Table of Contents Author Guidelines Submit a Manuscript
Journal of Biomedicine and Biotechnology
VolumeΒ 2008, Article IDΒ 518093, 10 pages
http://dx.doi.org/10.1155/2008/518093
Research Article

Fast Parallel Molecular Algorithms for DNA-Based Computation: Solving the Elliptic Curve Discrete Logarithm Problem over 𝐺𝐹(2𝑛)

Kenli Li,1,2Β Shuting Zou,1Β and Jin Xv2

1Embedded System and Networking Laboratory, College of Computer and Communication, Hunan University, Changsha 410082, China
2Department of Control Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China

Received 16 July 2007; Accepted 25 January 2008

Academic Editor: DanielΒ Howard

Copyright Β© 2008 Kenli Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Elliptic curve cryptographic algorithms convert input data to unrecognizable encryption and the unrecognizable data back again into its original decrypted form. The security of this form of encryption hinges on the enormous difficulty that is required to solve the elliptic curve discrete logarithm problem (ECDLP), especially over 𝐺𝐹(2𝑛), π‘›βˆˆπ‘+. This paper describes an effective method to find solutions to the ECDLP by means of a molecular computer. We propose that this research accomplishment would represent a breakthrough for applied biological computation and this paper demonstrates that in principle this is possible. Three DNA-based algorithms: a parallel adder, a parallel multiplier, and a parallel inverse over 𝐺𝐹(2𝑛) are described. The biological operation time of all of these algorithms is polynomial with respect to 𝑛. Considering this analysis, cryptography using a public key might be less secure. In this respect, a principal contribution of this paper is to provide enhanced evidence of the potential of molecular computing to tackle such ambitious computations.

1. Introduction

This paper proposes theoretical work that introduces powerful algorithms of molecular computation that could potentially compromise the security that is afforded by certain cryptography algorithms. Molecular computation [1] involves biochemistry and DNA rather than silicon chips to tackle formidable computations. Theoretical aspects of this interdisciplinary field are important to develop the potential and interest in this form of computation [2].

Elliptic curve cryptography (ECC) is a mathematical approach to public key cryptography using elliptic curves that are typically defined over finite fields [3]. Elliptic curves [4, 5] constitute a major area of current research that is particularly important to number theory, for example, elliptic curves had a role in the recent proof of Fermats last theorem. As applied to cryptography, not only has ECC become applied in Diffie-Hellman key exchange but also in the digital signature algorithm (DSA), a US federal government standard for digital signatures. It is known as the elliptic curve DSA (ECDSA) or that variant of the DSA operating on elliptic curve groups.

The security of these cryptosystems relies on the difficulty of solving the elliptic curve discrete logarithm problem [6, 7]. If 𝑃 is a point with order π‘š on an elliptic curve, and 𝑄 is some other point on the same curve, then the elliptic curve discrete logarithm problem is to determine an 𝑙 such that 𝑄=𝑙𝑃, where 𝑙 is an integer and 0β‰€π‘™β‰€π‘šβˆ’1. If this problem can be solved efficiently, then elliptic curve-based cryptosystems can be broken efficiently.

In order to tackle such a problem, Feynman proposed molecular computation in 1961 [8]. However, his idea was not implemented experimentally for some decades. In 1994, Adleman succeeded in solving an instance of the Hamiltonian path problem in a test tube, simply by the manipulation of DNA strands [1]. Following this, Lipton demonstrated that the Adleman techniques offered a solution to the satisfiability problem (the first considered NP-complete problem) [9].

Recent advances in molecular biology [10, 11] have made it possible to produce roughly 1018 DNA strands in a test tube. Those 1018 DNA strands can be made to represent 1018 bits of information. In a distant future, if biological operations may be run error free using a test tube with 1018 DNA strands, then it would be possible to process 1018 bits of information simultaneously. More details about test tube distributed systems are given in [2]. The objective for biological computing technology is to provide this enormous amount of parallelism for dealing with computationally intensive real world problems [12–14].

Advancement in DNA computing has already been made in many areas. In the field of cryptology, Boneh et al. have cracked DES using identical principles to those of Adleman's solution of the travelling salesman problem. Also, Chang et al. have developed a way to factor integers. They proposed three DNA-based algorithms: parallel subtractor; parallel comparator; and parallel modular arithmetic unit [15, 16].

In this paper, we take a step further with respect to Chang's work [16] in order to solve the elliptic curve discrete logarithm problem. We develop DNA-based algorithms for a parallel adder; a parallel multiplier; a parallel divider over 𝐺𝐹(2𝑛) (i.e., a Galois field of characteristic 2); and a parallel adder for adding points on elliptic curves. We accomplish all of these by means of basic biological operations. We also showed that cryptosystems based on elliptic curves can be broken. Our work presents clear evidence of molecular computing abilities to accomplish complex mathematical operations.

The paper is organized as follows. Section 2 gives a brief background on DNA computing. Section 3 introduces the DNA computing that solves the elliptic curve discrete logarithm problem, for solution spaces of DNA strands. Conclusions are drawn in the final section.

2. Background

DNA (DeoxyriboNucleic Acid) is the molecule that plays the main role in DNA-based computing. DNA is a polymer, which is strung together from monomers called deoxyriboNucleotides. Distinct nucleotides are detected only with their bases, which come in two sorts: purines and pyrimidines. Purines include adenine and guanine, abbreviated A and G. Pyrimidines contain cytosine and thymine, abbreviated C and T. A DNA strand is essentially a sequence (polymer) of four types of nucleotides detected by one of four bases they contain. Two strands of DNA can form (under appropriate conditions) a double strand, if the respective bases are the Watson-Crick complements of each otherβ€”A matches T and C matches G. Hybridization is a special technology term for the pairing of two single DNA strands to make a double helix and also takes advantages of the specificity of DNA base pairing for the detection of specific DNA strands (for more discussions of the relevant biological background, refer to [10, 11]).

