Some results on an encryption method using subset-sums of pseudo-recursive sequences

Abstract Let Aη := {b2ηc : n = 0, 1, 2, . . . }, where 1 ≤ η < 2. In the recent paper [Discrete Math. Lett. 4 (2020) 31–36], the authors examined the subset-sums of the set Aη and then presented an encryption algorithm. The basics of the latter part is that the encoded message is a public natural number N and everyone is allowed to query for the set (Aη uAη)∩ [1, N ] until they find an element of it. Using the results about P (Aη), the set of subset-sums of Aη, it was shown that with the secret key γ the message can be decoded in logarithmic time, but for an eavesdropper without the key it takes on average more than N/logN time. In this article, we show that the eavesdropper essentially can not figure out the codeword from the found element of S, even if she got that element from the query sequence in a relatively short time.


Introduction
The set { 2 n η | n = 0, 1, · · · }, where 1 ≤ η < 2, and its related subset-sums were investigated by Erdős and Graham in [4]. Hegyvári also examined some properties of these subset-sums in the articles [2,3]. Based on these works, in the article [1], an encryption algorithm was examined using the aforementioned set and its subset-sums. In this article, we further investigate that encryption process. We show that if an eavesdropper catches the message, she can not be certain what the codeword was.
For any η ∈ [1, 2), let a n := 2 n η and A η := {a n | n = 0, 1, 2, · · · }. We associate to A η its so-called subset-sums: It was proven in the article [1] that every element of P (A η ) has a unique representation (see Proposition 3.2 in [1]). It was also shown in [1] (see Proposition 3.3 in [1]) that the biggest gap of the set P (A η ) ∩ [1, a k ] is equal to k j=1 η j , where η = 1.η 1 η 2 · · · in binary form. Using these results, the authors of [1] also presented an encryption algorithm to send a message. The coding process is given as follows: Let c n be a binary codeword with n digits: c n = η 1 η 2 · · · η n , where each η i ∈ {0, 1} for i = 1, 2, · · · , n. We associate an η ∈ [1, 2) for the codeword c n : η = 1.η 1 η 2 · · · η n · · · (after η n we can extend arbitrarily, only one assumption is important, that we prefer the expression where η i = 0 holds infinitely many times). The message is sent by Alice to Bob in the form of N ∈ N. This N is public in the sense that an eavesdropper (Eve) can catch this message. Alice and Bob on the other hand has a secret key 0 < γ < 1, which is available only for them.
Denote by B C the restricted sum for the sets B, C ⊆ N, i.e., Towards the decoding process, let S be the following set: For the decoding process, let us define a query function f : Everyone can query an (x 0 , x 0 + 1, · · · x 0 + L) sequence of integers such that (f (x 0 ), f (x 0 + 1), · · · , f (x 0 + L))=(0, 0, · · · , 0, 1). So we can query x 0 and if it is not in S we can query x 0 + 1 and so on until we find an element of S. The length of the query sequence is L x0 η (N ) := L. For simplicity, let us denote by x L the number x 0 + L. In the 4th section of the article [1], the following two results were presented about this process.

Decomposition lemmas
As we already mentioned, our purpose is to show that Eve can not really recognize the codeword even if she finds an x L ∈ S in a relatively short time. We are going to restrict the length of a query sequence by N β , 0 < β < 1. This is not going to cause problems, because this restriction only makes things harder for Eve, while Bob will still have enough query questions to find the codeword in a short time (see Theorem 1.1). We will return to the right choice of β later. Assume now that Eve finds an element x L ∈ S after querying at most N β . What she can do is try to decompose x L into the sum of b and b , where b, b ∈ A ζ (for some 1 ≤ ζ < 2) and she hopes that eventually ζ = η. This is equivalent to the task of finding b and b , b + b = x L , b > b where in binary form the first few digits of b forms exactly b , since both of them are equal to 2 s ζ for some s ∈ N. Now, we are going to look at this task in a third equivalent form. We search for the pairs (b, k) that satisfy: our goal is to guarantee that for many k such b exists. For this, lets analyze (1) for a fixed k. Proof. First lets reshape (1): To guarantee a solution to (1), we need to prove the existence of an integer greater than We claim that there is such an integer if and only if x L ≡ −1 mod (2 k + 1). Lets look at 2 k x L in the following form: This is equivalent to the existence of an integer It follows that there is such an integer if and only if Our purpose now is to show the existence of many k, where this incongruence holds. The following lemma will ensure this.

Lemma 2.2.
Let k be an integer such that k ≥ 1 2 log 2 x L . In this case, there is an integer solution for (1) either for k or for k + 1.

