A general construction for monoid-based knapsack protocols

We present a generalized version of the knapsack protocol proposed by D. Naccache and J. Stern at Eurocrypt 1997. The new framework allows the construction of other knapsack protocols with similar security features. We outline a concrete example of a new protocol that uses an extension field of a finite field of small characteristic instead of the prime field $\mathbb{Z}/p\mathbb{Z}$, and which is more efficient in terms of computational cost for an asymptotically equal information rate and a similar key size.


Introduction
Building new asymmetric encryption schemes has always been one of the main goals of cryptographers. After the idea of public key cryptography was presented in [1], only a few more public key encryption schemes were developed, such as RSA [2], ElGamal [3], the McEliece cryptosystem [4], NTRU [5] or HFE [6] (for an overview see [7,8]). Some new ideas for building cryptographic schemes based on semigroup actions can be found in [9], while in the context of knapsack quantum cryptographic schemes we refer for instance to [10]. What D. Naccache and J. Stern built in [11] was a proposal for an asymmetric protocol (NSK) following the earlier ideas of Morii and Kasahara in [12], further developed by Kasahara et al. in [13,14]. The NSK protocol consists of a shuffling modulo $p$ of an easy problem over the integers, namely the factorization of a composite integer whose prime factors are chosen from a fixed set of small size. Given a prime $p$ and the finite field $\mathbb{Z}/p\mathbb{Z}$ of remainder classes, the NSK protocol relies on the unique factorization property of $\mathbb{Z}$, which guarantees that the encryption map is injective.
This approach can be generalized to multiplicative monoids (Section 2), and the NSK protocol is just a particular instance of the general framework for the monoid $(\mathbb{Z}, \cdot)$ (subsection 2.1). Using this general setting we construct an analogue of the NSK protocol relying on the unique factorization property of $\mathbb{F}_q[x]$ instead of $\mathbb{Z}$, where $\mathbb{F}_q$ is the finite field of order $q$ (Section 3). The security of our particular proposal rests on the arithmetic of the finite field $\mathbb{F}_q[x]/(h(x))$ for some irreducible $h(x) \in \mathbb{F}_q[x]$ of suitable degree (instead of the field of remainder classes $\mathbb{Z}/p\mathbb{Z}$). One of the main advantages of this setting is that the security rests on an exponentiation over a finite field in such a way that an attacker cannot even set up a discrete logarithm problem (DLP). Indeed, as we show below, since the optimal version of the NSK protocol requires the chosen prime $p$ to be close to $\prod_i p_i$, factoring $p - j$ for some small $j$ reveals the carriers and allows a reduction to a DLP. In our case, instead, we choose a set of irreducible polynomials and fix the degree of the reducing polynomial; the modulus then leaks nothing comparable, since the structural conditions involve only the degrees of the carrier polynomials used for the encryption, and no such DLP reduction is available.
In subsection 3.2.3 some issues concerning the security of the protocol are addressed, in particular how to avoid subgroup attacks that could leak information about the plaintext.
This new setting also brings advantages in terms of the computational cost of encryption and decryption: arithmetic in the finite field $\mathbb{F}_{q^m}$ is generally cheaper than arithmetic in $\mathbb{Z}/p\mathbb{Z}$ when $p \simeq q^m$ and $q \ll p$. We analyse the key features of our protocol, such as the number of parameters involved in setting up the public key, which shows a greater flexibility than the NSK protocol.
In subsection 3.2.2 we analyse the asymptotics of the information rate of our protocol, showing that it equals that of [11]. An exact formula for the information rate is also provided.
As a by-product, we present in Section 3.3 a variation of the polynomial protocol in which the irreducibility of $h(x)$ is dropped. Encryption is performed over a suitable direct sum of fields, and decryption is available thanks to the Chinese Remainder Theorem.

The new class
In this section we will present a generalized version of the protocol presented in [11].
Let $S$ be a monoid and $\sim$ a congruence on $S$ of finite index. We denote the class of an element $s \in S$ with respect to $\sim$ by $[s]$.

Definition 1. A morphism $\psi$ is said to be $\sim$-proper if
• the induced map $\psi : S/\!\sim \longrightarrow S/\!\sim$ is invertible.

Definition 2. Given $L \in \mathbb{N}$, we say that $S$ is $L$-cryptable under $\sim$ if there exist a $\sim$-proper morphism $\psi$ and elements $s_1, \dots, s_L \in S$ such that the map $\alpha^{\psi}_{\sim}$ built from them (the encryption map, see below) is injective.

The following proposition will be useful later on.

Proposition 1. Given a monoid $S$ that is $L$-cryptable under $\sim$, the following maps are also injective:

Proof. Since $\psi$ is a $\sim$-proper morphism, $\alpha_\sim$ is also injective. Moreover, $\alpha^{\psi}_{\sim}$ injective implies that $\alpha^{\psi}$ is injective; and since $\psi$ is an injection, $\alpha$ is injective as well.

As we have already pointed out, these properties are necessary for the encryption to be meaningful. In the following we will see how to find non-trivial examples of this construction. Now denote the image of any map $f$ between sets by $\Im(f)$, and consider the following problems:

Let now $S$ be an $L$-cryptable monoid under a congruence $\sim$. Whenever a given triple $(S, \sim, \psi)$ is such that Problem 1 is difficult and Problem 2 is easy, we define a cryptosystem as follows. Let

Remark 1. The reader should observe that in the definition of the protocol we used neither the injectivity of $\psi$ nor the fact that $S/\!\sim$ is a quotient of a monoid $S$. This is nevertheless the case in all the examples of this protocol we could find, where Problem 2 is easy because a suitable lift to $S$ is available. Indeed, in practical situations the problem is solved by computing $(\alpha^{-1} \circ \Gamma)(c')$, where $\Gamma$ is a lift $S/\!\sim \longrightarrow S$ such that the following diagram commutes when $\Gamma := \Gamma|_{\Im(\alpha_\sim)}$

Remark 2. Notice that the information rate is $L/b$, where $b$ is the number of bits needed to represent an element of $S/\!\sim$.

In what follows we show how the NSK protocol fits in this rather general framework, together with brand new protocols involving polynomials over finite fields.

NSK as a particular instance
In this section we will show how the Naccache-Stern (NSK) protocol fits in our general framework, in the case S = (Z, ·).
Consider the prime ideal $P = (p)$ generated by a prime number $p \in \mathbb{Z}$, and denote by $\sim$ the congruence induced by $P$; it is obviously of finite index. Let $v$ be a positive integer coprime to $p - 1$, let $u = v^{-1} \bmod (p-1)$, and let $\psi$ : It can easily be checked that $\psi$ is a $\sim$-proper morphism of $\mathbb{Z}$. Now choose $L$ distinct prime numbers $p_i$ such that is an injection; $(\mathbb{Z}, \cdot)$ is therefore $L$-cryptable under the relation induced by the ideal generated by $p$.
Remark 3. Notice that we are able to write equation (3) because we can always take the canonical representative $x \in \{0, \dots, p-1\}$ of a remainder class modulo $p$. By construction this representative is also the only representative in $\Im(\alpha)$, and therefore we have a canonical lift satisfying (1).
Remark 4. Notice that when $p = t + \prod_i p_i$ for small $t$, the information rate is maximal. Unfortunately, in this case factoring $p - t$ is easy, because $p - t$ is $p_L$-smooth and $p_L \ll p$, and this reveals the bare carriers $p_i$. Breaking the NSK protocol is then no harder than solving the DLP for the pairs $(p_i, p_i^v \bmod p)$. Nevertheless the protocol remains interesting for additional features such as those of [11, Section 3].
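As an added illustration (example code written for this edited page, not taken from [11] or from the paper), the following Python implements the instance just described with the smallest primes as carriers and $p = \mathrm{NextPrime}(\prod_i p_i)$, and then shows the leakage of Remark 4 from the attacker's side: trial division of $p - t$ for small $t$ by the primes up to $p_L$ recovers the bare carriers, which is exactly what sets up the DLP for the pairs $(p_i, p_i^v \bmod p)$. The carrier count, the seed for the secret exponent and the smoothness bound are choices of the example.

```python
# Added example (not the paper's code): the NSK instance of Section 2.1 over
# S = (Z, .) with the congruence modulo a prime p, and the leakage of Remark 4.
from math import gcd, isqrt


def is_prime(n):
    """Trial division; adequate for the toy sizes of this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def first_primes(L):
    """The L smallest primes p_1 < ... < p_L, used as bare carriers."""
    out, n = [], 2
    while len(out) < L:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def nsk_keygen(L, v_start=1009):
    """p = NextPrime(prod p_i) as in Remark 4 (maximal information rate),
    v the first integer >= v_start invertible mod p-1, u = v^-1 mod p-1.
    Public key: (p, [p_i^v mod p]); secret key: (u, [p_i])."""
    carriers = first_primes(L)
    prod = 1
    for q in carriers:
        prod *= q
    p = prod + 1
    while not is_prime(p):
        p += 1
    v = v_start
    while gcd(v, p - 1) != 1:      # psi: x -> x^v must be invertible on (Z/pZ)^*
        v += 1
    u = pow(v, -1, p - 1)
    return (p, [pow(q, v, p) for q in carriers]), (u, carriers)


def nsk_encrypt(public, bits):
    """c = prod (p_i^v)^{m_i} mod p."""
    p, pub_carriers = public
    c = 1
    for P, m in zip(pub_carriers, bits):
        if m:
            c = c * P % p
    return c


def nsk_decrypt(secret, public, c):
    """c^u mod p = prod p_i^{m_i} < p is the canonical lift to Z (Remark 3);
    unique factorisation over the carriers then gives the bits back."""
    u, carriers = secret
    t = pow(c, u, public[0])
    bits = []
    for q in carriers:
        if t % q == 0:
            bits.append(1)
            t //= q
        else:
            bits.append(0)
    assert t == 1, "not in the image of the encryption map"
    return bits


def smooth_candidates(p, bound, max_t=256):
    """Attacker's view (Remark 4): trial-divide p - t for small t by the primes
    up to `bound`; every t whose p - t is bound-smooth is a candidate for
    prod p_i, and its factorisation hands over the bare carriers."""
    found = []
    for t in range(1, max_t + 1):
        n, factors, d = p - t, [], 2
        while d <= bound and n > 1:
            while n % d == 0:
                factors.append(d)
                n //= d
            d += 1
        if n == 1:
            found.append((t, factors))
    return found
```

With `L = 8` the carriers are the primes up to 19, $p$ is the next prime after $9699690$, and `smooth_candidates(p, 19)` lists the few small $t$ for which $p - t$ factors completely over those primes; one of them is $\prod_i p_i$ itself, so the attacker learns every $p_i$ from the public modulus alone.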

A polynomial version
In this section we give a version of the protocol that works over $\mathbb{F}_{q^d}$ instead of $\mathbb{Z}/p\mathbb{Z}$, in such a way that $q^d$ is of the same order of magnitude as the size $p$ of the field $\mathbb{Z}/p\mathbb{Z}$ used in NSK, but $q \ll p$. In this case the specific difficult problem we rely on is the following.

Problem 3. Let $F$ be a finite field and $L \in \mathbb{N}$. Given $y_1, \dots, y_L \in F$,

Let now $k = \mathbb{F}_q$ and $k[x]$ the polynomial ring in one variable over $k$. Let $h(x)$ be an irreducible element of $k[x]$ of degree $d$, and let $\sim$ be the congruence associated with the ideal $H = (h(x))$ generated by the irreducible polynomial $h(x)$. An efficient algorithm for finding irreducible polynomials of a given degree is given, for instance, in [15]. Set

and

Remark 5.
Notice that in the present description of the protocol there are several different strategies for choosing the polynomials; we analyse the properties of some interesting choices in the following sections. Again, we have the encryption map:

Proof. Definition 2 requires that the map $\alpha^{\psi}_{\sim}$ be an injection. Assume

where, in the last equation, we may assume that no reduction has happened, since property (4) holds. Indeed

Recalling that $k[x]$ is a unique factorization domain, we get $m_i = n_i$ for all $i$.
So our ciphertext is $c(x) = \alpha^{\psi}_{\sim}(m_1, \dots, m_L)$. Decryption is simply given by polynomial division of $c(x)^u$ by the carriers, that is to say

Remark 6. We stress once again that in obtaining equation (6) we used the canonical lift, where, for any representative $l(x)$ of a class, the lift is obviously independent of the choice of $l(x)$. Decryption is effectively performed in $\Im(\alpha)$, and the solution to Problem 2 is then given by

The information rate $I = L/(\deg(h) \log_2 q)$ depends on the choice of the carrier polynomials; we explain later how to maximise it.

Remark 7. Once the $p_i$'s are fixed, the top information rate for this protocol is obtained by choosing $h(x)$ such that

Indeed the information rate can always be maximised, since it is always possible to choose $h(x)$ so that (8) is satisfied (cf. Remark 4) without allowing a straightforward reduction to a DLP. This case is analysed in detail in 3.2.1.

A simple example
We now give an example in which $k[x] = \mathbb{F}_2[x]$ and the space of messages has size $2^9$. In order to reach a message size of 9 bits we need exactly 9 keys, that is to say 9 monic irreducible polynomials in $\mathbb{F}_2[x]$. From finite field theory we know that there are exactly $q$ monic polynomials of degree 1, and a closed-form count of monic irreducible polynomials of prime degree $d$ (the general formula is recalled in Proposition 4). So for $q = 2$ we have two polynomials of degree 1, one polynomial of degree 2, two polynomials of degree 3 and six polynomials of degree 5. For the sake of simplicity, even if the example is not optimal, as we will explain, let us choose all the irreducible monic polynomials of degree 1, 2 and 5, summing up to exactly 9 keys, namely:

Then the public key $h(x)$ must be irreducible of degree 35 (the degrees of the carriers sum to $1 + 1 + 2 + 6 \cdot 5 = 34$). For instance we may take

and set our protocol onto

We choose the secret key and the decryption exponent, accordingly, to be $v = 3821$ and $u = 25169564954$, so that $uv \equiv 1 \bmod (2^{35} - 1)$. Then we may publish the 9 carrier keys $p_i^v \bmod (h(x), 2)$:

Suppose we want to send the message $m = 111000111 \in \mathbb{Z}_2^9$; we encode it into

Once the message has been received, it suffices to take the $u$-th power, and the result is as follows:

whose factorization yields:

We used the factorization algorithm in this simple example because we are working with small messages; the decryption algorithm presented in (7) is the one to prefer.
The information rate associated with this encryption protocol is $I = 9/(35 \log_2 2) = 9/35 \simeq 25.7\%$, with a message space of size $2^9$.
Remark 8. A similar example is presented in [11], with $2^8$ messages. In the cited example the information rate is slightly higher than ours, yet comparable, but the message space is smaller.
If we wanted to match the size of the message space it would suffice to remove one polynomial of degree 5, obtaining an information rate of $I = 8/30 \simeq 26.7\%$.
Remarkably, just as there is apparently no key leakage in the NSK protocol, our protocol preserves the secrecy of the carrier keys. As a matter of fact, factoring the ciphertext $c$ gives no information whatsoever about the cleartext, as can be seen in the given example:

Remark 9. More generally, let $g(x)$ be the public modulus and . Now notice that inferring the factorization of $P(x)$ from the data of $c(x)$ in terms of the factor basis $\{p_1^{v m_1}, \dots, p_L^{v m_L}\}$ is the difficult problem on which the protocol relies, since the factorization of polynomials behaves badly with respect to reduction modulo irreducible polynomials. As a matter of fact, we base the security of our protocol on the randomness of the factorization of elements in the image of the map

In general, the security one usually expects from prime-number carriers (NSK) carries over to monic irreducible polynomials.
As we already pointed out, we are using a non-optimal setting in our example, in that we skipped the polynomials of degree 3 and 4 and used all those of degree 5 instead. If we decided to optimize the information rate we could take the two polynomials of degree 1, the single polynomial of degree 2, two of degree 3 and three of degree 4, for an overall encoding power of $2^8$ messages. Notice that the message space is again equal to that of the example given in [11].
Choosing polynomials of degree 3 and 4 instead of 5 allows us to reduce the degree of $h(x)$, that is to say the number of bits needed to encrypt a message: the carrier degrees now sum to $2 + 2 + 6 + 12 = 22$, so $\deg h = 23$ suffices. Computing the information rate in this case we obtain a much better result, $I = 8/23 \simeq 34.8\%$, which is slightly higher than the information rate presented in [11] for the same message size. The procedure works exactly the same way when we change the ground field from $q = 2$ to $q = 3$. This time we may choose three polynomials of degree 1, three of degree 2 and two of degree 3, all monic and irreducible, which reduces the overall degree of $h(x)$ to $\deg h(x) = 16$. In this case, for the same message size, we get an information rate of $I = 8/(16 \log_2 3) \simeq 31.5\%$, which is not better than the information rate in [11] for a message space of the same size, yet comparable.
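The following Python code is an added example (not the paper's own code) that runs the protocol with the parameters of this example: the nine carriers, $\deg h = 35$, $v = 3821$ and $u = 25169564954$. Since the page does not print $h(x)$, the code selects the irreducible polynomial of degree 35 with the smallest low-order part that passes the Ben-Or irreducibility test; this choice of $h$, and the representation of $\mathbb{F}_2[x]$ as Python integers (bit $i$ holding the coefficient of $x^i$), are assumptions of the example. Decryption follows (7): exact division of the canonical lift of $c(x)^u$ by each carrier.

```python
# Added example (not the paper's code): the F_2[x] instance of Section 3 with the
# parameters of the simple example. Polynomials over F_2 are Python ints, bit i
# holding the coefficient of x^i; h(x) is chosen by this code (an assumption).


def pdeg(a):
    return a.bit_length() - 1


def pmul(a, b):
    """Carry-less product in F_2[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    """Long division in F_2[x]; returns (quotient, remainder)."""
    q, db = 0, pdeg(b)
    while a and pdeg(a) >= db:
        s = pdeg(a) - db
        q ^= 1 << s
        a ^= b << s
    return q, a


def pmulmod(a, b, h):
    return pdivmod(pmul(a, b), h)[1]


def ppowmod(a, e, h):
    """Square-and-multiply in F_2[x]/(h)."""
    r, a = 1, pdivmod(a, h)[1]
    while e:
        if e & 1:
            r = pmulmod(r, a, h)
        a = pmulmod(a, a, h)
        e >>= 1
    return r


def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a


def is_irreducible(f):
    """Ben-Or test: f of degree d is irreducible over F_2 iff
    gcd(f, x^(2^i) - x) = 1 for i = 1 .. floor(d/2)."""
    x, xp = 0b10, 0b10
    for _ in range(pdeg(f) // 2):
        xp = pmulmod(xp, xp, f)          # x^(2^i) mod f
        if pgcd(f, xp ^ x) != 1:
            return False
    return True


# x, x+1, x^2+x+1 and the six irreducible quintics; degrees sum to 34 < 35
CARRIERS = [0b10, 0b11, 0b111,
            0b100101, 0b101001, 0b101111, 0b110111, 0b111011, 0b111101]
D = 35
V, U = 3821, 25169564954             # u*v = 1 mod (2^35 - 1), as on the page


def choose_modulus(d):
    """Assumption of this example: the irreducible polynomial of degree d
    with the smallest low-order part (constant term 1, else x divides h)."""
    for low in range(1, 1 << d, 2):
        h = (1 << d) | low
        if is_irreducible(h):
            return h


def public_key(h, v=V):
    """Published carriers p_i^v mod h(x)."""
    return [ppowmod(p, v, h) for p in CARRIERS]


def encrypt(pub, h, bits):
    """c(x) = prod (p_i^v)^{m_i} mod h(x)."""
    c = 1
    for P, m in zip(pub, bits):
        if m:
            c = pmulmod(c, P, h)
    return c


def decrypt(h, c, u=U):
    """c^u mod h = prod p_i^{m_i} has degree <= 34 < deg h, so it is the
    canonical lift; the bits are read off by exact division in the UFD F_2[x]."""
    t = ppowmod(c, u, h)
    bits = []
    for p in CARRIERS:
        q, r = pdivmod(t, p)
        if r == 0:
            bits.append(1)
            t = q
        else:
            bits.append(0)
    assert t == 1, "not in the image of the encryption map"
    return bits


def roundtrip(bits):
    h = choose_modulus(D)
    return decrypt(h, encrypt(public_key(h), h, bits))
```

`roundtrip([1, 1, 1, 0, 0, 0, 1, 1, 1])` returns the same nine bits: the $u$-th power undoes the $v$-th power because $\gcd(v, 2^{35} - 1) = 1$, and the product of the selected carriers never wraps modulo $h$, which is the whole content of condition (4).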

Flexibility of the protocol
We have already pointed out in the previous sections that the important condition (4) can be fulfilled in several different ways, according to the strategy used in choosing the carrier polynomials $p_i$. In what follows we present a strategy that optimises the information rate and one that, in our analysis, improves security. We give a detailed analysis of the asymptotics of the information rate of our protocol and of NSK, showing that they have the same behaviour. In what follows our finite field $k$ will be $\mathbb{F}_q$ for some prime power $q$.

Optimization of the information rate
The optimization of the information rate is ensured by the following.

Proposition 4. There exists a strategy that maximises the information rate $I$ for any choice of $q$ and $L$. Moreover, in this strategy the information rate is determined by the closed formula

where $\mu$ is the Möbius function.
Proof. We defined the information rate to be $I = L/(\deg h \log_2 q)$, and the degree of $h$ depends on the particular choice of carrier polynomials. The strategy we consider is simply to choose all irreducible polynomials of every degree up to a given degree $N$. Denoting by $D_q^n$ the number of monic irreducible polynomials of degree $n$ in $\mathbb{F}_q[x]$, we have the classical formula
$$D_q^n = \frac{1}{n} \sum_{d \mid n} \mu(d)\, q^{n/d},$$
where $\mu$ is the Möbius function. The overall number of chosen polynomials, that is the number of bits of the plaintext, and the sum of the degrees of the $p_i$'s are then given in closed form, namely
$$L = \sum_{n=1}^{N} D_q^n, \qquad \sum_{i=1}^{L} \deg p_i = \sum_{n=1}^{N} n\, D_q^n,$$
for some maximal degree $N$ (which depends on $L$ if we consider $L$ to be the fundamental parameter). Then the information rate $I$, as a function of the prime power $q$ and (implicitly) of the parameter $L$, has the desired closed expression.
It is easy to see that such a choice of polynomials guarantees maximal information rate, since it lowers as much as possible the degree of $h(x)$ and hence the number of bits of the encrypted message.
Remark 10. The obvious disadvantage of the strategy above is that one can always assume the bare carrier polynomials are known, since we take all of them progressively up to degree $N$. On the other hand, the strategy gives a clear upper bound for the information rate, for all combinations of $L$ and $q$. Notice, however, by comparison with the tables of [11], that this is the same strategy adopted by Naccache and Stern, where the chosen prime $p$ has the same size as $\mathrm{NextPrime}(\prod_i p_i)$.
Within this strategy it is important to notice that all the variations proposed in [11, Section 2.3] carry over to the present context. For example, it is possible to express the message $m$ in a base different from 2, which leads to some modification of the suitable degrees of our carriers. Moreover, it is possible to restrict the message space to constant-weight strings. This last choice increases the information rate, since it allows one to lower the degree of $h(x)$. In fact, if $w$ is the constant weight, the bound on the degree of $h$ is:

where $N$ is the highest degree of the chosen carriers.
Apart from these extensions, the standard NSK protocol is summarized in the table of [11, Section 2.2], where the information rate for 512-, 1024- and 2048-bit primes $p$ is given. The strategy just outlined to reach the maximal information rate allows us to obtain exactly the values presented in [11], matching the degree of our polynomial $h$ with the size of their prime $p$, and $L$ with the size $M$ of the message. So we obtain the same information rate.
The matching procedure works as follows: compute the degree of $h$ obtained by choosing all polynomials up to a given degree, say 9, which gives $\deg h = 977$. Then top it up to the next block, in this case 1024 bits, by choosing some polynomials of one degree higher, in this case 11. This raises the number $L$ of carrier polynomials from 127 to 131, and the information rate is then given by the ratio $L/\deg h$.
In Table 1 we show how to match the examples presented in [11]; the last row is obtained by extending their calculations to 4096 bits. If we go further and compute the relevant figures for 8192 bits, we again find almost perfect agreement (cf. Table 2). It will become clear in what follows why this happens.
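The counting behind Proposition 4 and the matching procedure, as an added Python example (not the paper's code): $D_q^n$ is computed from the Möbius formula, $L$ and the minimal $\deg h$ of the all-polynomials-up-to-degree-$N$ strategy are summed in closed form, and `match_block` tops up to a block size with carriers of degree $N + 1$ (the count of 131 carriers for 1024 bits is the same whether the extra carriers have degree 10 or 11). The example assumes, as the examples of Section 3.1 do, that condition (4) reads $\deg h > \sum_i \deg p_i$, so that the minimal modulus has degree $1 + \sum_n n D_q^n$; Tables 1 and 2 are not reproduced.

```python
# Added example (not from the paper): counting carriers for the strategy of
# Proposition 4 and the block-matching procedure of Section 3.2.1.
from math import log2


def mobius(n):
    """Möbius function mu(n) by trial factorisation."""
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0            # square factor
            result = -result
        d += 1
    if n > 1:
        result = -result
    return result


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def num_irreducibles(q, n):
    """D_q^n = (1/n) sum_{d | n} mu(d) q^(n/d): monic irreducibles of degree n."""
    return sum(mobius(d) * q ** (n // d) for d in divisors(n)) // n


def all_up_to(q, N):
    """(L, deg h) when every monic irreducible of degree <= N is a carrier and
    deg h is the smallest degree exceeding the sum of the carrier degrees
    (assumed reading of condition (4))."""
    L = sum(num_irreducibles(q, n) for n in range(1, N + 1))
    total_degree = sum(n * num_irreducibles(q, n) for n in range(1, N + 1))
    return L, total_degree + 1


def information_rate(q, N):
    """I = L / (deg h * log2 q) for the strategy above."""
    L, deg_h = all_up_to(q, N)
    return L / (deg_h * log2(q))


def match_block(q, bits):
    """Largest N whose deg h fits in `bits` bits, then top up with as many
    carriers of degree N+1 as still fit. Returns (L, deg h, N)."""
    N = 0
    while all_up_to(q, N + 1)[1] * log2(q) <= bits:
        N += 1
    L, deg_h = all_up_to(q, N)
    extra_degree = N + 1
    room = int(bits / log2(q)) - deg_h
    extra = min(room // extra_degree, num_irreducibles(q, extra_degree))
    return L + extra, deg_h + extra * extra_degree, N
```

For $q = 2$ the code reproduces the figures of the text: all polynomials up to degree 9 give $L = 127$ and $\deg h = 977$, and topping up to 1024 bits adds four carriers, so $L = 131$; for the 512-bit block the same procedure stops at degree 8 and yields $L = 75$.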

Asymptotics comparison with previous works
We prove in this section that our protocol has the same asymptotic information rate as [11]. A naive explanation of this fact is that the number of primes below a certain number of bits behaves like the number of irreducible polynomials in $\mathbb{F}_q[x]$ below a certain degree. Let us fix the notation

We will make use of the following Lemma 5.
Now denote by $S_N := \sum_{n=1}^{N} \frac{N}{n}\, q^{\,n-N}$ and observe that it can be expressed in terms of the recursive sequence

with initial value $S_1 = 1$. Consider $S_- = \liminf_{N \to \infty} S_N$ and $S_+ = \limsup_{N \to \infty} S_N$. Passing to the $\limsup$ and $\liminf$ in (40), we get the same equation for $S_\pm$:

provided that they are both finite. Assuming that they are, we conclude that

This assumption is legitimate since $S_N \ge 0$ for all $N \in \mathbb{N}$, thus $S_- \ge 0$, and for $S_+$ we observe that
• when $x \in \mathbb{R}^+$, the function $q^x/x$ is increasing for $x \ge 1/\log q$, and $1/\log q < 2$ since $q \ge 2$, so in particular it is increasing for $x \in \mathbb{N}$, $x \ge 2$;
It follows that

where the last inequality comes from the fact that the sums $\sum_{n=2}^{N} q^n/n$ are lower Riemann sums of

where the second equality follows from L'Hôpital's rule. This proves that

and yields the claim.
We are now ready to prove Proposition 6.
Proof. Observe that $n D_q^n \sim q^n$, and therefore, from (35),

Then, plugging (43) and Lemma 5 into (35), we obtain $I \sim \frac{1}{N \log_2 q}$: the limit of $S_N$ given by Lemma 5 enters both the count $L \sim \frac{q^N}{N} S_N$ of the carriers and the degree $\deg h \sim \sum_{n \le N} q^n$, and cancels in the ratio. We would like to compare this result with the information rate of the NSK protocol. Notice that in order to make a consistent comparison we must understand the role of our parameter $N$ in the NSK.
Once $q$ is fixed, bounding the degree of the carrier polynomials by $N$ is the same as bounding the number of bits required to represent any of them by $M = \lfloor N \log_2 q \rfloor$.
The analogous bound for the NSK is obtained by bounding the number of bits of the prime carriers by $M$, i.e. by bounding the prime carriers themselves by $2^M \simeq q^N$. In the following proposition the comparison is made explicit.

Proposition 7.
Let $N$ be the bound on the degree of the carrier polynomials and $M = \lfloor N \log_2 q \rfloor$ the analogous bound on the bits of the prime carriers in the NSK. The information rate of the NSK protocol is asymptotically given by

Proof. It is known [18, Equation 2] that for large $m \in \mathbb{N}$, $\prod_{p < m} p \sim e^{m}$, in the sense that the logarithm of the left-hand side is asymptotic to $m$.
Let us take $m = 2^M \simeq q^N$, so that $\prod_{p < q^N} p \sim \exp(q^N)$. Now the number of primes up to $q^N$ goes asymptotically, by the prime number theorem, as $\pi(q^N) \sim q^N/(N \ln q)$. In our case this is the number of carrier primes up to $q^N$. On the other hand $\exp(q^N)$, which is the size of the prime modulus of [11], has $q^N \log_2 e$ binary digits, and therefore the information rate is
$$I_{\mathrm{NSK}} \sim \frac{q^N/(N \ln q)}{q^N \log_2 e} = \frac{1}{N \log_2 q}.$$
By comparing Propositions 6 and 7 it is now clear that the two information rates have the same behaviour. This explains why the matching procedure performed at the end of the previous section attains the information rate of NSK also in the asymptotic limit, and it justifies the claim about the large-$N$ behaviour of irreducible polynomials with respect to prime numbers.

Some precautions to avoid subgroup-like attacks
The security of this protocol is strictly related to the degree of $h$ and, as a consequence, to the range of degrees the carriers can have. Indeed, when the carriers are chosen from a large set, the attacker has no chance (by brute force) of finding the $p_i$'s and setting up a discrete logarithm problem for a pair $(p_i, p_i^v)$. As a matter of fact, the knowledge of $h$ only leads to the following information on the degrees:

This is not the case when working with integers and primes in $\mathbb{Z}/p\mathbb{Z}$, where one can always assume that the prime factors are known when $p \simeq \prod_i p_i$.
We first sketch a subgroup-like attack in the most unsafe case. Let $G$ be an abelian group and $p_1^v, \dots, p_L^v$ be carriers as in Section 3. Let the order of $p_i^v$ in $G$ be $n_i$, and suppose $\gcd(n_i, n_j) = 1$ for $i \neq j$. Let now $M_j = n_1 \cdots n_{j-1} \cdot n_{j+1} \cdots n_L$.
For a ciphertext $c = \prod_i (p_i^v)^{m_i}$ one has $c^{M_j} = (p_j^v)^{m_j M_j}$, since $n_i$ divides $M_j$ for every $i \neq j$; and because $\gcd(n_j, M_j) = 1$, this is the identity if and only if $m_j = 0$. Thus $c^{M_j} = 1$ exactly when $m_j = 0$, which yields decryption in $L$ exponentiations without the secret key. The attack can also be adapted to the case where the condition $\gcd(n_i, n_j) = 1$ is only partially fulfilled; in that case only partial information on the plaintext is extracted.
Consider now the decomposition into cyclic subgroups of the multiplicative group $(\mathbb{F}_{q^d})^*$ of the finite field. In order to avoid subgroup-like attacks on the ciphertext we require all the $p_i$'s to be generators of the same subgroup of large order. This leads to certain requirements on $q^d - 1$.
The most natural way to achieve this is to constrain the degree $d$ of the reducing polynomial $h(x)$ as follows:

Now we have to choose the $p_i$'s such that

When these conditions are satisfied, all the $p_i$'s are generators of $(\mathbb{F}_{q^d})^*$.
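To make the attack concrete, here is an added Python example (constructed for this page, not from the paper) in the toy group $G = (\mathbb{Z}/2311\mathbb{Z})^*$, whose order $2310 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$ lets us pick four carriers of pairwise coprime orders $3, 5, 7, 11$, the unsafe case of the sketch; the same test applied to four carriers that generate the whole group (the situation the conditions above enforce) returns nothing. The prime, the carriers and the plaintexts are constructed for the demonstration, and the carriers play the role of the public $p_i^v$.

```python
# Added example (not from the paper): the subgroup-like attack of Section 3.2.3
# in the worst case, run in the toy group (Z/2311Z)^* of order 2*3*5*7*11.
P = 2311                      # prime, constructed for the demo
ORDER = P - 1
PRIME_FACTORS = [2, 3, 5, 7, 11]


def element_order(g):
    """Order of g in (Z/PZ)^*, by stripping prime factors from ORDER."""
    n = ORDER
    for r in PRIME_FACTORS:
        while n % r == 0 and pow(g, n // r, P) == 1:
            n //= r
    return n


def generator():
    """Smallest generator of (Z/PZ)^*."""
    return next(g for g in range(2, P) if element_order(g) == ORDER)


def bad_carriers():
    """Carriers of pairwise coprime orders 3, 5, 7, 11: the unsafe case."""
    g = generator()
    return [pow(g, ORDER // n, P) for n in (3, 5, 7, 11)]


def good_carriers():
    """Four distinct generators of the whole group (what the section asks for)."""
    return [g for g in range(2, P) if element_order(g) == ORDER][:4]


def encrypt(carriers, bits):
    """c = prod carrier_i^{m_i}, the knapsack ciphertext."""
    c = 1
    for g, m in zip(carriers, bits):
        if m:
            c = c * g % P
    return c


def subgroup_attack(carriers, c):
    """With n_i = ord(carrier_i) and M_j = prod_{i != j} n_i, c^{M_j} equals
    carrier_j^{m_j M_j}; when the n_i are pairwise coprime this is 1 exactly
    when m_j = 0, so L exponentiations recover the plaintext without any key.
    When all carriers share the same order n, n divides every M_j and the
    test answers 1 for every j, i.e. it learns nothing."""
    orders = [element_order(g) for g in carriers]
    bits = []
    for j, n_j in enumerate(orders):
        M_j = 1
        for i, n_i in enumerate(orders):
            if i != j:
                M_j *= n_i
        bits.append(0 if pow(c, M_j, P) == 1 else 1)
    return bits
```

`subgroup_attack(bad_carriers(), encrypt(bad_carriers(), bits))` returns `bits` for every plaintext, while with `good_carriers()` it returns all zeros whatever was encrypted: requiring the carriers to generate the same large subgroup removes the coprime-order structure the attack exploits.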

"Chinese remainder" version
In what follows we present another example of a protocol that fits the general picture, which rests on the well-known Chinese remainder theorem. To this end, let us introduce a large prime power $q$ and a natural number $L \in \mathbb{N}$. Consider now the monoid $S = (\mathbb{F}_q^{L+1})^*$, with componentwise multiplication, and the set $R = \{r_1, \dots, r_{L+1}\} \subseteq \mathbb{F}_q$.
Let $\alpha_i \in \mathbb{F}_q \setminus R$ for all $i \in \{1, \dots, L\}$, and choose two large integers $u, v$ such that $uv \equiv 1 \bmod (q - 1)$. Compute the following list of vectors $p_i \in (\mathbb{F}_q^{L+1})^*$ as

Remark 11. Observe that the information rate is $\dfrac{L}{(L+1) \log_2 q}$.

Proposition 8. $F$ is an injection.
Proof. We define a polynomial in $\mathbb{F}_q[x]$ by

whose set of zeros coincides with $R$. We prove the proposition by showing how to compute the inverse over the image of $F$ using $h(x)$, i.e. how to uniquely decrypt any ciphertext $c \in \Im(F)$ using the secret key. Let $G$ be the evaluation map $k(x) \mapsto (k(r_1), \dots, k(r_{L+1}))$ and let $\Gamma$ : be the canonical lift. The decryption map $D$ is given by reducing $\Gamma(G^{-1}(\psi^{-1}(x)))$ modulo $g_i(x) = (x - \alpha_i)$: whenever the remainder is zero, $m_i = 1$, where $\psi^{-1}(x) = x^u$. Observe that the decryption is well defined: the map $\alpha^{\psi}_{\sim} : \mathbb{Z}_2^L \longrightarrow \mathbb{F}_q[x]/(h_R(x))$ is clearly injective (and so is $\alpha_\sim$, by Proposition 1), since the product of all the $g_i(x)$ has degree $L < L + 1$. Here $\sim$ is as usual the relation induced by the ideal of $h_R(x)$.
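As an added example (not from the paper), the Python code below runs this Chinese-remainder instance over $\mathbb{F}_q$ with $q = 1000003$ prime. It reads the construction as the proof suggests, which is an assumption of the example since the defining formula of the vectors $p_i$ is not printed on the page: $G$ is evaluation at the $L + 1$ points $r_j$, so $g_i(x) = x - \alpha_i$ is published as the vector $((r_1 - \alpha_i)^v, \dots, (r_{L+1} - \alpha_i)^v)$, a ciphertext is the componentwise product of the selected vectors, and decryption takes componentwise $u$-th powers, interpolates the polynomial $P(x)$ of degree at most $L$ through the $L + 1$ points (the inverse of $G$) and tests $P(\alpha_i) = 0$. The points $r_j$, the roots $\alpha_i$ and the exponent $v$ are constructed for the example.

```python
# Added example (not the paper's code): the "Chinese remainder" instance of
# Section 3.3 over F_Q for a prime Q, with G read as evaluation at the r_j
# (an assumption of this example).
Q = 1000003                 # prime, so F_Q = Z/QZ and uv = 1 mod (Q - 1) suffices


def poly_mul(a, b):
    """Product of two polynomials over F_Q, coefficients low to high."""
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % Q
    return r


def poly_eval(coeffs, x):
    """Horner evaluation over F_Q."""
    r = 0
    for a in reversed(coeffs):
        r = (r * x + a) % Q
    return r


def lagrange_interpolate(xs, ys):
    """Coefficients (low to high) of the unique polynomial of degree < len(xs)
    with P(xs[j]) = ys[j] over F_Q: the inverse of the evaluation map G."""
    n = len(xs)
    coeffs = [0] * n
    for j in range(n):
        num, denom = [1], 1      # basis polynomial prod_{k != j} (x - x_k)/(x_j - x_k)
        for k in range(n):
            if k != j:
                num = poly_mul(num, [(-xs[k]) % Q, 1])
                denom = denom * (xs[j] - xs[k]) % Q
        scale = ys[j] * pow(denom, -1, Q) % Q
        for i, a in enumerate(num):
            coeffs[i] = (coeffs[i] + a * scale) % Q
    return coeffs


def keygen(L, v, rs, alphas):
    """rs: L+1 distinct evaluation points; alphas: L roots disjoint from rs.
    Public: the vectors p_i = ((r_1 - alpha_i)^v, ..., (r_{L+1} - alpha_i)^v)."""
    assert len(rs) == L + 1 and len(alphas) == L and not set(rs) & set(alphas)
    u = pow(v, -1, Q - 1)
    pub = [[pow((r - a) % Q, v, Q) for r in rs] for a in alphas]
    return pub, (u, rs, alphas)


def encrypt(pub, bits):
    """Componentwise product of the selected vectors in (F_Q^{L+1})^*."""
    c = [1] * len(pub[0])
    for vec, m in zip(pub, bits):
        if m:
            c = [x * y % Q for x, y in zip(c, vec)]
    return c


def decrypt(secret, c):
    """Componentwise u-th power gives (P(r_1), ..., P(r_{L+1})) with
    P = prod (x - alpha_i)^{m_i}; deg P <= L < L+1, so interpolation is exact
    and m_i = 1 exactly when P(alpha_i) = 0."""
    u, rs, alphas = secret
    values = [pow(x, u, Q) for x in c]
    P = lagrange_interpolate(rs, values)
    return [1 if poly_eval(P, a) == 0 else 0 for a in alphas]


def roundtrip(bits, v=65537):
    L = len(bits)
    rs = list(range(1, L + 2))                 # r_j = 1, ..., L+1 (constructed)
    alphas = [100 + i for i in range(L)]       # alpha_i = 100, ... (constructed)
    pub, sk = keygen(L, v, rs, alphas)
    return decrypt(sk, encrypt(pub, bits))
```

No component is ever zero, because every $r_j - \alpha_i \neq 0$ by the choice $\alpha_i \notin R$; this is what keeps the encryption inside the monoid $(\mathbb{F}_q^{L+1})^*$ and makes the $u$-th power invert the $v$-th power componentwise.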

Outlook and further research
In the present communication we have given a new setting that produces many examples of knapsack encryption schemes, showing also how a remarkable example such as [11] fits the framework perfectly. We have proposed a next-to-simplest example, in which the monoid is $(k[x], \cdot)$, one realization of which is $\mathbb{F}_q[x]$ reduced modulo the ideal of an irreducible polynomial of suitable degree.
This brand new application of the knapsack idea reproduces the key results of [11] in terms of information rate, but allows us to improve some important features:
• the information rate is shown to be deterministic, by providing an exact formula for it (cf. [11, Section 2.2]);
• the computations take place in $\mathbb{F}_{q^d}$ with $q^d \sim p$ but $q \ll p$, where $\mathbb{F}_q$ is a field of small characteristic.
A non-trivial variation of this scheme was obtained by taking a polynomial that splits over the base field and applying the Chinese remainder theorem, so that the computations are performed over a direct sum of fields.
In [11] Naccache and Stern conjectured that it might be possible to build an elliptic-curve version of their scheme, and the general framework we have presented might help to address this problem.
Moreover, it would be interesting to see how the recent improvements to the NSK protocol presented in [16] apply to our polynomial instance. This will be the subject of further studies.