1 Introduction

In 1975 Diffie–Hellman proposed the public key cryptosystem [1]. It is a key exchange algorithm that is used to share public and private keys for ciphering and deciphering of messages in a secure way. To our best knowledge all cryptosystems are based on the difficulty of three problems namely the problem of factoring large integers, problem of computing nth residue classes and problem of computing discrete logarithms. Cryptosystems that are based on factoring large integers are the RSA cryptosystem that was described by Rivest–Shamir–Adleman [2] and probabilistic ciphering system that was described by Goldwasser and Micali [3]. Cryptosystems that are based on the difficulty of computing the nth residue classes are Paillier ciphering scheme described in [4], BGN described in [5] by Boneh–Goh–Nissim and Okamoto–Uchiyama in [6] which resembled the Paillier ciphering scheme. Taher ElGamal described a public cryptosystem and signature scheme based on the difficulty of computing discrete logarithms in [7]. Athena et al. introduced elliptic curve cryptography (ECC) uses the properties of elliptic curves to generate keys in [8]. In [9] Freeman used prime-order elliptic curve groups to construct secure pairing-based cryptosystem. In [10], Bahadori et al. proposed a method to speed up a secure generation of RSA public and private key values that are equipped on smart cards. In [11], Blackburn et al. involved the certification authority to generate RSA-keys. The certification authority (CA) does not now about the user’s private key. In [12], Sharma et al. presented a modified version of subset-sum problem over RSA algorithm called RSA algorithm using modified subset sum cryptosystem that relies on the fact that given a set of integers, does the sum of some non-empty subset equal exactly zero. However, this method still relies on RSA cryptography which makes it computationally too slow. Moreover, it is useless for authentication by cryptographic signing of documents. In [13], Ge et al. presented an efficient authentication method for secure key exchange among set of devices that have a single trusted administrator. In [14], Nagar et al. proposed a new method to exchange the values of the RSA-key offline generations between gateways. All generated key values are saved in tables within a database. Each key value includes the public and private key values. In [15], Patidar et al. proposed a modified form of RSA algorithm to speed up the implementation of RSA algorithm during data exchange across the network. The authors introduced a third prime number to produce modulus \(n\) that is not easily decomposed by intruders. In [16], Ashutosh Kumar Dubey et al. proposed a novel cloud-user security method which is based on RSA cryptography and MD5 for resource attestation and sharing in java environment. In [17], Wuling Ren et al. proposed a hybrid-ciphering algorithm based on the integration between DES and RSA to enhance the security of data transmission in Bluetooth communication. In this approach, DES algorithm is used for data transmission because of its higher efficiency in block ciphering, and RSA algorithm is used for the ciphering of the key of the DES because of its management advantages in key cipher. In [18], Arazi integrated the Diffie–Hellman key exchange into digital signature algorithm (DSA) by replacing a message in digital signature algorithm (DSA) with exchange key in the Diffie–Hellman to achieve mutual authentication of exchanged keys. In [19], Harn et al. proposed an enhanced integration of the Diffie–Helman and DSA for key exchange by providing three round protocols. In [20], Bernstein, released a key exchange protocol referred to as, Curve25519 that is an elliptic curve Diffie–Hellman key exchange protocol to establish a shared secret. More details on Curve25519 found in [21]. In [22, 23] a high-performance elliptic curve referred to as FourQ was introduced by Costello, C. and Longa, P. FourQ is 128-bit security level. In [24], Alvarez et al. showed that standard Diffie–Hellman is little slower than the elliptic curve variants in key pair generation and much slower than elliptic curve invariants in secure key exchange. In [25], Kumar et al. proposed an enhanced Diffie–Hellman algorithm for reliable key exchange by employing the concept of primitive roots. In this algorithm, the sender and receiver to obtain a shared-secret key use conventional Diffie–Hellman algorithm. Then the sender and receiver find the primitive root of their shared-secret key. The Diffie–Hellman algorithm is used again to get a second secret key. Finally, the sender and receiver multiply their second shared-secret key with their own random number and exchange it for getting a new-shared secret key for every message and even for the same message. This enhanced Diffie–Hellman algorithm still relies on the conventional Diffie–Hellman algorithm for two rounds and use exponentiation computation in employing the primitive roots which make this algorithm computationally too slow. All the previous public key cryptosystems based on the standard Diffie–Hellman key exchange algorithm that based on the difficulty of discrete logarithmic problem. All ciphering schemes based on discrete logarithms require exponentiation operations for ciphering and deciphering which is computationally time consuming. The modified subset sum cryptosystem relies on RSA cryptography that requires the generation of two large prime numbers \(p\) and \(q\) which is the most difficult process in the RSA algorithm. All methods rely on RSA cryptography are computationally slow. Moreover, the modified subset sum cryptosystem does not allow for secure key exchange between two ends of a conversation. The proposed key exchange algorithm allows for secure exchange of shared secret key that does not require exponential time computation because no exponentiation operations are used. RSA cryptosystems based on elliptic curves are difficult to implement and computationally too slow. The elliptic curve Diffie–Hellman (ECDH) key exchange algorithm allow for two parties to exchange a shared secret key but it is also based on Diffie–Hellman algorithm in integration with elliptic curve cryptography which makes this cryptosystem computationally too slow. Compared to all above cryptosystems, the proposed public key cryptosystem and signature scheme do not depend on exponentiation computation that makes them simpler, computationally faster and provides a higher security level.

