Preimage Selective Trapdoor Function: How to Repair an Easy Problem

Wang, Baocang

doi:https://doi.org/10.1155/2014/475678

Mathematical Problems in Engineering

On this page

Abstract Introduction Conclusions Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2014 | Article ID 475678 | https://doi.org/10.1155/2014/475678

Preimage Selective Trapdoor Function: How to Repair an Easy Problem

Baocang Wang¹

Academic Editor: Yi-Kuei Lin

Received23 Aug 2013

Accepted09 Mar 2014

Published27 Apr 2014

Abstract

Public key cryptosystems are constructed by embedding a trapdoor into a one-way function. So, the one-wayness and the trapdoorness are vital to public key cryptography. In this paper, we propose a novel public key cryptographic primitive called preimage selective trapdoor function. This scenario allows to use exponentially many preimage to hide a plaintext even if the underlying function is not one-way. The compact knapsack problem is used to construct a probabilistic public key cryptosystem, the underlying encryption function of which is proven to be preimage selective trapdoor one-way functions under some linearization attack models. The constructive method can guarantee the noninjectivity of the underlying encryption function and the unique decipherability for ciphertexts simultaneously. It is heuristically argued that the security of the proposal cannot be compromised by a polynomial-time adversary even if the compact knapsack is easy to solve. We failed to provide any provable security results about the proposal; however, heuristic illustrations show that the proposal is secure against some known attacks including brute force attacks, linearization attacks, and key-recovery attacks. The proposal turns out to have acceptable key sizes and performs efficiently and hence is practical.

1. Introduction

1.1. Background

Public key cryptosystem (PKC) is an important cryptographic primitive in the area of network and information security. The basic idea to construct a PKC is to embed a trapdoor into a mathematically intractable problem. The trapdoor helps the trapdoor holder reverse the underlying one-way function. However, without the trapdoor, one should attack a presumed intractable problem in order to reconstruct the plaintext corresponding to a given ciphertext. So the existence of mathematically hard problems is vital in public key cryptography. This explains why we say bad news in computational complexity is good news for cryptography.

In the cryptographic community, a PKC is always considered as synonymous with the so-called trapdoor one-way function. Bellare et al.’s observation [1] provides a better understanding of the two concepts. On one hand, a probabilistic public key encryption does not necessarily imply a trapdoor one-way function. For example, the underlying encryption function of ElGamal [2] is not one-way in that the auxiliary key randomly chosen by the encrypter cannot be recovered knowing the trapdoor satisfying . On the other hand, in some cases, noninjective trapdoor one-way functions cannot be used to construct PKCs because a PKC is required to recover a unique plaintext from any valid ciphertext. So the encryption function underlying a PKC should be injective. Bellare et al. showed that any one-way function implies a highly noninjective trapdoor one-way function. However, the authors derived no PKCs from their universal constructions. They only showed that if the image of a trapdoor one-way function has polynomially bounded number of preimages, the trapdoor one-way function can be used to derive a PKC.

In this paper, we propose a probabilistic public key encryption algorithm from a highly noninjective one-way function. We think that our construction not only enriches the cryptographic basket and deepens our insights into public key cryptographic designs but also provides weaker cryptographic assumptions. Our confidence in the hardness of noninjective one-way functions rests on the proven fact that it is not easier to reverse a given one-way function equipped with an additional noninjectivity property than an injective one-way function [3]. More importantly, what we observed in this paper is that it remains possible to develop a secure PKC by fully exploiting the noninjectivity property of functions even if these functions turn out to be not one-way.

1.2. Our Contribution

In this paper, we firstly formalize a novel public key cryptographic scenario called preimage selective trapdoor one-way function (PSTOF, for short) and then use the compact knapsack problem to realize such a scenario.

1.2.1. Preimage Selective Trapdoor One-Way Function (See Figure 1)

A PSTOF is in fact a noninjective public key encryption function. When encrypting a message in the message space , the encrypter firstly encodes the message into a plaintext in the plaintext space and then derives a ciphertext in the ciphertext space . When decrypting a ciphertext , the decrypter utilizes the trapdoor to decrypt a valid ciphertext into a unique plaintext and then uniquely decodes into a message .

The scenario allows us to base the security of a PKC on the high noninjectivity rather than the one-wayness of a function (an intractable problem). In this scenario, is a subset of the equivalent plaintext space , and the ciphertext space . For any valid ciphertext , will have many preimages in , which are called equivalent ciphertexts in that all of them can be mapped into under the function , and a unique preimage (the plaintext) with respect to the function , which is a valid plaintext and hence can be further decoded into a meaningful message. The message encoding function simulates the process of randomly selecting a subset as the plaintext space from the whole preimage domain , from which the name PSTOF comes. In other words, the message encoding function imposes some restrictions on the preimage set to get a subset with a predesignated special structure as the plaintext space . The equivalent plaintexts in are used to hide a (valid) plaintext in . If is preassumed one-way, any polynomial-time adversary cannot obtain a preimage in given a ; let alone the unique preimage (the plaintext) . If the underlying function is not one-way and when a has exponentially many preimages in , the corresponding plaintext in is hidden by these exponentially many preimages. A polynomial-time adversary only obtains polynomially many preimages, which can be seen as randomly output from all the exponentially many preimages and hence include the target plaintext with a negligible probability.

1.2.2. Probabilistic Compact Knapsack PKC

By using the concept of PSTOF and from the compact knapsack problem, a probabilistic public key encryption scheme is designed. An easy compact knapsack-type problem is defined, and an algorithm called Onion Algorithm is developed to peel off the solutions to the easy problem. The easy problem is used to construct a probabilistic PKC. The main results are that the trapdoor one-way function underlying the proposal is PSTOFs under different linear attack models (See Theorems 25, 26, and 30), and the images of the PSTOFs have exponentially many preimages (see Table 3). Some design tricks are adopted to make the PKC immune from some known key-recovery attacks such as GCD attack [4, 5], Diophantine approximation attack [6, 7], and orthogonal lattice attack [8, 9].