In the past decade, there have been revolutionary advances in the field of biomedical engineering, particularly in recombinant DNA and RNA manipulating. Due to the industrialization of the biotechnology field, laboratory techniques for recombinant DNA and RNA manipulation are becoming highly standardized. Basic principles about recombinant DNA can be found in [17–20]. In the following, we describe five biological operations that are useful for solving the elliptic curve discrete logarithm problem.

A (test) tube is a set of molecules of DNA (a multiset of finite strings over the alphabet {𝐴,𝐢,𝐺,𝑇}). Given a tube, one can perform the following operations.

(1)Extract. Given a tube 𝑃 and a short single strand of DNA, 𝑆, the operation produces two tubes +(𝑃,𝑆) and βˆ’(𝑃,𝑆), where +(𝑃,𝑆) is all of the molecules of DNA in 𝑃 which contain 𝑆 as a substrand and βˆ’(𝑃,𝑆) is all of the molecules of DNA in 𝑃 which do not contain 𝑆.(2)Merge. Given tubes 𝑃1 and 𝑃2, yield βˆͺ(𝑃1,𝑃2), where βˆͺ(𝑃1,𝑃2)=𝑃1βˆͺ𝑃2. This operation is to pour two tubes into one, without any change in the individual strands.(3)Amplify. Given a tube 𝑃, the operation Amplify (𝑃,𝑃1,𝑃2), will produce two new tubes 𝑃1 and 𝑃2 so that 𝑃1 and 𝑃2 are totally a copy of 𝑃 (𝑃1 and 𝑃2 are now identical) and 𝑃 becomes an empty tube.(4)Append. Given a tube 𝑃 containing a short strand of DNA 𝑍, the operation will append 𝑍 onto the end of every strand in 𝑃.(5)Append-head. Given a tube 𝑃 containing a short strand of DNA, 𝑍, the operation will append 𝑍 onto the head of every strand in 𝑃.

3. Finding the Discrete Logarithm on Elliptic Curve over 𝐺𝐹(2𝑛)

3.1. Elliptic Curve Public Key Cryptosystem over 𝐺𝐹(2𝑛)

An elliptic curve is defined to be the set of solutions (π‘₯,𝑦)∈𝐺𝐹(2𝑛)×𝐺𝐹(2𝑛) to the equation𝑦2+π‘₯𝑦=π‘₯3+π‘Žπ‘₯2+𝑏,(1)where π‘Ž,π‘βˆˆπΊπΉ(2𝑛) and 𝑏≠0, together with the point on the curve at infinity 𝑂, (with homogeneous coordinates (0,0)).

The points on an elliptic curve form an Abelian group under a well-defined group operation. The identity of the group operation is the point 𝑂. For 𝑃=(π‘₯1,𝑦1) a point on the curve, we define βˆ’π‘ƒ to be (π‘₯1,𝑦1+π‘₯1), so 𝑃+(βˆ’π‘ƒ)=(βˆ’π‘ƒ)+𝑃=𝑂. Now suppose 𝑃 and 𝑄 are not 𝑂, and π‘ƒβ‰ βˆ’π‘„. Let 𝑃 be as above and 𝑄=(π‘₯2,𝑦2), then 𝑃+𝑄=(π‘₯3,𝑦3), whereπ‘₯3=πœ‡2+πœ‡+π‘₯1+π‘₯2𝑦+π‘Ž,3=πœ‡(π‘₯1+π‘₯3)+π‘₯3+𝑦1,⎧βŽͺ⎨βŽͺβŽ©π‘¦πœ‡=2+𝑦1π‘₯2+π‘₯1ifπ‘₯𝑃≠𝑄,21+𝑦π‘₯1if𝑃=𝑄,(2) (refer to [21]).

In this paper, for convenience, use π‘π‘›βˆ’1π‘π‘›βˆ’2⋯𝑏1𝑏0 to denote the value of π‘π‘›βˆ’1πœ”π‘›βˆ’1+π‘π‘›βˆ’2πœ”π‘›βˆ’2+β‹―+𝑏1πœ”+𝑏0 over 𝐺𝐹(2𝑛).

Let 𝐸 be an elliptic curve defined over 𝐺𝐹(2𝑛), and let 𝐺∈𝐸 be a fixed and publicly known point. The receiver 𝐡 chooses π‘Ž randomly and publishes the key π‘ŽπΊ, while keeping π‘Ž itself secret. To transmit a message π‘š to 𝐡, user 𝐴 chooses a random integer π‘˜ and sends the pair of points (π‘˜πΊ,π‘ƒπ‘š+π‘˜(π‘ŽπΊ)). To read the message, 𝐡 multiplies the first point in the pair by his secret π‘Ž, and then subtracts the result from the second point in the pair. So, if a breaker can compute π‘Ž from public key 𝐺 and π‘ŽπΊ, he can decrypt any encryption sent to 𝐡 (refer to [3]).

3.2. The Construction of a Parallel Adder over 𝐺𝐹(2𝑛)

Over 𝐺𝐹(2𝑛), the additive operation on two numbers is just doing XOR on each bit, respectively, without any carry. For instance, (1101)+(1001)=(0100). For every bit π‘₯𝑗, two distinct 15 base value sequences are designed. One represents the value zero for π‘₯𝑗 and the other represents the value one for π‘₯𝑗. For convenience, we assume that π‘₯1𝑗 denotes the value of π‘₯𝑗 to be one and π‘₯0𝑗 denotes the value of π‘₯𝑗 to be zero. The following algorithm is used for parallel adding two 𝑛 bits binary number in a strand with one starts from the 𝑝th bit and the other one starts from the π‘žth bit and appending the result from π‘Ÿth bit (see Algorithm 1).

alg1
Algorithm 1: Procedure ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ).