This paper introduces a new public key cryptosystem that based on a proposed secure key exchange algorithm and signature scheme that both rely on the difficulty of computing the nth partial sum of an infinite numerical series over a finite field. In case the infinite numerical series, the first term in this series \(a\) and large number of terms \(k\) are all kept secret i.e. unknown, it believes that for an attacker to compute the nth partial sum of an infinite numerical series is computationally intractable. The real contribution of this paper is a new algorithm for a secure key exchange other than the standard Diffie–Hellman algorithm or the enhanced Diffie–Hellman algorithm which both rely on exponentiation computation which makes them computationally too slow. The proposed key exchange algorithm depends on the difficulty of calculating the nth partial sum of infinite numerical series without using exponentiation computation. This makes the proposed algorithm simple, computationally faster, easy to implement and can be used for online ciphering and deciphering of messages and online signing documents. The proposed signature verification scheme can be used as a cryptographic hash function as the hash value significantly changes if there is any change in the document.

This paper organized as follows: Sect. 2 explains infinite numerical series over a finite field and a way to find the nth partial sum. Section 3 shows how to implement the proposed key exchange algorithm based on the difficulty of computing the nth partial sum of an infinite numerical series then shows how the proposed key exchange algorithm used in ciphering and deciphering of messages. Section 4 introduces a proof of the secure key exchange algorithm. Section 5 introduces a new digital signature scheme based on infinite numerical series over a finite field. Section 6 introduces a security analysis of the new digital signature scheme. Section 7 gives some properties of the proposed public key cryptosystem and the signature scheme. Section 8 dedicated for the implementation and experimental results. Section 9 contains conclusion.

2 Sum of series

Definition 1

Suppose we have an infinite sequence of numbers:

$$u_{1} ,u_{2} ,u_{3} , \ldots ,u_{n} , \ldots$$

The expression

$$u_{1} + u_{2} + u_{3} + \cdots + u_{n} + \cdots$$
(1)

is called a numerical series, the numbers \(u_{1} ,u_{2} ,u_{3} , \ldots ,u_{n} , \ldots\) are called the terms of the series [26].

Definition 2

The sum of a finite number of terms (the first \(n\) terms) of a series called the nth partial sum of the series such that [26]:

$$s_{n} = u_{1} + u_{2} + u_{3} + \cdots + u_{n}$$
(2)

If there exists a finite limit:

$$s = \mathop {\lim }\limits_{n \to \infty } s_{n}$$
(3)

Then \(s\) called the sum the series in Eq. (1) and we say that the series converges.

If the \(\mathop {\lim }\limits_{n \to \infty } s_{n}\) does not exist i.e. \(s_{n} \to \infty\) as \(n \to \infty\) then the series has no sum and we say this series diverges.

3 Proposed public key system

Suppose that sender \(A\) and receiver \(B\) wants to share a secret key using two different infinite numerical series \(t_{1}\) and \(t_{2}\). Let \(A\) use series \(t_{1}\), \(B\) use series \(t_{2}\) and \(p\) is a large prime number that chosen by A. The two infinite numerical series \(t_{1}\) and \(t_{2}\) can randomly be chosen from a pool of infinite numerical series, the first term \(a\) and large number of terms \(k\) for each series are randomly chosen using true random number generator so that the last term \(k\) in each series is much greater than the first term \(a\) i.e. \(k \gg a\). Assume that user \(A\) randomly chose the first term \(a\) and large number of terms \(k\) in numerical series \(t_{1}\). In addition, user \(B\) randomly chose the first term \(b\) and large number of terms \(r\) in numerical series \(t_{2}\). Assume \(S_{A}\) is the kth partial sum of \(k\) terms in \(t_{1}\) and \(S_{B}\) is the rth partial sum of \(r\) terms in \(t_{2}\). Both users \(A\) and \(B\) can securely share a secret key as follows:

3.1 Key exchange algorithm

  • Select a very large prime number \(p\).

  • Private keys

    • \(S_{A}\): computed by user \(A\).

    • \(S_{B}\): computed by user \(B.\)

  • Public keys

    • Let \(A\) computes \(y_{A}\) such that:

      $$y_{A} = S_{A } \,mod\,p$$
      (4)

    • \(A\) sends \((y_{A} ,p)\) to \(B\).

    • Let \(B\) computes \(y_{B}\) as follows:

      $$y_{B} = S_{B} \,mod\,p$$
      (5)

    • \(B\) sends \(y_{B}\) to \(A\).