1.3. Organization

The rest of the paper is organized as follows. In Section 2, we formalize the definition of PSTOF and use the cryptographic scenario to explain some known PKCs. Section 3 provides a concrete probabilistic public key encryption scheme to realize the PSTOF. Sections 4 and 5 discuss the performance and security related issues, respectively. Section 6 gives some concluding remarks.

2. Preimage Selective Trapdoor One-Way Function

2.1. Symbols and Notations

The notations listed at the end of the paper will be used throughout the paper.

2.2. Message Encoding Function

When encrypting a message using a PKC, we need to firstly encode a binary string message into a plaintext (an element in the algebraic structure underlying the PKC) in order that the PKC can deal with the message. However, sometimes, it is not necessary to explicitly specify the encoding algorithm. For example, it is more convenient to just look a message as a binary integer in than to develop an algorithm to transform a message into an element in in case of RSA [10]. Formally, we define a message encoding function as follows.

Definition 1. A function with is called a message encoding function if it satisfies the following conditions.(1)The function is injective.(2)It can be efficiently performed to compute for a given , and for a given .

2.3. Preimage Selective Trapdoor One-Way Function

The PSTOF is formalized as follows.

Definition 2. A function is called a PSTOF if it satisfies the following conditions. (1)For an arbitrary , it is easy to compute .(2) is noninjective.(3)Given any , there exists at most an such that .(4)Given any and the trapdoor, there is a polynomial-time algorithm to output a unique with or the invalid ciphertext symbol .(5)Given any and without knowing the trapdoor, anyone cannot efficiently compute a preimage such that .

Remark 3. The third and the forth conditions in Definition 2 guarantee that when viewed as a public key encryption function, the PSTOF is inverted according to the knowledge of the trapdoor to derive a unique preimage (the plaintext) in , and both conditions in Definition 1 mean that the plaintext can be uniquely decoded into the original message. If we remove the last requirement in Definition 2, we just call a preimage selective trapdoor (not non-way) function.

Definition 4. The preimage density of a noninjective function is defined as the ratio of the cardinality of the preimage set to that of the image set : On average, a ciphertext will have preimages in .

Remark 5. When is exponentially large, we can use the high noninjectivity of the underlying function to hide a plaintext. On average, for a valid ciphertext for a plaintext , will have exponentially many preimages in . So a polynomial-time adversary only can obtain polynomially many preimages in of , which contains the targeted unique valid plaintext with a negligible probability . One may doubt that the function is indeed a trapdoor one-way function mapping from to . So if one breaks the one-wayness of , he also recovers the unique such that . However, if the plaintext space can be seen as randomly chosen from the whole equivalent plaintext space , the adversary cannot use the special structure of to develop an efficient algorithm for reversing the function . We will explain this point later on by using an example.

2.4. Examples

2.4.1. High-Density Knapsack PKCs

To illustrate the aforementioned definitions, we consider high-density 0-1 knapsack (subset sum) PKCs Chor-Rivest [11] and Okamoto-Tanaka-Uchiyama [12]. In both cryptosystems, a bit-string message is encoded into an -dimensional 0-1 plaintext vector with a fixed Hamming weight (the so-called predesignated special plaintext structure) by using the source encoding algorithm (message encoding function) [13]: Let the public key . The underlying PSTOF is ; that is, for , The density of both PKCs defined as can be made sufficiently high (>1), in which case asymptotically (3) will have more than one (i.e., ) binary solution [14]:

The illustrations say that when , a valid ciphertext will have exponentially many preimages in and a unique preimage in . In other words, the plaintext is hidden by exponentially many preimages. Even if a polynomial-time adversary conquers the one-wayness of the underlying subset sum problem and hence the underlying encryption function is only a preimage selective trapdoor (not one-way) function; the adversary just obtains polynomially many preimages to (3) which contain the plaintext with a negligible probability. High-density subset sum PKCs can base their security on the noninjectivity of the underlying function, which is a weaker intractability assumption.

Remark 6. There exist two ways to break Chor-Rivest [11] and the Okamoto-Tanaka-Uchiyama [12] cryptosystems: recovering the secret key [15] and solving the underlying knapsack problem. Some work still was done to make Chor-Rivest immune from key-recovery attacks [16–18]. However, some known cryptanalytic algorithms [14, 19–21] only can solve the preimages but not necessarily the unique plaintext . So in the adversary’s point of view, the underlying problem remains the knapsack problem. This explains why we say in Remark 5 that the adversary cannot use the special structure of to efficiently reverse the function .

2.4.2. Rabin Cryptosystem

We also can view Rabin cryptosystem [22] as a PSTOF. For convenience of discussions, we just set Rabin encryption function as with being the product of two primes, and . So, the ciphertext space consists of the quadratic residues modulo ; that is, . In order to uniquely recover a plaintext, we need to embed some redundant information in . The redundant information forms the special structure of . The PSTOF underlying Rabin cryptosystem is ; for , . We note that each of the quadratic residues modulo has four roots, from which we use the redundant information to pick out the exact plaintext. Hence, the noninjectivity of the PSTOF for Rabin is given as

3. The Proposed Probabilistic Public Key Encryption Scheme

3.1. Knapsack Problems

Definition 7 (knapsack problem). Given a positive integral vector and an integer , the knapsack or subset sum problem is to find a binary vector such that . A knapsack problem is denoted as . The density of the knapsack problem is defined as .

The density of a compact knapsack problem imposes an important effect on the hardness of the problem. It was shown that if the density , the knapsack problem can be solved with an overwhelming probability [23, 24].

