Novel Hybrid Public/Private Key Cryptography Based on Perfect Gaussian Integer Sequences

This paper proposes a novel hybrid public/private key cryptography scheme based on perfect Gaussian integer sequences (PGISs) of period N = pq. First, a review of degree-4 PGIS construction is presented. We show that circular convolution over PGISs is a trapdoor one-way permutation function that enables simultaneous cipher encryption and digital signatures. To implement the proposed cipher encryption scheme, a private PGIS is assigned as the encryption key sequence for circular convolution with the plaintext to generate the ciphertext. The reverse decryption key sequence involves the time reflection and complex conjugation of the encryption sequence, which can be regenerated using a pair of public and private keys. The security level of the proposed scheme is the same as that of the Rivest-Shamir-Adleman (RSA) system; however, the capacity of a cryptosystem based on PGISs may outperform that of one based on RSA, because abundant PGISs are available. Simulation results show that the approximation error when finite digits are used to represent the irrational coefficients of a normalized PGIS can be relatively small compared with the noise. This contributes to the simplicity of this scheme’s implementation. With the fast development of the Internet of Things (IoT), the adaptation and applicability of the proposed scheme to IoT platforms are also addressed, where lightweight cryptographic functions are preferable due to the limited resources of IoT devices.


I. INTRODUCTION
Encryption is the process of converting ordinary information (plaintext) into unintelligible text (ciphertext), which can be read only if decrypted. A cipher is a pair of algorithms that encrypt the plaintext and decrypt the ciphertext. The operation of a cipher is controlled by the algorithm and by a key in each instance. Cryptosystems are categorized into two types: symmetric and asymmetric. In symmetric systems, the same private key is used to encrypt and decrypt a message. Asymmetric systems use a public key to encrypt a message and a private key to decrypt it. Symmetric models include one-time pad, the commonly used advanced encryption standard (AES), which replaced the older data encryption standard (DES) [1], etc. Asymmetric systems include the Rivest-Shamir-Adleman (RSA) algorithm [2], the Diffie-Hellman key exchange algorithm [3], the digital signature standard [4], and the elliptic curve cryptography [5], [6].
Public-key cryptography does not require a secure channel for the initial exchange of one (or more) secret keys; thus, it is often used to secure electronic communication over an open network environment such as the Internet. By contrast, symmetric cryptosystems encounter the private key distribution and management problem, in which the cost and delay imposed by key distribution are major barriers to the transfer of business communications to large networks or the Internet.
With the rapid development of the Internet and the high demand for secure communications across public networks, public-key cryptography has attracted much more attention than private-key cryptography because of its affordability. The development of public-key cryptography originated with the trapdoor one-way concept introduced by Diffie and Hellman [3]. However, they did not present an example of how such a cryptosystem could be implemented. The search for a trapdoor one-way function was left as an open problem, rendering public-key encryption a fascinating theoretical discovery but unusable in practice. The factorization of a product of two large prime numbers is an example of a trapdoor one-way permutation function. Although selecting and verifying two large primes and multiplying them together is easy, factoring the resulting product is very difficult. Motivated by the trapdoor one-way property of prime factorization, Rivest et al. implemented the first public-key cryptosystem, known as the asymmetric RSA cryptosystem [2].
In this paper, we show that circular convolution over perfect Gaussian integer sequences (PGISs) is also considered a trapdoor one-way function, and we create a novel cipher encryption and decryption scheme based on circular convolution and a set of PGISs. A sequence is regarded as perfect if it has an ideal periodic autocorrelation function (PACF), and a PGIS is a perfect sequence (PS) in which all elements are complex numbers (i.e., a + bj, where $j = \sqrt{-1}$ and a and b are integers). To implement this scheme, an encryption key sequence is chosen from a set of PGISs of period N = pq, where both p and q are odd primes, for circular convolution with plaintext of size N to generate a ciphertext. The encryption PGIS is kept private, and the decryption key is the time reflection and complex conjugation of the encryption PGIS. The public key consists of all information, except the private key number, which is required for generating the decryption PGIS at the receiver end. Because the private key number is available only to authorized users and can be shared by other means such as the Diffie-Hellman key exchange algorithm, the ciphertext cannot be encrypted by adversaries. The proposed scheme consists of both public and private keys; thus, it is basically public-key cryptography. However, public-key cryptography encounters no private key exchange problem. Compared with private-key cryptography, our scheme has the advantage that it requires only the private key number to be shared between two parties, instead of the secure distribution of more complex decryption keys among authorized users. Therefore, it is considered a form of hybrid public/private key cryptography, and it can take advantage of both.
The construction of PGISs has become a prominent research topic [7]-[22], because their implementation is simpler than those of other PSs with real or complex coefficients. PGISs were applied to orthogonal frequency-division multiplexing (OFDM) systems for peak-to-average power ratio reduction [15] and were used to construct a transformation matrix for precoded OFDM systems to achieve full frequency diversity and an optimal bit error rate [16]. PGISs were also adapted as the frequency-domain comb-spectrum (CS) codes for a novel CS-CDMA system [17]. Recently, Chang developed a CDMA scheme based on PGISs, called the PGIS-CDMA system [18]. This is the first study to apply PGISs to a data encryption and decryption scheme, where the operation of data encryption is made through circular convolution. As addressed in Section VI, circular convolution is considered a vector-wise operation rather than an element-wise operation; the vector-wise operation is more complex, but it can achieve a higher level of confidentiality. This study begins with a review of the construction of a set of degree-4 PGISs of period N = pq. In this construction, the degree of a sequence is defined as the number of distinct nonzero sequence elements within one period. The resultant set of PGISs is then applied in the proposed hybrid public/private key cryptography.
Here, the development of PGIS constructions is briefly introduced. A general form of even-period PGISs was presented in [7]. Yang et al. [8] constructed PGISs of an odd prime period p by using cyclotomic classes with respect to the multiplicative group of GF(p). Ma et al. [9] later presented PGISs with a period of p(p + 2) based on Whiteman's generalized cyclotomy of order two over $Z_{p(p+2)}$, where p and (p + 2) are twin primes. Degree-3 and degree-4 PGISs of arbitrary composite periods were constructed by Chang et al. [10]. Lee et al. focused on constructing degree-2 PGISs of various periods using two-tuple-balanced sequences and cyclic difference sets [11]-[12]. Pei et al. developed algorithms that could generate PGISs of arbitrary periods [13]. A systematic method for constructing sparse PGISs in which most of the elements are zero appeared in [14]. Lee et al. constructed families of PGISs with high energy efficiency [19], [20]. PGISs of period $p^k$ with degrees less than or equal to k + 1 were proposed in [21]. Chang et al. contributed a thorough study of constructing PGISs of period N = qp, where p and q are two primes [22].
This paper is organized as follows. The definition and properties of PGISs are introduced in Section II. We present the review study of degree-4 PGIS construction of period N = qp for the proposed scheme in Section III, showing that there exist infinite PGISs of this period. We prove in Section IV that PGIS-based circular convolution is a trapdoor one-way permutation function. The implementation and digital signatures are addressed in Section V. In Section VI, the performance of RSA, other private-key cryptography and the proposed scheme are compared. An analysis of approximation that uses finite digits to represent the irrational coefficients of a normalized PGIS is presented in Section VII.
In Section VIII, we analyze the adaptation and applicability of the proposed scheme to IoT (internet of things) platform. Finally, conclusions are drawn in Section IX.

A. DEFINITIONS OF PGIS
Let N = pq, where p and q are distinct prime numbers. In be the periodic autocorrelation function (PACF) of s, i.e., where the superscript * denotes the complex conjugate operation, and $(\cdot)_N$ is the modulo N operation. Define is the energy of sequence s, and $\delta_N$ is a delta sequence of period N. The DFT pair relationship between $R_s = E \cdot \delta_N$ and $S \bullet S^* = |S|^2$ indicates that a sequence s is perfect if and only if the spectrum magnitude of s is flat (i.e.,
Theorem 1: ([18]) In addition to the N-tuple s = (a, 0, ..., 0) and all N − 1 circular shifts, there are no other degree-1 PGISs of period N, where a is a nonzero Gaussian integer.

B. CONSTRUCTION AND PROPERTIES OF CIRCULANT MATRIX
We define a circulant matrix X of size N × N based on the sequence $x = \{x[n]\}_{n=0}^{N-1}$ of period N, where the elements of x form the first column of X. With this definition, $X = \{x[(n-k)_N]\}$, and the (n, k) entry of X, denoted as $X_{n,k}$, is } denote the circular shift of x to the right by i steps. Circulant matrix X can be expressed using the matrix form as follows: The eigenvalues of a circulant matrix comprise the DFT of the first column of the circulant matrix, and conversely, the first column of the circulant matrix is the inverse DFT of the eigenvalues. In particular, all circulant matrices have the same eigenvectors ([23] and p. 267 of [24]), where $[\cdot]^T$ denotes a transpose. Let U be the matrix consisting of the eigenvectors $u_m$ as columns in order and $\Psi = \mathrm{diag}(\psi_k)$ is the diagonal matrix with diagonal elements $\psi_0, \psi_1, \cdots, \psi_{N-1}$. It is true that $UU^H = U^H U = I_N$, where $I_N$ is an identity matrix and $[\cdot]^H$ denotes transpose and conjugate operation.
where $\Omega = \mathrm{diag}(\psi_m \beta_m)$ is the diagonal matrix with diagonal elements $\psi_0\beta_0, \psi_1\beta_1, \cdots, \psi_{N-1}\beta_{N-1}$, and CB is a circulant matrix.
Lemma 2: In any circulant matrix constructed from a PGIS with a degree higher than one, the number of distinct eigenvalues of the associated circulant matrix is at least two.
Proof: The eigenvalues of a circulant matrix comprise the DFT of the first row of the circulant matrix, which is identical to the associated PGIS; conversely, the first row of a circulant matrix is the inverse DFT of the eigenvalues. When the circulant matrix is constructed from degree-1 PGIS, all eigenvalues are the same by Theorem 1; this indicates that there exist at least two distinct eigenvalues when the circulant matrix is constructed from a PGIS with a degree larger than one.

C. PROPERTIES OF PGIS
Some properties of PGISs, which are essential for determining the cardinality of a set of PGISs, are summarized in the following.
3) All $s_1 \otimes s_2 \otimes \cdots \otimes s_n$, 2 ≤ n ≤ k, are PGISs of period N;
4) $\{s_i \otimes s_j, s_i \otimes s_i, s_j \otimes s_j\} \nsubseteq \{c_1 \cdot s_i, c_2 \cdot s_j\}$, where 1 ≤ i, j ≤ k, and $c_1$ and $c_2$ are two non-zero Gaussian integers.
Proof: 1) The proof that $s_i \otimes s_i$, $s_i \otimes s_{-i}$, and $s_1 \otimes s_2 \otimes \cdots \otimes s_n$ are PGISs of period N is straightforward and is omitted here for brevity.
2) To prove $s_i \otimes s_i \neq c_1 \cdot s_i$, let $S_i$ be the circulant matrix constructed by sequence $s_i$; the circulant matrix constructed by $s_i \otimes s_i$ is then $S_i^2$ by Lemma 1. Because the degree of $s_i$ is larger than one, there exist at least two distinct eigenvalues of $S_i$ by Lemma 2, and the ith eigenvalue of $S_i^2$ is the square of the ith eigenvalue of $S_i$. This indicates that there exists no Gaussian integer $c_1$ such that $s_i \otimes s_i = c_1 \cdot s_i$ is true.
3) The circulant matrix constructed by $s_i \otimes s_j$ is $S_i S_j$, where circulant matrix $S_j$ is constructed by $s_j$, and the ith eigenvalue of matrix $S_i S_j$ is the product of the ith eigenvalue of $S_i$ and $S_j$. This demonstrates that $s_i \otimes s_j$ cannot belong to set $\{c_1 \cdot s_i, c_2 \cdot s_j\}$ by Lemma 1 and Lemma 2.
The properties of Theorem 4 show that for a set of PGISs of the same period, $A = \{s_1, s_2, \ldots, s_m\}$, the cardinality m of set A has no upper bound. New PGISs can be constructed by applying these properties. In particular, property 4 of Theorem 4 indicates that applying circular convolution to two arbitrary PGISs generates a new PGIS that cannot be spanned by the two original PGISs. This explains the abundant PGISs available for the proposed scheme.

III. CONSTRUCTION OF DEGREE-4 PGIS OF PERIOD N=PQ
A. REVIEW STUDY OF DEGREE-4 PGIS CONSTRUCTION
We briefly review the degree-4 PGIS construction from [22]. Let $Z_N$ denote the ring {0, 1, ..., N − 1} with integer multiplication modulo N and integer addition modulo N, and $Z_N^{\times} = Z_N \setminus \{0\}$. First, we summarize some results on degree-4 PGISs of period N = pq from [22]. Three subsets of $Z_N^{\times}$ are defined as follows: In [22], three nonlinear equations to govern four coefficients, $a_i = x_i + jy_i$, i = 0, 1, 2, 3, of sequence $s = \{s[n]\}_{n=0}^{N-1}$ to be a degree-4 PGIS are expressed below The decomposition method is applied to transform these nonlinear constrained equations of (3) into three linear systems of four equations with $x_2$, $y_2$, $x_3$, and $y_3$ as the variables. These linear systems can be expressed using the matrix notation and $b_i$ is a data column vector. It has where . By choosing constants $x_0$, $y_0$, $x_1$, and $y_1$ such that all $|A_i| \neq 0$, we can always adjust these four constants and derive the integer solutions of four variables ($x_2$, $y_2$, These eight parameters $x_n$, $y_n$, n = 0, 1, 2, 3, meet the system of three nonlinear equations (3).

B. NEW CONSTRUCTION OF DEGREE-4 PGIS
We can add three new linear systems of four equations to facilitate the cryptographic applications, where the detailed procedures are derived here. The second equation of (3) can be replaced by subtracting from the top equation of (3), after which it becomes The nonlinear equation (10) can be decomposed into two parts, which results in a linear system of two equations. We provide three different decomposition methods, which are respectively presented below Based on the results of (11), (12) and (13), the nonlinear constrained equations of (3) can also be transformed into three linear systems of four equations with the four variables $x_1$, $y_1$, $x_3$, and $y_3$. These linear systems can be expressed using the matrix notation . By choosing constants $x_0$, $y_0$, $x_2$, and $y_2$ such that all $|A_i| \neq 0$, i = 4, 5, and 6, we can always adjust these four constants and derive the integer solutions of four variables These eight parameters $x_n$, $y_n$, n = 0, 1, 2, 3, meet the system of three nonlinear equations (3).
For more degree-4 PGISs of period N = pq, refer to [22].
Theorem 5: There exist infinite degree-4 PGISs of composite period N = pq, where p and q are odd prime numbers.
Proof: We present two construction examples in Example 1 in which one solution set $(x_2, y_2, x_3, y_3)$ is derived from one set of four parameters $(x_0, y_0, x_1, y_1)$ and the other solution set $(x_1, y_1, x_3, y_3)$ is derived from another set of four parameters $(x_0, y_0, x_2, y_2)$; these four coefficients $x_i + jy_i$, i = 0, 1, 2, 3, construct two different degree-4 PGISs. Because there exist unbounded sets of four parameters $(x_0, y_0, x_1, y_1)$ or $(x_0, y_0, x_2, y_2)$ that can make coefficient matrix $A_i$ nonsingular, there exists an infinite number of degree-4 PGISs of composite period N = pq.

IV. CIRCULAR CONVOLUTION-TRAPDOOR ONE-WAY PERMUTATION FUNCTION
Let $y = \{y[n]\}_{n=0}^{N-1} = x \otimes s$ denote the circular convolution between x and s; that is, The result of $y = x \otimes s$ can be expressed using matrix expression where the circulant matrix X is given in (21).
When the result of y in (20) is given, s can be derived from y and x through circular deconvolution, which is equivalent to solving a system of N linear equations in the N unknowns $\{s[n]\}_{n=0}^{N-1}$. The matrix expression of the solution is given by In (22), the inverse $X^{-1}$ of a nonsingular N × N matrix can be computed through Gauss elimination and back-substitution with $N^3$ multiplications/divisions and $N^3 - 2N^2 + N$ additions/subtractions [25]. With an increase in N, the increasingly heavy computing load can make circular deconvolution infeasible. However, when x is a PGIS with energy E, we have $x \otimes x^{*}_{-1} = E \cdot \delta_N$. This indicates that the inverse of the coefficient matrix is given by $X^{-1} = \frac{1}{E} X^H$, and the solution $s = \frac{1}{E} X^H y$ is obtained directly without a system of N linear equations being solved.
Theorem 6: There exist numerous pairs of nonzero sequences $x_i$ and $s_i$ of length N, such that n=0 be the DFTs of y $x_i$ and $s_i$. Taking the DFT of equations showing that the following solutions exist.
For any fixed constant Y[k], there exist numerous pairs of . 2) Let $M_i$ and $M_k$ be two circulant matrices constructed using $x_i$ and $x_k$, respectively. The matrix expression of $y = x_i \otimes s_i$ is given by $y = M_i s_i$, from which the unique solution is proven.
Theorem 6 indicates that for a given y, numerous pairs of $(x_i, s_i)$ exist that can satisfy equation $y = x_i \otimes s_i$; however, when one vector in this pair is given, the other one is uniquely determined. Example 3 presents an example for demonstration. An eavesdropper who hears only the transmitted y (ciphertext) cannot apply (22) to decrypt y and obtain s, where the unique solution of equation (22) is evaluated on the basis of the assumption that y and x are available.
In contrast to the factorization of a product of two prime numbers featuring one-to-one mapping between a pair of two primes (p, q) and N (= pq), circular convolution features multiple-to-one mapping among a pair of two sequences $(x_i, s_i)$ and the resultant $y (= x_i \otimes s_i)$. The multiple-to-one mapping property of circular convolution complicates or even prevents the operation of circular deconvolution, and is thus considered one-way. When $x_i$ is available and is a PGIS, the operation of circular deconvolution becomes straightforward, with PGIS $x_i$ acting as the trapdoor for circular convolution. In addition, circular convolution is commutative, with $x_i \otimes s_i = s_i \otimes x_i$. The circular convolution operation over PGISs is a trapdoor one-way permutation.
i=0 be six sequences of period 13. These sequences are given by where a = 10 + 25j, and b = −3 − j.

V. PGIS-BASED HYBRID PUBLIC/PRIVATE KEY CRYPTOGRAPHY
A. CIPHER ENCRYPTION AND DECRYPTION SCHEME
As described in [2], the encryption and decryption procedures typically consist of a general method and an encryption key. RSA uses exponentiation modulo a product of two very large primes for data encryption and decryption. Its security is connected to the extreme difficulty of factoring large integers. The encryption key is the pair of positive integers (e, n), and the private decryption key is another pair of positive integers (d, n).
In our proposed cipher encryption and decryption scheme, the N-point circular convolution and a set of PGISs of period N = pq can function as the general method and the encryption key, respectively. The public key is $(N, x_0, y_0, x_1, y_1, A_i, b_i)$. In Section III, four coefficients $x_i + jy_i$, i = 0, 1, 2, 3, for constructing a degree-4 PGIS are governed by a system of four linear equations The associated degree-4 PGIS s constructed using this set of four coefficients $x_i + jy_i$ can serve as the encryption sequence to generate ciphertext by circularly convoluting it with block data plaintext of size N. Because the elements of $x = [x_2\ y_2\ x_3\ y_3]^T = A_i^{-1} b_i$ are uniquely determined by six values of $x_0$, $y_0$, $x_1$, $y_1$, p, and q, the decryption sequence $s^{*}_{-1}$ can easily be generated by an authorized user with the assigned public key $(N, x_0, y_0, x_1, y_1, A_i, b_i)$ and private key number p or q. However, to malicious cryptanalysts, the public key cannot generate the decryption sequence without the actual value of p or q. When both p and q are long strong primes, the difficulty of factoring N into p and q provides the same security level as that of the RSA scheme.
Let The plaintext $m_i$ is circularly convoluted with the encryption key s to generate the ciphertext $c_i = s \otimes m_i$. Note that the encryption key associated with user B should properly be subscripted as $s_B$, because each user has a private key sequence. However, we consider only a typical case, and the subscript is omitted.
The detailed procedures for encryption using PGIS s and decryption using $s^{*}_{-1}$ are summarized as follows:
1) At the transmitter end, circular convolution between the encryption key s and $m_i$ generates the ciphertext
2) The ciphertext $c = (c_1, c_2, \ldots, c_k)$ and public key $(N, x_0, y_0, x_1, y_1, A_i, b_i)$ are transmitted through the common channel. The private key p can be shared by the Diffie-Hellman key exchange algorithm [3].
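The encryption and decryption steps above, carried through in exact integer arithmetic as an added example (not code from the paper). Assumptions of this example: a toy period N = 15, a constructed degree-2 PGIS of the form (2 − N + jy, 2, ..., 2) in place of the paper's degree-4 key, a key formed by convolving two such sequences, and all function names.

```python
# Added example (not from the paper): exact round trip for c = s (*) m.
# All values are small Gaussian integers, so complex-float arithmetic is exact.

def cconv(x, s):
    """N-point circular convolution: y[n] = sum_k x[k] * s[(n - k) mod N]."""
    n = len(x)
    return [sum(x[k] * s[(i - k) % n] for k in range(n)) for i in range(n)]

def reflect_conj(s):
    """Time reflection plus complex conjugation: r[n] = conj(s[(-n) mod N])."""
    n = len(s)
    return [s[(-i) % n].conjugate() for i in range(n)]

def energy(s):
    """Sequence energy E = sum_n |s[n]|^2, an integer for Gaussian integers."""
    return int(sum(v.real ** 2 + v.imag ** 2 for v in s))

def is_perfect(s):
    """True when s (*) reflect_conj(s) equals E * delta_N (ideal PACF)."""
    r = cconv(s, reflect_conj(s))
    return r[0] == energy(s) and all(v == 0 for v in r[1:])

def degree2_pgis(n, y):
    """Constructed sequence (2 - n + jy, 2, ..., 2); an assumption of this
    example, chosen because its PACF is easy to verify by hand."""
    return [complex(2 - n, y)] + [complex(2, 0)] * (n - 1)

def encrypt(block, s):
    """Ciphertext block c = s (*) m for a plaintext block of N bytes."""
    if len(block) != len(s):
        raise ValueError("plaintext block must have length N")
    return cconv(s, [complex(b, 0) for b in block])

def decrypt(c, s):
    """Recover m = (1/E) * (reflect_conj(s) (*) c)."""
    e = energy(s)
    scaled = cconv(reflect_conj(s), c)      # equals E * m exactly
    return bytes(int(v.real) // e for v in scaled)

P, Q = 3, 5                                  # toy primes, N = pq = 15
N = P * Q
S1 = degree2_pgis(N, 1)
S2 = degree2_pgis(N, 4)
KEY = cconv(S1, S2)                          # convolution of two PGISs
PLAINTEXT = b"PGIS block demo"               # constructed 15-byte block
CIPHERTEXT = encrypt(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("key perfect:", is_perfect(KEY), "energy:", energy(KEY))
    print("max |c[n]|:", max(abs(v) for v in CIPHERTEXT))
    print("decrypted:", decrypt(CIPHERTEXT, KEY))
```

The decryption needs no linear solve: convolving with the reflected conjugate key and dividing by E is the whole inverse, which is the trapdoor property of Section IV.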

B. EFFICIENT SCHEME FOR PROCESSING DIGITAL SIGNATURES
n=0 be a nonzero sequence of length N, in which b[n] ∈ {1, 0} is preferable to lighten the computing load. We can apply an additional private encryption sequence $s_b$ to generate sequence $d = s_b \otimes b$. d and b can be attached to ciphertext $c = (c_1, c_2, \ldots, c_k)$ as the overhead of the document; that is, the transmitted ciphertext becomes $(d, b, c_1, c_2, \ldots, c_k)$. After the receipt and detection of d and b, the receiver performs an authentication check to verify the origination of the consecutive ciphertext by examining whether the condition $S_b^H b = d$ holds, where $S_b$ is the circulant matrix constructed using encryption sequence $s_b$. The pair of two sequences (d, b) can serve as efficient digital signatures for the associated PGIS-based cipher encryption scheme because a pair of (d, b) cannot be forged. In addition, a signer cannot later deny the validity of his or her signature because $d (= s_b \otimes b)$ is uniquely determined by a private key $s_b$. To operate digital signatures simultaneously with cipher encryption, the public key becomes $(N, x_0, y_0, x_1, y_1, x_{0b}, y_{0b}, x_{1b}, y_{1b}, A_i, b_i)$, where the additional four coefficients $x_{0b}$, $y_{0b}$, $x_{1b}$, and $y_{1b}$ are assigned for generating $s_b$ by authorized users.

VI. COMPARISON OF PROPOSED SCHEME WITH OTHER CRYPTOSYSTEMS
The proposed scheme is considered a form of hybrid public/private key cryptography, and the comparison of public-key, private-key and the proposed key cryptography is addressed in this section. Public-key cryptography has two primary use cases: authentication and confidentiality. Messages can be signed with a private key, and then anyone with the public key is able to verify that the message was created by someone possessing the corresponding private key. Without authentication, it is easy for attackers to modify the message, and in many flawed systems even decrypt messages. However, most public-key encryption schemes can only encrypt small chunks of data at a time, much smaller than the messages we want to be able to send. Public-key schemes are also generally quite slow, much slower than their private-key counterparts. By contrast, private-key cryptography encounters the private key distribution and management problem. The number of key exchanges grows about as fast as the number of people squared. The fundamental problem of the large number of key exchanges has not been solved yet. The computing load of the proposed scheme, in which circular convolution is applied to encrypt and decrypt a message, is smaller than that of the other two schemes. However, this scheme still relies on a key exchange algorithm to share a common secret key number. The proposed scheme might combine the advantages of the other two schemes, striking a balance between the two extremes. More detailed comparisons are made in the following two subsections.

A. COMPARISON BETWEEN RSA AND PROPOSED SCHEME
RSA and the proposed scheme based on PGISs are compared as follows:
1) Data encryption using exponentiation modulo N ($c = m^e \bmod N$) does not increase the size of a message. This is the merit of the RSA scheme. However, when plaintext is circularly convoluted with a PGIS that has large coefficients, the ciphertext also contains larger values. In addition, the energy level of ciphertext is proportional to the period of the PGIS, which should be sufficiently large to provide the desired security. The escalation of the energy level poses a major challenge to the implementation and transmission of the resultant ciphertext. This topic is further addressed in Section VII.
2) The public-key cryptosystem based on the RSA scheme provides an effective method for key management and authentication, but it is inefficient for the bulk encryption of data. In addition, to apply the RSA scheme for data encryption, the message can only be an integer in the interval [0, N − 1]; however, there is no such data type restriction when data encryption is conducted through circular convolution operation. Therefore, the proposed scheme has more potential applications.
3) The capacity (C) of a cryptosystem is defined as the maximum number of authorized users the associated system can support simultaneously. Consider either a multiple-to-one or a multiple-to-multiple secure communication scenario, where the capacity of a cryptosystem based on the RSA scheme is determined by the number of available pairs of exponents (d, e), because each pair of two parties should have a unique (d, e) key pair. For each $N_i = p_i q_i$, the number of pairs of private key $d_i$ and public key $e_i$, which satisfies $d_i e_i \equiv 1 \bmod (p_i - 1)(q_i - 1)$, cannot compete with the unbounded cardinality of a set of PGISs of period $N_i = p_i q_i$ by Theorem 5. Actually, it is imperative for each pair of two parties to choose its own RSA modulus $N_i$ to avoid the common modulus attack. When many pairs of $(e_i, d_i)$ are assigned associated with the same $N_i$, knowledge of any $(e_i, d_i)$ pair allows for the factorization of the modulus $N_i$, and hence any entity could subsequently determine the decryption exponents of all other entities in the network. Also, if a single message were encrypted and sent to two or more entities in the network, then there is a technique by which an eavesdropper (any entity not in the network) could recover the message with high probability using only publicly available information [26]. However, the proposed PGIS-based scheme using circular convolution for data encryption will not encounter the common modulus attack problem.
4) To meet future high demand for secure communications over public networks, the values of $N_i = p_i q_i$ must be allowed to escalate without an upper bound to achieve the high system capacity requirement when a cryptosystem is operated based on the RSA scheme. When $N_i$ is extremely large, it becomes unrealistic to use the exponentiation modulo $N_i$ algorithm to implement data encryption because of excessive time complexity. Therefore, a PGIS-based cryptosystem is preferred because abundant PGISs are available for a fixed $N_i$, although implementing such a system requires more memory and bandwidth.

B. COMPARISON BETWEEN PRIVATE-KEY AND PROPOSED SCHEME
In most private-key cryptography, the operation of data encryption between private key and message is based on element-wise operation. We can take the one-time pad scheme as an example, where the XOR operation between two binary streams is made in a bit-by-bit manner, which is a special case of the element-by-element manner. Circular convolution of two sequences produces one sequence of the same period, where the value of the nth entry y (19), is the inner product of two sequences (vectors) s and the n-step circular shift of $x_{-1}$, denoted by $x^{(n)}$ We say that this kind of data encryption is based on vector-wise operation, because the resultant output of each entry is obtained from processing two sets of data, which are two vectors, rather than two data elements.
Let sequence $s = \{s[n]\}_{n=0}^{N-1}$, where $s[n] = s_n$. This implies where $\delta_N^{(n)}$ denotes the circular shift of $\delta_N$ to the right by n steps. Based on the fact that $m \otimes \delta_N^{(n)} = m^{(n)}$, we can express circular convolution between m and s as follows:
Private-key cryptography and the proposed scheme based on PGISs are compared as follows:
1) Equation (28) implies that circular convolution between m and s is a linear combination of m and its circular shifts, which is obviously a vector-wise operation, and the coefficients of the linear combination and the number of circular shifts are determined by the number of nonzero elements of s. The vector-wise operation is more complex than the element-wise operation, but the former has more potential to provide confidentiality for the proposed cryptosystem. The reason is that the combination of individual parts into a single one is straightforward; however, the inverse operation of decomposing the resultant output into individual parts is difficult.
2) Different inner products of two vectors can result in the same scalar output, and this is the reason circular convolution features multiple-to-one mapping between different pairs of sequence set $\{(x_i, s_i)\}$ and the resultant output $y (= x_1 \otimes s_1 = \cdots = x_i \otimes s_i = \cdots)$. Without the PGIS key, it is difficult for an eavesdropper to extract information from a set of ciphertexts, especially when the period N = pq of the PGIS key is large enough, where the computing load of solving the multiple-to-one mapping problem is formidable.
3) A private key can be used only once in the one-time pad scheme, and in other private-key cryptosystems such as DES and AES, reusing a private key is still not suggested from a confidentiality point of view, especially because it is an element-wise operation. Thus, to communicate between n users in a public network, $\frac{n(n-1)}{2}$ key exchanges are needed, so the number of key exchanges grows about as fast as the number of people squared. The vector-wise operation of the proposed scheme contributes not only confidentiality but also the applicability of reusing the same PGIS key in a public network. As shown in Section VIII, applying a linear combination to a message and its circular shifts can contribute larger differences to the resultant ciphertext, even though the messages have smaller differences between each other.

VII. ANALYSIS OF APPROXIMATION ERROR
Let $A = \{s_1, s_2, \ldots, s_m\}$ be a set of PGISs. The cardinality m of A can be as large as needed, depending on the capacity requirement of the cryptosystem. When more PGISs of the same pattern are constructed from the solutions of the same constraint equations, the values of the resultant coefficients gradually increase. Therefore, energy levels of these PGISs escalate. When plaintext is circularly convoluted with a PGIS that belongs to a higher energy level, the energy of the associated ciphertexts escalates beyond that of the ciphertexts convoluted with PGISs that contain smaller coefficients.
Differing ciphertext energy levels might provide a method for adversaries to sift through PGISs and initiate a ciphertext attack. To overcome this problem and reduce the number of digits required to represent the resultant ciphertext, all PGISs in the same set should be normalized to the same unit energy. In this case, the energy level of a ciphertext can remain the same as that of the original plaintext; thus, all ciphertexts have the same energy level. However, when the square root energy $\sqrt{E}$ of a PGIS is an irrational number, the coefficients of the normalized PGIS become irrational as well. This presents a considerable challenge for the implementation and transmission of the resultant ciphertexts, given that an infinite number of digits are required to represent an irrational number. In this section, the performance of the proposed encryption scheme is analyzed when the irrational coefficients of the normalized PGISs are stored and processed using a finite number of digits.

A. MODEL OF APPROXIMATION ERROR
Let $s_{ai} = s + e_{ai}$ be the approximation of $s$ obtained by keeping the first $i$ digits of each irrational number, where $e_{ai}$ is the approximation error. Given that all sequences are normalized to unit energy, the values of all coefficients of the sequences are less than one, except for those of the degree-1 PGIS. Let $\pm 0.d_1 d_2 \cdots d_i \cdots$ be a typical irrational coefficient, where the value of the $i$th digit $d_i \in \{0, 1, \ldots, 9\}$. We apply the following algorithm to approximate the irrational number: When $d_{i+1} \in \{0, 1, \ldots, 4\}$, the first $i$ digits are preserved untouched, which yields $\pm 0.d_1 d_2 \cdots d_i$. For $d_{i+1} \in \{5, 6, \ldots, 9\}$, when adding "1" to the original $i$th digit does not cause overflow, the first $i-1$ digits are maintained and $d_i$ is substituted with $d_i + 1$ to yield $\pm 0.d_1 d_2 \cdots d_{i-1}(d_i + 1)$. When adding "1" to the original $i$th digit causes overflow, $d_i = 0$ and $d_{i-1} = d_{i-1} + 1$ are assigned, and overflow checking moves backward one digit to the resultant $d_{i-1} + 1$. This process should be performed backward one digit at a time until the overflow stops. The resultant approximation becomes $\pm 0.d_1 d_2 \cdots d_{r-1}(d_r + 1)$, where $1 \le r < i$ is the entry where the overflow stops.

The approximation error caused by using only $i$ digits to represent an irrational number is similar to the quantization noise caused by using finite quantization levels to approximate an analog signal in a digital signal processing unit. The quantization noise is modeled as uniformly distributed within the interval $[-\Delta/2, \Delta/2]$, where $\Delta$ is the quantization step. When the overflow problem is ignored, the approximation error in each entry of $e_{ai}$ lies within the interval $[-10^{-i}/2, 10^{-i}/2]$; thus, it can be modeled as uniformly distributed within this interval, like quantization noise.
Given that the variance of the uniform distribution is $(10^{-i})^2/12$ and the size of an approximation error vector is $N \times 1$, the overall variance of the approximation error is $N \cdot 10^{-2i}/12$. When the error-to-signal power ratio is defined as $E_a/S = |s_{ai} - s|^2 / |s|^2$, where $|s|^2 = 1$, the ratio is given by

$$\frac{E_a}{S} = -20i - 10\log 12 + 10\log N \ \text{dB}. \qquad (30)$$

Equation (30) indicates that a low error-to-signal power ratio $E_a/S$ can be achieved when more digits are used to approximate an irrational number; however, processing and transmitting the resultant ciphertexts requires additional memory and bandwidth. In addition, a large period $N$ of an encryption key raises the error-to-signal ratio. Fig. 1 compares the $E_a/S$ of four periods ($N = 10^4$, $10^6$, $10^8$, and $10^9$) when the number of digits varies from three to nine. This figure shows that the $E_a/S$ power ratio can reach the −50 dB level when four, five, and six digits are used for the periods $N = 10^4$, $10^6$, and $10^8$, respectively, and that the $E_a/S$ power ratio changes by −20 dB when one more digit is used for approximation. Fig. 2 presents the number of digits required to achieve the desired $E_a/S$ levels of −35, −45, −55, and −65 dB, respectively, when the period of the PGIS is in the interval between $10^5$ and $10^9$. If the threshold of the $E_a/S$ power ratio is set at the −45 dB level, four to six digits are required to represent an irrational number, five to seven digits are required to meet the −55 dB threshold, and so on. We can summarize the relationship among $E_a/S$, the period of the PGIS, and the number of digits as follows:

1) When the period of the PGIS is fixed, the addition of one more digit to approximate an irrational number contributes a gain of 20 dB to the $E_a/S$ power ratio; thus, an inverse relationship exists between $E_a/S$ and the number of digits.
2) When the required $E_a/S$ power ratio is set as the threshold, the period of the PGIS is proportional to the number of digits required to achieve the desired $E_a/S$ level; more digits are required when the period of the PGIS is increased.

B. SIMULATION EXAMPLES
In this section, $\bar{s}$ denotes the normalized original PGIS $s$; however, we retain the four coefficients $a_k$, $k = 0, 1, 2$, and $3$ of the PGIS for simplicity. Let $a_{ki}$ denote the approximation of $a_k$ performed using the first $i$ digits. For period $N = pq$, the numbers of $a_k$ that appear in the PGIS are $(p-1)(q-1)$, $p-1$, $q-1$, and $1$; thus, the actual approximation power error should be

The theoretical error-to-signal power ratio of equation (30), which is $E_a/S = -20i - 10\log 12 + 10\log N$ dB, provides a mathematical estimation of the approximation error. We present two extreme examples to demonstrate the results of approximation, where the coefficients of one PGIS are relatively small compared with the other one, and the period of the PGIS is $N = 3 \cdot 5$, where $p = 3$ and $q = 5$. The four coefficients of the first PGIS are $a_0 = 20 - 10j$, $a_1 = 10j$, $a_2 = 8 + 2j$, and $a_3 = -135 - 161j$, and the PGIS is normalized to be

$$\bar{s}_s = (\ldots, a_0, a_0, a_2, a_0, a_1, a_2, a_0, a_0, a_2, a_1, a_0, a_2, a_0, a_0). \qquad (31)$$

For the second PGIS, each coefficient consists of ten digits: $b_0 = -1933763400 - 165925440j$, $b_1 = -133594380 + 183006000j$, $b_2 = -1791601386 + 1432299606j$, and $b_3 = 4630497750 + 152422992j$. The normalized PGIS is given by $\bar{s}_l$ where the energy $E_l$ of $\bar{s}_l$ is $E_l \approx 4.313209552479988 \times 10^{19}$, requiring 20 digits to represent the actual value of $E_l$. Let $\bar{s}_{sk}$ and $\bar{s}_{lk}$ be the approximations of $\bar{s}_s$ and $\bar{s}_l$ obtained using the first $k$ digits. $e_{sk} = \bar{s}_s - \bar{s}_{sk}$ and $e_{lk} = \bar{s}_l - \bar{s}_{lk}$ denote the approximation errors. The period $N = 15$ of the preceding examples is rather small, deviating from the longer period required for the proposed scheme to achieve the desired security.
However, we can explain that as the period $N$ increases from 15 to $15 \times 10^{10}$, although the coefficients differ in order for the associated sequence to be a PGIS, the relative power of the error escalates from approximately $10\log 15$ dB to $10\log(15 \times 10^{10})$ dB, incurring an additional power loss of $10 \cdot \log(10^{10}) = 100$ dB. We can apply five more digits for irrational coefficient approximation to compensate for this additional power loss, because the inclusion of one more digit to approximate the irrational coefficients contributes a 20 dB power gain.
Let $m = (1, -1, -1, 1, 1, 1, -1, 1, -1, 1, -1, -1, 1, -1, 1)$ be the message. Ciphertexts $c_s = m \otimes \bar{s}_s$ and $c_l = m \otimes \bar{s}_l$ denote the exact ciphertexts generated using the exact normalized $\bar{s}_s$ and $\bar{s}_l$, respectively, and those generated using the approximations are denoted by $c_{si}$ and $c_{li}$, respectively. The results are expressed as follows: and where $E_l \approx 4.313209552479988 \times 10^{19}$, and $h_0 = 1434047658 + 3348873084j$,

We ignore noise contamination to simplify the analysis and comparison of performance using finite numbers of digits. At the receiver end, the authorized receiver can apply the exact encryption sequence $s^*_{-1}$ to decrypt the transmitted approximation ciphertexts $c_{sk}$ and $c_{lk}$, because the public key can consist of original coefficients instead of the normalized coefficients. We present only the results of $m_{s3}$ and $m_{l3}$ for demonstration.

To evaluate the overall errors caused by the coefficient approximation of a normalized PGIS, we have and Equations (37) and (38) imply that We conclude that Equation (40) demonstrates that the power of the error-to-signal ratio of the proposed cipher encryption is solely determined by the approximation error, without calculation of the noise contamination. When $k$ digits are used to approximate the normalized encryption key sequence, the memory space and transmission bandwidth of the ciphertext are $2k$ times those of the plaintext, because a complex coefficient has two parts, the real and the imaginary.
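The first N = 15 example and equation (30) can be checked numerically. The following is an added example, not code from the paper: the function names are hypothetical, placing $a_3$ at index 0 is an assumption (the first entry of (31) is missing above), and both the real and imaginary parts of each coefficient are rounded to $i$ digits.

```python
import math

P, Q = 3, 5                      # page's example: N = pq = 15
N = P * Q
A = {0: 20 - 10j, 1: 10j, 2: 8 + 2j, 3: -135 - 161j}   # a_0..a_3 from the page
M = [1, -1, -1, 1, 1, 1, -1, 1, -1, 1, -1, -1, 1, -1, 1]  # message from the page

def build_pgis():
    """a_1 at multiples of q, a_2 at multiples of p, a_0 elsewhere, as in (31).
    a_3 at index 0 is an assumption (that entry is missing from the page)."""
    def pick(n):
        if n == 0:
            return A[3]
        if n % Q == 0:
            return A[1]
        return A[2] if n % P == 0 else A[0]
    return [pick(n) for n in range(N)]

def cconv(x, y):
    """Circular convolution of two equal-length sequences."""
    n = len(x)
    return [sum(x[k] * y[(t - k) % n] for k in range(n)) for t in range(n)]

def reflect_conj(s):
    """Decryption sequence: time reflection and complex conjugation."""
    return [s[(-t) % len(s)].conjugate() for t in range(len(s))]

def normalize(s):
    """Scale to unit energy; the divisor sqrt(E) is irrational here."""
    root_e = math.sqrt(sum(abs(c) ** 2 for c in s))
    return [c / root_e for c in s]

def round_digits(s, i):
    """Keep i decimal digits of each real and imaginary part."""
    return [complex(round(c.real, i), round(c.imag, i)) for c in s]

def measured_db(i):
    """|s_ai - s|^2 / |s|^2 in dB for the i-digit key, with |s|^2 = 1."""
    s = normalize(build_pgis())
    return 10 * math.log10(sum(abs(a - b) ** 2 for a, b in zip(round_digits(s, i), s)))

def eq30_db(i, n=N):
    """Equation (30): -20i - 10 log 12 + 10 log N, in dB."""
    return -20 * i - 10 * math.log10(12) + 10 * math.log10(n)

def roundtrip(i):
    """Encrypt M with the i-digit key, decrypt with the exact reflected conjugate."""
    s = normalize(build_pgis())
    return cconv(cconv(M, round_digits(s, i)), reflect_conj(s))
```

Rounding the real parts of `roundtrip(3)` returns the original message, and `measured_db(i)` can be compared with `eq30_db(i)` for each number of digits.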

VIII. ADAPTATION TO IOT APPLICATIONS
With the fast development of IoT, the usage of various smart applications such as smart home, smart traffic, and smart cities has increased exponentially. However, the encryption sequence $s$ that can be generated by an authorized user with the assigned public key $(N, x_0, y_0, x_1, y_1, A_i, b_i)$ and private key $p$ or $q$ might not be realizable at the nodes of IoT devices due to resource constraints (low computation power and less memory). A lightweight solution is the unique security feature required for the IoT platform. Theorem 7 provides a theoretical means to adapt the proposed scheme for IoT applications, where the computing load of constructing the encryption PGIS key at the IoT devices can be relieved.

(41) is also a PGIS with the same degree. To operate the proposed scheme on the IoT platform, a PGIS $w$ of prime period $N = p$ can be implanted in the IoT devices in advance, where the prime number $p$ might not be large. PGIS $w$ should be kept secret, and we can update $w$ when necessary. Given that PGIS $w$ is available, the upsampled PGIS $w'$ becomes the encryption private key used to create the ciphertext, where the upsampling factor $m$ is determined by the size of the plaintext. The receiver end can apply $w'^{*}_{-1}$ to decrypt the ciphertext. The modified version of the proposed scheme is characterized by a lower computing load because the upsampled $w'$ is a sparse PGIS, where $(m-1)p$ coefficients of $w'$ are zeros.
In (46), the number of Gaussian integers that are underlined is 15. These Gaussian integers are the same as those that appear in (44). The number of differences between $m$ and $m_1$ is 5, while there are four times as many differences between $c$ and $c_1$, namely 20. Even though the encryption key $w'$ has a small period and only five nonzero coefficients, it still achieves the goal of expanding the differences between the two ciphertexts $c$ and $c_1$. However, if PGIS $s_{35}$, which appears in (18), is applied to encrypt these two messages, the entire contents of the two ciphertexts, $c_2$ and $c_3$, are extremely different.
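The upsampling step can be illustrated as follows. This is an added example, not the paper's code or its sequences: `W` is a constructed degree-2 PGIS of period $p = 5$ (not the page's $w$), the function names are hypothetical, and keeping the key in Gaussian integers and dividing by its energy at decryption is an assumption made so that all arithmetic stays exact.

```python
# Constructed PGIS of prime period p = 5: one coefficient a, four coefficients b.
W = [-1 - 2j, 1 + 1j, 1 + 1j, 1 + 1j, 1 + 1j]
# Message of length 15 from Section VII, so the upsampling factor is m = 3.
MSG = [1, -1, -1, 1, 1, 1, -1, 1, -1, 1, -1, -1, 1, -1, 1]

def upsample(w, m):
    """Insert m - 1 zeros after every coefficient: period p becomes m * p."""
    out = [0j] * (m * len(w))
    out[::m] = w
    return out

def autocorr(s):
    """Periodic autocorrelation; a perfect sequence is zero at every nonzero lag."""
    n = len(s)
    return [sum(s[k] * s[(k - t) % n].conjugate() for k in range(n)) for t in range(n)]

def sparse_cconv(msg, key):
    """Circular convolution that visits only the nonzero key taps."""
    n = len(msg)
    taps = [(k, v) for k, v in enumerate(key) if v != 0]
    return [sum(v * msg[(t - k) % n] for k, v in taps) for t in range(n)]

def decrypt(c, key):
    """Convolve with the reflected conjugate key, then divide by the key energy."""
    n = len(key)
    rev = [key[(-t) % n].conjugate() for t in range(n)]
    energy = sum(abs(v) ** 2 for v in key)
    return [v / energy for v in sparse_cconv(c, rev)]

def demo(m=3):
    """Encrypt MSG and a copy with one flipped entry; count differing ciphertext entries."""
    key = upsample(W, m)
    msg1 = list(MSG)
    msg1[4] = -msg1[4]            # constructed single-entry change
    c, c1 = sparse_cconv(MSG, key), sparse_cconv(msg1, key)
    changed = sum(1 for x, y in zip(c, c1) if x != y)
    return key, c, changed
```

With this key, each ciphertext entry costs $p = 5$ multiplications instead of 15, and a single changed message entry changes five ciphertext entries.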

IX. CONCLUSION
This study proposes a novel hybrid public/private key cryptography based on circular convolution over a set of PGISs of period N = pq. We show that circular convolution over PGISs is a trapdoor one-way permutation function involving the simultaneous performance of encryption and digital signatures. The abundant PGISs contribute to the high capacity of the associated cryptosystem; however, this system has the drawbacks of greater memory and bandwidth consumption. Data encryption using circular convolution is considered a vector-wise operation; thus, it has more potential to achieve a higher level of confidentiality than private-key cryptography based on element-wise operations. In addition, circular convolution is equivalent to a linear combination of the message and its circular shifts, which is characterized by a low computing load. These two properties make the proposed hybrid public/private key cryptography a candidate scheme for future lightweight cryptosystems.