    • \(A\) and B compute \(y_{AB}\) as follows:

      $$y_{AB} = y_{A} \cdot y_{B}$$
      (6)

  • Shared key

    • \(A\) computes \(S_{AB}\) as follows:

      $$S_{AB} = ((y_{AB} \cdot y_{\varvec{B}} ) \cdot S_{A} )\,mod\,p$$
      (7)

    • \(B\) computes \(S_{AB}\) as follows:

      $$S_{AB} = ((y_{AB} \cdot y_{\varvec{A}} ) \cdot S_{B} )\,mod\,p$$
      (8)

Note that:

$$((y_{AB} \cdot y_{\varvec{B}} ) \cdot S_{A} ) \,mod\,p = ((y_{AB} \cdot y_{\varvec{A}} ) \cdot S_{B} )\,mod\,p$$
(9)

For an attacker it is difficult to compute the shared key \(S_{AB}\) as it is equivalent to computing the kth partial sum and rth partial sum of two different infinite numerical series \(t_{1}\) and \(t_{2}\) over two different finite fields without knowing the first term and the number of terms in each numerical series.

3.2 Ciphering

Suppose user \(B\) wants to encipher message \(m\) and sends it to user \(A\). The ciphering algorithm works as follows:

  • \(B\) computes the ciphered message \(m^{{\prime }}\) using the shared secret key \(S_{AB}\):

    $$m^{{\prime }} = m \cdot S_{AB}$$
    (10)

  • \(B\) sends \(m^{{\prime }}\) to \(A\).

Note that new \(S_{A}\), \(S_{B}\) and \(S_{AB}\) are generated for every message to improve security. So \(S_{A}\), \(S_{B}\) and \(S_{AB}\) are called ephemeral keys.

3.3 Deciphering

The deciphering algorithm works as follows:

  • \(A\) receives \(m^{{\prime }}\).

  • \(A\) uses the shared secret key \(S_{AB}\).

  • \(A\) recovers \(m\) by dividing \(m^{{\prime }}\) by \(S_{AB}\):

    $$m = \frac{{m^{{\prime }} }}{{S_{AB} }} = \frac{{m \cdot S_{AB} }}{{S_{AB} }}$$
    (11)

4 Proof of secure key exchange algorithm

The proposed key exchange algorithm is based on the difficulty of calculating the nth partial sum of an infinite numerical series problem. Calculating the nth partial sum is based on the subset sum problem that is NP-complete [27]. The subset sum problem is the following: given a set of \(n\) positive integers \(\left\{ {a_{1} ,a_{2} , \ldots ,a_{n} } \right\}\)  and a positive integer \(S\), determine whether there is a subset of \(a_{i}\) that sum to \(S\). The subset sum problem is a decision problem in the complexity theory that states that NP-complete problems are the hardest problems in NP in the sense that they are at least as difficult as every other problem in NP [27]. The problem of calculating the subset sum problem can be reduced to the nth partial sum of an infinite numerical series problem in polynomial time i.e. the subset sum problemP nth partial sum problem. The following algorithm reduces the subset sum problem to nth partial sum problem in polynomial time as follows:

  • Step 1 Let \(m\) be the number of terms in numerical series \(t\) such that \(m < n\), where \(n\) is the number of positive integers in the subset sum problem.

  • Step 2 Select \(z\) terms from the set of positive integers \(\left\{ {a_{1} ,a_{2} , \ldots ,a_{n} } \right\}\)  of the subset sum problem such that \(z \gg m\).

  • Step 3 Sort all the \(z\) terms in an ascending order.

  • Step 4 Repeat for each (\(z_{i} ,z_{i + 1}\)) in the sorted list of z terms:

    $${\text{If}}\;(z_{i} = z_{i + 1} )\,{\text{remove}}\,z_{i + 1} \;{\text{from}}\,{\text{the}}\,{\text{list}} .$$

  • Step 5 Choose the first \(m\) terms form the list obtained from step 4 as the terms of the numerical sequence \(t\).

The time complexity of step 1 is \({\text{O}}(1)\), the time complexity of step 2 is \({\text{O(z)}}\), the time complexity of sorting in step 3 is \({\text{O}}\left( {z^{2} } \right),\) the time complexity of step 4 is \({\text{O(z)}}\) while the time complexity of step 5 is \({\text{O}}({\text{m}})\). \({\text{Therefore}},\) the time complexity of the reduction algorithm is:

$$\begin{aligned} & {\text{O(1) + O}}(z) + {\text{O}}(z^{2} ) + {\text{O}}(z) + {\text{O}}(m) \\ & \quad = {\text{O}}(z^{2} ) + 2 {\text{O}}(z) + {\text{O}}(1) + {\text{O}}(m) \\ \end{aligned}$$
(12)

Since \({\text{m}}\) ≪ z therefore \({\text{O(m)}} \ll {\text{O(z)}}\) and since \({\text{O}}(z^{2} )\) is the highest order in Eq. (12), therefore \({\text{O}}(z^{2} )\) is dominating the time complexity of the reduction algorithm. This means that the reduction algorithm required to reduce the subset sum problem to the nth partial sum problem is a polynomial time algorithm. Since the subset sum problem is NP-complete therefore calculating the nth partial sum of an infinite numerical series \(t\) is also NP-complete problem.

For an attacker to compute the private key \(S_{A}\) for user \(A\) or the private key \(S_{B}\) for user \(B\) who are involved in a conversation is equivalent to the problem of calculating the nth partial sum of an infinite numerical series without knowing what numerical series is used by each user, the first term and number of terms in each numerical series which is proved to be NP-complete. This proves the security of the proposed key exchange algorithm, proves the security of the proposed cryptosystem and proves the security of the proposed signature scheme.