Consider that 𝑛=3, 𝑝=1, π‘ž=4, and π‘Ÿ=7. That is, two binary numbers to be added in parallel are both 3 bits, while one from the 1st bit and the other one from the 4th bit in a strand, and β€œappend” operation starts from the 7th bit. We then suppose, tube 𝑇0={110001,010101,001111,100011} which is regarded as an input tube for the algorithm ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ). Because the value of 𝑛 is 3, step (1a) to step (1f) will be run 3 times. After the first execution of step (1a) is finished, 𝑇1={110001,100011} and 𝑇2={010101,001111}. Next, after the first execution of step (1b) and step (1c) is performed, 𝑇3=Ξ¦, 𝑇4={110001,100011}, 𝑇5={010101,001111}, and 𝑇6=Ξ¦, while 𝑇0=𝑇1=𝑇2=Ξ¦. After first execution of step (1d) is run, tube 𝑇7={110001,010101,001111,100011} and 𝑇8=Ξ¦. After first execution of step (1e) and step (1f) is run, 𝑇0={1100011,0101011,0011111,1000111}. Then, after the rest operations are performed, the result of tube 𝑇0 is shown in Table 1.

tab1
Table 1: Result of tube 𝑇0.

Lemma 1. The algorithm ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ) is applied to finish the function of a parallel adder.

Proof. The algorithm ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ) is implemented by means of the extract, merge, and append operations. Each execution of step (1a) is used to produce two tubes 𝑇1 and 𝑇2, where all of the molecules of DNA in 𝑇1 contain π‘₯1𝑝+𝑗 and all of the molecules of DNA in 𝑇2 contain π‘₯0𝑝+𝑗. Each execution of step (1b) and step (1c) is used to produce four tubes 𝑇3, 𝑇4, 𝑇5, 𝑇6, where all DNA strands in 𝑇3 contain π‘₯1𝑝+𝑗 and π‘₯1π‘ž+𝑗, all DNA strands in 𝑇4 contain π‘₯1𝑝+𝑗 and π‘₯0π‘ž+𝑗, all DNA strands in 𝑇5 contain π‘₯0𝑝+𝑗 and π‘₯1π‘ž+𝑗, and all DNA strands in 𝑇6 contain π‘₯0𝑝+𝑗 and π‘₯0π‘ž+𝑗. According to the additive theorem over 𝐺𝐹(2𝑛), the 𝑗th bit of the sum in 𝑇4 and 𝑇5 is 1 and the 𝑗th bit of the sum in 𝑇3 and 𝑇6 is 0.
From ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ), it takes 3𝑛 extract operations, 3𝑛 merge operations, 2𝑛 append operations, and 9 test tubes to finish parallel addition. A value sequence for every bit contains 15 bases. Therefore, the algorithm will add 15𝑛 bases to all DNA strands in tube 𝑇0.

3.3. The Construction of a Parallel Multiplier over 𝐺𝐹(2𝑛)

Over 𝐺𝐹(2𝑛), the multiplicative operation runs as follows:(π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0)(π‘β€²π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏′1πœ”+𝑏′0)=π‘π‘›βˆ’1πœ”π‘›βˆ’1(π‘β€²π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏′1πœ”+𝑏′0)+β‹―+𝑏0(π‘β€²π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏′1πœ”+𝑏′0)=β„Ž2π‘›βˆ’2πœ”2π‘›βˆ’2+β„Ž2π‘›βˆ’3πœ”2π‘›βˆ’3+β‹―+β„Ž2πœ”2+β„Ž1πœ”+β„Ž0,β„Ž2π‘›βˆ’2=π‘π‘›βˆ’1π‘β€²π‘›βˆ’1,β„Ž2π‘›βˆ’3=π‘π‘›βˆ’1π‘β€²π‘›βˆ’2+π‘π‘›βˆ’2π‘β€²π‘›βˆ’1β„Ž,…,π‘›βˆ’1=π‘π‘›βˆ’1𝑏′0+π‘π‘›βˆ’2𝑏′1+β‹―+𝑏0π‘β€²π‘›βˆ’1β„Ž,…,1=𝑏1𝑏′0+𝑏0𝑏′1,β„Ž0=𝑏0𝑏′0.(3)

The algorithm ParallelMultiplier (𝑇0,𝑛,𝑝,π‘ž) is used to multiply two 𝑛bit binary numbers on every strand in parallel with one starts from the 𝑝th bit and the other one starts from the π‘žth bit. It runs as follows: at first, employ extract operation to form two tubes: 𝑇1 and 𝑇2. The first tube 𝑇1 includes all of the strands on which π‘₯𝑝=1 and the second tube 𝑇2 includes all of the strands on which π‘₯𝑝=0. Then, we copy the bits from π‘žth to (π‘ž+π‘›βˆ’1) th to the end of every strand in tube 𝑇1 and append 𝑛 bits 0 to the end of every strand in tube 𝑇2. After these operations, the (π‘ž+𝑛)th bit to (π‘ž+𝑛+π‘›βˆ’1)th bit show the coefficients of πœ”2π‘›βˆ’2 to πœ”π‘›βˆ’1. Using the same principle, we get the coefficients of πœ”2π‘›βˆ’3 to πœ”π‘›βˆ’2, πœ”2π‘›βˆ’4 to πœ”π‘›βˆ’3,…,πœ”π‘›βˆ’1 to πœ”0. At last, call algorithm ParallelAdder (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ) to compute the sum of coefficients of πœ”2π‘›βˆ’2, the sum of coefficient of πœ”2π‘›βˆ’3,…, and so on. As a result, the length of every strand will increase 𝑛×𝑛+2π‘›βˆ’1 bits.

From ParallelMultiplier (𝑇0,𝑛,𝑝,π‘ž), it takes 𝑂(𝑛2) extract operations, 𝑂(𝑛2) merge operations, 𝑂(𝑛2) append operations, and 𝑂(1) test tubes to finish the function of a parallel multiplier.