Definition 8 (compact knapsack problem). Given a positive integral vector , an integer , and an integer , the compact or general knapsack problem is to find a vector with such that . A compact knapsack problem is denoted as . The density of a compact knapsack problem is defined as .
If the density of a compact knapsack problem is , it was shown that the compact knapsack problem can almost always be efficiently solved with lattice reduction algorithms [25]. In this paper, we consider the compact knapsack problem with .

3.2. The Proposed Message Encoding Function

The message space consists of blocks with each block 3 bit long; namely, . For a message , we firstly define a message encoding function that maps the message into a vector in under an auxiliary key , which is randomly chosen by the encrypter. We define for as

Remark 9. We note that 97 is a prime and 5 is a primitive root modulo 97, so the function forms a permutation when runs through and hence permutates when and run through and , respectively. We denote It is easy to verify that forms a partition of . So we can deduce that if , , and are uniformly distributed over , and , respectively, is uniformly distributed over . This means that the generating of each can simulate the process of randomly choosing an integer from , which allows the predesignated special structure of defined in (9) as random as possible.

The message encoding function is defined as : where the plaintext space is In the rest of the paper, we also define the equivalent plaintext space including the plaintext space .

Remark 10. Another fact about is for and because . Hence, we have that if , .

Remark 11. Now we remark on how to encode a message and decode a plaintext with respect to . We can construct tables similar to truth-value tables to show the functions . By observing (10), we see that the tables have a periodic structure with period 12. That is to say those sharing a common residue modulo 12 have a same table. So only 12 tables suffice to list the values of . See Table 1. Here, we spend some more words on the message encoding function and Table 1. At present, we only consider the preceding three columns of the 12 subtables in Table 1, which list the values of , , and the corresponding , respectively. To encode a message and given a randomly chosen auxiliary key , for , we determine the one by one by looking up the subtable indexed by in Table 1 denoted as Sub-T. When (or 1, resp.), we only search the 8 rows covered by (or 1, resp.) in Sub-T, and output the integer in the column marked by that lies in the same row with as the value of . For example, to encode under the control of , by looking up Sub-T, we determine . Similarly, we get , , . So, we encode as . On the contrary, we can decode a plaintext by looking up the table. For example, . We search the third column of Sub-T for which lies in the same line with , so . Similarly, we get , , . Hence, .

3.3. Onion Algorithm

3.3.1. Indistinguishability and Associated Integer Pairs

Given an integer pair and , we define and the set . In fact, we can look as a transformation on . If the two cardinalities are identical, , the transformation forms a bijection.

Definition 12. Given an integer pair , if , we call to be distinguishable modulo , or is an associated integer pair with .

Example 13. Decide whether is distinguishable modulo and or not, respectively. We note that contains the integers listed in the third column of Sub-T. Calculations show that . The 16 values in are listed in the forth column of Sub-T₁. So, is distinguishable modulo . However, in that 4 and 42 modulo produce a same integer pair , and 24 and 138 modulo produce a same integer pair . So is not distinguishable modulo .

Remark 14. When is distinguishable modulo , there is a bijection between the integers in and the integer pairs in . For example, the third and the forth columns of Sub-T₁ listed the integers in and the integer pairs in . For example, if we know an integer satisfies , we search the forth column generated by for in Sub- T₁ and find that lies in the same line with , so .

Remark 15. From Remark 10, we have that, for congruent indices ’s modulo , we get a same set . For each , we give two integer pairs and associated with , and the corresponding integer pairs modulo and , respectively, in the forth and fifth column of Sub-T. We denote the set consisting of the two integer pairs and as AIP. For example, AIP=AIP . In Table 2, we list all the 12 sets of AIP.

Remark 16. Note that is distinguishable modulo if and only if is distinguishable modulo . For example, also contains integer pairs associated with . If we know that an integer satisfies , we also can determine the value of by searching the forth column generated by in Sub-T for , and we find a unique with . So the unique integer is such that .

3.3.2. Simultaneous Diophantine Equation

Now, we consider a simultaneous Diophantine equation problem as follows; given integers and and positive integer sequences and , find defined in (9) such that It is pointed out that if and , for some constants and subject to , will have exponentially many preimages in satisfying (11); namely, which is . What we mean is that if we require and , (11) will be a many-to-one function. In the subsequent contents, we will define a condition such that (11) will have at most one solution in (to guarantee the unique decipherability for ciphertexts) and propose an algorithm to solve (11). Besides, some transformations will be introduced in the construction of the proposed PKC to derive a compact knapsack problem equipped with noninjectivity, a trapdoor, and one-wayness natures.

3.3.3. An Easy Problem and the Algorithm Solving It

For some special and , we can efficiently determine in (11) as stated in the following lemma.

Lemma 17. Assuming that (11) has solutions in , , and , then can be efficiently and uniquely determined.

Proof. We first note that and , for , so the two equations in (11) modulo and , respectively, give and . Observing that , we can invert and similarly : If , we determine the unique corresponding value according to Remark 14. If , we use the method given in Remark 16 to determine the unique .

The above lemma says that for some special and , we can determine the solution to (11) one by one as if we peel off an onion, so the name Onion Algorithm comes.

Theorem 18. Assuming that (11) has solutions in : and that, for , the solution to (11) can be efficiently and uniquely determined.

Proof. From Lemma 17, can be efficiently and uniquely determined.
For , assuming that have been uniquely determined, we know that We note that for , so divides the right side and hence the left side of (16). We set A similar analysis also applies to the second equation of (11), so we set to obtain If we view (18) as a new simultaneous Diophantine equation problem with integer sequences and , what follows shows that the new problem satisfies the conditions in Lemma 17.
Firstly, (11) has solutions, and have been uniquely determined, so (18) must have solutions.
Secondly, recalling the meaning of , we claim that these entries divided by their gcd must be relatively prime:
Thirdly, From (15) and the previous two proven things, we know that (18) indeed satisfies the conditions in Lemma 17. So we can efficiently determine a unique .
Finally, once have been uniquely determined, it is a trivial thing to determine a unique just by computing Both values on the right side of the above equation must be not only identical but also in because (11) has solutions in and have been uniquely determined.

