Abstract
This article describes a new implementation of MST-based encryption for generalized Suzuki 2-groups. The well-known MST cryptosystem based on Suzuki groups is built on a logarithmic signature at the center of the group, resulting in a large array of logarithmic signatures. An encryption scheme based on multiparameter non-commutative groups is proposed. The multiparameter generalized Suzuki 2-group was chosen as one of the group constructions. In this case, a logarithmic signature is established for the entire group. The main difference from the known scheme is the use of homomorphic encryption to construct coverings of logarithmic signatures for all group parameters. With this design, the secrecy of the cryptosystem is ensured at the level of a brute-force attack.
1 Introduction
Recent advances in quantum computing for solving complex problems formulate new trends for building secure public-key cryptosystems. The main directions in this area are the solution of the problem of finding the conjugate element in the theory of non-commutative groups and the word problem in groups and semigroups. The word complexity problem was proposed by Wagner and Magyarik [1] and implemented in several cryptosystems. One of the best known and most studied is a cryptosystem based on factorization in finite groups of permutations, called the logarithmic signature [2]. In 2009, Lempken et al. described an MST3 public-key cryptosystem based on a logarithmic signature and a Suzuki 2-group [2]. In 2008, Magliveras et al. [4] presented a comprehensive analysis of the MST3 cryptosystem, identifying limitations for the logarithmic signature, and stated that the transitive logarithmic signature is not suitable for the MST3 cryptosystem. In 2010, Svaba et al. [5] analyzed all known attacks on MST cryptography and built a more secure eMST3 cryptosystem by adding a secret homomorphic coverage. In 2018, T. van Trung [7] proposed a general method for constructing strong aperiodic logarithmic signatures for Abelian p-groups, which is a further contribution to the practical application of MST cryptosystems.
The construction of MST cryptosystems based on multiparameter non-commutative groups was proposed in [7,8,9]. MST cryptosystems based on multi-parameter groups allow optimizing the costs of cryptosystem parameters and secrecy.
Generalized Suzuki 2-groups are multivariable and have the highest group order compared to other multivariable groups. The first implementation of the cryptosystem on the generalized Suzuki 2-group is presented in [8] and does not provide protection against brute force attacks with sequential brute force key recovery. Analysis of MST cryptosystems by group shows their vulnerability to highlighted text attacks. The design feature of all known MST implementations is the presence of known texts and, as a consequence, the possibility of such cryptanalysis. A secure encryption scheme is proposed based on the generalized Suzuki 2-group with homomorphic encryption.
2 Proposal
The generalization of Suzuki 2-groups is defined over a finite field \(F_{q}\), \(q = 2^{n}\), \(n > 0\), for a positive integer \(l\) and \(a_{1} ,a_{2} ,...,a_{l} \in F\), for some automorphism \(\theta\) of \(F\), as [10]:
Each element of \(A_{l} (n,\theta )\) can be expressed uniquely and it follows that \(\left| {A_{l} (n,\theta )} \right| = 2^{nl}\) and \(A_{l} (n,\theta )\) define a group of order \(2^{nl}\). If \(l = 2\), this group is isomorphic to a Suzuki 2-group \(A(n,\theta )\).
Group operation is defined as a product:
with the identity element being \(S(0_{1} ,0,...,0)\).
The inverse element is given by:
The group \(G\) is nonabelian and has a nontrivial center:
Assume that \(\theta\) is the Frobenius automorphism of \(F\), \(\theta :x \to x^{2}\). For the fixed finite field, the order of the group \(A_{l} (n,\theta )\) is greater than that of the classical Suzuki 2-group.
In the new implementation of the cryptosystem, we have changed the encryption algorithm and suggest using homomorphic encryption for random covers. In this case, the complexity of the key recovery attack will be determined by exhaustive search over the entire group.
2.1 Description of the Scheme
Our proposal is to create a logarithmic signature for the whole generalized Suzuki 2-group and homomorphic encryption of random covers in the logarithmic signature.
Let’s take a look at the basic steps of encryption.
Key Generation.
We fix a large group \(A_{l} (n,\theta ) = \left\{ {S(a_{1} ,a_{2} ,...,a_{l} )|a_{i} \in F_{q} } \right\}\), \(q = 2^{n}\).
Let’s build tame logarithmic signatures \(\beta_{k} = \left[ {B_{1(k)} ,...,B_{s(k)} } \right] = \left( {b_{ij} } \right)_{k} = S\left( {0,..,0,b_{ij(k)} ,0,...,0} \right)\) of type \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(b_{ij(k)} \in F_{q}\), \(k = \overline{1,l}\).
Let’s set a random cover:
of the same type as \(\beta_{k}\), where \(a_{ij} \in A_{l} (n,\theta )\), \(a_{ij(k)}^{(v)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{1,s}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,l}\).
Select the random covers:
\(w_{(k)} = \left[ {W_{1(k)} , \ldots ,W_{s(k)} } \right] = \left( {w_{ij} } \right)_{(k)} = S\left( {w_{ij(k)}^{(1)} ,w_{ij(k)}^{(2)} , \ldots ,w_{ij(k)}^{(l)} } \right)\) of the same types as \(\beta_{(k)}\), where \(w_{ij} \in A_{l} (n,\theta )\), \(w_{ij(k)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,l}\).
Let’s generate random \(t_{0(k)} ,...,t_{s(k)} \in A_{l} (n,\theta )\backslash Z\), \(t_{i(k)} = S(t_{i1(k)} ,...,t_{il(k)} )\), \(t_{ij(k)} \in F^{ \times }\), \(i = \overline{0,s(k)}\), \(k = \overline{1,l}\). Choose
Let’s take \(t_{s(k - 1)} = t_{0(k)}\), \(\tau_{s(k - 1)} = \tau_{0(k)}\), \(k = \overline{1,l}\).
Let’s define an additional group operation:
The inverse element \(S^{ - (k)}\) for the group operation \(\circ^{\left( k \right)}\) is
where
The application of additional group operation \(\circ^{\left( k \right)}\) leads to homomorphic representation of group elements \(S(a_{1} ,a_{2} ,...,a_{l} )\,\mathop{\longrightarrow}\limits^{{ \circ^{\left( k \right)} }}\,S(a_{1} ,a_{2} ,...,a_{k} ,\alpha_{k + 1} ,...,\alpha_{l} ) = S^{(k)}\).
We apply inverse homomorphic transformation for the inverse and direct elements \(S_{1}^{ - (k)}\), \(S_{2}^{(k)}\) of the group for the calculation in group with left inverse element \(S_{1}^{ - (n) \circ }\).
\(S_{3} = S_{1}^{ - (k) \circ } \cdot S_{2}^{(k) \circ }\)
For \(S_{1}^{ - (k)}\) we have:
\(S^{ - (k) \circ } = S^{ \circ } (a_{1} ,a_{2} ,...,a_{k} ,\alpha_{k + 1} ,...,\alpha_{l} ) = S(\alpha_{1} ,...,\alpha_{k} ,\alpha_{k + 1} ,...,\alpha_{l} )\), where
and for \(S_{2}^{(k)}\) respectively to \(S_{3} = S_{1}^{ - (k) \circ } \cdot S_{2}^{(k) \circ }\) we get
Homomorphic transformations for \(S^{ - (k) \circ }\), \(S^{(k) \circ }\) are needed so as not to break the group operation when calculating the elements of the group \(A_{l} (n,\theta )\).
Let \(f(e)\) be a homomorphic cryptographic transformation with respect to addition \(f(a + b) = f(a) + f(b)\), \(e,a,b \in F_{q}\) and the corresponding inverse transformation \(\hat{f}(e) = e\). We calculate the covering of the logarithmic signatures:
and coverings of the homomorphic cryptographic transformation:
\(g_{(k)} = \left[ {g_{1(k)} ,...,g_{s(k)} } \right] = \tau_{(i - 1)(k)}^{ - (k)} \circ^{(k)} f\left( {w_{ij} } \right)_{(k)} \circ^{(k)} \tau_{i(k)}\), where
An output public key is \((a_{k} ,h_{k} ,g_{k} )\), and a private key \(\left[ {f,\beta_{(k)} ,\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right),\left( {\tau_{0(k)} , \ldots ,\tau_{s(k)} } \right)} \right]\), \(k = \overline{1,l}\) respectively.
Encryption
Let the message be \(x = S\left( {x_{1} ,...,x_{l} } \right)\) and the public key \((a_{k} ,h_{k} ,g_{k} )\), \(k = \overline{1,l}\) respectively. Choose a random \(R = (R_{1} ,...,R_{l} )\), \(R_{1} ,...,R_{l} \in {\mathbb{Z}}_{{\left| {F_{q} } \right|}}\).
Compute the ciphertext \(y_{1}\), \(y_{2}\), \(y_{3}\) as:
Here, the \(\left( * \right)\) components are determined by cross-calculations in the group operation of the product of \(t_{0(k)} ,...,t_{s(k)}\) and the product of \(w_{(k)} \left( {R_{k} } \right) + \beta_{(k)} \left( {R_{k} } \right)\).
Here, the \(\left( * \right)\) components are determined by cross-calculations in the group operation of the product of \(\tau_{0(k)} , \ldots ,\tau_{s(k)}\) and the product of \(f\left( {w_{(k)} \left( {R_{k} } \right)} \right)\).
Output: a ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\) of the message \(x\).
Decryption
Input: a ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\) and a private key \(\left[ {f,\beta_{(k)} ,t_{i(k)} ,\tau_{i(k)} } \right]\), \(i = \overline{0,s(k)}\), \(k = \overline{1,l}\).
To decrypt a message \(x\), we need to restore random numbers \(R = (R_{1} ,R_{2} ,...,R_{l} )\).
Compute
\(D^{(1)} (R)^{\prime} = D^{(1)} (R) \circ^{(1)} \hat{f}(G^{(1)} (R))^{ - (1)} = S(\sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} } , * , * )\)
Restore \(R_{1}\) with \(\beta_{(1)} \left( {R_{1} } \right) = \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} }\) using \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\), because \(\beta_{1}\) is simple.
For the further calculation, it is necessary to remove the component \(h_{1} \left( {R_{1} } \right)\) from \(y_{2}\) and \(g_{1} \left( {R_{1} } \right)\) from \(y_{3}\). Compute
and restore \(R_{2}\) with \(\beta_{(2)} \left( {R_{2} } \right) = \sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} }\) using \(\beta_{(2)} \left( {R_{2} } \right)^{ - 1}\), because \(\beta_{2}\) is simple. We continue the calculations iteratively until the last value \(R_{l}\) is restored. We have the following recurrent relations for \(n = \overline{1,l - 1}\):
\(y_{2}^{(n)} = h_{n} \left( {R_{n} } \right)^{ - (n) \circ } \cdot y_{2}^{(n - 1) \circ }\), \(y_{3}^{(n)} = g_{n} \left( {R_{n} } \right)^{ - (n) \circ } \cdot y_{3}^{(n - 1) \circ }\),
\(D^{(n + 1)} (R) = t_{0(n + 1)} \circ^{(n + 1)} y_{2}^{(n)} \circ^{(l)} t_{s(l)}^{ - (l)}\), \(G^{(n + 1)} (R) = \tau_{0(n + 1)} \circ^{(n + 1)} y_{3}^{(n)} \circ^{(l)} \tau_{s(l)}^{ - (l)}\),
\(D^{(n + 1)} (R)^{\prime} = D^{(n + 1)} (R) \circ^{(n + 1)} \hat{f}(G^{(n + 1)} (R))^{ - (n + 1)} = S(0,0,...,0,\sum\limits_{{i = 1,j = R_{i(n + 1)} }}^{s(n + 1)} {\beta_{ij(n + 1)} } , * )\)
Restore \(R_{n + 1}\) with \(\beta_{(n + 1)} \left( {R_{n + 1} } \right) = \sum\limits_{{i = 1,j = R_{i(n + 1)} }}^{s(n + 1)} {\beta_{ij(n + 1)} }\) using \(\beta_{(n + 1)} \left( {R_{n + 1} } \right)^{ - 1}\).
Recovery of the message \(x = a\left( {R_{1} ,R_{2} ,...,R_{l} } \right)^{ - 1} \cdot y_{1}\).
Example
We will show the correctness of the obtained expressions in the following simple example.
Let’s fix the four-parameter generalized Suzuki group \(G = A_{4} (n,\theta )\) over the finite field \(F_{q}\), \(q = 2^{5}\), \(g(x) = x^{5} + x^{3} + 1 \, \). Assume that \(\theta\) is the Frobenius automorphism of \(F_{q} ,\theta :\alpha \to \alpha^{2}\). Group operation is defined as:
The inverse element is determined as:
where \(a^{\prime}_{2} = a_{2} + a_{1}^{3}\), \(a^{\prime}_{3} = a_{3} + a_{2}^{2} a_{1} + a_{1}^{4} a^{\prime}_{2}\).
Let’s consider the basic steps of our calculations.
Generation of public and private keys
The first stage is to generate a tame logarithmic signature with the dimension of the corresponding selected type \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\) and finite field \(F_{q}\). The construction of arrays of logarithmic signatures is presented in [11]. For our example, we use the construction of simple logarithmic signatures without analyzing the details of their secrecy. Let \(\beta_{(k)}\) for \(k = \overline{1,4}\) have the types \(\left( {2^{2} ,2^{3} } \right)\), \(\left( {2,2^{2} ,2^{2} } \right)\), \(\left( {2^{2} ,2,2^{2} } \right)\), \(\left( {2^{2} ,2^{2} ,2} \right)\). They are represented as strings and elements of the group over the field \(F_{q}\) in the table provided below (Table 1).
Construct random covers \(\alpha_{k}\), for the same type as \(\beta_{(k)}\)
where \(a_{ij} \in A_{l = 4} (n,\theta )\), \(a_{ij(k)}^{(v)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{1,s}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\).
In the field representation \(\alpha_{k}\) has the following form (Table 2)
Choose random \(t_{0(k)} ,t_{1(k)} ,...,t_{s(k)} \in A_{l} (n,\theta )\), \(s_{(k)}\), \(k = \overline{1,4}\) and \(t_{2(1)} = t_{0(2)}\), \(t_{3(2)} = t_{0(3)}\), \(t_{3(3)} = t_{0(4)}\) (Table 3)
The inverse elements \(t_{0(k)}^{ - (k)} ,t_{1(k)}^{ - (k)} ,...,t_{s(k)}^{ - (k)}\) of the group \(A_{4} (n,\theta )\) were computed and are given below (Table 4):
Similarly, we choose random \(\tau_{0(k)} ,\tau_{1(k)} ,...,\tau_{s(k)} \in A_{l} (n,\theta )\), \(s_{(k)}\), \(k = \overline{1,4}\) and \(t_{2(1)}^{{}} = t_{0(2)}\), \(t_{3(2)}^{{}} = t_{0(3)}\), \(t_{3(3)}^{{}} = t_{0(4)}\):
and the inverse elements \(\tau_{0(k)}^{ - (k)} ,\tau_{1(k)}^{ - (k)} ,...,\tau_{s(k)}^{ - (k)}\) (Table 5):
Construct random covers \(w_{k}\), for the same type as \(\beta_{(k)}\)
\(w_{(k)} = \left[ {W_{1(k)} , \ldots ,W_{s(k)} } \right] = \left( {w_{ij} } \right)_{(k)} = S\left( {w_{ij(k)}^{(1)} ,w_{ij(k)}^{(2)} , \ldots ,w_{ij(k)}^{(l)} } \right)\), where \(w_{ij} \in A_{l = 4} (n,\theta )\), \(w_{ij(k)}^{(v)} \in F_{q}\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\) (Tables 6 and 7).
The next step is to calculate the arrays \(h_{k}\). Within the condition of the example, we obtain:
\(h_{(k)} = \left[ {h_{1(k)} ,...,h_{s(k)} } \right] = t_{(i - 1)(k)}^{ - (k)} \circ^{(k)} \left( {w_{ij} } \right)_{(k)} \circ^{(k)} \left( {b_{ij} } \right)_{(k)} \circ^{(k)} t_{i(k)}\)
\(i = \overline{1,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\).
Let’s define a homomorphic cryptographic transformation for a field element \(e \Rightarrow \rho_{i} e\), where \(\rho_{i}\) is a secret parameter. The transformation is chosen to be the simplest (Table 8).
You can also use more complex homomorphic transformations with respect to the addition operation. We define the homomorphic cryptographic transformation for a group element \(S\) as
and let \(\rho = \left( {\rho_{1} ,\rho_{2} ,\rho_{3} ,\rho_{4} } \right) = \left( {\alpha^{4} ,\alpha^{5} ,\alpha^{6} ,\alpha^{7} } \right)\).
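The field-element transformation \(e \Rightarrow \rho_{i} e\) over this example's field, as an added illustration that is not code from the paper: it builds \(F_{2^{5}}\) with \(g(x) = x^{5} + x^{3} + 1\), prints elements as bit strings with the constant coefficient first (the convention that reproduces the values \(\alpha^{5} = (10010)\) and \(\alpha^{12} = (01111)\) quoted in the decryption steps), and checks that multiplication by each \(\rho_{i}\) is additive and invertible. All function names are illustrative assumptions.

```python
N = 5                 # field F_q with q = 2^5, as in the example
POLY = 0b101001       # g(x) = x^5 + x^3 + 1
ALPHA = 0b00010       # alpha, a root of g(x); bit i = coefficient of alpha^i


def gf_mul(a, b):
    """Multiply two elements of F_32 (shift-and-add, reduced modulo g)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:            # degree reached 5: reduce by g(x)
            a ^= POLY
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in F_32."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Inverse of a nonzero element: a^(q-2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_q")
    return gf_pow(a, (1 << N) - 2)


def bits(e):
    """Bit string of a field element, constant coefficient first."""
    return "".join(str((e >> i) & 1) for i in range(N))


# rho = (alpha^4, alpha^5, alpha^6, alpha^7), the secret parameters of the example
RHO = tuple(gf_pow(ALPHA, k) for k in (4, 5, 6, 7))


def f(i, e):
    """Transformation of the i-th field element (i = 1..4): e -> rho_i * e."""
    return gf_mul(RHO[i - 1], e)


def f_inv(i, c):
    """Inverse transformation: c -> rho_i^{-1} * c."""
    return gf_mul(gf_inv(RHO[i - 1]), c)


def is_additive(i):
    """f(a + b) == f(a) + f(b) for every pair; field addition is XOR."""
    q = 1 << N
    return all(f(i, a ^ b) == f(i, a) ^ f(i, b)
               for a in range(q) for b in range(q))


def round_trips(i):
    """f_inv undoes f on every field element."""
    return all(f_inv(i, f(i, e)) == e for e in range(1 << N))


if __name__ == "__main__":
    for k in (5, 12, 19, 29):
        print(f"alpha^{k} = ({bits(gf_pow(ALPHA, k))})")
    for i in range(1, 5):
        print(f"rho_{i} = ({bits(RHO[i - 1])})",
              "additive:", is_additive(i), "invertible:", round_trips(i))
```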
Next, we compute the arrays \(g_{k}\) via the homomorphic transformation
\(i = \overline{1,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\). See Table 9 for the results.
The output is a public key \((a_{k} ,h_{k} ,g_{k} )\) and a private key \(\left[ {f,\beta_{(k)} ,\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right),\,\left( {\tau_{0(k)} , \ldots ,\tau_{s(k)} } \right)} \right]\), \(k = \overline{1,4}\).
Encryption
Input: a message \(m \in A_{l} (n,\theta )\), \(m = S\left( {m_{1} ,m_{2} ,m_{3} ,m_{4} } \right)\), \(m_{i} \in F_{q}\) and the public key \(\left[ {f_{k} ,(a_{k} ,h_{k} ,g_{k} )} \right]\), \(k = \overline{1,4}\).
Let \(m = \left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right) = S\left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right)\).
Choose a random \(R = (R_{1} ,R_{2} ,R_{3} ,R_{4} ) = (10,20,30,14)\).
We obtain the following \(R_{i}\) expansions for given types of \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\), \(k = \overline{1,4}\)
Compute the cipher text:
where:
Calculate
The components \(h^{\prime}_{k} \left( {R_{k} } \right)\) are calculated similarly to \(a^{\prime}_{k} \left( {R_{k} } \right)\) components, but using the appropriate multiplication operation. Compute the component \(y_{3}\):
We obtained output \(y_{1} = \left( {\alpha^{7} ,\alpha^{6} ,\alpha^{22} ,\alpha^{11} } \right),\) \(y_{2} = \left( {0,\alpha^{8} ,\alpha^{16} ,\alpha^{17} } \right)\), \(y_{3} = \left( {\alpha^{16} ,\alpha^{14} ,\alpha^{1} ,\alpha^{4} } \right)\).
Decryption
Input: a ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\) and private key \(\left[ {f,\beta_{(k)} ,t_{i(k)} ,\tau_{i(k)} } \right]\), \(i = \overline{0,s(k)}\), \(k = \overline{1,4}\).
Output: the message \(m \in A\left( {P_{\infty } } \right)\) corresponding to ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\).
To decrypt a message \(m\), we need to restore random numbers \(R = (R_{1} ,R_{2} ,R_{3} ,R_{4} )\).
Compute
Restore \(R_{1}\) with \(\beta_{(1)} \left( {R_{1} } \right) = \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} }\) using \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\), because \(\beta_{1}\) is simple.
We get \(\beta_{1} \left( {R_{1} } \right) = \alpha^{5} = ({10010})\). Perform inverse calculations \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\).
10|010 R1 = (*, 2)
11|010 row 1 from B4(1)
10|010−11|010 = 01|000 R1 = (2, 2)
We get \(\beta_{1} \left( {R_{1} } \right)^{ - 1} = \left( {2,2} \right) = 10\)
For further calculation, it is necessary to remove the component \(h^{\prime}_{1} \left( {R_{1} } \right)\) from \(y_{2}\) and \(g^{\prime}_{1} \left( {R_{1} } \right)\) from \(y_{3}\).
Compute
and restore \(R_{2}\) with \(\beta_{(2)} \left( {R_{2} } \right) = \sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} }\) using \(\beta_{(2)} \left( {R_{2} } \right)^{ - 1}\), because \(\beta_{2}\) is simple. We get \(\beta_{2} \left( {R_{2} } \right) = \alpha^{12} = (01111)\). Restore \(R_{2}\) with \(\beta_{2} \left( {R_{2} } \right)\). We use the same calculations as in the example for \(\beta_{2} \left( {R_{2} } \right)^{ - 1}\), and we get:
01|11|1 R2 = (*, *, 1)
10|01|1 row 1 from B3(2)
01|11|1−10|01|1 = 11|10|0 R2 = (*, 1, 1)
11|10|0 row 0 from B3(2)
11|10|0−11|10|0 = 00|00|0 R2 = (0, 1, 1)
We get \(\beta_{2} \left( {R_{2} } \right)^{ - 1} = \left( {0,1,1} \right) = 20\).
Remove the component \(h_{2} ^{\prime}\left( {R_{2} } \right)\) from \(y_{2}^{(1)}\) and \(g_{2} ^{\prime}\left( {R_{2} } \right)\) from \(y_{3}^{(1)}\). We get
We get \(\beta_{3} \left( {R_{3} } \right) = \alpha^{19} = (11011)\).
Perform inverse calculations \(\beta_{3} \left( {R_{3} } \right)^{ - 1}\).
1|10|11 R3 = (*, *, 3)
1|01|11 row 3 from B3(3)
1|10|11−1|01|11 = 0|11|00 R3 = (*, 3, 3)
0|11|00 row 3 from B2(3)
0|11|00−0|11|00 = 0|00|00 R3 = (0, 3, 3)
We get \(\beta_{3} \left( {R_{3} } \right)^{ - 1} = \left( {0,3,3} \right) = 30\).
Remove the component \(h_{3} ^{\prime}\left( {R_{3} } \right)\) from \(y_{2}^{(2)}\) and \(g_{3} ^{\prime}\left( {R_{3} } \right)\) from \(y_{3}^{(2)}\).
As a result, we get:
\(01010\)
We get \(\beta_{4} \left( {R_{4} } \right) = \alpha^{29} = (01010)\). Perform inverse calculations \(\beta_{4} \left( {R_{4} } \right)^{ - 1}\).
01|0|10 R4 = (*, *, 1)
00|1|10 row 1 from B3(4)
01|0|10−00|1|10 = 01|1|00 R4 = (*, 1, 1)
00|1|00 row 1 from B2(4)
01|1|00−00|1|00 = 01|0|00 R4 = (2, 1, 1)
We get \(\beta_{4} \left( {R_{4} } \right)^{ - 1} = \left( {2,1,1} \right) = 14\).
Receive a message \(m = a^{\prime}\left( R \right)^{ - 1} y_{1} = S\left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right)\).
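The inversion \(\beta_{(k)} \left( {R_{k} } \right)^{ - 1}\) carried out by hand above, as an added example that is not code from the paper: it expands \(R_{k}\) into digits for a given type, forms \(\beta(R)\) as a sum (XOR) of one row per block, and recovers \(R\) by peeling blocks from the last to the first. The block sizes are read off the bit splits in the worked lines; the signature entries are constructed with a seeded generator because the paper's tables are not reproduced here, and storing digit \(j\) in row \(j\) of its block is an assumption.

```python
import random

# Block sizes implied by the bit splits in the worked decryption
# (10|010, 01|11|1, 1|10|11, 01|0|10) and the random numbers R chosen there.
WORKED_TYPES = {1: (4, 8), 2: (4, 4, 2), 3: (2, 4, 4), 4: (4, 2, 4)}
WORKED_R = {1: 10, 2: 20, 3: 30, 4: 14}


def layout(rtype):
    """Return (bit offset of each block, total bit length n) for a type."""
    offs, off = [], 0
    for r in rtype:
        if r < 2 or r & (r - 1):
            raise ValueError("block sizes must be powers of two")
        offs.append(off)
        off += r.bit_length() - 1
    return offs, off


def expand(R, rtype):
    """Mixed-radix digits (R_1, ..., R_s) of R, least significant first."""
    digits = []
    for r in rtype:
        digits.append(R % r)
        R //= r
    if R:
        raise ValueError("R is out of range for this type")
    return tuple(digits)


def compose(digits, rtype):
    """Inverse of expand()."""
    R, weight = 0, 1
    for d, r in zip(digits, rtype):
        R += d * weight
        weight *= r
    return R


def make_tame_signature(rtype, seed=0):
    """Constructed sample signature for (F_2^n, +).

    Row j of block i carries the bits of j in block i's positions, zeros in
    the later blocks and random bits in the earlier ones.
    """
    rng = random.Random(seed)
    offs, _ = layout(rtype)
    return [[(j << off) | rng.randrange(1 << off) for j in range(r)]
            for r, off in zip(rtype, offs)]


def beta(R, blocks, rtype):
    """beta(R): sum (XOR) of the rows selected by the digits of R."""
    y = 0
    for block, d in zip(blocks, expand(R, rtype)):
        y ^= block[d]
    return y


def beta_inverse(y, blocks, rtype):
    """Recover R from beta(R) by peeling blocks from last to first."""
    offs, n = layout(rtype)
    if not 0 <= y < 1 << n:
        raise ValueError("element is outside F_2^n")
    digits = [0] * len(rtype)
    for i in reversed(range(len(rtype))):
        j = (y >> offs[i]) & (rtype[i] - 1)   # block i's bits give the row
        digits[i] = j
        y ^= blocks[i][j]                     # subtract that row
    return compose(digits, rtype)


def show(y, rtype):
    """Bit string, constant coefficient first, split by block as in the text."""
    offs, n = layout(rtype)
    s = "".join(str((y >> i) & 1) for i in range(n))
    return "|".join(s[a:b] for a, b in zip(offs, offs[1:] + [n]))


if __name__ == "__main__":
    for k, rtype in WORKED_TYPES.items():
        blocks = make_tame_signature(rtype, seed=k)
        y = beta(WORKED_R[k], blocks, rtype)
        print(k, expand(WORKED_R[k], rtype), show(y, rtype),
              beta_inverse(y, blocks, rtype))
```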
3 Security Parameters Analysis and Cost Estimation
Consider a brute force attack of key recovery. There are three possible schemes for such an attack.
Brute force attack on ciphertext. By selecting \(R = (R_{1} ,R_{2} ,...,R_{l} )\) try to decipher the text \(y^{\prime}_{1} = \alpha^{\prime}\left( {R^{\prime}} \right) \cdot m = \alpha^{\prime}_{1} \left( {R^{\prime}_{1} } \right) \cdot \alpha^{\prime}_{2} \left( {R^{\prime}_{2} } \right) \ldots \alpha^{\prime}_{l} \left( {R^{\prime}_{l} } \right) \cdot m\). The covers \(\alpha_{k} = \left( {a_{ij} } \right)_{k} = S\left( {a_{ij(k)}^{(1)} ,a_{ij(k)}^{(2)} ,...,a_{ij(k)}^{(l)} } \right)\) are selected randomly and the value is determined by multiplication in a group with no coordinate constraints. The resulting vector \(\alpha ^{\prime}\left( {R^{\prime}} \right)\) depends on all components \(\alpha_{i} ^{\prime}\left( {R_{i} ^{\prime}} \right)\). Enumeration of key values \(R = (R_{1} ,R_{2} ,...,R_{l} )\) has an estimation of complexity. For a practical attack, the message \(m\) is also unknown and has uncertainty to choose from \(q^{l}\). This makes a brute-force attack on a key infeasible. If we take an attack model with a known text, then the attack complexity still remains the same and equal to \(q^{l}\).
Brute force attack on the ciphertext \(y_{2}\). Select \(R = (R_{1} ,R_{2} ,...,R_{l} )\) to match \(y_{2}\). The vector \(y_{2}\) has the following definition over the components \(\alpha^{\prime}_{i} (R_{i} )\)
The values of the coordinates of \(y_{2}\) are defined by calculations over the vectors \(w^{\prime}_{1} \left( {R_{1} } \right),w^{\prime}_{2} \left( {R_{2} } \right),...,w^{\prime}_{l} \left( {R_{l} } \right)\). The keys \(R = (R_{1} ,R_{2} ,...,R_{l} )\) are bound, and a change in any of them leads to a change in \(y_{2}\). The brute force attack on key \(R\) has a complexity equal to \(q^{l}\).
Brute force attack on the ciphertext \(y_{3}\). Select \(R = (R_{1} ,R_{2} ,...,R_{l} )\) to match \(y_{3}\). The vector \(y_{3}\) has the following definition over the components \(\rho_{i} w_{i} ^{\prime}\left( {R_{i} } \right)\)
The values of the coordinates of \(y_{3}\) are defined by calculations over the vectors \(w_{1} ^{\prime}\left( {R_{1} } \right),w_{2} ^{\prime}\left( {R_{2} } \right),...,w_{l} ^{\prime}\left( {R_{l} } \right)\). The keys \(R_{1} ,R_{2} ,...,R_{l}\) are bound, and a change in any of them leads to a change in \(y_{3}\). The brute force attack on key \(R\) has a complexity equal to \(q^{l}\).
Brute force attack on the vectors \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) and \(\left( {\tau_{0(k)} ,\tau_{1(k)} , \ldots ,\tau_{s(k)} } \right)\). The brute force attack on \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) is general for MST cryptosystems, and for the calculation in the field \(F_{q}\) over the group center \(Z\left( G \right)\) it has an optimistic complexity estimation equal to \(q\). For the proposed algorithm all calculations are executed on the whole group \(\left| {A_{l} (n,\theta )} \right| = q^{l}\), and in such a case the complexity of the brute force attack on \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) and \(\left( {\tau_{0(k)} ,\tau_{1(k)} , \ldots ,\tau_{s(k)} } \right)\) will be equal to \(q^{l}\).
Attack on the Algorithm. The attack on the implementation algorithm of the MST cryptosystem based on the generalized Suzuki 2-group is multifaceted. Practical attacks look at the features of logarithmic signatures and random coverings known to a cryptanalyst. One solution is to use aperiodic logarithmic signatures. In the new cryptosystem with homomorphic encryption, random covers are a secret for the cryptanalyst. In this case, the known attacks based on the weakness of logarithmic signatures are impossible.
Let’s estimate the security and key parameters for the generalized Suzuki 2-group cryptosystem. We fix a generalized Suzuki 2-group \(A_{l} (n,\theta ) = \left\{ {S(a_{1} ,a_{2} , \ldots ,a_{l} )|a_{i} \in F_{q} } \right\}\), which is defined over the field \(F_{q}\), \(q = 2^{n}\). Then for an \(l\)-parametric group we achieve \(K = nl\) bit cryptography. The logarithmic signature array and random covers are known parameters that are used in encryption as follows
Also, we know random cover with homomorphic encryption
for \(k = \overline{1,l}\).
The number of vectors in arrays \(\alpha_{k}\), \(h_{(k)}\), \(g_{(k)}\) is defined by the type of logarithmic signature \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right)\) and equals \(N = \sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)}\)
Since arrays \(\alpha_{k}\), \(g_{(k)}\) are random and can be constructed by a deterministic random bit generator from some initial vector \(V\), we can define \(\alpha_{k}\), \(g_{(k)}\) over the vector \(V\). Let’s fix the length of the vector \(V\) to be equal to \(nl\) bits.
The size of the array \(g_{(k)}\) equals \(N_{g} = l\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)}\) n-bit words.
The secret parameters of the cryptosystem include vectors \(t\), \(\tau\), \(\rho\):
The number of vectors \(t_{i(k)}\), \(\tau_{i(k)}\) equals \(N_{t} = N_{\tau } = l\sum\limits_{k = 1}^{l} {s(k)}\) n-bit words.
The length of the vector \(\rho\) is equal to \(nl\) bits.
Obviously, \(N_{g}\), \(N_{t}\), \(N_{\tau }\) depend on the type \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right)\).
Let the secrecy of cryptographic transformations be determined by \(K\) bits.
Let’s define a type of \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right) = \left( {2, \ldots ,2} \right)\), then \(s(k) = n\) over the field \(F(2^{n} )\). We get the following values
\(N_{g} = nl\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)} = 2n^{2} l^{2} = 2K^{2}\) bit
\(N_{t} = N_{\tau } = nl\sum\limits_{k = 1}^{l} {s(k)} = n^{2} l^{2} = K^{2}\) bit
The length of vectors \(V\), \(\rho\) equals to \(N_{V} = N_{\rho } = nl = K\) bit. Let’s define a type of \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right) = \left( {2^{8} , \ldots ,2^{8} } \right)\), \(s(k) = n/8\) over field \(F(2^{n} )\). We achieve
\(N_{g} = nl\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)} = 2^{5} n^{2} l^{2} = 2^{5} K^{2}\) bit
\(N_{t} = N_{\tau } = nl\sum\limits_{k = 1}^{l} {s(k)} = n^{2} l^{2} /8 = 2^{ - 3} K^{2}\) bit
Estimated implementation costs are presented in the table below.
Memory costs for arrays of shared and secret parameters do not depend on the field \(F(2^{n} )\) and the number of parameters of the generalized Suzuki group. Selection of field \(F_{q}\) and parameters of the Suzuki group will define the speed of calculations on the group and depends on the software implementation (Table 10).
4 Conclusions
Generalized Suzuki 2-groups are multiparameter groups and may have an arbitrarily large order. MST cryptosystems based on generalized Suzuki 2-group have an advantage over other schemes implementations in secrecy and realization. We can build a highly secure cryptosystem with group computation in a small finite field. Applying homomorphic encryption to random coverings in a logarithmic signature provides protection against known attacks on logarithmic signature implementations. To build a cryptosystem, you can use secure logarithmic signatures of a simple design, which leads to low costs for the general parameters of the cryptosystem. The proposed cryptosystem with homomorphic encryption is a good candidate for post-quantum cryptography.
References
1. Wagner, N.R., Magyarik, M.R.: A public-key cryptosystem based on the word problem. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 19–36. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_3
2. Magliveras, S.S.: A cryptosystem from logarithmic signatures of finite groups. In: Proceedings of the 29th Midwest Symposium on Circuits and Systems, pp. 972–975. Elsevier Publishing, Amsterdam (1986)
3. Lempken, W., Magliveras, S.S., van Trung, T., Wei, W.: A public key cryptosystem based on non-abelian finite groups. J. Cryptol. 22, 62–74 (2009)
4. Magliveras, S.S., Svaba, P., van Trung, T., et al.: On the security of a realization of cryptosystem MST3. Tatra Mt. Math. Publ. 41, 1–13 (2008)
5. Svaba, P., van Trung, T.: Public key cryptosystem MST3 cryptanalysis and realization. J. Math. Cryptol. 4(3), 271–315 (2010)
6. van Trung, T.: Construction of strongly aperiodic logarithmic signatures. J. Math. Cryptol. 12(1), 23–35 (2018)
7. Khalimov, G., Kotukh, Y., Khalimova, S.: MST3 cryptosystem based on the automorphism group of the Hermitian function field. In: IEEE International Scientific-Practical Conference: Problems of Infocommunications Science and Technology, PIC S and T 2019 - Proceedings, pp. 865–868 (2019)
8. Khalimov, G., Kotukh, Y., Khalimova, S.: MST3 cryptosystem based on a generalized Suzuki 2 – Groups. CEUR Workshop Proc. 2711, 1–15 (2020)
9. Khalimov, G., Kotukh, Y., Khalimova, S.: Encryption scheme based on the automorphism group of the Ree function field. In: 2020 7th International Conference on Internet of Things: Systems, Management and Security, IOTSMS 2020, 9340192 (2020)
10. Hanaki, A.: A condition on lengths of conjugacy classes and character degrees. Osaka J. Math. 33, 207–216 (1996)
11. Svaba, P.: Covers and logarithmic signatures of finite groups in cryptography. Dissertation. https://bit.ly/2Ws2D24
Acknowledgements
This publication is based on work supported by a grant from the U.S. Civilian Research & Development Foundation (CRDF Global).
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2022 The Author(s)
Cite this paper
Khalimov, G. et al. (2022). Encryption Scheme Based on the Generalized Suzuki 2-groups and Homomorphic Encryption. In: Chang, SY., Bathen, L., Di Troia, F., Austin, T.H., Nelson, A.J. (eds) Silicon Valley Cybersecurity Conference. SVCC 2021. Communications in Computer and Information Science, vol 1536. Springer, Cham. https://doi.org/10.1007/978-3-030-96057-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-96056-8
Online ISBN: 978-3-030-96057-5