3.4. The Construction of a Parallel Shifter for Multiplicative Result

Because over 𝐺𝐹(2𝑛), the exponent of πœ” cannot be beyond π‘›βˆ’1, the result of parallel multiplying should be shifted by a certain irreducible polynomial, called primitive polynomial: πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0=0. The algorithm ParallelShifter β‡”πœ”π‘›=π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0, (𝑇0,𝑛,𝑝) representing that the multiplicative result starts from the 𝑝th bit, is used to parallel shift the multiplicative result 𝑝 to legal form 𝑏2π‘›βˆ’2πœ”2π‘›βˆ’2+𝑏2π‘›βˆ’3πœ”2π‘›βˆ’3+β‹―+𝑏1πœ”+𝑏0 over π‘π‘›βˆ’1πœ”π‘›βˆ’1+π‘π‘›βˆ’2πœ”π‘›βˆ’2+β‹―+𝑏1πœ”+𝑏0 which can be designed as follows: appends the primitive polynomial's coefficients from 𝐺𝐹(2𝑛) to πœ”π‘›βˆ’1 to the end of every strand at first. Employ the extract operation to form two test tubes πœ”0 and 𝑇1. Tube 𝑇2 includes all of the strands on which 𝑇1 and tube π‘₯𝑝=1 includes all of the strands on which 𝑇2. Then, we add the coefficients, from item π‘₯𝑝=0 to item πœ”2π‘›βˆ’3, to the coefficients of irreducible polynomial in parallel in tube πœ”π‘›βˆ’2. This forms the new coefficients from 𝑇1 to πœ”2π‘›βˆ’3 and has deleted the πœ”π‘›βˆ’2 item. The coefficients from πœ”2π‘›βˆ’2 to πœ”π‘›βˆ’3 are without any change. For the πœ”0 includes all of the strands that have 𝑇2, so just copy the coefficients from π‘₯𝑝=0 to πœ”2π‘›βˆ’3 without any change. After all the executions before are run, the highest exponent of πœ”0 is reduced to πœ”. Then, merge 2π‘›βˆ’3 and 𝑇1 and begin new reduction. The principle of rest reducing turn is all like this above. When this algorithm is run out, the highest exponent of 𝑇2 is reduced to πœ”. This algorithm will totally append π‘›βˆ’1 bits more to every strand.

From ParallelShifter 𝑛×𝑛+(π‘›βˆ’1)(π‘›βˆ’2)/2, it takes (𝑇0,𝑛,𝑝) extract operations, 𝑂(𝑛2) merge operations, 𝑂(𝑛2) append operations, and 𝑂(𝑛2) test tubes to finish the function of a parallel shifter.

3.5. The Mathematical Principle of Division on 𝑂(1)

Over 𝐺𝐹(2𝑛), to do a division operation for a dividend and a divisor, one should get the divisor's inverse first and then multiply the dividend. For the primitive polynomial 𝐺𝐹(2𝑛) is irreducible, there exists a polynomial πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0 and a polynomial 𝑔(πœ”) that fit the equation (according to Euclid algorithm):𝑓(πœ”)

Because 𝑔(πœ”)Γ—divisor+𝑓(πœ”)Γ—(πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0)=1.(4), πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0=0, which is to say 𝑔(πœ”)Γ—divisor=1 is the inverse of the divisor. To find 𝑔(πœ”) and 𝑔(πœ”), one can do as follows, which is called Euclid algorithm, also called division algorithm; first, 𝑓(πœ”) is divided by the divisor. If the value of the remainder is 1, that is to say, πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0 with (πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0)+𝑔(πœ”)Γ—divisor=1 is the division result and the inverse of divisor has found which is 𝑔(πœ”); else let remainder be 𝑔(πœ”), let the divisor be the dividend and π‘Ÿ(πœ”) be the divisor and do division operation again. Repeat the process until the remainder is 1. Because the highest exponent of π‘Ÿ(πœ”) of remainder reduces by 1 in each repeat, it is at most repeating πœ” times. So in the first time division, the dividend is π‘›βˆ’1 bits and the divisor is 𝑛+1 bits and the remainder is at most 𝑛 bits, and in the second time division the dividend is π‘›βˆ’1 bits and the divisor is 𝑛 bits and the remainder is at most π‘›βˆ’1 bitsπ‘›βˆ’2 and in last time division the dividend is 3 bits and the divisor is 2 bits and the remainder is 1 bit. Then, trace back to get the ,…,.

3.6. The Construction of a Parallel Comparator

Prior to each step of long division, comparison should be done first. Suppose the divisor is 𝑔(πœ”) bits at that time. At first compare the first two bits of dividend with divisor to determine that addition operation between first two bits of dividend and divisor should be done or not, then compare the first three bits of result with divisor𝑛 compare the first ,…, bits of result with divisor, the last time (finally), compare the last 𝑛 bits of result with divisor for this time the first bit of result is 0. The following algorithm is used to compare the divisor which is from 𝑛th bit to 𝑝th bit with the bits from π‘žth bit to 𝑗th bit in parallel, and forms tube π‘˜ and 𝑇1. 𝑇2 contains all strands on which add execution will be done and 𝑇2 contains all strands on which add execution will not be done (see Algorithm 2).

alg2
Algorithm 2: Procedure ParallelComparator 𝑇1.

Lemma 2. The algorithm Parallel Comparator 𝑇0=βˆͺ(𝑇0,𝑇5)(𝑇0,𝑝,π‘ž,𝑗, is applied to finish the function of parallel comparator.