Given the problem (11), satisfying the conditions presented in Theorem 18, the Onion Algorithm for solving (11) is summarized as shown in Algorithm 1.

(1) Compute according to (13).
(2) if then
(3) Search for in Sub- generated by
to get such that
. Store .
(4) end if
(5) if then
(6) Search for in Sub- generated by
to get such that
. Store .
(7) end if
(8) for do
(9) Compute (18) and
(*)
(10) if then
(11) Search the column in Sub- generated
by modulo
for such that
. Store
.
(12) end if
(13) if then
(14) Search the column in Sub- generated
by modulo
for such that
. Store
.
(15) end if
(16) end for
(17) Compute and store .
(18) return .

Now we use a toy example to illustrate what we discuss in this subsection about the Onion Algorithm.

Example 19. Assume that the following equations have solutions in ; find the solution to + + , + + . We can verify that , , , and , so (14) and (15) are satisfied. Hence, we use the Onion Algorithm to compute . We look up Sub-T₃ and find that . So . We compute , . Then we compute . We search Sub-T₂ for and find that . So we determine . Finally, we get . Thus, a unique is determined.

3.4. The Proposed Probabilistic Public Key Encryption

In this subsection, we use the results obtained in previous subsections to derive a probabilistic public key encryption.

3.4.1. Key Generation

Randomly choose two sequences and , satisfying conditions (14) and (15) given in Theorem 18, and a two-dimensional invertible square matrix with positive integer entries upper bounded by a constant, Compute Randomly choose two primes such that Let . Compute the vector using the Chinese remainder theorem, Randomly choose an integer and compute The public key is . The secret key consists of , , and , . When decrypting a ciphertext, the decrypter also needs to store the values of , , , and Table 1.

3.4.2. Encryption

To encrypt a message , the encrypter randomly chooses an auxiliary key and computes the plaintext and the ciphertext using the public key ,

3.4.3. Decryption

To decipher a ciphertext , the decrypter firstly computes , and then , . Secondly, the decrypter computes Thirdly, the decrypter uses the Onion Algorithm to determine a unique solution to (11). Finally, the decrypter decodes into the corresponding message by using the method illustrated in Remark 11.

3.4.4. Why Decryption Works

To illustrate why the decryption works, we observe that from (26), so and according to (25). From (23), we know that , so from (24). Now we conclude that and similarly . Hence, we have from which (11) is derived. It is easy to verify that (11) satisfies the conditions listed in Theorem 18, and hence can be efficiently solved with Onion Algorithm to give a unique solution . Then is decoded into the original message .

3.4.5. On Generating and

Now, we give an algorithm to generate the -dimensional positive integer sequences and satisfying conditions (14) and (15) in Theorem 18.

Theorem 20. The generated and satisfy (14) and (15).

Proof. We note that, for , Similarly, . We immediately have . Thus, (14) is satisfied. For , we have so (15) is satisfied, as desired.

Now we use an example to illustrate Algorithm 2.

(1) For , randomly choose
with repetition permitted.
(2) Randomly choose numbers and
and set such that
for , and
for .
(3) for do
(4) , . (★)
(5) end for
(6) return , .

Example 21. We randomly choose , and , , , , and set , so we can compute , , , and , , , which are the coefficients in Example 19.

3.4.6. Remarks and Suggested Security Parameters

The suggested parameters are listed in Table 3.

We provide some remarks on the proposed PKC as follows.

Remark 22. We can choose a 2-dimensional square matrix with determinant equal to because the inverse can be easily represented when .

Remark 23. We should choose and slightly greater than and , respectively. See (24). So for convenience of discussions, we always assume that

Remark 24. In Algorithm 2, we suggest choosing and with some special lengths in order that the generated ’s (’s, resp.) share an almost same binary length; that is, So, for , we have For convenience of discussions, we also assume that and have an almost same binary length, so from (34), we have

4. Performance

This section analyzes the performance related issues, such as the computational complexity of the encryption and decryption algorithms, the public key size and the information rate.

4.1. Estimation of Public Key Size

We first point out two facts. Firstly, when generating and by using Algorithm 2, for , we randomly choose in the first step. We also set . So from Table 2, we see that , for . Secondly, .

From (23), we rewrite and as and with , and from (35), we have .

We recall that the public key consists of integers , and the length of each of them is upper bounded by that of , so from (32) we have So the public key size is estimated via which is upper bounded by .

4.2. Computational Complexity

We analyze the computational costs for encrypting a message and decrypting a ciphertext. Given and , we only need bit operations to compute . To encrypt , the encrypter only needs to perform multiplications with the multipliers bounded by and , and additions. So bit operations suffice to do the computations in (27). The computational complexity for the encryption algorithm is given as .

The decrypter first performs a modular multiplication , and two modular reductions , , which cost bit operations in total. To solve (11) for each and hence , the decrypter computes to determine with the moduli , . So it will take bit operations to compute each . The look-up operation on Sub-T for and only costs bit operations. So the decrypter only needs bit operations to use the Onion Algorithm to solve (11) for and . The computational complexity of the decryption algorithm is also .

4.3. Information Rate

The information rate of a cryptosystem is defined as the ratio of the binary length of the message to that of the cipher-text. In the proposed cryptosystem, the information rate is We need to evaluate the binary length of . Note that If we rewrite (36) as we obtain So the information rate is evaluated by which is asymptotically .

The public key sizes and information rates for the suggested security parameters are listed in Table 3, from which we see that the public key size is about dozens of a 1024-RSA modulus. The public key size is acceptable.