Lemma

Let \(S\) be the nth partial sum of an infinite numerical series \(t\). Since the problem of computing \(S\) is NP-complete then multiplying \(S\) by a constant \(C\) is also NP-complete.

Proof

Let \(t = a_{1} + a_{2} + \cdots + a_{n} + \cdots\) is an infinite numerical series over a finite field. Let \(S\) be the nth partial sum of \(t\) as follows:

$$S = \mathop \sum \limits_{{i = a_{1} }}^{{a_{n} }} a_{i}$$
(13)

Multiply \(S\) by a constant \(C\) to get \(S_{C}\):

$$S_{C} = C \cdot S$$
(14)

Therefore:

$$\begin{aligned} S_{C} = & C \cdot \mathop \sum \limits_{{i = a_{1} }}^{{a_{n} }} a_{i} \\ = & \mathop \sum \limits_{{i = a_{1} }}^{{a_{n} }} Ca_{i} \\ \end{aligned}$$
(15)

Substitute \(d_{i} = Ca_{i}\), \(\forall i = 1, \ldots ,n\)

Therefore:

$$S_{C} = \mathop \sum \limits_{{i = a_{1} }}^{{a_{n} }} d_{i}$$
(16)

which still nth partial sum of the infinite numerical series \(t\) that is NP-complete. Therefore \(S_{C}\) is also NP-complete problem.

5 Proposed digital signature scheme

A new signature scheme is described where the private key \(y_{r}\) depends on the sequence \((t_{1} , a, r)\) such that \(t_{1}\) is an infinite numerical series over a finite field, \(a\) is the first term in \(t_{1}\) and \(r\) is a large number of terms. The public key \(y_{k}\) depends on a different sequence \((t_{2} , b, k)\) such that \(t_{2}\) is a different infinite numerical series over a different finite field, \(b\) is the first term in \(t_{2}\) and \(k\) is a large number of terms. Assume \(m\) is a document to be signed by user \(A\) such that:

$$0 \le m \le p - 1\,{\text{where}}\,p\,{\text{is}}\,{\text{a}}\,{\text{very}}\,{\text{large}}\,{\text{prime}}\,{\text{number}} .$$

  • \(A\) generates the private key \(y_{r}\) as follows:

    $$y_{r} = S_{r} \,mod\,p$$
    (17)

    where \(S_{r}\) is the rth partial sum of numerical series \(t_{1}\).

  • \(A\) generates the public key \(y_{k}\) as follows:

    $$y_{k} = S_{k} \,mod\,p$$
    (18)

    where \(S_{k}\) is the kth partial sum of numerical series \(t_{2}\).

5.1 The signing procedure

  • \(A\) signs document \(m\) with the private key \(y_{r}\):

    $$m_{r} = m \cdot y_{r}$$
    (19)

  • \(A\) signs document \(m\) with the public key \(y_{k}\):

    $$m_{k} = m \cdot y_{k}$$
    (20)

  • \(A\) calculates \(m_{rk}\) as follows:

    $$m_{rk} = m_{r} \cdot m_{k}$$
    (21)

  • The signature for document \(m\) is (\(m_{rk} ,m_{r}\)).

  • \(A\) publishes the signature of document \(m\) and his public key \(y_{k}\) for any user to verify the signature.

5.2 The verification procedure

Assume user \(B\) wants to verify the signature of user \(A\) on document \(m\) by using the published sequence \((m_{rk} ,m_{r} ,y_{k} )\) as follows:

  • \(B\) computes \(m_{k}^{'}\) as follows:

    $$m_{k}^{{\prime }} = m \cdot y_{k}$$
    (22)

  • \(B\) computes \(m_{rk}^{'}\) as follows:

    $$m_{rk}^{{\prime }} = m_{k}^{{\prime }} \cdot m_{r}$$
    (23)

  • If \(m_{rk} = m_{rk}^{'}\) then the signature of user \(A\) is verified otherwise the signature is unverified or the original document \(m\) may be changed.

6 Security analysis

The security of the proposed digital signature scheme based on the assumption that given two infinite numerical series \(t_{r}\) and \(t_{k}\) it is computationally intractable to compute \(m_{r}\) from its partial sums \(S_{r}\) and compute \(m_{k}\) from its partial sum \(S_{k}\) given the following unknowns:

  • The numerical series used.

  • The first term \(a\) of series \(t_{r}\).

  • Large number of terms \(r\) of series \(t_{r}\) which are randomly chosen from \([1,n_{r} ]\) where \(n_{r}\) is the total number of terms in the infinite numerical series \(t_{r}\).

  • The first term \(b\) of series \(t_{k}\).

  • Large number of terms \(k\) of series \(t_{k}\) which are randomly chosen from \([1,n_{k} ]\) where \(n_{k}\) is the total number of terms in the infinite numerical series \(t_{k}\).

  • A very large prime number p.