Proof. If π‘˜,𝑇1,𝑇2), that means the bits of divisor is more than the bits of the result which are intended to compare this time. Step (1) considers the excessive bits of divisor and if any one bit is 1, which means the divisor is β€œbigger" than the bits of the result which are intended to compare this time and pour the strands to π‘žβˆ’π‘>π‘˜βˆ’π‘—. Step (2) considers the rest of the bits of divisor and the bits of result which are intended to compare this time. 𝑇1 contains all strands on which certain bit of divisor is 1 and corresponding bit of the result is 1; 𝑇3 contains all strands on which certain bit of divisor is 1 and corresponding bit of the result is 0; 𝑇4 contains all strands on which certain bit of divisor is 0 and corresponding bit of the result is 0; 𝑇5 contains all strands on which certain bit of divisor is 0 and corresponding bit of the result is 1. So add execution can be done over strands in 𝑇6 and 𝑇3, which can not be done over strands in 𝑇6, and strands in 𝑇4 need more consideration.
From ParallelComparator 𝑇5, it takes (𝑇0,𝑝,π‘ž,𝑗,π‘˜,𝑇1,𝑇2) extract operations, 𝑂(𝑛) merge operations, and 𝑂(𝑛) test tubes to finish the function of a parallel comparator.

3.7. The Construction of a Parallel Long Division

Suppose the divisor is 𝑂(1) bits and is from 𝑛th bit and the dividend is 𝑝 bits and is from the 𝑛+1th bit in each strand. To do the long division, first compare the divisor with first two bits of dividend using ParallelComparator to get the first bit of the result of division and note down the result of first time addition result. Then, compare the divisor with the first three bits of the addition result last time to get the second bit of the result of the long division, and note down the addition result. Finally, compare the divisor with the last π‘ž bits of addition result last time to get the last bit of division result and the remainder (see Algorithm 3).

alg3
Algorithm 3: Procedure SimilarDiv 𝑛.

Lemma 3. The algorithm SimilarDiv 𝑇0=βˆͺ(𝑇1,𝑇2) is applied to finish the function of parallel long division.

Proof. Each execution of step (1) is to get each bit of the long division result. The rest part is to get the last bit of the long division result. Consider the first cycle of step (1), step (1a) compares the divisor with the first two bits of the dividend, and form two tubes (𝑇0,𝑛,𝑝,π‘ž) and 𝑇1 that 𝑇2 contains all strands on which add execution can be done, contrarily the 𝑇2. Step (1b) appends 0 to all strands in 𝑇1 and appends 1 to all strands in 𝑇1. This bit is the first bit of the division result. Step (1c) just finishes to append the dividend in tube 𝑇2. Step (1d) adds the divisor and the first two bits of the dividend in 𝑇1. Step (1e) copies the rest of the bits of the dividend in 𝑇2. Step (1f) pours 𝑇2 and 𝑇1 together and finishes the first execution of step (1) to get the first bit of the division result and the first time addition result. The second execution of step (1) is to compare the divisor with the first three bits of the addition result last time and get the second bit of the division result. The principle of other cycles and the rest of the steps are similar to the principle above. The length of each strand will reach to 𝑇2 bits when this algorithm is run out.
From SimilarDiv π‘ž+𝑛+(𝑛+2)𝑛, it takes (𝑇0,𝑛,𝑝,π‘ž) extract operations, 𝑂(𝑛2) append operations, 𝑂(𝑛2) merge operations, and 𝑂(𝑛2) test tubes to finish the function of a parallel long division.

3.8. The Construction of Parallel Traceback

Suppose the irreducible polynomial 𝑂(1) and suppose 𝐴(πœ”)=πœ”π‘›+π‘π‘›βˆ’1πœ”π‘›βˆ’1+β‹―+𝑏1πœ”+𝑏0 and 𝑔(πœ”) satisfy that 𝑓(πœ”), for the purpose of finding the divisor's inverse, 𝑔(πœ”)Γ—divisor+𝑓(πœ”)𝐴(πœ”)=1, we need to do sometimes long division introduced in Section 3.7; let 𝑔(πœ”) be the dividend and divisor mentioned above be the divisor in first time and suppose the result is 𝐴(πœ”), and if the remainder is 1, then the division result 𝑔1(πœ”) is 𝑔1(πœ”). Else, let the divisor last time be the dividend and let the remainder last time be the divisor and do the long division. Suppose the result is 𝑔(πœ”) and 𝑝(πœ”), if the remainder is 1, the 𝑔2(πœ”)=𝑝(πœ”)×𝑔1(πœ”)+1 is 𝑔2(πœ”). Else, let the divisor last time be the dividend and let the remainder last time be the divisor and do the long division. Suppose the result is 𝑔(πœ”) and 𝑝(πœ”), if the remainder is 1, the 𝑔3(πœ”)=𝑝(πœ”)×𝑔2(πœ”)+𝑔1(πœ”) is 𝑔3(πœ”). Generally speaking, we need to trace back after long division each time: first time, the tracing result is the division's result; the second time, the tracing's result is the sum of 1 and the product of the division's result and the tracing's result last time; from the third time, the tracing's result is the sum of the tracing's result last second time and the product of the division's result and the tracing's result last time. The following algorithm is used to do tracing operation from the third time in which 𝑔(πœ”), 𝑑, and 𝑑 mean that the tracing's result last second time is from the 𝑝th bit and the last tracing's result is from the 𝑑th bit and the division result is from the 𝑑th bit (see Algorithm 4).

alg4
Algorithm 4: Procedure Traceback 𝑝.

Lemma 4. The algorithm TraceBack (𝑇0,𝑛,𝑑,𝑝+𝑀,𝑝+𝑛+𝑀) is used to trace back after long division from the third time in order to get the divisor's inverse.Proof. In this and following procedures, (𝑇0,𝑑,𝑑,𝑝,𝑛), which represent the total number of increased bits when ParallelMultiplier 𝑀=𝑛2+2π‘›βˆ’1+𝑛2+(π‘›βˆ’1)(π‘›βˆ’2)/2 and ParallelShifter (𝑇0,𝑛,𝑝,π‘ž) are called. Step (1) is used to multiply the last tracing's result from (𝑇0,𝑛,𝑝)th bit to the long division result from 𝑑th bit in parallel. The result will be from the 𝑝th bit to (𝑝+𝑛+𝑛×𝑛)th bit. Step (2) is to shift the result of multiplication to legal form which will append (𝑝+𝑛+𝑛×𝑛+2π‘›βˆ’1) bits to every strand. And its result is from ((π‘›βˆ’1)(π‘›βˆ’2)/2+𝑛2)th bit to (𝑝+𝑀)th bit. Step (3) is used to add the result to the last second time's tracing's result in parallel.
From TraceBack (𝑝+𝑛+π‘€βˆ’1), it takes (𝑇0,𝑑,𝑑,𝑝,𝑛) extract operations, 𝑂(𝑛2) append operations, 𝑂(𝑛2) merge operations, and 𝑂(𝑛2) test tubes to finish the function of tracing back.