5. Security Analysis

The adversary has two methods to attack the proposed cryptosystem: solve the cracking problem [26], that is, breaking the one-wayness of the underlying encryption function without knowing the trapdoor, and solve the trapdoor problem, that is, reversing the basic mathematical construction of the trapdoor in a PKC. Efficient algorithms for the latter also help to efficiently solve the former. In this section, we first analyze the hardness of the cracking problem by investigating the underlying PSTOFs under some attack models, and then examine the intractability for key-recovery attacks.

5.1. Brute Force Attack

5.1.1. Brute Force Attack I

One straightforward way to attack the system is to solve (27) for by exhausting all the with . But note that , so the brute force attack will take on the order of steps. The computational costs under brute force attack I (BFA I for short) given in Table 3 are measured in bit operations with respect to the suggested parameters.

5.1.2. Brute Force Attack II

A better method is to compute and sort each of the sets and then scan and , looking for a common element. If a common element is found, then . The entire procedure takes steps [27]. See Table 3 for the computational costs under brute force attack II (BFA II for short) with respect to the suggested parameters.

5.2. Linearization Attack

In this subsection, we assume that the adversary aims at recovering the corresponding plaintext (and hence the message) by reversing the underlying encryption function without learning the trapdoor information. When a concrete attack model is concerned, we firstly formalize and then prove the underlying PSTOF.

5.2.1. Linearization Attack I

Encryption function (27) of the proposed PKC is a linear function mapping an element in into an integer in the ciphertext space . Now we define

Theorem 25. If the compact knapsack is intractable, is a PSTOF.

Proof. It is easy to verify that the five conditions except the second one in Definition 2 are satisfied; (45) below guarantees the noninjectivity of function . So is indeed a PSTOF underlying the proposed PKC under the compact knapsack intractability assumption.

The distinction between the two functions (27) and (44) is that the preimage sets are different. Given a ciphertext , will have a unique preimage in , namely, the corresponding plaintext, while will have many preimages in the equivalent plaintext space .

We have pointed out in Remark 9 that the message encoding function can simulate the process of randomly choosing an element from . That is to say, if one can obtain a preimage of with respect to , the preimage is a randomly output preimage from all the preimages in and not necessarily the plaintext .

Now, we explain why we say we can further weaken the underlying cryptographic hardness assumption. If we assume that the compact knapsack problem is easy; that is, is not one-way, the proposed cryptosystem seems still secure. Under the assumption, there exists an oracle for the compact knapsack problem . We note that each time the adversary can obtain a (at most polynomially many) preimage of by accessing the oracle . However, we will show that has exponentially many (denoted as ) preimages, over which the plaintext seems uniformly distributed. So we can heuristically argue that the adversary only obtains polynomially many preimages by performing polynomially many accesses to the oracle , and hence those preimages contain the target plaintext with a negligible probability . Thus, we can conceive as a preimage selective trapdoor (not one-way) function assuming that the underlying compact knapsack problem is easy. In fact, under the assumption, the security of the proposed PKC is based on the assumption that it is computationally infeasible to recover a solution to a highly noninjective compact knapsack problem with a predesignated special structure (i.e., the structure of ).

To illustrate, we need to show that a ciphertext has exponentially many preimages with respect to . We use the preimage density given in Definition 4 to roughly evaluate the number of preimages for a ciphertext. To begin with, we need to estimate the cardinalities for the image set (ciphertext space ) and the preimage set (i.e., the equivalent space ). It is obvious that . We note (41) and , so we have and hence the preimage density is where . See Table 3 for the manipulations of for the suggested security parameters.

5.2.2. Linearization Attack II

Now, we consider an attack transforming (27) into a standard 0-1 knapsack problem. The adversary can combine all of these 16 values in denoted as with each entry in to derive a new integer sequence such that with , . Under the linearization attack model, we define the following function: where . We set

Theorem 26. If the knapsack problem is intractable, is a PSTOF.

Proof. To verify and in Definition 2, we consider a mapping as follows. Given an arbitrary , we must have that for , there should exist a unique such that with . Now we define with when and otherwise. So we must have for , , and . So . Furthermore, any must have a preimage with . We further note that and can argue that is a bijection from to . By observing we know that is a solution to (27) if and only if is a solution to (46). So and in Definition 2 are satisfied.
To show the noninjectivity of (46), we first note that the image set is and that The last symbol in (49) is due to (40). Hence, we have . So we compute the preimage density via where . See Table 3 for the manipulations of for the suggested security parameters. Thus, is indeed a PSTOF.

The computational infeasibility for the linearization attack is supported by either of the following arguments.

Remark 27 (noninjectivity-based security argument). If we assume that the adversary can solve the knapsack problem , then is a preimage selective trapdoor function. A given ciphertext will have exponentially many binary solutions. So a polynomial-time adversary only obtains polynomially many preimages including the target solution in with a negligible probability .

Remark 28 (density-based security argument). It is known that knapsack problems achieving a density smaller than 0.9408 are solvable with an overwhelming probability by accessing an oracle for the shortest vector problem over lattices [23, 24]. We show that the underlying knapsack problem (46) obtain a sufficiently large density. Note that Observing (40), we have that approaches when approaches infinity.

Remark 29 (dimension-based security argument). In real life practice, we use known efficient lattice reduction algorithms to simulate a shortest vector oracle in low-dimensional lattice. However, when the dimension is sufficiently large, say larger than 500, known lattice reduction algorithms fail to output a relatively short lattice vector. Under the suggested parameters, knapsack problem (46) achieves sufficiently large dimensions , 1440, 1920, respectively.

5.2.3. Linearization Attack III

Now we consider another linear attack III, which also transforms the problem (27) into a knapsack problem. We note that , so bits are needed to represent each . For , we define with and obtain an -dimensional integer sequence . Now we provide the following function: where . We set

Theorem 30. If the knapsack problem is intractable, is a PSTOF.

