overline{e}_{1}\right) =I_{n}\), the identity matrix of dimension n. Suppose that \(H^{*}\left( \overline{e}_{k-1}\right) \) \(=H^{k-2}\) for some \(k\ge 2\); noting that \(\overline{e}_{k}=H \overline{e}_{k-1}\), it follows that
The lemma follows immediately.
Since \(\phi (x)\) is the characteristic polynomial of H, by the Cayley-Hamilton theorem we have
Therefore, all rotation matrices \(H^{k}\) (\(k \ge 0\)) are ideal matrices; in particular, the identity matrix \(I_{n}=H^{*}\left( \overline{e}_{1}\right) \) is an ideal matrix.
Let \(\mathbb {R}[x]\) be the polynomial ring and \(\mathbb {R}[x] /\langle \phi (x)\rangle \) be the quotient ring, where \(\langle \phi (x)\rangle \) is the principal ideal generated by \(\phi (x)\) in \(\mathbb {R}[x]\). We establish a one-to-one correspondence t between \(\mathbb {R}^{n}\) and \(\mathbb {R}[x]/ \langle \phi (x)\rangle \) by
and write \(t(\overline{f})=f(x)\), or \(t^{-1}(f(x))=\overline{f}\).
Lemma 4
For any \(\overline{f} \in \mathbb {R}^{n}\), the ideal matrix \(H^{*}(\overline{f})\) is given by
Moreover, if \(F(x) \in \mathbb {R}[x]\) and \(F(x)\equiv f(x)(\text {mod}\ \phi (x))\), then \(f(H)=F(H)\).
Proof
Writing \(\overline{f}=f_{0} \overline{e}_{1}+f_{1} \overline{e}_{2}+\cdots +f_{n-1} \overline{e}_{n}\), by Lemma 3, we have
Suppose that \( F(x) \equiv f(x)(\text {mod}\ \phi (x))\), by (24), we have \(f(H)=F(H)\) immediately.
Lemma 5
Let \(\overline{f}\) and \(\overline{g}\) be two vectors in \(\mathbb {R}^{n}\), and f(x), g(x) be the corresponding polynomials, respectively, then we have
Proof
Since t is a bijection, it suffices to show that
Let \(g(x)=g_{0}+g_{1} x+\cdots +g_{n-1} x^{n-1} \in \mathbb {R}[x] /\langle \phi (x)\rangle \), then
It follows that
More generally, we have
Let \(f(x)=f_{0}+f_{1} x+\cdots +f_{n-1} x^{n-1}\), then
The lemma follows immediately.
Lemma 6
For any two vectors \( \overline{f}=\left( \begin{array}{c} f_{0} \\ f_{1} \\ \vdots \\ f_{n-1} \end{array}\right) \in \mathbb {R}^{n},\ \ \overline{g}=\left( \begin{array}{c} g_{0} \\ g_{1} \\ \vdots \\ g_{n-1} \end{array}\right) \in \mathbb {R}^{n}, \) we have the following properties for ideal matrices:
(i) \(H^{*}(\overline{f}) H^{*}(\overline{g})=H^{*}(\overline{g}) H^{*}(\overline{f});\)
(ii) \(H^{*}(\overline{f}) H^{*}(\overline{g})=H^{*}( H^{*}(\overline{f}) \overline{g}) ;\)
(iii) \(H^{*}(\overline{f})=V_{\phi }^{-1} {\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots , f\left( \theta _{n-1}\right) \right\} V_{\phi }\);
(iv) \({\text {det}}\left( H^{*}(\overline{f})\right) =\prod _{i=0}^{n-1} f\left( \theta _{i}\right) \);
(v) If \(\overline{f} \in Q^{n}\), \(\overline{f} \ne 0\), then \(H^{*}(\overline{f})\) is an invertible matrix and
$$\begin{aligned} \left( H^{*}(\overline{f})\right) ^{-1}=H^{*}(\overline{u}), \end{aligned}$$
where \(u(x) \in Q[x]\) is the unique polynomial such that \(u(x) f(x) \equiv 1 (\text {mod}\ \phi (x))\) in Q[x].
Proof
By Lemma 4, we have
To prove (ii), we write \(H^{*}(\overline{f}) \overline{g}=\overline{f} \otimes \overline{g}\), it follows that
By Theorem 3.5 of Davis (1994), we have
It follows that
Since \({\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots ,f\left( \theta _{n-1}\right) \right\} \) is a diagonal matrix, we have
To show the last assertion: since \(\overline{f} \in Q^{n}\), \(\overline{f} \ne 0\), and \(\phi (x)\) is an irreducible polynomial, we have \((f(x), \phi (x))=1\) in Q[x], so there are \(u(x) \in Q[x]\) and \(v(x) \in Q[x]\) such that
By (29) and noting that \(t^{-1}(1)=\overline{e}_{1} \in \mathbb {R}^{n}\), we have \(\overline{u} \otimes \overline{f}=\overline{e}_{1}\). It follows that
This completes the proof of the lemma.
Next, we discuss the algebraic number field \(E=Q(\theta )\) and recall that \(\tau \) is a one-to-one correspondence between E and \(Q^{n}\).
Lemma 7
For any two elements \(\alpha \) and \( \beta \) in E, we have
Proof
Let \(\beta =\beta _{0}+\beta _{1} \theta +\cdots +\beta _{n-1} \theta ^{n-1}\), where \(\beta _{i}\in Q\); it is easily seen that
thus we have \(\tau (\theta \beta )=H \tau (\beta )=H \overline{\beta }\), and
Let \(\alpha =\alpha _{0} + \alpha _{1} \theta +\cdots +\alpha _{n-1} \theta ^{n-1}\), by Lemma 4, we have
and the lemma follows immediately.
Let \(A=\left( a_{i j}\right) _{n \times n}\) be a square matrix; the trace of A is defined by \({\text {Tr}}(A)=\sum _{i=1}^{n} a_{ ii}\) as usual. The main result of this subsection is the following theorem.
Theorem 2
Let \(E=Q(\theta )\) be an algebraic number field of degree n, and \(\phi (x) \in \mathbb {Z}[x]\) be the minimal polynomial of \(\theta \). Then the linear space \(Q^{n}\) is a field under the \(\phi \)-conventional product, and the set \(M_{Q}^{*}\) of all ideal matrices generated by rational vectors is also a field under the ordinary addition and product of matrices. Both of them are isomorphic to E, namely
Moreover, let \(\alpha \in E\), and let \({\text {tr}}(\alpha )\) and \(N(\alpha )\) be the trace and norm of \(\alpha \); then we have
Proof
Let \(\tau : E \rightarrow Q^{n}\) be given by (11); it is clear that
Thus \(Q^{n}\) is a field under the \(\phi \)-conventional product and \(E \cong Q^{n}\). By Lemma 6, we have
thus \(M_{Q}^{*}\) is also a field and \(E \cong Q^{n} \cong M_{Q}^{*}\).
The main difficulty is to prove (34). We observe that \(\theta \) induces a linear transformation of E/Q by \(\alpha \rightarrow \theta \alpha \), and the matrix of this linear transformation with respect to the basis \(\left\{ 1, \theta , \theta ^{2},\cdots , \theta ^{n-1}\right\} \) is just H, namely
By the definition of trace, we have
Let \(\alpha =\alpha _{0}+\alpha _{1} \theta +\cdots +\alpha _{n-1} \theta ^{n-1} \in E\), it follows that
To prove the conclusion on the norm, let \(\alpha ^{(i)}\) (\(0 \le i \le n-1\)) be the n conjugates of \(\alpha \) in the smallest normal extension of Q containing E, where \(\alpha ^{(0)}=\alpha =\alpha _{0}+\alpha _{1} \theta +\cdots + \alpha _{n-1} \theta ^{n-1}\). It is easily seen that
By property (iii) of Lemma 6, we have
This completes the proof of Theorem 2.
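As an added worked example (not part of the chapter), the following Python code builds the rotation matrix H and the ideal matrices \(H^{*}(\overline{f})\) for a constructed cubic field \(Q(\theta )\) with \(\phi (x)=x^{3}-x-1\), and checks properties (i), (ii), (iv) and (v) of Lemma 6 together with the trace and norm identities of Theorem 2 in exact rational arithmetic. The coefficient list PHI, the sample vectors and all function names are this example's own.

```python
from fractions import Fraction

# Constructed example (not from the chapter): theta is a root of phi(x) = x^3 - x - 1, so
# E = Q(theta) has degree 3.  In the chapter's form phi(x) = x^n - phi_{n-1} x^{n-1} - ... - phi_0
# the coefficients are PHI = [phi_0, phi_1, phi_2] = [1, 1, 0].
PHI = [1, 1, 0]
N = len(PHI)


def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def mat_vec(A, v):
    return [sum(A[i][k] * v[k] for k in range(len(v))) for i in range(len(A))]


def trace(M):
    return sum(M[i][i] for i in range(len(M)))


def rotation_matrix():
    """H of Section 2: H e_k = e_{k+1} for k < n and H e_n = (phi_0, ..., phi_{n-1})', i.e. the
    matrix of multiplication by theta on the basis 1, theta, ..., theta^(n-1) (Lemma 7)."""
    H = [[Fraction(0)] * N for _ in range(N)]
    for k in range(N - 1):
        H[k + 1][k] = Fraction(1)
    for i in range(N):
        H[i][N - 1] = Fraction(PHI[i])
    return H


def ideal_matrix(f):
    """H^*(f) = f(H) = sum_i f_i H^i (Definition 1 and Lemma 4)."""
    H, P = rotation_matrix(), identity(N)
    M = [[Fraction(0)] * N for _ in range(N)]
    for fi in f:
        for i in range(N):
            for j in range(N):
                M[i][j] += fi * P[i][j]
        P = mat_mul(P, H)
    return M


def conv_product(f, g):
    """The phi-conventional product f (x) g = H^*(f) g (Definition 2)."""
    return mat_vec(ideal_matrix(f), g)


def det(M):
    """Determinant by exact Gaussian elimination over Q."""
    A, d = [row[:] for row in M], Fraction(1)
    for c in range(len(A)):
        p = next((r for r in range(c, len(A)) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            A[c], A[p], d = A[p], A[c], -d
        d *= A[c][c]
        for r in range(c + 1, len(A)):
            m = A[r][c] / A[c][c]
            A[r] = [x - m * y for x, y in zip(A[r], A[c])]
    return d


def inverse_matrix(M):
    """Inverse by exact Gauss-Jordan elimination over Q; M must be nonsingular."""
    n = len(M)
    A = [list(M[i]) + identity(n)[i] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                m = A[r][c]
                A[r] = [x - m * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def inverse_vector(f):
    """u with u (x) f = e_1, so that H^*(u) = H^*(f)^(-1) (Lemma 6 (v)).  Because
    H^*(u) e_1 = u, the vector u is simply the first column of H^*(f)^(-1)."""
    return [row[0] for row in inverse_matrix(ideal_matrix(f))]


def field_trace_and_norm(f):
    """Tr(alpha) = tr(H^*(f)) and N(alpha) = det(H^*(f)) for alpha = f(theta) (Theorem 2)."""
    M = ideal_matrix(f)
    return trace(M), det(M)


if __name__ == "__main__":
    f, g = [1, 1, 0], [2, 0, 1]        # alpha = 1 + theta,  beta = 2 + theta^2
    print(conv_product(f, g))         # [3, 3, 1]: (1 + theta)(2 + theta^2) = 3 + 3 theta + theta^2
    print(field_trace_and_norm(f))    # (3, 1): 1 + theta is a unit of R
    print(field_trace_and_norm(g))    # (8, 19)
    print(inverse_vector(f))          # [0, -1, 1]: (theta^2 - theta)(1 + theta) = 1
```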
Cyclic lattices in \(\mathbb {R}^{n}\) were introduced by Micciancio (2007) (see also Zheng et al. (2023)); they play an important role in Ajtai's construction of collision resistant hash functions (see Ajtai and Dwork (1997)). As an application, we show that every ideal in an algebraic number field corresponds to a cyclic lattice:
Corollary 1
Let \( A\subset R \) be an ideal and \(A\ne 0\), then \(\tau (A) \subset Q^{n}\) is a cyclic lattice.
Proof
Suppose that \(\alpha \in A\). Since \(\theta \in R\), we have \(\theta \alpha \in A\). By (31), we have
Thus \(\tau (A)\) is a cyclic lattice.
3 High Dimensional RSA
In this section, we give an attainable algorithm for the high dimensional RSA by making use of lattice theory; this algorithm is significant from both the theoretical and the practical point of view. Suppose that the algebraic number field E satisfies the NC-property; then \(R=\mathbb {Z}[\theta ]\) is the ring of algebraic integers of E, and the restriction of the correspondence \(\tau \) gives a ring isomorphism from R to \(\mathbb {Z}^{n}\). Let \(\mathbb {Z}[x]\) be the ring of polynomials with integer coefficients and \((\phi (x))\) be the principal ideal generated by \(\phi (x)\) in \(\mathbb {Z}[x]\); it is easy to see that \(R \cong \mathbb {Z}[x] / (\phi (x))\). Let \(M_{\mathbb {Z}}^{*}\) be the set of ideal matrices generated by integral vectors, i.e.
Then the following four rings are isomorphic to each other
For any polynomial \( \alpha (x)=\alpha _{0}+\alpha _{1}x+\cdots +\alpha _{n-1}x^{n-1} \in \mathbb {Z}[x]/(\phi (x))\), the corresponding algebraic integer is \( \alpha =\alpha _{0}+\alpha _{1}\theta +\cdots +\alpha _{n-1}\theta ^{n-1}\in R\); we write this isomorphism as
A \( \phi \)-ideal lattice means an integer lattice which corresponds to an ideal of \(\mathbb {Z}[x] /(\phi (x))\). It was first introduced by Lyubashevsky and Micciancio (see also Zheng et al. (2023)), and it also plays a key role in Gentry's construction of a fully homomorphic cryptosystem (see Gentry (2009)); Fluckiger and Suarez (2006) extended this definition to totally real number fields.
Lemma 8
Let E be an algebraic number field with the NC-property, and \(R=\mathbb {Z}[\theta ]\) be the ring of algebraic integers of E. Then there is a one-to-one correspondence between the ideals of R and the \(\phi \)-ideal lattices. Moreover, if \(\alpha \in R\), then we have
In general, suppose that \(A \subset R\) is an ideal and \(A \ne 0\), then there exist two elements \(\alpha \) and \(\beta \) in A such that
Proof
Since there is a one-to-one correspondence between the \(\phi \)-ideal lattices and the ideals of \(\mathbb {Z}[x] /(\phi (x))\) (see Corollary of Zheng et al. (2023)), by (36) the first assertion follows immediately. Let \(\alpha \in R\); then \(\alpha R=\{\alpha x \mid x \in R\}\), and by Lemma 7 we have
It follows that
To prove (39), recall that any ideal of R is generated by at most two elements (see Corollary 5 of page 11 of Narkiewicz (2004)), namely \(A=\alpha R+\beta R\); then we have
To introduce an attainable algorithm for high dimensional RSA, we require some basic results from lattice theory. Let \(L=L(B)\subset \mathbb {R}^{n}\) be a full-rank lattice; the determinant of L is defined by
Suppose that the generator matrix is \(B=\left[ \overline{b}_{1}, \overline{b}_{2}, \cdots , \overline{b}_{n}\right] \), where the \(\overline{b}_{i} \in \mathbb {R}^{n}\) are the column vectors of B. Since \(\left\{ \overline{b}_{1}, \overline{b}_{2}, \cdots , \overline{{b}}_{n}\right\} \) is a basis for \(\mathbb {R}^{n}\), let \(B^{*}=\left\{ \overline{b}_{1}^{*}, \overline{b}_{2}^{*}, \cdots , \overline{b}_{n}^{*}\right\} \) be the corresponding orthogonal basis, where \(\overline{b}_{1}^{*}=\overline{b}_{1}\) and \(\overline{b}_{i}^{*} \) is obtained by the Gram-Schmidt orthogonalization process in order.
A basis B is said to be in Hermite Normal Form (HNF) if it is upper triangular, all elements on the diagonal are strictly positive, and every other element \(b_{i j}\) satisfies \(0 \le b_{i j}<b_{i i}\). It is easy to see that every integer lattice \(L=L(B)\) has a unique basis in Hermite Normal Form, denoted by \({\text {HNF}}(L)\) (see Theorem 2.4.3 of Cohen (1993)). Moreover, given any basis B of the lattice L, \( {\text {HNF}}(L)\) can be efficiently computed from B (see Cohen (1993), Micciancio (2001)).
Proposition 1
Let \(L=L(B)\), where \(B=(b_{ij})_{n\times n}\) is the basis in HNF. Then the corresponding orthogonal basis \(B^{*}\) is a diagonal matrix, namely
Moreover, we have
Proof
See Micciancio (2001).
Definition 3
Let \(L=L(B)\subset \mathbb {R}^{n}\) be a full-rank lattice, and \(B^{*}=\left[ \overline{b}_{1}^{*}, \overline{b}_{2}^{*}, \cdots , \overline{b}_{n}^{*}\right] \) be the corresponding orthogonal basis; the orthogonal parallelepiped \(F\left( B^{*}\right) \) is defined by
Proposition 2
Let \(L=L(B)\subset \mathbb {Z}^{n}\) be an integer lattice, \(B= {\text {HNF}}(L)\) be its basis in \({\text {HNF}}\), \(B^{*}= {\text {diag}}\left\{ b_{11}, b_{22}, \cdots , b_{nn}\right\} \) be the corresponding orthogonal basis, and \(F\left( B^{*}\right) \) be the orthogonal parallelepiped given by (43). Then S is a set of coset representatives for the quotient group \(\mathbb {Z}^{n} / L\), where
Proof
See Sect. 4.1 of Micciancio (2001).
Now, we return to the algebraic number field \(E=Q(\theta )\) (with the NC-property). Let \(\alpha ,\beta \in R\) be two algebraic integers; by Lemma 8, the principal ideal \(\alpha R\) corresponds to the minimal \( \phi \)-ideal lattice \(L ( H^{*}(\overline{\alpha }))\). Thus \(A=(\alpha R)(\beta R)=\alpha \beta R\) corresponds to \(L\left( H^{*}( \overline{\alpha }\otimes \overline{\beta })\right) \).
Definition 4
For given \(\alpha , \beta \in R\), \( \tau (\alpha )=\overline{\alpha }\), and \(\tau (\beta )=\overline{\beta }\), we denote the lattice \(L_{\alpha , \beta }\) by
The \({\text {HNF}}\) basis of \(L_{\alpha , \beta }\) is denoted by \(B_{ \alpha , \beta }\) and the corresponding orthogonal basis is denoted by
where \(b_{i} \in \mathbb {Z}\) and \(b_{i} \ge 1\). The parallelepiped is given by
Lemma 9
Let \(\alpha \in R, \beta \in R\), and \(A=\alpha \beta R\). Then \(S_{\alpha , \beta } \) given by (46) corresponds to a set of coset representatives of the factor ring R/A in the algebraic number field E with the NC-property.
Proof
By Proposition 1, it is easy to see that
By Theorem 2 and (12), we have
It follows that \(N(A)=\left| S_{\alpha , \beta }\right| \). Since E satisfies the NC-property, if \(\alpha \in R\) then \(\overline{\alpha }=\tau (\alpha ) \in \mathbb {Z}^{n}\); hence \(\alpha \equiv \beta \ (\text {mod}\ \ A)\) in R if and only if
The lemma follows from Proposition 2 immediately.
The main result of this subsection is the following theorem.
Theorem 3
Let E be an algebraic number field of degree n with the NC-property, \(\alpha \in R, \beta \in R\) be two distinct prime elements, \(A=\alpha \beta R\), and \(L_{\alpha , \beta }\) be the lattice given by (44). Then for any \(\overline{a} \in \mathbb {Z}^{n}\) and \(k \in \mathbb {Z}, k \ge 0\), we have
where
Proof
Since E satisfies the NC-property and \(\overline{a} \in \mathbb {Z}^{n}\), we have \(a=\tau ^{-1}(\overline{a}) \in R\). By Theorem 1, we have
It is easy to see that
By Lemma 8, we have
Therefore, (47) follows immediately.
According to the above theorem, we may describe an attainable algorithm for high dimensional RSA as follows (Table 3).
Remark 2
If the class number \(h_{E}=1\), in other words, if R is a UFD, then the prime elements coincide with the irreducible elements of R, and one can find prime elements \(\alpha \) from irreducible \(\alpha (x) \in \mathbb {Z}[x]/(\phi (x))\).
4 Security and Example
The classical RSA public key cryptosystem is nowadays used in a wide variety of applications ranging from web browsers to smart cards. Since its initial publication in 1978, many researchers have tried to look for vulnerabilities in the system. Some clever attacks have been found (see Boneh (2002), Coppersmith (2001)). However, none of the known attacks is devastating, and the ordinary RSA system is still considered secure.
The security of high dimensional RSA depends essentially on factoring an element of the ring of algebraic integers R into a product of distinct prime elements. Factoring in R is much more complicated than factoring a positive integer, and no efficient method is known to date; thus we consider the high dimensional RSA almost absolutely secure.
To see the size of the private keys: since \({\text {det}}\left( H^{*}(\overline{\alpha })\right) =N(\alpha )\), it may be extremely large; for example, if \(\alpha =p \in \mathbb {Z}\) and \( \beta =q \in \mathbb {Z}\) are prime numbers, then
and
which is much larger than pq, the latter being the size of the public key of the classical RSA cryptosystem.
Lattice-based cryptography has been intensively studied for the past two decades. The GGH cryptosystem proposed by Goldreich et al. (1997) is perhaps the most intuitive encryption scheme based on lattices. The public key is a “bad” basis for a lattice, and Micciancio (2001) proposed to use the Hermite Normal Form B = HNF(L) as the public basis. The private key of GGH is an exceptionally good basis for L. The security of GGH relies on the assumption that it is difficult to find such a special basis for L from a known basis of L. In this sense, we regard the high dimensional RSA as at least as secure as the GGH/HNF cryptosystem.
Another number theoretic cryptosystem based on lattices is NTRUEncrypt. The public key cryptosystem NTRU, proposed in 1996 by Hoffstein et al. (1998), is the fastest known lattice-based encryption scheme; although its description relies on arithmetic over the polynomial quotient ring \(Z[x]/\langle x^{n}-1\rangle \), it was easily observed that it could be expressed as a lattice-based cryptosystem. NTRU uses a q-ary convolutional modular lattice (see Micciancio and Regev (2009), Zheng (2022)); its public key is also the HNF basis of L, and the private key is a special basis of L containing two secret polynomials f(x) and g(x). Obviously, our Algorithm I is at least as hard as solving NTRUEncrypt.
Unfortunately, neither GGH nor NTRU is supported by a proof of security showing that breaking the cryptosystem is at least as hard as solving some underlying lattice problem; they are primarily practical proposals aimed at offering a concrete alternative to RSA or other number theoretic cryptosystems (see page 166 of Micciancio and Regev (2009)). However, the significance of this chapter is to show that the real alternative to RSA is the high dimensional RSA we present here rather than GGH and NTRU.
Example 1
Finally, we give an example to see how the high dimensional RSA works in a quadratic field. Let \(E=Q(\sqrt{d})\), where \(d \in \mathbb {Z}\) is a square-free integer with \(d\equiv 2\) or \(3 \ (\textrm{mod} \ 4)\); then E satisfies the NC-property. Let \(\delta _{E}\) be the discriminant of E; it is known that \(\delta _{E}=4 d\) (see Proposition 13.1.2 of Ireland and Rosen (1990)). Let \(p \in \mathbb {Z}\) be an odd prime satisfying the following condition:
By Proposition 13.1.3 of Ireland and Rosen (1990), we know that p is a prime element in E.
According to Algorithm \(\textrm{I}\), we select two large primes p and q satisfying (49). Let \(\alpha =p\) and \(\beta =q\); then
It follows that
and
It is easy to see that
In this special case, the two-dimensional RSA may be described as follows (Table 4).
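As an added example (not the chapter's Algorithm I or Table 4), the following Python code runs the high dimensional RSA of Theorem 3 in the quadratic field of Example 1 with the constructed choice \(d=-1\), i.e. \(R=\mathbb {Z}[i]\) and \(\phi (x)=x^{2}+1\). It goes beyond the rational primes p, q of Example 1 by taking the prime element \(\beta =1+2i\), so that the HNF basis of \(L_{\alpha ,\beta }\) is not diagonal and the coset representatives of Proposition 2 and Lemma 9 are obtained by reduction against the full HNF basis. The key layout (public key (HNF basis, e), private key \((\alpha ,\beta ,d)\)), the sample message and all function names are assumptions of this example.

```python
from math import gcd, prod

# Constructed instance (not from the chapter): E = Q(sqrt(d)) with d = -1, so d ≡ 3 (mod 4),
# R = Z[i] = Z[theta] and the NC-property holds.  phi(x) = x^2 - d is written in the chapter's
# form x^n - phi_{n-1} x^{n-1} - ... - phi_0, so PHI = [phi_0, phi_1] = [d, 0].
D = -1
PHI = [D, 0]
N = len(PHI)


def poly_mul_mod_phi(f, g):
    """f (x) g: multiply the polynomials t(f) and t(g) and reduce modulo phi(x) (Lemma 5)."""
    prod_ = [0] * (2 * N - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod_[i + j] += fi * gj
    for k in range(2 * N - 2, N - 1, -1):       # x^k = x^(k-n) (phi_0 + ... + phi_{n-1} x^(n-1))
        c, prod_[k] = prod_[k], 0
        for i in range(N):
            prod_[k - N + i] += c * PHI[i]
    return prod_[:N]


def ideal_matrix(f):
    """H^*(f) as an integer matrix: column k is f (x) e_{k+1}, i.e. f(x) x^k mod phi(x)."""
    cols = [poly_mul_mod_phi(f, [int(i == k) for i in range(N)]) for k in range(N)]
    return [[cols[k][r] for k in range(N)] for r in range(N)]


def hnf(B):
    """Hermite Normal Form with the basis vectors as columns: upper triangular, positive
    diagonal, 0 <= b_ij < b_ii.  Euclid on the columns, one row at a time from the bottom."""
    n = len(B)
    A = [row[:] for row in B]
    for i in range(n - 1, -1, -1):
        for j in range(i):                        # clear row i in columns 0 .. i-1
            while A[i][j] != 0:
                q = A[i][i] // A[i][j]
                for r in range(n):                # column_i -= q * column_j, then swap them
                    A[r][i] -= q * A[r][j]
                    A[r][i], A[r][j] = A[r][j], A[r][i]
        if A[i][i] < 0:
            for r in range(n):
                A[r][i] = -A[r][i]
        for j in range(i + 1, n):                 # reduce the entries right of the diagonal
            q = A[i][j] // A[i][i]
            for r in range(n):
                A[r][j] -= q * A[r][i]
    return A


def reduce_mod_lattice(v, B):
    """The representative of v + L(B) in S = {x : 0 <= x_i < b_ii} (Proposition 2), B in HNF."""
    v = list(v)
    for i in range(len(B) - 1, -1, -1):
        k = v[i] // B[i][i]
        for r in range(len(B)):
            v[r] -= k * B[r][i]
    return v


def norm(f):
    """N(alpha) = det H^*(alpha) (Theorem 2), read off the diagonal of the HNF basis."""
    return prod(row[i] for i, row in enumerate(hnf(ideal_matrix(f))))


def pow_mod_lattice(a, k, B):
    """a^k in R/A by square-and-multiply, reducing modulo the ideal lattice L(B) at each step."""
    result = [1] + [0] * (N - 1)                  # e_1 = 1 is the identity of the ring
    base = reduce_mod_lattice(a, B)
    while k:
        if k & 1:
            result = reduce_mod_lattice(poly_mul_mod_phi(result, base), B)
        base = reduce_mod_lattice(poly_mul_mod_phi(base, base), B)
        k >>= 1
    return result


def keygen(alpha, beta, e):
    """Public key (B, e): B = HNF basis of L_{alpha,beta} = L(H^*(alpha (x) beta)).
    Private key (alpha, beta, d) with e d ≡ 1 mod (N(alpha)-1)(N(beta)-1), the period of Theorem 3."""
    B = hnf(ideal_matrix(poly_mul_mod_phi(alpha, beta)))
    period = (norm(alpha) - 1) * (norm(beta) - 1)
    if gcd(e, period) != 1:
        raise ValueError("e must be coprime to (N(alpha)-1)(N(beta)-1)")
    return (B, e), (alpha, beta, pow(e, -1, period))


def encrypt(a, public):
    B, e = public
    return pow_mod_lattice(a, e, B)


def decrypt(c, public, private):
    B, _ = public
    return pow_mod_lattice(c, private[2], B)


if __name__ == "__main__":
    # alpha = 3 (inert in Z[i], N = 9) and beta = 1 + 2i (N = 5) are distinct prime elements.
    public, private = keygen([3, 0], [1, 2], e=3)
    print(public[0])                         # HNF basis [[15, 9], [0, 3]]: |S| = 45 = N(3) N(1+2i)
    c = encrypt([7, 2], public)              # message 7 + 2i
    print(c, decrypt(c, public, private))    # [4, 1] and [7, 2]
```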
We can deal similarly with the case of cyclotomic fields. Let \(n=\varphi (m)\) for some positive integer m, \(\xi _{m}=e^{2\pi i /m},\) \(E=Q(\xi _{m})\), and \(R \subset E\) be the ring of algebraic integers of E. Suppose that \(p\in \mathbb {Z}\) is a rational prime number; then p is a prime element of R if and only if (see Theorem 2 of page 196 of Ireland and Rosen (1990))
Suppose that \(p \in \mathbb {Z}\) and \(q\in \mathbb {Z}\) are two distinct prime numbers satisfying (53); then we obtain the lattice \(L(H^{*}(\overline{p} \otimes \overline{q} ))\) and an attainable algorithm in \(Q(\xi _{m}). \)
References
Ajtai, M., & Dwork, C. (1997). A public-key cryptosystem with worst-case/average-case equivalence. In 29th ACM Symposium on Theory of Computing (pp. 284–293).
Boneh, D. (2002). Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 46(2), 203–213.
Coppersmith, D. (2001). Finding small solutions to small degree polynomials. Lecture Notes in Computer Science, 2146, 20–31.
Cohen, H. (1993). A course in computational algebraic number theory. In Graduate texts in mathematics. Springer.
Davis, P. J. (1994). Circulant matrices (2nd ed.). New York: Chelsea Publishing.
Fluckiger, E. B., & Suarez, I. (2006). Ideal lattices over totally real number fields and Euclidean minima. Archiv Der Mathematik, 86(3), 217–225.
Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In STOC (pp. 169–178).
Goldreich, O., Goldwasser, S., & Halevi, S. (1997). Public-key cryptosystems from lattice reduction problems. In Advances in Cryptology, Lecture Notes in Computer Science (Vol. 1294, pp. 112–131).
Hoffstein, J., Pipher, J., & Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In Proceedings of ANTS-III, LNCS (Vol. 1423, pp. 267–288).
Ireland, K., & Rosen, M. (1990). A classical introduction to modern number theory. Springer.
Lyubashevsky, V., & Micciancio, D. (2006). Generalized compact knapsacks are collision resistant. In 33rd International Conference on Automata, Languages and Programming (Vol. 2, pp. 144–155). Springer.
Manin, Y. I., & Panchishkin, A. A. (2005). Introduction to modern number theory: Fundamental problems ideas and theories. Springer.
Micciancio, D., & Regev, O. (2009). Lattice-based cryptography. In Post-Quantum Cryptography (pp. 147–191). Springer.
Micciancio, D. (2007). Generalized compact knapsacks, cyclic lattices, and efficient one way functions. Computational Complexity, 16(4), 365–411.
Micciancio, D. (2001). Improving lattice based cryptosystems using the Hermite normal form. In CaLC (pp. 126–145). Springer.
Narkiewicz, W. (2004). Elementary and analytic theory of algebraic numbers. Springer.
Peikert, C. (2014). A decade of lattice cryptography. Foundations and Trends in Theoretical Computer Science, 10(4), 2–3.
Pradhan, P. K., Rakshit, S., & Datta, S. Lattice based cryptography. In Proceedings of the Third International Conference on Computing Methodologies and Communication (ICCMC).
Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21, 120–126.
Takagi, T., & Naito, S. (2015). Construction of RSA cryptosystem over the algebraic field using ideal theory and investigation of its security. Electronics and Communications in Japan (Part III Fundamental Electronic Science), 83(8), 19–29.
Uematsu, Y., et al. (1985). On the extension of RSA cryptosystem. Tech Rep, 1985, 85–89.
Uematsu, Y., et al. (1986). A note on extension of RSA cryptosystem and consideration of amount of computation. In Encryption and Information Security Work Shop (pp. 27–29).
Washington, L. C. (1982). Introduction to cyclotomic fields. Graduate Texts in Mathematics (Vol. 83). Springer.
Zheng, Z. Y., Liu, F. X., Lu, Y. F., & Tian, K. Cyclic lattices, ideal lattices and bounds for the smoothing parameter. TechRxiv. https://doi.org/10.36227/techrxiv.17626391.v1
Zheng, Z. Y., Liu, F. X., Xu, J., Huang, W. L., & Tian, K. A generalization of NTRUEncrypt. arXiv:2112.14115 [cs.IT].
Zheng, Z. Y. (2022). Modern cryptography, Volume 1: A classical introduction to informational and mathematical principle. Springer.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
Zhiyong, Z., Fengxia, L., Man, C. (2023). On the High Dimensional RSA Algorithm—A Public Key Cryptosystem Based on Lattice and Algebraic Number Theory. In: Zheng, Z. (eds) Proceedings of the Second International Forum on Financial Mathematics and Financial Technology. IFFMFT 2021. Financial Mathematics and Fintech. Springer, Singapore. https://doi.org/10.1007/978-981-99-2366-3_9
DOI: https://doi.org/10.1007/978-981-99-2366-3_9
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-2365-6
Online ISBN: 978-981-99-2366-3