In this section, we analyse the possible attacks on the signature scheme which are equivalent to computing the nth partial sum of an infinite numerical series over a finite field. Some of these attacks are focused on recovering the secret key \(y_{r}\) and other attacks focus on forging the signature (\(m_{rk} ,m_{r}\)). The attacks to recover private key \(y_{r}\) is difficult because it requires recovering \(S_{r}\) from its \(y_{r}\). Since \(y_{r}\) depends on \(S_{r}\) which is not used twice to sign a new document, and by using very large prime number \(p\) it is difficult for an intruder to recover \(S_{r}\) from \(y_{r}\).

For attacks focus on forging the signature (\(m_{rk} ,m_{r}\)) of user \(A\) a forger may try to find the sequences \((t_{r} , a, r)\) and \((t_{k} , b, k)\). The forger tries different infinite numerical series with different random values for \(a, r\) to compute \(S_{r}\) and different random values for \(b, k\) to compute \(S_{k}\) which are equivalent to compute the rth partial sum of infinite numerical series \(t_{r}\) and the kth partial sum of infinite numerical series \(t_{k}\) with unknown parameters \(a\), \(r\) and \(b, k\) respectively. Suppose there is a pool of \(l\) different infinite numerical series with different finite fields to choose from, therefore the probability for choosing the correct infinite numerical series \(t_{r}\) is \(\frac{1}{l}\). The probability to recover \(m_{r}\) is equivalent to the joint probability \(p\left( {t_{r} ,n_{r} } \right)\) of choosing the correct numerical series \(t_{r}\) and the correct number of terms \(n_{r}\). As choosing \(t_{r}\) is independent of choosing \(n_{r}\) therefore the joint probability \(p\left( {t_{r} ,n_{r} } \right)\) is the product of the probabilities \(p\left( {t_{r} } \right)\) and \(p\left( {n_{r} } \right)\) where \(p\left( {n_{r} } \right)\) is the probability of choosing the correct infinite numerical series \(t_{r}\) and \(p\left( {n_{r} } \right)\) is the probability of choosing the correct \(n_{r}\) terms to calculate the partial sum \(S_{r}\), therefore:

$$\begin{aligned} p(t_{r} ,n_{r} ) = & \,p(t_{r} ) \times p(n_{r} ) \\ = & \frac{1}{l} \times \frac{{n_{r} }}{N} = \frac{{n_{r} }}{l \times N} \\ \end{aligned}$$
(24)

where \(N\) is the size of the numerical set an attacker can choose the \(n_{r}\) terms from it.

In order for the attacker to increase the possibilities to pick up the correct \(n_{r}\) terms, the size of the set of the numerical set \(N\) must increase.

Therefore:

$$\mathop {\lim }\limits_{{\begin{array}{*{20}c} { N \to \infty } \\ \\ \end{array} }} \frac{{n_{r} }}{l \times N} = 0$$
(25)

Also, the probability to recover \(m_{k}\) is equivalent to the joint probability \(p\left( {t_{k} ,n_{k} } \right)\) of choosing the correct numerical series \(t_{k}\) and the correct number of terms \(n_{k}\). Since choosing \(t_{k}\) is independent of choosing \(n_{k}\) therefore the joint probability \(p\left( {t_{k} ,n_{k} } \right)\) is the product of the probabilities \(p\left( {t_{k} } \right)\) and \(p\left( {n_{k} } \right)\) where \(p\left( {n_{k} } \right)\) is the probability of choosing the correct infinite numerical series \(t_{k}\) and \(p\left( {n_{k} } \right)\) is the probability of choosing the correct \(n_{k}\) terms to calculate the partial sum \(S_{k}\), therefore:

$$\begin{aligned} p(t_{k} ,n_{k} ) = &\, p(t_{k} ) \times p(n_{k} ) \\ = & \frac{1}{l} \times \frac{{n_{k} }}{N} = \frac{{n_{k} }}{l \times N} \\ \end{aligned}$$
(26)

where \(N\) is the size of the numerical set an attacker can choose \(n_{k}\) terms from it.

For the attacker to increase the possibilities to pick up the correct \(n_{k }\) terms, the size of the set of elements \(N\) must increase.

Therefore:

$$\mathop {\lim }\limits_{{\begin{array}{*{20}c} { N \to \infty } \\ \\ \end{array} }} \frac{{n_{k} }}{l \times N} = 0$$
(27)

Since choosing the infinite numerical series \(t_{r} ,t_{k}\) is independent of each other therefore the probability to recover \(m_{rk}\) from its components \(m_{r}\) and \(m_{k}\) is the product of the probabilities to recover \(m_{r}\) and \(m_{k}\) such that:

$$p(t_{r} ,t_{k} ,n_{r} ,n_{k} ) = p(t_{r} ,n_{r} ) \times p(t_{k} ,n_{k} )$$
(28)
$$p(t_{r} ,t_{k} ,n_{r} ,n_{k} ) = \frac{{n_{r} }}{l \times N} \times \frac{{n_{k} }}{l \times N} = \frac{{n_{r} \times n_{k} }}{{i^{2} \times N^{2} }}$$
(29)

Therefore:

$$\mathop {\lim }\limits_{N \to \infty } \frac{{n_{r} \times n_{k} }}{{i^{2} \times N^{2} }} = 0$$
(30)

where \(N\) is the size of the numerical set an attacker can choose \(n_{r} , n_{k}\) terms from it.