Proof. It is easy to verify that and in Definition 2 are satisfied. In fact, any element stands for a binary representation of an element , and in turn, the binary representation of any element falls into the set . So if we define a mapping from to , , is a bijection. Furthermore, we note that So is a solution to (52) if and only if is a solution to (27). So conditions and in Definition 2 are satisfied. To show the noninjectivity of , we first evaluate the cardinalities of and . It is obvious that . To estimate , we first note that So the preimage density of can be estimated via where . See Table 3 for the values of under the suggested security parameters. Thus, condition in Definition 2 is satisfied, so is indeed a PSTOF.

Remark 31 (noninjectivity-based security argument). If one conquers the knapsack problem , then is a pre-image selective trapdoor function. A ciphertext will have exponentially many binary solutions. So a polynomial-time adversary only obtains polynomially many preimages which include the solution in with a negligible probability .

Remark 32 (density and dimension based arguments). The density to (52) is estimated via which is when approaches infinity. The knapsack problem (52) has sufficiently large dimensions , 540, and 960 for the suggested parameters.

5.3. Key-Recovery Attacks

When we discuss the cracking problem, we only study the computational infeasibilities for the adversary to solve (27) without considering the structure of the public integer sequence . To claim the security of the proposed PKC, we need to examine whether the trapdoor is easy to discover or not. So we need to examine the security of the proposed PKC against known attacks.

The public integer sequence distinguishes with a randomly chosen positive integer sequence in two respects, that is, the special structures defined in (14) and (15) and the size conditions given in (24). We discuss the effects of these conditions on the security.

5.3.1. GCD Attack

The GCD attack in [4] was used to successfully attack the knapsack-based probabilistic public key encryption [28]. The attack illustrates that if the entries of assume a linear combinatorial relation with small integer combinatorial coefficients, we can recover the secret modulus by computing the greatest common divisor for a set of numbers. This point will be explored later on, or the readers can refer to [4] for more details. We first note that if the modulus is known, under the suggested parameters, , 90, and 120, the binary length of is upper bounded by 355, 523, 690, respectively. See (36). It is not intractable to factor the moduli by using the fastest factorization algorithm [29]. Hence, one can factor into its prime products. Once and have been obtained, the adversary can do the modular reductions, and . If we denote the modular reductions of modulo and as and , from (25) and (26), we know and and then exhaust the matrix to reverse the process of (23) as where for convenience, we just set . So we have We note that , for , and are publicly computable once and have been obtained, and and can be efficiently exhausted (and hence we can assume that they are all known). So, for , we have with integer unknowns , , (, resp.) being the incomplete quotient of (, resp.) divided by (, resp.), and and are the quotients of and divided by and , respectively. So we have , , , and . We can use an efficient heuristic algorithm for solving a system of linear Diophantine equations with lower and upper bounds on the variables given in [30] (see also Section 3 of [4] for a simplified description) to determine these unknowns, and eventually the full secret keys. So we caution that in implementation, we must keep the modulus secret. However, we will show that the GCD attack is useless to derive modulus .

The condition for the GCD attack to succeed in finding modulus is that we can construct some linear relations using the entries of the public sequence . To illustrate, we recall (26) and argue that there must exist integers such that . We assume that the entries of share some linear combinatorial relations with small coefficients, say , , where by saying small coefficients we mean we can efficiently do exhaustive search for these ’s. So we conclude that and and hence can expect . We must admit that the entries of (and ) do share a linear combinatorial relation; for example, from (★) we derive . However, we should bear in mind that is fully scrambled by (23) and (25) especially through the confusion role of the Chinese remainder theorem in (25). So it is unlikely for the adversary to derive modulus by launching a GCD-like attack on the proposal.

5.3.2. Simultaneous Diophantine Approximation Attack

After Shamir broke the basic Merkle-Hellman knapsack cryptosystem [31, 32], cryptanalysts began to investigate the security of the multiply iterated Merkle-Hellman cryptosystem. Lagarias observed that the size conditions and the modular transformation in the multiply iterated Merkle-Hellman cryptosystem help him construct a simultaneous Diophantine approximation problem [7]. Lagarias showed that he can successfully launch a key-recovery attack on the doubly iterated Merkle-Hellman cryptosystem through his simultaneous Diophantine approximation approach.

Many knapsack-type cryptosystems use size conditions to disguise an easy knapsack problem. In such a cryptosystem, the designer randomly generates an easy knapsack problem, , and chooses a modulus and a multiplier , . He uses the size condition to disguise the easy knapsack sequence as a seemingly hard knapsack sequence by a modular multiplication, . The size condition and the public sequence can be utilized to derive a simultaneous Diophantine approximation problem, namely, the problem to find a set of rational numbers sharing a common and relatively small denominator to simultaneously approximate a given set of real numbers. By launching the simultaneous Diophantine approximation attack, the adversary can obtain some useful information about . See [6, 7] for more details about the relation between the simultaneous Diophantine approximation problem and knapsack public key cryptanalytics.

The trapdoor of the proposed system is disguised using the Chinese remainder theorem, which involves no size conditions. Hence, the adversary cannot expect finding some information about the trapdoor by launching a simultaneous Diophantine approximation attack. However, the reader may doubt that the size condition has been used in (24). We should observe that if the adversary wants to launch a simultaneous Diophantine approximation attack, he must peel off the outmost shuffle in (25) and (26). This seems intractable in that the adversary does not know the primes and .

5.3.3. Orthogonal Lattice Attack

To examine the security, we must consider the orthogonal lattice attacks introduced by Nguyen and Stern [8, 9], which were used to successfully though heuristically recover the secret keys of two PKCs [33, 34]. We first illustrate why the orthogonal lattice attack can be used to reconstruct the secret key of the PKC in [34], and then show why our proposal is immune from the orthogonal lattice attack.