3.9. The Construction of a Parallel inverse

From the algorithms introduced above, we can find divisors' inverses in parallel as follows: first pick out the strands on which divisor equals to 1. Then, let the primitive polynomial be the dividend and the divisor be the divisor and do long division. Trace back to get the tracing's result first time and pick up the strands on which the remainder equals to 1 and store them in tube 𝑂(1). Then, let the divisor last time be the dividend and the remainder last time be the divisor and do long division. Collect the quotient and trace back. Pick up the strands on which the remainder equals to 1 and store them in tube 𝑇1𝑇2 these executions, including long division, collecting every bit of the quotient and tracing back, are run ,…, times at most. In the following algorithm, the parameters π‘›βˆ’1 and 𝑛 mean that the divisor is 𝑝 bits and it starts from 𝑛th bit in every strand. The last parameter 𝑝 is used to represent that each strand in tube is π‘Ÿ bit long and we begin append operation from π‘Ÿβˆ’1th bit of every strand.

Among the algorithm, the procedure Picking π‘Ÿ is used to pick out the strands on which the (𝑇0,𝑛,𝑝,𝑇𝑠)th bit to the 𝑝th bit are all 0 and the (𝑝+π‘›βˆ’2)th bit is 1 and store them in (𝑝+π‘›βˆ’1). It is easy to program, so just omitted here (see Algorithm 5).

alg5
Algorithm 5: Procedure ParallelInverse 𝑇𝑠.

Lemma 5. The algorithm ParallelInverse 𝑇0=βˆͺ(𝑇𝑧,𝑇1,𝑇2,…,π‘‡π‘›βˆ’1) is applied to find inverses over (𝑇0,𝑛,𝑝,π‘Ÿ) in parallel.Proof. Step (2) is used to append 𝐺𝐹(2𝑛) bits irreducible polynomial, which is the dividend in first long division, to every strand. The execution of step (3) calls the algorithm SimilarDiv 𝑛+1 to finish long division. Now the length of strands is added up to (𝑇0,𝑛,𝑝,π‘Ÿ) bits. Step (4) finishes the function of collecting every bit of quotient and will add π‘Ÿ+𝑛+(𝑛+2)𝑛 bits to every strand. This is the first time tracing result. Step (5) calls the procedure Picking 𝑛 to pick out the strands on which the remainder is 1 and store them in tube (𝑇0,𝑛,𝑝,𝑇𝑠). Step (6) finishes the operation of appending the dividend, which is divisor last time, to the strands. Note that 𝑇1. Step (7) calls the algorithm SimilarDiv 𝑠1=𝑛+1+(𝑛+2)𝑛+𝑛 to accomplish the second time long division. Step (8) employs the append operation to append a bit 0 in order to make the quotient to be (𝑇0,𝑛,𝑝,π‘ž) bits. Step (9) finishes the function of collecting every bit of quotient and will add 𝑛 bits to every strand. Steps (10) and (11) call the algorithm ParallelMultiplier π‘›βˆ’1 and ParallelShifter (𝑇0,𝑛,𝑝,π‘ž). Step (12) is used to add 1 to the product. These three steps accomplish the function of tracing back of the second time. Now the length of every strand is (𝑇0,𝑛,𝑝). Step (13) calls the algorithm Picking π‘Ÿ+𝑠1+𝑛+(𝑛+1)(π‘›βˆ’1)+𝑛+𝑀+π‘›βˆ’1 to pick out the strands on which the remainder is 1 and store them in tube (𝑇0,𝑛,𝑝,𝑇𝑠). One execution of step (14) finishes the function of long division and tracing back and picking out the strands on which the remainder is 1. The step will be looped 𝑇2 times, because the long division should be done π‘›βˆ’3 times to make sure that the remainder of each strand equals to 1 and long division has been done twice before. Note that while π‘›βˆ’1, 𝑗β‰₯2. Step (15a) is used to append certain bits 0 to each tube 𝑠𝑗=𝑛+2βˆ’π‘—+(𝑛+3βˆ’π‘—)(𝑛+1βˆ’π‘—)+𝑛+𝑀+𝑛 to make sure that strands in 𝑇𝑗 to 𝑇1 are all π‘‡π‘›βˆ’1 bits long. Step (15b) is used to append the inverse gotten before to the last of every strand in π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1βˆ’1 to 𝑇1. Step (18) pours strands in all tubes together to one tube π‘‡π‘›βˆ’1. From all above, getting inverse one time needs increasing 𝑇0 bits to every strand.
From ParallelInverse 𝑠1+𝑠2+β‹―+π‘ π‘›βˆ’1+𝑛, it takes (𝑇0,𝑛,𝑝,π‘Ÿ) extract operations, 𝑂(𝑛3) append operations, 𝑂(𝑛3) merge operations, and 𝑂(𝑛3) test tubes to finish the function of finding inverse in parallel.

3.10. The Construction of a Parallel Divider

To do a division operation on 𝑂(𝑛), first one should calculate divisor's inverse using above mentioned algorithm then multiply the dividend. The following algorithm is used to finish the function of parallel division over 𝐺𝐹(2𝑛) where the dividend begins with the 𝐺𝐹(2𝑛),th bit and the divisor begins with the π‘žth bit, and current bit is the 𝑝th bit (see Algorithm 6).

alg6
Algorithm 6: Procedure ParallelDivision π‘Ÿ.