We believe it is not feasible to calculate \(y_{r}\) by solving the following equation using \(S_{r}\):

$$y_{r} = S_{r} \,mod\,p$$
(31)

Also, we believe it is not feasible to calculate \(y_{k}\) by solving the following equation using \(S_{k}\):

$$y_{k} = S_{k} \,mod\,p$$
(32)

The proposed cryptosystem provides forward secrecy. Forward secrecy protects past encrypted messages from future compromises of shared secret keys. By generating a unique shared secret key for each message to be ciphered then the compromise of a single shared secret key will not affect any message other than that ciphered using that particular shared secret key. Since the proposed cryptosystem relies on the difficulty of computing the nth partial sum of an infinite numerical series this allows for an infinite numerical space to choose different values for the first term and the number of terms in the numerical series each time a new message is encrypted.

A semantic security ciphering scheme must fulfill the following requirement which is: “It is infeasible to learn anything about the plaintext from the cipher text”. In other words: “Whatever an eavesdropper can compute about the plain text given the cipher text, he can also compute without the cipher text” [28]. Semantic security is commonly defined by the following game:

Let \(M\) be the set of all possible messages and \(T\) be the set of all possible numerical series.

  • Initialize The challenger \(A\) gives the public key \(key_{A}\) to adversary \(B\) and keeps the shared key \(S_{AB}\) with himself.

  • Phase 1 The adversary asks different ciphering queries to encrypt message \(m_{i} \in M, i = 1 \ldots N\). Each query uses different infinite numerical series \(t_{i} \in T, i = 1 \ldots N\) with different first term \(a_{i}\) and different number of terms \(k_{i}\) such that:

    $$m_{i}^{\prime} = E(m_{i} ,y)\,{\text{where}}\,E\,{\text{is}}\,{\text{the}}\,{\text{ciphering}}\,{\text{algorithm}} .$$

  • Challenge When the adversary decides that phase 1 is over he chooses two equal length plaintext messages (\(m_{i} , m_{j}\)) such that \(i \ne j\) on which he wishes to be challenged. The challenger picks message \(m_{i}\) and sends the adversary \(m_{i}^{'} = E\left( {m_{i} ,S_{AB} } \right)\) as a challenge to the adversary.

  • Phase 2 The adversary issues more ciphering queries as in Phase 1.

  • Guess The adversary outputs a guess \(m_{i}^{{\prime \prime }}\) and wins the game if \(m_{i}^{{\prime \prime }} = m_{i}^{{\prime }}\).

7 Proposed scheme properties

  1. A.

    The proposed ciphering scheme has an additive homomorphic property: by the distribution property, it is clear that ciphering the sum of \(m_{1}\) and \(m_{2}\) produces a ciphertext equivalent to the sum of \(E\left( {m_{1} } \right)\) and \(E\left( {m_{2} } \right)\) so that:

    $$E(m_{1} + m_{2} ) = E(m_{1} ) + E(m_{2} )$$
    (33)

Proof

Given two different messages \(m_{1}\) and \(m_{2}\):

$$\begin{aligned} E(m_{1} + m_{2} ) = & (m_{1} + m_{2} ) \cdot S_{AB} \\ = & m_{1} \cdot S_{AB} + m_{2} \cdot S_{AB} \\ = & E(m_{1} ) + E(m_{2} ) \\ \end{aligned}$$
(34)

Unfortunately, the proposed ciphering scheme has no multiplicative homomorphic property.

  1. B.

    For the secure key exchange, ciphering and deciphering of messages no exponentiation computations are required which make the proposed scheme significantly faster and more practical than the state-of-the-art key exchange algorithms and cryptosystems that are based on the difficulty of discrete logarithmic problem or factoring large prime numbers while producing a higher security level.

  2. C.

    For signing the documents no exponentiation computations are required and the same for signatures verification.

  3. D.

    The signature scheme can be used as cryptographic hash function to verify that a document is not tampered with as the hash value of a document is changed significantly if there is any change in the document. For example, if an upper case letter is changed to lower case letter or vice versa the hash value of the document is changed significantly.

See “Appendix 2”.

8 Implementation

The proposed key exchange cryptosystem is implemented on Intel Core i3 using MatLab R2017a. In this implementation a random number generator is used to choose the first term and a large number of terms in two different numerical series. The last term generated by the random number generator must be much greater than the first term in each numerical series.

User \(A\) enters a very large prime number \(p\) to be used in the ciphering and deciphering processes. Assume \(A\) chose an infinite numerical series \(n^{2}\) as follows:

$$1^{2} ,2^{2} , \ldots ,i^{2} , \ldots$$

The partial sum of its \(k\) terms starting from the ath term to the kth is:

$$\mathop \sum \limits_{i = a}^{k} i^{2}$$
(35)

where \(a\) the first term and \(k\) is the last term in the numerical series.

Assume \(B\) chose another infinite numerical series \(2n + 1\) which is:

$$3, 5, 7, 9, \ldots , 2i + 1, \ldots$$

The partial sum of its \(r\) terms starting from the bth term is:

$$\mathop \sum \limits_{i = b}^{r} \left( {2i + 1} \right)$$
(36)

where \(b\) is the first term and \(r\) is the last term in this numerical series.