In the PKC [34], the security parameter is suggested, a modulus with and being primes of lengths, respectively, and is chosen, and the secret sequence (typically ) with each entry (typically ) is generated so that the public sequence can be computed via a modular multiplication for a randomly chosen . The core for the orthogonal lattice attack to recover the secret key of [34] is to choose entries from and then obtain sufficiently many small and linearly independent solutions to . Given a solution , we must have , where . So , which means that is orthogonal to , or with . In the second case, from Cauchy-Schwarz inequality, we have when concrete parameters are concerned, which implies that either is orthogonal to or the norm of is quite large. From the observations, the authors of [9] conjectured that among the reduced basis of the -dimensional lattice consisting of the integer solutions to , the first basis vectors are orthogonal to , namely, Assumption 4 of [9]. By noting that belongs to the two-dimensional orthogonal lattice consisting of all -dimensional integer vectors orthogonal to the lattice vectors in and that is a very small value, they provide another assumption conjecturing that is a shortest vector in , namely, Assumption 5 of [9]. So given , we can expect to find the reduced basis and the shortest vector by using lattice reduction algorithms.

In the proposed cryptosystem, we generate according to (24), so we can assume that . Equation (61) turns out to be Under the suggested parameters , 90, 120, is at most 15 bits long, so the assumption will be too strong to be satisfied that the first basis vectors have norms less than and hence are orthogonal to . Furthermore, in [34], we can argue that is a very small value; however, we just obtain in the proposed cryptosystem and hence cannot assume that is a shortest vector in .

To summarize, we can conjecture that the requirement of in [34] makes both to find linearly independent short vectors and to accept the shortest vector in as the target vector possible, while in the proposed cryptosystem is only somewhat larger than those , from which we cannot formalize Assumptions 4 and 5 provided in [9]. Hence, the proposed cryptosystem is invulnerable to the orthogonal lattice attack.

Remark 33. Now we explain why we introduce the matrix when generating the public keys. If is the two-dimensional identity matrix , , we can distil a relatively large common divisor (see (★)) from the preceding entries of . Thus, if we define with being sharply reduced, then we can recover by the orthogonal lattice attack and eventually by firstly exhausting the value of and then combining and to derive . However, after the transformation of (23), we cannot expect to extract a large greatest common divisor for the entries of . We suggest choosing with determinant being in Remark 22, in which case we can make sure that . If the two gcd’s are greater than 1, say , then and hence , which may compromise the security.

6. Conclusions

In this paper, we defined a public key cryptographic scenario PSTOF and used the knapsack problem to exemplify how to further weaken the cryptographic assumptions used in public key cryptography. Extensive security scrutiny is made on the proposed probabilistic encryption scheme; however, some security drawbacks may still exist in the proposal. If some cryptanalysts announced that the proposed cryptosystem is breakable, we would not be surprised in that some cleverer and efficient cryptanalytic method may be developed. But we are confident that the proposal can be broken only by successfully launching a key-recovery attack. We think that if someone invents a PSTOF with a hard-to-discover trapdoor by fully exploring the noninjectivity property of the underlying one-way function, it can be used to provide a higher level of security. We hope that some more elegant methods can be developed in the cryptographic literature to provide more practical and secure realizations of the concept of PSTOF. Some more cryptanalytic discussions are needed to obtain all-sided and in-depth security analysis of the proposal, which belongs to our future work.

Notations

:	Ring of integers
:	Set of positive integers
:	The least nonnegative complete residue system modulo ,
:	Euler’s totient function
:	Set of invertible elements in
:	The determinant when denotes a square matrix and the cardinality when represents a set
:	The maximum value in a set
:	The minimum value in a set
	The least nonnegative residue of modulo
:
:
:	, the greatest common divisor of the preceding components of the integer sequence
:	, the Hamming weight of a binary vector
:	The modular inverse of modulo
:	divides
:
:
:	The binary length of a positive integer
:	The inverse of an invertible square matrix
:	The inner product of two vectors and
:	The Euclidean norm of a vector .

Conflict of Interests

The author declares that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (no. 61173152), the 111 Project (no. B08038), the ISN Foundation (no. ISN1103007), the Fundamental Research Funds for the Central Universities (no. JY10000901009), and the Natural Science Basic Research Plan in Shaanxi Province of China (Program no. 2012JM8005).