Lemma 6. The algorithm ParallelDivision (𝑇0,𝑛,π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1+𝑛+𝑛×𝑛) is used to finish the function of parallel division over (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ).Proof. Step (1) calls the algorithm ParallelInverse 𝐺𝐹(2𝑛) to get the divisor's inverse of every strand. The length of every strand is (𝑇0,𝑛,𝑝,π‘Ÿ) bits now with the inverse from π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1+π‘›βˆ’1th bit to (π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1)th bit. Step (2) calls ParallelMultiplier (π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1+π‘›βˆ’1) to finish the function of the inverse being multiplied by the dividend every strand with the dividend starting from the (𝑇0,𝑛,𝑝,π‘ž)th bit. Now the length of each strand adds up to π‘ž bits. Step (3) shifts the product by calling ParallelShifter π‘Ÿ+𝑠1+β‹―+π‘ π‘›βˆ’1+𝑛+𝑛×𝑛+2π‘›βˆ’1βˆ’1 and will add (𝑇0,𝑛,𝑝) bits to every strand. Generally speaking, doing parallel division one time need increasing the strands (π‘›βˆ’1)(π‘›βˆ’2)/2+𝑛×𝑛 bits.
From ParallelDivision 𝐷=𝑠1+β‹―+π‘ π‘›βˆ’1+𝑛+𝑀, it takes (𝑇0,𝑛,𝑝,π‘ž,π‘Ÿ) extract operations, 𝑂(𝑛3) append operations, 𝑂(𝑛3) merge operations, and 𝑂(𝑛3) test tubes to finish the function of parallel division.

3.11. The Construction of a Parallel Adder of Two Points on Elliptic Curve

By far the addition, subtraction (the same to addition), multiplication, and division operations over 𝑂(𝑛) have been solved. Now consider how to execute addition of two points on an elliptic curve 𝐺𝐹(2𝑛) in biological ways. We should consider five different cases: case 1, the first point is 𝑦2+π‘₯𝑦=π‘₯3+π‘Žπ‘₯2+𝑏 and the point of sum equals to the second point; case 2, the second point is 𝑂 and the point of sum equals to the first point; case 3, one point is the inverse of the other one, and the point of sum is 𝑂; case 4, one point equals to the other one, and computes the sum as the formula in part 3.1; case 5, computes the sum using the formula in part 3.1.

The algorithm AddTwoNode 𝑂 is used to add two points. The first one's position (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,π‘Ÿ) starts from the π‘₯th bit and position (π‘₯1) starts from the 𝑦th bit, and the second one's position (𝑦1) starts from the π‘₯th bit and (π‘₯2) starts from the 𝑦th bit. The parameter (𝑦2) represents the current bit. In the procedure, it calls Picking01 π‘Ÿ to pick out the strands on which the first point is (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,𝑇11) and store them in 𝑂, Picking02 𝑇11 to pick out the strands on which the second point is (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,𝑇12) and store them in 𝑂, PickingInverse 𝑇12 to pick out the strands on which one point is the inverse of the other one and store them in tube (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,π‘Ÿ,𝑇2), and PickingEqual 𝑇2 to pick out the strands on which one point equals to the other one and store them in tube (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,𝑇3). These four algorithms are easy to design, so omitted here. Note that PickingInverse 𝑇3 will increase (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,π‘Ÿ,𝑇2) bits to every strand in 𝑛 (see Algorithm 7).

alg7
Algorithm 7: Procedure AddTwoNode 𝑇0.

Lemma 7. The algorithm AddTwoNode 𝑇0=βˆͺ(𝑇11,𝑇12,𝑇2,𝑇0)(𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2, can compute the sum of two points on elliptic curve.Proof. Step (5) employs append operation to append 𝑦2,π‘Ÿ) bits 0 to all strands in tube 𝑀. Step (6) to step (8) are operations on tube 𝑇0 to get 𝑇0 of strands in πœ‡. Step (9) to step (13) are operations on tube 𝑇0 to get 𝑇3 of strands in πœ‡. Step (14) pours 𝑇3 and 𝑇0 to 𝑇3 and the length of every strand in 𝑇0 now is 𝑇0 bits. Step (15) to step (21) accomplish to compute the position π‘Ÿ+𝑛+𝑛+𝑀+𝑛+π·βˆ’1 of point of sum and the result is from π‘₯th bit. The execution of steps (22) to (26) is used to get the position (π‘Ÿ+𝑋) of the sum which equals to 𝑦. And now, the position πœ‡(π‘₯1+π‘₯3)+π‘₯3+𝑦1 of the sum is from 𝑦th bit and the length is (π‘Ÿ+𝑋+π‘Œ) bits.
Steps (27) and (28) are applied to append the value of positions π‘Ÿ+𝑛+𝑋+π‘Œβˆ’1 and π‘₯ of the sum of two points to the last of every strand. Now, the length of every strand in 𝑦 is 𝑇0 bits with the value π‘Ÿ+𝑛+𝑋+π‘Œ+2π‘›βˆ’1 from the π‘₯th bit and (π‘Ÿ+𝑛+𝑋+π‘Œ) from the 𝑦th bit.
From AddTwoNode (π‘Ÿ+𝑛+𝑋+π‘Œ+𝑛), it takes (𝑇0,𝑛,π‘₯1,𝑦1,π‘₯2,𝑦2,π‘Ÿ) extract operations, 𝑂(𝑛3) append operations, 𝑂(𝑛3) merge operations, and 𝑂(𝑛3) test tubes to finish the function of a parallel adder for points on elliptic curve.