Note that \(a\), \(b\), \(r\) and \(k\) are all chosen using a true random number generator such that \(k \gg a\) and \(r \gg b\).

User \(A\) calculates the kth partial sum \(S_{A}\) using his numerical series and calculates \(y_{A}\) using the chosen large prime number \(p\). In this implementation, the length of \(p\) is 78 digits for a key of size 128 bits, 92 digits for keys of sizes 256 bits and 512 bits, 184 digits for keys of sizes 1024 bits and 693 digits for 2048 bits.

User \(A\) sends (\(y_{A} ,p\)) to user \(B\) who calculates the rth partial sum \(S_{B}\) using his numerical series then calculates \(y_{B}\) using the large prime number \(p\) sent by user \(A\). The function share_key_generation() implements the secure key exchange algorithm between the two parties in conversation so that each party will have a shared secret key. The function has no input but its outputs are the public key for user \(A\) which is \(y_{A}\), the private key for user \(A\) which is \(S_{A}\), the public key for user \(B\) which is \(y_{B}\) and the private key for user \(B\) which is \(S_{B}\) and the shared secret key \(S_{AB}\) between users \(A\) and \(B\). The function cipher() implements the ciphering of message \(m\) by user \(B\) using the shared secret key with user \(A\). This function has no inputs but the output is the ciphered message \(mciph\). The function decipher (\(mciph\)) is implemented by the receiver user A, its input the ciphered message \(mciph\) and its output the deciphered message \(m\). See “Appendix 1” for a practical example.

To significantly minimize the generation time for the kth partial sum \(S_{A}\) and rth partial sum \(S_{B}\) for these keys are evaluated using the number of terms used to generate keys of sizes \(< 512\)-bits. Finally, the final values for \(S_{A}\) and \(S_{B}\) are obtained by multiplying \(S_{A}\) with a large constant \(C_{A}\) and multiplying \(S_{B}\) with a large constant \(C_{B}\) to obtain the required key size. These large constants are selected empirically and must be changed for every new message to improve the security level.

Table 1 shows a comparison of key generation time, ciphering time, deciphering time and total execution time in milliseconds between the proposed cryptosystem, modified subset sum cryptosystem and standard RSA. Figure 1 shows a comparison in seconds between key generation time of 128-bit single key pair RSA, DH, P256, Curve25519, FourQ and 128-bits key of the proposed key exchange algorithm.

Table 1 Comparison between the proposed cryptosystem, RSA algorithm using modified subset sum (MSSRSA) cryptosystem and the RSA cryptosystem
Full size table
Fig. 1
figure 1

As adapted from [24]

Key generation time of 128-bit keys between the proposed cryptosystem, DH, P256, Curve25529 and Four Q.

Full size image

The proposed signature scheme is implemented using the functions: keys_generation() to generate the public key \(y_{k}\) and private key \(y_{r}\), sign_document() and verify_signature().

See “Appendix 2” for a practical example.

figure a
figure b

From Table 1, it is clear that the average time for generating 128-bits key in RSA and MSSRSA is 16 ms while the average time for generating the same key size using the proposed key exchange algorithm is 0.222 ms which means that it is 98.61% faster than RSA and MSSRSA. The average time to cipher messages of sizes 32 and 64 elements using MSSRSA is 165 ms and using RSA is 55 ms while it takes 6 ms using the proposed cryptosystem. This means that the proposed cryptosystem is 96.36% faster than MSSRSA to cipher a message of 32 elements and 89.09% faster than RSA to cipher the same message. The average time to decipher messages of size 32 elements and 64 elements using the MSSRSA takes 63 ms and using the RSA it takes 55 ms while using the proposed cryptosystem it takes 0.542 ms. This means that the proposed cryptosystem is 99.14% faster than MSSRSA and 99.01% faster than RSA. The total average execution time for MSSRSA is 243 ms, 118 ms for RSA and 7 ms for the proposed cryptosystem. This means that the proposed cryptosystem is faster 97.12% than MSSRSA and 94.07% faster than RSA.

The average time for generating a key of size 512-bits using MSSRSA is \(89\;{\text{ms}}\) and by using RSA is \(73 \,{\text{ms}}\) while the average key generation time for the same key size using the proposed key exchange algorithm is \(2\,{\text{ms}}\) which is 97.75% faster than MSSRSA and 97.26% faster than RSA. The average time for ciphering messages of size 32, 64 and 128 elements with 512-bits key size using MSSRSA is \(573 \,{\text{ms}}\), \(261\,{\text{ms}}\) for RSA and \(9\;{\text{ms}}\) for the proposed cryptosystem. This means that the proposed cryptosystem is \(98.42\%\) faster than MSSRSA and 96.55% faster than RSA. The average time for deciphering messages of size 32, 64 and 128 elements for MSSRSA is \(1031\;{\text{ms}}\), for RSA is \(1000 \;{\text{ms}}\) while for the proposed cryptosystem is \(2\;{\text{ms}}\). This means that the proposed cryptosystem is faster than the MSSRSA by \(99.81\%\) and faster than RSA by 99.80%. The average total execution time for MSSRSA is \(1678\;{\text{ms}}\), \(1334\;{\text{ms}}\) for RSA and \(65\;{\text{ms}}\) for the proposed cryptosystem. This means that the proposed cryptosystem is \(96.12\%\), faster than MSSRSA and 95.13% faster than RSA.

