Asymmetric cipher based on MPF and its security parameters evaluation

A new asymmetric cipher algorithm based on the matrix power function and matrix conjugation is presented. The algorithm is an alternative to the known algorithms based on the conjugacy problem, see e.g. the Ko–Lee et al. scheme, and to the Anshel–Anshel–Goldfeld algorithm based on the commutator concept. The security parameters are defined and their values are determined.


Introduction
One of the well-known problems used in non-commutative cryptography is the conjugator search problem (CSP) in some non-commutative group G. The problem is to find any element x satisfying the equation h = x^{-1} g x, where h and g are public elements of G. Two different approaches to CSP-based encryption schemes have been suggested. The first one is the Ko–Lee et al. scheme (see [3]). It uses the commuting-subgroups concept, i.e. the secret elements are chosen from two mutually commuting subgroups. The other approach, the Anshel–Anshel–Goldfeld algorithm, was suggested in [1]. This scheme uses the commutator concept for obtaining a shared key. It was shown by Shpilrain and Ushakov in [6] that, instead of solving the CSP, an adversary can try to solve a much easier decomposition problem. Hence the Anshel–Anshel–Goldfeld scheme is considered the more advanced. Nevertheless, this scheme has a disadvantage: it uses tuples of generators as private keys and hence increases memory requirements.
In this paper we suggest a new asymmetric encryption scheme, which is an alternative to the schemes mentioned above. Our scheme is based on the matrix power function (see [4, 5]) and an additional constraint on its arguments, namely the conjugation equation. We reduce the memory requirements for key storage.

MPF definition and properties
The matrix power function (MPF) was first introduced in [4]. This function is defined for square m × m matrix arguments X and Y and is denoted by

where Q is a base m × m matrix and E is the MPF value, an m × m matrix whose elements are defined by the system of equations:

To define the MPF completely we assume that the matrix Q is defined over the platform group Z_n^* = {a : a < n, gcd(a, n) = 1}. The matrices X and Y must then be chosen from the matrix group over the power ring Z_r = {0, 1, . . . , r − 1}, as powers of the elements of the matrix Q. All actions in the groups Z_n^* and Z_r are performed modulo n and r respectively. It is shown in [5] that the MPF is associative and the left-right actions
In this paper we consider a non-cyclic platform group Z_n^*, where the composite n can be expressed as n = pq with p, q prime. This yields the power ring Z_{λ(n)}, where λ(n) is the Carmichael function, defined as the smallest positive integer t such that a^t ≡ 1 (mod n) for all a coprime with n. The choice of the power ring Z_{λ(n)} is natural, since a^{λ(n)} = 1 for all a ∈ Z_n^*, which means that all powers can be reduced modulo λ(n). If n = pq, then λ(n) = lcm(p − 1, q − 1), where lcm stands for the least common multiple.

Asymmetric cipher
The construction of the suggested asymmetric cipher is based on the conjecture that the MPF is a candidate one-way function (OWF). This means that the direct MPF computation, i.e. calculating the matrix E for instances Q, X and Y when the MPF system of equations (2) is supplemented with an additional matrix conjugacy equation, is easy, while the MPF inversion is hard. We will demonstrate how the sender (Bob) can encrypt a message, which can then be decrypted by the receiver (Alice).
Let Q be a public matrix selected over the platform group and let A be a public matrix selected over the power ring. Alice's private key is a pair of matrices (X, U) = PrK_A, where X is a randomly selected non-singular matrix and U is a polynomial of A, i.e. U = P_U(A). Her public key is PuK_A. Alice uses her private key to decrypt Bob's message. Bob encrypts a message M using Alice's PuK_A and performing the following actions:
1. Bob chooses a random non-singular matrix Y and computes Y^{-1} A Y;
2. Bob selects a random matrix V = P_V(A) and computes ^V Q ^Y. His public key is PuK_B.
3. Bob uses Alice's public key to compute the following matrices:
• Bob computes X V X^{-1} = P_V(X A X^{-1});
• raises the matrix ^X Q ^U to the power X V X^{-1} on the left and obtains ^{XV} Q ^U;
• raises the resulting matrix to the power Y on the right and obtains ^{XV} Q ^{UY}, which is his encryption key matrix K_B.
Since the elements of the matrix K_B are random and uniformly distributed, Bob can now use the obtained key K_B = ^{XV} Q ^{UY} to encrypt the message M.

The ciphertext is
C = M ⊕ K_B,
where ⊕ stands for the XOR operation. Bob sends (C; PuK_B) to Alice.
To decrypt Bob's message Alice does the following:
1. Alice computes Y^{-1} U Y = P_U(Y^{-1} A Y);
2. Alice raises the matrix ^V Q ^Y to the power Y^{-1} U Y on the right and then raises the resulting matrix to the power X on the left, hence obtaining her decryption key K_A = ^{XV} Q ^{UY};
3. Since K_A = K_B, Alice can now decrypt the message using her decryption key K_A and the relation M = K_A ⊕ C.
Note that only the matrices U and V commute. This is the main advantage of the suggested protocol compared with the protocols based on the CSP. Note also that, since Alice and Bob choose their matrices U and V as polynomials of A, only the coefficients of these polynomials must be stored. This shortens the private key lengths.
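The MPF actions of the previous section and the Alice/Bob exchange just described, as an added Python example; this is not the authors' implementation. Because the page's own formulas are not reproduced, the code assumes the element-wise MPF definition of the Sakalauskas et al. papers (each entry of the left action ^X Q is the product of the entries of a column of Q raised to the entries of a row of X, and symmetrically for the right action Q ^Y), takes Alice's public key as (X A X^{-1}, ^X Q ^U) and Bob's as (Y^{-1} A Y, ^V Q ^Y), since those are the matrices the listed steps consume, applies the XOR entry by entry to 6-bit message symbols, and uses m = 3 instead of the paper's m = 25 so that the cofactor-based inverse stays fast. The values n = 33 and λ(n) = 10 are the paper's.

```python
# Added example, not the paper's code: MPF over Z_n^* with exponent matrices
# over Z_lambda(n), and the encryption key agreement of the section above.
# Assumed (not on the page): the element-wise MPF formulas in mpf_left/mpf_right,
# the public-key tuples, entry-wise XOR on 6-bit symbols, and m = 3 instead of 25.
from math import gcd, prod
import random

def carmichael_pq(p, q):
    """lambda(n) for n = p*q with distinct primes p, q: lcm(p - 1, q - 1)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def mat_mul(A, B, mod):
    m = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(m)) % mod
             for j in range(m)] for i in range(m)]

def _minor(M, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]

def det(M, mod):
    """Determinant by cofactor expansion; fine for the small m used here."""
    if len(M) == 1:
        return M[0][0] % mod
    return sum((-1) ** j * M[0][j] * det(_minor(M, 0, j), mod)
               for j in range(len(M))) % mod

def mat_inv(M, mod):
    """Inverse over Z_mod via the adjugate; None unless det(M) is a unit mod `mod`."""
    d = det(M, mod)
    if gcd(d, mod) != 1:
        return None
    d_inv, m = pow(d, -1, mod), len(M)
    return [[((-1) ** (i + j) * det(_minor(M, j, i), mod) * d_inv) % mod
             for j in range(m)] for i in range(m)]

def mpf_left(X, Q, n):
    """Left action: (^X Q)_ij = prod_k Q_kj ^ X_ik (mod n)."""
    m = len(Q)
    return [[prod(pow(Q[k][j], X[i][k], n) for k in range(m)) % n
             for j in range(m)] for i in range(m)]

def mpf_right(Q, Y, n):
    """Right action: (Q ^Y)_ij = prod_k Q_ik ^ Y_kj (mod n)."""
    m = len(Q)
    return [[prod(pow(Q[i][k], Y[k][j], n) for k in range(m)) % n
             for j in range(m)] for i in range(m)]

def poly_of_matrix(coeffs, A, mod):
    """P(A) = c_0 I + c_1 A + ... + c_{m-1} A^{m-1} over Z_mod; it commutes with A."""
    m = len(A)
    power = [[int(i == j) for j in range(m)] for i in range(m)]
    result = [[0] * m for _ in range(m)]
    for c in coeffs:
        result = [[(result[i][j] + c * power[i][j]) % mod
                   for j in range(m)] for i in range(m)]
        power = mat_mul(power, A, mod)
    return result

def random_invertible(rng, m, mod):
    """Rejection-sample a matrix over Z_mod until its determinant is a unit."""
    while True:
        X = [[rng.randrange(mod) for _ in range(m)] for _ in range(m)]
        if mat_inv(X, mod) is not None:
            return X

def run_protocol(seed=1, p=3, q=11, m=3):
    """Full exchange with the paper's n = 33, lambda(n) = 10; m reduced to 3."""
    rng = random.Random(seed)
    n, r = p * q, carmichael_pq(p, q)
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    Q = [[rng.choice(units) for _ in range(m)] for _ in range(m)]  # public, over Z_n^*
    A = [[rng.randrange(r) for _ in range(m)] for _ in range(m)]   # public, over Z_r

    # Alice: PrK_A = (X, U = P_U(A)); public (X A X^-1, ^X Q ^U)
    X = random_invertible(rng, m, r)
    u_coeffs = [rng.randrange(r) for _ in range(m)]
    U = poly_of_matrix(u_coeffs, A, r)
    xax = mat_mul(mat_mul(X, A, r), mat_inv(X, r), r)
    xqu = mpf_right(mpf_left(X, Q, n), U, n)

    # Bob: Y invertible, V = P_V(A); public (Y^-1 A Y, ^V Q ^Y)
    Y = random_invertible(rng, m, r)
    v_coeffs = [rng.randrange(r) for _ in range(m)]
    V = poly_of_matrix(v_coeffs, A, r)
    yay = mat_mul(mat_mul(mat_inv(Y, r), A, r), Y, r)
    vqy = mpf_right(mpf_left(V, Q, n), Y, n)

    # Bob: X V X^-1 = P_V(X A X^-1); ^(XVX^-1)(^X Q ^U) = ^(XV) Q ^U; then ^Y on the right
    xvx = poly_of_matrix(v_coeffs, xax, r)
    K_B = mpf_right(mpf_left(xvx, xqu, n), Y, n)

    # Alice: Y^-1 U Y = P_U(Y^-1 A Y); (^V Q ^Y)^(Y^-1 U Y) = ^V Q ^(UY); then ^X on the left
    yuy = poly_of_matrix(u_coeffs, yay, r)
    K_A = mpf_left(X, mpf_right(vqy, yuy, n), n)

    # Constructed message: m*m symbols of 6 bits each (key entries are < n = 33 < 64)
    message = [rng.randrange(64) for _ in range(m * m)]
    cipher = [mi ^ ki for mi, ki in zip(message, [v for row in K_B for v in row])]
    recovered = [ci ^ ki for ci, ki in zip(cipher, [v for row in K_A for v in row])]
    return {"K_A": K_A, "K_B": K_B, "message": message, "recovered": recovered}
```

Two identities make K_A = K_B: a left action applied to a left action composes as the matrix product of the exponents, ^W(^X Q) = ^{WX} Q, and likewise (Q ^Y)^Z = Q ^{YZ}; both hold because every exponent sum can be reduced modulo λ(n) = 10, as every unit of Z_33 has order dividing 10. That is also why X and Y only need to be invertible modulo r = λ(n), not over the integers.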

Security parameters values determination
The suggested protocol has two main security parameters: the parameter n, defining the group Z_n^*, and the matrix order m. Since we obtain commuting matrices using polynomials, while the non-singular matrices X and Y can be chosen freely, to determine the main security parameters we rely on the following requirements:
1. The number of matrices commuting with a public matrix A defined over a power ring should be at least 2^80. Every commuting matrix should be obtained using polynomials of the matrix A;
2. The number of matrices conjugating with a public matrix A defined over a power ring should be at least 2^80.
If these requirements are satisfied, then an exhaustive search over the matrices X and Y is infeasible. We start with the proof of an important proposition, which will prove useful for the evaluation of the security parameters. We denote the idempotents of the group Z_pq by 1_p and 1_q, i.e. 1_p mod p = 1, 1_p mod q = 0 and 1_q mod p = 0, 1_q mod q = 1. The existence and uniqueness of these elements follow from the extended Euclidean algorithm. If A = {a_ij} and a_ij ∈ Z_pq, then we define A_p = {a_ij mod p} and A_q = {a_ij mod q}. Note that, according to the Chinese Remainder Theorem (CRT), a_ij = [a_ij mod p] · 1_p + [a_ij mod q] · 1_q.
Proposition 1. If A_p B_p = C_p and A_q B_q = C_q, then the matrices A, B and C satisfy the identity AB = C.
Proof.

since 1_p 1_q = 0. Since A_p B_p = C_p and A_q B_q = C_q, we get AB = C. Hence the following corollaries are true:

Let us denote r = λ(n) and assume that r = 2s, where s is prime. We can now evaluate the number of solutions of the commutation and conjugation equations defined over the ring Z_r using field theory and Proposition 1. We start with the commutation equation defined over the field Z_p. Let us assume that the matrix A is similar to a Jordan matrix, i.e. it can be expressed in the canonical Jordan form

where J_A is a Jordan matrix

We can now see from (6) that there are m different parameters a_1, a_2, . . . , a_m. Since the order of the field Z_p is |Z_p| = p, it is clear that there are p^m different matrices commuting with J_A. Hence we get all possible solutions of equation (3) by computing K^{-1} X K for the matrices X of the form (6). We have proven the following proposition:
Proposition 2. Let A be a square matrix of order m defined over a field Z_p. If A is similar to a Jordan matrix (5), then equation (3) has exactly p^m solutions.
We denote the set of matrices commuting with A (i.e. the solutions of equation (3)) by Com(A) and the number of these matrices by |Com(A)|. Note that not all matrices of Com(A) have an inverse, because the zero value cannot be chosen for the diagonal elements. If we exclude zero diagonal elements, we get exactly p^{m−1}(p − 1) invertible matrices satisfying equation (3). We denote the set of these matrices by Com*(A). It has been proven that for a matrix A satisfying Proposition 2, every commuting matrix can be expressed as a polynomial of A [2]. The degree of the polynomial is m − 1, since there are m linearly independent matrices commuting with A. The following corollaries of Proposition 1 give the evaluation of the number of solutions of equation (3) defined over a ring Z_r:

The conjugation equation, i.e.
defined over the field Z_p, can be considered in a similar way. It can be shown that the conjugation equation is equivalent to the commutation equation in the field Z_p if we consider only invertible matrices. Hence equation (7) has p^{m−1}(p − 1) solutions if defined over a field Z_p and r^{m−1}(s − 1) solutions if defined over a ring Z_r. Keeping this in mind, the parameters are chosen as follows:
1. For the platform group definition we seek to minimize the group order and to maximize the maximal orders of the group elements. In this case the optimal solution is to choose n = 3p with a prime number p = 2s + 1, where s is also prime. This yields r = 2s;
2. Since we consider equations (3) and (7) defined over a power ring Z_r, the number r^{m−1}(s − 1) must be greater than or equal to 2^80. Since s − 1 = (n − 9)/6 and r = (n − 3)/3,
3. Since we want to make this cipher usable in systems with limited resources, we must choose parameter values that reduce memory and computation resources. We have chosen n = 33, since in this case the total amount of bits needed to store information is the smallest. This yields m = 25 and λ(n) = 10. The total amount of bits used to store information is 17840 bits, which is approximately 2.2 kilobytes.
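The CRT decomposition of Proposition 1, the solution counts p^m, p^{m−1}(p − 1) and r^{m−1}(s − 1), and the choice of m = 25 for n = 33, checked by brute force in the added Python example below (not the paper's code). Since equations (3) and (7) are not reproduced on the page, the code assumes that the commutation equation is AX = XA and counts the conjugation solutions as the invertible solutions of that equation, which is the equivalence the text states. The enumeration uses m = 2 and the Jordan block A = [[3, 1], [0, 3]] over Z_10 = Z_{2·5}, so here 1_p and 1_q are the idempotents for the primes 2 and s = 5.

```python
# Added example, not the paper's code: CRT idempotents of Z_pq, a check of
# Proposition 1, brute-force |Com(A)| and |Com*(A)| for m = 2, and the smallest m
# satisfying r^(m-1) (s-1) >= 2^80 for n = 3p, p = 2s + 1.
# Assumed: equation (3) is A X = X A; the conjugation count is its invertible part.
from math import gcd
from itertools import product

def mat_mul(A, B, mod):
    m = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(m)) % mod
             for j in range(m)] for i in range(m)]

def reduce_mod(M, mod):
    return [[x % mod for x in row] for row in M]

def idempotents(p, q):
    """1_p, 1_q in Z_pq: 1_p is 1 mod p and 0 mod q; 1_q is 0 mod p and 1 mod q."""
    n = p * q
    one_p = next(e for e in range(n) if e % p == 1 and e % q == 0)
    one_q = next(e for e in range(n) if e % p == 0 and e % q == 1)
    return one_p, one_q

def crt_identity_holds(A, B, C, p, q):
    """Proposition 1 (and its trivial converse): A_p B_p = C_p and A_q B_q = C_q
    iff A B = C over Z_pq; also rebuilds each entry of A as
    [a mod p] * 1_p + [a mod q] * 1_q and compares with the original."""
    n = p * q
    one_p, one_q = idempotents(p, q)
    local = (mat_mul(reduce_mod(A, p), reduce_mod(B, p), p) == reduce_mod(C, p) and
             mat_mul(reduce_mod(A, q), reduce_mod(B, q), q) == reduce_mod(C, q))
    rebuilt = [[((x % p) * one_p + (x % q) * one_q) % n for x in row] for row in A]
    return local == (mat_mul(A, B, n) == reduce_mod(C, n)) and rebuilt == reduce_mod(A, n)

def count_commuting(A, mod):
    """(|Com(A)|, |Com*(A)|) over Z_mod by exhaustive enumeration; m = 2 only.
    A 2x2 matrix is invertible mod `mod` iff its determinant is a unit."""
    total = invertible = 0
    for a, b, c, d in product(range(mod), repeat=4):
        X = [[a, b], [c, d]]
        if mat_mul(A, X, mod) == mat_mul(X, A, mod):
            total += 1
            if gcd((a * d - b * c) % mod, mod) == 1:
                invertible += 1
    return total, invertible

def minimal_m(n, target_bits=80):
    """Smallest m with r^(m-1) (s-1) >= 2^target_bits, where n = 3p, p = 2s + 1,
    so s = (n - 3) / 6 and r = 2s = (n - 3) / 3 as in the text."""
    s = (n - 3) // 6
    r = 2 * s
    m = 1
    while r ** (m - 1) * (s - 1) < 2 ** target_bits:
        m += 1
    return m
```

For the Jordan block over Z_5 the enumeration finds 25 = p^m commuting matrices, 20 = p^{m−1}(p − 1) of them invertible; over Z_10 it finds 100 = r^m and 40 = r^{m−1}(s − 1), the product of the two prime-field counts, as Proposition 1 predicts. minimal_m(33) returns 25: with r = 10 and s − 1 = 4, 10^{23} · 4 falls short of 2^80 while 10^{24} · 4 exceeds it.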