3.12. Breaking the Elliptic Curve Cryptosystem

We have constructed the algorithm above for parallel computing the point of the sum of two points. Then, we can solve elliptic curve discrete logarithm problem as follows: consider point 𝑂(𝑛) and 𝑃 are given, and 𝑄 is what we want to get which matches 𝑙. First, we amplify 𝑄=𝑙𝑃 into two tubes and add 𝑃 in one tube. Check if 𝑃 equals to 2𝑃; if not, note down the value of 𝑄 and pour two tubes together. Then, amplify the tube into two tubes and add 2𝑃 in one tube. Check if any point equals to 2𝑃; if not, note down the value of 𝑄 and pour two tubes together, or we get the value of 4𝑃. Then, amplify the tube into two tubes and add 𝑙 in one tube4𝑃 while this loop executes ,…, times, the value from 1 to 𝑛 for 2𝑛 will have been checked, and the elliptic curve cryptosystem has been broken by the solved elliptic curve discrete logarithm problem.

4. Conclusion

This paper is the first effort in literature that demonstrates that the difficult problem for elliptic curve discrete logarithm can be solved on a DNA-based computer. While Chang's work makes great progress in application of DNA computing in cryptoanalysis [16], which is breaking RSA by factoring integer, this paper proposes application of DNA computing in another popular cryptosystem, ECC, which is more complex and has more challenge in cryptoanalysis. Though the algorithm is somewhat complex, it takes a series of steps that is polynomial in the input size, so it is feasible in theory and inspirits the development of DNA computing. Simultaneously, the paper also shows that humans' complex mathematical operations can directly be performed with basic biological operations. The property for the difficulty of elliptic curve discrete logarithm is the basis of elliptic curve cryptosystems. However, this property seems to be incorrect on a molecular computer. This indicates that the elliptic curve cryptosystems are perhaps insecure if the technique of DNA computing is skillful enough to run the algorithms efficiently as discussed in this paper.

Acknowledgments

The authors thank Daniel Howard (QinetiQ, Malvern Technology Centre, UK) for his great efforts in correcting this paper. This work is supported by National Natural Science Foundation (60603053) of China.

References

  1. L. M. Adleman, β€œMolecular computation of solutions to combinatorial problems,” Science, vol. 266, no. 5187, pp. 1021–1024, 1994. View at Publisher Β· View at Google Scholar
  2. E. Csuhaj-VarjΓΊ, L. Kari, and G. Paun, β€œTest tube distributed systems based on splicing,” Computers and Artificial Intelligence, vol. 15, no. 2-3, pp. 211–232, 1996. View at Google Scholar
  3. N. Koblitz, β€œElliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987. View at Publisher Β· View at Google Scholar
  4. N. Koblizt, Introduction to Elliptic Curves and Modular Forms, Springer, New York, NY, USA, 1984.
  5. S. Lang, Elliptic Curves: Diophantine Analysis, Springer, New York, NY, USA, 1978.
  6. V. S. Miller, β€œUse of elliptic curves in cryptography,” in Proceedings of the 5th Annual International Cryptology Conference (CRYPTO '85), Santa Barbara, Calif, USA, August 1985.
  7. A. M. Odlyzko, β€œDiscrete logarithms in finite fields and their cryptographic significance,” in Proceedings of the 2nd Workshop on Advances in Cryptology: Theory and Application of Cryptographic Techniques (EUROCRYPT '84), pp. 224–314, Springer, Paris, France, April 1985.
  8. R. P. Feynman, β€œThere's plenty of room at the bottom,” in Minaturization, D. H. Gilbert, Ed., pp. 282–296, Reinhold, New York, NY, USA, 1961. View at Google Scholar
  9. R. J. Lipton, β€œDNA solution of hard computational problems,” Science, vol. 268, no. 5210, pp. 542–545, 1995. View at Publisher Β· View at Google Scholar
  10. R. R. Sinden, DNA Structure and Function, Academic Press, New York, NY, USA, 1994.
  11. G. Paun, G. Rozenberg, and A. Salomaa, DNA Computing: New Computing Paradigms, Springer, New York, NY, USA, 1998.
  12. W.-L. Chang, M. S.-H. Ho, and M. Guo, β€œMolecular solutions for the subset-sum problem on DNA-based supercomputing,” Biosystems, vol. 73, no. 2, pp. 117–130, 2004. View at Publisher Β· View at Google Scholar
  13. M. Guo, M. S.-H. Ho, and W.-L. Chang, β€œFast parallel molecular solution to the dominating-set problem on massively parallel bio-computing,” Parallel Computing, vol. 30, no. 9-10, pp. 1109–1125, 2004. View at Publisher Β· View at Google Scholar
  14. M. S.-H. Ho, β€œFast parallel molecular solutions for DNA-based supercomputing: the subset-product problem,” Biosystems, vol. 80, no. 3, pp. 233–250, 2005. View at Publisher Β· View at Google Scholar
  15. D. Boneh, C. Dunworth, and R. J. Lipton, β€œBreaking DES using a molecular computer,” Tech. Rep. CS-TR-489-95, Princeton University, Princeton, NJ, USA, 1995. View at Google Scholar
  16. W.-L. Chang, M. Guo, and M. S.-H. Ho, β€œFast parallel molecular algorithms for DNA-based computation: factoring integers,” IEEE Transactions on Nanobioscience, vol. 4, no. 2, pp. 149–163, 2005. View at Publisher Β· View at Google Scholar
  17. J. Watson, M. Gilman, J. Witkowski, and M. Zoller, Recombinant DNA, Freeman, San Francisco, Calif, USA, 2nd edition, 1992.
  18. F. Eckstein, Oligonucleotides and Anologues, Oxford University Press, Oxford, UK, 1991.
  19. J. Watson, N. Hoplins, J. Roberts, J. Steitz, and A. Weiner, Molecular Biology of the Gene, Benjamin/Cummings, Menlo Park, Calif, USA, 1987.
  20. G. M. Blackburn and M. J. Gait, Nucleic Acids in Chemistry and Biology, IRL Press, Washington, DC, USA, 1990.
  21. M. Wiener and R. Zuccherato, β€œFaster attacks on elliptic curve cryptosystems,” in Selected Areas in Cryptography, vol. 1556 of Lecture Notes in Computer Science, pp. 190–200, Springer, New York, NY, USA, 1999. View at Publisher Β· View at Google Scholar