References

M. Bellare, S. Halevi, A. Sahai, and S. Vadhan, “Many-to-one trapdoor functions and their relation to public-key cryptosystems,” in Advances in Cryptology—Crypto 1998, vol. 1462 of Lecture Notes in Computer Science, pp. 283–298, Springer, Santa Barbara, Calif, USA, 1998.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. Q. Khoat, “Relation between the hardness of a problem and the number of its solutions,” Acta Mathematica Vietnamica, vol. 36, no. 1, pp. 55–60, 2011.
View at: Google Scholar | Zentralblatt MATH | MathSciNet
A. M. Youssef, “Cryptanalysis of a knapsack-based probabilistic encryption scheme,” Information Sciences, vol. 179, no. 18, pp. 3116–3121, 2009.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
E. F. Brickell and A. M. Odlyzko, “Cryptanalysis: a survey of recent results,” in Contemporary Cryptology, The Science of Information Integrity, pp. 501–540, IEEE Press, New York, NY, USA, 1992.
View at: Google Scholar | Zentralblatt MATH | MathSciNet
J. C. Lagarias, “The computational complexity of simultaneous Diophantine approximation problems,” SIAM Journal on Computing, vol. 14, no. 1, pp. 196–209, 1985.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
J. C. Lagarias, “Knapsack public key cryptosystems and diophantine approximation,” in Advances in Cryptology—Crypto 1983, pp. 3–23, Plenum, New York, NY, USA, 1984.
View at: Google Scholar
P. Nguyen and J. Stern, “Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations,” in Advances in cryptology—CRYPTO 1997, vol. 1294 of Lecture Notes in Computer Science, pp. 198–212, Springer, Santa Barbara, Calif, USA, 1997.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
P. Nguyen and J. Stern, “Cryptanalysis of a fast public key cryptosystem presented at SAC ’97,” in Selected Areas in Cryptography, vol. 1556 of Lecture Notes in Computer Science, pp. 213–218, Springer, Ontario, Canada, 1998.
View at: Google Scholar
R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
B. Chor and R. L. Rivest, “A knapsack-type public key cryptosystem based on arithmetic in finite fields,” IEEE Transactions on Information Theory, vol. 34, no. 5, part 1, pp. 901–909, 1988.
View at: Publisher Site | Google Scholar | MathSciNet
T. Okamoto, K. Tanaka, and S. Uchiyama, “Quantum public-key cryptosystems,” in Advances in Cryptology—CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, pp. 147–165, Springer, Santa Barbara, Calif, USA, 2000.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. M. Cover, “Enumerative source encoding,” IEEE Transactions on Information Theory, vol. 19, no. 1, pp. 73–77, 1973.
View at: Google Scholar | Zentralblatt MATH | MathSciNet
P. Q. Nguyen and J. Stern, “Adapting density attacks to low-weight knapsacks,” in Advances in cryptology—ASIACRYPT 2005, vol. 3788 of Lecture Notes in Computer Science, pp. 41–58, Springer, Chennai, India, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
S. Vaudenay, “Cryptanalysis of the Chor-Rivest cryptosystem,” Journal of Cryptology, vol. 14, no. 2, pp. 87–100, 2001.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
L. H. Encinas, J. M. Masqué, and A. Q. Dios, “Safer parameters for the Chor-Rivest cryptosystem,” Computers & Mathematics with Applications, vol. 56, no. 11, pp. 2883–2886, 2008.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
L. H. Encinas, J. M. Masqué, and A. Q. Dios, “Analysis of the efficiency of the Chor-Rivest cryptosystem implementation in a safe-parameter range,” Information Sciences, vol. 179, no. 24, pp. 4219–4226, 2009.
View at: Publisher Site | Google Scholar | MathSciNet
A. Kate and I. Goldberg, “Generalizing cryptosystems based on the subset sum problem,” International Journal of Information Security, vol. 10, no. 3, pp. 189–199, 2011.
View at: Publisher Site | Google Scholar
K. Omura and K. Tanaka, “Density attack to the Knapsack cryptosystems with enumerative source encoding,” IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, vol. 84, no. 1, pp. 1564–1569, 2001.
View at: Google Scholar
T. Izu, J. Kogure, T. Koshiba, and T. Shimoyama, “Low-density attack revisited,” Designs, Codes and Cryptography, vol. 43, no. 1, pp. 47–59, 2007.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
N. Kunihiro, “New definition of density on knapsack cryptosystems,” in Progress in Cryptology—AFRICACRYPT 2008, vol. 5023, pp. 156–173, Springer, Berlin, Germany, 2008.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
M. Rabin, “Digital signatures and public-key encryptions as intractable as factorization,” MIT Technical Report 212, 1979.
View at: Google Scholar
M. J. Coster, B. A. LaMacchia, A. M. Odlyzko, and C.-P. Schnorr, “An improved low-density subset sum algorithm,” in Advances in Cryptology—Eurocrypt 1991, vol. 547 of Lecture Notes in Computer Science, pp. 54–67, Springer, Brighton, UK, 1991.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr, and J. Stern, “Improved low-density subset sum algorithms,” Computational Complexity, vol. 2, no. 2, pp. 111–128, 1992.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
M. K. Lee and K. Park, “Low-density attack of public-key cryptosystems based on compact knapsacks,” Journal of Electrical Engineering and Information Science, vol. 4, no. 2, Article ID 197204, 1999.
View at: Google Scholar
N. Koblitz, Algebraic Aspects of Cryptography, vol. 3, Springer, Berlin, Germany, 1998.
View at: MathSciNet
A. M. Odlyzko, “The rise and fall of knapsack cryptosystems,” in Cryptology and Computational Number Theory, vol. 42 of Proceedings of Symposia in Applied Mathematics, pp. 75–88, 1990.
View at: Google Scholar | Zentralblatt MATH | MathSciNet
B. Wang, Q. Wu, and Y. Hu, “A knapsack-based probabilistic encryption scheme,” Information Sciences, vol. 177, no. 19, pp. 3981–3994, 2007.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. Kleinjung, K. Aoki, J. Franke et al., “Factorization of a 768-bit RSA modulus,” http://eprint.iacr.org/2010/006.
View at: Google Scholar
K. Aardal, C. A. J. Hurkens, and A. K. Lenstra, “Solving a system of linear Diophantine equations with lower and upper bounds on the variables,” Mathematics of Operations Research, vol. 25, no. 3, pp. 427–442, 2000.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
R. C. Merkle and M. E. Hellman, “Hiding information and signatures in trapdoor knapsacks,” IEEE Transactions on Information Theory, vol. 24, no. 5, pp. 525–530, 1978.
View at: Google Scholar
A. Shamir, “A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem,” IEEE Transactions on Information Theory, vol. 30, no. 5, pp. 699–704, 1984.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
M. H. Qu and S. A. Vanstone, “The knapsack problem in cryptography,” in Finite Fields: Theory, Applications, and Algorithms, vol. 168 of Contemporary Mathematics, pp. 291–308, 1994.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
K. Itoh, E. Okamoto, and M. Mambo, “Proposal of a fast public key cryptosystem,” in Proceedings of the Selected Areas in Cryptography (SAC '97), Ottawa, Canada, 1997.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2014 Baocang Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1223

Downloads

710

Citations