The average time for generating a key of size 1024-bits using MSSRSA is \(3629\;{\text{ms}}\) and using RSA is \(484\;{\text{ms}}\) however by using the proposed key exchange algorithm is \(14\;{\text{ms}}\),which means that the proposed key exchange algorithm is 99.61% faster than MSSRSA and 97.11% faster than RSA. The average ciphering time for messages of size 32, 64, 128 and 512 elements using 1024-bits key size and using MSSRSA is \(3176 \;{\text{ms}}\), using RSA is \(1238 \;{\text{ms}}\) while using the proposed cryptosystem it is \(26\;{\text{ms}}\). This means that the proposed cryptosystem is 99.18% faster than MSSRSA and 97.89% faster than RSA. The average deciphering time for messages of size 32, 64, 128 and 512 elements using MSSRSA is \(5176\;{\text{ms}}\), RSA is \(5485\;{\text{ms}}\) while using the proposed cryptosystem is \(2\;{\text{ms}}\). It is clear that the proposed cryptosystem is 99.96% faster than MSSRSA and 99.96% faster than RSA for deciphering messages. The average total execution time for MSSRSA is 11,980 ms, \(7207\;{\text{ms}}\) for RSA and finally the average execution time for the proposed cryptosystem is \(41\;{\text{ms}}\). The proposed scheme is faster 96.66% than MSSRSA and faster than RSA by 99.43%.

The key generation time for the key of size 2048-bits using MSSRSA is 11,985 ms and using RSA is \(4591\;{\text{ms}}\) while using the proposed key exchange algorithm is \(7\;{\text{ms}}\) which means that the proposed key exchange algorithm 99.94% faster than MSSRSA and 99.85% faster than RSA. The ciphering time for messages of size 32, 64, 128, 512 and 1024 elements for the MSSRSA is \(4135\;{\text{ms}}\), \(1957\;{\text{ms}}\) for RSA and \(38 \;{\text{ms}}\) for the proposed cryptosystem that means that the proposed cryptosystem is 99.08% faster than MSSRSA and \(98.05\%\) faster than RSA. The average deciphering time for messages of size 32, 64, 128, 512 and 1024 elements for MSSRSA is 31,278 ms, 31,978 ms for RSA and \(5\;{\text{ms}}\) for the proposed cryptosystem. This means that the proposed cryptosystem is 99.98% faster than MSSRSA and 99.98% faster than RSA. The average total execution time for MSSRSA is 47,397 ms, 38,525 ms for RSA while it is \(50\;{\text{ms}}\) for the proposed cryptosystem. This means that the proposed cryptosystem is \(99.89\%\) faster than MSSRSA and 99.87% faster than RSA.

Therefore, the general average time of key generation for MSSRSA is \(3930\;{\text{ms}}\), and for RSA is \(1291\;{\text{ms}}\) while for the proposed key exchange algorithm is \(6\;{\text{ms}}\). The general average time of message ciphering for MSSRSA is \(3975\;{\text{ms}}\) and for RSA is \(878\;{\text{ms}}\) while for the proposed cryptosystem is \(4\;{\text{ms}}\). The general average time of message deciphering for MSSRSA is \(9387\;{\text{ms}}\), and for RSA is 9630 ms while for the proposed cryptosystem is \(2\;{\text{ms}}\).

Figure 1 shows a comparison of the key generation time between the proposed key exchange algorithm and state-of-the-art Curve25519, DH, P256 and FourQ cryptosystems. The average key generation time using the proposed key exchange algorithm is \(0.00012\) s which is less than the state-of-the-art cryptosystems. Table 1 shows the superiority of the proposed cryptosystem over the state-of-the art cryptosystems.

It is clear from the above analysis that the proposed cryptosystem and key exchange algorithm are significantly faster than the state-of-the-art key exchange algorithms and cryptosystems; this makes the proposed cryptosystem and signature scheme more practical to be used in practice and especially in online transactions.

9 Conclusion

This paper described a public key cryptosystem and a signature scheme which employ a proposed secure key exchange algorithm that is based on the difficulty of computing the nth partial sum of infinite numerical series over finite fields. Without using exponentiation for ciphering and deciphering of messages or signing documents and signature verifications the experimental results show that the proposed public key cryptosystem is easier to implement, computationally faster and more practical than state-of-the-art cryptosystems which are based on discrete logarithms, elliptic curves or factoring large prime numbers. Also, the proposed cryptosystem provides a higher level of security as the size of the shared secret key can be enlarged significantly with a very short time for key generation, ciphering and deciphering of messages. It supports forward secrecy because the first term and total number of terms in each numerical series involved in the key exchange algorithm are changed each time a message is ciphered. By generating a unique shared secret key each time a message is ciphered, the compromise of single shared secret key will not affect any ciphered message other than that specific message that is ciphered by that key. Finally, the signature scheme can be also used as a cryptographic hash function as the hash value changes significantly with any change in the document.