Result on security against an eavesdropper
Now, we want to underestimate the number of b's which Eve considers viable. From the previous lemma, we know that Eve can decompose x L in many ways to satisfy (1). But, to delude Eve it is not enough to just have b's which satisfy (1). Remember that Eve wants b's which can be the starting sequence of the codeword and she can check if this hypothesis of her is compatible with the queries or not. What do we mean by this? Fix a b ∈ N such that for some k: Considering Eve's point of view, she thinks that she queried from a set A ζ A ζ , where ζ ∈ [1, 2) and she hopes that ζ = η. To have this theory, she has to assume that a j = 2 j ζ = b, where j = log 2 b . In this case, the first elements of the set A ζ would be: Denote by C b the set that has exactly the same elements as above: Eve can exclude certain b's by looking up if during her query sequence she queried for some x ∈ A ζ A ζ , x < x L . She can do it because if she did indeed query such an x, then she would have got f (x) = 1. But, in this case she would have stopped querying there and would have got x as an element of S instead of x L .
Before we go further, we prove a simple statement that ensures that Eve actually knows Or in other words, the exclusion method relies only on b and not on the elements of A ζ , larger than b (which are unknown to Eve).
Proof. First, we recall that we assume b = 2 j ζ = a j . It is obvious that Notice that it is enough to prove that x = a l + a m holds for some l, m ≤ j, l = m. We know by assumption that x L = a j + a k for some k < j. Note that for every n ∈ N: 2a n = 2 2 n ζ ≤ 2 n+1 ζ = a n+1 . Assume for contradiction that x = a l + a m and l > j, in this case we would get x L = a j + a k < 2a j ≤ a j+1 ≤ a l < a l + a m = x.
We are going to say that a b is acceptable for Eve if it is a solution of (1) for some k and it can not be excluded by Eve with the previous method (checking if she queried for any x < x L , x ∈ A ζ A ζ , which is equivalent, by the above claim, to checking if she queried for any x < x L , x ∈ C b C b ). We want to emphasize here, that acceptability now relies only on b (and not on the elements of A ζ which are larger than b). Lets denote the number of acceptable solution for Eve by µ (for a fixed x L ).
We want Eve to have a lot of acceptable b's so we try to deny the ability of exclusion from her. For this purpose, from now on we restrict the length of the query sequence by N β . How does this affect Eve's exclusion method? First notice that in order to exclude a certain b it is enough for her to check if she queriedx = max{x ∈ C b C b | x < x L }, the largest element of C b C b smaller than x L . So if we can ensure that N β ≤ x L −x, then she can not exclude this b. We will use this observation in the next theorem.
As we mentioned earlier, we are proving that Eve can not figure out the codeword uniquely. We need to specify what that means exactly. So far we have investigated only solutions for (1). If Eve finds a k and a corresponding b as a solution of (1), then she assumes b = 2 s ζ for some s ∈ N, 1 ≤ ζ < 2 and hopes that ζ = η. The first n + 1 digits of ζ is equivalent to an n digit codeword (1.ζ 1 ζ 2 · · · ζ n · · · ∼ d = ζ 1 ζ 2 · · · ζ n ), so she has to get these n + 1 digits. Since the length of b is at most the length of x L , Eve only knows at most log 2 x L + 1 digits of ζ. So she can choose the values of the remaining h = n + 1 − ( log 2 x L + 1) = n − log 2 x L digits arbitrarily, leaving her with at least 2 h different ζ, which have the property, that their first log 2 b + 1 digits form the number b. And this is only for one acceptable b. (We know that at least one always exists, which is the one corresponding to η, which is determined by the real codeword.) So if x L is too small, then this leaves Eve with a lot of unknown information about the codeword. The second part of the next theorem is about the case when she finds an x L where n − log 2 x L is small (i.e. x L is large). In this case there are many acceptable ways to decompose x L . So she has many b's to start the codeword with, leaving her in inconsistency, even though she has low level of freedom to extend them into possible codewords.
We are going to call an integer d = ζ 1 ζ 2 · · · ζ n (where each ζ i ∈ {0, 1} for i = 1, 2, · · · , n) possible codeword viable if there is an acceptable b which is the prefix of d in binary form. For a fixed x L denote the number of viable codewords by ν. Obviously µ ≤ ν, since every acceptable b can be extended (possibly in many ways) into a viable d.
In the upcoming theorem we will consider two cases, x L ≥ N α or x L ≤ N α , where 0 < α < 1, and we will give a lower bound on µ and ν respectively. We will give some more restriction on α later and we will also discuss its relationship to other variables N, γ, β.

Concluding remarks
It is worth to take a look at what the results of Theorem 3.1 really mean. In both parts of this theorem, we get more acceptable solutions if N is large. We can guarantee this part, but after a certain point an absurdly large N is not very practical. So, we want to optimize the parameters α and β as well.
The parameter β is best to be as small as possible (but can not be too small because Bob has to be able to find the codeword). Theorem 1.2 tells us that the lower bound log 2 N + 1 < N β is required to give Bob the ability to get the codeword with the secret key γ, regardless of the restriction on the length of a query sequence. So, we can choose for example β = log N (2 log N ), which tends to 0, as N → ∞.
In the case of α, it is a bit more complicated than that β. We can say that α is a double-edged weapon in the following sense: According to part (i), α is better to be small, while according to part (ii) it is better to be large (close to 1).
We gather here the acquired bounds on N with respect to the parameters. Here, we consider the case when we only want to ensure more than one viable codeword. From Theorem 3.1, we get that if we want ν > 1 in part (i) and µ > 1 in part (ii), then N has to satisfy the following lower bounds: (i) → N > (