MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES
VOLUME 13(S) August 2019. ISSN 1823-8343. e-ISSN 2289-750X (Special Issue)
Guest Editor: Muhammad Rezal Kamel Ariffin
Typesetting & Formatting: Amir Hamzah Abd Ghafar & Nor Azlida Aminudin
A scientific journal published by Universiti Putra Malaysia Press


Preface

Since the time of Julius Caesar and possibly up until the Greek era, cryptography (a word that is derived from the Greek term "cryptos") has been an integral tool for organizations (and indeed for individuals too) to ensure that information intended only for authorized recipients remains confidential to this set of people. Cryptography has had far-reaching implications for organizations in the event that information leakage occurred. It is often referred to as the "last bastion of defence": after all other mechanisms have been overcome by an adversary, encrypted information would still remain useless to the attacker (that is, under the usual security assumptions). Nevertheless, practitioners of information security have remained oblivious to this simple fact, omitting cryptographic mechanisms for data being transferred and also during storage.

Fast forward to World War 2, the war between cryptographic and cryptanalytic techniques. While the Germans were efficiently transferring information via the Enigma encryption machine, the Allies in Bletchley Park, England were busy intercepting this ciphered information being transmitted via telegraph by the Germans. Leading mathematicians, linguists, engineers etc. were all working to cryptanalyze these ciphers in the most effective way. It is here that the first electrical machine (i.e. the "bomba") was born, and it revolutionized computing. Post World War 2 saw the emergence of the "computer". Every organization that had to process data had to acquire a computer so as not to be left behind by its competitors. The banking sector advanced on a global scale due to the invention of the computer. Techniques to secure information among the headquarters of these banks had to be developed. Encryption procedures using the same key (i.e. symmetric encryption) played this role in the early days. Then came the unthinkable problem: computers were being deployed almost everywhere. How is it possible to deploy cryptographic keys in a secure manner so that symmetric encryption could take place? This led to the so-called "key distribution" problem. It was not until 1975 that Diffie and Hellman provided us with a secure key exchange method, and in 1976 Rivest, Shamir and Adleman with the "asymmetric encryption" scheme (i.e. to encrypt using key e and decrypt using key d, where e ≠ d). Since then, cryptographic procedures have evolved, not only playing the role of ensuring confidentiality of data, but also ensuring integrity and authenticity of data. They are also able to ensure non-repudiation of data.

Mechanisms to transfer and store data have changed over the centuries, and more so every 5 years in this modern age. Cryptography, which has long existed as mechanisms changed from manual to telegraphic, electrical, electronic (WAN/LAN/internet) and wired to wireless procedures, has to be properly deployed in order to maintain a high level of security confidence among the stakeholders of a certain organization. The concept of securing information via encryption procedures has to be properly understood in order to avoid a null intersection between cryptography and computer security practitioners. This scenario would not be in the best interest of stakeholders. As a "friendly" reminder, this scenario can already be seen in other disciplines of knowledge where the "minuting" ("minute-ting") of knowledge has forced the original body of knowledge to look as though it is independent and disassociated. Ever since mass usage of computers became a reality, computer security issues have never been this complicated. However, as the human race advances, so will ingenious ideas emerge to overcome challenges.

It is hoped that Cryptology2018 will not only provide a platform for every participant to exchange ideas in their respective fields, but also to exchange new ideas on a broader scale for the advancement of the field of cryptology and computer security. The organizing committee hopes every participant will have an enjoyable and beneficial conference.

The editors would like to thank all participants for their contributed papers. A special thanks to the members of the scientific committee and panel of reviewers who took the time to review the papers thoroughly and suggest improvements so as to enhance the quality of the papers. Finally, we extend our appreciation for the efforts of the conference organiser and everyone whose contributions have made the publication of this special issue of the Malaysian Journal of Mathematical Sciences possible.

Thank you.

Guest Editor: Muhammad Rezal Kamel Ariffin

Typesetting & Formatting: Amir Hamzah Abd Ghafar, Nor Azlida Aminudin


Malaysian Journal of Mathematical Sciences, Volume 13(S) August 2019

Contents

On the Smallest-Basis Problem of the GGH Cryptosystem 1
- Mandangan, A., Kamarulhaili, H. and Asbullah, M.A.

Alternative Method to Find the Number of Points on Koblitz Curve 13
- Hadani, N.H., Yunos, F., Ariffin, M.R.K., Sapar, S.H. and Rahman, N.N.A.

SSE Security Definitions 31
- Mohamad, M.S., Tan, S.Y. and Chin, J.J.

On Generalised AMD Codes 49
- Ramchen, K.

Construction of Endomorphisms for the ISD Method on Elliptic Curves with j-invariant 1728 67
- Antony, S.N.F.M.A. and Kamarulhaili, H.

An Innovative Bicartisian Algebra for Designing of Highly Performed NTRU Like Cryptosystem 77
- Yassein, H.R. and Al-Saidi, N.M.G.

Hierarchical Identity-Based Identification Scheme Without Pairing 93
- Vangujar, A.K., Chin, J.J., Tan, S.Y. and Ng, T.S.

A New Attack on Special-Structured RSA Primes 111
- Ghafar, A.H.A., Ariffin, M.R.K. and Asbullah, M.A.

QuCCs: An Experimental of Quantum Key Distribution using Quantum Cryptography and Communication Simulator 127
- Zukarnain, Z.A., Buhari, A., Harun, N.Z. and Khalid, R.

Successful Cryptanalytic Attacks Upon RSA Moduli N = pq 141
- Abubakar, S.I., Ariffin, M.R.K. and Asbullah, M.A.


Malaysian Journal of Mathematical Sciences 13(S) August: 1–11 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

On the Smallest-Basis Problem underlying the GGH Lattice-based Cryptosystem

Mandangan, A.^{1,2}, Kamarulhaili, H.^{1}, and Asbullah, M.A.^{*3,4}

^1 School of Mathematical Sciences, Universiti Sains Malaysia, Malaysia
^2 Mathematics, Real Time Graphics and Visualization Laboratory, Universiti Malaysia Sabah, Malaysia
^3 Laboratory of Cryptography, Analysis and Structure, Institute for Mathematical Sciences, Universiti Putra Malaysia, Malaysia
^4 Centre of Foundation Studies for Agricultural Science, Universiti Putra Malaysia, Malaysia

E-mail: [email protected]
*Corresponding author

ABSTRACT

The security of the Goldreich-Goldwasser-Halevi (GGH) cryptosystem relies on the Smallest-Basis Problem (SBP) and the Closest-Vector Problem (CVP) instances. Previously, these instances were only implicitly mentioned and discussed, without any proper definition. In this paper, we explicitly define the underlying SBP instance that arises from the GGH cryptosystem. From that, we show how the solution to these problems can be obtained and how the obtained solutions can lead to a security breach in the GGH cryptosystem. Finally, we propose some possible strategies for strengthening the security of the GGH cryptosystem.

Keywords: GGH cryptosystem, Smallest-Basis Problem, Closest-Vector Problem, Shortest-Vector Problem.


1. Introduction

Lattice-based cryptography emerges as one of the high-potential alternatives in the post-quantum cryptography era. The construction of cryptographic schemes based on lattice problems instead of number-theoretic problems makes lattice-based cryptosystems conjectured to be unaffected by Shor's quantum attack, see Shor (1999). Goldreich et al. (1997) proposed a trapdoor one-way function, addressed as the GGH trapdoor one-way function (Mandangan et al., 2018). The security of this function is inspired by two lattice-based problems, namely the Smallest-Basis Problem (SBP) and the Closest-Vector Problem (CVP). From the GGH trapdoor one-way function, Goldreich et al. (1997) proposed an encryption scheme known as the GGH cryptosystem.

The GGH cryptosystem was recognized as the first lattice-based cryptosystem with a competent level of efficiency and practicality. With low-cost mathematical operations involving matrices and vectors, the GGH cryptosystem offers a better efficiency level compared to the famous RSA and ElGamal cryptosystems. In the security aspect, the underlying lattice problems that arise from the GGH cryptosystem were conjectured to be invulnerable once the cryptosystem is implemented in a lattice dimension of 300 and above (Goldreich et al., 1997). Although the GGH cryptosystem is broken due to Nguyen's attack (Nguyen, 1999), some attempts at improving the security of the GGH cryptosystem can be found in the literature, for instance de Barros and Schechter (2015), Micciancio (2001), Paeng et al. (2003), Sipasseuth et al. (2019), and Yoshino and Kunihiro (2012).

Since the proposal of the GGH cryptosystem, the underlying lattice-based problems that arise from the GGH cryptosystem were only implicitly mentioned and discussed. In Mandangan et al. (2018), we defined the underlying CVP instance as the GGH-CVP instance, together with the simplified versions of this instance that are derived by Nguyen's attack (Nguyen, 1999) and the Lee-Hahn attack (Lee and Hahn, 2010) on it. As a continuation, we propose the definition for another lattice-based problem that arises from the GGH cryptosystem.

In this paper, we explicitly define the underlying SBP instance of the GGH cryptosystem. From that, we investigate some features of this instance related to its solution and the method for solving it. Finally, we propose some strategies for strengthening the security of the GGH cryptosystem. This paper is arranged in the following flow.


We provide some related mathematical background in Section 2, followed by a brief yet necessary introduction to the GGH cryptosystem in Section 3. Furthermore, we define the underlying lattice-based problems of the GGH cryptosystem in Section 4. Further discussion is presented in Section 5 and concluding remarks are given in Section 6.

2. Mathematical Background

Throughout this paper, we standardize some mathematical notations. Firstly, we denote $m, n \in \mathbb{N}$. Then, all vectors are considered as column vectors and denoted using standard vector notation. For instance, $\vec{b} \in \mathbb{R}^m$ is a column vector with $m$ real entries $b_i \in \vec{b}$, for all $i = 1, \dots, m$. A set of vectors $\vec{b}_i \in \mathbb{R}^m$, denoted as $B = \{\vec{b}_1, \vec{b}_2, \dots, \vec{b}_n\}$, is representable in matrix form as $B \in \mathbb{R}^{n \times n}$, where the vectors $\vec{b}_i$ are the columns of the matrix $B$ for all $i = 1, \dots, n$. If the set $B$ is linearly independent, then it can be used to span a lattice.

Definition 2.1: (Hoffstein et al., 2008) For $m \le n$, let $B = \{\vec{b}_1, \vec{b}_2, \dots, \vec{b}_n\}$ be the set of linearly independent vectors. The lattice $L(B) = L \subset \mathbb{R}^n$ generated by the basis $B$ is defined as the set of all linear combinations of the basis vectors $\vec{b}_1, \vec{b}_2, \dots, \vec{b}_n$ with integer scalars, i.e.,

$$L(B) = \left\{ a_1 \vec{b}_1 + a_2 \vec{b}_2 + \cdots + a_n \vec{b}_n : a_i \in \mathbb{Z}, \ \forall i = 1, \dots, n \right\} \qquad (1)$$

Based on Definition 2.1, the dimension of the lattice $L(B)$ is $\dim(L(B)) = n$ and the rank of the lattice $L(B)$ is $\mathrm{rank}(L(B)) = m$. If $m = n$, then the lattice $L(B)$ is referred to as a full-rank lattice. This paper deals only with this kind of lattice.

Theorem 2.1: (Goodaire, 2013). A square matrix is invertible if and only if its columns are linearly independent.

Thus, the bases for full-rank lattices are representable as non-singular matrices. A lattice can be spanned by more than one basis. Two different bases are mathematically related by a unimodular matrix. The matrix $U \in \mathbb{Z}^{n \times n}$ is called a unimodular matrix if $\det(U) = \pm 1$.

Proposition 2.1: (Galbraith, 2012). Let $G, B \in \mathbb{R}^{n \times n}$ be two non-singular matrices. The matrices $G$ and $B$ span the same lattice $L \subset \mathbb{R}^n$, i.e., $L(G) = L(B) = L$, if and only if $G = BU$ where the matrix $U \in \mathbb{Z}^{n \times n}$ is a unimodular matrix.


When $n \ge 2$, there are infinitely many unimodular matrices. This implies that a lattice in dimension $n \ge 2$ can be spanned by infinitely many bases. Normally, these bases are classified as either a good basis or a bad basis. A good basis is a lattice basis consisting of reasonably short and only slightly non-orthogonal basis vectors. On the contrary, a lattice basis with long and highly non-orthogonal basis vectors is classified as a bad basis. The non-orthogonality of a lattice basis can be measured by computing the dual-orthogonality defect of the basis.

Definition 2.2: (Goldreich et al., 1997). Let $G \in \mathbb{R}^{n \times n}$ with columns $\vec{g}_1, \vec{g}_2, \dots, \vec{g}_n \in \mathbb{R}^n$ be a basis for the lattice $L \subset \mathbb{R}^n$. The dual-orthogonality defect of the basis $G$ is computed as follows,

$$\mathrm{dualOD}(G) = \frac{\prod_{i=1}^{n} \|\vec{g}'_i\|}{|\det G^{-1}|} \qquad (2)$$

where $\|\vec{g}'_i\|$ is the Euclidean norm of the $i$-th row vector in $G^{-1}$.

To be classified as a good basis, the dual-orthogonality defect of the basis $G$ is required to be small, i.e., $\mathrm{dualOD}(G)$ is close to 1. If $\mathrm{dualOD}(G)$ is large and far from 1, then the basis $G$ is classified as a bad basis. Consider the following definition related to the successive minima of a lattice.

Definition 2.3: (Nguyen, 1999). Let $L \subset \mathbb{R}^n$ be a full-rank lattice. The $i$-th minimum of the lattice $L$, denoted as $\lambda_i(L)$, is the radius of the smallest sphere centered at the origin containing $i$ linearly independent lattice vectors.

Basically, the first minimum of the lattice $L$ is $\lambda_1(L) = \|\vec{v}_1\|$, where $\vec{v}_1 \in L$ is the shortest non-zero vector in the lattice $L$ such that $\|\vec{v}_1\| < \|\vec{v}_i\|$ for all $i = 2, \dots$. Most lattice-based problems are related to norm or distance minimization. The most established lattice-based problems are the Smallest-Basis Problem (SBP), the Closest-Vector Problem (CVP) and the Shortest-Vector Problem (SVP). Any variant derived from these problems is referred to as an instance.

Definition 2.4: (Goldreich et al., 1997). Let $B \in \mathbb{R}^{n \times n}$ be a basis for the full-rank lattice $L \subset \mathbb{R}^n$. Given the basis $B$, the Smallest-Basis Problem (SBP) is to find the smallest basis $B'$ for the same lattice $L$, where the basis $B'$ has a small orthogonality defect.

Definition 2.5: (Hoffstein et al., 2008). Let $L \subset \mathbb{R}^n$ be a full-rank lattice. Given a basis of the lattice $L$ and a target vector $\vec{t} \in \mathbb{R}^n$, the Closest-Vector Problem (CVP) is to find a non-zero vector $\vec{v} \in L$ such that the Euclidean norm $\|\vec{t} - \vec{v}\|$ is minimum.


Definition 2.6: (Galbraith, 2012). Let $L \subset \mathbb{R}^n$ be a full-rank lattice. Given a basis for the lattice $L$, the Shortest-Vector Problem (SVP) is to find a non-zero vector $\vec{v} \in L$ such that the Euclidean norm $\|\vec{v}\|$ is minimal, i.e., $\|\vec{v}\| = \lambda_1(L)$.

3. GGH Cryptosystem

Consider a communication scenario where Bob wants to send a secret message to Alice and they agree to use the GGH cryptosystem. The key generation, encryption and decryption algorithms of the GGH cryptosystem are given in the following tables:

Table 1: Key Generation Algorithm done by Alice

Input: Security parameter $n$.
Output: Public key $(B, \sigma, n)$ and private key $(G, U)$.
Steps:
Generate the private basis $G \in \mathbb{R}^{n \times n}$.
Generate the unimodular matrix $U \in \mathbb{Z}^{n \times n}$.
Compute the public basis $B \in \mathbb{R}^{n \times n}$ as $B = GU^{-1}$.
Determine the threshold parameter $\sigma \in \mathbb{N}$.

Table 2: Encryption Algorithm done by Bob

Input: Alice's public key $(B, \sigma, n)$ and plaintext $\vec{m} \in \mathbb{Z}^n$.
Output: Ciphertext $\vec{c} \in \mathbb{R}^n$.
Steps:
Generate the error vector $\vec{e} \in \{-\sigma, +\sigma\}^n$.
Generate the plaintext vector $\vec{m} \in \mathbb{Z}^n$.
Encrypt the plaintext as $\vec{c} = B\vec{m} + \vec{e}$.

Table 3: Decryption Algorithm done by Alice

Input: Bob's ciphertext $\vec{c} \in \mathbb{R}^n$ and private key $(G, U)$.
Output: Bob's plaintext $\vec{m} \in \mathbb{Z}^n$.
Steps:
Compute $\vec{x} = G^{-1}\vec{c}$.
Round each entry $x_i \in \vec{x}$ to the nearest integer $\lfloor x_i \rceil \in \mathbb{Z}$ such that $|x_i - \lfloor x_i \rceil| < \frac{1}{2}$ for all $i = 1, \dots, n$.
Decrypt the ciphertext as $\vec{m} = U\lfloor \vec{x} \rceil$.


Consider the following computation in the decryption algorithm,

$$\begin{aligned}
U\lfloor \vec{x} \rceil &= U\lfloor G^{-1}\vec{c} \rceil, && \text{since } \vec{x} = G^{-1}\vec{c} \\
&= U\lfloor G^{-1}(B\vec{m} + \vec{e}) \rceil, && \text{since } \vec{c} = B\vec{m} + \vec{e} \\
&= U\lfloor G^{-1}B\vec{m} + G^{-1}\vec{e} \rceil \\
&= \lfloor UG^{-1}B\vec{m} \rceil + U\lfloor G^{-1}\vec{e} \rceil \\
&= \lfloor B^{-1}GG^{-1}B\vec{m} \rceil + U\lfloor G^{-1}\vec{e} \rceil, && \text{since } U = B^{-1}G \\
&= \lfloor \vec{m} \rceil + U\lfloor G^{-1}\vec{e} \rceil \\
&= \vec{m} + U\lfloor G^{-1}\vec{e} \rceil, && \text{since } \vec{m} \in \mathbb{Z}^n
\end{aligned}$$

To avoid decryption errors, the selection of the threshold parameter $\sigma$, which is the magnitude of each entry of the error vector $\vec{e}$, must be done properly based on the following theorem:

Theorem 3.1: (Mandangan et al., 2018). Let $G \in \mathbb{R}^{n \times n}$ be the private basis for the lattice $L \subset \mathbb{R}^n$ and let $\rho \in \mathbb{R}$ denote the maximum $l_1$-norm of the rows of $G^{-1}$. As long as the threshold parameter $\sigma \in \mathbb{R}$ satisfies $\sigma < \frac{1}{2\rho}$, no decryption error can occur.

By determining the threshold parameter $\sigma$ as required by Theorem 3.1, the condition $\lfloor G^{-1}\vec{e} \rceil = \vec{0}$ is fulfilled (Mandangan et al., 2018). Thus,

$$U\lfloor \vec{x} \rceil = \vec{m} + U\lfloor \vec{0} \rceil = \vec{m}$$

which indicates that the decryption is done without error.

4. The Smallest-Basis Problem Instance

In this section, consider Eve as an unauthorized third party between the communication of Alice and Bob. Suppose that Eve has Alice's public key $(B, \sigma, n)$ and Bob's ciphertext $\vec{c}$. To break the GGH cryptosystem, Eve aims to recover Bob's plaintext $\vec{m}$ using the available information. The security of the GGH cryptosystem relies on several lattice-based problems. Thus, the most obvious way to break the security of the GGH cryptosystem is by solving the underlying lattice-based problem instances that arise from the GGH cryptosystem. For that purpose, Eve launches Babai's round-off attack and the embedding attack. Since Eve does not have Alice's private basis $G$, she cannot perform the effective decryption done by Alice. The only information available to her is the public basis $B$, which is a bad basis. Suppose that Eve proceeds to perform the decryption using the public basis $B$. Before that, consider the following proposition:


Proposition 4.1: For $\sigma \in \mathbb{N}$, let $\vec{\sigma} = \{+\sigma\}^n$, $\vec{e} \in \{-\sigma, +\sigma\}^n$ and $M \in \mathbb{R}^{n \times n}$. If $\lfloor M\vec{\sigma} \rceil = \vec{0}$, then $\lfloor M\vec{e} \rceil = \vec{0}$.

Proof: Consider the vector $M\vec{\sigma}$ as follows,

$$M\vec{\sigma} = \begin{pmatrix} m_{1,1} & m_{1,2} & \cdots & m_{1,n} \\ m_{2,1} & m_{2,2} & \cdots & m_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ m_{n,1} & m_{n,2} & \cdots & m_{n,n} \end{pmatrix} \begin{pmatrix} \sigma \\ \sigma \\ \vdots \\ \sigma \end{pmatrix} = \begin{pmatrix} \sigma\,(m_{1,1} + m_{1,2} + \cdots + m_{1,n}) \\ \sigma\,(m_{2,1} + m_{2,2} + \cdots + m_{2,n}) \\ \vdots \\ \sigma\,(m_{n,1} + m_{n,2} + \cdots + m_{n,n}) \end{pmatrix}$$

Suppose that $\lfloor M\vec{\sigma} \rceil = \vec{0}$. This implies that

$$|\sigma\,(m_{i,1} + m_{i,2} + \cdots + m_{i,n})| < \frac{1}{2}$$

for all $i = 1, \dots, n$. Now, consider the vector $M\vec{e}$ as follows,

$$M\vec{e} = \begin{pmatrix} m_{1,1} & m_{1,2} & \cdots & m_{1,n} \\ m_{2,1} & m_{2,2} & \cdots & m_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ m_{n,1} & m_{n,2} & \cdots & m_{n,n} \end{pmatrix} \begin{pmatrix} \pm\sigma \\ \pm\sigma \\ \vdots \\ \pm\sigma \end{pmatrix} = \begin{pmatrix} (\pm\sigma)\,(m_{1,1} + m_{1,2} + \cdots + m_{1,n}) \\ (\pm\sigma)\,(m_{2,1} + m_{2,2} + \cdots + m_{2,n}) \\ \vdots \\ (\pm\sigma)\,(m_{n,1} + m_{n,2} + \cdots + m_{n,n}) \end{pmatrix}$$

Assume that the $k$-th row of the matrix $M$ has the maximum $l_1$-norm, i.e.,

$$\sum_{j=1}^{n} |m_{k,j}| > \sum_{j=1}^{n} |m_{i,j}|$$

where $1 \le k \le n$, for all $i = 1, \dots, n$ and $k \ne i$. Consider the absolute value of the $k$-th row of the vector $M\vec{e}$ as follows,

$$|(\pm\sigma)\,(m_{k,1} + m_{k,2} + \cdots + m_{k,n})| = |\pm\sigma|\,|m_{k,1} + m_{k,2} + \cdots + m_{k,n}| = |\sigma\,(m_{k,1} + m_{k,2} + \cdots + m_{k,n})|.$$

Since

$$|\sigma\,(m_{i,1} + m_{i,2} + \cdots + m_{i,n})| < \frac{1}{2}$$

for all $i = 1, \dots, n$, then

$$|\sigma\,(m_{k,1} + m_{k,2} + \cdots + m_{k,n})| < \frac{1}{2}$$

as well. Since $\sigma\,(m_{k,1} + m_{k,2} + \cdots + m_{k,n})$ is the largest entry in the vector $M\vec{e}$, the absolute value of each entry of the vector $M\vec{e}$ is less than $\frac{1}{2}$ as well. Consequently, $\lfloor M\vec{e} \rceil = \vec{0}$ and this ends the proof.


Now, consider the following attack by Eve on the GGH cryptosystem:

Lemma 4.1: Let $B \in \mathbb{R}^{n \times n}$ be a basis for the lattice $L(B) = L \subset \mathbb{R}^n$, $\sigma \in \mathbb{N}$ be a threshold parameter, $\vec{e} \in \{-\sigma, +\sigma\}^n$ be an error vector and $\vec{\sigma} = \{+\sigma\}^n$. Suppose that $\vec{y} \in \mathbb{R}^n$ such that $\vec{y} = B^{-1}\vec{c}$. If $\lfloor B^{-1}\vec{\sigma} \rceil = \vec{0}$, then $\lfloor \vec{y} \rceil = \vec{m} \in \mathbb{Z}^n$.

Proof: Note that,

$$\begin{aligned}
\lfloor \vec{y} \rceil &= \lfloor B^{-1}\vec{c} \rceil \\
&= \lfloor B^{-1}(B\vec{m} + \vec{e}) \rceil \\
&= \lfloor B^{-1}B\vec{m} + B^{-1}\vec{e} \rceil \\
&= \lfloor \vec{m} \rceil + \lfloor B^{-1}\vec{e} \rceil \\
&= \vec{m} + \lfloor B^{-1}\vec{e} \rceil
\end{aligned}$$

since $\vec{m} \in \mathbb{Z}^n$. Suppose that $\lfloor B^{-1}\vec{\sigma} \rceil = \vec{0}$. According to Proposition 4.1, we have $\lfloor B^{-1}\vec{e} \rceil = \vec{0}$ as well. Therefore,

$$\lfloor \vec{y} \rceil = \vec{m} + \lfloor \vec{0} \rceil = \vec{m}$$

which indicates that decryption by Eve succeeds. This ends the proof.

Instead of performing decryption using the bad basis $B$, Eve could alternatively use the reduced form of the basis $B$. By reducing the basis $B$ using a lattice-reduction algorithm, the orthogonality of the bad basis $B$ can be improved. Suppose that Eve uses the LLL algorithm as the lattice-reduction tool. Then, denote the LLL-reduced form of the basis $B$ as $B_{LLL}$, where $\mathrm{dualOD}(B_{LLL}) < \mathrm{dualOD}(B)$.

Now, consider the following lemma:

Lemma 4.2: Let $B \in \mathbb{R}^{n \times n}$ be a basis for the lattice $L(B) = L \subset \mathbb{R}^n$, $B_{LLL} \in \mathbb{R}^{n \times n}$ be the LLL-reduced form of the basis $B$ such that $B_{LLL} = BT$ where $T \in \mathbb{Z}^{n \times n}$ is a unimodular matrix, $\sigma \in \mathbb{N}$ be the threshold parameter, $\vec{e} \in \{-\sigma, +\sigma\}^n$ be the error vector, $\vec{\sigma} = \{+\sigma\}^n$ and $\vec{c} \in \mathbb{R}^n$ be the ciphertext vector such that $\vec{c} = B\vec{m} + \vec{e}$ where $\vec{m} \in \mathbb{Z}^n$ is the plaintext vector. Suppose that $\vec{z} \in \mathbb{R}^n$ such that $\vec{z} = B_{LLL}^{-1}\vec{c}$. If $\lfloor B_{LLL}^{-1}\vec{\sigma} \rceil = \vec{0}$, then $T\lfloor \vec{z} \rceil = \vec{m}$.

Proof: Note that,

$$\begin{aligned}
T\lfloor \vec{z} \rceil &= T\lfloor B_{LLL}^{-1}\vec{c} \rceil \\
&= T\lfloor B_{LLL}^{-1}(B\vec{m} + \vec{e}) \rceil \\
&= T\lfloor B_{LLL}^{-1}B\vec{m} + B_{LLL}^{-1}\vec{e} \rceil \\
&= \lfloor TB_{LLL}^{-1}B\vec{m} \rceil + T\lfloor B_{LLL}^{-1}\vec{e} \rceil \\
&= \lfloor B^{-1}B_{LLL}B_{LLL}^{-1}B\vec{m} \rceil + T\lfloor B_{LLL}^{-1}\vec{e} \rceil \\
&= \lfloor \vec{m} \rceil + T\lfloor B_{LLL}^{-1}\vec{e} \rceil \\
&= \vec{m} + T\lfloor B_{LLL}^{-1}\vec{e} \rceil
\end{aligned}$$

since $T = B^{-1}B_{LLL}$ and $\vec{m} \in \mathbb{Z}^n$. Suppose that $\lfloor B_{LLL}^{-1}\vec{\sigma} \rceil = \vec{0}$. According to Proposition 4.1, we have $\lfloor B_{LLL}^{-1}\vec{e} \rceil = \vec{0}$ as well. Therefore,

$$T\lfloor \vec{z} \rceil = \lfloor \vec{m} + \vec{0} \rceil = \vec{m}$$

which indicates that decryption by Eve succeeds. This ends the proof.

From Lemma 4.2, it can be observed that Eve's attempt to perform decryption using the reduced basis $B_{LLL}$ succeeds once the reduced basis $B_{LLL}$ satisfies the condition $\lfloor B_{LLL}^{-1}\vec{\sigma} \rceil = \vec{0}$. This condition can be met if the reduced basis $B_{LLL}$ has much shorter and more orthogonal basis vectors than the original basis $B$.

In other words, the reduced basis $B_{LLL}$ must have a small dual-orthogonality defect. Finding such a lattice basis is an SBP instance. Thus, we propose the following definition for the underlying SBP instance that arises from the GGH cryptosystem, addressed as the GGH-SBP instance.

Definition 4.1: Let $B \in \mathbb{R}^{n \times n}$ be the basis for the lattice $L(B) = L \subset \mathbb{R}^n$, $\sigma \in \mathbb{N}$ be the threshold parameter and $\vec{\sigma} = \{+\sigma\}^n$. Suppose that the reduced form of the basis $B$ is denoted as $B_{reduced}$ such that $B_{reduced} = BT$ where $T \in \mathbb{Z}^{n \times n}$ is a unimodular matrix. The GGH-SBP instance is to find the reduced basis $B_{reduced}$ such that $\mathrm{dualOD}(B_{reduced}) < \mathrm{dualOD}(B)$ and $\lfloor B_{reduced}^{-1}\vec{\sigma} \rceil = \vec{0}$.

In Definition 4.1, we generalize the lattice-reduction algorithm used for reducing the public basis $B$. Eve may use any lattice-reduction algorithm, such as the LLL algorithm or any of its variants. By solving the GGH-SBP instance, Eve could perform effective decryption as done by Alice and obtain the plaintext $\vec{m} \in \mathbb{Z}^n$ exactly as sent by Bob to Alice.


5. Discussion

As stated in Lemma 4.1, the computed public basis $B$ needs to satisfy the condition $\lfloor B^{-1}\vec{\sigma} \rceil \ne \vec{0}$ so that unauthorized decryption by Eve using the public basis $B$ does not succeed. In the GGH key generation algorithm, Alice needs to check this condition in addition to ensuring that the public basis $B$ is a bad basis. Although Alice does not know the exact entries of the error vector $\vec{e} \in \{-\sigma, +\sigma\}^n$ generated by Bob, Alice can check the condition since it only involves the vector $\vec{\sigma}$ rather than the error vector $\vec{e}$.

On the other hand, another condition that needs to be fulfilled by the public basis $B$ is stated in Lemma 4.2. The computed public basis $B$ must be bad enough, with a large dual-orthogonality defect, and the chosen lattice dimension $n$ must also be large enough. This is important for ensuring that no lattice-reduction algorithm can efficiently reduce the public basis $B$ in a reasonable amount of time. If Eve could efficiently reduce the public basis $B$ and the condition $\lfloor B_{reduced}^{-1}\vec{\sigma} \rceil = \vec{0}$ holds, then Eve could use the reduced basis $B_{reduced}$ as effectively as Alice's private basis $G$ to perform decryption and eventually break the GGH cryptosystem. These strategies can be considered for strengthening the GGH cryptosystem and its variants.
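As an added worked example (editor's code, not from the paper or from the GGH authors), the following Python carries Tables 1 to 3 through on a constructed 3-dimensional instance in exact rational arithmetic, computes dualOD from Definition 2.2 and the bound on σ from Theorem 3.1, and implements the key-generation check discussed above. The matrices G_PRIV and U_UNI, the threshold σ = 3, the plaintext and the error vector are all constructed for the demonstration. The second test inside public_basis_check (σ·ρ(B) ≥ 1/2, i.e. the Theorem 3.1 bound applied to the public basis instead of the private one) is this editor's addition and is not a condition stated in the paper.

```python
# Added example (editor's code, not from the paper): a toy GGH instance in
# exact rational arithmetic covering Tables 1-3, Definition 2.2 (dualOD),
# the Theorem 3.1 bound on sigma and the public-key check of Section 5.
from fractions import Fraction
from math import prod, sqrt

def mat_inverse(M):
    """Exact inverse of a square matrix (list of rows) by Gauss-Jordan elimination."""
    n = len(M)
    A = [[Fraction(x) for x in M[i]] + [Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if A[r][col] != 0)   # StopIteration if singular
        A[col], A[pivot] = A[pivot], A[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def det(M):
    """Exact determinant by Laplace expansion (fine for the small toy dimension)."""
    if len(M) == 1:
        return Fraction(M[0][0])
    return sum((-1) ** j * Fraction(M[0][j]) * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def mat_vec(A, v):
    return [sum(A[i][k] * v[k] for k in range(len(v))) for i in range(len(A))]

def rho(basis):
    """Theorem 3.1: maximum l1-norm over the rows of basis^{-1}."""
    return max(sum(abs(x) for x in row) for row in mat_inverse(basis))

def dual_od(basis):
    """Definition 2.2: product of the row norms of basis^{-1} over |det basis^{-1}|."""
    inv = mat_inverse(basis)
    norms = [sqrt(float(sum(x * x for x in row))) for row in inv]
    return prod(norms) / abs(float(det(inv)))

def keygen(G, U, sigma):
    """Table 1, with sigma < 1/(2 rho) from Theorem 3.1 enforced; B = G U^{-1}."""
    assert abs(det(U)) == 1, "U must be unimodular"
    assert Fraction(sigma) < 1 / (2 * rho(G)), "sigma too large: decryption errors possible"
    B = mat_mul(G, mat_inverse(U))
    return (B, sigma, len(G)), (G, U)

def encrypt(pub, m, e):
    """Table 2: c = B m + e with every entry of e equal to -sigma or +sigma."""
    B, sigma, n = pub
    assert len(m) == n and all(abs(x) == sigma for x in e)
    return [a + b for a, b in zip(mat_vec(B, m), e)]

def decrypt(priv, c):
    """Table 3: x = G^{-1} c, round entry-wise, then m = U round(x)."""
    G, U = priv
    return mat_vec(U, [round(xi) for xi in mat_vec(mat_inverse(G), c)])

def roundoff(basis, c):
    """Round-off with an arbitrary basis, i.e. round(basis^{-1} c) as in Lemma 4.1."""
    return [round(xi) for xi in mat_vec(mat_inverse(basis), c)]

def public_basis_check(pub):
    """Section 5 check round(B^{-1} sigma_vec) != 0, plus the Theorem 3.1 bound applied
    to B (editor's addition): if sigma * rho(B) < 1/2, round-off with the public basis
    alone would decrypt every ciphertext, so a key failing either test is rejected."""
    B, sigma, n = pub
    Binv = mat_inverse(B)
    page_check = any(round(v) != 0 for v in mat_vec(Binv, [Fraction(sigma)] * n))
    rho_B = max(sum(abs(x) for x in row) for row in Binv)
    bound_check = sigma * rho_B >= Fraction(1, 2)
    return page_check, bound_check

# Constructed toy instance (n = 3; values chosen to be checkable by hand).
G_PRIV = [[20, 1, 0], [0, 20, 0], [0, 0, 20]]   # nearly orthogonal private basis
U_UNI = [[1, 4, 1], [2, 9, 4], [3, 13, 6]]      # unimodular, det = 1
SIGMA = 3                                       # rho(G) = 21/400, so 1/(2 rho) is about 9.5
M_PLAIN = [5, -2, 7]
E_ERR = [3, -3, 3]

def demo():
    pub, priv = keygen(G_PRIV, U_UNI, SIGMA)
    c = encrypt(pub, M_PLAIN, E_ERR)
    return {
        "decrypted": decrypt(priv, c),                      # equals M_PLAIN
        "roundoff_with_public_basis": roundoff(pub[0], c),  # misses one coordinate here
        "key_check": public_basis_check(pub),               # (True, True)
        "dual_od_private": dual_od(G_PRIV),                 # close to 1 (good basis)
        "dual_od_public": dual_od(pub[0]),                  # in the hundreds (bad basis)
    }
```

Running demo() returns the plaintext recovered with the private key, the result of round-off with the public basis on the same ciphertext (which is off by one in the last coordinate on this instance), the outcome of the two key-generation checks, and the two dual-orthogonality defects. Anyone extending the check to real parameters should keep the exact arithmetic: floating-point rounding near the 1/2 boundary would hide exactly the borderline keys the check is meant to reject.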

6. Conclusion

In this paper, we explicitly defined the underlying GGH-SBP instance of the GGH cryptosystem. By properly and explicitly defining the underlying lattice problem instances that arise from the GGH cryptosystem, more thorough investigation of the features and behaviours of these instances can be done. From that, we could discover more strategies for strengthening the security of the GGH cryptosystem by preventing any potential attacks related to these instances.

Acknowledgements

The present research is partially supported by the Putra Grant with project number GP 2017/9552200. The corresponding author also wants to acknowledge the Malaysian Ministry of Education and Universiti Malaysia Sabah for financial support.


References

de Barros, C. F. and Schechter, L. M. (2015). GGH may not be dead after all. Proceeding Series of the Brazilian Society of Computational and Applied Mathematics, 3(1).

Galbraith, S. D. (2012). Mathematics of Public Key Cryptography. Cambridge University Press.

Goldreich, O., Goldwasser, S., and Halevi, S. (1997). Public-key cryptosystems from lattice reduction problems. In Annual International Cryptology Conference, pages 112–131. Springer.

Goodaire, E. G. (2013). Linear Algebra: Pure & Applied. World Scientific Publishing Company.

Hoffstein, J., Pipher, J., and Silverman, J. H. (2008). An Introduction to Mathematical Cryptography, volume 1. Springer.

Lee, M. S. and Hahn, S. G. (2010). Cryptanalysis of the GGH cryptosystem. Mathematics in Computer Science, 3(2):201–208.

Mandangan, A., Kamarulhaili, H., and Asbullah, M. A. (2018). On the underlying hard lattice problems of GGH encryption scheme. In Cryptology and Information Security Conference 2018, page 42.

Micciancio, D. (2001). Improving lattice based cryptosystems using the Hermite normal form. In International Cryptography and Lattices Conference, pages 126–145. Springer.

Nguyen, P. (1999). Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto'97. In Annual International Cryptology Conference, pages 288–304. Springer.

Paeng, S.-H., Jung, B. E., and Ha, K.-C. (2003). A lattice based public key cryptosystem using polynomial representations. In International Workshop on Public Key Cryptography, pages 292–308. Springer.

Shor, P. W. (1999). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review, 41(2):303–332.

Sipasseuth, A., Plantard, T., and Susilo, W. (2019). Enhancing Goldreich, Goldwasser and Halevi's scheme with intersecting lattices. Journal of Mathematical Cryptology, 13(3-4):169–196.

Yoshino, M. and Kunihiro, N. (2012). Improving GGH cryptosystem for large error vector. In 2012 International Symposium on Information Theory and its Applications, pages 416–420. IEEE.


Malaysian Journal of Mathematical Sciences 13(S) August: 13–30 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

Alternative Method to Find the Number of Points on Koblitz Curve

Hadani, N.H.1, Yunos, F. ∗1,2,, Arin, M.R.K.1,2,, Sapar, S.H.1,2,,

and Rahman, N.N.A.2,3

1Laboratory of Cryptography, Analysis and Structure, Institute for

Mathematical Research, Universiti Putra Malaysia, Malaysia2Department of Mathematics, Faculty of Science, Universiti Putra

Malaysia, Malaysia3Pusat Teknologi Pintar UKM-MTDC, Kolej PERMATApintar

Negara, Malaysia

E-mail: [email protected]∗Corresponding author

ABSTRACT

A Koblitz curve $E_a$ is defined over the field $\mathbb{F}_{2^m}$. Let $\tau = \frac{(-1)^{1-a} + \sqrt{-7}}{2}$, where $a \in \{0, 1\}$, denote the Frobenius endomorphism from the set $E(\mathbb{F}_{2^m})$ to itself. It can be used to improve the performance of computing scalar multiplication on Koblitz curves. In this paper, another version of the formula for $\tau^m = r_m + s_m\tau$, where $r_m$ and $s_m$ are integers, is introduced. Through this approach, we discover an alternative method to find the number of points on the curve $E_a$.

Keywords: Koblitz curve, scalar multiplication, Frobenius endomorphism, elliptic curve cryptosystem, number of points.


1. Introduction

Elliptic Curve Cryptography (ECC) was discovered by Koblitz (1987). Elliptic curve based schemes have scalar multiplication (SM) as their dominant operation. Let $P$ and $Q$ be points on a Koblitz curve. SM is the repeated addition of a point along the curve up to $n$ times, denoted $nP = P + P + \cdots + P$ for some scalar $n$ such that $nP = Q$. The Frobenius endomorphism can be used to improve the performance of computing SM on Koblitz curves. Koblitz curves are defined over $\mathbb{F}_2$ as follows:

$$E_a : y^2 + xy = x^3 + ax^2 + 1$$

where $a \in \{0, 1\}$, as suggested by Koblitz (1992). The Frobenius map $\tau : E_a(\mathbb{F}_{2^m}) \to E_a(\mathbb{F}_{2^m})$ for a point $P = (x, y)$ on $E_a(\mathbb{F}_{2^m})$ is defined by $\tau(x, y) = (x^2, y^2)$ and $\tau(\infty) = \infty$, where $\infty$ is the point at infinity. It holds that $(\tau^2 + 2)P = t\tau(P)$ for all $P \in E_a(\mathbb{F}_{2^m})$, where the trace of the Frobenius map is $t = (-1)^{1-a}$. The $\tau$-NAF proposed by Solinas (2000) is one of the most efficient algorithms for computing SM on Koblitz curves.

To proceed with the discussion in this paper, the following definitions, which can be found in Ali et al. (2017), Hankerson et al. (2006), Hazewinkel (1994), Koblitz (1987), Solinas (1997), Suberi et al. (2016), Yunos et al. (2015a), Yunos et al. (2014b), Yunos et al. (2015b) and Hadani and Yunos (2018), will be applied.

Definition 1.1. An element of the ring $\mathbb{Z}(\tau)$ is defined as $r + s\tau$ where $r, s \in \mathbb{Z}$.

Definition 1.2. A $\tau$-adic Non-Adjacent Form (TNAF) of a nonzero element $n$ of $\mathbb{Z}(\tau)$ is defined as $\mathrm{TNAF}(n) = \sum_{i=0}^{l-1} c_i\tau^i$, where $l$ is the length of the expansion $\mathrm{TNAF}(n)$, $c_i \in \{-1, 0, 1\}$, $c_{l-1} \neq 0$ and $c_i c_{i+1} = 0$.

Definition 1.3. A Reduced $\tau$-adic Non-Adjacent Form (RTNAF) of a nonzero element $n$ of $\mathbb{Z}(\tau)$ is defined as $\mathrm{RTNAF}(n) = \sum_{i=0}^{l-1} c_i\tau^i$ in modulo $\frac{\tau^m - 1}{\tau - 1}$, where $l$ is the length of the expansion $\mathrm{RTNAF}(n)$, $c_i \in \{-1, 0, 1\}$, $c_{l-1} \neq 0$ and $c_i c_{i+1} = 0$.

Detailed examples of finding the TNAF and RTNAF can be found in Yunos and Suberi (2018) and Suberi et al. (2018).

Definition 1.4. Let $N : \mathbb{Q}(\tau) \to \mathbb{Q}$ be the norm function into the rational numbers, and let $\alpha = r + s\tau$ be an element of $\mathbb{Q}(\tau)$. The norm of $\alpha$ is defined as $N(\alpha) = r^2 + trs + 2s^2$, where $t = (-1)^{1-a}$ for $a \in \{0, 1\}$.


Definition 1.5. A Lucas sequence is a sequence of integers that can be used in the calculation of irrational quadratic numbers. The Lucas sequences $U_i$ and $V_i$ are defined as follows:

$$U_0 = 0,\quad U_1 = 1 \quad\text{and}\quad U_\kappa = tU_{\kappa-1} - 2U_{\kappa-2} \quad\text{for } \kappa \geq 2;$$

$$V_0 = 2,\quad V_1 = t \quad\text{and}\quad V_\kappa = tV_{\kappa-1} - 2V_{\kappa-2} \quad\text{for } \kappa \geq 2.$$

Theorem 1.1 from Yunos et al. (2014a), shown below, will be applied in the discussion of this paper.

Theorem 1.1. If $a_0 = 0$, $b_0 = 1$, $a_m = a_{m-1} + b_{m-1}$ and $b_m = -2a_{m-1}$, then $\tau^m = b_m t^m + a_m t^{m+1}\tau$ for $m > 0$.

Solinas (2000) generated the formula $\tau^m = U_m\tau - 2U_{m-1}$, which is used to find $\mathrm{TNAF}(n) \bmod (\tau^m - 1)$. Yunos et al. (2014a) produced Theorem 1.1 as an alternative version of the formula for $\tau^m$. That is, if $x_0 = 0$, $y_0 = 1$, $x_m = x_{m-1} + y_{m-1}$ and $y_m = -2x_{m-1}$, then $\tau^m = y_m t^m + x_m t^{m+1}\tau$ for $m > 0$. As a result, the process of converting the expansion $\mathrm{TNAF}\left(\sum_{m=0}^{l-1} c_m\tau^m\right)$ into an element of $\mathbb{Z}(\tau)$ became easier. Both $\tau^m$ formulas, produced by Solinas (2000) and Yunos et al. (2014a), can be used to calculate the number of points on the curve $E_a$. The formulas are as follows:

$$\#E_a(\mathbb{F}_{2^m}) = p \cdot \#E_a(\mathbb{F}_2) \quad\text{where } p > 2 \text{ is a prime},$$

$$\#E_a(\mathbb{F}_{2^m}) = 2^m + 1 - V_m, \qquad \#E_a(\mathbb{F}_{2^m}) = N(\tau^m - 1), \tag{1}$$

$$\#E_a(\mathbb{F}_{2^m}) = \#E_a(\mathbb{F}_2) \cdot N\!\left(\frac{\tau^m - 1}{\tau - 1}\right) \quad\text{where } |P| = N\!\left(\frac{\tau^m - 1}{\tau - 1}\right),$$

$$\#E_a(\mathbb{F}_{2^m}) = b_m^2 + 2a_m^2 + a_m b_m + 1 - (2b_m + a_m)t^m.$$

The formula $N\!\left(\sum_{m=0}^{l-1} c_m\tau^m\right) = r^2 + trs + 2s^2$, where $r = \sum_{m=0}^{l-1} c_m b_m t^m$ and $s = \sum_{m=0}^{l-1} c_m a_m t^{m+1}$, was applied by Ali and Yunos (2016) to find maximum and minimum norms.


In this paper, our approach is to introduce $a_{im}$ for $2 \leq i \leq \frac{m+1}{2}$. Subsequently, an alternative formula for $\tau^m$ is proposed. As a result, by using the new $\tau^m$, we find the number of points that pass through the curve $E_a$.

In the next section, we introduce an alternative form of $\tau^m$ by proving Propositions 2.1 and 2.2, hence providing an alternative version that differs from the $\tau^m$ introduced by Solinas (2000) and Yunos et al. (2014a).

2. Alternative formula for $\tau^m$

We begin with the identity $\tau^2 = t\tau - 2$. We expand $\tau^m$ for $m \in \mathbb{Z}^+$ in the form $r_m + s_m\tau$. For example, for $m = 1$ and $m = 2$, we obtain $\tau^1 = 0 + 1\tau$ and $\tau^2 = -2 + t\tau$ respectively. The values of $r_m$ and $s_m$ for $m \in \{1, 2, 3, \ldots, 12\}$, obtained by repeatedly expanding with the $\tau$ identity, are listed in Table 1.

Table 1: All $r_m$ and $s_m$ of $\tau^m$ for $1 \leq m \leq 12$

| $m$ | $r_m$ | $s_m$ |
|---|---|---|
| 1 | $0$ | $1$ |
| 2 | $-2$ | $t$ |
| 3 | $-2t$ | $t^2 - 2$ |
| 4 | $-2t^2 + 4$ | $t^3 - 4t$ |
| 5 | $-2t^3 + 8t$ | $t^4 - 6t^2 + 4$ |
| 6 | $-2t^4 + 12t^2 - 8$ | $t^5 - 8t^3 + 12t$ |
| 7 | $-2t^5 + 16t^3 - 24t$ | $t^6 - 10t^4 + 24t^2 - 8$ |
| 8 | $-2t^6 + 20t^4 - 48t^2 + 16$ | $t^7 - 12t^5 + 40t^3 - 32t$ |
| 9 | $-2t^7 + 24t^5 - 80t^3 + 64t$ | $t^8 - 14t^6 + 60t^4 - 80t^2 + 16$ |
| 10 | $-2t^8 + 28t^6 - 120t^4 + 160t^2 - 32$ | $t^9 - 16t^7 + 84t^5 - 160t^3 + 80t$ |
| 11 | $-2t^9 + 32t^7 - 168t^5 + 320t^3 - 160t$ | $t^{10} - 18t^8 + 112t^6 - 280t^4 + 240t^2 - 32$ |
| 12 | $-2t^{10} + 36t^8 - 224t^6 + 560t^4 - 480t^2 + 64$ | $t^{11} - 20t^9 + 144t^7 - 448t^5 + 560t^3 - 192t$ |

Definition 2.1 was introduced through this table.

Definition 2.1. Given that $\tau^m = r_m + s_m\tau$ is an element of $\mathbb{Z}(\tau)$ for any positive integer $m$, let $a_{1m} = 1$. We define $a_{im}$ as the $i$-th coefficient in the expansion of $s_m$, for $i \in \{1, \ldots, \lfloor\frac{m-1}{2}\rfloor\}$.

Next, we start with the generation of Table 2. By using Definition 2.1 and Table 1, we decompose the $s_m$ of $\tau^m$ for $1 \leq m \leq 12$ as given in the following table.

Table 2: $s_m$ of $\tau^m$ for $1 \leq m \leq 12$, where $s_m = \sum_{i=1}^{m} a_{im}t^{m-2i+1}$

| $m$ | $a_{1m}$ | $a_{2m}t^{m-3}$ | $a_{3m}t^{m-5}$ | $a_{4m}t^{m-7}$ | $a_{5m}t^{m-9}$ | $a_{6m}t^{m-11}$ |
|---|---|---|---|---|---|---|
| 1 | $1$ | | | | | |
| 2 | $1$ | | | | | |
| 3 | $1$ | $-2$ | | | | |
| 4 | $1$ | $-4t$ | | | | |
| 5 | $1$ | $-6t^2$ | $4$ | | | |
| 6 | $1$ | $-8t^3$ | $12t$ | | | |
| 7 | $1$ | $-10t^4$ | $24t^2$ | $-8$ | | |
| 8 | $1$ | $-12t^5$ | $40t^3$ | $-32t$ | | |
| 9 | $1$ | $-14t^6$ | $60t^4$ | $-80t^2$ | $16$ | |
| 10 | $1$ | $-16t^7$ | $84t^5$ | $-160t^3$ | $80t$ | |
| 11 | $1$ | $-18t^8$ | $112t^6$ | $-280t^4$ | $240t^2$ | $-32$ |
| 12 | $1$ | $-20t^9$ | $144t^7$ | $-448t^5$ | $560t^3$ | $-192t$ |

From Table 2, we can observe the pattern of $a_{2m}$ for $1 \leq m \leq 12$ to obtain the general form of $s_m$. We found that the sequence $\{a_{2m}\}_{m=3}^{m=12} = -2, -4, -6, -8, -10, -12, -14, -16, -18, -20$ can be written in the form
$$(-1)^{2-1}\frac{2}{(2-1)!}(3-2),\ (-1)^{2-1}\frac{2}{(2-1)!}(4-2),\ (-1)^{2-1}\frac{2}{(2-1)!}(5-2),\ \ldots,\ (-1)^{2-1}\frac{2}{(2-1)!}(12-2),$$
that is,
$$a_{2m} = (-1)^{2-1}\frac{2}{(2-1)!}\prod_{j=2}^{2(2)-2}(m-j).$$
We obtained the following conjecture from this pattern.

Conjecture 2.1. The sequence $\{a_{2m}\}_{m=3}^{m=\infty} = -2, -4, -6, -8, -10, \ldots$ has the general formula $a_{2m} = a_{2,m-1} - 2$.

The following result is then used in the proof of Lemma 2.2.

Lemma 2.1. If $a_{2m} = a_{2,m-1} - 2$, then the coefficient is
$$a_{2m} = -2(m-2)$$
for any integer $m \geq 3$.

Proof. The proof of this lemma can be found in Hadani and Yunos (2018).


Now, we observe the sequence $\{a_{3m}\}_{m=5}^{m=12} = 4, 12, 24, 40, 60, 84, 112, 144$. We identified that this sequence can be written in the form
$$(-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(5-3)(5-4),\ (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(6-3)(6-4),\ (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(7-3)(7-4),\ \ldots,\ (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(12-3)(12-4),$$
that is,
$$a_{3m} = (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}\prod_{j=3}^{2(3)-2}(m-j).$$
From the pattern of the sequences that we obtained, we can conclude the general form of $a_{im}$ as in the following lemma.

Lemma 2.2. If $a_{1m} = 1$, then the coefficient in the expansion of $s_m$ is
$$a_{im} = (-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)$$
for $2 \leq i \leq \frac{m+1}{2}$ and $m \geq 2i-1$.

Proof. We prove by mathematical induction as follows. For $i = 2$,
$$\begin{aligned}
a_{2m} &= -2(m-2) \quad\text{from Lemma 2.1}\\
&= (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}\prod_{j=2}^{2(2)-2}(m-j),
\end{aligned}$$
so the statement is true. Assume that for $i = k$, $a_{km} = (-1)^{k-1}\frac{2^{k-1}}{(k-1)!}\prod_{j=k}^{2k-2}(m-j)$ is true for $2 \leq k \leq \frac{m+1}{2}$.


Now, let $i = k + 1$. Then
$$\begin{aligned}
a_{k+1,m} &= a_{km}\left(\frac{(-1)\,2}{k}\cdot\frac{(m-2k+1)(m-2k)}{m-k}\right)\\
&= \left((-1)^{k-1}\frac{2^{k-1}}{(k-1)!}\prod_{j=k}^{2k-2}(m-j)\right)\left(\frac{(-1)\,2}{k}\cdot\frac{(m-2k+1)(m-2k)}{m-k}\right)\\
&= \left((-1)^{k-1}\frac{2^{k-1}}{(k-1)!}(m-k)(m-(k+1))(m-(k+2))\cdots(m-(2k-2))\right)\left(\frac{(-1)\,2}{k}\cdot\frac{(m-2k+1)(m-2k)}{m-k}\right)\\
&= (-1)^{k+1-1}\frac{2^{k+1-1}}{(k+1-1)!}\Big((m-(k+1))(m-(k+2))\cdots(m-(2k-2))\cdot(m-(2k-1))(m-(2(k+1)-2))\Big)\\
&= (-1)^{k+1-1}\frac{2^{k+1-1}}{(k+1-1)!}\prod_{j=k+1}^{2(k+1)-2}(m-j).
\end{aligned}$$
Subsequently, it is true for all integers $i \in \mathbb{N}$.

Below are the propositions for $s_m$ and $r_m$ in $\tau^m = r_m + s_m\tau$; their proofs use Lemma 2.2. These propositions bring out another version of the expansion of $\tau^m$.

Proposition 2.1. Given that $\tau^m = r_m + s_m\tau$ is an element of $\mathbb{Z}(\tau)$ for any positive integer $m$, let $s_1 = 1$ and $s_2 = t$. If $a_{im}$ is as in Lemma 2.2, then the coefficient $s_m$ can be written as
$$s_m = \sum_{i=1}^{\lfloor\frac{m+1}{2}\rfloor} a_{im}t^{m-2i+1} \tag{2}$$
where $a_{1m} = 1$ and $m \geq 3$.

</gr_repl
ace>
<gr_replace lines="894-936" cat="clarify" orig="Proof. By mathematical">
Proof. By mathematical induction we have the following. If $m = 3$, then from Table 2 we obtain
$$\begin{aligned}
s_3 &= t^2 - 2\\
&= 1t^2 + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(3-2)\,t^0\\
&= 1t^2 + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}\prod_{j=2}^{2(2)-2}(3-j)\,t^0\\
&= a_{13}t^2 + a_{23}t^0\\
&= a_{13}t^{3-2(1)+1} + a_{23}t^{3-2(2)+1}\\
&= \sum_{i=1}^{\lfloor\frac{3+1}{2}\rfloor} a_{i3}t^{3-2i+1}.
\end{aligned}$$
The hypothesis (2) is true for $m = 3$. Assume that if $m = k$, then
$$s_k = \sum_{i=1}^{\lfloor\frac{k+1}{2}\rfloor} a_{ik}t^{k-2i+1} \quad\text{where } a_{1k} = 1 \text{ and } k \geq 3$$
is true.

Now, if $m = k + 1$, we can separate the proof into two different cases, that is, $k$ an odd number (O) and $k$ an even number (E), as follows.

Proof. By mathematical induction we have the followingIf m = 3, then from Table 2, we obtain

s3 = t2 − st

= 1t2 + (−1)2−122−1

(2− 1)!(3− 2)t2

= 1t2 + (−1)2−122−1

(2− 1)!

2(2)−2∏

j=2

(3− j)t2

= a13t2 + a23t

= a13t3−2(1)+1 + a23t

3−2(2)+1

=

b 3+12 c∑

i=1

ai3t3−2i+1.

The hypothesis (2) is true for m = 3.Assume that if m = k, then

sk =

b k+12 c∑

i=1

aiktk−2i+1 where a1k = 1 and k ≥ 3 is true.

Now, if m = k + 1, we can separate the proof into two dierent cases. That isfor k is an odd number (O) and k is an even number (E) as follows.


For $k \in O$,
$$\begin{aligned}
s_{k+1} &= t\sum_{i=1}^{\lfloor\frac{k+1}{2}\rfloor} a_{ik}\,\frac{k+1-i}{k-2i+2}\,t^{k-2i+1}\\
&= t\left(a_{1k}t^{k-1} + a_{2k}\frac{k-1}{k-2}t^{k-3} + a_{3k}\frac{k-2}{k-4}t^{k-5} + \cdots + a_{\lfloor\frac{k+1}{2}\rfloor k}\,\frac{k+1-\lfloor\frac{k+1}{2}\rfloor}{k-2\lfloor\frac{k+1}{2}\rfloor+2}\,t^{k-2\lfloor\frac{k+1}{2}\rfloor+1}\right)\\
&= a_{1k}t^{k} + a_{2k}\frac{k-1}{k-2}t^{k-2} + a_{3k}\frac{k-2}{k-4}t^{k-4} + \cdots + a_{\lfloor\frac{k+1}{2}\rfloor k}\,\frac{k+1-\lfloor\frac{k+1}{2}\rfloor}{k-2\lfloor\frac{k+1}{2}\rfloor+2}\,t^{k-2\lfloor\frac{k+1}{2}\rfloor+2}.
\end{aligned}$$
By using $a_{ik}$ from Lemma 2.2, and since $\lfloor\frac{k+1}{2}\rfloor = \lfloor\frac{k+2}{2}\rfloor$ when $k \in O$, we have the following.
$$\begin{aligned}
s_{k+1} &= 1t^{k} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k-2)\cdot\frac{k-1}{k-2}\,t^{k-2} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k-3)(k-4)\cdot\frac{k-2}{k-4}\,t^{k-4} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1}{2}\rfloor-1}}{(\lfloor\frac{k+1}{2}\rfloor-1)!}\left(k-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1}{2}\rfloor-1\right)\cdots\left(k-2\lfloor\tfrac{k+2}{2}\rfloor+3\right)\left(k-2\lfloor\tfrac{k+2}{2}\rfloor+2\right)\cdot\frac{k+1-\lfloor\frac{k+1}{2}\rfloor}{k-2\lfloor\frac{k+2}{2}\rfloor+2}\,t^{k+2-2\lfloor\frac{k+1}{2}\rfloor}\\
&= 1t^{k-2(1)+2} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k+1-2)t^{k-2(2)+2} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k+1-3)(k+1-4)t^{k-2(3)+2} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1+1}{2}\rfloor-1}}{(\lfloor\frac{k+1+1}{2}\rfloor-1)!}\left(k+1-\lfloor\tfrac{k+1+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1+1}{2}\rfloor-1\right)\cdots\left(k+1-2\lfloor\tfrac{k+1+1}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+1+1}{2}\rfloor+2}\\
&= a_{1,k+1}t^{k+1-1} + a_{2,k+1}t^{k+1-3} + a_{3,k+1}t^{k+1-5} + \cdots + a_{\lfloor\frac{k+1+1}{2}\rfloor,k+1}\,t^{k+1-2\lfloor\frac{k+1+1}{2}\rfloor+1}\\
&= \sum_{i=1}^{\lfloor\frac{k+1+1}{2}\rfloor} a_{i,k+1}t^{k+1-2i+1}.
\end{aligned}$$
Therefore, the hypothesis (2) is also true for $m = k + 1$ where $k$ is an odd number.

Now, we consider if $k$ is even. That is, for $k \in E$,

$$\begin{aligned}
s_{k+1} &= t\sum_{i=1}^{\lfloor\frac{k+1}{2}\rfloor} a_{ik}\,\frac{k+1-i}{k-2i+2}\,t^{k-2i+1} + a_{\lfloor\frac{k+2}{2}\rfloor,k+1}\,t^{k-2\lfloor\frac{k+2}{2}\rfloor+2}\\
&= \left(a_{1k}t^{k} + a_{2k}\frac{k-1}{k-2}t^{k-2} + a_{3k}\frac{k-2}{k-4}t^{k-4} + \cdots + a_{\lfloor\frac{k+1}{2}\rfloor k}\,\frac{k+1-\lfloor\frac{k+1}{2}\rfloor}{k-2\lfloor\frac{k+1}{2}\rfloor+2}\,t^{k-2\lfloor\frac{k+1}{2}\rfloor+2}\right) + a_{\lfloor\frac{k+2}{2}\rfloor,k+1}\,t^{k-2\lfloor\frac{k+2}{2}\rfloor+2}.
\end{aligned}$$
By using $a_{ik}$ from Lemma 2.2, we have the following.
$$\begin{aligned}
s_{k+1} &= \Bigg(1t^{k} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k-2)\cdot\frac{k-1}{k-2}\,t^{k-2} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k-3)(k-4)\cdot\frac{k-2}{k-4}\,t^{k-4} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1}{2}\rfloor-1}}{(\lfloor\frac{k+1}{2}\rfloor-1)!}\left(k-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1}{2}\rfloor-1\right)\cdots\left(k-2\lfloor\tfrac{k+2}{2}\rfloor+2\right)\cdot\frac{k+1-\lfloor\frac{k+1}{2}\rfloor}{k-2\lfloor\frac{k+2}{2}\rfloor+2}\,t^{k+2-2\lfloor\frac{k+1}{2}\rfloor}\Bigg)\\
&\quad + (-1)^{\lfloor\frac{k+2}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+2}{2}\rfloor-1}}{(\lfloor\frac{k+2}{2}\rfloor-1)!}\left(k+1-\lfloor\tfrac{k+2}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+2}{2}\rfloor\right)\cdots\left(k+1-2\lfloor\tfrac{k+2}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+2}{2}\rfloor+2}\\
&= 1t^{k} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k-1)t^{k-2} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k-2)(k-3)t^{k-4} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1}{2}\rfloor-1}}{(\lfloor\frac{k+1}{2}\rfloor-1)!}\left(k+1-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1}{2}\rfloor-1\right)\cdots\left(k+1-2\lfloor\tfrac{k+1}{2}\rfloor+2\right)t^{k+2-2\lfloor\frac{k+1}{2}\rfloor}\\
&\quad + (-1)^{\lfloor\frac{k+2}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+2}{2}\rfloor-1}}{(\lfloor\frac{k+2}{2}\rfloor-1)!}\left(k+1-\lfloor\tfrac{k+2}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+2}{2}\rfloor\right)\cdots\left(k+1-2\lfloor\tfrac{k+2}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+2}{2}\rfloor+2}\\
&= 1t^{k-2(1)+2} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k+1-2)t^{k-2(2)+2} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k+1-3)(k+1-4)t^{k-2(3)+2} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1+1}{2}\rfloor-1}}{(\lfloor\frac{k+1+1}{2}\rfloor-1)!}\left(k+1-\lfloor\tfrac{k+1+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1+1}{2}\rfloor\right)\left(k-\lfloor\tfrac{k+1+1}{2}\rfloor-1\right)\cdots\left(k+1-2\lfloor\tfrac{k+1+1}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+1+1}{2}\rfloor+2}\\
&= a_{1,k+1}t^{k+1-1} + a_{2,k+1}t^{k+1-3} + a_{3,k+1}t^{k+1-5} + \cdots + a_{\lfloor\frac{k+1+1}{2}\rfloor,k+1}\,t^{k+1-2\lfloor\frac{k+1+1}{2}\rfloor+1}\\
&= \sum_{i=1}^{\lfloor\frac{k+1+1}{2}\rfloor} a_{i,k+1}t^{k+1-2i+1}.
\end{aligned}$$

Proposition 2.1 is important as it aids the proof of the next proposition, for $r_m$ in $\tau^m = r_m + s_m\tau$.

Next, we show the proof of the proposition for $r_m$, given $\tau^m = r_m + s_m\tau$.

Proposition 2.2. If $s_m$ is as in Proposition 2.1, then the coefficient $r_m$ can be written as
$$r_m = -2s_{m-1} \tag{3}$$
where $a_{1m} = 1$ and $m \geq 3$.


Proof. By mathematical induction we have the following. If $m = 3$, then from Table 2 we obtain
$$\begin{aligned}
r_3 &= -2t\\
&= -2a_{12}t\\
&= -2s_2.
\end{aligned}$$
The hypothesis (3) is true for $m = 3$. Assume that if $m = k$, then
$$r_k = -2s_{k-1} = -2\sum_{i=1}^{\lfloor\frac{k}{2}\rfloor} a_{i,k-1}t^{k-2i}$$
is true for $k \geq 3$. Now, if $m = k + 1$, we can separate the proof into two different cases, that is, $k$ an even number (E) and $k$ an odd number (O), as follows. For $k \in E$,
$$\begin{aligned}
r_{k+1} &= -2t\sum_{i=1}^{\lfloor\frac{k}{2}\rfloor} a_{i,k-1}\,\frac{k-i}{k-2i+1}\,t^{k-2i}\\
&= -2t\left(a_{1,k-1}t^{k-2(1)} + a_{2,k-1}\frac{k-2}{k-2(2)+1}t^{k-2(2)} + a_{3,k-1}\frac{k-3}{k-2(3)+1}t^{k-2(3)} + \cdots + a_{\lfloor\frac{k}{2}\rfloor,k-1}\,\frac{k-\lfloor\frac{k}{2}\rfloor}{k-2\lfloor\frac{k}{2}\rfloor+1}\,t^{k-2\lfloor\frac{k}{2}\rfloor}\right).
\end{aligned}$$
By using $a_{ik}$ from Lemma 2.2, and since $\lfloor\frac{k}{2}\rfloor = \lfloor\frac{k+1}{2}\rfloor$ when $k \in E$, we have the following.
$$\begin{aligned}
r_{k+1} &= -2\Bigg(1t^{k-1} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k-2)t^{k-3} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k-3)(k-1-3)t^{k-5} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1}{2}\rfloor-1}}{(\lfloor\frac{k+1}{2}\rfloor-1)!}\left(k-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-1-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-2-\lfloor\tfrac{k+1}{2}\rfloor\right)\cdots\left(k-2\lfloor\tfrac{k+1}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+1}{2}\rfloor+1}\Bigg)
\end{aligned}$$


$$\begin{aligned}
&= -2\left(a_{1k}t^{k-1} + a_{2k}t^{k-3} + a_{3k}t^{k-5} + \cdots + a_{\lfloor\frac{k+1}{2}\rfloor k}\,t^{k+1-2\lfloor\frac{k+1}{2}\rfloor}\right)\\
&= -2\sum_{i=1}^{\lfloor\frac{k+1}{2}\rfloor} a_{i,k+1-1}t^{k+1-2i}\\
&= -2s_{k+1-1}.
\end{aligned}$$
Therefore, the hypothesis (3) is also true for $m = k + 1$ where $k$ is an even number.

Now, we consider if $k$ is odd. That is, for $k \in O$,
$$\begin{aligned}
r_{k+1} &= -2\left(t\sum_{i=1}^{\lfloor\frac{k}{2}\rfloor} a_{i,k-1}\,\frac{k-i}{k-2i+1}\,t^{k-2i} + a_{\lfloor\frac{k+1}{2}\rfloor k}\,t^{k+1-2\lfloor\frac{k+1}{2}\rfloor}\right)\\
&= -2\Bigg(1t^{k-1} + (-1)^{2-1}\frac{2^{2-1}}{(2-1)!}(k-2)t^{k-3} + (-1)^{3-1}\frac{2^{3-1}}{(3-1)!}(k-3)(k-1-3)t^{k-5} + \cdots\\
&\quad + (-1)^{\lfloor\frac{k}{2}\rfloor-1}\frac{2^{\lfloor\frac{k}{2}\rfloor-1}}{(\lfloor\frac{k}{2}\rfloor-1)!}\left(k-\lfloor\tfrac{k}{2}\rfloor\right)\left(k-1-\lfloor\tfrac{k}{2}\rfloor\right)\left(k-2-\lfloor\tfrac{k}{2}\rfloor\right)\cdots\left(k-2\lfloor\tfrac{k}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k}{2}\rfloor+1}\\
&\quad + (-1)^{\lfloor\frac{k+1}{2}\rfloor-1}\frac{2^{\lfloor\frac{k+1}{2}\rfloor-1}}{(\lfloor\frac{k+1}{2}\rfloor-1)!}\left(k-\lfloor\tfrac{k+1}{2}\rfloor\right)\left(k-1-\lfloor\tfrac{k+1}{2}\rfloor\right)\cdots\left(k-2\lfloor\tfrac{k+1}{2}\rfloor+2\right)t^{k-2\lfloor\frac{k+1}{2}\rfloor+1}\Bigg)\\
&= -2\left(a_{1k}t^{k-1} + a_{2k}t^{k-3} + a_{3k}t^{k-5} + \cdots + a_{\lfloor\frac{k}{2}\rfloor k}\,t^{k-2\lfloor\frac{k}{2}\rfloor+1} + a_{\lfloor\frac{k+1}{2}\rfloor k}\,t^{k-2\lfloor\frac{k+1}{2}\rfloor+1}\right)\\
&= -2\sum_{i=1}^{\lfloor\frac{k+1}{2}\rfloor} a_{i,k+1-1}t^{k+1-2i}\\
&= -2s_{k+1-1}.
\end{aligned}$$


Having proved Propositions 2.1 and 2.2, we can now introduce Theorem 2.1 as a new version of the expansion of $\tau^m$.

Theorem 2.1. Let $a_{1m} = 1$. Then
$$\tau^m = -2\left(t^{m-2} + \sum_{i=2}^{\lfloor\frac{m}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-1-j)\,t^{m-2i}\right) + \left(t^{m-1} + \sum_{i=2}^{\lfloor\frac{m+1}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)\,t^{m-2i+1}\right)\tau.$$

Proof. We have
$$\begin{aligned}
\tau^m &= r_m + s_m\tau\\
&= -2s_{m-1} + s_m\tau \quad\text{from Proposition 2.2}\\
&= -2\sum_{i=1}^{\lfloor\frac{m}{2}\rfloor} a_{i,m-1}t^{m-2i} + \left(\sum_{i=1}^{\lfloor\frac{m+1}{2}\rfloor} a_{im}t^{m-2i+1}\right)\tau \quad\text{from Proposition 2.1}\\
&= -2\left(t^{m-2} + \sum_{i=2}^{\lfloor\frac{m}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-1-j)\,t^{m-2i}\right) + \left(t^{m-1} + \sum_{i=2}^{\lfloor\frac{m+1}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)\,t^{m-2i+1}\right)\tau \quad\text{from Lemma 2.2,}
\end{aligned}$$
where the $i = 1$ terms $a_{1,m-1}t^{m-2} = t^{m-2}$ and $a_{1m}t^{m-1} = t^{m-1}$ have been written out separately.

Below is an example to illustrate this version.


Example 2.1. Consider $m = 3$ and let $a_{1m} = 1$. Then
$$\begin{aligned}
\tau^3 &= -2\left(t^1 + \sum_{i=2}^{\lfloor\frac{3}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(2-j)\,t^{3-2i}\right) + \left(t^2 + \sum_{i=2}^{\lfloor\frac{3+1}{2}\rfloor}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(3-j)\,t^{4-2i}\right)\tau\\
&= -2t + \left(t^2 - 2\prod_{j=2}^{2}(3-j)\right)\tau\\
&= -2t + (t^2 - 2)\tau.
\end{aligned}$$

By introducing Theorem 2.1 as a new property of $\tau^m$, we can calculate the number of points using the alternative method as follows.

From (1) we have
$$\begin{aligned}
\#E_a(\mathbb{F}_{2^m}) &= N(\tau^m - 1)\\
&= N(r_m + s_m\tau - 1) \quad\text{by letting } \tau^m = r_m + s_m\tau.
\end{aligned}$$
By Proposition 2.2, we obtain
$$\begin{aligned}
\#E_a(\mathbb{F}_{2^m}) &= N\big((-2s_{m-1}) + s_m\tau - 1\big)\\
&= (2s_{m-1}+1)^2 - t(2s_{m-1}+1)s_m + 2s_m^2 \quad\text{from Definition 1.4}\\
&= \left(2\sum_{i=1}^{m-1} a_{i,m-1}t^{m-2i} + 1\right)^2 - t\left(2\sum_{i=1}^{m-1} a_{i,m-1}t^{m-2i} + 1\right)\left(\sum_{i=1}^{m} a_{im}t^{m-2i+1}\right) + 2\left(\sum_{i=1}^{m} a_{im}t^{m-2i+1}\right)^2 \quad\text{by Proposition 2.1}\\
&= \left(2\left(\sum_{i=1}^{m-1}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-1-j)\,t^{m-2i}\right)+1\right)^2\\
&\quad - t\left(2\left(\sum_{i=1}^{m-1}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-1-j)\,t^{m-2i}\right)+1\right)\left(\sum_{i=1}^{m}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)\,t^{m-2i+1}\right)\\
&\quad + 2\left(\sum_{i=1}^{m}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)\,t^{m-2i+1}\right)^2 \quad\text{from Lemma 2.2.} \tag{4}
\end{aligned}$$
In (4) the sums may run up to $m-1$ and $m$ instead of $\lfloor\frac{m}{2}\rfloor$ and $\lfloor\frac{m+1}{2}\rfloor$, because every term with $2i-2 \geq m$ contains the factor $(m-m) = 0$ in its product and vanishes.

The example shown below is an illustration for $\#E_a(\mathbb{F}_{2^m})$.

Example 2.2. Consider the field $\mathbb{F}_{2^3}$ with the elliptic curve
$$E_1 : y^2 + xy = x^3 + x^2 + 1,$$
since the coefficient $a = 1$ is selected, so that $t = 1$ and every power of $t$ equals $1$. Now we can calculate the number of points that pass through this curve using formula (4):
$$\begin{aligned}
\#E_1(\mathbb{F}_{2^3}) &= \left(2\left(\sum_{i=1}^{2}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(2-j)\right)+1\right)^2 - \left(2\left(\sum_{i=1}^{2}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(2-j)\right)+1\right)\left(\sum_{i=1}^{3}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(3-j)\right)\\
&\quad + 2\left(\sum_{i=1}^{3}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(3-j)\right)^2\\
&= (2(1)+1)^2 - (2(1)+1)(1-2) + 2(1-2)^2\\
&= 14.
\end{aligned}$$
The points are $(100, 011)$, $(101, 000)$, $(110, 011)$, $(011, 000)$, $(001, 101)$, $(111, 111)$, $(000, 001)$, $(111, 000)$, $(010, 111)$, $(011, 011)$, $(110, 101)$, $(101, 101)$, $(100, 111)$ and $\infty$. Refer to Yunos and Atan (2016) on how to find these points.
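As an added example (not part of the paper), the following Python code builds $\tau^m = r_m + s_m\tau$ from the identity $\tau^2 = t\tau - 2$, checks it against the closed forms of Lemma 2.2 and Propositions 2.1 and 2.2 for $1 \leq m \leq 12$, and then counts $\#E_a(\mathbb{F}_{2^m})$ by both forms of formula (1) and by direct enumeration of the curve points, which reproduces the 14 points of Example 2.2. The field polynomial $z^3 + z + 1$ chosen for $\mathbb{F}_{2^3}$ and all function names are my own choices.

```python
# Added example, not code from the paper: tau^m = r_m + s_m*tau by the
# recurrence, the closed forms of Lemma 2.2 / Props 2.1, 2.2, and three
# independent point counts for E_a(F_{2^m}). Field polynomial is a constructed
# choice for F_{2^3}.
from math import factorial


def trace(a):
    """Trace of Frobenius t = (-1)^(1-a) for the Koblitz curve E_a."""
    return 1 if a == 1 else -1


def tau_power(m, t):
    """Return (r_m, s_m) with tau^m = r_m + s_m*tau, using tau^2 = t*tau - 2."""
    r, s = 1, 0                        # tau^0 = 1 + 0*tau
    for _ in range(m):
        # (r + s*tau)*tau = r*tau + s*(t*tau - 2) = -2s + (r + t*s)*tau
        r, s = -2 * s, r + t * s
    return r, s


def a_coeff(i, m):
    """Lemma 2.2: a_{im} = (-1)^(i-1) 2^(i-1)/(i-1)! * prod_{j=i}^{2i-2} (m-j)."""
    prod = 1
    for j in range(i, 2 * i - 1):      # empty product (= 1) when i == 1
        prod *= m - j
    # prod is a product of i-1 consecutive integers, so the division is exact
    return (-1) ** (i - 1) * 2 ** (i - 1) * prod // factorial(i - 1)


def s_closed_form(m, t):
    """Proposition 2.1: s_m = sum_{i=1}^{floor((m+1)/2)} a_{im} t^(m-2i+1)."""
    return sum(a_coeff(i, m) * t ** (m - 2 * i + 1)
               for i in range(1, (m + 1) // 2 + 1))


def norm(r, s, t):
    """Definition 1.4: N(r + s*tau) = r^2 + t*r*s + 2*s^2."""
    return r * r + t * r * s + 2 * s * s


def count_points_norm(a, m):
    """Formula (1): #E_a(F_{2^m}) = N(tau^m - 1)."""
    t = trace(a)
    r, s = tau_power(m, t)
    return norm(r - 1, s, t)


def count_points_lucas(a, m):
    """Formula (1): #E_a(F_{2^m}) = 2^m + 1 - V_m, V from Definition 1.5."""
    t = trace(a)
    v_prev, v_cur = 2, t               # V_0, V_1
    for _ in range(m - 1):
        v_prev, v_cur = v_cur, t * v_cur - 2 * v_prev
    return 2 ** m + 1 - (v_cur if m >= 1 else v_prev)


def gf2m_mul(x, y, m, poly):
    """Multiply in F_{2^m} = F_2[z]/(poly); poly is irreducible with bit m set."""
    res = 0
    while y:
        if y & 1:
            res ^= x
        y >>= 1
        x <<= 1
        if (x >> m) & 1:               # reduce the overflow bit modulo poly
            x ^= poly
    return res


def count_points_bruteforce(a, m, poly):
    """Count (x, y) in F_{2^m}^2 with y^2 + xy = x^3 + a*x^2 + 1, plus infinity."""
    total = 1                          # the point at infinity
    for x in range(1 << m):
        x2 = gf2m_mul(x, x, m, poly)
        rhs = gf2m_mul(x2, x, m, poly) ^ (x2 if a else 0) ^ 1
        for y in range(1 << m):
            lhs = gf2m_mul(y, y, m, poly) ^ gf2m_mul(x, y, m, poly)
            if lhs == rhs:
                total += 1
    return total


def check_tables(max_m=12):
    """Recurrence vs. Lemma 2.2 / Prop 2.1 (s_m) and Prop 2.2 (r_m = -2 s_{m-1})."""
    for t in (1, -1):
        prev_s = 0
        for m in range(1, max_m + 1):
            r, s = tau_power(m, t)
            if s != s_closed_form(m, t) or r != -2 * prev_s:
                return False
            prev_s = s
    return True


if __name__ == "__main__":
    print("closed forms agree with the recurrence:", check_tables())
    # Example 2.2: E_1 over F_{2^3}; modulus z^3 + z + 1 = 0b1011 is a constructed choice.
    print("#E_1(F_8) by norm:", count_points_norm(1, 3))
    print("#E_1(F_8) by Lucas:", count_points_lucas(1, 3))
    print("#E_1(F_8) by enumeration:", count_points_bruteforce(1, 3, 0b1011))
```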

3. Conclusion

In conclusion, we propose a new method to discover the number of points on the curve $E_a$, namely using $\tau^m = r_m + s_m\tau$ with
$$s_m = \sum_{i=1}^{m}(-1)^{i-1}\frac{2^{i-1}}{(i-1)!}\prod_{j=i}^{2i-2}(m-j)\,t^{m-2i+1}.$$


Acknowledgement

The authors are grateful to Universiti Putra Malaysia for support via Geran Putra GP/2018/9595400.

References

Ali, N. A. and Yunos, F. (2016). Maximum and Minimum Norms for τ-NAF Expansion on Koblitz Curve. Indian Journal of Science and Technology, 28(9):1–7.

Ali, N. A., Yunos, F., and Jamal, N. H. (2017). A Total Norm of τ-Adic Non-Adjacent Form Occurring Among All Element of Z(τ): An Alternative Formula. In AIP Conference Proceedings, volume 1795, pages 1–8. AIP Publishing.

Hadani, N. H. and Yunos, F. (2018). Alternative Formula of τ^m in Scalar Multiplication on Koblitz Curve. In AIP Conference Proceedings, volume 1974, pages 1–9. AIP Publishing.

Hankerson, D., Menezes, A., and Vanstone, S. (2006). Guide to Elliptic Curve Cryptography. Springer-Verlag, Berlin, Germany.

Hazewinkel, M. (1994). Arithmetic Series. Kluwer Academic.

Koblitz, N. (1987). Elliptic Curve Cryptosystems. Mathematics of Computation, 48:203–209.

Koblitz, N. (1992). CM-Curves with Good Cryptographic Properties. In Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, pages 279–287. Springer-Verlag, London.

Solinas, J. A. (1997). An Improved Algorithm for Arithmetic on a Family of Elliptic Curves. In Proceedings of the International Annual Conference on Cryptology, pages 357–371. Springer, Berlin, Germany.

Solinas, J. A. (2000). Efficient Arithmetic on Koblitz Curves. In Designs, Codes and Cryptography. Springer, Boston, Massachusetts.

Suberi, S., Yunos, F., and Said, M. R. M. (2016). An Even and Odd Situation for the Multiplier of Scalar Multiplication with Pseudo τ-Adic Non-Adjacent Form. In AIP Conference Proceedings, volume 1750, pages 1–9. AIP Publishing.

Suberi, S., Yunos, F., Said, M. R. M., Sapar, S. H., and Said Husain, S. K. (2018). Formula of τ-adic Non Adjacent Form with the Least Number of Non Zero Coefficients. Jurnal Karya Asli Lorekan Ahli Matematik, 11(1):23–30.

Yunos, F. and Atan, K. A. M. (2016). Improvement to Scalar Multiplication on Koblitz Curves by Using Pseudo τ-adic Non-Adjacent Form. In AIP Conference Proceedings, volume 1750, pages 1–8. AIP Publishing.

Yunos, F., Atan, K. A. M., Ariffin, M. R. K., and Said, M. R. M. (2014a). A Reduced τ-adic NAF (RTNAF) Representation for an Efficient Scalar Multiplication on Anomalous Binary Curves (ABC). Pertanika Journal of Science and Technology, 22:489–506.

Yunos, F., Atan, K. A. M., Ariffin, M. R. K., and Said, M. R. M. (2015a). Pseudo τ-Adic Non Adjacent Form for Scalar Multiplication on Koblitz Curves. Malaysian Journal of Mathematical Sciences, 9:71–88.

Yunos, F., Mohd Atan, K. A., Md Said, M. R., and Kamel Ariffin, M. R. (2014b). Pseudo τ-adic NAF for Scalar Multiplication on Koblitz Curves. In Conference Proceeding of the 4th International Cryptology and Information Security Conference 2014, pages 120–130. AIP Publishing.

Yunos, F., Mohd Atan, K. A., Md Said, M. R., and Kamel Ariffin, M. R. (2015b). Kembangan Pseudo TNAF bagi Pendaraban Skalar ke atas Lengkuk Koblitz. PhD thesis, Universiti Putra Malaysia, Serdang, Selangor, Malaysia.

Yunos, F. and Suberi, S. (2018). Even and Odd Nature for Pseudo τ-Adic Non-Adjacent Form. Malaysian Journal of Science, 37(2):94–102.


Malaysian Journal of Mathematical Sciences 13(S) August: 31–47 (2019)
Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

Searchable Symmetric Encryption Security Definitions

Mohamad, M.S.*¹˒², Tan, S.Y.³, and Chin, J.J.⁴

¹Faculty of Computing and Informatics, Multimedia University, Cyberjaya
²Information Security Lab, Mimos Berhad, Kuala Lumpur
³Faculty of Information Science and Technology, Multimedia University, Melaka
⁴Faculty of Engineering, Multimedia University, Cyberjaya

E-mail: [email protected]
*Corresponding author

ABSTRACT

After many searchable symmetric encryption schemes had been proposed and proven secure, a few published works showed empirical evidence of successful attacks on all published schemes. The attacks indicate a gap between the current security models and practical attackers. This work reviews the indistinguishability and semantic security games for SSE. Finally, a new security definition against the practical attacks is proposed and proven to imply the current security definitions.

Keywords: searchable encryption, SSE, security model.


1. Introduction

Searchable symmetric encryption (SSE) is a category of schemes with a ciphertext searching function built from symmetric cryptographic algorithms. The purpose of SSE is for a user to store a document collection in a storage facility without exposing the documents to the storage owner or co-residents. In addition, the data owner or authorized users may perform searches to find documents of interest, while maintaining security.

In order to achieve sublinear search complexity, SSE scheme designs deploy an inverted index where the index keys are encoded keywords and the index values are document identifiers. Examples of such designs include Curtmola et al. (2006), Chase and Kamara (2010), Naveed et al. (2014), Cash et al. (2014) and Kamara and Moataz (2017).

The trade-off in enabling search on ciphertexts is the disclosure of some information regarding the documents, called leakage. Despite the leakage, an SSE scheme aims to protect the confidentiality of the stored documents and the queried keywords using symmetric cryptographic schemes. Currently, $\mathcal{L}$-security (Chase and Kamara, 2010) is the accepted definition of security for SSE schemes.

However, attacks by Islam et al. (2012), Zhang et al. (2016) and Cash et al. (2015) were successful in recovering query keywords in published index-based SSE schemes. Wright and Pouliot (2017) generalized the attacks as statistical inference attacks and produced a statistical framework to detect such vulnerabilities in an SSE scheme. Cash et al. (2015) studied the practical attacks and defined the attack goals and adversary capabilities. In addition, they categorized SSE leakage profiles to identify the extent of vulnerability of an SSE design to the different attacks. Here we are only concerned with leakage profile L1, which reveals the keyword occurrence pattern only after search queries are performed.

Our Contribution This work takes the provable security perspective by comparing the indistinguishability and semantic security definitions for SSE to the attacks. Then, a security game is proposed to define strength against the distribution-based query recovery attacks.


2. Preliminaries

2.1 Searchable Symmetric Encryption Scheme

There are two types of SSE, static and dynamic. In a static SSE the data is prepared and uploaded to the storage server once, and after that only search queries are made. A dynamic SSE allows data to be added, removed or modified after the first upload. A static SSE scheme consists of six algorithms.

KeyGen This is a probabilistic algorithm run by the client. From a security parameter $1^k$, this algorithm generates a set of symmetric keys, $K$, including an encryption key.

BuildIndex This algorithm is run by the client. It takes the document-keyword mapping $\mathrm{DB}$ and the keys $K$ and outputs the index $I$.

Encrypt This is a symmetric encryption algorithm run by the client, and it is usually probabilistic. On input a set of documents $D$ and the keys $K$, this algorithm outputs the set of ciphertexts $c$ of the documents.

Trapdoor This algorithm is run by the client and is usually deterministic. It takes as input the keyword $w$ and the key $K$ and outputs a trapdoor $t_w$.

Search This is a deterministic interactive algorithm run by the server. Its inputs are $t_w$, sent by the client, and the index $I$ stored on the server. This algorithm finds the set of document identifiers corresponding to the documents containing the keyword $w$. The set of document identifiers output is returned to the client.

Decrypt This is the corresponding symmetric decryption algorithm, which runs on the client. It takes as input the ciphertexts $c_1, \ldots, c_n$ and the key $K$ and outputs the documents $d_1, \ldots, d_n$.

Some schemes are presented with four algorithms, KeyGen, Setup, Search and Decrypt, where Setup consists of BuildIndex, Trapdoor and Encrypt, and Search is interactive and includes Trapdoor and Search. Dynamic SSE schemes include another algorithm, Update, which takes as input a document, the list of keywords and an operation name such as add, remove or modify. The algorithm outputs a new index and ciphertext.

Let $D(w)$ denote the set of documents containing keyword $w$ and $\mathrm{id}(d)$ denote the identifier for document $d \in D$. An SSE scheme is correct if the symmetric encryption scheme deployed is correct and, for all keywords $w$,

$$\mathrm{Search}(\mathrm{Trapdoor}_K(w), I) = \{\mathrm{id}(d) \mid d \in D(w)\}.$$

2.2 SSE Scheme Leakage

An SSE scheme's leakage is the information revealed to the storage server by the data submitted by the client. The leakage is defined as a function of the history, which is the documents D, the keyword-document mapping DB and the sequence of keywords for search queries $w_1, w_2, \dots, w_q$. The leakage function varies from scheme to scheme. The leakage function is denoted as

$$L(D, DB, w_1, w_2, \dots, w_q) = (L_{setup}(D, DB),\ L_{query}(w_1, w_2, \dots, w_q)).$$

Setup leakage $L_{setup}(D, DB)$ results from the index $I \leftarrow \mathrm{BuildIndex}(D, DB)$ and the ciphertexts $c \leftarrow \mathrm{Encrypt}_K(D)$ where $K \leftarrow \mathrm{KeyGen}(1^k)$. Clearly, $L_{setup}$ contains at least the number of ciphertexts |D| and the lengths of the ciphertexts. However, the SSE design of Naveed et al. (2014) hides the document lengths until the documents occur in search results. Depending on the design of the index, I may reveal the number of keywords of the particular document set. For example, the index in (Chase and Kamara, 2010) gives the number of keywords, but in (Cash et al., 2014) the number is hidden.

The query leakage increases as more search queries are made. The leakage up to the q-th query, $L_{query}(w_1, w_2, \dots, w_q)$, is the leakage from the keyword trapdoors $t_i \leftarrow \mathrm{Trapdoor}(w_i)$ and from the set of document identifiers in the search results $\{\mathrm{id}(d) \mid d \in D(w_i)\} \leftarrow \mathrm{Search}(I, t_i)$. $L_{query}$ contains at least the Access Pattern (AP) from the search results and the Query Pattern (QP) from the trapdoors. QP is a record of repeated (and unrepeated) queries in the query sequence in the history. AP is a record of the document identifiers and the ciphertexts returned in each of the queries in the history. Clearly, AP also reveals the number of documents associated with each trapdoor, which incrementally provides the server with the keyword distribution information of D. The intersection pattern (IP), which indicates which documents contain two or more keywords, can be extracted from AP, and IP reveals the keyword co-occurrence distribution. From AP one can also extract the number of trapdoors associated with each document.

For dynamic SSE schemes there is also update leakage, $L_{update}$. Since this work focuses on static SSE, we do not discuss update leakage further. The leakage functions are usually written without their inputs because these are always the same as defined in this section.

2.3 Adversary Model

Cash et al. (2015) defined the attack goals and adversary capabilities as shown in Table 1. This model is used to study SSE security definitions in the next section.

Attack Mode              Adversary Knowledge     Attack Goals
Passive^1                Query distribution      Query recovery
Chosen query attack      Known queries           Plaintext recovery^2
Chosen document attack   Document distribution
                         Known document

Table 1: Adversary model proposed by Cash et al. (2015). ^1 A passive adversary includes an honest-but-curious server. ^2 The plaintext recovery goal includes partial plaintext recovery.

In the definition of the security games, there are non-adaptive and adaptive adversaries. In SSE, these adversaries differ at the stage of choosing keywords for trapdoor queries. For a non-adaptive adversary, after obtaining the index and ciphertexts from the challenger, the adversary has to generate the keyword sequence and submit it all together. On the other hand, an adaptive adversary submits one keyword at a time, and gets a reply before the next keyword is queried. As such, the adaptive adversary may use the information gained from a trapdoor to choose the next keyword with a strategy to gain as much information as it can.

Besides the adversary model, (Cash et al., 2015) presents categories of SSE leakage profiles to identify the extent of vulnerability of an SSE design to the different attacks.

L4 Full plaintext under deterministic word-substitution cipher

L3 Fully revealed occurrence pattern with keyword order

L2 Fully revealed occurrence pattern

L1 Query revealed occurrence pattern

Categories L3 and L2 are SSE schemes in which the index reveals the keyword distribution. Such designs have an index whose entries are lists of document identifiers without any padding, or an unencrypted list. Most published SSE schemes fall under L1. The leakage abuse attacks are targeted at the L1 schemes.

3. Security Definitions Review

For encryption schemes the preferred security notions are indistinguishability (IND) and semantic security. Here we review the games which define IND and semantic security for SSE schemes.


3.1 Indistinguishability

The IND game for an encryption scheme involves the adversary providing two plaintexts of the same length and then, when given the encryption of one of them, having to identify the corresponding plaintext. This definition implies that information regarding the plaintext is fully hidden in the ciphertext, except for its length.

The first security definition for SSE is by Goh (2003). In that work, every document ciphertext is appended with the list of encoded keywords contained in the document. For this design the indistinguishability game is one where the adversary chooses two lists of keywords associated with some documents and is then given as challenge the encoded list of one of them. The adversary is asked to identify which keyword list has been encoded as the challenge. By this, the SSE is secure when the encoded keyword list does not reveal which document it belongs to, up to the subset of documents having the same number of keywords.

Curtmola et al. (2006) adopted the game by Goh (2003) for index-based SSE design. That is, for all documents in the storage there is one index whose key is the encoded keyword and whose entry lists the identifiers of documents containing the keyword. The adversary is given the power to choose two sets of documents, with the condition that their histories (including the search sequence) produce equal leakage. Then, the adversary is given the corresponding two sets of index and ciphertexts and is allowed to make trapdoor queries. However, instead of two keyword lists, the adversary chooses two keywords, one from each document set. When given the encoded keyword challenge, the adversary has to guess which document set the keyword belongs to. An SSE scheme proven secure by rendering the adversary's advantage in this game insignificant produces trapdoors, index and ciphertexts which do not reveal any content of the documents.

The IND game for SSE as defined by (Curtmola et al., 2006) is presented here.

Definition 3.1. Let $\Sigma = (\mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{BuildIndex}, \mathrm{Trapdoor}, \mathrm{Search}, \mathrm{Decrypt})$ be an index-based SSE, $k \in \mathbb{N}$ be a security parameter and $A = (A_0, A_1, \dots, A_{q+1})$ be such that $q \in \mathbb{N}$. Consider the following probabilistic experiment $\mathbf{Ind}_{A,\Sigma}(k)$: The challenger begins by generating $K \leftarrow \mathrm{KeyGen}(1^k)$ and then randomly selecting $b \leftarrow \{0, 1\}$. The adversary $A_0$ generates two sets of documents $D_0, D_1$ with the restriction that $L_{setup}(D_0) = L_{setup}(D_1)$. The challenger returns $c_b \leftarrow \mathrm{Encrypt}_K(D_b)$ and $I_b \leftarrow \mathrm{BuildIndex}_K(D_b)$. Next, for $i = 1, \dots, q$ the adversary $A_i$ chooses a keyword $w_{0,i}$ from $D_0$ and $w_{1,i}$ from $D_1$ such that $L_{query}(w_{0,1}, \dots, w_{0,q}) = L_{query}(w_{1,1}, \dots, w_{1,q})$. For every query, $A_i$ waits for the reply $t_{b,i} \leftarrow \mathrm{Trapdoor}_K(w_{b,i})$ before making the next query. Finally, $A_{q+1}$ outputs $b'$. If $b' = b$, the experiment outputs 1, otherwise it outputs 0. We say that $\Sigma$ achieves adaptive indistinguishability if for all polynomial-size adversaries $A = (A_0, A_1, \dots, A_{q+1})$ such that q is polynomial in k,

$$\Pr\left[\mathbf{Ind}_{\Sigma,A}(k) = 1\right] \le \frac{1}{2} + \mathrm{negl}(k)$$

where the probability is over the choice of b and the coins of KeyGen and Encrypt.


3.2 Semantic Security

Semantic security of an encryption scheme carries the meaning that no adversary can recover partial information about the plaintexts from the ciphertexts. In the context of SSE, semantic security means the same, with the exception of the declared leakage.

The first simulation-based security definition is by Chang and Mitzenmacher (2005). In their game, the adversary A is given the actual communications between server and user, $C_q$, while another adversary $A^*$ is given the information learned (leakage) from the communication, $C^*_q$. The defining statement

$$\left|\Pr\left[A(C_q, 1^k) = f(H_q)\right] - \Pr\left[A^*(C^*_q, 1^k) = f(H_q)\right]\right| \le \mathrm{negl}(k)$$

expresses that the adversaries A and $A^*$ have the same amount of information regarding the documents and queried keywords. Effectively, this semantic security definition implies that the communications $C_q$ leak exactly the defined leakage $C^*_q$, which contains only the relation of keyword trapdoors to document identifiers.

In this definition the history (document set and query sequence) is `given' in the environment. This means the adversaries A and $A^*$ are passive. The leakage $C^*_q$ includes the ciphertexts and the access pattern.

The game is put into the Real-Ideal game framework by Curtmola et al. (2006). In the Real environment, the challenger runs the SSE scheme to reply to the adversary's queries, while in the Ideal environment a simulator creates the replies based on the given leakages. The adversary's task is to identify whether it is playing in the Real environment or in the Ideal environment. To prove the security of an SSE scheme, one has to describe a simulator which will produce ciphertexts, index and trapdoors that the adversary cannot distinguish from the SSE scheme outputs.

Besides that change, the adversary is given the capability to choose the documents and the keywords for the search query sequence. Also, the leakage now includes more items, namely the access pattern and the query pattern.

A major change to the leakage function was proposed by Chase and Kamara (2010). The function L is defined as a tuple of Setup and Search leakage functions, $(L_{setup}, L_{query})$. For dynamic SSE, another element in the tuple is the Update leakage, $L_{update}$. The leakage function is part of the SSE scheme specification and is declared explicitly in the security statement. This is in accord with the meaning of semantic security of SSE: no partial information regarding the documents and keywords can be recovered except for the declared leakage. Following this, the semantic security of SSE is renamed L-security.

Prior to the L-security definition, SSE leakage was fixed by the SSE security definition. Now, every SSE scheme is allowed to define its own leakage. Nevertheless, the previously defined leakage is the minimum leakage for any SSE scheme. Some schemes leak more to accommodate their design or data type. In fact this was proposed in (Chase and Kamara, 2010) because they were applying searchable encryption to structured data such as matrices and graphs. In their SSE constructions some structure information is leaked to complete the search result.

The widely used SSE security denition is the L-security game as presented below.

Definition 3.2 (L-security CKA). Let $\Sigma = (\mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{BuildIndex}, \mathrm{Trapdoor}, \mathrm{Search}, \mathrm{Decrypt})$ be an SSE scheme. Consider the following probabilistic experiments where A is an adversary, S is a simulator and $L = (L_{setup}, L_{query})$ is a tuple of stateful leakage algorithms:

$\mathbf{Real}_{\Sigma,A}(k)$: the challenger begins by running $\mathrm{KeyGen}(1^k)$ to generate a key K. A outputs a document set and a document-keyword mapping (M, DB) and receives $(\gamma, c)$ from the challenger, where $\gamma \leftarrow \mathrm{BuildIndex}_K(DB)$ and $c \leftarrow \mathrm{Encrypt}_K(M)$. The adversary makes a polynomial number of adaptive queries and, for each query q, receives a trapdoor $t \leftarrow \mathrm{Trapdoor}_K(q)$ from the challenger. Finally, A returns a bit b that is output by the experiment.

$\mathbf{Ideal}_{\Sigma,A,S}(k)$: A outputs a document set and a document-keyword mapping (M, DB). Given $L_{setup}(M, DB)$, S generates and sends a pair $(\gamma, c)$ to A. The adversary makes a polynomial number of adaptive queries and for each query q the simulator S is given $L_{query}(DB, q)$. Then S returns a trapdoor t to A. Finally, A returns a bit b that is output by the experiment.

We say that $\Sigma$ is L-secure against adaptive chosen keyword attacks (CKA2) if for all PPT adversaries A, there exists a PPT simulator S such that

$$\left|\Pr\left[\mathbf{Real}_{\Sigma,A}(k) = 1\right] - \Pr\left[\mathbf{Ideal}_{\Sigma,A,S}(k) = 1\right]\right| \le \mathrm{negl}(k).$$

3.3 Summary

The relation between IND and semantic security has been proven by Curtmola et al. (2006). Refer to their work for the proofs.

Theorem 3.1. (Curtmola et al., 2006)[Theorem 4.9] Non-adaptive indistinguishability security of SSE is equivalent to non-adaptive semantic security of SSE.

Theorem 3.2. (Curtmola et al., 2006)[Theorem 4.12] Adaptive semantic security of SSE implies adaptive indistinguishability of SSE.

Since L-security in Definition 3.2 is the most accurate semantic security definition, the theorems imply that it is the strongest security definition for SSE. Consequently, published SSE schemes opt for adaptive L-security as the definition of their scheme security.


Security Definition                          Security Goal                               Attack Mode                 Leakage Profile
Goh (2003)                                   IND of documents w.r.t. index               Chosen keyword & document   L4
Chang and Mitzenmacher (2005)                Semantic security of documents and queries  Passive                     L2
Curtmola et al. (2006) semantic security     Semantic security of document set           Chosen keyword & document   L1
Curtmola et al. (2006) indistinguishability  IND of document sets                        Chosen keyword & document   L1
Chase and Kamara (2010) L-security           Semantic security of document set           Chosen query & document     L1

Table 2: Comparison of security definitions and the best leakage profile which achieves each, according to the Cash et al. (2015) model as in Table 2.3. In all of the definitions, the adversary has no prior knowledge about the document set.

3.4 Practical Attacks

The practical attacks aim at query recovery and exploit the keyword distribution revealed by AP. They are called Leakage Abuse Attacks (LAA).

Islam et al. (2012) created the first practical attack, known as the IKK attack. In this attack, the attacker has the whole document set and some keyword-trapdoor pairs. From the document set, the attacker computes the keyword co-occurrence matrix. Then, by observing a number of search queries, the observed co-occurrence, inferred from AP in $L_{query}$, and the estimated co-occurrence are put through simulated annealing to guess the keyword corresponding to each trapdoor. Then, Cash et al. (2015) introduced the count attack, which identifies unique keyword frequencies in the known documents and finds a count match in AP in $L_{query}$ before applying the IKK attack.

The file injection attack was created by Zhang et al. (2016). In this attack, the attacker inserts documents into the SSE to make its keyword distribution estimation more accurate. The attacker creates documents containing intersecting subsets of keywords. If an inserted document appears in a search result disclosed by AP in $L_{query}$, the attacker can infer the keyword of the search trapdoor. Fewer injected files are required in the attack if the attacker has partial knowledge of the stored documents.


3.5 Comparing Security Model to Attacks

Table 3: Comparing security/attack goals and adversary capabilities of L-security to the count attack and the file injection attack.

                                      L-security               Count Attack         File Injection Attack
Security & Attack Goals   Documents   Semantic security        Know document keywords
                          Queries     Semantic security        Query keyword recovery
Adversary Capability      Documents   Chosen document          Known document       Chosen document
                          Queries     Adaptively chosen query  Observed queries

By comparing the L-security game to the attacks, as in Table 3, the attackers are at most as powerful as the adversary in the game. However, the attackers are able to break the semantic security of both the documents and the search queries. One gap immediately identified is the use of complete knowledge of the keyword distribution of the generated documents.

We illustrate the gap by an example attack in which the adversary performs a perfect count attack: an adversary achieves 100% query recovery with probability 1. When allowed to choose the documents in the game, the adversary can generate a document set such that each keyword has a unique number of documents containing it. As such, from the number of document identifiers in $L_{query}$ the attacker can immediately identify the correct keyword.

However, in the current Real-Ideal game the ability to choose the document set and keywords is useless. The power is also useless for the Ind game in (Curtmola et al., 2006) because the choice of two distinct histories is conditioned to produce the same leakage.

Therefore, the gap between the security definitions and the attacks is query security. The Real-Ideal security game does not signify the vulnerability due to the stored documents' keyword distribution revealed in $L_{query}$. Although SSE was initiated with the allowance for the access pattern to be revealed, the practical attacks have now shown that the disclosure of the access pattern is a threat to the semantic security of queries and documents under chosen document and known distribution attacks.


3.6 Update in Security Denitions

The main gap between the adversary model and the attackers is the ability to choose the documents. The attacks have shown this is a very powerful adversary. Hence the first change noticed in the games is the source of the document set. The document set is given in the environment in (Kamara and Moataz, 2017) and (Pouliot et al., 2017).

A more formal change made by Bost and Fouque (2017) defines a structure called Constraint to declare the adversary's knowledge. This is deployed in the IND game as in Definition 3.1. The document sets have to fulfil the Constraint as set by the adversary.

Despite the changes, the security games maintain the status where the leakage is allowed, and do not identify whether the scheme is secure against LAA. In the next section we define a game such that, if a scheme can be proven to allow the adversary only negligible advantage in winning it, the scheme is secure against query recovery under LAA.

4. New Security Definition

Here, a security game is defined to discriminate SSE schemes whose leakage enables query recovery attacks. The strength against query recovery is defined by providing assurance that, even knowing the set of all keywords and having access to the trapdoor oracle, the adversary would not be able to identify the keywords of other trapdoors.

The adversary's prior knowledge determines the source of documents during thegame initiation as follows.

• Without prior knowledge: Document set D is in the environment.

• Known document distribution: D is set by the environment. The challenger gives the adversary distribution information.

• Known document: D is set by the environment. The challenger gives the adversary all or some of the documents.

Definition 4.1 (Query indistinguishability (Q-IND)). Let SSE be an index-based SSE scheme consisting of (KeyGen, Encrypt, Trapdoor, Search, Decrypt), $k \in \mathbb{N}$ be the security parameter and A be an adversary.

Initiation The document set D is generated according to the adversary knowledge above. The challenger C generates the secret keys $K = \mathrm{KeyGen}(1^k)$ and the index I on the document set D. C sends I, the ciphertexts c and the set of all keywords W to A.

Queries A is allowed to make adaptive trapdoor queries by keyword $w_i \in W$ to obtain $t_i = \mathrm{Trapdoor}(K, w_i)$.

Challenge Next, A chooses two keywords $w_0, w_1 \in W$ which have not been queried and submits them to C. C randomly chooses $b \in \{0, 1\}$ and gives A the corresponding trapdoor $t_b = \mathrm{Trapdoor}(K, w_b)$. After the challenge is issued, A can make more trapdoor queries except for $w_0, w_1$.

Response Finally, A outputs $b'$ as a guess of b. The adversary A wins if $b' = b$.

The advantage of A is defined as the probability of winning this game beyond guessing,

$$\mathrm{Adv}_A(k) = \left|\Pr\left[b = b'\right] - \frac{1}{2}\right|$$

where the probability is over A's and C's coin tosses. An SSE scheme is said to achieve query indistinguishability if for any D, $\mathrm{Adv}_A(k) \le \mathrm{negl}(k)$.

The schemes to which the count attack applies would not achieve Q-IND, because the distinguisher can use the attack to identify b correctly. On the other hand, schemes with less leakage, especially those which obfuscate the keyword distribution, will be able to achieve it.
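To make this concrete, the following is an added illustration, not code from the paper or from any cited scheme: a toy index-based SSE with the KeyGen, BuildIndex, Trapdoor and Search algorithms of Section 2.1, whose posting-list lengths leak |D(w)| through the access pattern, played through the Q-IND challenge of Definition 4.1 by a count distinguisher on the unique-count document set of Section 3.5, and then again with posting lists padded to equal length. The HMAC-based trapdoors, the padding with random dummy identifiers and the sample document set are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample, as in the perfect count attack of Section 3.5: every
# keyword is contained in a different number of documents.
DB: Dict[str, Set[str]] = {
    "alpha": {"d1"},
    "beta": {"d2", "d3"},
    "gamma": {"d4", "d5", "d6"},
}
DOC_IDS: Set[str] = {d for ids in DB.values() for d in ids}


def keygen() -> bytes:
    """KeyGen(1^k): one 256-bit symmetric key; trapdoors are derived with HMAC."""
    return secrets.token_bytes(32)


def trapdoor(key: bytes, w: str) -> bytes:
    """Trapdoor(K, w): deterministic, so repeated queries show the query pattern."""
    return hmac.new(key, w.encode("utf-8"), hashlib.sha256).digest()


def build_index(key: bytes, db: Dict[str, Set[str]],
                pad_to: Optional[int] = None) -> Dict[bytes, List[str]]:
    """BuildIndex: map trapdoor t_w to the posting list of D(w).

    With pad_to set, every posting list is padded with random dummy
    identifiers to the same length, so |I[t_w]| no longer reveals |D(w)|.
    Identifiers are kept in the clear for readability; a real scheme would
    store encrypted identifiers so the server cannot tell dummies apart.
    """
    index: Dict[bytes, List[str]] = {}
    for w, ids in db.items():
        posting = sorted(ids)
        if pad_to is not None:
            if len(posting) > pad_to:
                raise ValueError(f"posting list for {w!r} longer than pad_to")
            posting += [secrets.token_hex(8) for _ in range(pad_to - len(posting))]
            secrets.SystemRandom().shuffle(posting)
        index[trapdoor(key, w)] = posting
    return index


def search(index: Dict[bytes, List[str]], t: bytes) -> List[str]:
    """Search(t_w, I): run by the server; the result length is the AP leak."""
    return list(index.get(t, []))


def client_search(key: bytes, index: Dict[bytes, List[str]], w: str,
                  doc_ids: Set[str]) -> Set[str]:
    """Client side: derive the trapdoor, query the server, drop the dummies."""
    return {d for d in search(index, trapdoor(key, w)) if d in doc_ids}


def count_distinguisher(db: Dict[str, Set[str]], index: Dict[bytes, List[str]],
                        t_b: bytes, w0: str, w1: str) -> int:
    """Q-IND adversary that uses nothing but the size of the search result.

    It knows |D(w0)| and |D(w1)| (chosen or known document set) and compares
    them with the number of identifiers returned for the challenge trapdoor.
    """
    n = len(search(index, t_b))
    n0, n1 = len(db[w0]), len(db[w1])
    if n == n0 and n != n1:
        return 0
    if n == n1 and n != n0:
        return 1
    return secrets.randbelow(2)  # counts collide: nothing better than a guess


def qind_round(db: Dict[str, Set[str]], w0: str, w1: str,
               pad_to: Optional[int] = None) -> bool:
    """One Q-IND challenge of Definition 4.1; True when the adversary wins."""
    key = keygen()
    index = build_index(key, db, pad_to)
    b = secrets.randbelow(2)
    t_b = trapdoor(key, w1 if b else w0)
    return count_distinguisher(db, index, t_b, w0, w1) == b


def win_rate(db: Dict[str, Set[str]], w0: str, w1: str,
             pad_to: Optional[int] = None, rounds: int = 400) -> float:
    """Empirical Pr[b' = b]; Adv_A(k) is its distance from 1/2."""
    return sum(qind_round(db, w0, w1, pad_to) for _ in range(rounds)) / rounds


if __name__ == "__main__":
    print("unpadded index:", win_rate(DB, "alpha", "gamma"))            # 1.0
    print("padded index:  ", win_rate(DB, "alpha", "gamma", pad_to=4))  # about 0.5
```

With the unpadded index the distinguisher wins every round, which is the count attack in the Q-IND game; padding every posting list to the same length removes the count from $L_{query}$ and leaves it guessing.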

Since Curtmola et al. (2006) have proven that IND implies semantic security under adaptive attacks, the soundness of the new security definition is demonstrated by proving that Q-IND implies IND and L-security.

Theorem 4.1. Adaptive Q-IND under chosen document and keyword attack implies Ind under adaptive chosen document and keyword attack as in Definition 3.1.

Proof. Assume there exists an adversary A who has non-negligible advantage in the Ind game as defined by Curtmola et al. (2006). We show that there exists an adversary B who has non-negligible advantage in guessing b correctly in the Q-IND game. Consider the adversary B who works as below.

Setup

1. B initiates the Ind game and receives $D_0$ and $D_1$ from A.
2. B submits $D = D_0 \cup D_1$ to the challenger C, who returns W, I and c.
3. B creates the ciphertext set $c'$ by including in $c'$ exactly half of every set of equal-length ciphertexts in c. Next, the index $I'$ is created by generating a random entry such that $|I'[t_i]| = \frac{1}{2}|I[t_i]|$ for every key $t_i$ of I.
4. B gives $I'$ and $c'$ to A.

Queries: For $i = 1$ to $q - 1$,

1. A submits $(w_{0,i}, w_{1,i})$ to B.
2. B passes $w_{0,i}$ to C and obtains trapdoor $t_i$.
3. B gives $t_i$ to A.


Challenge: When A submits $(w_{0,q}, w_{1,q})$, B forwards $(w_{0,q}, w_{1,q})$ to C. C returns $t_b = \mathrm{Trapdoor}(K, w_{b,q})$, where $b \xleftarrow{R} \{0, 1\}$, as the challenge for B.

Response: B passes $t_b$ to A and obtains a reply $b'$. If $b' = 0$ then B submits 0 to C, otherwise it submits 1.

First, we argue that $I'$ and $c'$ are indistinguishable from the index and ciphertexts for $D_b$ to A. Since $\tau(D_0) = \tau(D_1)$, the trace of the index and ciphertexts for A is exactly one half of the trace $\tau(D)$.

Denote the ciphertext size $|d_{i,j}|$ as $\ell_{i,j}$. Then $\tau(D_0) = (\ell_{0,1}, \ell_{0,2}, \dots, \ell_{0,n})$ and $\tau(D_1) = (\ell_{1,1}, \ell_{1,2}, \dots, \ell_{1,n})$. Since $\tau(D_0) = \tau(D_1)$, $\ell_{0,j} = \ell_{1,j}$ for all $j = 1, \dots, n$; let $\ell_j = \ell_{0,j} = \ell_{1,j}$, and hence $\tau(D) = (\ell_1, \ell_1, \ell_2, \ell_2, \dots, \ell_n, \ell_n)$ because $D = D_0 \cup D_1$. The constructed $c'$ consists of one ciphertext for each $\ell_j$, and hence is indistinguishable from the ciphertext sets for either $D_0$ or $D_1$ because it produces the same trace as $\tau(D_0)$ or $\tau(D_1)$. A similar argument applies to the indistinguishability of $I'$ from $I_{D_0}$ and $I_{D_1}$.

At the query stage, from A's perspective, it is playing the Ind game when its challenger chooses $b = 0$. The keyword $w_{0,i}$ passed to C is input to the Trapdoor algorithm, and hence the $t_i$ returned to A is exactly what it would receive in the Ind game because it is produced using the correct key. By the construction of $I'$, $I'[t_i]$ will produce $\tau(w_i) = (\alpha(w_i), \sigma(w_i))$ such that $|\alpha_{D_b}(w_i)| = \frac{1}{2}|\alpha_D(w_i)|$ because $\tau(w_{0,i}) = \tau(w_{1,i})$. For the same reason, $\sigma(w_{0,i}) = \sigma(w_{1,i})$.

Secondly, we show that B's response to C is correct with non-negligible probability. If the challenge given to B is $\mathrm{Trapdoor}(w_{0,q})$ then in A's perspective it has been receiving $(t_{0,1}, t_{0,2}, \dots, t_{0,q-1}, t_{0,q})$ and hence it replies $b' = 0$ with probability $\frac{1}{2} + \mathrm{Adv}_A(k)$. On the other hand, if the challenge for B is $\mathrm{Trapdoor}(w_{1,q})$ then in A's perspective it has received $(t_{0,1}, t_{0,2}, \dots, t_{0,q-1}, t_{1,q})$, which is not consistent with the Ind challenger choosing $b = 0$ or $b = 1$. We assume here that A will make a random guess. Therefore, we have that

$$\begin{aligned}
\Pr[B \text{ wins}] &= \Pr[b = 0]\cdot\Pr[0 \leftarrow B \mid b = 0] + \Pr[b = 1]\cdot\Pr[1 \leftarrow B \mid b = 1] \\
&= \frac{1}{2}\Pr[b' = 0 \mid b = 0] + \frac{1}{2}\Pr[b' = 1 \mid b = 1] \\
&= \frac{1}{2}\left(1 + \mathrm{Adv}_A(k)\right) \\
&= \frac{1}{2} + \frac{1}{2}\mathrm{Adv}_A(k)
\end{aligned}$$

which means $\mathrm{Adv}_B(k) = \frac{1}{2}\mathrm{Adv}_A(k)$ and hence is non-negligible.

Therefore, if an adversary which can distinguish between document sets exists, then an adversary who can distinguish queries exists. In conclusion, if an SSE scheme achieves adaptive query indistinguishability, then it also achieves adaptive (document set) indistinguishability (Ind).


Theorem 4.2. Adaptive query indistinguishability under chosen document and keyword attack implies adaptive L-security under chosen keyword attack as in Definition 3.2.

Proof. Assume that for any polynomial-sized simulator there exists an adversary A and a distinguisher D such that, after A makes q adaptive trapdoor queries, D can distinguish the Real environment from Ideal with non-negligible advantage. We show that there exists an adversary B who has non-negligible advantage in distinguishing queries. Consider B below.

Setup

1. B initiates the L-security game.
2. A submits a document set D and a keyword-document mapping DB to B.
3. B submits D to C and obtains (I, c, W).
4. B gives (I, c) to A.

Queries: For $i = 1$ to $q - 1$,

1. A submits query $w_i$ to B.
2. B submits $w_i$ to C and obtains trapdoor $t_i$.
3. B gives $t_i$ to A.

Challenge

1. A submits the last query $w_q$.
2. B chooses a keyword $w \in W$ which has not been queried by A.
3. B submits $(w_0 = w, w_1 = w_q)$ to C.
4. C returns the challenge $t^* = \mathrm{Trapdoor}(w_b)$, where $b \xleftarrow{R} \{0, 1\}$, to B.
5. B passes $t^*$ to A.

Response: Finally, A replies $b'$ to B, which is forwarded to C as B's response.

The game is played by B in such a way that A is playing in the Real environment, because $(I, c, t_1, t_2, \dots, t_{q-1})$ is computed by C using the SSE scheme. Hence, A receives the expected replies from B except for the last query.

If C chooses $b = 1$, A would have $(I, c, t_1, t_2, \dots, t_{q-1}, \mathrm{Trapdoor}(w_q))$, which is a consistent set of Real environment replies. Hence, A would output $b' = 1$ with probability $\frac{1}{2} + \mathrm{Adv}_A$. Otherwise, if C chooses $b = 0$, A would have $(I, c, t_1, t_2, \dots, t_{q-1}, \mathrm{Trapdoor}(w))$, which is consistent with neither Real nor Ideal. In this case, A may output $b' = 0$ or $b' = 1$ with equal probability. Thus,

$$\begin{aligned}
\Pr[B \text{ wins}] &= \Pr[b = 0]\cdot\Pr[0 \leftarrow B \mid b = 0] + \Pr[b = 1]\cdot\Pr[1 \leftarrow B \mid b = 1] \\
&= \frac{1}{2}\Pr[b' = 0 \mid b = 0] + \frac{1}{2}\Pr[b' = 1 \mid b = 1] \\
&= \frac{1}{2}\left(1 + \mathrm{Adv}_A(k)\right) \\
&= \frac{1}{2} + \frac{1}{2}\mathrm{Adv}_A(k)
\end{aligned}$$

That implies $\mathrm{Adv}_B(k) = \frac{1}{2}\mathrm{Adv}_A(k)$, which is non-negligible.

This contradicts the assumption that Q-IND holds. This means that the adversary A cannot exist. Therefore, adaptive Q-IND implies adaptive L-security under chosen keyword attack.

Figure 1: The implication relation of the Q-IND definition to the current IND-CKA and L-security definitions.

By these theorems, we conclude that Q-IND security is consistent with the existing SSE security definitions.

5. Conclusion

The review of both the indistinguishability and the semantic security games for SSE has shown that the gap between the SSE security definitions and the practical attacks lies in the adversary's capability to choose the documents and in the significance of the keyword distribution in an SSE scheme's search leakage for recovering the query keywords. The query indistinguishability game is proposed to identify schemes which obfuscate keyword distribution information. Query indistinguishability implies both the IND and L-security games. Nevertheless, the defining game for semantic security of both the documents and the queries which manifests safe leakage is still an open question.


References

Bost, R. and Fouque, P.-A. (2017). Thwarting leakage abuse attacks against searchable encryption: a formal approach and applications to database padding. Cryptology ePrint Archive, Report 2017/1060. http://eprint.iacr.org/2017/1060/.

Cash, D., Grubbs, P., Perry, J., and Ristenpart, T. (2015). Leakage-Abuse Attacks Against Searchable Encryption. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 668–679. ACM.

Cash, D., Jaeger, J., Jarecki, S., Jutla, C., Krawczyk, H., Rosu, M.-C., and Steiner, M. (2014). Dynamic Searchable Encryption in Very Large Databases: Data Structures and Implementation. Cryptology ePrint Archive, Report 2014/853. http://eprint.iacr.org/2014/853.

Chang, Y. and Mitzenmacher, M. (2005). Privacy Preserving Keyword Searches on Remote Encrypted Data. In Ioannidis, J., Keromytis, A. D., and Yung, M., editors, ACNS 2005, volume 3531 of LNCS, pages 442–455. Springer.

Chase, M. and Kamara, S. (2010). Structured Encryption and Controlled Disclosure. In Abe, M., editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 577–594. Springer.

Curtmola, R., Garay, J. A., Kamara, S., and Ostrovsky, R. (2006). Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. In Juels, A., Wright, R. N., and di Vimercati, S. D. C., editors, ACM Conference on Computer and Communications Security, CCS 2006, pages 79–88. ACM.

Goh, E.-J. (2003). Secure indexes. Cryptology ePrint Archive, Report 2003/216. http://eprint.iacr.org/2003/216/.

Islam, M. S., Kuzu, M., and Kantarcioglu, M. (2012). Access Pattern Disclosure on Searchable Encryption: Ramification, Attack and Mitigation. In 19th Annual Network and Distributed System Security Symposium, NDSS 2012. The Internet Society.

Kamara, S. and Moataz, T. (2017). Boolean searchable symmetric encryption with worst-case sub-linear complexity. Cryptology ePrint Archive, Report 2017/126. http://eprint.iacr.org/2017/126/.

Naveed, M., Prabhakaran, M., and Gunter, C. A. (2014). Dynamic Searchable Encryption via Blind Storage. In 2014 IEEE Symposium on Security and Privacy, SP 2014, pages 639–654. IEEE Computer Society.

Pouliot, D., Griffy, S., and Wright, C. V. (2017). The strength of weak randomization: Efficiently searchable encryption with minimal leakage. Cryptology ePrint Archive, Report 2017/1098. http://eprint.iacr.org/2017/1098/.

Wright, C. V. and Pouliot, D. (2017). Early detection and analysis of leakage abuse vulnerabilities. Cryptology ePrint Archive, Report 2017/1052. http://eprint.iacr.org/2017/1052/.

Zhang, Y., Katz, J., and Papamanthou, C. (2016). All Your Queries Are Belong To Us: The Power of File-Injection Attacks on Searchable Encryption. Cryptology ePrint Archive, Report 2016/172. http://eprint.iacr.org/2016/172/.

Malaysian Journal of Mathematical Sciences 47

Page 54: MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES VOLUME …einspem.upm.edu.my/journal/fullpaper/vol13saugust/Full Volume.pdf · Since the time of Julius Caesar and possibly up until the
Page 55: MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES VOLUME …einspem.upm.edu.my/journal/fullpaper/vol13saugust/Full Volume.pdf · Since the time of Julius Caesar and possibly up until the

Malaysian Journal of Mathematical Sciences 13(S) August: 49–65 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

On Generalised AMD Codes

Ramchen, K.

The University of Melbourne, Australia

E-mail: [email protected]

ABSTRACT

Algebraic manipulation detection codes are a class of error detecting codes which have found numerous applications in cryptography. In this work we extend these codes to defeat generalised algebraic attacks; we call such codes general algebraic manipulation detection (GAMD) codes. We present efficient constructions of GAMD codes for the families of tampering functions corresponding to point additions and degree-bounded polynomials over a finite field, and a construction of non-malleable codes for the latter.

Keywords: AMD codes, fuzzy extractors, random codes, non-malleable codes, error detection.


1. Introduction

Fault injection attacks are a class of attacks that involve the deliberate introduction of errors into the circuitry or memory modules of a cryptographic device in an attempt to deduce some secret state. Algebraic manipulation detection codes Cramer et al. (2008) are a class of error detecting codes that can thwart such attacks when the class of induced faults corresponds to additions on code-words over a finite space. More precisely, let $s$ be a message supplied by an adversary, and suppose $c$, an element of an abelian group $G$, is the corresponding code-word. If for every $\Delta \in G$ the probability that $c + \Delta$ decodes to some $s' \neq s$ is bounded by $\varepsilon$, the scheme is said to be an AMD code with error probability $\varepsilon$.

Even though AMD codes provide an elegant, keyless alternative to the widely used message authentication codes for robust transmission over an error-prone channel, they cannot defeat some types of powerful adversaries. Suppose that an AMD code is used to protect the output of a one time pad scheme. Let $E(K \oplus M)$ be the output on ciphertext $c = K \oplus M$. If it happens that $E$ possesses a linear homomorphism $\phi$, then we have $\Delta_M \,\phi\, E(c) = \Delta_M \,\phi\, E(K \oplus M) = E(K \oplus (M \oplus \Delta_M)) = E(K \oplus M')$, where $M'$ is the message to be substituted. It is therefore desirable to consider a more powerful adversarial model in which an attacker can choose, in addition to the source message, a tampering function $F$ from a rich class of tampering functions $\mathcal{F}$. In this work we consider precisely this model, when the class $\mathcal{F}$ corresponds to algebraic functions over some finite field or the rationals corresponding to the co-domain of the AMD code. We call such a code a generalised algebraic manipulation detection code (GAMD code). Following previous works on algebraic manipulation detection, we distinguish the case when the source message is assumed to be uniformly distributed over the message space from the usual one (which provides tampering detection with bounded error probability for any message). These are called weak generalised algebraic manipulation detection (weak GAMD) and generalised algebraic manipulation detection (GAMD) respectively.

1.1 Our Contributions

We formally introduce the model of generalised algebraic manipulation detection, in which tamperings correspond to algebraic functions over the ambient field of the encoding function. In this model we review the previous constructions for manipulation detection against point additions. We show that such constructions translate directly to our new model, leading to direct instantiations of weak GAMD codes and GAMD codes for this class. Additionally we present an efficient (possibly new) construction for weak GAMD codes in the case of encoding over any finite field of characteristic two, based upon the probabilistic method. We also consider attacks corresponding to the class of polynomial functions. Such attacks in the affine case have been considered in the context of non-malleable cryptography by Aggarwal et al. (2014), Kiayias et al. (2016). We demonstrate an explicit construction of a GAMD code secure against the class of polynomial functions of bounded degree. We show that exact constructions imply corresponding weak GAMD codes with inverse polynomial rate and low error probability. We present a black-box transformation of any weak GAMD code to a GAMD code. This construction is quite efficient, implying, in view of the above results, the existence of GAMD codes with constant rate and low error probability for the classes of point additions and polynomial functions respectively. We show how to construct non-malleable codes for the class of bounded degree polynomials.

1.2 Related Work

Cabello et al. constructed AMD codes in the context of robust secret sharing Cabello et al. (2002). The notion was made explicit by the works of Cramer et al. (2008), Dodis et al. (2006), which provided some further applications, including robust fuzzy extraction and message authentication codes with key manipulation security. In the former one wishes to guarantee recovery of a uniformly random key from biometric or other noisy data, with the property that correctness is maintained under addition of errors up to some prior fixed bound even if the public parameters are compromised. In a similar vein, the goal of the latter is to prevent forgery of message authentication tags even in the case that the adversary has algebraic manipulation access to the device storing the key. Other applications include robust information dispersal and anonymous message transmission Cramer et al. (2008). Dziembowski et al. (2010) introduced the notion of non-malleable coding schemes and gave existential constructions for arbitrary tampering classes as well as efficient constructions in the random oracle model. Liu and Lysyanskaya (2012) constructed computationally secure non-malleable codes for split-state tampering in the CRS model. Dziembowski et al. (2013) initiated the study of non-malleable codes from two-source extractors. Aggarwal et al. (2014) and Chattopadhyay and Zuckerman (2014) constructed explicit efficient non-malleable codes in the split-state model. We show how to construct non-malleable codes from polynomial evasive GAMD codes.


2. Preliminaries

We describe the preliminary tools and definitions to be used throughout this work. We begin firstly by reviewing non-malleable codes Dziembowski et al. (2010), secondly by stating some combinatorial results and finally, in Section 2.3, by stating our generalisation of classical algebraic manipulation detection codes Cabello et al. (2002), Cramer et al. (2008), Dodis et al. (2006).

2.1 Non-Malleable Codes

We recall the notion of non-malleable codes for a class of tampering functions. Informally, a non-malleable code is one which guarantees that after decoding either the original message is recovered or the message that is recovered is completely unrelated to the original.

Definition 1 (Non-Malleable Code, Dziembowski et al. (2010)). Let $\mathcal{F}$ be a family of tampering functions. For each $F \in \mathcal{F}$ and $s \in \{0,1\}^k$, define the tampering experiment

$$\mathrm{Tamper}^F_s := \big\{\, c \leftarrow \mathrm{Enc}(s),\ \tilde{c} \leftarrow F(c),\ \tilde{s} = \mathrm{Dec}(\tilde{c});\ \text{Output } \tilde{s} \,\big\}$$

defining a random variable over the randomness of the encoding function $\mathrm{Enc}$. Say that a coding scheme $(\mathrm{Enc}, \mathrm{Dec})$ is non-malleable w.r.t. $\mathcal{F}$ if for each $F \in \mathcal{F}$ there exists a distribution $D_F$ over $\{0,1\}^k \cup \{\bot, \mathsf{same}^*\}$ such that, for all $s \in \{0,1\}^k$, we have:

$$\mathrm{Tamper}^F_s \approx \big\{\, \tilde{s} \leftarrow D_F;\ \text{Output } s \text{ if } \tilde{s} = \mathsf{same}^*, \text{ and } \tilde{s} \text{ otherwise} \,\big\}$$

and $D_F$ is efficiently samplable given oracle access to $F(\cdot)$.

2.2 Combinatorial Tools

We describe some combinatorial tools used in our constructions of GAMDs.

Definition 2 (Trace, Cramer et al. (2015)). Let $K$ and $L$ be fields. Suppose that $L$ is separable over $K$ and $n := [L:K] < \infty$. Fix some algebraic closure $\bar{L}$ of $L$. Let $\sigma_1, \dots, \sigma_n$ be the distinct $K$-embeddings of $L$ into $\bar{L}$. The trace map $\mathrm{Tr}_{L/K}$ for each $x \in L$ is

$$\mathrm{Tr}_{L/K}(x) = \sum_{i=1}^{n} \sigma_i(x) \in K.$$


Definition 3 (Difference Set, Colbourn and Dinitz (2006)). Let $(G,+)$ be an additive abelian group of order $v$. A subset $D \subseteq G$ is a $(v, c, \lambda)$-external difference set if $|D| = c$ and every non-zero element of $G$ has exactly $\lambda$ representations as a difference $d - d'$ for $d, d' \in D$. If every non-zero element of $G$ has at most $\lambda$ representations $d - d'$, say that $D$ is a $(v, c, \lambda)$-bounded difference set.

Definition 4 (Authentication Code, Stinson (1990, 1994)). Let $S$ be a set of source states, $K$ a set of authentication keys and $A : S \times K \to T$ a mapping, where $T$ is a set of tags. Let $\Pi$ be a probability distribution on $K$. The probability of a successful substitution attack, with respect to a family of substitution functions $\mathcal{F}$, is

$$p^{\mathrm{sub}}_{\mathcal{F}} := \max_{F \in \mathcal{F},\ s \neq s' \in S} \ \Pr_{K \leftarrow \Pi}\big[F(A(s,K)) = A(s',K)\big].$$

Lemma 2.1 (Schwartz-Zippel). Let $K$ be a field and let $P \in K[x_1, \dots, x_n]$ where $(x_i)_{1 \le i \le n}$ are indeterminates. Let $S \subseteq K$ be a finite set and let $(u_i)_{1 \le i \le n}$ be selected independently and uniformly at random in $S$. Then

$$\Pr[P(u_1, \dots, u_n) = 0] \le \frac{\deg(P)}{|S|}.$$

Lemma 2.2 (Prime Number Theorem, Rose (1994)). Let $\pi(x)$ denote the number of primes $p$ which satisfy $2 \le p \le x$. Then

$$\lim_{x \to \infty} \frac{\pi(x) \cdot \ln(x)}{x} = 1.$$

2.3 Generalised Algebraic Manipulation Detection Codes

In this section we define a code which is a generalisation of the classical algebraic manipulation detection coding schemes. The main difference is simply that we allow manipulation functions to be a class of algebraic functions over a field, rather than the restriction to point additions on its group considered by Cabello et al. (2002), Cramer et al. (2008). In this paper $K$ will always be a finite field or a number field, i.e., a finite extension of the rationals; however, below we allow $K$ to be arbitrary for completeness.

Definition 5. Let $K$ be a field with associated metric $d : K^2 \to \mathbb{R}^+ \cup \{0\}$. Let $G := K$ and let $\mathcal{F}$ be a family of algebraic tampering functions on $G$. Let $S$ be a set of symbols. Let $\mathcal{E} : S \to G$ be a probabilistic encoding and $\mathcal{D} : G \to S \cup \{\bot\}$ a deterministic decoding procedure such that $\Pr_{\mathcal{E}}[\mathcal{D}(\mathcal{E}(s)) = s] = 1$ for all $s \in S$.


• The tuple $(\mathcal{E}, \mathcal{D})$ is an $\varepsilon$-generalised algebraic manipulation detection (GAMD) code if $\forall s \in S,\ \forall F \in \mathcal{F}$: $\Pr_{\mathcal{E}}[\mathcal{D}(F(\mathcal{E}(s))) \notin \{s, \bot\}] \le \varepsilon$.

• The tuple $(\mathcal{E}, \mathcal{D})$ is a weak $\varepsilon$-generalised algebraic manipulation detection code if $\forall F \in \mathcal{F}$: $\Pr_{\mathcal{E},\, s \in_R S}[\mathcal{D}(F(\mathcal{E}(s))) \notin \{s, \bot\}] \le \varepsilon$.

Let $B_d(0, \delta)$ be the set of points at distance at most $\delta$ from $0_G$. The (information) rate of a GAMD code is defined as

$$r = \lim_{\delta \to \infty} \frac{\log |\mathcal{E}(S) \cap B_d(0,\delta)|}{\log |G \cap B_d(0,\delta)|}.$$

2.3.1 Families of Tampering Functions

In this paper we consider two classes of tampering functions on a GAMD $(\mathcal{E}, \mathcal{D})$ with co-domain $G = \mathbb{F}_{p^n}$ for some prime $p$ and positive integer $n$.

• Point Additions: let $\mathcal{F}_{\mathrm{add}} = \{F_\Delta\}_{\Delta \in G}$ where $F_\Delta := x \mapsto x + \Delta$ over $G$.

• Polynomial Functions: let $\mathcal{F}_{P_{\le d}} = \{F_{\vec{a}}\}_{\vec{a} \in G^{d+1}}$ where $F_{\vec{a}} := x \mapsto \sum_{i=0}^{d} a_i x^i$ over $G$.

2.4 Notation

For prime $p$ let $\mathbb{F}_{p^n}$ denote the finite field of order $p^n$. Write $f = o(g)$ if $\lim_{n \to \infty} f(n)/g(n) = 0$. Write $f = \Omega(g)$ if $\exists\, c > 0$ and $N_0 > 0$ such that for all $n > N_0$, $f(n) \ge c \cdot g(n)$. Let $e(\cdot)$ denote the real-valued exponential function. Let $\mathrm{SD}(\cdot, \cdot)$ denote the statistical distance. For discrete probability distributions with outcome space $\mathcal{X}$, $\mathrm{SD}(P_0, P_1) = \frac{1}{2} \sum_{x \in \mathcal{X}} |P_0(x) - P_1(x)|$. Given a collection of metrics $\{d_\alpha\}_{\alpha \in A}$ on a collection of sets $\{S_\alpha\}_{\alpha \in A}$, the supremum metric $d$ is defined as $d(x, y) := \sup\{d_\alpha(x_\alpha, y_\alpha) \mid \alpha \in A\}$ for all $x, y \in S_A$. A function is algebraic iff it is the root of a polynomial equation. Let $\mathbb{Q}$ be the set of rationals. For a field $K$, let $P_{\le d}$ be the space of univariate polynomials of degree at most $d$ over $K$. For even integer $n$ denote by $I_n$ the subset of permutations on $n$ objects consisting of involutions with no fixed points.

2.5 Tail Bounds on Sums of Dependent Variables

Lemma 2.3 (Multiplicative Chernoff Bound). Let $\{X_i\}_{1 \le i \le n}$ be a sequence of independent random variables such that $0 \le X_i \le 1$ and $E[X_i] = p$ for $1 \le i \le n$. Let $X = \sum_{i=1}^{n} X_i$ and $\mu = E[X] = np$. Fix $0 < \delta < 1$. Then

$$\Pr[X < \mu(1 - \delta)] \le e\!\left(-\frac{\delta^2 \mu}{2}\right), \qquad \Pr[X > \mu(1 + \delta)] \le e\!\left(-\frac{\delta^2 \mu}{3}\right).$$

3. Constructions

In this section we review some constructions for GAMD codes against the class of tampering functions corresponding to point additions and also degree-bounded polynomials. Our results show that efficient GAMD codes (i.e., ones with constant rate and low error probability) exist for the former class, while for the latter the rate degrades quadratically in the degree of the function. For the class of point additions, we present two constructions of GAMD codes based upon difference sets. Our first can be seen as a specific instantiation of the AMD codes in Section 4.1 of Cabello et al. (2002). Our second, which is based upon the probabilistic method, allows the construction of GAMD codes for a broader class of functions.

3.1 Point Additions

Cabello et al. (2002) constructed a difference set in $\mathbb{F}_{p^l} \times \mathbb{F}_{p^k}$ from any surjective map $\phi : \mathbb{F}_{p^l} \to \mathbb{F}_{p^k}$. An efficient instantiation of $\phi$ for arbitrary $p$ can be found using the field trace (Definition 2). Using this construction we can build a weak GAMD with rate $1 - o(1)$ and arbitrarily low error probability, described in Lemma 3.2.

Lemma 3.1 (Cabello et al. (2002)). Let $p$ be an odd prime and $l$ and $k$ be positive integers such that $l \equiv 0 \pmod{k}$. Let $(G, +)$ be the product of groups $\mathbb{F}_{p^l} \times \mathbb{F}_{p^k}$ under addition. Define

$$D_{k,l} = \big\{(\alpha,\ \phi_{\mathbb{F}_{p^l}/\mathbb{F}_{p^k}}(\alpha^2)) : \alpha \in \mathbb{F}_{p^l}\big\} \subseteq G.$$

Then $D_{k,l}$ is a $(p^{l+k}, p^l, p^{l-k})$-external difference set.

Lemma 3.2. For a prime $p$ and positive integer $n$ let $G = \mathbb{F}_p^n$. Then there exists an explicit weak $(p^{-1})$-GAMD code with respect to the family of point additions $\mathcal{F}_{\mathrm{add}}$ on $G$, with efficient encoding and decoding procedures and rate $1 - o(1)$.

Proof. Note $G \cong (\mathbb{F}_{p^n}, +)$. By Lemma 3.1 we know that for any $n > 1$ there exists a $(p^n, p^{n-1}, p^{n-2})$-external difference set $D_{1,n-1} \subseteq G$. Let $\mathcal{E}(S) = D_{1,n-1}$ and consider the quantity $p_\Delta := \Pr_{s \in_R S}[\mathcal{D}(F_\Delta(\mathcal{E}(s))) \notin \{s, \bot\}]$. Since $\mathcal{E}$ is deterministic and $s$ is chosen uniformly at random, $p_\Delta = \#\{s' \in S : \mathcal{E}(s') - \mathcal{E}(s) = \Delta\} / |S|$. Thus for each $\Delta \in G$, since $\mathcal{E}(S)$ is a $(p^n, p^{n-1}, p^{n-2})$-difference set, $p_\Delta \le p^{n-2}/p^{n-1} = p^{-1}$. The rate of $\mathcal{E}$ is $\frac{\log |D_{1,n-1}|}{\log |G|} = 1 - n^{-1} = 1 - o(1)$, as required.

3.1.1 A New Construction

We note that so far the constructions of GAMD codes against the class of point additions have followed a similar recipe to the constructions of AMD codes presented in Cabello et al. (2002), Cramer et al. (2008). In this section we present a construction for this class with new parameters based upon the probabilistic method.

Lemma 3.3. Let $G$ be an abelian group of order $n$ where $n$ is even. Let $0 \le c < 1$ be arbitrary. Let $I'_n \subset I_n$ be of polynomial size. Then there exists a subset $S \subset G$ and maps $\mathcal{E} : [|S|] \to G$ and $\mathcal{D} : G \to [|S|]$ which define a weak $n^{c-1}$-GAMD with respect to the set $I'_n$. The rate $\rho$ is $c - o(1)$. The sampling error is $e(-\frac{1}{4} n^{\rho}) + |I'_n| \cdot e(-2 n^{2\rho - 1})$.

Proof. We show that for any positive constants $0 \le \gamma < \nu < 1$, there exists a set $S \subset G$ for which $|S| \in \gamma|G|(1 \pm \varepsilon)$ and $|S \cap F(S)| \le \nu|S|$ hold for any $F \in I'_n$. Taking the symbol set to be $[|S|]$, $\nu = n^{c-1}$, $\gamma = n^{(c-1) - o(1)}$ and $\mathcal{E}$ and $\mathcal{D}$ as in the statement of the lemma yields a code with error probability $n^{c-1}$ and rate $\frac{\log \gamma n}{\log n} = c - o(1)$. We will demonstrate the existence of $S$ via a probabilistic argument. Consider the set $S$ defined by sampling each element of $G$ independently with probability $\gamma$. Clearly the size of $S$, $N_0$, has a Binomial distribution with parameters $(n, \gamma)$. We now analyse the size of the intersection $S \cap F(S)$, where $F \in I'_n$ is arbitrary. Observe that each such $F$ induces a matching on $G$ given by $\{(x, F(x)) : x < F(x)\}$. Moreover, since $F$ contains no fixed points, each such pair occurs independently with probability $\gamma^2$. Thus $N_1 := |S \cap F(S)|/2$ follows a Binomial distribution with parameters $(\frac{n}{2}, \gamma^2)$. Now by applying Lemma 2.3, if $\varepsilon$ is such that $\gamma < \nu(1 - \varepsilon) < 2\gamma$ then

$$\Pr[N_0 \le n\gamma(1 - \varepsilon)] \le e\!\left(-\frac{n\gamma\varepsilon^2}{2}\right) \quad (1)$$

$$\Pr\!\left[N_1 \ge \frac{\nu n \gamma (1 - \varepsilon)}{2}\right] \le e\!\left(-\frac{n(\nu(1 - \varepsilon) - \gamma)^2}{6}\right) \quad (2)$$

Secondly, applying a union bound over all $F \in I'_n$, we have $\Pr_S\big[\,|S| \ge n\gamma(1 - \varepsilon)\ \cap\ |S \cap F(S)| \le \nu n \gamma (1 - \varepsilon) \text{ for all } F \in I'_n\,\big] \ge 1 - e\big(-\frac{n\gamma\varepsilon^2}{2}\big) - |I'_n| \cdot e\big(-\frac{n(\nu(1-\varepsilon)-\gamma)^2}{6}\big)$. As $|I'_n|$ is polynomial in $n$, for large enough $n$ this probability is strictly greater than $0$. Let $k > 1$ and $\nu = \varepsilon^{k-1}$, $\gamma = \varepsilon^k$. Then the function $g(\varepsilon) = (\varepsilon^{k-1}(1 - \varepsilon) - \varepsilon^k)^2$ is maximised on the interval $(0, 1)$ by $\varepsilon_0 = \frac{k-1}{2k}$. In particular for $\varepsilon = \varepsilon_0$, $\rho \ge \frac{\log_2(n \cdot 2^{-(k+1)})}{\log_2 n}$ and Equation 1 implies $\Pr[N_0 \le n\gamma(1 - \varepsilon_0)] \le e\big(-\frac{n \varepsilon_0^{k+2}}{2}\big) \le e\big(-n \cdot (\tfrac{1}{2})^{k+3}\big) \le e\big(-\frac{n^{\rho}}{4}\big)$. Equation 2 on the other hand implies $\Pr\big[N_1 \ge \frac{\nu n \gamma (1 - \varepsilon_0)}{2}\big] \le e\big(-\frac{n \varepsilon_0^{2k-1}(1 - 2\varepsilon_0)^2}{6}\big) \le e\big(-n \cdot (\tfrac{1}{2})^{2k+1}\big) \le e(-2 n^{2\rho - 1})$. Thus the sampling error is $e(-\frac{n^{\rho}}{4}) + |I'_n| \cdot e(-2 n^{2\rho - 1})$.

Corollary 3.1. Let $G = (\mathbb{F}_n, +)$ where $n$ is an arbitrary power of two. Then there exists a weak $(n^{-1/2})$-GAMD with respect to the family $\mathcal{F}_{\mathrm{add}}$, with rate $\frac{1}{2} - o(1)$. The sampling error is $e(-\frac{1}{4} n^{1/2}) + n^{-0.1}$.

Proof. The family $\mathcal{F}_{\mathrm{add}}$ defines a subset of $I_n$ of order $n$. Thus $S \subseteq G$ exists with the properties of Lemma 3.3; taking $c = 1/2$ yields an $n^{-1/2}$-GAMD with rate $1/2 - o(1)$. Let $\rho = (1 - \ln 2 + \ln(1.1 \ln n))/2$. Then the sampling error is $e(-\frac{n^{\rho}}{4}) + n \cdot e(-2 n^{2\rho - 1}) \le e(-\frac{n^{1/2}}{4}) + n \cdot e(-\ln(1.1 \cdot n))$. $S$ defines an $(n, \sqrt{n}, 1)$-bounded difference set.

We remark that the parameters achieved by Lemma 3.3 are essentially optimal, matching those of classical parameter sets modulo two Colbourn and Dinitz (2006). We also prove the following result concerning the class $\mathcal{F}_{\mathrm{add}}$ over the cartesian power of a field $K$, corresponding to the finite extensions of $K$ under addition.

Lemma 3.4. Let $(\mathcal{E}', \mathcal{D}')$ be a weak $\gamma'$-GAMD over the field $(K, +)$ for the class $\mathcal{F}_{\mathrm{add}}$ with rate $\rho'$. Then there exists $(\mathcal{E}, \mathcal{D})$, a weak $\gamma$-GAMD for $\mathcal{F}_{\mathrm{add}}$ over $(K^m, +)$, with rate $\rho = \rho'$ and $\gamma = 1 - (1 - \gamma')^m$.

Proof. Since $\gamma \le 1 - (1 - \gamma')^m$ it suffices to prove that $\lim_{\delta \to \infty} \frac{|S \cap F(S) \cap B_d(0,\delta)|}{|S \cap B_d(0,\delta)|} \le (1 - \gamma')^m$ for each choice of $F \in \mathcal{F}_{\mathrm{add}}$ over $K^m$. Therefore we need to show that for each $\varepsilon > 0$ there exists $\delta_\varepsilon > 0$ so that for all $F \in \mathcal{F}_{\mathrm{add}}$,

$$|S \cap F(S) \cap B_d(0, \delta)| \in |S \cap B_d(0, \delta)| \cdot \big((1 - \gamma')^m \pm \varepsilon\big). \quad (3)$$

Decompose $F$ as $\prod_{i=1}^{m} F_i$ where $F_i \in \mathcal{F}_{\mathrm{add}}$ acts on the $i$th copy of $K$ in $K^m$. Let $\varepsilon' = (1 - \gamma') \ln(1 + \varepsilon)\, m^{-1}$. Let $\delta'_{\varepsilon'}$ be such that $\forall \delta' > \delta'_{\varepsilon'}$, $|S' \cap F_i(S') \cap B_{d'}(0, \delta')| \in |S' \cap B_{d'}(0, \delta')| \cdot ((1 - \gamma') \pm \varepsilon')$. Then $\prod_{i=1}^{m} |S' \cap F_i(S') \cap B_{d'}(0, \delta')| \in \prod_{i=1}^{m} \big(|S' \cap B_{d'}(0, \delta')| \cdot ((1 - \gamma') \pm \varepsilon')\big)$. Let $S = S'^m$ and let $d = d'^m$ be the supremum metric on $K^m$. Then

$$\Big(\prod_{i=1}^{m} |S' \cap B_{d'}(0, \delta')|\Big) (1 - \gamma' - \varepsilon')^m \ \le\ \Big|\prod_{i=1}^{m} S' \cap \prod_{i=1}^{m} F_i(S') \cap \prod_{i=1}^{m} B_{d'}(0, \delta')\Big| \ \le\ \Big(\prod_{i=1}^{m} |S' \cap B_{d'}(0, \delta')|\Big) (1 - \gamma' + \varepsilon')^m.$$

Now $((1 - \gamma') - \varepsilon')^m = (1 - \gamma')^m (1 - \varepsilon'(1 - \gamma')^{-1})^m \ge (1 - \gamma')^m e^{-m\varepsilon'/(1 - \gamma')} \ge (1 - \gamma')^m (1 + \varepsilon)^{-1}$. Similarly one can prove $(1 - \gamma' + \varepsilon')^m \le (1 - \gamma')^m (1 + \varepsilon)$. Thus taking $\delta_\varepsilon = \delta'_{\varepsilon'}$ shows that Equation 3 holds for each choice of $\varepsilon$ and $F$ in $\mathcal{F}_{\mathrm{add}}$ over $K^m$.

To complete the proof, observe that the rate of $\mathcal{E}$ is

$$\lim_{\delta \to \infty} \frac{\log_2 |S \cap B_d(0, \delta)|}{\log_2 |B_d(0, \delta)|} = \lim_{\delta \to \infty} \frac{\log_2\big(\prod_{i=1}^{m} |S' \cap B_{d'}(0, \delta)|\big)}{\log_2\big(\prod_{i=1}^{m} |B_{d'}(0, \delta)|\big)} \ge \lim_{\delta \to \infty} \frac{\log_2 |S' \cap B_{d'}(0, \delta)|}{\log_2 |B_{d'}(0, \delta)|} = \rho'.$$

3.2 Polynomial Functions

In this section we show how to construct explicit GAMD codes secure against the class of all polynomials of finite degree $d$ modulo a prime, extending the constructions in Aggarwal (2015), Aggarwal et al. (2014). We first present an informal overview of our construction, while the construction itself is described in Section 3.2.1.

Our Construction In A Nutshell. Aggarwal (2015) constructed codes secure against affine functions by constructing affine-evasive sets modulo a prime. The construction uses the reciprocals of all primes less than some inverse power in the underlying modulus. Fix an affine function $F$ and let the reciprocal primes in its domain be denoted $a_i$ and the primes in its range be denoted $b_i$. In that case an explicit bi-variate quartic relation is derived on the $a_i$ and $b_i$ Aggarwal (2015). We follow this principle but instead use Lagrange interpolation to derive a (cyclically) symmetric relation on the $a_i$ and $b_i$. Unfortunately the setting $d > 1$ necessitates some changes. Firstly, there is no longer symmetry between the $a_i$ and $b_i$, which appears to be unique to the affine setting only. This implies divisibility relations appear possible only from the $b_i$ (primes in the range of the polynomial). We are able to utilise these at slight expense (roughly $O(\log \log k)$ in bit-length) by an additive combinatorics-like construction of a set of primes with the property that no difference of elements of the set is divisible by another element. We believe this construction, to which Lemma 3.5 is devoted, may be of independent interest.

3.2.1 Construction of Polynomial Evasive GAMDs

Lemma 3.5. For any positive integer $N$ there exists a positive integer $B = O(N \ln^{1 + o(1)} N)$ so that $N$ primes lie in the interval $[0, B]$ and such that no one of them divides the difference of two others.

Proof. By Lemma 2.2 we can find $\Theta(\frac{B}{\ln B})$ primes $q_i$ in the interval $(B/2, B]$. Suppose $q_i \mid q_j - q_k$ for some pairwise distinct $q_i, q_j, q_k$. Then $B/2 < q_i \le |q_j - q_k| \le B/2$, which is a contradiction.

For positive integer $N$, denote the above set $D_N$.

Theorem 3.2. Let $p$ be a prime of $k$ bits. There exists an explicit weak $\varepsilon$-GAMD secure against the class $\mathcal{F}_{P_{\le d}}$ modulo $p$ of rate $2/\Theta(d^2)$ and error probability $\varepsilon = O(k)^d \cdot 2^{-\frac{k}{\Theta(d^2)}}$ for any positive integer $d$.

Proof. As mentioned above, define $N(p) = d^2 p^{2/(d^2 + 3d - 2)} / (4 \ln^{1.1} p)$, so that $q \in D_{N(p)}$ satisfies $q < (1 - d^{-1.9}) \cdot p^{2/(d^2 + 3d - 2)}$. Let

$$S := P_d := \{\, q^{-1} \mid q \text{ prime},\ q \in D_{N(p)} \,\}.$$

Fix $\vec{a} = (a_0, \dots, a_{d-1}) \in \mathbb{F}_p^d$ and define $F_{\vec{a}}(x) = \sum_{i=0}^{d-1} a_i x^i$. We will prove that $|S \cap F_{\vec{a}}(S)| \le d$. Suppose to the contrary that there exist distinct $(x_i)_{i=1}^{d+1}$ and $(y_i)_{i=1}^{d+1}$ in $\mathbb{F}_p$ such that $F_{\vec{a}}(x_i) = y_i$. Let $L_j$ be the $j$th Lagrange basis polynomial in the interpolation of $(x_i, y_i)_{i=1}^{d+1}$. In that case one has

$$L(x) = \sum_{j=1}^{d+1} L_j(x) = \sum_{j=1}^{d+1} y_j \frac{\prod_{k \neq j} (x - x_k)}{\prod_{k \neq j} (x_j - x_k)}.$$

Observe that $F_{\vec{a}}(x) = \sum_{i=0}^{d-1} a_i x^i$ is of degree $d - 1$, while $L(x)$ is nominally of degree $d$. It follows that the leading coefficient of $L(\cdot)$ is zero and hence that

$$\sum_{j=1}^{d+1} \frac{y_j}{\prod_{k \neq j} (x_j - x_k)} \equiv 0 \pmod{p} \quad (4)$$

Write $x_j = a_j^{-1}$ and $y_j = b_j^{-1}$. WLOG $a_1 \neq b_1$, since for any non-trivial $F_{\vec{a}}$ the polynomial $F_{\vec{a}}(x) - x$ has at most $d - 1$ roots. Therefore

$$\sum_{j=1}^{d+1} \frac{a_j^d \prod_{k \neq j} a_k}{b_j \cdot \prod_{k \neq j} (a_j - a_k)} \equiv 0 \pmod{p}.$$

Multiplying out and clearing common terms,

$$\sum_{j=1}^{d+1} \Big( (-1)^j a_j^{d-1} \cdot \prod_{k \neq j} b_k \cdot \prod_{l > k,\ k \neq j} (a_l - a_k) \Big) \equiv 0 \pmod{p} \quad (5)$$

Since $a_j, b_j < (1 - d^{-1.9}) \cdot p^{2/(d^2 + 3d - 2)}$ and $|a_l - a_k| < \max\{a_k, a_l\}$ for every $k < l$, Equation 5 holds over the integers. In particular, since $b_1$ appears in every summand except the first,

$$b_1 \ \Big|\ a_1^{d-1} \cdot \prod_{k=2}^{d+1} b_k \cdot \prod_{l > k,\ k \ge 2} (a_l - a_k) \quad (6)$$

We now derive a contradiction as follows. By assumption $b_1$ is distinct from, and hence coprime to, $a_1$ and $(b_i)_{i \ge 2}$. Then $b_1 \mid (a_l - a_k)$ for some $l > k$, which by our construction of $P_d$ is impossible.

We now prove

Theorem 3.3. Let $p$ be a prime. There exists some constant $c$ so that for any $0 < \varepsilon < 1$ there exists an $\varepsilon$-non-malleable code $(\mathrm{Enc}, \mathrm{Dec})$ for the class $\mathcal{F}_{P_{\le d}}$, where $\mathrm{Enc} : \mathbb{Z}_T \to \mathbb{F}_p$ and $\mathrm{Dec} : \mathbb{F}_p \to \mathbb{Z}_T$, whenever $p > (\frac{T}{\varepsilon})^{c \cdot d^2}$.

Proof. By Theorem 3.2 we know that there exists a set $S \subset \mathbb{F}_p$ with the property that $|S| \le \big(\log p \cdot p^{\frac{2}{d^2 + 5d + 2} - 1}\big) \cdot p$ and $|S \cap F(S)| \le \frac{\log p \cdot p^{-\frac{2}{d^2 + 5d + 2}}}{2d} \cdot |S|$ for all $F \in \mathcal{F}_{P_{\le d}}$. Consider partitioning $S$ into sets $(S_m)_m$ of equal size $\frac{|S|}{T}$. Define $\mathrm{Enc} : \mathbb{Z}_T \to \mathbb{F}_p$ by $\mathrm{Enc}(m) = c : c \in_R S_m$ and $\mathrm{Dec}(c) = m : c \in S_m$.

Fix $F \in \mathcal{F}_{P_{\le d}}$ and define the simulation experiment $\mathrm{Sim}^F_m$ as in Figure 1.

$\mathrm{Sim}^F_m$:

1. Pick $c \in_R \mathbb{F}_p \mid c \in S_m$.
2. Output $\mathsf{same}^*$ if $F(c) = c$, else $\mathrm{Dec}(F(c))$.

Figure 1: Tampering simulation experiment.

Note that the distribution $D_F$ satisfies $\Pr[D_F = \mathsf{same}^*] = \Pr_{c \in_R \mathbb{F}_p}[F(c) = c]$ and $\Pr[D_F = m] = \Pr_{c \in_R \mathbb{F}_p}[F(c) \neq c \ \cap\ \mathrm{Dec}(F(c)) = m]$ for $m \in \mathbb{Z}_T \cup \{\bot\}$. We claim that $\mathrm{SD}(\mathrm{Sim}^F_m, \mathrm{Tamper}^F_m) \le \varepsilon$, where $\mathrm{Tamper}^F_m$ is the tampering experiment of Definition 1. First suppose that $F(x) \equiv x$. In that case $\Pr[\mathrm{Tamper}^F_m = m] = \Pr[\mathrm{Sim}^F_m = m] = 1$, so that $\mathrm{SD}(\mathrm{Sim}^F_m, \mathrm{Tamper}^F_m) = 0$. Suppose $F(x) \equiv a$ where $a$ is a constant in $\mathbb{F}_p$. Then $\Pr[\mathrm{Tamper}^F_m = \mathrm{Dec}(a)] = \Pr[\mathrm{Sim}^F_m = \mathrm{Dec}(a)] = 1$, so again $\mathrm{SD}(\mathrm{Sim}^F_m, \mathrm{Tamper}^F_m) = 0$. If $F \notin \{\mathrm{id.}, \mathbb{F}_p\}$, then $\Pr_{c \in_R \mathbb{F}_p}[F(c) = c]$ occurs with probability at most $\frac{d}{p}$ by Lemma 2.1. Thus $\mathrm{SD}(\mathrm{Sim}^F_m, \{\mathrm{Dec}(F(c)) : c \in_R \mathbb{F}_p\}) \le \frac{d}{p}$. Now

$$\begin{aligned}
\mathrm{SD}\big(\mathrm{Tamper}^F_m, \{\mathrm{Dec}(F(c)) : c \in_R \mathbb{F}_p\}\big)
&= \sum_{m'} \big|\Pr[\mathrm{Dec}(F(c)) = m' : c \leftarrow \mathrm{Enc}(m)] - \Pr[\mathrm{Dec}(F(c)) = m' : c \in_R \mathbb{F}_p]\big| \\
&\le \sum_{m'} \big|\Pr[\mathrm{Dec}(F(c)) = m' : c \leftarrow \mathrm{Enc}(m)]\big| + \sum_{m'} \big|\Pr[\mathrm{Dec}(F(c)) = m' : c \in_R \mathbb{F}_p]\big| \\
&\le \Pr\Big[F(c) \in \bigcup_{m' \in \mathbb{Z}_T} S_{m'} : c \in_R S_m\Big] + \Pr\Big[F(c) \in \bigcup_{m' \in \mathbb{Z}_T} S_{m'} : c \in_R \mathbb{F}_p\Big] \\
&\le \frac{|S \cap F(S_m)|}{|S_m|} + \frac{|S \cap \mathbb{F}_p|}{|\mathbb{F}_p|} \le \varepsilon \quad (7)
\end{aligned}$$

To satisfy Equation 7 we need $\log p \cdot p^{\frac{1}{\Theta(d^2)}} \cdot \big(\frac{T}{\Theta(d)} + \frac{1}{p}\big) + \frac{d}{p} < \varepsilon$, so that for some constant $c$ it holds that $p > (\frac{T}{\varepsilon})^{c \cdot d^2}$, yielding the result.

We remark that Theorem 3.2 extends to all finite centred Laurent expansions, i.e., two-sided polynomial expressions about zero, as well as to finite fields with similar parameters.

4. A Weak GAMD to GAMD Transformation

In this section we present a sufficient result for transforming any weak GAMD code to a GAMD code, following a similar idea to that presented in Section 4 of Cramer et al. (2008). Our main result here is Lemma 4.1, which states that if the class of tampering functions can be represented by a set of polynomials in one or more variables of bounded degree $d \ll |K|$, then any weak GAMD code for this family can be transformed to a GAMD code. In particular this implies asymptotically efficient GAMD codes for the class of polynomial functions with negligible error probability.


Prop 4.1. Suppose that $(\mathcal{E}', \mathcal{D}')$ is a weak $\varepsilon'$-GAMD with respect to $\mathcal{F}$ where $\mathcal{E}' : S' \to G'$. Let $A : S \times S' \to T$ be an authentication code. Let $G = S \times G' \times T$. Define $\mathcal{E} : S \to G$ by $\mathcal{E}(s) = (s, \mathcal{E}'(k), A(s, k))$, where $k \in_R S'$. Define $\mathcal{D} : G \to S \cup \{\bot\}$ by $\mathcal{D}(s, c', \tau) = s$ iff $\mathcal{D}'(c') \neq \bot$ and $\tau = A(s, \mathcal{D}'(c'))$. Then $(\mathcal{E}, \mathcal{D})$ is an $\varepsilon$-GAMD with respect to $\mathcal{F}$ where $\varepsilon = \varepsilon' + p^{\mathrm{sub}}_{\mathcal{F}}$.

Proof. Suppose that $\tilde{c} = (\tilde{s}, \tilde{c}', \tilde{\tau})$ is a received code-word for source symbol $s$ under key $k$. Suppose that $\tilde{s} \neq s$. Then $\Pr[\mathcal{D}'(\tilde{c}') \notin \{k, \bot\}] \le \varepsilon'$, since $(\mathcal{E}', \mathcal{D}')$ is a weak $\varepsilon'$-GAMD and $k$ is chosen uniformly at random in $S'$. Moreover, $\Pr[A(\tilde{s}, k) = \tilde{\tau}] \le p^{\mathrm{sub}}_{\mathcal{F}}$ since $\tilde{s} \neq s$. Thus the event $\mathcal{D}(\tilde{c}) = \tilde{s}$ occurs with probability at most $\varepsilon' + p^{\mathrm{sub}}_{\mathcal{F}}$. The result follows.

Lemma 4.1. Let $\ell$ be an arbitrary positive integer and $K$ be a field. Let $\mathcal{K} \subseteq K^2$ be a finite set and $A : S \times \mathcal{K} \to T$ be the message authentication code defined by

$$A\big((s_1, \dots, s_\ell), (x, y)\big) = \sum_{i=1}^{\ell} s_i x^i + y.$$

Then $p^{\mathrm{sub}}_{\mathcal{F}_{P_{\le d}}} \le \frac{\ell d}{|\mathcal{K}|}$.

Proof. Let $F$ be a fixed polynomial in $\mathcal{F}_{P_{\le d}}$. Let $s \neq s' \in S$. Consider the polynomial

$$P(x, y) = F\Big(\sum_{i=1}^{\ell} s_i x^i + y\Big) - \Big(\sum_{i=1}^{\ell} s'_i x^i + y\Big) \quad \text{in } K[x, y].$$

We argue this is a non-zero polynomial as follows. First observe that if $P \equiv 0$, then $\deg(F) = 1$, since otherwise $P(x, y)$ contains a non-trivial power of $y$. So let $F(u) = a_0 u + a_1$. Then $a_0 = 1$ by a similar argument. Thus $P = \sum_{i=1}^{\ell} (s_i - s'_i) x^i + a_1$, which is a contradiction since $s \neq s'$ implies there exists $i$ for which $s_i \neq s'_i$. On the other hand, the degree of $P$ is at most $\deg(F) \cdot \ell \le \ell d$. Thus by Lemma 2.1, as $k = (x, y)$ is chosen uniformly in $\mathcal{K}$, the event $P = 0$ occurs with probability at most $\frac{\ell d}{|\mathcal{K}|}$. Finally, $P = 0$ occurs iff $F(A(s, k)) = A(s', k)$, concluding the proof.

Corollary 4.1. For any $n \in \mathbb{N}$ and large enough prime $p$ there exists an $\varepsilon$-GAMD of block length $n$ with respect to the family $\mathcal{F}_{P_{\le d}}$ over $\mathbb{F}_p$, where $\varepsilon = 2^{-n/\Theta(d^2)}$ and the rate is $1 - o(1)$.

Proof. Pick prime $p$ so that $p > 2^n$. By Theorem 3.2 we can construct $\mathcal{E}'$ over $\mathbb{F}_{p^2}$ so that $\varepsilon' \le O(\log p)^d\, p^{-1/\Theta(d^2)}$. Let $A : \mathbb{F}_p^{n-3} \times \mathbb{F}_p^2 \to \mathbb{F}_p$ be as in Lemma 4.1. Then, as $\deg(F) \le d$ for all $F \in \mathcal{F}_{P_{\le d}}$, we have $p^{\mathrm{sub}}_{\mathcal{F}_{P_{\le d}}} \le \frac{(n-3)d}{p^2}$ by Lemma 4.1. The rate of $\mathcal{E}$ is $\frac{n-3}{n} = 1 - o(1)$. The error probability is bounded by $\varepsilon = p^{\mathrm{sub}}_{\mathcal{F}_{P_{\le d}}} + \varepsilon' \le nd \cdot 2^{-n/\Theta(d^2)} + 2^{-\Omega(n)} = 2^{-n/\Theta(d^2)}$.
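As an added worked example (not code from the paper), the following Python instantiates the weak-GAMD-to-GAMD transformation of Prop 4.1 over $\mathbb{F}_p$ for the point-addition class $\mathcal{F}_{\mathrm{add}}$: the inner weak GAMD is the $l = k = 1$ case of Lemma 3.1, $\mathcal{E}'(\alpha) = (\alpha, \alpha^2)$, and the outer tag is the MAC of Lemma 4.1. It assumes a small constructed prime $p = 101$ and message length $\ell = 2$, and measures the substitution probability exactly by enumerating every key $(x, y)$.

```python
"""Added example (not the paper's code): Prop 4.1 over F_p for point additions.

Inner weak GAMD: the l = k = 1 case of Lemma 3.1, where the trace map is the
identity, so E'(alpha) = (alpha, alpha^2).  {(alpha, alpha^2) : alpha in F_p} is a
(p^2, p, 1)-external difference set, hence a weak (1/p)-GAMD for F_add.
Outer code (Prop 4.1 with the MAC of Lemma 4.1):
    E(s) = (s, E'(x), E'(y), A(s, (x, y))),   A(s, (x, y)) = sum_i s_i x^i + y,
with the key (x, y) uniform in F_p^2.  p and ell are constructed demo parameters.
"""
import random
from itertools import product

p = 101    # constructed: a small odd prime


def inner_encode(alpha):
    """E'(alpha) = (alpha, alpha^2) in F_p x F_p (deterministic)."""
    return (alpha % p, alpha * alpha % p)


def inner_decode(word):
    """D'(word) = alpha if word lies on the parabola, else None (bottom)."""
    a, b = word
    return a if a * a % p == b else None


def mac(s, x, y):
    """A(s, (x, y)) = sum_{i=1}^{ell} s_i x^i + y over F_p (Lemma 4.1)."""
    return (sum(si * pow(x, i, p) for i, si in enumerate(s, start=1)) + y) % p


def encode(s, key=None):
    """E(s) = (s, E'(x), E'(y), A(s, (x, y))) with a fresh uniform key (x, y)."""
    x, y = key if key is not None else (random.randrange(p), random.randrange(p))
    return tuple(v % p for v in s) + inner_encode(x) + inner_encode(y) + (mac(s, x, y),)


def decode(c, ell):
    """D(c): recover the key parts via D', then accept iff the tag re-verifies."""
    s = tuple(c[:ell])
    x = inner_decode(c[ell:ell + 2])
    y = inner_decode(c[ell + 2:ell + 4])
    if x is None or y is None or mac(s, x, y) != c[ell + 4]:
        return None          # reject (bottom)
    return s


def point_add(c, delta):
    """The tampering function F_delta : c -> c + delta, coordinate-wise in F_p."""
    return tuple((ci + di) % p for ci, di in zip(c, delta))


def inner_weak_error(delta):
    """Exact Pr over uniform alpha that E'(alpha) + delta decodes to some alpha' != alpha.
    For delta = (d1, d2) with d1 != 0 this is exactly 1/p: (alpha+d1)^2 = alpha^2 + d2
    is linear in alpha with a single root, since p is odd."""
    hits = 0
    for alpha in range(p):
        out = inner_decode(point_add(inner_encode(alpha), delta))
        if out is not None and out != alpha:
            hits += 1
    return hits / p


def substitution_prob(s, delta, ell):
    """Exact Pr over the uniform key that D(F_delta(E(s))) is some s' not in {s, bottom}.
    Prop 4.1 bounds this by eps' + p^sub; here eps' <= 2/p (two inner words) and,
    for a point addition, p^sub <= ell/p (Schwartz-Zippel over F_p: the key
    polynomial sum (s_i - s'_i) x^i + delta_tag has degree at most ell in x)."""
    hits = 0
    for x, y in product(range(p), repeat=2):
        out = decode(point_add(encode(s, (x, y)), delta), ell)
        if out is not None and out != tuple(s):
            hits += 1
    return hits / (p * p)


def gamd_error_bound(ell):
    """eps = eps' + p^sub for this instantiation (see substitution_prob)."""
    return 2 / p + ell / p


if __name__ == "__main__":
    s, ell = (3, 7), 2
    assert decode(encode(s), ell) == s
    # delta flips the first message symbol only: only keys with x = 0 fool the tag
    print(substitution_prob(s, (1, 0, 0, 0, 0, 0, 0), ell), "<=", gamd_error_bound(ell))
```

Tampering the key words as well (the third delta in the test) is caught by the inner code except for the single $x$ with $(x+1)^2 = x^2$, and that key then fails the tag check, so the measured probability is 0.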


5. An Addition Evasive GAMD over Q

To construct a code for the class of point additions over the rationals we will use the result that for any prime power $M$ there exists an integer 1-difference set of size $M + 1$ inside $\mathbb{Z}_q = \{1, \dots, q\}$ where $q = M^2 + M + 1$ (Singer (1938)). We denote this set $D_M$ and consider $q(\cdot)$ as a function in $M$.

Theorem 5.1. There exists an explicit weak $\varepsilon$-GAMD over the rationals against the class of point additions with constant rate (approximately $0.75$) and negligible error probability.

Proof. Let $N > 0$ be an arbitrary integer. Let $r(N)$ be the largest prime such that $r^2 + r + 1 \le N$. Let $S \subset \mathbb{Q}$ be given by
$$S := \left\{ \frac{a}{p} \;\middle|\; p \text{ prime},\ a \in D_{r(\lfloor p/2 \rfloor)} \right\} \tag{8}$$
We prove that for any element $F \in \mathcal{F}_{\mathrm{add}}$, $|S \cap F(S)| \le 1$. Suppose for contradiction that there exist $v_1, v_2, v_3, v_4 \in S$ such that $v_1 - v_2 = v_3 - v_4$. Let $v_1 = \frac{a}{p}$, $v_2 = \frac{b}{q}$, $v_3 = \frac{c}{r}$, $v_4 = \frac{d}{s}$ where $a < \frac{p}{2}$, $b < \frac{q}{2}$, $c < \frac{r}{2}$, $d < \frac{s}{2}$.

Case 1: $p \neq q \neq r \neq s$. We have $(aq - bp)rs = (cs - dr)pq$. Then $pq \mid (aq - bp)$ and $aq - bp \neq 0$ as $a < p$. On the other hand $|aq - bp| < \max\{aq, bp\} < \frac{pq}{2}$, which is a contradiction.

Case 2: At least two, but not all, of $p, q, r, s$ are distinct. WLOG $p \neq r$ and $q \neq s$. Then either $p = s$ or $q = r$. If $p = s$, then $\frac{a}{p} - \frac{b}{q} = \frac{c}{r} - \frac{d}{p}$ so that $(a + d)rq = p(br + cq)$. Then $r \mid cpq$. As $p \neq r$ and $c < r$, $q = r$. Thus $p \mid a + d$, which contradicts $a, d < \frac{p}{2}$. The case $q = r$ is similar.

Case 3: $p = q = r = s$. In this case $a - b = c - d$ with $a \neq c$ and $b \neq d$, which contradicts $D_{r(p)}$ being a 1-difference set.

We analyse the rate of $\mathcal{E}$. We have
$$\rho = \lim_{N \to \infty} \frac{\log_2 \#\{x \in S : x = \tfrac{a}{N},\ a \le N\}}{\log_2 \#\{x \in \mathbb{Q} : x = \tfrac{a}{N},\ a \le N\}}.$$
By Lemma 2.2, for sufficiently large $N$ there are at least $\frac{N}{\ln N} - 1.5\,\frac{N/2}{\ln(N/2)}$ primes in the interval $[N/2, N]$. We may also choose prime $M$ so that $q(M) = \left\lfloor \frac{N/2}{2} \right\rfloor + O(N^{1/2})$. Thus $S$ contains at least
$$\sqrt{\lfloor N/4 \rfloor} \cdot \left( \frac{N}{\ln N} - \frac{3N}{4\ln(N/2)} \right) = O\!\left( \frac{N^{3/2}}{\ln N} \right)$$
elements whose denominator is at most $N$. Thus $\rho = \lim_{N \to \infty} \frac{1.5 \ln N - \ln \ln N}{\ln(N^2/2)} = 0.75$.

The following is immediate by combining Lemma 3.4, Lemma 4.1 and The-orem 5.1.


Ramchen, K.

Corollary 5.2. Let $K$ be a number field of degree $k := [K : \mathbb{Q}]$. Then there exists an $\varepsilon$-GAMD for the class $\mathcal{F}_{\mathrm{add}}$ over $K$ with rate $1 - o(1)$ and negligible $\varepsilon$ for any choice of $k$ at most polynomial in the message length.

6. Conclusion

We have defined a generalisation of algebraic manipulation detection codes to facilitate detection of tampering by algebraic functions over a field. We have demonstrated explicit constructions of these codes for the families of point additions and polynomial functions and matching randomised constructions for the former over finite fields. In future work it would be interesting to extend these constructions as well as to investigate applications of these codes.

References

Aggarwal, D. (2015). Affine-evasive sets modulo a prime. Inf. Process. Lett., 115(2):382–385.

Aggarwal, D., Dodis, Y., and Lovett, S. (2014). Non-malleable codes from additive combinatorics. In Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, STOC '14, pages 774–783, New York, NY, USA. ACM.

Cabello, S., Padró, C., and Sáez, G. (2002). Secret sharing schemes with detection of cheaters for a general access structure. Des. Codes Cryptography, 25(2):175–188.

Chattopadhyay, E. and Zuckerman, D. (2014). Non-malleable codes against constant split-state tampering. In 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, pages 306–315.

Colbourn, C. J. and Dinitz, J. H. (2006). Handbook of Combinatorial Designs, Second Edition (Discrete Mathematics and Its Applications). Chapman & Hall/CRC.

Cramer, R., Damgård, I. B., and Nielsen, J. B. (2015). Secure Multiparty Computation and Secret Sharing. Cambridge University Press, New York, NY, USA, 1st edition.

Cramer, R., Dodis, Y., Fehr, S., Padró, C., and Wichs, D. (2008). Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 471–488.


Dodis, Y., Katz, J., Reyzin, L., and Smith, A. (2006). Robust fuzzy extractors and authenticated key agreement from close secrets. In Annual International Cryptology Conference, pages 232–250. Springer.

Dziembowski, S., Kazana, T., and Obremski, M. (2013). Non-malleable codes from two-source extractors. In Canetti, R. and Garay, J. A., editors, Advances in Cryptology – CRYPTO 2013, pages 239–257, Berlin, Heidelberg. Springer Berlin Heidelberg.

Dziembowski, S., Pietrzak, K., and Wichs, D. (2010). Non-malleable codes. In ICS, pages 434–452.

Kiayias, A., Liu, F.-H., and Tselekounis, Y. (2016). Practical non-malleable codes from l-more extractable hash functions. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, pages 1317–1328, New York, NY, USA. ACM.

Liu, F.-H. and Lysyanskaya, A. (2012). Tamper and leakage resilience in the split-state model. In Safavi-Naini, R. and Canetti, R., editors, Advances in Cryptology – CRYPTO 2012, pages 517–532, Berlin, Heidelberg. Springer Berlin Heidelberg.

Rose, H. E. (1994). A Course in Number Theory, Second Edition. Oxford University Press.

Singer, J. (1938). A theorem in finite projective geometry and some applications to number theory. Transactions of the American Mathematical Society, 43(3):377–385.

Stinson, D. (1990). The combinatorics of authentication and secrecy codes. J. Cryptol., 2(1):23–49.

Stinson, D. R. (1994). Universal hashing and authentication codes. Designs, Codes and Cryptography, 4(3):369–380.


Malaysian Journal of Mathematical Sciences 13(S) August: 67–76 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

Construction of Endomorphisms for the ISD Method on Elliptic Curves with j-invariant 1728

Antony, S.N.F.M.A.*1 and Kamarulhaili, H.2

1,2 School of Mathematical Sciences, Universiti Sains Malaysia

E-mail: [email protected] (*Corresponding author)

ABSTRACT

In this study, we construct efficiently computable endomorphisms on elliptic curves with j-invariant 1728 to accelerate the computation of the ISD method. The ISD method computes scalar multiplication on elliptic curves and requires three endomorphisms to do so. However, the original ISD method is only able to solve integer multiplications, since its endomorphisms are defined over $\mathbb{Z}$. Besides, the endomorphisms defined in the original ISD method are not efficiently computable. We extend the study by defining the endomorphisms in the ISD method over $\mathbb{Q}(\sqrt{-d})$, so that it can solve complex multiplications. Elliptic curves with j-invariant 1728 are defined over $\mathbb{Q}(i)$, whose discriminant is $D = -4$, with a unique maximal order. The maximal order satisfies a polynomial of degree two, which is the minimal polynomial of the first efficiently computable endomorphism. Meanwhile, we choose the other two endomorphisms to belong to $\mathbb{Q}(i)$ as well.

Keywords: Efficient endomorphism, elliptic curve scalar multiplication, Integer Sub-Decomposition method, j-invariant 1728, quadratic field.


1. Introduction

$E(\mathbb{F}_p)$ with $\operatorname{char}(K) \neq 2, 3$ is an ordinary elliptic curve $E$ defined over a prime field $\mathbb{F}_p$, where
$$E : y^2 = x^3 + Ax + B$$
such that $A, B \in \mathbb{F}_p$. The order of $E$, denoted $\#E(\mathbb{F}_p)$, is the number of points in $E(\mathbb{F}_p)$, and $\#E(\mathbb{F}_p) = nh$, where $n$ is a prime number and $h$ is the cofactor. For cryptographic purposes, $h \le 4$. These points form a group, and it is clear that there exists a single prime subgroup of order $n$ inside this group.

One of the most critical operations in elliptic curve cryptography (ECC) is scalar multiplication, $kP$, where $k \in [1, n]$ and $P \in E(\mathbb{F}_p)$ is a point of order $n$. It remains the most dominant operation in ECC, see Park et al. (2002). To overcome the high computational cost, many researchers have developed approaches such as the Gallant-Lambert-Vanstone (GLV) method and the Integer Sub-Decomposition (ISD) method.

Gallant et al. (2001) proposed the GLV method, in which they decompose the scalar $k$ into two mini scalars $k_1$ and $k_2$ which satisfy $k_1, k_2 \le \sqrt{n}$. The general form of the GLV method is given as
$$kP = k_1 P + k_2 \Phi(P) \tag{1}$$
where $\Phi(P) = \lambda P$. They highlight that $\lambda$ is a root of the minimal polynomial of degree two for the endomorphism $\Phi$. This implies $\lambda$ is an algebraic integer, see Ribenboim (2001). The GLV method allows complex multiplication since its efficiently computable endomorphism is defined over the complex quadratic field. The efficiently computable endomorphism accelerates scalar multiplication on an elliptic curve via the GLV method by 50%, see Sica et al. (2002).

However, not all scalars $k$ can be decomposed into scalars $k_1, k_2 \le \sqrt{n}$. As an alternative, Ajeena and Kamarulhaili (2013) proposed the ISD method to fill the gap of the GLV method. The ISD method further decomposes the GLV scalars $k_1, k_2 > \sqrt{n}$ into four different scalars $k_{1,1}, k_{1,2}, k_{2,1}, k_{2,2}$, each of which falls within $\sqrt{n}$, see Ajeena and Kamarulhaili (2014). The ISD method formulation is given as
$$kP = k_{1,1} P + k_{1,2} \Phi_1(P) + k_{2,1} P + k_{2,2} \Phi_2(P) \tag{2}$$
where three endomorphisms, denoted by $\Phi, \Phi_1, \Phi_2$, are needed. The ISD method increases the percentage of successful computations as compared to the GLV method; however, its computational cost is expensive due to its inefficiently computable endomorphisms. They used trivial endomorphisms, defined by $X - \lambda = 0$, see Ajeena and Kamarulhaili (2015). As a result, they are only able to solve integer multiplications. Hence, their method is unable to solve complex multiplication on elliptic curves with j-invariant 1728.

In this paper, we extend the ISD method to be defined over the imaginary quadratic field, which allows it to solve complex multiplication on elliptic curves with j-invariant 1728. Section 2 discusses some definitions and essential theorems related to this study. Section 3 describes the efficiently computable endomorphisms acting on curves with j-invariant 1728 and their respective mappings. This section also discusses the upper and lower bounds of the decomposed scalars. In addition, the operation counts for each of the endomorphisms are computed. Lastly, the last section concludes the paper.

2. Preliminaries

In this section, we give some important concepts which are used throughout this study; for details refer to Washington (2008) and Cohen (1996).

Theorem 2.1. Let $E$ be an elliptic curve which allows complex multiplication. Then $\operatorname{End}(E)$ is isomorphic either to $\mathbb{Z}$ or to an order in an imaginary quadratic field.

Definition 2.1. Let $E : y^2 = x^3 + Ax + B$ be an ordinary elliptic curve. Then the only change of variables that preserves the structure of $E$ is $x = u^2 x'$, $y = u^3 y'$.

Definition 2.2. Let $d > 0$ be a square-free integer and let
$$K = \mathbb{Q}(\sqrt{-d}) = \{ a + b\sqrt{-d} \mid a, b \in \mathbb{Q} \}.$$
Then $K$ is called an imaginary quadratic field.

Definition 2.3. The discriminant $D$ of the quadratic field is the discriminant of the quadratic polynomial, where
$$D = \begin{cases} -f^2 d, & \text{if } d \equiv 3 \pmod 4 \\ -4f^2 d, & \text{if } d \equiv 1, 2 \pmod 4 \end{cases}$$
where $d$ is the square-free integer and $f$ is the conductor of the ring generated by an order in the complex or imaginary quadratic field $K = \mathbb{Q}(\sqrt{-d})$.


Proposition 2.1. Let $K = \mathbb{Q}(\sqrt{-d})$ with $d$ a square-free integer. Let $\{1, \mathcal{O}_K\}$ be the integral basis of $K$. Then the largest subring of $K$, denoted by $\mathcal{O}_K$, is finitely generated as an abelian group and is defined as
$$\mathcal{O}_K = \begin{cases} \mathbb{Z}\!\left[\frac{1 + \sqrt{-d}}{2}\right], & \text{if } d \equiv 3 \pmod 4 \\ \mathbb{Z}[\sqrt{-d}], & \text{if } d \equiv 1, 2 \pmod 4. \end{cases}$$

3. Curves with j-invariant 1728

The elliptic curves with j-invariant 1728 are curves of the form $E : y^2 = x^3 + Ax$, defined over $\mathbb{F}_p$. From Washington (2008), this curve is ordinary only when $p \equiv 1 \pmod 4$. This curve corresponds to the unique discriminant $D = -4$ of the complex quadratic field, which belongs to a class number one field, see Cohen (1996), where $K = \mathbb{Q}(i)$. Following Proposition 2.1, the maximal order for this curve is $\mathbb{Z}[i]$, the largest ring in this field, with integral basis $\{1, i\}$. There exists a unique endomorphism acting on the curve which is defined over $K = \mathbb{Q}(i)$. The following proposition describes the minimal polynomial and the mapping for the unique efficiently computable endomorphism acting on curves with j-invariant 1728.

Proposition 3.1. Let $p \equiv 1 \pmod 4$ and $P \in E(\mathbb{F}_p)$ with prime order $n$, where $E : y^2 = x^3 + Ax$. Let $\beta \in \mathbb{F}_p$ be an element of order four. Then the endomorphism $\Phi$ satisfies $\Phi^2 + 1 = 0$, where $\Phi(P) = \lambda P$, and the map $\Phi$ defined as
$$\Phi : E(\mathbb{F}_p) \to E(\mathbb{F}_p), \qquad (x, y) \mapsto (-x, \beta y), \qquad \mathcal{O} \mapsto \mathcal{O}$$
is an endomorphism, where $\beta^2 + 1 \equiv 0 \pmod p$.

Proof. An element $u \in \mathbb{F}_p$ of order four is chosen such that $u^4 \equiv 1 \pmod p$. This implies $u^4 - 1 \equiv 0 \pmod p$, which factors as $(u + 1)(u - 1)(u^2 + 1) \equiv 0 \pmod p$, so $u \equiv 1 \pmod p$, $u \equiv -1 \pmod p$ or $u \equiv \pm\sqrt{-1} \pmod p$. Clearly, the only algebraic number is $u \equiv \pm\sqrt{-1} \pmod p$, which satisfies a minimal polynomial of the form $u^2 + 1 = 0$. Note that $\mathbb{Z}[u] \cong \mathcal{O}_K$. From Theorem 2.1, $\Phi$ is isomorphic to an order in an imaginary quadratic field, $\Phi \cong u$, hence $\Phi^2 + 1 = 0$, which implies $\lambda^2 + 1 = 0$. From Definition 2.1, the isomorphism that preserves the equation of $E \to E$ is given by $x = u^2 x$, $y = u^3 y$. Since $u^2 \equiv -1 \pmod p$, we then have
$$\Phi(x, y) = (u^2 x, u^3 y) = ((-1)x, \beta y) = (-x, \beta y).$$
Suppose $\beta \equiv u^3 \pmod p$; this implies $\beta^4 \equiv (u^3)^4 \equiv (u^4)^3 \equiv 1 \pmod p$. Thus $\beta$ is also an element of order four. Therefore, $\beta$ satisfies the equation $\beta^2 + 1 \equiv 0 \pmod p$.

The ISD method needs two more endomorphisms so that it applies to elliptic curves with j-invariant 1728. We choose the rings of the second and third endomorphisms to be subrings of the endomorphism ring of the first endomorphism. The following lemma describes the existence of the other two non-maximal orders, which belong to the same complex quadratic field as the maximal order.

Lemma 3.1. Let $E : y^2 = x^3 + Ax$ be defined over a field $K = \mathbb{Q}(i)$. Given the first endomorphism as $\Phi^2 + 1 = 0$, where the maximal order is $\mathcal{O}_K = \mathbb{Z}[i]$, there exist two other non-maximal orders, given by $\mathbb{Z}[1 - i]$ and $\mathbb{Z}[1 + i]$, which belong to the same field.

Proof. From Proposition 2.1, the maximal order for the imaginary quadratic field with discriminant $D = -4$ is $\mathcal{O}_K = \mathbb{Z}[i]$, with integral basis $\{1, i\}$. This ring of integers generated by the maximal order is isomorphic to the endomorphism ring, which is an abelian group under addition. Any algebraic integer in this abelian group can be written as a linear combination of the basis $1$ and $i$, $z = a(1) + b(i)$ with $a, b \in \mathbb{Z}$. Letting $a = 1$, $b = 1$ gives $z = 1 + i$, and letting $a = -1$, $b = 1$ gives $z = -1 + i$. Both elements are generated by the same generator $i$, and they belong to the same field $K = \mathbb{Q}(i)$.

From Lemma 3.1, we have the second and third endomorphisms in the second layer of decomposition as $\Phi_1^2 - 2\Phi_1 + 2 = 0$ and $\Phi_2^2 + 2\Phi_2 + 2 = 0$, where the endomorphism rings are isomorphic to $\operatorname{End}(E) = \mathbb{Z}[\Phi_1] \cong \mathbb{Z}[1 + i]$ and $\operatorname{End}(E) = \mathbb{Z}[\Phi_2] \cong \mathbb{Z}[-1 + i]$ respectively. The following theorem describes their respective mappings.

Theorem 3.1. Let $p \equiv 1 \pmod 4$ and $P = (x, y)$ be a point in $E(\mathbb{F}_p)$ with prime order $n$, where $E : y^2 = x^3 + Ax$. Define $\Phi_1^2 - 2\Phi_1 + 2 = 0$ and $\Phi_2^2 + 2\Phi_2 + 2 = 0$ as the second and third endomorphisms respectively. Then their mapping is given by
$$\Phi_{1,2}(x, y) = \left( \frac{x^2 + A}{\varepsilon_{1,2}^2\, x},\ y \left[ \frac{x^2 - A}{\varepsilon_{1,2}^3\, x^2} \right] \right)$$
where $\varepsilon_{1,2}$ are the roots of the minimal polynomials for the endomorphisms.

Proof. Since $E : y^2 = x^3 + Ax$, we have the torsion point $Q = (0, 0)$, a point of order two. By using Vélu's algorithm, see Galbraith (2012), we have
$$F(x, y) = x^3 + Ax - y^2 = 0, \qquad F_x = 3x^2 + A, \qquad F_y = -2y, \qquad u_Q = 0, \qquad v_Q = F_x(Q) = A.$$
Then the mapping for the isogeny is defined by $\varphi : (x, y) \mapsto (X, Y)$ where
$$X = x + \frac{v_Q}{x - x_Q} + \frac{u_Q}{(x - x_Q)^2} = x + \frac{A}{x} = \frac{x^2 + A}{x}$$
and
$$Y = y - u_Q \frac{2y + a_1 x + a_3}{(x - x_Q)^3} - v_Q \frac{a_1(x - x_Q) + y - y_Q}{(x - x_Q)^2} - \frac{a_1 u_Q - F_x(Q) F_y(Q)}{(x - x_Q)^2} = y - A\left( \frac{y}{x^2} \right) = y \left[ \frac{x^2 - A}{x^2} \right].$$
Then the map $\varphi : (x, y) \to (X, Y)$ is a separable isogeny from $E$ to
$$\tilde{E} : Y^2 + A_1 XY + A_3 Y = X^3 + A_2 X^2 + A_4 X + A_6$$
where $A_1 = a_1$, $A_2 = a_2$, $A_3 = a_3$, $A_4 = a_4 - 5v$, $A_6 = a_6 - (a_1^2 + 4a_2)v - 7w$. This implies $A_1 = 0$, $A_2 = 0$, $A_3 = 0$, $A_4 = a_4 - 5v = -4A$, $A_6 = 0$. Thus one has
$$\tilde{E} : y^2 = x^3 - 4Ax \qquad \text{and} \qquad \varphi(x, y) = \left( \frac{x^2 + A}{x},\ y\,\frac{x^2 - A}{x^2} \right)$$
as the isogeny $E_{1728} \to \tilde{E}_{1728}$.


Since $j(E) = j(\tilde{E})$, which preserves the structure of the curve, $E \cong \tilde{E}$. It is clear that the mapping from $E$ to $\tilde{E}$ satisfies the change of variables stated in Definition 2.1, where $u^4 = -4 = 4(-1)$, which implies $u^2 = 2\sqrt{-1}$, belonging to $\mathbb{Q}(\sqrt{-1})$. Thus $\varphi$ is applicable to define the endomorphism mapping over $\mathbb{Q}(\sqrt{-1})$.

Following the concept of the dual isogeny, there exists another isogeny from $\tilde{E}$ to $E$ that preserves the structure of the curves, where $(X, Y) = (u^2 x, u^3 y)$ for $u \in K^*$. Letting $u = \varepsilon_{1,2}$, the roots of the second and third endomorphisms, gives the mapping for the endomorphisms $\Phi_{1,2} : (x, y) \mapsto \left( \frac{X}{\varepsilon_{1,2}^2}, \frac{Y}{\varepsilon_{1,2}^3} \right)$ as
$$\Phi_{1,2}(x, y) = \left( \frac{x^2 + A}{\varepsilon_{1,2}^2\, x},\ \frac{y}{\varepsilon_{1,2}^3} \left[ \frac{x^2 - A}{x^2} \right] \right)$$
where $\varepsilon_1 \equiv 1 + i \pmod p$ and $\varepsilon_2 \equiv -1 + i \pmod p$.
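The maps of Proposition 3.1 and Theorem 3.1 checked numerically on a small constructed curve, as an added example that is not part of the paper: it takes the toy values p = 13 and A = 1 (chosen here; the prime-order subgroup then has n = 5), finds i with i² ≡ −1 (mod p), applies Φ with β = i, Φ₁ with ε₁ = 1 + i and Φ₂ with ε₂ = −1 + i to a point P of order n, and recovers the scalars λ, λ₁, λ₂ each map acts by, confirming λ² + 1 ≡ 0, λ₁² − 2λ₁ + 2 ≡ 0 and λ₂² + 2λ₂ + 2 ≡ 0 (mod n). The affine point arithmetic and brute-force point counting are helper code written for this example, not taken from the paper.

```python
def root_of_minus_one(p):
    """Smallest i in F_p with i^2 + 1 = 0 (exists because p = 1 mod 4)."""
    for b in range(2, p):
        if (b * b + 1) % p == 0:
            return b
    raise ValueError("p must be 1 mod 4")

def on_curve(P, p, A):
    """Membership test for E: y^2 = x^3 + A x over F_p (None is the point O)."""
    return P is None or (P[1] ** 2 - P[0] ** 3 - A * P[0]) % p == 0

def ec_add(P, Q, p, A):
    """Affine chord-and-tangent addition on y^2 = x^3 + A x."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p, A):
    """Plain double-and-add: k P for k >= 0."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, p, A)
        P, k = ec_add(P, P, p, A), k >> 1
    return R

def curve_order(p, A):
    """Brute-force #E(F_p); fine for the toy prime used here."""
    sqrt_count = {}
    for y in range(p):
        sqrt_count[y * y % p] = sqrt_count.get(y * y % p, 0) + 1
    return 1 + sum(sqrt_count.get((x ** 3 + A * x) % p, 0) for x in range(p))

def prime_order_point(p, A):
    """First point P of prime order n, n = largest prime factor of #E, h = #E/n."""
    N = curve_order(p, A)
    n = max(q for q in range(2, N + 1) if N % q == 0
            and all(q % d for d in range(2, int(q ** 0.5) + 1)))
    for x in range(1, p):
        for y in range(1, p):
            if (y * y - x ** 3 - A * x) % p == 0:
                P = ec_mul(N // n, (x, y), p, A)     # clear the cofactor h
                if P is not None:
                    return P, n
    raise RuntimeError("no point of order n found")

def phi(P, p, beta):
    """First endomorphism (Proposition 3.1): (x, y) -> (-x, beta y), beta^2 = -1."""
    return None if P is None else ((-P[0]) % p, beta * P[1] % p)

def phi12(P, p, A, eps):
    """Second/third endomorphism (Theorem 3.1) with eps = 1 + i or -1 + i:
    (x, y) -> ((x^2 + A) / (eps^2 x), y (x^2 - A) / (eps^3 x^2))."""
    if P is None:
        return None
    x, y = P
    X = (x * x + A) * pow(eps ** 2 * x, -1, p) % p
    Y = y * (x * x - A) * pow(eps ** 3 * x * x, -1, p) % p
    return (X, Y)

def eigenvalue(image, P, n, p, A):
    """The scalar lam in [1, n) with image = lam P; <P> is cyclic of prime order n."""
    for lam in range(1, n):
        if ec_mul(lam, P, p, A) == image:
            return lam
    raise RuntimeError("image is not a multiple of P")

def check_endomorphisms(p, A):
    """Apply Phi, Phi_1, Phi_2 to a prime-order point, recover the scalars
    lambda, lambda_1, lambda_2 they act by, and test each minimal polynomial mod n."""
    i = root_of_minus_one(p)                      # i^2 = -1 in F_p; we take beta = i
    P, n = prime_order_point(p, A)
    images = {"Phi": phi(P, p, i),                # Phi^2 + 1 = 0
              "Phi_1": phi12(P, p, A, (1 + i) % p),    # eps_1 = 1 + i
              "Phi_2": phi12(P, p, A, (-1 + i) % p)}   # eps_2 = -1 + i
    assert all(on_curve(Q, p, A) for Q in images.values())
    lam, lam1, lam2 = (eigenvalue(images[k], P, n, p, A) for k in ("Phi", "Phi_1", "Phi_2"))
    return {"n": n, "P": P, "lambda": lam, "lambda_1": lam1, "lambda_2": lam2,
            "Phi_ok": (lam * lam + 1) % n == 0,                 # lambda^2 + 1 = 0
            "Phi_1_ok": (lam1 * lam1 - 2 * lam1 + 2) % n == 0,  # lambda_1^2 - 2 lambda_1 + 2 = 0
            "Phi_2_ok": (lam2 * lam2 + 2 * lam2 + 2) % n == 0}  # lambda_2^2 + 2 lambda_2 + 2 = 0

if __name__ == "__main__":
    print(check_endomorphisms(13, 1))   # constructed toy parameters p = 13, A = 1
```

With p = 13 and A = 1 the curve has 20 points, P = (4, 4) has order 5, and the scalars come out as λ = 3, λ₁ = 4 = 1 + λ and λ₂ = 2 = −1 + λ, matching ε₁ = 1 + i and ε₂ = −1 + i.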

Different endomorphisms will result in different lower and upper bounds. The following theorem explains the bounds for the mini scalars in the ISD method using the endomorphisms defined earlier.

Theorem 3.2. Let $E_{1728} : y^2 = x^3 + Ax$ be defined over $\mathbb{F}_p$ such that $p \equiv 1 \pmod 4$. There exists a point $P \in E_{1728}(\mathbb{F}_p)$ with prime order $n$. Suppose that $kP = k_1 P + k_2 \Phi(P)$ is the first layer of decomposition in the ISD method, such that $\Phi^2 + 1 = 0$. Then the lower bound for $k_1, k_2$ is given as $\max(|k_1|, |k_2|) \ge \sqrt{2}\sqrt{n}$. And suppose that $k_1 P = k_{1,1} P + k_{1,2} \Phi_1(P)$ and $k_2 P = k_{2,1} P + k_{2,2} \Phi_2(P)$ is the second decomposition layer of ISD, where $\Phi_1^2 - 2\Phi_1 + 2 = 0$ and $\Phi_2^2 + 2\Phi_2 + 2 = 0$. Then the upper bound for $k_{1,1}, k_{1,2}, k_{2,1}, k_{2,2}$ is given by $\max(|k_{1,1}|, |k_{1,2}|, |k_{2,1}|, |k_{2,2}|) < \sqrt{5}\sqrt{n}$.

Proof. Let $\lambda$ and $\mu$ be the roots of $\Phi^2 + r'\Phi + s' \equiv 0 \pmod n$. Define the transformation $T$ as $T : (x_1, x_2) \mapsto x_1 + x_2 \lambda \pmod n$ and $T : (x_1, x_2) \mapsto x_1 + x_2 \mu \pmod n$. For any point $P \in \operatorname{Ker}(T) \setminus \{0\}$, one has
$$0 \equiv (x + \lambda y)(x + \mu y) \equiv x^2 + (\lambda + \mu)xy + (\lambda\mu)y^2.$$
As the minimal polynomial for the first endomorphism is a polynomial of degree two, and any polynomial of degree two satisfies $\Phi^2 - (\text{sum of roots})\Phi + (\text{product of roots}) = 0$, where the sum of roots is $\lambda + \mu = -r'$ and the product of roots is $\lambda\mu = s'$, we have $0 \equiv x^2 + (-r')xy + s'y^2 \pmod n$. Since $\Phi^2 + r'\Phi + s' = 0$ is irreducible in $\mathbb{Z}[\Phi]$, then $x^2 + (-r')xy + s'y^2 \ge n$. This implies
$$n \le x^2 + (-r')xy + s'y^2 \le x^2 + |{-r'}|\,xy + s'y^2 \le \max\{ x^2 + |{-r'}|\,x^2 + s'x^2,\ y^2 + |{-r'}|\,y^2 + s'y^2 \} \le [1 + |{-r'}| + s']\max\{x^2, y^2\}.$$
Then $\max\{x^2, y^2\} \ge \frac{n}{1 + |{-r'}| + s'}$, which implies $\max\{x, y\} \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$. Hence, one has $|v_1| \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$ where $|v_1| = |(r_{m+1}, -t_{m+1})|$, so either $r_{m+1} \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$ or $|t_{m+1}| \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$. This can be divided into two cases:

1. $r_{m+1} \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$. From Lemma 1 in Gallant et al. (2001), $r_{m+1}|t_{m+2}| + r_{m+2}|t_{m+1}| = n$ implies $r_{m+1}|t_{m+2}| < n$ and $r_{m+2}|t_{m+1}| < n$. Since $r_{m+1} \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$, then $|t_{m+2}| < \sqrt{n}\sqrt{1 + |{-r'}| + s'}$ and thus $|v_2| = |(r_{m+2}, -t_{m+2})| < \sqrt{[1 + |{-r'}| + s']\,n}$.

2. $|t_{m+1}| \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$. From Lemma 1 in Gallant et al. (2001), $r_m|t_{m+1}| + r_{m+1}|t_m| = n$ implies $r_m|t_{m+1}| < n$ and $r_{m+2}|t_{m+1}| < n$. Since $|t_{m+1}| \ge \sqrt{\frac{n}{1 + |{-r'}| + s'}}$, then $r_m < \sqrt{n}\sqrt{1 + |{-r'}| + s'}$ and thus $|v_2| = |(r_m, -t_m)| < \sqrt{[1 + |{-r'}| + s']\,n}$.

The upper bound for $k_1$ and $k_2$ depends on the upper bound for the generator vectors, where the upper bound for $k_1$ and $k_2$ in the GLV method is given as $\max\{|k_1|, |k_2|\} < \sqrt{[1 + |{-r'}| + s']\,n}$. Since the first endomorphism is defined as $\Phi^2 + 1 = 0$, with $r' = 0$ and $s' = 1$, this implies $\max\{|k_1|, |k_2|\} < \sqrt{2n}$ as the upper bound for the GLV method. Thus, the lower bound for the ISD method is given by $\min\{|k_1|, |k_2|\} \ge \sqrt{2n}$. By the same approach, the upper bound for the sub-decomposed scalars using the second and third endomorphisms is given as $\max(|k_{1,1}|, |k_{1,2}|, |k_{2,1}|, |k_{2,2}|) < \sqrt{5}\sqrt{n}$.

Next, we discuss the operation counts for the efficiently computable endomorphisms defined on elliptic curves with j-invariant 1728. The first endomorphism is defined by $\Phi^2 + 1 = 0$ and maps $\Phi : (x, y) \mapsto (-x, \beta y)$. It suffices to note that $\Phi(P)$ requires one multiplication. The following theorem explains the operation counts for the endomorphism mappings defined in the second layer of decomposition.

Theorem 3.3. Let $p \equiv 1 \pmod 4$ and $P \in E(\mathbb{F}_p)$ be a prime order point, where $E : y^2 = x^3 + Ax$. Given the second and third endomorphisms' mapping as
$$\lambda_{1,2} P = \left( \frac{x^2 + A}{\varepsilon_{1,2}^2\, x},\ y \left[ \frac{x^2 - A}{\varepsilon_{1,2}^3\, x^2} \right] \right),$$
such that $\lambda_1, \lambda_2$ and $\varepsilon_1, \varepsilon_2$ are the roots of the minimal polynomials for the second and third endomorphisms modulo $n$ and $p$ respectively. Then the cost of computing $\Phi_{1,2} P$ consists of one multiplication, one squaring and two inversion operations.

Proof. The second and third endomorphisms are defined by $\Phi_1^2 - 2\Phi_1 + 2 = 0$ and $\Phi_2^2 + 2\Phi_2 + 2 = 0$ respectively. The operation counts involved in the mapping are given in the table below:

| Multiplication | Squaring | Inversion |
|---|---|---|
| $y \cdot \left[ \frac{x^2 - A}{\varepsilon_{1,2}^3\, x^2} \right]$ | $x^2$ | $\frac{x^2 + A}{\varepsilon_{1,2}^2\, x}$ and $\frac{x^2 - A}{\varepsilon_{1,2}^3\, x^2}$ |
| 1M | 1S | 2I |

4. Conclusion

We extended the original ISD method to the imaginary quadratic field so that it is applicable to elliptic curves with j-invariant 1728. Elliptic curves with j-invariant 1728 are defined over a unique imaginary quadratic field, $K = \mathbb{Q}(i)$, with discriminant $D = -4$. We constructed the endomorphisms needed to carry out the ISD method on these curves. All these endomorphisms are defined over the same imaginary quadratic field as the curve itself. The first endomorphism is given as $\Phi^2 + 1 = 0$, where its ring is isomorphic to the largest ring of integers defined in this field, $\mathbb{Z}[i]$. Its mapping requires only one multiplication. We choose the second and third endomorphisms as $\Phi_1^2 - 2\Phi_1 + 2 = 0$ and $\Phi_2^2 + 2\Phi_2 + 2 = 0$, where their endomorphism rings are isomorphic to subrings of $\mathbb{Z}[i]$. The cost of computing the second and third endomorphism mappings is one multiplication, one squaring and two inversions, regardless of how large the field might be. Instead of using repeated doublings and additions, the existence of efficiently computable endomorphisms will reduce the cost of computing the scalar multiplication $kP$.

References

Ajeena, R. and Kamarulhaili, H. (2013). Analysis on the elliptic scalar multiplication using integer sub decomposition method. International Journal of Pure and Applied Mathematics, 87(1):95–114.

Ajeena, R. and Kamarulhaili, H. (2014). GLV-ISD method for scalar multiplication on elliptic curves. Australian Journal of Basic and Applied Sciences, 8(15):1–14.

Ajeena, R. and Kamarulhaili, H. (2015). On the distribution of scalar k for elliptic scalar multiplication. AIP Conf. Proc. / Journal of Applied Mathematics and Information Sciences, 1682(020052):1–9.

Cohen, H. (1996). A Course in Computational Algebraic Number Theory. Springer-Verlag, Berlin, Heidelberg, London.

Galbraith, S. (2012). Mathematics of Public Key Cryptography. Cambridge University Press, UK.

Gallant, R., Lambert, R., and Vanstone, S. (2001). Faster point multiplication on elliptic curves with efficient endomorphisms. CRYPTO 2001, Advances in Cryptology, 2139:190–200.

Park, Y., Jeong, S., Kim, C., and Lim, J. (2002). An alternative decomposition of an integer for faster point multiplication on certain elliptic curves. PKC, LNCS, 2274:323–334.

Ribenboim, P. (2001). Classical Theory of Algebraic Numbers. Springer-Verlag, New York, Berlin, Heidelberg.

Sica, R., Ciet, M., and Quisquater, J.-J. (2002). Analysis of the Gallant-Lambert-Vanstone method based on efficient endomorphisms: Elliptic and hyperelliptic curves. SAC 2002, Selected Areas in Cryptography, 9th Annual International Workshop, 2595:21–36.

Washington, L. C. (2008). Elliptic Curves: Number Theory and Cryptography. CRC Press, London, New York, 2nd edition.


Malaysian Journal of Mathematical Sciences 13(S) August: 77–91 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

An Innovative Bicartisian Algebra for Designing of Highly Performed NTRU Like Cryptosystem

Yassein, H.R.*1 and Al-Saidi, N.M.G.2

1 Department of Mathematics, College of Education, University of Al-Qadisiyah, Iraq
2 Department of Applied Sciences, University of Technology, Iraq

E-mail: [email protected] (*Corresponding author)

ABSTRACT

With the rapid development of quantum computers, highly secure cryptographic systems are in great demand. NTRU has proved to be a well-performing and secure public key system for such developing technology because it is a lattice-based cryptosystem. Therefore, designing a finite field with high complexity and good resistance against linear algebra attacks is the primary objective in developing highly secure NTRU-like systems. In this paper, we construct a new algebraic structure to replace the classical NTRU polynomial ring; we call it bicartesian algebra. It is designed to be commutative and associative in order to generate BCTRU, an innovative high dimensional NTRU variant cryptosystem. Its probability of successful decryption is demonstrated. BCTRU exhibits appropriate security levels due to its ability to withstand some public attacks on such types of public key systems.

Keywords: NTRU, BCTRU, bicartesian algebra, security analysis.


1. Introduction

Cryptographic systems with a high security level and low implementation cost have gained great attention because they offer excellent security for the new network security era. Nowadays, NTRU is considered one of the most widely used cryptosystems. It gained its popularity due to its efficient computational speed and low cost. Moreover, at the same security level, NTRU exceeds the classical cryptosystems by more than two orders of magnitude (An et al., 2018).

Most modern cryptographic techniques are based on arithmetic operations defined on commutative algebraic structures, which are nowadays considered weak due to the fast increase in the computing power of new computer devices. The developments in cryptosystems started from the use of symmetric cryptography, such as stream ciphers, and asymmetric cryptosystems such as RSA (Rivest et al., 1978). An alternative fast public key system is a challenge and in great demand. In 1996, at the Crypto '96 conference, three mathematicians (Hoffstein et al., 1998) introduced a new field of research called non-commutative algebraic cryptography through the introduction of the NTRU (Number Theory Research Unit) cryptosystem.

They aimed to develop a cryptographic technique based on non-commutative algebraic structures. It was generalized by many researchers through the development of its algebraic structure. Some of those developed protocols, based on different Euclidean rings, free modules and algebras beyond $\mathbb{Z}$, are as follows. The basic collection of objects used by the NTRU public key cryptosystem lies in a truncated polynomial ring of degree $N - 1$ with integer coefficients, namely $\mathbb{Z}[x]/(x^N - 1)$. NTRU is the first public key cryptosystem that does not depend on the factorization and discrete log problems. Compared with the RSA and ECC cryptosystems, NTRU is faster and exhibits significantly smaller keys (Rivest et al., 1978, Schoof, 1985).

A variant based on the polynomial ring over $\mathbb{F}_2[x]$ was proposed by Gaborit et al. (2002). They constructed CTRU, which is an NTRU variant cryptosystem. Matrices of polynomials of size $k \times k$ in $\mathbb{Z}[x]/(x^N - 1)$ were proposed by Coglianese and Goi (2005). This NTRU analog is called MaTRU.

Suri and Puri (2007) presented the concept of crossbred technology using a symmetric key as a stream cipher for encryption and decryption. The NTRU public key cryptosystem was used to send the secret key. Accordingly, the study doubled the security, thereby avoiding brute force attacks, because the attacker first needs to find the secret key that was encrypted through public key cryptography. In the same year, Malekian and Zakerolhosseini (2010) used the actual performance results of NTRU with respect to current asymmetric cryptosystems.

Atici et al. (2008) presented a low-power and compact NTRU design that was suitable for security applications such as RFID and sensor nodes. Their design involved two architectures, namely one that can perform both encryption and decryption and another for encryption only. The researchers compared the design with the original NTRU and found that the new design saves a factor of more than two. This design improved the speed of NTRU.

Other NTRU variant cryptosystems were proposed by Malekian et al. in 2009 and 2010 respectively (Malekian and Zakerolhosseini, 2010, Malekian et al., 2009). They rely in the design of their cryptosystems on quaternion algebra and octonion algebra respectively. In the same period, Vats (2009) introduced an NTRU variant which operates in the non-commutative ring M = M_k(Z)[x]/(x^N − I_{k×k}), where M is the matrix ring of k × k matrices of polynomials in Z[x]/(x^N − 1).

Another generalized framework was proposed by Pan and Deng (2011). They used the hiding-the-trapdoor technique, which led to the design of a new lattice-based cryptosystem that helps to solve the closest vector problem.

Kumar et al. introduced complex problems into the existing implementation; efficiency could be achieved through a reduced implementation of polynomial multiplication and inverse computation.

A new ring of the cube roots of unity, called the Eisenstein ring Z[w], is used to construct a new framework for NTRU called ETRU, which was proposed by Jarvis and Nevins (2015). CQTRU is another NTRU variant cryptosystem, proposed by Alsaidi et al. (2015). In Thakur and Tripathi (2016), Thakur and Tripathi utilized the rational field to construct a ring of polynomials in one variable over this field, which is used to introduce a new NTRU alternative cryptosystem called BTRU. After that, Yassein and Al-Saidi constructed several high dimens
ional algebras and utilized them in proposing different NTRU analog cryptosystems, presented in Al-Saidi and Yassein (2017), Alsaidi and Yassein (2016), Yassein and Al-Saidi (2016, 2017).

Atani et al. (2018) improved CTRU by replacing the ring of polynomials Z[x]/(x^N − 1) by the finite field Z_p; it operates over the ring M = M_k(Z_p)[T, x]/(x^N − I_{k×k}), where M is the matrix ring of k × k matrices.


In this paper, a new algebra is constructed, which we call bicartesian algebra. It is used to construct BCTRU, a new NTRU-like cryptosystem. It is also a multidimensional public key system, because it produces two public keys. This results in increasing the security of the proposed cryptosystem. Compared with its variants with the same structures, BCTRU has the ability to encrypt four messages sent by a single origin or four independent messages sent by four different sources. With this important property, the proposed system will be considered an ultimately fast new public key cryptosystem that is a best fit for many applications with limited resources, for example smart cards, cellular phones and many others.

This study is organized as follows. Section 2 introduces a new algebra called bicartesian algebra. This innovative algebra is used to design the BCTRU cryptosystem, which is described in Section 3. The probability of successful decryption of BCTRU is discussed in Section 4, and its security analysis is discussed in Section 5. Finally, Section 6 is dedicated to the most important conclusions.

2. Bicartesian Algebra

The bicartesian algebra is defined by utilizing the same parameters N, p and q used in NTRU, taking into consideration that the integer constants d_f, d_g, d_m and d_φ should be less than N. Also, the truncated polynomial ring is defined as K = Z[x]/(x^N − 1) with degree N − 1. We define a new algebra as follows. The bicartesian algebra is introduced in this section as a vector space of dimension two over the field F. Let BC = {(a, b)(1, 1) + (c, d)(k, 1) | a, b, c, d ∈ F, k^2 = 1}, where (1,1), (k,1) form the basis of this algebra. The operations on this space are defined as follows. Let x, y ∈ BC, such that x = (a, b)(1, 1) + (c, d)(k, 1) and y = (a_1, b_1)(1, 1) + (c_1, d_1)(k, 1); the addition is then defined by

x + y = (a + a_1, b + b_1)(1, 1) + (c + c_1, d + d_1)(k, 1).

The multiplication x ∗ y can be determined using Table 1 as follows:

x ∗ y = (aa_1 + cc_1, bb_1 + dd_1)(1, 1) + (ac_1 + ca_1, bd_1 + db_1)(k, 1)

Table 1

   ∗    | (1,1) | (k,1)
  (1,1) | (1,1) | (k,1)
  (k,1) | (k,1) | (1,1)


For any scalar α, the scalar multiplication is defined by αx = (αa, αb). It is clear that the multiplication is commutative and associative. We now consider the truncated polynomial rings K(x) = Z[x]/(x^N − 1), K_p(x) = (Z/pZ)[x]/(x^N − 1) and K_q(x) = (Z/qZ)[x]/(x^N − 1) and define three bicartesian algebras ψ, ψ_p and ψ_q as follows:

ψ = {(f_0, f_1)(1, 1) + (f_2, f_3)(k, 1) | f_0, f_1, f_2, f_3 ∈ K},

ψ_p = {(f_0, f_1)(1, 1) + (f_2, f_3)(k, 1) | f_0, f_1, f_2, f_3 ∈ K_p},

ψ_q = {(f_0, f_1)(1, 1) + (f_2, f_3)(k, 1) | f_0, f_1, f_2, f_3 ∈ K_q}.

The parameters N, p and q are fixed similarly to the NTRU parameters. The constants d_f, d_g, d_φ and d_m are defined with a similar role as in NTRU.

Let F and G ∈ ψp or ψq , such that:

F = (f0, f1)(1, 1) + (f2, f3)(k, 1)

G = (g0, g1)(1, 1) + (g2, g3)(k, 1)

where f0, f1, f2, f3 and g0 , g1, g2, g3 ∈ ψp or ψq.

The addition of F and G is performed by adding the corresponding coefficients mod p or mod q, such that

F +G = (f0 + g0, f1 + g1) (1, 1) + (f2 + g2, f3 + g3)(k, 1)

The multiplication of F and G is defined as follows:

F ∗G = (f0g0 + f2g2, f1g1 + f3g3) (1, 1) + (f0g2 + f2g0, f1g3 + f3g1) (k, 1)

The multiplicative inverse of any nonzero element F in BC is given by:

$$F^{-1} = \big((f_0^2 - f_2^2)^{-1} f_0,\ (f_2^2 - f_0^2)^{-1} f_2\big)(1, 1) + \big((f_1^2 - f_3^2)^{-1} f_1,\ (f_3^2 - f_1^2)^{-1} f_3\big)(k, 1).$$

3. BCTRU Cryptosystem

Similar to NTRU, the BCTRU cryptosystem is constructed based on the same parameters: a prime number N, and two relatively prime numbers p and q, in which q is much larger than p. The four main subsets that NTRU and any NTRU variant cryptosystem depend on are defined as follows:

Definition 1: The subsets L_F, L_G, L_φ and L_M ⊂ Ψ are called the subsets of BCTRU, and these subsets are defined as follows:

L_F = {(f_0, f_1)(1, 1) + (f_2, f_3)(k, 1) ∈ K | f_i has d_f coefficients equal to +1, (d_f − 1) coefficients equal to −1, and the rest are 0}

L_G = {(g_0, g_1)(1, 1) + (g_2, g_3)(k, 1) ∈ K | g_i has d_g coefficients equal to +1, d_g coefficients equal to −1, and the rest are 0}

L_φ = {(φ_0, φ_1)(1, 1) + (φ_2, φ_3)(k, 1) ∈ K | φ_i has d_φ coefficients equal to +1, d_φ coefficients equal to −1, and the rest are 0}

L_M = {(m_0, m_1)(1, 1) + (m_2, m_3)(k, 1) ∈ K | the coefficients of m_i are chosen modulo p between −p/2 and p/2}

d_f, d_g and d_φ are also constant parameters, similar to those defined in NTRU. The main parts of the BCTRU cryptosystem are:

A. KEY GENERATION

In this phase, the sender is able to generate the public key by choosing F and U randomly from the set L_F and G randomly from the set L_G such that

F = (f_0, f_1)(1, 1) + (f_2, f_3)(k, 1), G = (g_0, g_1)(1, 1) + (g_2, g_3)(k, 1) and U = (u_0, u_1)(1, 1) + (u_2, u_3)(k, 1).

Given that F must have multiplicative inverses modulo p and q, referred to as F_p^{-1} and F_q^{-1} respectively, and U must have a multiplicative inverse modulo p, referred to as U_p^{-1}, the public keys are given by:

H = F_q^{-1} G mod (q), K = U F_q^{-1} mod (q),

where F, G and U are the private keys. BCTRU key generation needs sixteen convolution multiplications and eight polynomial additions.

B. ENCRYPTION

Before the encryption process, the message M should be expressed by the elements of the bicartesian algebra as:


M = (m0,m1)(1, 1) + (m2,m3)(k, 1).

We choose φ ∈ L_φ, called the blinding value, to encrypt the message M ∈ L_M:

E = pH ∗ φ+M ∗ K (mod q)

BCTRU encryption needs sixteen convolution multiplications and eight polynomial additions. Therefore, the speed of key generation is faster than that of encryption.

C. DECRYPTION

After receiving E, it is multiplied by F from both the left and right sides; then

$$A = F * E * F \pmod q = F * (pH * \phi + M * K) * F \pmod q$$
$$= pF * H * \phi * F + F * M * K * F \pmod q$$
$$= pF * F_q^{-1} * G * \phi * F + F * M * U * F_q^{-1} * F \pmod q$$
$$= pG * \phi * F + F * M * U \pmod q.$$

Let B = A (mod p) = pG ∗ φ ∗ F + F ∗ M ∗ U (mod p). Since the first term is equal to zero modulo p (because it contains p), then

B = F ∗ M ∗ U (mod p), F_p^{-1} ∗ B ∗ U_p^{-1} = M (mod p),

and the resulting coefficients are adjusted to lie in the interval [−p/2, p/2].

BCTRU decryption needs thirty-two convolution multiplications and twelve polynomial additions. As a result, the speed of encryption is more than twice as fast as that of decryption.
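The key generation, encryption and decryption steps above, together with the bicartesian multiplication table and inverse formula of Section 2, as an added worked example (Python written for this edition, not the paper's own code). It assumes constructed toy parameters N = 7, p = 3, q = 521 (q prime, so inverses in K_q come from the extended Euclidean algorithm) and draws f_2, f_3, u_2, u_3 with balanced signs: with the L_F weights for every f_i, f_0 − f_2 vanishes at x = 1 and the inverse formula cannot be applied, so balancing them is an assumption of this example.

```python
"""Toy BCTRU round trip over the bicartesian algebra (constructed example, not the paper's code)."""
import random
N, P, Q, D = 7, 3, 521, 2   # constructed toy parameters; Q prime so K_q inverses use extended Euclid

def padd(a, b, m, sign=1):
    """a + sign*b coefficient-wise mod m (sign=-1 subtracts)."""
    return [(x + sign * y) % m for x, y in zip(a, b)]

def pmul(a, b, m):
    """Convolution product in Z_m[x]/(x^N - 1); inputs may have any length."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + x * y) % m
    return out

def centre(a, m):
    """Reduce mod m, then lift to the symmetric range [-(m-1)/2, (m-1)/2] (m odd)."""
    return [c - m if c > m // 2 else c for c in (t % m for t in a)]

def _deg(a):
    return max((i for i, c in enumerate(a) if c), default=-1)

def _divmod(a, b, m):
    """Long division in Z_m[x] (m prime): returns (quotient, remainder)."""
    a, db = a[:], _deg(b)
    inv_lead, quo = pow(b[db], -1, m), [0] * len(a)
    while _deg(a) >= db:
        da = _deg(a)
        coef = quo[da - db] = a[da] * inv_lead % m
        for i in range(db + 1):
            a[da - db + i] = (a[da - db + i] - coef * b[i]) % m
    return quo, a

def pinv(a, m):
    """Inverse of a in Z_m[x]/(x^N - 1) by extended Euclid (m prime); None if a is not a unit."""
    r0, r1 = [m - 1] + [0] * (N - 1) + [1], [t % m for t in a] + [0]   # x^N - 1 and a
    s0, s1 = [0] * N, [1] + [0] * (N - 1)                              # invariant: s_i * a == r_i
    while _deg(r1) > 0:
        quo, rem = _divmod(r0, r1, m)
        r0, r1, s0, s1 = r1, rem, s1, padd(s0, pmul(quo, s1, m), m, -1)
    if _deg(r1) != 0:
        return None                     # gcd with x^N - 1 has positive degree: not a unit
    c = pow(r1[0], -1, m)
    return [x * c % m for x in s1]

def bc_mul(x, y, m):
    """x*y for x = (a,b)(1,1) + (c,d)(k,1) stored as (a, b, c, d), following the paper's Table 1."""
    (a, b, c, d), (a1, b1, c1, d1) = x, y
    return (padd(pmul(a, a1, m), pmul(c, c1, m), m), padd(pmul(b, b1, m), pmul(d, d1, m), m),
            padd(pmul(a, c1, m), pmul(c, a1, m), m), padd(pmul(b, d1, m), pmul(d, b1, m), m))

def bc_inv(x, m):
    """The paper's inverse: ((f0^2-f2^2)^-1 f0, (f1^2-f3^2)^-1 f1)(1,1) + ((f2^2-f0^2)^-1 f2, ...)(k,1)."""
    a, b, c, d = x
    e0 = pinv(padd(pmul(a, a, m), pmul(c, c, m), m, -1), m)
    e1 = pinv(padd(pmul(b, b, m), pmul(d, d, m), m, -1), m)
    if e0 is None or e1 is None:
        return None
    return (pmul(e0, a, m), pmul(e1, b, m), pmul(e0, [-t for t in c], m), pmul(e1, [-t for t in d], m))

def ternary(plus, minus, rng):
    """Random polynomial with `plus` coefficients +1, `minus` coefficients -1 and the rest 0."""
    idx = rng.sample(range(N), plus + minus)
    return [1 if i in idx[:plus] else -1 if i in idx else 0 for i in range(N)]

def sample_f(rng):
    """f0, f1 as in L_F (D ones, D-1 minus-ones); f2, f3 balanced (assumption, see lead-in)."""
    return tuple(ternary(D, D - 1 if i < 2 else D, rng) for i in range(4))

def keygen(rng):
    """Private key (F, U, F_p^-1, U_p^-1) and public key (H, K) = (F_q^-1 G, U F_q^-1) mod q."""
    while True:
        F, U = sample_f(rng), sample_f(rng)
        G = tuple(ternary(D, D, rng) for _ in range(4))             # G in L_G
        Fp, Fq, Up = bc_inv(F, P), bc_inv(F, Q), bc_inv(U, P)
        if Fp and Fq and Up:                                         # resample until the inverses exist
            return (F, U, Fp, Up), (bc_mul(Fq, G, Q), bc_mul(U, Fq, Q))

def encrypt(pub, M, rng):
    """E = p H*phi + M*K (mod q) with a fresh blinding value phi from L_phi."""
    H, K = pub
    phi = tuple(ternary(D, D, rng) for _ in range(4))
    pH = tuple([P * t for t in comp] for comp in H)
    return tuple(padd(u, v, Q) for u, v in zip(bc_mul(pH, phi, Q), bc_mul(M, K, Q)))

def decrypt(priv, E):
    """A = F*E*F (mod q), centred so it equals p G*phi*F + F*M*U over Z; then M = F_p^-1 A U_p^-1 (mod p)."""
    F, U, Fp, Up = priv
    A = tuple(centre(c, Q) for c in bc_mul(bc_mul(F, E, Q), F, Q))
    return tuple(centre(c, P) for c in bc_mul(bc_mul(Fp, A, P), Up, P))   # bc_mul reduces A mod p

def round_trip(seed):
    """Encrypt four random messages (coefficients in [-p/2, p/2]) and report whether they decrypt."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    M = tuple([rng.randrange(-(P // 2), P // 2 + 1) for _ in range(N)] for _ in range(4))
    return decrypt(priv, encrypt(pub, M, rng)) == M
```

round_trip(seed) returns True when all four messages decrypt; with these parameters every coefficient of pG ∗ φ ∗ F + F ∗ M ∗ U is at most 256 in absolute value, so the centred reduction modulo 521 recovers it exactly.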

4. Probability of Successful Decryption

The successful decryption of BCTRU depends on the probability that all coefficients of A = pG ∗ φ ∗ F + F ∗ M ∗ U belong to the interval $[\frac{-q+1}{2}, \frac{q-1}{2}]$, which is calculated in the following theorem:

Theorem 4.1.

$$\Pr\Big(|A_{j,\tau}| \le \frac{q-1}{2}\Big) = 2\,\mathcal{N}\left(\frac{\frac{q-1}{2}}{\sqrt{\frac{32p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}}}\right),$$

where $\mathcal{N}$ denotes the normal distribution, and j, τ = 0, 1, 2, 3.

Proof. To compute this probability, A should be written in BCTRU form, such that

$$A = pG * \phi * F + F * M * U = (A_0, A_1)(1, 1) + (A_2, A_3)(k, 1),$$
$$F = (f_0, f_1)(1, 1) + (f_2, f_3)(k, 1),\qquad G = (g_0, g_1)(1, 1) + (g_2, g_3)(k, 1),$$
$$U = (u_0, u_1)(1, 1) + (u_2, u_3)(k, 1),\qquad \phi = (\phi_0, \phi_1)(1, 1) + (\phi_2, \phi_3)(k, 1),$$
$$M = (m_0, m_1)(1, 1) + (m_2, m_3)(k, 1),$$

where A_0, A_1, A_2, A_3, f_0, f_1, f_2, f_3, g_0, g_1, g_2, g_3, u_0, u_1, u_2, u_3, φ_0, φ_1, φ_2, φ_3, m_0, m_1, m_2, m_3 are polynomials of degree N with

$$A_0 = p(g_0\phi_0 f_0 + g_0\phi_2 f_2 + g_2\phi_0 f_2 + g_2\phi_2 f_0) + (f_0 m_0 u_0 + f_0 m_2 u_2 + f_2 m_0 u_2 + f_2 m_2 u_0) = [A_{0,0}, A_{0,1}, A_{0,2}, \ldots, A_{0,N-1}],$$
$$A_1 = p(g_1\phi_1 f_1 + g_1\phi_3 f_3 + g_3\phi_1 f_3 + g_3\phi_3 f_1) + (f_1 m_1 u_1 + f_1 m_3 u_3 + f_3 m_1 u_3 + f_3 m_3 u_1) = [A_{1,0}, A_{1,1}, A_{1,2}, \ldots, A_{1,N-1}],$$
$$A_2 = p(g_0\phi_0 f_2 + g_0\phi_2 f_0 + g_2\phi_2 f_0 + g_2\phi_2 f_2) + (f_0 m_0 u_0 + f_0 m_2 u_0 + f_2 m_2 u_0 + f_2 m_2 u_2) = [A_{2,0}, A_{2,1}, A_{2,2}, \ldots, A_{2,N-1}],$$
$$A_3 = p(g_1\phi_1 f_3 + g_1\phi_3 f_1 + g_3\phi_1 f_1 + g_3\phi_3 f_3) + (f_1 m_1 u_1 + f_1 m_3 u_1 + f_3 m_1 u_1 + f_3 m_3 u_3) = [A_{3,0}, A_{3,1}, A_{3,2}, \ldots, A_{3,N-1}].$$

Based on the definition of L_F, L_M and L_φ, the following is obtained:

$$f_j = [f_{j,0}, f_{j,1}, f_{j,2}, \ldots, f_{j,N-1}],\quad g_j = [g_{j,0}, g_{j,1}, g_{j,2}, \ldots, g_{j,N-1}],\quad \phi_j = [\phi_{j,0}, \phi_{j,1}, \phi_{j,2}, \ldots, \phi_{j,N-1}],$$

$$\Pr(f_{j,k} = 1) = \frac{d_f}{N},\quad \Pr(f_{j,k} = -1) = \frac{d_f - 1}{N} \approx \frac{d_f}{N},\quad \Pr(f_{j,k} = 0) = 1 - \frac{2d_f}{N},$$
$$\Pr(u_{j,k} = 1) = \frac{d_u}{N},\quad \Pr(u_{j,k} = -1) = \frac{d_u - 1}{N} \approx \frac{d_u}{N},\quad \Pr(u_{j,k} = 0) = 1 - \frac{2d_u}{N},$$
$$\Pr(g_{j,k} = 1) = \Pr(g_{j,k} = -1) = \frac{d_g}{N},\quad \Pr(g_{j,k} = 0) = 1 - \frac{2d_g}{N},$$
$$\Pr(\phi_{j,k} = 1) = \Pr(\phi_{j,k} = -1) = \frac{d_\phi}{N},\quad \Pr(\phi_{j,k} = 0) = 1 - \frac{2d_\phi}{N},$$
$$\Pr(m_{j,k} = \gamma) = \frac{1}{p},\quad \gamma \in \Big[-\frac{p}{2}, \frac{p}{2}\Big],\quad j, k = 0, 1, 2, 3.$$

We assume that all f_{j,α}, g_{k,β} and φ_{t,λ} are pairwise independent random variables, for α, β, λ = 0, 1, ..., N − 1, γ = −(p − 1)/2, ..., (p − 1)/2, and j, k, t = 0, 1, 2, 3. Therefore,

$$\Pr(g_{j,\alpha}\,\phi_{k,\beta}\,f_{t,\lambda} = \mp 1) = \frac{8 d_g d_\phi d_f}{N^3},$$
$$\Pr(g_{j,\alpha}\,\phi_{k,\beta}\,f_{t,\lambda} = 0) = 1 - \frac{8 d_g d_\phi d_f}{N^3},$$
$$\Pr(f_{j,\alpha}\,m_{k,\beta}\,u_{t,\lambda} = \gamma) = \frac{4 d_f d_u}{p N^2}.$$

Based on the preceding assumptions and after a number of computations, the following is obtained:

$$\operatorname{Var}(g_{j,\alpha}\,\phi_{k,\beta}\,f_{t,\lambda})_y = \operatorname{Var}\Big(\sum_{\alpha+\beta+\lambda \equiv y \pmod N} g_{j,\alpha}\,\phi_{k,\beta}\,f_{t,\lambda}\Big) = \frac{8 d_g d_\phi d_f}{N},$$
$$\operatorname{Var}(f_{j,\alpha}\,m_{k,\beta}\,u_{t,\lambda})_y = \operatorname{Var}\Big(\sum_{\alpha+\beta+\lambda \equiv y \pmod N} f_{j,\alpha}\,m_{k,\beta}\,u_{t,\lambda}\Big) = \frac{d_f d_u (p-1)(p+1)}{3},$$
$$\operatorname{Var}(A_{0,\tau}) = \frac{32 p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}.$$

Moreover, Var(A_{1,τ}) = Var(A_{2,τ}) = Var(A_{3,τ}) are equal to $\frac{32 p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}$, obtained in a similar manner, when the probabilities of all coefficients A_{0,i}, A_{1,i}, A_{2,i}, A_{3,i} belong to $[\frac{-q+1}{2}, \frac{q+1}{2}]$. Therefore, successful decryption is performed to obtain

$$\Pr\Big(|A_{i,\tau}| \le \frac{q-1}{2}\Big) = \Pr\Big(-\frac{q-1}{2} \le A_{j,\tau} \le \frac{q-1}{2}\Big) = 2\,\mathcal{N}\Big(\frac{q-1}{2\sigma}\Big),$$

where $\sigma = \sqrt{\frac{32 p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}}$, i = 0, 1, 2, 3 and τ = 0, 1, ..., N − 1.


Corollary 4.1.

1. The probability for any one of the messages M_0, M_1, M_2 and M_3 to be successfully decrypted is

$$\left(2\,\mathcal{N}\left(\frac{\frac{q-1}{2}}{\sqrt{\frac{32p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}}}\right) - 1\right)^{N}.$$

2. The probability for all of the messages M_0, M_1, M_2 and M_3 to be successfully decrypted is

$$\left(2\,\mathcal{N}\left(\frac{\frac{q-1}{2}}{\sqrt{\frac{32p^2 d_g d_\phi d_f}{N} + \frac{32 d_f d_u (p-1)(p+1)}{3}}}\right) - 1\right)^{4N}.$$

5. Security Analysis

To prove the security of the BCTRU cryptosystem, some of the known attacks are discussed, such as the brute force attack, alternate keys attack, multiple transmission attack and finally the lattice-based attack.

A. ALTERNATE KEY ATTACK

The main objective of this attacker is to find alternate private keys in order to decrypt the received encrypted media. Therefore, the attacker's task is an attempt to find the following keys:

F′ = (f′_0, f′_1)(1, 1) + (f′_2, f′_3)(k, 1)

G′ = (g′_0, g′_1)(1, 1) + (g′_2, g′_3)(k, 1)

U′ = (u′_0, u′_1)(1, 1) + (u′_2, u′_3)(k, 1)

alternate to F, G and U respectively, such that F′ must have multiplicative inverses modulo p and q, and U′ must have a multiplicative inverse modulo p.

Thus, an attacker on BCTRU needs twelve polynomials f′_0, f′_1, f′_2, f′_3, g′_0, g′_1, g′_2, g′_3, u′_0, u′_1, u′_2, u′_3 with the same properties as the polynomials f_0, f_1, f_2, f_3, g_0, g_1, g_2, g_3, u_0, u_1, u_2, u_3 respectively. Hence an attacker on BCTRU needs more attempts to find the private key (in this case twelve polynomials) than are needed to decrypt NTRU, which requires only one polynomial in L_F with the same properties as the private key.

B. BRUTE FORCE ATTACK

An attacker on BCTRU knows the public parameters, as well as the public key

H = F_q^{-1} G mod (q),

K = U F_q^{-1} mod (q),

which are equivalent to the following hidden equations:

F H = G mod (q), (1)

K F = U mod (q). (2)

All the polynomials F ∈ L_F are tested to determine whether Eqs. (1) and (2) turn into bicartesian algebra elements with small coefficients, until the private key is found (a hard mathematical problem). The size of the subset L_F is calculated as follows:

$$|L_F| = \left(\frac{N!}{(d_f!)^2 (N - 2d_f)!}\right)^4.$$

Accordingly, the number of all attempts to find the private keys F, G and U is equal to

$$\frac{N!^{12}}{\big((d_f!\, d_g!\, d_u!)^2 (N - 2d_f)!\,(N - 2d_g)!\,(N - 2d_u)!\big)^4}.$$

C. MULTIPLE TRANSMISSION ATTACK

This attack is based on sending a single message several times with the same public key. In BCTRU, when the sender sends one message M many times using different blinding values φ and the same public keys H, K, then the attacker can recover a large part of the message M. Suppose the sender transmits the message M in the form

E_i = pH ∗ φ_i + M ∗ K (mod q)

for i = 1, 2, ..., s. Then, the attacker can compute

H^{-1}(E_i − E_1) (mod q).

Therefore, the attacker can recover

(R_i − R_1) (mod q).

However, the coefficients of R are small, such that the attacker recovers exactly R_i − R_1. Thus, the attacker can recover many coefficients of R_1. BITRU is multidimensional and is therefore more resistant to attacks than NTRU.


D. ANALYZING LATTICE ATTACKS AGAINST BCTRU

Most of the known attacks that threaten BCTRU have been investigated to prove its security. The most powerful attack on this type of cryptosystem, which is based on polynomial algebra, is the lattice attack, in which the shortest vector in the lattice vector space of the proposed cryptosystem represents the private key, which can be found by an approximate solution for the corresponding vector matrix. Some of these attacks are discussed as follows. The BCTRU cryptosystem is broken when the attacker succeeds in finding F or G; this means finding the shortest vector in the BCTRU lattice, which satisfies F ∗ H = G and K ∗ F = I, as follows:

f_0 h_0 + f_2 h_2 = g_0 + q l_0

f_1 h_1 + f_3 h_3 = g_1 + q l_1

f_0 h_2 + f_2 h_0 = g_2 + q l_2

f_1 h_3 + f_3 h_1 = g_3 + q l_3

f_0 k_0 + f_2 k_2 = i_0 + q w_0

f_1 k_1 + f_3 k_3 = i_1 + q w_1

f_0 k_2 + f_2 k_0 = i_2 + q w_2

f_1 k_3 + f_3 k_1 = i_3 + q w_3

We can represent the polynomials h_0, h_1, h_2, h_3 and k_0, k_1, k_2, k_3 in the following matrices respectively:

$$(H_i)_{N\times N} = \begin{pmatrix} h_{i,0} & h_{i,1} & h_{i,2} & \cdots & h_{i,N-1} \\ h_{i,N-1} & h_{i,0} & h_{i,1} & \cdots & h_{i,N-2} \\ h_{i,N-2} & h_{i,N-1} & h_{i,0} & \cdots & h_{i,N-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ h_{i,2} & h_{i,3} & h_{i,4} & \cdots & h_{i,1} \\ h_{i,1} & h_{i,2} & h_{i,3} & \cdots & h_{i,0} \end{pmatrix}$$

$$(K_i)_{N\times N} = \begin{pmatrix} k_{i,0} & k_{i,1} & k_{i,2} & \cdots & k_{i,N-1} \\ k_{i,N-1} & k_{i,0} & k_{i,1} & \cdots & k_{i,N-2} \\ k_{i,N-2} & k_{i,N-1} & k_{i,0} & \cdots & k_{i,N-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ k_{i,2} & k_{i,3} & k_{i,4} & \cdots & k_{i,1} \\ k_{i,1} & k_{i,2} & k_{i,3} & \cdots & k_{i,0} \end{pmatrix}$$

Based on the above, we can construct the lattices $\mathcal{L}^{H}_{BCTRU}$ and $\mathcal{L}^{K}_{BCTRU}$ of dimension 4N, spanned by the rows of the matrices

$$M^{H}_{4N\times 4N} = \begin{pmatrix} I_{2N\times 2N} & \begin{matrix} H_0 & H_1 \\ H_1 & H_0 \end{matrix} \\ 0_{2N\times 2N} & qI_{2N\times 2N} \end{pmatrix}$$

and

$$M^{K}_{4N\times 4N} = \begin{pmatrix} I_{2N\times 2N} & \begin{matrix} K_0 & K_1 \\ K_1 & K_0 \end{matrix} \\ 0_{2N\times 2N} & qI_{2N\times 2N} \end{pmatrix},$$

where I denotes the identity matrix, 0 denotes the zero matrix with bicartesian entries, and

$$H_0 = (h_{0,0} + h_{0,1}x + \cdots + h_{0,N-1}x^{N-1},\ h_{1,0} + h_{1,1}x + \cdots + h_{1,N-1}x^{N-1}),$$
$$K_0 = (k_{0,0} + k_{0,1}x + \cdots + k_{0,N-1}x^{N-1},\ k_{1,0} + k_{1,1}x + \cdots + k_{1,N-1}x^{N-1}).$$

Assuming d = d_f = d_g = d_u = d_φ ≈ N/3, we have $\|M^{H}_{4N\times 4N}\| = 2q^{4N}$; based on the shortest vector problem, the length of the shortest nonzero vector with respect to H is equal to $0.48\sqrt{N}\,q\,(2)^{\frac{1}{4N}}$. In the same way, the length of the shortest nonzero vector with respect to K is equal to $0.48\sqrt{N}\,q\,(2)^{\frac{1}{4N}}$. Therefore, the attacker is trying to find two nonzero vectors, each of length $0.48\sqrt{N}\,q\,(2)^{\frac{1}{4N}}$. Hence, BCTRU has good resistance against lattice attacks.

6. Conclusions

In this paper, we introduced the BCTRU public key cryptosystem, which depends on a newly generated bicartesian algebra, to enhance the security, through discussion of some attacks. We demonstrated that the security of BCTRU is four times more than NTRU, and it shows certain resistance against attacks. When designing NTRU-like cryptosystems, the most crucial point that should be taken into consideration is the non-commutative calculation during the encryption and decryption process, which led to the design of a cryptosystem secure against lattice-based attacks, because the attacker needs to try two nonzero vectors, each of length $0.48\sqrt{N}\,q\,(2)^{\frac{1}{4N}}$. Also, BCTRU has the ability to encrypt four messages of length N in each round, which grants it a good speed facility that is important for many applications.


References

Al-Saidi, N. M. and Yassein, H. R. (2017). A New Alternative to NTRU Cryptosystem Based on Highly Dimensional Algebra with Dense Lattice Structure. Malaysian Journal of Mathematical Sciences, 11:29–43.

Alsaidi, N., Saed, M., Sadiq, A., and Majeed, A. A. (2015). An improved NTRU cryptosystem via commutative quaternions algebra. In Proceedings of the International Conference on Security and Management (SAM), page 198. The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).

Alsaidi, N. M. and Yassein, H. R. (2016). BITRU: Binary Version of the NTRU Public Key Cryptosystem via Binary Algebra. International Journal of Advanced Computer Science and Applications, 7(11):16.

An, S., Kim, S., Jin, S., Kim, H., and Kim, H. (2018). Single trace side channel analysis on NTRU implementation. Applied Sciences, 8(11):2014.

Atani, R. E., Atani, S. E., and Karbasi, A. H. (2018). NETRU: A non-commutative and secure variant of CTRU cryptosystem. ISeCure, 10(1).

Atici, A. C., Batina, L., Fan, J., Verbauwhede, I., and Yalcin, S. B. O. (2008). Low-cost implementations of NTRU for pervasive security. In Application-Specific Systems, Architectures and Processors, 2008. ASAP 2008. International Conference on, pages 79–84. IEEE.

Coglianese, M. and Goi, B.-M. (2005). MaTRU: A new NTRU-based cryptosystem. In International Conference on Cryptology in India, pages 232–243. Springer.

Gaborit, P., Ohler, J., and Solé, P. (2002). CTRU, a polynomial analogue of NTRU. PhD thesis, INRIA.

Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In International Algorithmic Number Theory Symposium, pages 267–288. Springer.

Jarvis, K. and Nevins, M. (2015). ETRU: NTRU over the Eisenstein Integers. Designs, Codes and Cryptography, 74(1):219–242.

Kumar, S., Pal, S. K., et al. An Improved Post-Quantum Cryptographic Scheme Based on NTRU. International Journal of Computer Applications Technology and Research, 2(4):499.

Malekian, E. and Zakerolhosseini, A. (2010). OTRU: A non-associative and high speed public key cryptosystem. In Computer Architecture and Digital Systems (CADS), 2010 15th CSI International Symposium on, pages 83–90. IEEE.

Malekian, E., Zakerolhosseini, A., and Mashatan, A. (2009). QTRU: A Lattice Attack Resistant Version of NTRU PKCS Based on Quaternion Algebra. Preprint, available from the Cryptology ePrint Archive: http://eprint.iacr.org/2009/386.pdf.

Pan, Y. and Deng, Y. (2011). A general NTRU-like framework for constructing lattice-based public-key cryptosystems. In International Workshop on Information Security Applications, pages 109–120. Springer.

Rivest, R. L., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126.

Schoof, R. (1985). Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of Computation, 44(170):483–494.

Suri, P. and Puri, P. (2007). Application of LFSR with NTRU Algorithm. In Innovative Algorithms and Techniques in Automation, Industrial Electronics and Telecommunications, pages 369–373. Springer.

Thakur, K. and Tripathi, B. (2016). BTRU, A Rational Polynomial Analogue of NTRU Cryptosystem. International Journal of Computer Applications, Foundation of Computer Science (FCS), NY, USA, 145(12).

Vats, N. (2009). NNRU, a noncommutative analogue of NTRU. arXiv preprint arXiv:0902.1891.

Yassein, H. R. and Al-Saidi, N. M. (2016). HXDTRU Cryptosystem Based On Hexadecnion Algebra. In Proceedings of the 5th International Cryptology and Information Security Conference, Kota Kinabalu, Malaysia.

Yassein, H. R. and Al-Saidi, N. M. (2017). A comparative performance analysis of NTRU and its variant cryptosystems. In Current Research in Computer Science and Information Technology (ICCIT), 2017 International Conference on, pages 115–120. IEEE.


Malaysian Journal of Mathematical Sciences 13(S) August: 93–109 (2019)
Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

A Hierarchical Identity-Based Identification Scheme Without Pairing

Vangujar, A.K.*1, Chin, J.J.1, Tan, S.Y.2, and Ng, T.S.2

1 Faculty of Engineering, Multimedia University, Malaysia
2 Faculty of Information Science and Technology, Multimedia University, Malaysia

E-mail: [email protected]
* Corresponding author

ABSTRACT

In 2015, Chin et al. proposed an extension to the Schnorr IBI scheme using two secret keys to tighten the security based on the discrete logarithmic assumption, namely the Twin-Schnorr IBI. Twin-Schnorr IBI works without pairing operations, and this helps to increase the efficiency of the scheme as well as strengthening its security. In this paper, we extend Chin et al.'s scheme to accommodate hierarchies, namely the Hierarchical Identity-based Identification (HIBI). Our scheme uses no pairings and is able to operate faster than pairing-based HIBIs.

Keywords: Security attacks, Hierarchical Identity-based identification scheme (HIBI), Discrete logarithmic assumption, Twin-Schnorr IBI scheme.


1. Introduction

1.1 Identification Scheme

Public key cryptography uses the recipient's public key for encryption andthe recipient's private key for decryption to recover the original message. Thepublic key cryptography is further sub-divided into digital signature schemesand identication schemes.

An identification scheme consists of two parties, namely a prover and a verifier, which perform a challenge-response protocol. An identification scheme allows a prover to prove himself to a verifier without revealing any information about himself. Traditional cryptographic schemes, which include identification schemes, require the use of certificates issued by a certificate authority (CA) in order to authenticate a user's public key. Maintaining certificates in large numbers is in itself a major issue.

Identification schemes, first proposed in Shamir (1984), were built on a three-move protocol using a zero-knowledge proof, which results in higher efficiency. In identity-based cryptography (Shamir), the certificate requirement is abolished by replacing the public key with an identity string (Fiat and Shamir, 1986). It is the simplest form of cryptographic primitive that does not rely on certificates. Conventional IBI schemes only allow a single user to interact with the verifier.

1.2 Related Work

In 1989, Schnorr described the first scheme based on the discrete logarithm assumption, and it is particularly suited for smart cards. The key generation algorithm is faster and more secure than Shamir (1984), using an efficient algorithm to pre-process the exponentiation of random numbers.

Boneh and Franklin (2003) proposed the first identity-based encryption scheme, which led to the boom of identity-based cryptography. In later years, more secure and efficient IBI schemes were formalized in Bellare et al. (2009). Subsequently, Tan et al. (2011) proposed a variant of the Schnorr IBI scheme and a direct proof with tight security reduction. He described the security against impersonation under passive, active and concurrent attack based on the Decisional Diffie-Hellman (DDH) assumption in the random oracle model. Separately, Barapatre and Rangan (2013) also proposed another IBI scheme from ID Key Encapsulation Mechanisms. Finally, Chin et al. (2015) introduced the Twin-Schnorr IBI scheme. The authors proposed to generate two secret keys in the key generation algorithm. The authors prove that this method tightens the security of the Schnorr IBI scheme to the discrete logarithm assumption only, at little additional cost Tan et al. (2011).

The first idea of hierarchical identity-based encryption (HIBE) was proposed by Horwitz and Lynn (2002). For hierarchical IBI (HIBI), Chin et al. (2009) extended Horwitz and Lynn (2002)'s construct in the first hierarchical IBI scheme. Both schemes use pairings. Fujioka et al. (2012) and subsequently Fujioka et al. (2014) extended the work on HIBI using constructions that utilize the RSA and CDH assumptions. Fujioka's IBI scheme is proven secure in the standard security model, whereas Chin et al. (2009) is proven efficient with a random oracle. However, their HIBI without a random oracle has increased communication cost and key size compared with HIBI with a random oracle.

This paper focuses on a hierarchical IBI scheme without pairing and its security proof against passive, active and concurrent attack respectively. HIBI has a root PKG as the first level and n lower-level PKGs, where n is defined by users. Each node is connected to other nodes and communicates with them by a three-move protocol. The advantages of HIBI are listed as follows.

1. It is efficient, as no database of identities is needed.

2. It has improved scalability.

3. It solves the key escrow problem with delegated key feature.

In this paper, we propose a hierarchical version of the Twin-Schnorr IBI scheme without pairing. The Hierarchical Twin-Schnorr IBI scheme without pairing has a Public Key Generator (PKG) which distributes the secret key once and then partially creates multiple PKGs.

1.3 Organization

The paper is organized as follows. In Section 2, we begin with some preliminaries including assumptions, groups, and security definitions for IBI schemes. In Section 3, we define the Hierarchical Twin-Schnorr IBI scheme. Section 5 gives more detail about the Hierarchical IBI without pairing with JAVA code. We define the security proof against impersonation under active and concurrent attack for the Hierarchical IBI scheme without pairing in Section 4. In Section 6, we present the efficiency analysis of the Hierarchical IBI scheme without pairing in comparison with other IBI schemes. We conclude this paper in Section 7.


2. Preliminaries

2.1 Discrete Logarithm Assumption

We adopt the definition of the discrete logarithm assumption from Kurosawa and Heng (2004), Bellare and Palacio (2002) and Ioannidis et al. (2005) as follows:

Definition 2.1. Let G be a finite cyclic group of order n. Let α be a generator of G, and let β ∈ G. The discrete logarithm of β to the base α, denoted log_α β, is the unique integer x, 0 ≤ x ≤ n − 1, such that β = α^x.

2.2 Formal Definition of IBI Schemes

Definition 2.2. An identity-based identification (IBI) scheme is based on four probabilistic algorithms

ID = (S, E, P, V)

• Key Setup (S). It takes $1^k$ as input and outputs (param, masterkey).

• Extract (E). An extract oracle is used to extract the private key. It takes (masterkey, ID) as input and returns the private key d.

• Identification Protocol (P and V). In this phase, the prover P and the verifier V communicate with each other. P takes (param, ID, d) as input, whereas V takes (param, ID). P and V communicate by exchanging (CMT, CH, RSP) and output a boolean decision, 0 (reject) or 1 (accept). The canonical protocol acts in four steps as follows:

1. P sends a commitment (CMT) to V.

2. V provides a randomly chosen challenge (CH).

3. P calculates the response (RSP) to the challenge and sends it to V.

4. V verifies that (param, ID, CMT, CH, RSP) is a DH tuple.

2.3 HIBI Schemes

Definition 2.3. An HIBI scheme consists of four probabilistic algorithms (Gentry and Silverberg (2002), Chin et al. (2009))

ID = (S, E, P, V)


• Root Setup (S). This algorithm selects a random generator and a secret key, and outputs the pair of param and secret key.

1. Lower Level Setup. In this level, each identity at the lower level sets a random parameter and keeps it secret.

• Extract (E). For any identity, it calculates the user secret key with the help of the ancestor's secret key.

• Identification Protocol (P, V). In this phase, the prover P and the verifier V communicate in three steps as follows.

1. P chooses a random variable, calculates a value from it and sends the value to V.

2. V generates a random challenge and forwards it to P.

3. P accepts the challenge and generates a response based on it.

4. V accepts if and only if the final equation verifies.

An impersonator aims to impersonate an honest user. The following two items state the types of adversary.

• A passive adversary. In this attack, an adversary obtains the communication transcript between the real prover and a verifier. The adversary can only read the information but does not affect the communication line between the prover and the verifier. This is the weakest attack.

• An active adversary and concurrent adversary. An active adversary can directly communicate with the prover, playing the role of a cheating verifier. The adversary in the active attack can drop, change and configure the information; it threatens the authentication and integrity of data. A concurrent adversary can run the communication protocol with the prover concurrently, playing the role of the cheating verifier, and can make changes in between the ongoing processes (Katz and Lindell, 2014).

We adopt the security model for IBI schemes from Chin et al. (2009). An impersonation attack between an impersonator I and a challenger C is described as a two-phase game as follows:

1. Setup (S). C takes input $1^k$ and runs algorithm S. The resulting system parameters mpk are given to I, while msk is kept by C.

2. Phase 1: Learning Phase. I issues extract queries on identities $ID_i$ to C. C responds by running the extract algorithm to generate and return the private key usk corresponding to the identity $ID_i$ to I.


The queries may be asked adaptively. I issues transcript queries for passive attacks, or requests to act as a cheating verifier corresponding to some $ID_i$ for active/concurrent attacks.

3. Phase 2: Impersonation Phase. Finally, I outputs a challenge identity ID which it wishes to impersonate, whereby I now acts as a cheating prover to convince the verifier C based on the information gathered in Phase 1. I wins the game if it succeeds in convincing the verifier.

2.4 Security Model for HIBI Schemes

We describe the security of an HIBI scheme with the following game between an impersonator I and a challenger C (Chin et al., 2009).

1. Setup (S). The challenger first takes in a security parameter $1^k$ and gives the resulting params to I. It keeps the root-level master secret key rlmsk to itself.

2. Phase 1. I can issue queries $(q_i, \ldots, q_m)$ where $q_i$ is one of:

(a) Extract Key Query (E). Upon being queried with the public key of $ID_i$, C returns $usk_i$ to I.

(b) Transcript/Identification Query (P and V). For a passive I, C responds with a transcript of the interaction between the prover and a verifier. For an active/concurrent I, C acts as the prover while I takes the role of a cheating verifier.

3. Challenge (C). I outputs $ID^* \ne ID_i$ that it wishes to impersonate. $ID^*$ is the identity targeted by the impersonator among $(ID_1, \ldots, ID_i)$.

4. Phase 2.

(a) Extract Key Query (E). I can continue to query the private keys of $ID_i$ as long as $ID_i$ is not an ancestor of $ID^*$ and $ID_i \ne ID^*$.

(b) Transcript/Identification Query (P and V). I can continue to query either transcripts (for a passive I) or identification interactions (for an active/concurrent I) for $ID^*$ or any ancestor of $ID^*$.

5. Impersonation. I takes the role of the cheating prover and tries to convince the verifier. I wins the game if it succeeds in convincing the verifier to accept with non-negligible probability.


Definition 2.4. We say an HIBI scheme is $(t_{HIBI}, q_{HIBI}, \varepsilon_{HIBI})$-secure under passive or active/concurrent attacks if, for any passive/active/concurrent I who runs in time $t_{HIBI}$, $\Pr[I \text{ can impersonate}] \le \varepsilon_{HIBI}$, where I can make at most $q_{HIBI}$ extract queries and transcript/identification queries.

3. The Hierarchical IBI Scheme Without Pairing

The Hierarchical IBI scheme without pairing is based on the Twin-Schnorr IBI scheme by Chin et al. (2015).

The root level consists of the identity $ID_0$. The hierarchy proceeds to level 1 with identities $(ID_1, ID_2, \ldots, ID_i, \ldots, ID_m)$, where $m$ represents the last identity of that level. $ID_i$ is the targeted identity, which lies in the range $ID_1 \le ID_i \le ID_m$. The construction of the Hierarchical IBI scheme without pairing algorithms $(S, E, P, V)$ is as follows (Chin et al., 2009).

1. Key Setup (S). It takes $1^k$, where $k$ is the security parameter, and generates $G$, a group of order $q$. It picks random generators $g_1, g_2 \in G$ and two random integers $x_1, x_2 \in \mathbb{Z}_q$. It sets $X = g_1^{-x_1} g_2^{-x_2}$. It chooses a hash function $H : \{0,1\}^* \times G \times G \to \mathbb{Z}_q$. It outputs the pair $(mpk, msk)$ where $mpk = \langle G, q, g_1, g_2, X \rangle$ and $msk = \langle x_1, x_2 \rangle$.

2. Extract (E). For the root level $ID_0$, $(mpk, msk, ID_0)$ is the input. It calculates $R = g_1^{x_1} g_2^{x_2}$ and sets $\alpha_0 = H(ID_0, R, X)$. It then picks two random integers $r_{0,1}, r_{0,2} \in \mathbb{Z}_q$ and calculates $S_{0,1} = r_{0,1} + x_1 \alpha_0$, $S_{0,2} = r_{0,2} + x_2 \alpha_0$. Finally, it sets $usk_{ID_0} = \langle S_{0,1}, S_{0,2}, \alpha_0 \rangle$ and passes $usk_{ID_0}$ to the next level.

For $ID_1$ at level 1, it picks two random integers $r_{1,1}, r_{1,2} \in \mathbb{Z}_q$ and calculates $(S_{1,1}, S_{1,2})$, where $S_{1,1} = r_{1,1} + \alpha_1 + S_{0,1}$ and $S_{1,2} = r_{1,2} + \alpha_1 + S_{0,2}$, using $(S_{0,1}, S_{0,2})$ as the ancestor user secret key. Therefore $usk_{ID_1} = \langle S_{1,1}, S_{1,2}, \alpha_1 \rangle$.

For $ID_i$ at level $i$, it takes as input $mpk = \langle G, q, g_1, g_2, X \rangle$, $usk_{ID_{i-1}} = \langle S_{i-1,1}, S_{i-1,2} \rangle$ and the user identity string $(ID_0, \ldots, ID_i)$. It picks two random integers $r_{i,1}, r_{i,2} \in \mathbb{Z}_q$, calculates $V_i = g_1^{r_{i,1} + S_{i-1,1}} g_2^{r_{i,2} + S_{i-1,2}}$ and sets $\alpha_i = H(ID_0 \| \ldots \| ID_i, V_i, X)$. Next, it calculates $S_{i,1} = r_{i,1} + \alpha_i + S_{i-1,1}$ and $S_{i,2} = r_{i,2} + \alpha_i + S_{i-1,2}$ and sets $usk_{ID_i} = \langle S_{i,1}, S_{i,2}, \alpha_i \rangle$.

3. Identification Protocol (P and V), in which the prover takes in $mpk$, $ID_i$ and $usk_{ID_i}$, while V takes in $mpk$ and $ID_i$. They run an identification protocol as follows.


• P begins by picking two random integers $y_{i,1}, y_{i,2} \in \mathbb{Z}_q$ and sets $Y = g_1^{y_{i,1}} g_2^{y_{i,2}}$. P additionally sets $V_i = g_1^{S_{i,1}} g_2^{S_{i,2}} X^{\alpha_i}$ and sends $Y, V_i$ to V.

• V picks a random challenge $c \in \mathbb{Z}_q$ and sends it to P.

• P responds by setting $z_{i,1} = y_{i,1} + c S_{i,1}$ and $z_{i,2} = y_{i,2} + c S_{i,2}$ and sends $z_{i,1}, z_{i,2}$ to V as its response.

V calculates and accepts if the following equation holds for each $i$:

$$g_1^{z_{i,1}} g_2^{z_{i,2}} = Y \left( \frac{V_i}{X^{\alpha'_i}} \right)^c$$

where $\alpha'_i = H(ID_i, V_i, X)$. VERIFY can calculate $\alpha'_i = H(ID_i, V_i, X)$ by itself since

$$g_1^{S_{i,1}} g_2^{S_{i,2}} X^{\alpha_i} = g_1^{r_{i,1} + \alpha_i} g_2^{r_{i,2} + \alpha_i} g_1^{-\alpha_i} g_2^{-\alpha_i} = g_1^{r_{i,1}} g_2^{r_{i,2}} = R$$

The correctness of the identification protocol can be shown as follows:

$$\begin{aligned}
Y \left( \frac{V_i}{X^{\alpha_i}} \right)^c &= g_1^{y_{i,1}} g_2^{y_{i,2}} \left( \frac{g_1^{S_{i,1}} g_2^{S_{i,2}} X^{\alpha_i}}{X^{\alpha_i}} \right)^c \\
&= \left( g_1^{y_{i,1}} g_2^{y_{i,2}} \right) \left( g_1^{S_{i,1}} g_2^{S_{i,2}} \right)^c \\
&= \left( g_1^{y_{i,1}} g_2^{y_{i,2}} \right) \left( g_1^{c S_{i,1}} g_2^{c S_{i,2}} \right) \\
&= g_1^{y_{i,1} + c S_{i,1}} g_2^{y_{i,2} + c S_{i,2}} \\
&= g_1^{z_{i,1}} g_2^{z_{i,2}}
\end{aligned}$$

4. Security Analysis

We describe the security of the Hierarchical IBI scheme without pairing by the following game between an impersonator I and a challenger C.

Theorem 4.1. The Hierarchical IBI scheme without pairing is secure against impersonation under active and concurrent attack if the discrete logarithm problem is hard in group $G$, where

$$\varepsilon^{imp\text{-}pa}_{\text{HIBI without pairing}} = \sqrt[l]{\varepsilon^{DLOG}_{G,C}(k) + \frac{1}{2^k}} + \frac{1}{2^k}$$


Proof. Let I be an impersonator who $(t, q_i, \varepsilon)$-breaks the security of the Hierarchical IBI scheme without pairing. C is a simulator that finds the value of $a$ according to the discrete logarithm assumption. C is given a group $G$ and generators $(g_1 = g, g_2 = g^a) \in G$, and simulates for I as follows.

1. Setup (S). C takes $1^k$ and returns $mpk = \langle G, q, g_1, g_2, X \rangle$ to I.

2. Phase 1. I can issue queries $(q_0, \ldots, q_i, \ldots, q_m)$ where $q_i$ is for $ID_i$. There are $q_m$ queries in total, as there are $m$ queries. In the training phase, I tries to learn from C: it obtains user secret keys and runs transcripts. The scheme is considered as a hierarchical version of the Twin-Schnorr IBI scheme without pairing for $(ID_1, \ldots, ID_m)$, where $(ID_1, \ldots, ID_i)$ for $1 \le i \le m$, and $(level_1, level_2, \ldots, level_l)$, where $(level_1, \ldots, level_j)$ for $1 \le j \le l$, define the hierarchy.

(a) Case 1.

i. Extract Query (E). For $ID_i \ne ID^*$, C takes the master public key and identity string as input. Upon being queried with the public key of $ID_i$, it returns $usk_{ID_i} = (S_{i,1}, S_{i,2})$ to I. $usk_{ID_i}$ can be calculated with the help of the ancestor key $usk_{ID_{i-1}}$.

ii. Identification query (P and V). For I, C responds with a transcript of the interaction between the prover and a verifier. In the simulation, the prover takes input $(mpk, ID_i, usk_{ID_i})$ while the verifier takes input $(mpk, ID_i)$. The prover generates $(Y, V_i)$. C generates a random challenge $c \in \mathbb{Z}_q$. On the basis of the challenge, the prover calculates $z_{i,1}, z_{i,2}$ and sends them to V as its response. Lastly, V verifies

$$g_1^{z_{i,1}} g_2^{z_{i,2}} = Y \left( \frac{V_i}{X^{\alpha'_i}} \right)^c$$

(b) Case 2.

i. Extract Query (E). For $ID^* = ID_i$, the ancestor of $usk_{ID^*}$ is unknown, but the root secret key is known; therefore the algorithm aborts. There is an ID string in which all IDs are defined as parent and child nodes according to the hierarchy. The parent helps to generate the usk of the child node; a child node's usk is generated only if its parent's usk is defined. C takes the master public key and identity string as input. Upon being queried with the public key of $ID^*$, it returns $usk_{ID^*} = (S_{*,1}, S_{*,2})$ to I.

ii. Identification query (P and V). A transcript can be created even if the identity has not yet been queried as an extract query. The prover participates in the transcript and is added to the set. We are not able to issue a transcript for an already corrupted user. The prover and verifier communicate in this phase. $ID^*$ is the targeted identity and the verifier needs to verify it. For $ID_i = ID^*$, I acts as the cheating V, and C does not have the user secret key of $ID^*$; however, it needs to create it again to run an identification protocol. When I tries to forge $ID^*$, it should know the previous identity $(ID^*_{-1})$. We can run the transcript as many times as we like, as long as the number of queries is not exceeded. The prover takes input $(mpk, ID^*, usk_{ID^*})$ while the verifier takes input $(mpk, ID^*)$. The prover generates $(Y, V_*)$. C generates a random challenge $c \in \mathbb{Z}_q$ where $c$ corresponds to $ID^*$. On the basis of the challenge, the prover calculates $z_{*,1}, z_{*,2}$ and sends them to V as its response. Lastly, V verifies

$$g_1^{z_{*,1}} g_2^{z_{*,2}} = Y \left( \frac{V_*}{X^{\alpha'_*}} \right)^c.$$

(c) Challenge (C). I outputs an identity $ID^* \ne ID_i$ that it wishes to impersonate.

3. Phase 2. The breaking phase proceeds as follows. C obtains $[y_{i,1}, c_1, V_i, z_{i,1}]$ and $[y_{i,2}, c_2, V_i, z_{i,2}]$ from I, where $c_1 \ne c_2$. From here, C extracts $S_{i,1} = (z_{i,1} - z_{i,2})/(c_2 - c_1)$ and $S_{i,2} = (z_{i,1} - z_{i,2})/(c_2 - c_1)$.

If $S_{i,1} = \tilde{S}_{i,1}$ and $S_{i,2} = \tilde{S}_{i,2}$, where $(\tilde{S}_{i,1}, \tilde{S}_{i,2})$ denotes the pair C itself generated in the simulation, then C aborts. Otherwise,

$$\begin{aligned}
g^{S_{i,1}} \left( g^{a} \right)^{S_{i,2}} &= g^{\tilde{S}_{i,1}} \left( g^{a} \right)^{\tilde{S}_{i,2}} \\
g^{S_{i,1} + a S_{i,2}} &= g^{\tilde{S}_{i,1} + a \tilde{S}_{i,2}} \\
g^{a S_{i,2} - a \tilde{S}_{i,2}} &= g^{\tilde{S}_{i,1} - S_{i,1}} \\
g^{a} &= g^{(\tilde{S}_{i,1} - S_{i,1}) / (S_{i,2} - \tilde{S}_{i,2})} \\
a &= -\frac{S_{i,1} - \tilde{S}_{i,1}}{S_{i,2} - \tilde{S}_{i,2}}
\end{aligned}$$
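As an added example that is not part of the paper, the following Python code models the root-level (non-hierarchical) case of the protocol of Section 3, i.e. the Twin-Schnorr IBI core: Key Setup, Extract with $R = g_1^{r_{0,1}} g_2^{r_{0,2}}$ (the value the correctness argument relies on), the three-move identification protocol, and the Phase 2 extraction of a user secret key from two accepting transcripts that share one commitment. The toy group parameters and the hash-to-$\mathbb{Z}_q$ encoding are assumptions, and the hierarchy levels are omitted.

```python
import hashlib
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1, both prime.
# Far too small for real use; chosen only so the example runs instantly.
P, Q = 2039, 1019
G1, G2 = 4, 9  # quadratic residues mod P, hence generators of the order-Q subgroup


def H(identity, R, X):
    """Hash to Z_q, used as alpha = H(ID, R, X). The byte encoding is an assumption."""
    data = f"{identity}|{R}|{X}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def setup(rng=secrets.randbelow):
    """Key Setup: msk = (x1, x2), mpk carries X = g1^{-x1} g2^{-x2}."""
    x1, x2 = rng(Q), rng(Q)
    X = (pow(G1, -x1, P) * pow(G2, -x2, P)) % P
    return {"X": X}, (x1, x2)


def extract(mpk, msk, identity, rng=secrets.randbelow):
    """Root-level Extract: R = g1^r1 g2^r2, alpha = H(ID, R, X), S_j = r_j + x_j alpha."""
    x1, x2 = msk
    r1, r2 = rng(Q), rng(Q)
    R = (pow(G1, r1, P) * pow(G2, r2, P)) % P
    alpha = H(identity, R, mpk["X"])
    return ((r1 + x1 * alpha) % Q, (r2 + x2 * alpha) % Q, alpha)


def prover_commit(mpk, usk, rng=secrets.randbelow):
    """Move 1: P picks y1, y2 and sends Y = g1^y1 g2^y2 together with
    V = g1^S1 g2^S2 X^alpha, which equals R because X^alpha cancels the x_j*alpha terms."""
    S1, S2, alpha = usk
    y1, y2 = rng(Q), rng(Q)
    Y = (pow(G1, y1, P) * pow(G2, y2, P)) % P
    V = (pow(G1, S1, P) * pow(G2, S2, P) * pow(mpk["X"], alpha, P)) % P
    return (y1, y2), (Y, V)


def prover_respond(usk, state, c):
    """Move 3: z_j = y_j + c S_j mod q."""
    S1, S2, _ = usk
    y1, y2 = state
    return ((y1 + c * S1) % Q, (y2 + c * S2) % Q)


def verify(mpk, identity, commitment, c, response):
    """V recomputes alpha' = H(ID, V, X) and checks g1^z1 g2^z2 == Y (V / X^alpha')^c."""
    Y, V = commitment
    z1, z2 = response
    alpha = H(identity, V, mpk["X"])
    lhs = (pow(G1, z1, P) * pow(G2, z2, P)) % P
    base = (V * pow(mpk["X"], -alpha, P)) % P
    return lhs == (Y * pow(base, c, P)) % P


def run_protocol(mpk, identity, usk, rng=secrets.randbelow):
    """One honest three-move run; returns the verdict and the transcript."""
    state, commitment = prover_commit(mpk, usk, rng)
    c = rng(Q)  # Move 2: random challenge chosen by V
    response = prover_respond(usk, state, c)
    return verify(mpk, identity, commitment, c, response), (commitment, c, response)


def extract_secret(t1, t2):
    """Phase 2 of the proof: two accepting transcripts with the same commitment and
    c1 != c2 give S_j = (z_j - z'_j) / (c1 - c2) mod q. This is why a prover must never
    answer two different challenges for one commitment."""
    (Y1, _), c1, (z11, z12) = t1
    (Y2, _), c2, (z21, z22) = t2
    if Y1 != Y2 or c1 == c2:
        raise ValueError("need a shared commitment and distinct challenges")
    inv = pow((c1 - c2) % Q, -1, Q)
    return ((z11 - z21) * inv % Q, (z12 - z22) * inv % Q)
```

A key extracted for one identity fails verification under another identity because the verifier recomputes $\alpha'$ from the identity string it was given.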

To calculate the probability of C winning the game and solving the discrete logarithm problem: by the Reset Lemma, C will successfully extract two valid conversations to derive $(S_{i,1}, S_{i,2})$ and calculate $a$ with probability

$$\left( \varepsilon^{imp\text{-}aa/ca}_{\text{HIBI without pairing}} - \frac{1}{2^k} \right)^l - \frac{1}{2^k}$$

Assume C solves the discrete logarithm problem. Let A be the event that C computes the correct value of $a$, and B the event that C does not abort. The winning probability can be given as follows.

$$\Pr[\text{C wins}] = \Pr[A \wedge B] = \Pr[A \mid B] \Pr[B]$$

$$\varepsilon^{DLOG}_{G,C}(k) \ge \left( \varepsilon - \frac{1}{2^k} \right)^l \Pr[B]$$

The probability of C aborting (the complement of event B) is the probability that the extracted pair coincides with the pair C itself generated, i.e. $S_{i,1} = \tilde{S}_{i,1}$ and $S_{i,2} = \tilde{S}_{i,2}$. Therefore the winning probability of C is

$$\varepsilon^{DLOG}_{G,C}(k) \ge \left( \varepsilon^{imp\text{-}ca/aa}_{\text{HIBI without pairing}} - \frac{1}{2^k} \right)^l - \frac{1}{2^k}$$

$$\varepsilon^{DLOG}_{G,C}(k) + \frac{1}{2^k} \ge \left( \varepsilon^{imp\text{-}ca/aa}_{\text{HIBI without pairing}} - \frac{1}{2^k} \right)^l$$

$$\varepsilon^{imp\text{-}pa}_{\text{HIBI without pairing}} \le \sqrt[l]{\varepsilon^{DLOG}_{G,C}(k) + \frac{1}{2^k}} + \frac{1}{2^k}$$

5. Implementation of JAVA Code for Hierarchical IBI without Pairing

In this section, we show our implementation of the Hierarchical IBI without Pairing simulator in Java. We used NetBeans IDE 8.2 as the front end and the JDK Bundle as the back end. Previously, the Schnorr, Tight Schnorr, Twin Schnorr and RS Twin Schnorr IBI schemes were implemented in Kam et al. (2015). We extend this work by adding the Hierarchical Twin-Schnorr IBI without pairings to the Schnorr Suite prototype. A step-by-step implementation of the JAVA code to simulate the Hierarchical IBI without pairing is given in the figures.

Figure 1 shows the interface of the implemented code. It shows the list of schemes, the input text box and the algorithms. Users need to select the Hierarchical IBI without pairing scheme from the given list of schemes and enter the ID-string along with the number of iterations, as shown in Figure 2.

Figure 3 tells us more about the generation of the master public and master secret key for the Hierarchical IBI without pairing. For 100 iterations, the average time taken is 48.115 milliseconds.


The user secret key is calculated in Figure 4. We conduct simulations for up to 4 levels of hierarchy. For 100 iterations, we measure the average time in milliseconds to run extraction for the user secret key at each level. The root level (similar to conventional IBI) takes 3.173, level 1 takes 3.210, level 2 takes 3.231, level 3 takes 3.253 and finally level 4 takes 3.274 milliseconds.

Figure 5 elaborates the communication between a prover and the verifier for the Hierarchical IBI without pairing for one iteration. For 100 iterations, the identification protocol takes the following average times: the root level takes 1.279, level 1 takes 2.552, level 2 takes 3.848, level 3 takes 5.135 and finally level 4 takes 6.399 milliseconds. This is consistent with the time taken increasing slightly with each level of the hierarchy added to the protocol.

Figure 1: Default Demo page for Hierarchical IBI without pairing.

Figure 2: Selection for Scheme, ID-string and Iteration.


Figure 3: Setup Algorithm for Hierarchical IBI without pairing

Figure 4: Extract Algorithm for Hierarchical IBI without pairing


Figure 5: Identification Protocol for Hierarchical IBI without pairing

6. Efficiency Analysis

In this section, we provide the efficiency cost of the Hierarchical IBI scheme without pairing in Table 1. We count pairings (P), exponentiations (E), multiplications in the group G (MG), multiplications in Zq (MZ) and additions in Zq (A) as the terms that define the efficiency.

We consider other schemes in order to calculate the identification cost in Table 2. The Twin-Schnorr IBI is slightly superior in terms of efficiency and security compared to the HIBI scheme proposed in Fujioka et al. (2014). We are considering the Hierarchical IBI scheme without pairing, which is an efficient scheme in the case of a targeted identity.

Table 1: Efficiency analysis for the Hierarchical IBI scheme without pairing

Algorithm   E   MG   MZ   A
SETUP       2   1    0    0
EXTRACT     4   2    4    4
PROVE       5   3    2    2
VERIFY      4   3    0    0

Table 2: Comparison of the identification protocol with other HIBI schemes, where l is the number of hierarchy levels

Scheme                                  P     E   MG   MZ   A   Assumption
HIBI by Chin et al. (2009)              l+1   l   l    0    0   CDH, OMCDH
Waters-HIBI by Fujioka et al. (2014)    4     6   3    0    0   Prime order bilinear group
Hess-HIBI by Fujioka et al. (2014)      4     6   3    0    0   Composite order bilinear group
RSA-HIBI by Fujioka et al. (2014)       0     3   0    3    4   RSA
HIBI without pairing                    0     9   6    2    2   DLP

According to the communication cost calculation, the Hierarchical IBI without pairing is more efficient and secure compared to the other HIBI schemes, with the exception of Fujioka et al.'s RSA scheme, since pairing operations are costly.

7. Concluding Remarks

In this paper, we upgraded the Twin-Schnorr IBI scheme into the Hierarchical IBI scheme without pairing. Our proposed Hierarchical IBI scheme without pairing is designed to prove many identifications and verifications at a time. The proposed scheme is efficient, as it is pairing-free, and secure based on the discrete logarithm assumption.

References

Barapatre, P. and Rangan, C. P. (2013). Identity-based identification schemes from ID-KEMs. In International Conference on Security, Privacy, and Applied Cryptography Engineering, pages 111–129. Springer.

Bellare, M., Namprempre, C., and Neven, G. (2009). Security proofs for identity-based identification and signature schemes. Journal of Cryptology, 22(1):1–61.

Bellare, M. and Palacio, A. (2002). GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In Annual International Cryptology Conference, pages 162–177. Springer.

Boneh, D. and Franklin, M. (2003). Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3):586–615.

Chin, J.-J., Heng, S.-H., and Goi, B.-M. (2009). Hierarchical identity-based identification schemes. In International Conference on Security Technology, pages 93–99. Springer.

Chin, J.-J., Tan, S.-Y., Heng, S.-H., and Phan, R. C.-W. (2015). Twin-Schnorr: a security upgrade for the Schnorr identity-based identification scheme. The Scientific World Journal, 2015.

Fiat, A. and Shamir, A. (1986). How to prove yourself: Practical solutions to identification and signature problems. In Conference on the Theory and Application of Cryptographic Techniques, pages 186–194. Springer.

Fujioka, A., Saito, T., and Xagawa, K. (2012). Security enhancements by OR-proof in identity-based identification. In International Conference on Applied Cryptography and Network Security, pages 135–152. Springer.

Fujioka, A., Saito, T., and Xagawa, K. (2014). Secure hierarchical identity-based identification without random oracles. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 97(6):1307–1317.

Gentry, C. and Silverberg, A. (2002). Hierarchical ID-based cryptography. In International Conference on the Theory and Application of Cryptology and Information Security, pages 548–566. Springer.

Horwitz, J. and Lynn, B. (2002). Toward hierarchical identity-based encryption. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 466–481. Springer.

Ioannidis, J., Keromytis, A., and Yung, M. (2005). Applied cryptography and network security. Springer Berlin/Heidelberg.

Kam, Y. H. S., Chin, J. J., and Tan, S. Y. (2015). The Schnorr-suite: Simulation of pairing-free identity-based identification schemes using Java. In International Conference on Security, Privacy, and Applied Cryptography Engineering, pages 13–18. SEKEIE 2015.

Katz, J. and Lindell, Y. (2014). Introduction to modern cryptography. CRC Press.

Kurosawa, K. and Heng, S.-H. (2004). From digital signature to ID-based identification/signature. In International Workshop on Public Key Cryptography, pages 248–261. Springer.

Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Workshop on the Theory and Application of Cryptographic Techniques, pages 47–53. Springer.

Tan, S.-Y., Heng, S.-H., Phan, R. C.-W., and Goi, B.-M. (2011). A variant of Schnorr identity-based identification scheme with tight reduction. In International Conference on Future Generation Information Technology, pages 361–370. Springer.


Malaysian Journal of Mathematical Sciences 13(S) August: 111–125 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

A New Attack on Special-Structured RSA Primes

Ghafar, A.H.A.*1, Ariffin, M.R.K.1,2, and Asbullah, M.A.1,3

1 Laboratory of Cryptography, Analysis and Structure, Institute for Mathematical Research, Universiti Putra Malaysia, Malaysia

2 Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, Malaysia

3 Centre of Foundation Studies for Agricultural Science, Universiti Putra Malaysia, Malaysia

E-mail: [email protected]

*Corresponding author

ABSTRACT

The RSA cryptosystem has withstood a number of cryptanalyses of its mathemat­ical structures over the years. The cryptanalysis provides the users of the cryptosystem with some particular cases where the RSA private keys can be exposed, hence diminishing its security. In this paper, we discuss a general case of our previous attack on RSA primes. Our attack corresponds to special-structured RSA primes, namely primes that are relatively close to their nearest squared numbers. We also count the number of primes that are vulnerable to our attack. Finally, we present the countermeasure that can be implemented in the RSA key generation algorithm to avoid our attack.

Keywords: RSA cryptosystem, cryptanalysis, RSA primes.


1. Introduction

The growth in the number of digital applications has marked the importance of a secure cryptosystem, which ensures that communications between the applications are confidential while maintaining their integrity. One of the main cryptosystems in use today is the RSA cryptosystem, which was introduced by Rivest et al. (1978). The cryptosystem utilizes the integer factorization problem (IFP) as one of its security features. This hard mathematical problem depends on the hardness of finding the prime factors of a very large integer, which in general is still infeasible since it can only be solved by factoring algorithms in sub-exponential time (Crandall and Pomerance, 2006). However, there are many factoring algorithms that focus on special instances of primes. These algorithms are able to factor an integer in polynomial time if the prime factors of the integer exhibit certain structures that can be manipulated mathematically. This situation consequently poses a danger to the RSA cryptosystem if no proper countermeasure is introduced. For that, FIPS (2013) has provided a standard guideline to avoid the usage of such vulnerable primes.

In this paper, we introduce other instances of primes that can lead to a disastrous impact on RSA. The special-structured primes in this paper can be retrieved in polynomial time if they are used as the RSA primes. We also count the number of these vulnerable primes in terms of n-bit size to show that there are possibilities for these primes to be unknowingly chosen as the RSA primes. Finally, we present a suitable countermeasure to avoid the usage of such primes, since there is no method in the standard guideline of RSA to avoid these primes.

1.1 RSA Cryptosystem

A brief description of the RSA key generation algorithm is given in this section. We omit the details of the RSA encryption and decryption algorithms since our attack is not related to them. First, the RSA key generation algorithm generates two non-trivial primes of $n$-bit size, $p$ and $q$, to form a parameter called the RSA modulus $N$, where $N = pq$. Then, the key generation algorithm chooses a suitable $e$ such that $\gcd(e, \phi(N)) = 1$, where $\phi(N)$ is Euler's phi function of $N$. Then $d$ is computed such that $ed \equiv 1 \pmod{\phi(N)}$. The parameters $(N, e)$ are called the RSA public keys while $(p, q, \phi(N), d)$ are called the RSA private keys.

Our attack in this paper describes an effort to factor $N$ in polynomial time. In general, we focus on the structures of $p$ and $q$. We show that if $p$ and $q$ both have the special structure introduced in this paper, $N$ can be factored by the adversary in polynomial time, hence exposing the private keys $p$ and $q$.

1.2 Outline of This Paper

The paper is organized as follows. In Section 2, we describe some significant previous works that have been the motivations and guidelines for our result. Next, we present our attack in Section 3 and describe in Section 4 the method to count the vulnerable primes affected by our attack in the previous section. Then, in Section 5, we introduce the countermeasure to avoid using the vulnerable primes, before we conclude our paper in Section 6.

2. Previous Works

There have been a number of factoring algorithms over the years, since the IFP fascinates mathematicians. One of the earliest algorithms of this type is Euler's factorization algorithm (Riesel, 2012). It depends on the statement that the product of two sums of two squares is a sum of two squares. If there are primes that satisfy the conditions of the statement, then the product of the primes can be factored. This work is almost similar to Fermat's factorization method. Fermat's method focuses on finding the values of odd integers $v$ and $w$ to factor $u$ such that $u = v^2 - w^2 = (v - w)(v + w)$ (Lehman, 1974). While the method is sometimes less efficient than the trial division method, which is basically the simplest strategy in factoring an integer, the combination of both methods may work on certain instances of a composite number. The strategy used in Fermat's method gave the motivation for the fastest general-purpose factoring algorithm, the general number field sieve algorithm (Lenstra et al., 1993).

On the other hand, there are also special-purpose factoring algorithms that specialize in certain instances of primes. For example, an algorithm by Pollard (1974) can factor a number $N$ which has prime factors $p_1 \cdot p_2 \cdot \ldots \cdot p_n$ in polynomial time if, for $i = 1, 2, \ldots, n$, $p_i - 1$ has only small prime factors. That is, $p - 1$ can be broken completely into small prime factors that are less than an integer $L$. Another algorithm, called the elliptic curve factoring algorithm, was introduced by Lenstra Jr (1987). It replaces the multiplicative group used in Pollard's $p - 1$ algorithm with the group of points on a random elliptic curve.


2.1 Our Motivation

In our previous work, we investigated the impact of using $p = a^m + 1$ and $q = b^m + 1$ where $m = 2^i$ with $i = 1, 2, \ldots$ (Ghafar et al., 2018). In that paper, we showed that such $N = pq$ can be factored in polynomial time by computing the value of $\left( \lfloor \sqrt{N} \rfloor - i \right)^m$ where $i$ is a small integer. The work was motivated by a result of Friedlander and Iwaniec (1997) which states that there are infinitely many primes of the form $a^2 + 1$. This shows the significance of our attack, since primes of this form are affected by our result. In this paper, we generalize the form of $p$ and $q$. Particularly, we investigate the result of using $p = a^m + r_p$ and $q = b^m + r_q$ where $m = 2^i$ with $i = 1, 2, \ldots$ and $r_p, r_q$ are sufficiently small integers.

3. The New Attack

In this section, we discuss our new attack. The next lemma relates $\sqrt{a^m + r}$ to its integer and fractional parts.

Lemma 3.1. Let $a, r \in \mathbb{Z}^+$ and let $m \ge 2$ be a power of 2. If $\sqrt{a^m + r} = a^{m/2} + \varepsilon$, then $\varepsilon < \dfrac{r}{2a^{m/2}}$.

Proof. Let $a^m + r$ be an integer with $a \in \mathbb{Z}^+$. Since $r > 0$,
$$\sqrt{a^m + r} < \sqrt{a^m + r + \frac{r^2}{4a^m}} = \sqrt{\left(a^{m/2} + \frac{r}{2a^{m/2}}\right)^2} = a^{m/2} + \frac{r}{2a^{m/2}}.$$
Since $\sqrt{a^m + r} = a^{m/2} + \varepsilon$, it follows that $\varepsilon < \dfrac{r}{2a^{m/2}}$. This terminates the proof.

With the result from Lemma 3.1, we can find lower and upper bounds on $N^{1/2} - (ab)^{m/2}$ in the following lemma.

Lemma 3.2. Let $a, b \in \mathbb{Z}^+$ and let $m \ge 2$ be a power of 2 such that $a < b < 2a$. Suppose $N = (a^m + r_p)(b^m + r_q)$ where $r_p \le r_q < N^\gamma$. If $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, then
$$(r_p r_q)^{1/2} \le N^{1/2} - (ab)^{m/2} < \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1,$$
with equality on the left only when $a^m r_q = b^m r_p$.

Proof. To prove the lower bound, we first show that $a^m r_q + b^m r_p \ge 2(ab)^{m/2}(r_p r_q)^{1/2}$. Observe that
$$\left(a^{m/2} r_q^{1/2} - b^{m/2} r_p^{1/2}\right)^2 = a^m r_q + b^m r_p - 2(ab)^{m/2}(r_p r_q)^{1/2}.$$
The left-hand side is a square and hence nonnegative (it is zero only when $a^m r_q = b^m r_p$), which gives $a^m r_q + b^m r_p \ge 2(ab)^{m/2}(r_p r_q)^{1/2}$. Then
$$\sqrt{(a^m + r_p)(b^m + r_q)} = \sqrt{(ab)^m + a^m r_q + b^m r_p + r_p r_q} \ge \sqrt{(ab)^m + 2(ab)^{m/2}(r_p r_q)^{1/2} + r_p r_q} = \sqrt{\left((ab)^{m/2} + (r_p r_q)^{1/2}\right)^2} = (ab)^{m/2} + (r_p r_q)^{1/2}.$$
Thus $\sqrt{(a^m + r_p)(b^m + r_q)} - (ab)^{m/2} = N^{1/2} - (ab)^{m/2} \ge (r_p r_q)^{1/2}$.

To prove the upper bound, write $\sqrt{a^m + r_p} = a^{m/2} + \varepsilon_1$ and $\sqrt{b^m + r_q} = b^{m/2} + \varepsilon_2$. Then, by Lemma 3.1,
$$N^{1/2} = \sqrt{(a^m + r_p)(b^m + r_q)} = \sqrt{a^m + r_p}\,\sqrt{b^m + r_q} = (a^{m/2} + \varepsilon_1)(b^{m/2} + \varepsilon_2) = (ab)^{m/2} + a^{m/2}\varepsilon_2 + b^{m/2}\varepsilon_1 + \varepsilon_1\varepsilon_2$$
$$< (ab)^{m/2} + a^{m/2}\,\frac{r_q}{2b^{m/2}} + b^{m/2}\,\frac{r_p}{2a^{m/2}} + \frac{r_p}{2a^{m/2}}\cdot\frac{r_q}{2b^{m/2}}. \qquad (1)$$
If $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, then
$$\frac{r_p}{2a^{m/2}}\cdot\frac{r_q}{2b^{m/2}} = \frac{r_p r_q}{4(ab)^{m/2}} < \frac{4(ab)^{m/2}}{4(ab)^{m/2}} = 1. \qquad (2)$$
If $a < b < 2a$, then (1) becomes
$$N^{1/2} - (ab)^{m/2} < \frac{a^{m/2} r_q}{2b^{m/2}} + \frac{b^{m/2} r_p}{2a^{m/2}} + 1 = \left(\frac{a}{b}\right)^{m/2}\frac{r_q}{2} + \left(\frac{b}{a}\right)^{m/2}\frac{r_p}{2} + 1 < (1)^{m/2}\,\frac{r_q}{2} + (2)^{m/2}\,\frac{r_p}{2} + 1 = \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1.$$
This terminates the proof.

Having obtained the lower and upper bounds on $N^{1/2} - (ab)^{m/2}$ in Lemma 3.2, we proceed with the following theorem to factor $N = pq$ in polynomial time.


Theorem 3.1. Let $a, b \in \mathbb{Z}^+$ and let $m \ge 2$ be a power of 2 such that $a < b < 2a$. Suppose $N = (a^m + r_p)(b^m + r_q)$ is a valid RSA modulus. Let $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, where $\max\{r_p, r_q\} = N^\gamma$. If $N^\gamma$ is sufficiently small, then $N$ can be factored in polynomial time.

Proof. From Lemma 3.2 we have $(r_p r_q)^{1/2} \le N^{1/2} - (ab)^{m/2} < \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1$. Thus
$$N^{1/2} - \left(\frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1\right) < (ab)^{m/2} \le N^{1/2} - (r_p r_q)^{1/2}. \qquad (3)$$
Suppose $r_p = N^{\gamma_1}$ and $r_q = N^{\gamma_2}$ are known. Then the difference between the upper and lower bounds of (3) is
$$N^{1/2} - (r_p r_q)^{1/2} - N^{1/2} + \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1 \le N^\gamma\left(2^{\frac{m}{2}-1} + \frac{1}{2}\right) - \left((\min\{r_p, r_q\})^2\right)^{1/2} + 1 = N^\gamma\left(\frac{2^{m/2} + 1}{2}\right) - \min\{r_p, r_q\} + 1,$$
which is the size of the set of candidates for $(ab)^{m/2}$. If $N^\gamma$ is sufficiently small, we can find $(ab)^{m/2}$ in polynomial time by trying every candidate. By computing $\left((ab)^{m/2}\right)^2$ we obtain $(ab)^m$. Next, we can see that
$$N - r_p r_q = (a^m + r_p)(b^m + r_q) - r_p r_q = (ab)^m + a^m r_q + b^m r_p \equiv a^m r_q + b^m r_p \pmod{(ab)^m}.$$
Since $a^m r_q + b^m r_p < 2a^m b^{m/2} + 2b^m a^{m/2} < (ab)^m$ whenever $a^{m/2} > 4$, the residue is the exact integer $a^m r_q + b^m r_p$. By finding the roots of the quadratic equation
$$X^2 - (a^m r_q + b^m r_p)X + (ab)^m r_p r_q = 0,$$
we obtain $x_1 = a^m r_q$ and $x_2 = b^m r_p$. Since $r_p$ and $r_q$ are known, we can then compute
$$a^m = \frac{x_1}{r_q} \quad\text{and}\quad b^m = \frac{x_2}{r_p}.$$
Thus we factor $N$ by calculating
$$\frac{N}{b^m + r_q} = a^m + r_p.$$
This terminates the proof.


A New Attack on Special-Structured RSA Primes

Remark 3.1. Throughout this paper, we use the term `sufficiently small' for sizes of numbers that are computationally feasible to brute-force on current computing machines. This is related to the NIST suggestion from 2010 that a key space with fewer than $2^{80}$ elements may be feasible to brute-force by computing machines in the near future (Barker et al., 2012). Hence an integer space with fewer than $2^{80}$ elements is considered sufficiently small in our case.

The algorithm to factor $N = pq$ via Theorem 3.1 is as follows.

Algorithm 1 Factoring $N = pq = (a^m + r_p)(b^m + r_q)$ via Theorem 3.1
Require: $N, r_p, r_q, m$
Ensure: $p, q$
1: Set $i = \left\lceil (r_p r_q)^{1/2} \right\rceil$.
2: while $i < \left\lfloor \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1 \right\rfloor$ do
3:   Set $\sigma = \left(\lfloor\sqrt{N}\rfloor - i\right)^2$.
4:   Calculate $z \equiv N - r_p r_q \pmod{\sigma}$.
5:   Solve $X^2 - zX + \sigma r_p r_q = 0$.
6:   Set $x_1 = X_1$ and $x_2 = X_2$.
7:   if $N/(x_1/r_q + r_p)$ or $N/(x_2/r_p + r_q)$ is not an integer then
8:     $i \leftarrow i + 1$
9:   else
10:    exit the loop
11:  end if
12: end while
13: Output $p = x_1/r_q + r_p$ and $q = x_2/r_p + r_q$.

If the discriminant $z^2 - 4\sigma r_p r_q$ in step 5 is not a perfect square, the roots are not integers and the test in step 7 fails in the same way, so the loop simply moves on to the next $i$.

The following example illustrates Algorithm 1.

Example 3.1. We use an RSA-2048 modulus in this example. Specifically, we are given

N = 1939133831924806606133876996976871687068609653763060909324448
    8668514800635826815744380480577064007971365134666183669601095
    8155783481842790728153408479119399762603861278141593483588318
    0658196006836190128581789804020622061036339071154358680942063
    2565404189405055681272917936676120931081002832888478823820373
    5947313379284127719468283019386285632933463059274409471301888
    9766975429020483124452679885746781484566076595100007926035076
    9676930032535503214291431427677073662668575112732211044822652
    0386299044393468981751535180261474975851491597630344397435627
    0516781664462941952717473384070030332692688081483434497701485
    3137639.

If $r_p = 900535$ and $r_q = 801217$ are known (here $m = 2$, so the upper bound of Lemma 3.2 is $\lfloor r_q/2 + r_p + 1\rfloor$), then we set
$$i = \left\lceil (r_p r_q)^{1/2} \right\rceil = 849426.$$
Then we calculate
$$\sigma = \left(\lfloor\sqrt{N}\rfloor - i\right)^2 \quad\text{and}\quad z \equiv N - r_p r_q \pmod{\sigma} \qquad (4)$$
and solve the equation
$$X^2 - zX + \sigma r_p r_q = 0 \qquad (5)$$
for its roots $x_1, x_2$. We find that neither $x_1/r_q + r_p$ nor $x_2/r_p + r_q$ is an integer. This means that $x_1$ and $x_2$ are not our final solutions, and that $\sigma \ne (ab)^m$ at this point. To find the correct $\sigma$, we continue the search by iterating (4) and (5) over successive values of $i$. This search runs in polynomial time, since by Lemma 3.2 $i$ must be less than
$$\frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1 = 1301144.$$
That means the operations in (4) and (5) are repeated at most $1301144 - 849426 + 1 = 451719$ times. In this case, when $i = 851797$ (after 2371 increments of $i$), we find

σ = (⌊√N⌋ − i)²
  = 1939133831924806606133876996976871687068609653763060909324448
    8668514800635826815744380480577064007971365134666183669601095
    8155783481842790728153408479119399762603861278141593483588318
    0658196006836190128581789804020622061036339071154358680942063
    2565404189405055681272917936676120931081002832888478823820136
    3644226247359509479622750206627815044709366516531058654173197
    4604923352225424730353329032249086913623919353764524727298560
    5591555129796787303628030327922665738872798367891162749149287
    8610056969597136857386365933544863559028289824946864269961727
    7275323735121074694484308390477519869370362474253549976365912
    5809936

and

z = N − r_p r_q (mod σ)
  = 2372303087131924618239845532812758470588224096542743350817128
    6915162052076795058394099350853497694570942157241335483198736
    5164085374902738715910663401099754407923795776744841048295673
    3641776242074796332124365169246716611416823201772683480127473
    8993241457929341867258233164993592510463322325607229884521263
    4203376608,

which produce

N / (x_1/r_q + r_p)
  = 13700386761479536402226136058449627163320996243973232147
    33434571249622914952137540384698192037021610302105168487
    87964345485387738830063329770436775997607191136323419341
    78978105273604821452801636627889076570287685089046421945
    59321229911297610484313176711855558800328066662776370116
    43622625530512124168946150939,

which is an integer, and

N / (x_2/r_p + r_q)
  = 14153861972546204716991607515293408672586498379096795090
    45234715633813327222483363462306688824357868992092397689
    36782644059806867509531431679202497456095447203331524817
    99603351626050627890990413314169820141621929500991751698
    98966830625839073322513143453891474436200004141038009977
    91940162343931070147127595301,

which is also an integer. These two integers are the cofactors of $x_1/r_q + r_p$ and $x_2/r_p + r_q$, i.e. the two prime factors of $N$. Hence, $N$ has been successfully factored in polynomial time.
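The following is an added implementation of Algorithm 1 (example code, not from the paper). It runs the loop of steps 1 to 13 with exact integer arithmetic: `integer_roots` is step 5 with a perfect-square test on the discriminant, and `factor_special` tries both assignments of the two roots to $\{a^m r_q,\; b^m r_p\}$ and accepts a candidate only if it divides $N$. The function names, the toy instance $p = 100^2 + 7 = 10007$, $q = 141^2 + 130 = 20011$ (both prime, $100 < 141 < 200$, $r_p < 2\cdot 100$, $r_q < 2\cdot 141$) and the choice to start at $\lfloor (r_p r_q)^{1/2} \rfloor$ rather than the ceiling are assumptions of this example; $N$, $r_p$ and $r_q$ in `PAPER_N`, `PAPER_RP`, `PAPER_RQ` are copied from Example 3.1 and are only used in the demonstration under `__main__`.

```python
from math import isqrt


def integer_roots(z, c):
    """Integer roots of X^2 - z*X + c = 0 (step 5 of Algorithm 1), largest first,
    or None if the discriminant is not a perfect square or the roots are not integers."""
    disc = z * z - 4 * c
    if disc < 0:
        return None
    s = isqrt(disc)
    if s * s != disc or (z + s) % 2:
        return None
    return (z + s) // 2, (z - s) // 2


def factor_special(N, rp, rq, m):
    """Algorithm 1 / Theorem 3.1: factor N = (a^m + rp)(b^m + rq) given rp, rq and m.
    Returns (p, q) with p < q, or None if no offset in the Lemma 3.2 window works."""
    root = isqrt(N)                                  # floor(sqrt N)
    # Lemma 3.2 gives sqrt(rp*rq) <= sqrt(N) - (ab)^(m/2), so the true offset
    # root - (ab)^(m/2) is at least floor(sqrt(rp*rq)); starting at the floor
    # (the paper starts at the ceiling) can never skip it.
    i = isqrt(rp * rq)
    bound = rq // 2 + 2 ** (m // 2 - 1) * rp + 1     # floor of the Lemma 3.2 upper bound
    while i <= bound and root - i > 0:
        sigma = (root - i) ** 2                      # candidate for (ab)^m
        z = (N - rp * rq) % sigma                    # = a^m*rq + b^m*rp when sigma == (ab)^m
        roots = integer_roots(z, sigma * rp * rq)
        if roots is not None:
            # The roots are {a^m*rq, b^m*rp} in unknown order, so try both pairings
            # and accept a candidate only if it really divides N.
            for x, r_div, r_add in ((roots[0], rq, rp), (roots[1], rq, rp),
                                    (roots[0], rp, rq), (roots[1], rp, rq)):
                if x % r_div == 0:
                    cand = x // r_div + r_add        # a^m + rp  or  b^m + rq
                    if 1 < cand < N and N % cand == 0:
                        return tuple(sorted((cand, N // cand)))
        i += 1
    return None


# Constructed toy instance (not from the paper): p = 100^2 + 7 and q = 141^2 + 130
# are prime, 100 < 141 < 200, rp < 2*100 and rq < 2*141, so Lemma 3.2 applies.
TOY_P, TOY_Q = 10007, 20011
TOY_RP, TOY_RQ, TOY_M = 7, 130, 2
TOY_N = TOY_P * TOY_Q                                # 200250077

# N, rp and rq of Example 3.1, copied from the paper (m = 2 there).
PAPER_N = int(
    "1939133831924806606133876996976871687068609653763060909324448"
    "8668514800635826815744380480577064007971365134666183669601095"
    "8155783481842790728153408479119399762603861278141593483588318"
    "0658196006836190128581789804020622061036339071154358680942063"
    "2565404189405055681272917936676120931081002832888478823820373"
    "5947313379284127719468283019386285632933463059274409471301888"
    "9766975429020483124452679885746781484566076595100007926035076"
    "9676930032535503214291431427677073662668575112732211044822652"
    "0386299044393468981751535180261474975851491597630344397435627"
    "0516781664462941952717473384070030332692688081483434497701485"
    "3137639")
PAPER_RP, PAPER_RQ = 900535, 801217

if __name__ == "__main__":
    print(factor_special(TOY_N, TOY_RP, TOY_RQ, TOY_M))          # (10007, 20011)
    res = factor_special(PAPER_N, PAPER_RP, PAPER_RQ, 2)         # a few thousand steps
    if res:
        p, q = res
        print("p =", p)
        print("q =", q)
        print("p*q == N:", p * q == PAPER_N,
              " offset i =", isqrt(PAPER_N) - isqrt(p) * isqrt(q))
```

On the toy instance the offset is $\lfloor\sqrt{N}\rfloor - ab = 14150 - 14100 = 50$, inside the window $[30, 73]$, and at $i = 50$ the residue $z = 1439167 = 100^2\cdot 130 + 141^2\cdot 7$ splits into the roots $1300000$ and $139167$. Run as a script, the block also replays Example 3.1 on the 2048-bit modulus; the search stops at $i = 851797$ because $r_p$ and $r_q$ are only 20 bits, which is exactly why Remark 3.1 treats anything below $2^{80}$ as feasible.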

Remark 3.2. Observe that $N$ in Example 3.1 does not exhibit any noticeable structure (such as long runs of adjacent 0's or 1's) in its value. As such, RSA users may well have generated such a modulus without noticing. Thus, Algorithm 1 is valuable for RSA users to detect such moduli and preempt their use.

4. The Number of Vulnerable Primes to the New Attack

In this section, we calculate the number of primes having the structure discussed in Section 3. First, we determine the number of squared numbers (perfect squares) that share the same bit size.

Lemma 4.1. If $n$ is any large positive integer, then there are at least $\left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right)\right\rfloor$ squared numbers between $2^{n-1}$ and $2^n - 1$.

Proof. Let $X = \{x_i^2\}_{i=1}^{k}$ be the set of all squared numbers between $2^{n-1}$ and $2^n - 1$. Particularly,
$$2^{n-1} < x_i^2 < 2^n - 1.$$
Then
$$2^{\frac{1}{2}(n-1)} < x_i < (2^n - 1)^{1/2} \;\Rightarrow\; 2^{\frac{1}{2}(n-1)} < x_i < \left(\left(2^{n/2} - 1\right)\left(2^{n/2} + 1\right)\right)^{1/2}. \qquad (6)$$
Next, compute the difference between the upper bound and the lower bound of (6) in integer form. That is,
$$\left\lfloor \left(\left(2^{n/2} - 1\right)\left(2^{n/2} + 1\right)\right)^{1/2} - 2^{\frac{1}{2}(n-1)} \right\rfloor \ge \left\lfloor \left(\left(2^{n/2} - 1\right)\left(2^{n/2} - 1\right)\right)^{1/2} - 2^{\frac{1}{2}(n-1)} \right\rfloor = \left\lfloor \left(\left(2^{n/2} - 1\right)^2\right)^{1/2} - 2^{\frac{1}{2}(n-1)} \right\rfloor = \left\lfloor 2^{n/2} - 1 - 2^{\frac{1}{2}(n-1)} \right\rfloor = \left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right) - 1 \right\rfloor.$$
If $n$ is any large positive integer, then
$$\left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right) - 1 \right\rfloor \approx \left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right) \right\rfloor,$$
the exact guarantee being one less than the stated bound, which is negligible for the values of $n$ used in RSA. This terminates the proof.

Theorem 4.1. Let $\pi(x)$ be the prime-counting function that gives the number of primes less than or equal to $x$, for any real number $x$. Then
$$\pi(x) \sim \frac{x}{\log x}.$$

Proof. See Jameson (2003).

With the result from Lemma 4.1, we can determine the number of weak primes that are affected by our attack.

Theorem 4.2. Let $a, b, r_p, r_q$ be integers greater than 0 and let $m$ be a power of 2. Suppose $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, where $\max\{r_p, r_q\} = N^\gamma$. Let $x > 0$ be an integer such that $x^2$ is the smallest squared number of $n$-bit size, and write $K = \left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right)\right\rfloor$. Then the number of primes affected by our attack, $\pi_2(x)$, is asymptotic to
$$\pi_2(x) \sim \frac{K}{2}\left(\frac{N^\gamma}{\log\left(x^2\right)} + \frac{N^\gamma}{\log\left((x + K)^2\right)}\right).$$

Proof. First, we recall the Prime Number Theorem (Theorem 4.1), which states that for any real number $x$, $\pi(x)$ is asymptotic to
$$\pi(x) \sim \frac{x}{\log x}.$$
Using this, given two real numbers $x_0$ and $x_1$ with $x_0 < x_1 < 2x_0$, we can count the number of primes between the two numbers. That is,
$$\frac{x_1}{\log x_1} - \frac{x_0}{\log x_0} \approx \frac{x_1}{\log x_0} - \frac{x_0}{\log x_0} = \frac{x_1 - x_0}{\log x_0}. \qquad (7)$$
Let $x > 0$ be an integer such that $x^2$ is the smallest squared number of $n$ bits, and let $\pi_1(x)$ be the prime-counting function between $x^2$ and $x^2 + \max\{r_p, r_q\}$. Similarly to (7),
$$\pi_1(x) = \frac{x^2 + \max\{r_p, r_q\}}{\log\left(x^2 + \max\{r_p, r_q\}\right)} - \frac{x^2}{\log x^2} \approx \frac{x^2 + \max\{r_p, r_q\}}{\log x^2} - \frac{x^2}{\log x^2} = \frac{x^2 + \max\{r_p, r_q\} - x^2}{\log x^2} = \frac{\max\{r_p, r_q\}}{\log x^2} = \frac{N^\gamma}{\log x^2}.$$
From Lemma 4.1, we know there are approximately $K = \left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right)\right\rfloor$ squared numbers of $n$-bit size, where $n$ is a large integer suitable for RSA. Thus, $\pi_1$ for the consecutive squared numbers is as follows:
$$\pi_1(x) = \frac{N^\gamma}{\log\left(x^2\right)},\quad \pi_1(x+1) = \frac{N^\gamma}{\log\left((x+1)^2\right)},\quad \pi_1(x+2) = \frac{N^\gamma}{\log\left((x+2)^2\right)},\quad \ldots,\quad \pi_1(x+K) = \frac{N^\gamma}{\log\left((x+K)^2\right)}. \qquad (8)$$
The summation of (8) is approximated by the formula for the sum of an arithmetic progression, where the number of terms is multiplied by the sum of the first and last terms and divided by 2 (the terms are not exactly an arithmetic progression, but $\log\left((x+i)^2\right)$ changes so slowly over $0 \le i \le K$ that the error is negligible). That is,
$$\pi_2 = \sum_{i=0}^{K-1} \frac{N^\gamma}{\log\left((x+i)^2\right)} \approx \frac{K}{2}\left(\pi_1(x) + \pi_1(x+K)\right) = \frac{K}{2}\left(\frac{N^\gamma}{\log\left(x^2\right)} + \frac{N^\gamma}{\log\left((x+K)^2\right)}\right). \qquad (9)$$
This terminates the proof.

The following is an example to illustrate the result from Theorem 4.2.

Example 4.1. In this example we compute the number of primes used in RSA-2048 that are vulnerable to our attack. From Theorem 4.2, we need to compute
$$\frac{K}{2}\left(\frac{N^\gamma}{\log\left(x^2\right)} + \frac{N^\gamma}{\log\left((x + K)^2\right)}\right), \qquad K = \left\lfloor 2^{n/2}\left(1 - 2^{-1/2}\right)\right\rfloor.$$
Following Example 3.1, we have $n = 1024$ and $\max\{r_p, r_q\} = N^{0.009661\ldots}$, which implies $\gamma = 0.009661$. Observe that $x = 2^{\frac{n-1}{2}}$, since $x^2 = 2^{n-1}$ is the smallest number of $n$-bit size. Substituting these values into (9), we obtain
$$\pi_2(x) \sim \frac{K}{2}\left(\frac{N^\gamma}{\log\left(x^2\right)} + \frac{N^\gamma}{\log\left((x + K)^2\right)}\right) \approx 7.0265327\ldots \times 10^{153}. \qquad (10)$$
Thus, there are approximately $7.0265327\ldots \times 10^{153}$ primes that are susceptible to our attack if RSA-2048 is used.
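The estimate in Theorem 4.2 is heuristic, so a practitioner will want to see how it compares with an exact count where one is possible. The block below is an added example (not the paper's code) that, for small bit sizes $n$, counts the $n$-bit squares exactly against the Lemma 4.1 bound and counts the $n$-bit primes of the form $x^2 + r$ with $1 \le r \le R$ by trial division, next to the right-hand side of (9) evaluated with $N^\gamma = R$. The function names, the trial-division primality test, the choice of $x$ as the smallest integer whose square has $n$ bits (the paper uses $x = 2^{(n-1)/2}$), and the closed form used for the floor in `lemma41_bound` are assumptions of this example.

```python
from math import isqrt, log


def is_prime(n):
    """Trial division; fine for the small n-bit ranges enumerated here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def lemma41_bound(n):
    """floor(2^(n/2) * (1 - 2^(-1/2))) = floor(sqrt(2^n) - sqrt(2^(n-1))), computed
    exactly: for even n the subtracted root is irrational, for odd n the first one is."""
    if n % 2 == 0:
        return 2 ** (n // 2) - (isqrt(2 ** (n - 1)) + 1)
    return isqrt(2 ** n) - 2 ** ((n - 1) // 2)


def square_range(n):
    """Smallest and largest x whose square has exactly n bits."""
    return isqrt(2 ** (n - 1) - 1) + 1, isqrt(2 ** n - 1)


def count_squares(n):
    """Exact number of perfect squares with exactly n bits (2^(n-1) <= x^2 < 2^n)."""
    lo, hi = square_range(n)
    return hi - lo + 1


def count_near_square_primes(n, R):
    """Exact number of n-bit primes of the form x^2 + r with 1 <= r <= R, i.e. the
    primes Theorem 4.2 estimates when max(rp, rq) = R (m = 2, so a^m = x^2).
    Consecutive squares are more than R apart here, so no prime is counted twice."""
    lo, hi = square_range(n)
    return sum(1 for x in range(lo, hi + 1) for r in range(1, R + 1)
               if x * x + r < 2 ** n and is_prime(x * x + r))


def theorem42_estimate(n, R):
    """Right-hand side of (9) with N^gamma = R and natural logarithm, as in Theorem 4.1."""
    K = lemma41_bound(n)
    x, _ = square_range(n)
    return K / 2 * (R / log(x * x) + R / log((x + K) ** 2))


if __name__ == "__main__":
    R = 2
    for n in (8, 12, 16, 20):
        print(f"n={n:2d}: squares exact={count_squares(n):4d} lemma={lemma41_bound(n):4d}"
              f"  near-square primes exact={count_near_square_primes(n, R):4d}"
              f" estimate={theorem42_estimate(n, R):8.1f}")
```

For $n = 8$ and $R = 2$ the candidates are $145, 146, 170, 171, 197, 198, 226, 227$, of which $197 = 14^2 + 1$ and $227 = 15^2 + 2$ are prime, so the exact count is 2. The exact number of $n$-bit squares exceeds the Lemma 4.1 floor by at most one, matching the $-1$ that the lemma's proof absorbs into its approximation.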

5. Countermeasure of the Attack

In this section, we present a countermeasure that prevents the use of the vulnerable primes discussed in Section 3. The countermeasure is depicted in Figure 1.

Given $N$, $p$ and $q$, if
$$\left\lceil N^{1/2} - \left\lfloor p^{1/2} \right\rfloor \cdot \left\lfloor q^{1/2} \right\rfloor \right\rceil \qquad (11)$$
is a sufficiently small integer, then the RSA key generation algorithm must find a new $p$ or $q$.

Figure 1: Countermeasure to the attack shown in Section 3.

Since the computation is minimal, the prevention of the attack can be applied in real-world RSA implementations. The check covers every power $m$ at once, because $a^m = (a^{m/2})^2$ and $\lfloor p^{1/2}\rfloor = a^{m/2}$ whenever $r_p < 2a^{m/2} + 1$; it has to run inside key generation, where $p$ and $q$ are available, and `sufficiently small' is the $2^{80}$ threshold of Remark 3.1.
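An added implementation of the Figure 1 check (example code, not the paper's), computed exactly in integers: since $\lfloor p^{1/2}\rfloor\lfloor q^{1/2}\rfloor$ is an integer, the ceiling in (11) can be moved onto $N^{1/2}$, and $\lceil N^{1/2}\rceil$ is `isqrt(N)` plus one unless $N$ is a perfect square. The function names, the $2^{80}$ threshold taken from Remark 3.1, the weak pair $p = 100^2 + 7 = 10007$, $q = 141^2 + 130 = 20011$ (both prime) and the control pair $p' = (2^{511})^2 + 2^{100}$, $q' = p' + 2$ (not prime; they only show the gap once the offset from the square exceeds the brute-force budget) are assumptions of this example.

```python
from math import isqrt

BRUTE_FORCE_BITS = 80    # Remark 3.1: a search space below 2^80 is "sufficiently small"


def ceil_sqrt(n):
    """Smallest integer r with r*r >= n."""
    r = isqrt(n)
    return r if r * r == n else r + 1


def square_gap(p, q):
    """Quantity (11), ceil(sqrt(N) - floor(sqrt p) * floor(sqrt q)) for N = p*q, as an
    exact integer. For p = a^m + rp, q = b^m + rq with rp < 2a^(m/2) + 1 and
    rq < 2b^(m/2) + 1 this is ceil(sqrt(N) - (ab)^(m/2)), the offset Algorithm 1 scans for."""
    return ceil_sqrt(p * q) - isqrt(p) * isqrt(q)


def is_weak_pair(p, q, bits=BRUTE_FORCE_BITS):
    """True if the key generator should discard this pair and draw a new p or q."""
    return square_gap(p, q) < 2 ** bits


def generate_checked(draw_prime, bits=BRUTE_FORCE_BITS, max_tries=1000):
    """Figure 1 wired into a key generator: draw_prime() is any prime source (assumed
    callable without arguments); keep drawing q until (p, q) passes the gap test."""
    p = draw_prime()
    for _ in range(max_tries):
        q = draw_prime()
        if q != p and not is_weak_pair(p, q, bits):
            return p, q
    raise RuntimeError("no acceptable q found")


# Constructed pairs (not from the paper).
WEAK_P, WEAK_Q = 10007, 20011                 # 100^2 + 7 and 141^2 + 130, both prime
CTRL_P = 2 ** 1022 + 2 ** 100                 # (2^511)^2 + 2^100: offset already > 2^80
CTRL_Q = CTRL_P + 2                           # same floor square root as CTRL_P

if __name__ == "__main__":
    for p, q in ((WEAK_P, WEAK_Q), (CTRL_P, CTRL_Q)):
        gap = square_gap(p, q)
        print(f"gap ~ 2^{gap.bit_length() - 1}:", "reject" if is_weak_pair(p, q) else "accept")
```

For the weak pair the gap is $\lceil\sqrt{200250077}\rceil - 100\cdot 141 = 14151 - 14100 = 51$, so the pair is rejected; for the control pair $N' = p'(p' + 2)$ lies strictly between $p'^2$ and $(p' + 1)^2$, so the gap is exactly $2^{100} + 1$ and the pair passes. The test is cheap (two integer square roots per candidate pair) and belongs next to the other fitness checks a key generator already performs on $p$ and $q$.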

6. Conclusion

Our new method successfully factors $N$ in polynomial time provided $N$ satisfies the conditions of Theorem 3.1. We also show in Theorem 4.2 that the number of primes susceptible to our attack is large and depends on the size of $p$ and $q$. Our attack includes primes that can be generated by current standard RSA implementations, namely RSA-2048, as in Example 3.1. Thus, a new countermeasure should be introduced into the existing guidelines to prevent such an attack.

Acknowledgements

The research was supported by the Ministry of Education of Malaysia under the Fundamental Research Grant Scheme (FRGS/1/2019/STG06/UPM/02/08).

References

Barker, E., Barker, W., Burr, W., Polk, W., and Smid, M. (2012). NIST Special Publication 800-57, Recommendation for Key Management.

Crandall, R. and Pomerance, C. B. (2006). Prime Numbers: A Computational Perspective, volume 182. Springer Science & Business Media.

FIPS PUB 186-4 (2013). Digital Signature Standard (DSS). Information Technology Laboratory, National Institute of Standards and Technology (NIST), Gaithersburg, MD.

Friedlander, J. and Iwaniec, H. (1997). Using a parity-sensitive sieve to count prime values of a polynomial. Proceedings of the National Academy of Sciences, 94(4):1054–1058.

Ghafar, A. H. A., Ariffin, M. R. K., and Asbullah, M. A. (2018). Extending Pollard class of factorable RSA modulus. In Cryptology and Information Security Conference, page 103.

Jameson, G. J. O. (2003). The Prime Number Theorem, volume 53. Cambridge University Press.

Lehman, R. S. (1974). Factoring large integers. Mathematics of Computation, 28(126):637–646.

Lenstra, A. K., Lenstra, H. W., Manasse, M. S., and Pollard, J. M. (1993). The number field sieve. In The Development of the Number Field Sieve, pages 11–42. Springer.

Lenstra Jr, H. W. (1987). Factoring integers with elliptic curves. Annals of Mathematics, pages 649–673.

Pollard, J. M. (1974). Theorems on factorization and primality testing. In Mathematical Proceedings of the Cambridge Philosophical Society, volume 76, pages 521–528. Cambridge University Press.

Riesel, H. (2012). Prime Numbers and Computer Methods for Factorization, volume 126. Springer Science & Business Media.

Rivest, R. L., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126.


Malaysian Journal of Mathematical Sciences 13(S) August: 127–140 (2019). Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

QuCCs: An Experimental of Quantum Key Distribution using Quantum Cryptography and Communication Simulator

Zukarnain, Z.A.∗1, Buhari, A.1, Harun, N.Z.1,2, and Khalid, R.1

1 Department of Network, Faculty of Computer Science & Information Technology, University Putra Malaysia, Malaysia
2 Department of Information Security, Faculty of Computer Science and Information Technology, University Tun Hussein Onn Malaysia, Malaysia

E-mail: [email protected]
∗ Corresponding author

ABSTRACT

The applications of quantum information science move towards bigger and better dimensions for the next generation of technology. In the field of quantum cryptography and quantum computation, the world has already witnessed various groundbreaking tangible products and promising results. Quantum cryptography is one of the mature fields of quantum mechanics, and devices are already available in the market. To reach the heights of digital cryptography, the current state of quantum cryptography is still under various lines of research. However, the complexity of quantum cryptography is high due to the combination of hardware and software. The lack of an effective simulation tool to design and analyze quantum cryptography experiments delays the arrival of success. Therefore, in this paper, a framework for an effective single-photon-based quantum cryptography simulation tool is proposed. The limitations of experiments based on a commercial photonic simulation tool are also highlighted. Finally, ideas for achieving a one-stop simulation package for quantum-based secure key distribution experiments are discussed. The proposed modules of the simulation framework have been analyzed from the programming perspective.

Keywords: quantum cryptography, quantum computation, quantum key distribution.

1. Introduction

Nowadays, data and information can be stolen during any kind of digital transaction, even with the current security measures. The secure key distribution problem remains a holy-grail research topic in the security world. As the modern world moves completely towards digital, digital transactions and communication are becoming the norm of society, and with the same growth in usage, hacking, spying and phreaking have become common critical threats. The basic reason behind these threats is the vulnerable nature of digital communication: any information can be copied without detection. Most of the popular current security mechanisms provide only computational security, which means security bounded by the current technology limit; these mechanisms are in principle vulnerable to brute-force attack, and the quantum computer is the strongest candidate for breaking them. Therefore, quantum security protocols have been researched for a long time as a solution that provides unconditional security for the existing transactions of data in the network. A quantum security protocol uses the smallest particle of light, the photon, to transfer information over fiber optic cables. In particular, the no-cloning theorem and Heisenberg's uncertainty principle give rise to a new breed of cryptography, so-called quantum cryptography. Quantum cryptography has the inbuilt ability to detect eavesdropping: an intercepted quantum state is disturbed and cannot be replicated. Within quantum cryptography, Quantum Key Distribution (QKD) is the mature field, and real-time products are available in the market.

QKD already has a history of 30 years. From the ground-breaking protocol BB84 (Bennett and Brassard, 2014) to the current QKD protocols, the field has undergone many developments, and improvements in quantum hardware improve the quality of QKD-based solutions. The presence of noise in the channel and losses due to imperfect devices mean that QKD needs more rigorous research to reach the maturity of digital cryptography. Even so, QKD has grown enormously compared to quantum computing. Currently, QKD research is mostly either experimental or mathematical. Mathematical modeling is inefficient because it cannot capture the issues of a real experiment, while experimental research is expensive because it requires photonic components; at this stage it costs millions to set up and implement quantum security solutions. Further, QKD research lacks an effective simulation tool that can simulate a QKD protocol and its implementation. Developing a quantum-based simulation is complex, and it is also very difficult to measure and quantify the risk of using quantum security solutions. Current simulation tools simulate macroscopic elements very well because those are deterministic, whereas quantum behaviour is stochastic by nature, and classical theories have so far failed to describe the microscopic level of elements completely. Before we delve into further issues, a brief summary of quantum theory is given in order to understand the quantum world clearly.

Therefore, a quantum simulator offers an easy way to manipulate the desired component parameters while keeping the other parameters fixed. It also provides a simpler way of conducting experiments, with a further cost reduction relative to the practical real experiment. This article aims to emphasize the modeling issues of the quantum world and the details that need to be considered during computer simulation. We describe the design of the proposed Quantum Cryptography and Communication Simulator (QuCCs), implemented with Java for the interface, MatLab/Mathematica for calculation, and MySQL as the database. QuCCs is a simulator intended as a software design tool for implementing secure key exchange solutions based on quantum principles. Moreover, QuCCs is designed as an online simulation tool with various interactive features such as online collaboration, a virtual lab, cost estimation and budget planning, which align with quantum communication experimental models.

This paper also aims to emphasize the modeling issues of the quantum world and the details that need to be considered during computer simulation. We briefly describe the modeling issues of macroscopic devices in the quantum world. For example, detectors are macroscopic devices used to measure microscopic quantities. Macroscopic measuring devices have an enormous number of quantum states. Due to the decoherence effect, the wave function of the neutron in the detector loses some information, and the detector registers the remaining information with a relative probability. Simulation of the quantum world consists of stochastic processes, so the random number generator plays a vital role in a computer simulation program for the quantum world. This article is organized as follows: Section 2 outlines the background work on quantum cryptography simulators. Section 3 describes the quantum theory. Section 4 introduces the design of the QuCCs model. Section 5 provides the methodology used to conduct the simulation. Section 6 discusses the experiment's results, while Section 7 concludes this article and outlines future work.


2. Quantum Cryptography Simulator

This section reviews several quantum cryptography simulators for conducting quantum experiments. Pereszlényi (2005) studied the QKD protocols at the quantum circuit level: his Qcircuit tool has a quantum circuit interface with various objects denoting the QKD elements and analyzes the quantum bit error rate. Later, an object-oriented simulation for QKD was proposed by Zhang et al. (2007). Zhao and De Raedt (2008) proposed an event-by-event simulation model, with the polarizer as the simulated component, for QKD protocols, i.e. the BB84 protocol of Bennett and Brassard and Ekert's protocol (Ekert, 1991), with the presence of Eve and measurement misalignment as scenarios. Niemiec et al. (2011) presented a C++ application to evaluate and test quantum cryptography protocols. This application has an elegant user-friendly interface and many modules which cover the entire QKD operation: BB84 and B92 as protocol options, two modules for eavesdropping, a noise level module, and privacy amplification. This simulation is suited to understanding overall QKD operations.

In contrast to the above works, the simulation framework proposed in our previous work concentrates more on experimental elements (Buhari, 2012, Buhari et al., 2012a,b,c). Further, the scalability of our modules is better: one can extend to other encodings, i.e. phase and amplitude, and to the deployment of decoy states. However, entanglement-based QKD and the correlation of simulation output statistics with published experimental results are still upcoming challenges. Moreover, the QKD field lacks efficient simulation for studying and evaluating hardware performance. In our previous work, we proposed polarization-based QKD as a discrete event simulation using the commercial photonic simulation software OptiSystem. OptiSystem is basically a design and analysis tool for photonic telecommunication; however, since it provides various photonic components, QKD experiments can be modeled with it. OptiSystem offers a drag-and-drop solution with various inbuilt components.

Due to the lack of a real detector setup and of other important components in our previous OptiSystem-based research, the experimental results were less accurate, although close to real experiments. Precisely, the lack of a polarization beam splitter (PBS) in the source module and the lack of a detector in the receiver module made the simulation less significant. These limitations are the core motivation for the current research. In this paper, the required building blocks and a systematic workflow for experimental quantum cryptography protocols are proposed and defined.


3. Quantum Theory

Quantum theory describes physics on a microscopic scale, such as the scale of atoms, molecules, electrons and protons. Neither Newton's mechanics of moving objects nor Maxwell's description of light as a wave can describe microscopic elements precisely. The unconditional security of quantum cryptography rests on two results of quantum theory, the Heisenberg uncertainty principle and the no-cloning theorem. The Heisenberg uncertainty principle implies that an intruder cannot determine the properties of a quantum state without disturbing it, while the no-cloning theorem states that an unknown quantum state cannot be copied. The following subsections briefly explain the building blocks of quantum mechanics, taken from Howard (1985), Pereszlényi (2005) and Zhang et al. (2007).

3.1 Photon

Quantum theory describes light as particles called photons. In 1905, Einstein proposed that light is made of quanta, later named photons, with well-defined energy and momentum; de Broglie later extended this wave-particle duality from photons to matter. Energy is a scalar and momentum is a vector quantity. Photons can be treated as packets of light which behave as particles; to describe the interaction of light with matter, the particle (quantum) description of light is needed. A single photon has an energy given by
$$E = \frac{hc}{\lambda} \qquad (1)$$
where $h$ is Planck's constant, with the value $6.6 \times 10^{-34}$ J·s, $c$ is the speed of light, with the value $3 \times 10^{8}$ m/s, and $\lambda$ is the wavelength of the light in meters. Photons also carry momentum, which is related to the energy by
$$p = \frac{E}{c} = \frac{h}{\lambda}. \qquad (2)$$
In QKD, the process of sharing sensitive information securely between parties in the network is realized with the support of a key exchanged using photons, which is then used for encryption. The transmission of photons happens through the quantum channel, while the transmission of the data is carried out through public channels such as radio frequency channels and the Internet.


3.2 Quantum Superposition

A quantum system can be in two states at once. For example, each quantum bit (qubit) can encode both a 1 and a 0 at the same time. The superposition state can be defined as
$$|\Psi\rangle = \alpha|0\rangle + \beta|1\rangle = \begin{bmatrix}\alpha \\ \beta\end{bmatrix} \qquad (3)$$
where $|\Psi\rangle$ is the superposition state, $|0\rangle$ and $|1\rangle$ are the qubit basis states, and $\alpha$ and $\beta$ are complex numbers. $\begin{bmatrix}\alpha \\ \beta\end{bmatrix}$ is a two-dimensional vector in which $|0\rangle$ equals $\begin{bmatrix}1 \\ 0\end{bmatrix}$ and $|1\rangle$ equals $\begin{bmatrix}0 \\ 1\end{bmatrix}$. The coefficients $\alpha$ and $\beta$ satisfy
$$|\alpha|^2 + |\beta|^2 = 1 \qquad (4)$$
where $|\alpha|^2$ is the probability of obtaining $|0\rangle$ when $|\Psi\rangle$ is measured and $|\beta|^2$ is the probability of obtaining $|1\rangle$.

3.3 Quantum Phase Transition

A phase transition is a change in the collective properties of a macroscopic number of atoms; a quantum phase transition describes a change in the nature of the quantum superposition in a macroscopic quantum system.

3.4 Quantum Decoherence

Decoherence is the loss of coherence, or of the ordering of the phase angles, between the components of a system in a quantum superposition. Decoherence increases with the number of quantum logic gates (qubits). Research is going into decreasing decoherence by limiting the number of macroscopic devices involved in the process.

3.5 Quantum Entanglement

Entanglement is one of the fields of quantum mechanics; it can be defined as a correlation between particles that cannot be separated even when the particles are separated by a distance. Two qubits are assumed to be entangled when the measurement of one qubit affects the state of the other qubit. A disturbance of the entangled qubits by an eavesdropper may break the correlation between them (Verma et al., 2019). The simplest entangled state is the Bell state, consisting of two entangled particles called an Einstein-Podolsky-Rosen (EPR) pair. In quantum entanglement, measurement is important to determine whether a state is entangled or separable. There are two types of entangled state: the qubits spinning in the same direction and in different directions (Chen et al., 2015). In QKD, the entangled state is utilized to establish a secure key and to detect the presence of an eavesdropper. However, it is hard to adopt the entangled state in the current communication system due to the difficulties of generating, transmitting and storing the entangled state efficiently. Besides, a comparative study conducted by Sharma et al. (2016) found that quantum cryptography using entanglement is physically more expensive compared to single qubits.

4. QuCCs's Model Design

This section describes and elaborates the proposed simulation framework called QuCCs. As mentioned earlier, the quantum domain is considered at the microscopic level, i.e. the qubit, and at the macroscopic level, i.e. the devices: transmitter, channel and receiver components. The relation between micro and macro is defined as mesoscopic simulation.

From the computer program's point of view, devices are defined as a list of properties or characteristics. A property refers to a member or variable of a computer program, while the properties themselves refer to the microscopic level, i.e. the qubit. The mesoscopic features are the functions or behaviours responsible for changes in the qubit properties according to the device properties. A complete mathematical description of macroscopic devices is reviewed by Scarani et al. (2009). Figure 1 classifies the mesoscopic simulation features. The following section briefly describes the modeling of a few optical components.

4.1 Coherent Wave (CW) Laser

The laser is one of the important components in the source module. There are various types of laser available on the market. This section presents the coherent wave type of laser. The intrinsic property of a CW laser can be described by the equation

$$|\sqrt{\mu}\,e^{i\theta}\rangle \equiv |\alpha\rangle = e^{-\frac{\mu}{2}} \sum_{n=0}^{\infty} \frac{\alpha^n}{\sqrt{n!}}\,|n\rangle \qquad (5)$$

where $\alpha$ is the average number of photons or intensity of a pulse, $\mu$ is equal to $\alpha^2$ and $\theta$ is the phase factor. It can be noted that $\alpha$ and $\theta$ are randomly generated at the time of the simulation run, while $\mu$ is calculated based on user input.

Figure 1: Classification of Mesoscopic Simulation

4.2 Fiber Optic Channel

The fiber channel's loss intrinsic property can be represented as

$$t = 10^{-\frac{\alpha l}{10}} \qquad (6)$$

where $\alpha$ is the attenuation coefficient and $l$ is the fiber optic distance. In the fiber optic network, the standard attenuation can be set up based on the operating wavelengths: 1550nm, 1300nm and 800nm for short, medium and long range applications. The attenuation coefficients are 0.25, 0.35 and 2dB/km correspondingly. The values of $\alpha$ and $l$ are gathered from the user input.

4.3 Polarization Beam Splitter (PBS)

The PBS component plays a vital role in polarization-based QKD experiments. The PBS is responsible for choosing the encoding scheme randomly. In other words, the whole random mechanism of QKD depends on this component.


Table 1: Parameter value of the experiment

| Property    | Polarization  | Photon generation |
|-------------|---------------|-------------------|
| Rectilinear | 90° or 0°     | Random            |
| Diagonal    | +45° or -45°  | Random            |

4.4 Detector

The detector is the vital component in the receiver module. The function of a detector is to convert light into an electrical signal. Nevertheless, quantum cryptography still lacks a perfect detector. Ideally, a good detector must be able to achieve a high detection rate. The analysis by Harun et al. (2018) showed that many important criteria need to be fulfilled in order to choose the best detector, including a low dark count rate and a high detector efficiency.

Table 2: Intrinsic Property of Detectors

| Property                       | APD    | InGaAs         | VLPC    | SSPD  | TES             |
|--------------------------------|--------|----------------|---------|-------|-----------------|
| Detected Wavelength            | 600    | 600            | 600     | 600   | 600             |
| Quantum Efficiency             | 50%    | 10%            | 58%-85% | 0.9%  | 65%             |
| Fraction of dark count rate    | 100Hz  | $10^{-5}$/gate | 20KHz   | 100Hz | 10Hz            |
| Repetition Rate                | CW     | CW             | CW      | CW    | CW              |
| Maximum Count Rate             | 15     | 0.1            | 0.015   | N/A   | 0.001           |
| Jitter [ps]                    | 50-200 | 500            | N/A     | 68    | $9 \times 10^4$ |
| Temperature of Operation [K]   | 250    | 220            | 6       | 2.9   | 0.1             |
| Distinguishing Photon Number   | N      | N              | Y       | N     | Y               |

5. Methodology

This section describes and elaborates the proposed simulation framework called QuCCs. As mentioned earlier, the quantum domain covers the microscopic, such as the qubit, and the macroscopic, such as the transmitter, channel and receiver components. The relation between micro and macro is defined as mesoscopic simulation.


The QuCCs model is a combination of discrete event simulation (DES), system dynamics and continuous simulation techniques. DES drives the overall workflow of the simulation. Continuous event simulation is responsible for qubit operations, and the mesoscopic simulation is carried out by system dynamics. As shown in Figure 2, the approach to operating the experiment is discrete event, where the events describe the flow of the experiment to produce qubits based on polarization. QuCCs enables users to input the values of the properties according to their experiment's requirements. Table 1 presents the parameters and the value range of the components in the QuCCs simulator.

Figure 2: The simulation's flow of events

Table 3: Parameter value of the experiment

| Component            | Properties                                  | Value range          | Function                                                                                                                  |
|----------------------|---------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------|
| Standard Laser       | Frequency                                   | 0 to infinity        | CalculateEnergy(), CalculatePhotoelectricEffect(), GenerateNoOfPhotons(), CalculateMomentum(), CalculateCompotonEffect() |
| Polarizer            | Set of polarization                         | H, V, LD, RD         | SetPolarization()                                                                                                         |
| Standard Attenuator  | Attenuation, Loss (dBm)                     | Between 0 and 1      | ReduceEnergyValue(), ReduceNoOfPhoton()                                                                                   |
| Fibre Optic Channel  | Length                                      | Between 0 and 100000 | ReduceEnergyValue(), CurrentEnergy(Joule)                                                                                 |
| Detector             | No. of incident photons, No. of electrons   | H, V, LD, RD         | RetrievePolarization()                                                                                                    |
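The mesoscopic idea of Sections 4 and 5, device properties changing photon properties, can be seen end to end in the following added example; it is not QuCCs code. It chains equations (1), (2) and (6) with a detector quantum efficiency into functions named after the Table 3 entries, and assumes (a standard property of coherent states not stated on the page) that the photon number of a CW laser pulse with mean photon number µ is Poisson distributed.

```python
"""Mesoscopic photon-pulse simulation: laser -> fibre -> detector.

Added example (not QuCCs code).  It strings together the page's building
blocks: photon energy E = hc/lambda (eq. 1), momentum p = h/lambda (eq. 2),
fibre transmittance t = 10^(-alpha*l/10) (eq. 6) and a detector with a
quantum efficiency, named after the Table 3 functions.
Assumption: the photon number of a coherent (CW laser) pulse with mean
photon number mu is Poisson distributed (a standard property of coherent
states that the page itself does not state).
"""
import math
import random

# Constants with the values used on the page.
H = 6.6e-34   # Planck constant
C = 3e8       # speed of light, m/s

# Page's operating wavelengths (nm) and attenuation coefficients (dB/km).
ATTENUATION_DB_PER_KM = {1550: 0.25, 1300: 0.35, 800: 2.0}


def calculate_energy(wavelength_m: float) -> float:
    """Eq. (1): energy of a single photon in joules."""
    return H * C / wavelength_m


def calculate_momentum(wavelength_m: float) -> float:
    """Eq. (2): momentum of a single photon, E/c = h/lambda."""
    return calculate_energy(wavelength_m) / C


def fibre_transmittance(alpha_db_per_km: float, length_km: float) -> float:
    """Eq. (6): fraction of photons surviving a fibre of the given length."""
    return 10 ** (-alpha_db_per_km * length_km / 10)


def generate_no_of_photons(mu: float, rng: random.Random) -> int:
    """Sample the photon number of one coherent pulse (Poisson, mean mu)."""
    # Knuth's method; adequate for the small mu typical of QKD sources.
    limit, k, prod = math.exp(-mu), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def reduce_no_of_photon(n: int, survival: float, rng: random.Random) -> int:
    """Independently drop each of n photons with probability 1 - survival."""
    return sum(1 for _ in range(n) if rng.random() < survival)


def expected_detections(mu, alpha_db_per_km, length_km, efficiency, pulses):
    """Mean number of detector clicks for the whole run (no dark counts)."""
    return mu * fibre_transmittance(alpha_db_per_km, length_km) * efficiency * pulses


def simulate(mu, wavelength_nm, length_km, efficiency, pulses, seed=1):
    """Run `pulses` laser pulses through fibre and detector; return counts."""
    rng = random.Random(seed)   # seeded so that a run is reproducible
    alpha = ATTENUATION_DB_PER_KM[wavelength_nm]
    t = fibre_transmittance(alpha, length_km)
    emitted = detected = 0
    for _ in range(pulses):
        n = generate_no_of_photons(mu, rng)
        emitted += n
        n = reduce_no_of_photon(n, t, rng)                   # fibre loss
        detected += reduce_no_of_photon(n, efficiency, rng)  # detector
    return {"emitted": emitted, "detected": detected, "transmittance": t,
            "photon_energy_J": calculate_energy(wavelength_nm * 1e-9)}
```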


To conduct the QKD experiment, we set up quantum components using QuCCs. The simulator provides an easy way to manipulate the desired parameters of each component, and it is very efficient to simulate the experiment at low cost compared to a practical testbed. Figure 3 presents the GUI of QuCCs, consisting of the component library on the left side and its properties on the left side; it allows the user to define parameters based on the precise component specification with varying configurations, such as the frequency of the laser and the incoming photon polarization.

Figure 3: The Graphical User Interface of QuCCs

6. Results and Discussions

In this section, the result of the experiment through QuCCs is shown and explained. Furthermore, the key challenges and benefits of QuCCs are discussed briefly. The experiment's result is presented in Figure 4 after the user clicks the run experiment button, where the user is able to view the obtained information after a successful simulation. The results present the energy of the laser, the polarization of the photon, the number of photons, the frequency, the Compton wavelength and the momentum value.

The quantum world is stochastic in nature; therefore, to model this stochastic or random nature, a random number generator with a large seed size is needed. Randomness is the key factor for superposition. However, a pseudo-random number generator (PRNG) implemented in a computer program has a vulnerability, since true random number generation can be achieved by external resources. Moreover, due to the limitation of experimental data, the validation and verification of results are difficult. Another limitation is that most quantum experimental devices are imperfect, which reduces the quality of the result.

Figure 4: The result of the experiments

Therefore, QuCCs is optimized to correlate with theoretical results as well as available experimental results. To achieve highly significant results, QuCCs is designed to exactly replicate the parameters and functions of quantum devices. QuCCs is a GUI-based simulation with a drag and drop solution, which also contains an inbuilt experimental model for fast processing. QuCCs also provides information about vendor details such as the specification of the component. Furthermore, QuCCs is equipped with a data and results export feature to ease the user's work. Moreover, QuCCs is designed as an online program which supports other interactive features like collaboration and a virtual lab. Thus QuCCs can support users from novice to expert in quantum information science.

7. Conclusion

This article deals with the practical realization of a quantum cryptography and communication simulator from an experimental point of view. The work summarizes the basic characteristics of the quantum components and describes ways of implementing a quantum simulator. The main part of this article deals with the QuCCs simulation environment, which is primarily intended as an economical way to simulate quantum communication experiments via online components with instant and reliable results. An example QuCCs implementation described in this article indicates that the results of quantum communication experiments rely on the variables set up for each quantum component. The classification of simulation, i.e. micro, meso and macro, is important to achieve proximity to real world experiments. Further, mesoscopic simulation is the bridge between devices and the qubit. We also highlight the software requirements to achieve a highly interactive GUI-based simulation tool. As a conclusion, QuCCs may benefit researchers in digital security, high-speed networks and quantum computation who model and simulate real quantum experiments and quantum communication. In the future, this work can be easily extended to entanglement-based research. Because the QuCCs software architecture is based on object-oriented programming, it is easy to enhance it or add new simulation elements.

References

Bennett, C. H. and Brassard, G. (2014). Quantum cryptography: Public key distribution and coin tossing. Theor. Comput. Sci., 560(12):7-11.

Buhari, A. (2012). An efficient modeling and simulation of quantum key distribution protocols using OptiSystemTM. In 2012 IEEE Symposium on Industrial Electronics and Applications, pages 84-89. IEEE.

Buhari, A., Zukarnain, Z. A., Subramaniam, S. K., Zainuddin, H., and Saharudin, S. (2012a). BB84 and noise immune quantum key distribution protocols simulation: An approach using photonic simulator. In Proc. Int. Conf. Comput. Intell. Syst., Int. Conf. Elect., Electron. (ICCIS), pages 30-36.

Buhari, A., Zukarnain, Z. A., Subramaniam, S. K., Zainuddin, H., and Saharudin, S. (2012b). A Discrete Event Simulation Approach on Polarized based Quantum Key Distribution Protocols using OptiSystemTM. International Journal of Computer Science and Information Security, 10(12):42-48.

Buhari, A., Zukarnain, Z. A., Subramaniam, S. K., Zainuddin, H., and Saharudin, S. (2012c). An Efficient Modeling and Simulation of Quantum Key Distribution Protocols Using OptiSystemTM. International Journal of Computer Science and Information Security, 10(12):8-14.

Chen, C.-Y., Zeng, G.-J., Lin, F.-J., Chou, Y.-H., and Chao, H.-C. (2015). Quantum cryptography and its applications over the internet. IEEE Network, 29(5):64-69.

Ekert, A. K. (1991). Quantum cryptography based on Bell's theorem. Physical Review Letters, 67(6):661.

Harun, N. Z., Zukarnain, Z. A., Hanapi, Z. M., and Ahmad, I. (2018). Evaluation of parameters effect in multiphoton quantum key distribution over fiber optic. IEEE Access, 6:47699-47706.

Howard, D. (1985). Einstein on locality and separability. Studies in History and Philosophy of Science Part A, 16(3):171-201.

Niemiec, M., Romański, Ł., and Święty, M. (2011). Quantum cryptography protocol simulator. In International Conference on Multimedia Communications, Services and Security, pages 286-292. Springer.

Pereszlényi, A. (2005). Simulation of quantum key distribution with noisy channels. In Proceedings of the 8th International Conference on Telecommunications, 2005. ConTEL 2005., volume 1, pages 203-210. IEEE.

Scarani, V., Bechmann-Pasquinucci, H., Cerf, N. J., Dušek, M., Lütkenhaus, N., and Peev, M. (2009). The security of practical quantum key distribution. Reviews of Modern Physics, 81(3):1301.

Sharma, V., Thapliyal, K., Pathak, A., and Banerjee, S. (2016). A comparative study of protocols for secure quantum communication under noisy environment: single-qubit-based protocols versus entangled-state-based protocols. Quantum Information Processing, 15(11):4681-4710.

Verma, P. K., El Rifai, M., and Chan, K. W. C. (2019). Multi-photon Quantum Secure Communication. Springer.

Zhang, X., Wen, Q., and Zhu, F. (2007). Object-oriented quantum cryptography simulation model. In Third International Conference on Natural Computation (ICNC 2007), volume 4, pages 599-602. IEEE.

Zhao, S. and De Raedt, H. (2008). Event-by-event simulation of quantum cryptography protocols. Journal of Computational and Theoretical Nanoscience, 5(4):490-504.


Malaysian Journal of Mathematical Sciences 13(S) August: 141-189 (2019)
Special Issue: The 6th International Cryptology and Information Security Conference (CRYPTOLOGY2018)

MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

Journal homepage: http://einspem.upm.edu.my/journal

Successful Cryptanalytic Attacks Upon RSA Moduli N = pq

Abubakar, S.I. *1, Ariffin, M.R.K. 1,2, and Asbullah, M.A. 1,3

1 Laboratory of Cryptography, Analysis and Structure, Institute for Mathematical Research, Universiti Putra Malaysia, Malaysia
2 Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, Malaysia
3 Centre of Foundation Studies for Agricultural Science, Universiti Putra Malaysia, Malaysia

E-mail: [email protected]
* Corresponding author

ABSTRACT

This paper reports four new cryptanalytic attacks which show that $t$ instances of RSA moduli $N_s = p_s q_s$ for $s = 1, \ldots, t$, where $t \ge 2$, can be simultaneously factored in polynomial time using simultaneous Diophantine approximations and lattice basis reduction techniques. We construct four systems of equations of the form $e_s d - k_s\phi(N_s) = 1$, $e_s d_s - k\phi(N_s) = 1$, $e_s d - k\phi(N_s) = z_s$ and $e_s d_s - k\phi(N_s) = z_s$ using

$$N - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right) \sqrt{N} \right\rceil + 1$$

as a good approximation of $\phi(N_s)$ for unknown positive integers $d$, $d_s$, $k_s$, $k$ and $z_s$. In our attacks, we found an improved short decryption exponent bound compared to some reported attacks.

Keywords: RSA Moduli, Simultaneous Diophantine Approximations, Lattice Basis Reduction, LLL algorithm.


1. Introduction

The increasing day-to-day use of shared telecommunications channels, particularly wireless and local area networks (LANs), results in greater connectivity, but also in a much greater opportunity to intercept data and forge messages. The only practical way to maintain the privacy and integrity of information is by using public-key cryptography, Yan (2008).

The most widely used public-key cryptosystem is RSA. It was developed in Rivest et al. (1978). The RSA cryptosystem setup involves randomly selecting two large prime numbers $p, q$ whose product $N = pq$ is known as the RSA modulus, a public key pair $(N, e)$ used for encrypting messages, where $e$ is randomly generated, and a private key pair $(N, d)$ used for decrypting the ciphertext. The two parameters $e, d$ are connected by $ed \equiv 1 \pmod{\phi(N)}$, where $\phi(N) = (p-1)(q-1)$ is called the Euler totient function of $N$. Applications of the RSA cryptosystem can be found in areas such as secure telephony, e-commerce, e-banking, smart cards and digital communication in different types of networks, Dubey et al. (2014).

The security of the RSA cryptosystem, as one of the public-key cryptosystems, relies on three major problems: the integer factorization problem, that is, the difficulty of factoring the RSA modulus $N = pq$ into its two non-trivial prime factors $p$ and $q$; finding an integer solution of the equation $ed = 1 + k\phi(N)$, where only $e$ is known and $k$, $d$ and $\phi(N)$ are unknown positive integers; and finally finding the $e$-th root of the expression $C = M^e \pmod N$. It is therefore recommended that RSA users generate primes $p$ and $q$ in such a way that the problem of factoring $N = pq$ is computationally infeasible for an adversary. Choosing $p$ and $q$ as strong primes has been recommended as a way of maximizing the difficulty of factoring the RSA modulus $N$.

The use of a short decryption exponent is to reduce the decryption time or the signature generation time. Wiener (1990) proved that RSA is insecure if the decryption exponent is $d < \frac{1}{3}N^{\frac{1}{4}}$, using continued fractions. He showed that $d$ can be found from the convergents of the continued fraction expansion of $\frac{e}{N}$, Wiener (1990). In 2004, Blömer and May reported an improved version of Wiener's attack using a generalized key equation of the form $ex - y\phi(N) = z$ for unknown parameters $x < \frac{1}{3}N^{\frac{1}{4}}$ and $|z| < exN^{-\frac{3}{4}}$, using a combination of the continued fraction method and lattice basis reduction methods. We emphasize that the continued fraction technique is still widely used in current algebraic cryptanalysis, for instance, Asbullah and Ariffin (2016a) and Asbullah and Ariffin (2016b).


Also, Hinek (2007) proved that $k$ RSA moduli $N_i$ can be factored if $d < N^{\gamma}$ for $\gamma = \frac{k}{2(k+1)} - \varepsilon$, where $\varepsilon$ is a small constant to be determined by considering the size of $\max N_i$. Another instance of factoring generalized key equations was reported by Nitaj et al. (2014). Nitaj et al. (2014) presented two scenarios which showed that $k$ RSA moduli $N_i = p_i q_i$ can be factored simultaneously in polynomial time. In the first scenario, they proved that if the equation $e_i x - y_i\phi(N_i) = z_i$ is satisfied, where $x < N^{\delta}$, $y_i < N^{\delta}$ and $|z_i| < \frac{p_i - q_i}{3(p_i + q_i)}\, y_i N^{\frac{1}{4}}$ for $\delta = \frac{k}{2(k+1)}$ and $N = \min N_i$, then the RSA moduli $N_i$ can be factored simultaneously. The second scenario showed that $k$ instances of RSA public key pairs $(N_i, e_i)$ satisfying the generalized key equation $e_i x_i - y\phi(N_i) = z_i$ for unknown integers $x_i$, $y$ and $z_i$, where $x_i < N^{\delta}$, $y < N^{\delta}$ and $|z_i| < \frac{p_i - q_i}{3(p_i + q_i)}\, y N^{\frac{1}{4}}$ for $\delta = \frac{k(2\alpha - 1)}{2(k+1)}$, $N = \min N_i$ and $\min e_i = N^{\alpha}$, can likewise be factored. They applied simultaneous Diophantine approximations and lattice basis reduction techniques and finally used Coppersmith's method to compute the prime factors $p_i$ and $q_i$ of the RSA moduli $N_i$ in polynomial time.

Similarly, Isah et al. (2018) presented some results in which we established that if the short decryption exponent satisfies $d < \sqrt{\frac{a^j + b^i}{2}} \left(\frac{N}{e}\right)^{\frac{1}{2}} N^{0.375}$, then $\frac{k}{d}$ can be found from the convergents of the continued fraction expansion of $\frac{e}{N_1}$, where

$$N_1 = N - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right) \sqrt{N} \right\rceil + 1$$

and $a, b, i, j$ are small positive integers, which led to the factorization of $N$ in polynomial time, Abubakar et al. (2018). This paper presents four attacks on $t$ instances of RSA public key pairs $(N_s, e_s)$ for $s = 1, \ldots, t$ satisfying the equations $e_s d - k_s\phi(N_s) = 1$, $e_s d_s - k\phi(N_s) = 1$, $e_s d - k_s\phi(N_s) = z_s$ and $e_s d_s - k\phi(N_s) = z_s$, where $d$, $d_s$, $k$, $k_s$ and $z_s$ are unknown positive integers. In the first attack, we show that $t$ RSA moduli $N_s = p_s q_s$ can be efficiently factored if there exist an integer $d$ and $t$ integers $k_s$ such that $e_s d - k_s\phi(N_s) = 1$ is satisfied. We show that the prime factors $p_s$ and $q_s$ of the $t$ moduli $N_s$ for $s = 1, \ldots, t$ can be found efficiently if $N = \max N_s$ and $d < N^{\gamma}$, $k_s < N^{\gamma}$, for all $\gamma = \frac{t(1+\beta)}{3t+1}$ with $\beta < \gamma \le \frac{1}{2}$. In the second attack, we also show that the $t$ instances of RSA moduli can be simultaneously factored if the equation $e_s d_s - k\phi(N_s) = 1$ is satisfied for integers $d_s < N^{\gamma}$, $k < N^{\gamma}$, for $\gamma = \frac{t(\alpha+\beta)}{3t+1}$, $N = \max N_s$ and $e_s = \min e_s$. In the third attack, we also show that a generalized key equation $e_s d - k_s\phi(N_s) = z_s$ can be solved, and the moduli factored, using simultaneous Diophantine approximations and lattice basis reduction methods if $d < N^{\gamma}$, $k_s < N^{\gamma}$, $z_s < N^{\gamma}$ for all $\gamma = \frac{t(1+\beta)}{3t+1}$ and $N = \max N_s$. In the final attack, the paper presents an attack on $t$ RSA moduli $N_s = p_s q_s$ satisfying an equation $e_s d_s - k\phi(N_s) = z_s$, in which we show that the attack can simultaneously factor the $t$ RSA moduli if $d_s < N^{\gamma}$, $k < N^{\gamma}$, $z_s < N^{\gamma}$ for all $\gamma = \frac{t(\alpha+\beta)}{3t+1}$, where $e_s = \min e_s = N^{\alpha}$ and $N = \max N_s$.


The rest of the paper is organized as follows. In Section 2, we present a review of some preliminary results: some previous theorems on $t$ instances of RSA public key pairs $(N_i, e_i)$ which simultaneously factored $t$ RSA moduli $N_i = p_i q_i$ using simultaneous Diophantine approximations and lattice basis reduction techniques. In Section 3, we present the proofs of our main results, with lemmas and theorems and their respective numerical examples, and finally in Section 4 we conclude the paper.

2. Preliminaries

In this section, we state some definitions and theorems related to $t$ instances of RSA public key pairs $(N_i, e_i)$ that simultaneously factored the RSA moduli $N_i = p_i q_i$ using simultaneous Diophantine approximations and lattice basis reduction techniques.

Definition 2.1. Let $\vec{b}_1, \ldots, \vec{b}_m \in \mathbb{R}^n$. The vectors $b_i$ are said to be linearly dependent if there exist $x_1, \ldots, x_m \in \mathbb{R}$, not all zero, such that

$$\sum_{i=1}^{m} x_i b_i = 0.$$

Otherwise, they are said to be linearly independent.

Definition 2.2. (Lenstra et al., 1982): Let $n$ be a positive integer. A subset $L$ of an $n$-dimensional real vector space $\mathbb{R}^n$ is called a lattice if there exists a basis $b_1, \ldots, b_n$ of $\mathbb{R}^n$ such that

$$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \left\{ \sum_{i=1}^{n} r_i b_i : r_i \in \mathbb{Z},\ 1 \le i \le n \right\}.$$

In this situation, we say that $b_1, \ldots, b_n$ is a basis for $L$, or that they span $L$.

Definition 2.3. (LLL Reduction) Nitaj (2012): Let $B = \langle b_1, \ldots, b_n \rangle$ be a basis for a lattice $L$ and let $B^* = \langle b_1^*, \ldots, b_n^* \rangle$ be the associated Gram-Schmidt orthogonal basis. Let

$$\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} \quad \text{for } 1 \le j < i.$$

The basis $B$ is said to be LLL reduced if it satisfies the following two conditions:

1. $\mu_{i,j} \le \frac{1}{2}$, for $1 \le j < i \le n$

2. $\frac{3}{4}\|b_{i-1}^*\|^2 \le \|b_i^* + \mu_{i,i-1} b_{i-1}^*\|^2$ for $1 \le i \le n$. Equivalently, it can be written as

$$\|b_i^*\|^2 \ge \left(\frac{3}{4} - \mu_{i,i-1}^2\right)\|b_{i-1}^*\|^2.$$


Theorem 2.1. (Blömer, 2004) Let $(N, e)$ be an RSA public key pair with modulus $N = pq$ and prime difference $p - q \ge cN^{\frac{1}{2}}$. Suppose that the public exponent $e \in \mathbb{Z}_{\phi(N)}$ satisfies an equation $ex + y = k\phi(N)$ with

$$0 < x < \frac{1}{3}N^{\frac{1}{4}} \quad \text{and} \quad |y| \le N^{-\frac{3}{4}}\, ex$$

for $c \le 1$. Then $N$ can be factored in polynomial time.

Theorem 2.2. (Lenstra, 1982) Let $L$ be a lattice of dimension $n$ having a basis $v_1, \ldots, v_n$. The LLL algorithm produces a reduced basis $b_1, \ldots, b_n$ satisfying the following condition

$$\|b_1\| \le \|b_2\| \le \cdots \le \|b_j\| \le 2^{\frac{n(n-1)}{4(n+1-j)}} \det(L)^{\frac{1}{n+1-j}}$$

for all $1 \le j \le n$, Lenstra et al. (1982).

Theorem 2.3. (Nitaj et al. 2014) (Simultaneous Diophantine Approximations) Given any rational numbers $\alpha_1, \ldots, \alpha_n$ and $0 < \varepsilon < 1$, there is a polynomial time algorithm to compute integers $p_1, \ldots, p_n$ and a positive integer $q$ such that

$$\max_i |q\alpha_i - p_i| < \varepsilon \quad \text{and} \quad q \le 2^{\frac{n(n-3)}{4}} \cdot 3^n \cdot \varepsilon^{-n}.$$

Theorem 2.4. Nitaj et al. (2014) Let $N_i = p_i q_i$ be $k$ RSA moduli for $i = 1, \ldots, k$, $k \ge 2$, and $N = \min N_i$. Let $e_i$, $i = 1, \ldots, k$, be $k$ public exponents. Define $\delta = \frac{k}{2(k+1)}$. If there exist an integer $x < N^{\delta}$ and $k$ integers $y_i < N^{\delta}$ and $|z_i| < \frac{p_i - q_i}{3(p_i + q_i)}\, y_i N^{1/4}$ such that $e_i x - y_i\phi(N_i) = z_i$ for $i = 1, \ldots, k$, then one can factor the $k$ RSA moduli $N_1, \ldots, N_k$ in polynomial time.

Theorem 2.5. Nitaj et al. (2014) Let $N_i = p_i q_i$ be $k$ RSA moduli for $i = 1, \ldots, k$, $k \ge 2$, where $q < p < 2q$. Let $e_i$, $i = 1, \ldots, k$, be $k$ public exponents with $\min e_i = N^{\alpha}$. Let $\delta = \frac{(2\alpha - 1)k}{2(k+1)}$. If there exist an integer $y < N^{\delta}$ and $k$ integers $x_i < N^{\delta}$ and $|z_i| < \frac{p_i - q_i}{3(p_i + q_i)}\, y N^{1/4}$ such that $e_i x_i - y\phi(N_i) = z_i$ for $i = 1, \ldots, k$, then one can factor the $k$ RSA moduli $N_1, \ldots, N_k$ in polynomial time.

3. Results

In this section, we present some theorems and their proofs with numerical examples to show how the attacks are carried out to simultaneously factor $t$ RSA moduli.


Lemma 3.1. If $a$ and $b$ are positive integers less than $\log N$ and $p$ and $q$ are prime numbers such that $a > b$, $ap^j - bq^j \ne 0$ and $N = pq$, then

$$\phi(N) < N - \left\lceil \frac{(a+b)^{\frac{1}{j}}}{(ab)^{\frac{1}{2j}}} \sqrt{N} \right\rceil + 1.$$

Proof. Let $(ap^j - bq^j)(bp^j - aq^j) > 0$; then we get

$$ab\,p^{2j} - a^2 p^j q^j - b^2 p^j q^j + ab\,q^{2j} > 0,$$

$$ab\,(p^{2j} + q^{2j}) > (a^2 + b^2)\, p^j q^j.$$

Adding $2ab\,p^j q^j$ to both sides we have:

$$ab\,(p^{2j} + 2p^j q^j + q^{2j}) > (a^2 + 2ab + b^2)\, p^j q^j,$$

$$(p^j + q^j)^2 > \frac{(a+b)^2\, p^j q^j}{ab},$$

$$p^j + q^j > \frac{(a+b)\,(p^j q^j)^{\frac{1}{2}}}{\sqrt{ab}}.$$

Since $(p+q)^j > p^j + q^j$, then

$$p + q > \frac{(a+b)^{\frac{1}{j}}}{(ab)^{\frac{1}{2j}}} \sqrt{N}.$$

Then $\phi(N) < N - \left\lceil \frac{(a+b)^{\frac{1}{j}}}{(ab)^{\frac{1}{2j}}} \sqrt{N} \right\rceil + 1$.

Lemma 3.2. If $a$ and $b$ are small positive integers and $p$ and $q$ are prime numbers such that $a^j p^i - b^j q^i \ne 0$ and $N = pq$ is an RSA modulus satisfying the condition $e < \phi(N)$, then

$$\phi(N) > N - \left\lceil \frac{(a+b)^{\frac{j}{i}}}{(ab)^{\frac{j}{2i}}} \sqrt{N} \right\rceil + 1,$$

for $2 < i < j$ and $a > b$.

Proof. Let $(a^j p^i - b^j q^i)(b^j p^i - a^j q^i) < 0$; then we get

$$a^j b^j p^{2i} - a^{2j} p^i q^i - b^{2j} p^i q^i + a^j b^j q^{2i} < 0,$$

$$a^j b^j (p^{2i} + q^{2i}) < (a^{2j} + b^{2j})\, p^i q^i.$$

Adding $2a^j b^j p^i q^i$ to both sides we have

$$a^j b^j (p^i + q^i)^2 < (a^j + b^j)^2\, p^i q^i,$$

$$(p^i + q^i)^2 < \frac{(a^j + b^j)^2}{a^j b^j} N^i,$$

$$p^i + q^i < \frac{a^j + b^j}{(ab)^{\frac{j}{2}}} N^{\frac{i}{2}}.$$

Since $p^i + q^i < (p+q)^i$, then

$$p + q < \frac{(a+b)^{\frac{j}{i}}}{(ab)^{\frac{j}{2i}}} \sqrt{N}.$$

Taking $j = i + 1$, we have $\phi(N) > N - \left\lceil \frac{(a+b)^{\frac{i+1}{i}}}{(ab)^{\frac{i+1}{2i}}} \sqrt{N} \right\rceil + 1$.

Theorem 3.1. Let $p$ and $q$ be distinct prime numbers and let $N = pq$ be an RSA modulus where $(N, e)$ is the public key pair with the condition $e < \phi(N)$. If $d < \sqrt{\frac{a^{i+1} + b^{i}}{2}} \left(\frac{N}{e}\right)^{\frac{1}{2}} N^{0.375}$ and

$$N_1 = N - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right) \sqrt{N} \right\rceil + 1,$$

for $i > 2$, then one of the convergents $\frac{k}{d}$ can be found from the continued fraction expansion of $\frac{e}{N_1}$, which leads to the factorization of the RSA modulus $N$ in polynomial time.

Proof. See Abubakar et al. (2018).
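The bounds of Lemma 3.1 and Lemma 3.2 and the approximation $N_1$ of Theorem 3.1 can be checked numerically on a toy modulus; the following added example is not the authors' code. It computes both lemma bounds on $p + q$, the approximation $N_1$, and the final step shared by the attacks (recovering $p$ and $q$ from $\phi(N)$ through the quadratic $x^2 - (N - \phi(N) + 1)x + N = 0$). The toy values $p = 1511$, $q = 1009$, $a = 2$, $b = 1$, $i = 3$, $j = 4$ are constructed here and satisfy the sign conditions assumed in both proofs.

```python
"""Checking the phi(N) approximation of Lemmas 3.1/3.2 and Theorem 3.1.

Added example, not the authors' code.  For a toy modulus N = pq it computes
the lower bound on p + q from Lemma 3.1, the upper bound from Lemma 3.2
(with j = i + 1), the approximation N1 used in Theorem 3.1, and recovers
p and q from phi(N) via x^2 - (N - phi + 1)x + N = 0.  Toy values
(p, q, a, b, i, j) = (1511, 1009, 2, 1, 3, 4) are constructed here; they
satisfy the proofs' sign conditions (a/b)^(1/j) < p/q < (a/b)^(j/i).
"""
import math


def phi(p: int, q: int) -> int:
    """Euler totient of N = pq."""
    return (p - 1) * (q - 1)


def lemma_3_1_lower(N: int, a: int, b: int, j: int) -> float:
    """Lemma 3.1: p + q > (a+b)^(1/j) / (ab)^(1/(2j)) * sqrt(N)."""
    return (a + b) ** (1 / j) / (a * b) ** (1 / (2 * j)) * math.sqrt(N)


def lemma_3_2_upper(N: int, a: int, b: int, i: int) -> float:
    """Lemma 3.2 with j = i+1: p + q < (a+b)^((i+1)/i)/(ab)^((i+1)/(2i)) sqrt(N)."""
    e = (i + 1) / i
    return (a + b) ** e / (a * b) ** (e / 2) * math.sqrt(N)


def approx_phi(N: int, a: int, b: int, i: int, j: int) -> int:
    """N1 of Theorem 3.1: N - ceil((term_i + term_j) * sqrt(N)) + 1."""
    e = (i + 1) / i
    term_i = (a ** e + b ** e) / (2 * (a * b) ** (e / 2))
    term_j = (a ** (1 / j) + b ** (1 / j)) / (2 * (a * b) ** (1 / (2 * j)))
    return N - math.ceil((term_i + term_j) * math.sqrt(N)) + 1


def sign_conditions_hold(p, q, a, b, i, j) -> bool:
    """Hypotheses used in the two proofs:
    (a p^j - b q^j)(b p^j - a q^j) > 0 and
    (a^j p^i - b^j q^i)(b^j p^i - a^j q^i) < 0."""
    c1 = (a * p ** j - b * q ** j) * (b * p ** j - a * q ** j) > 0
    c2 = (a ** j * p ** i - b ** j * q ** i) * (b ** j * p ** i - a ** j * q ** i) < 0
    return c1 and c2


def recover_primes(N: int, phi_N: int):
    """Solve x^2 - (N - phi + 1)x + N = 0 exactly; (q, p) or None."""
    s = N - phi_N + 1              # p + q
    disc = s * s - 4 * N
    if disc < 0:
        return None
    r = math.isqrt(disc)
    if r * r != disc or (s - r) % 2:   # phi(N) was not exact
        return None
    return (s - r) // 2, (s + r) // 2


def check(p, q, a, b, i, j) -> dict:
    """Evaluate every claim on one toy instance."""
    N = p * q
    phi_N = phi(p, q)
    N1 = approx_phi(N, a, b, i, j)
    return {
        "conditions": sign_conditions_hold(p, q, a, b, i, j),
        "lemma_3_1": phi_N < N - math.ceil(lemma_3_1_lower(N, a, b, j)) + 1,
        "lemma_3_2": phi_N > N - math.ceil(lemma_3_2_upper(N, a, b, i)) + 1,
        "N1": N1,
        "error_N1": abs(N1 - phi_N),   # how far N1 is from phi(N)
        "error_N": abs(N - phi_N),     # the naive approximation phi(N) ~ N
        "recovered": recover_primes(N, phi_N),
    }
```

With the toy values, $N_1$ misses $\phi(N)$ by 89 while $N$ itself misses it by 2519, which is the gain the continued fraction step of Theorem 3.1 relies on.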

3.1 System of Equations Using $N - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right) \sqrt{N} \right\rceil + 1$ as Approximation of $\phi(N)$

In this section, we present four attacks on $t$ RSA moduli $N_s = p_s q_s$ using systems of equations of the form $e_s d - k_s\phi(N_s) = 1$, $e_s d_s - k\phi(N_s) = 1$, $e_s d - k_s\phi(N_s) = z_1$ and $e_s d_s - k\phi(N_s) = z_1$ for $s = 1, \ldots, t$, for $3 \ge j < i$, in which we successfully factor the $t$ RSA moduli in polynomial time.

3.1.1 The Attack on $t$ RSA Moduli $N_s = p_s q_s$ Satisfying $e_s d - k_s\phi(N_s) = 1$

Taking $t \ge 2$, let $N_s = p_s q_s$ be $t$ RSA moduli, for $s = 1, \ldots, t$. The attack works for $t$ instances $(N_s, e_s)$ when there exist an integer $d$ and $t$ integers $k_s$ satisfying $e_s d - k_s\phi(N_s) = 1$. We show that the prime factors $p_s$ and $q_s$ of the $t$ RSA moduli $N_s$ for $s = 1, \ldots, t$, $3 \ge i < j$, can be found efficiently for $N = \max N_s$ and $d < N^{\sigma}$, $k_s < N^{\sigma}$, for all $\sigma = \frac{t(1+\beta)}{3t+1}$ with $\beta < \sigma \le \frac{1}{2}$.

Theorem 3.2. Let $N_s = p_s q_s$ be RSA moduli for $i = 3, \ldots, j$, $s = 1, \ldots, t$ and $t \ge 2$. Let $(e_s, N_s)$ be the public key pair and $(d, N_s)$ the private key pair with the condition $e_s < \phi(N_s)$, such that the relation $e_s d \equiv 1 \pmod{\phi(N_s)}$ is satisfied. Let $N = \max N_s$. If there exist positive integers $d < N^{\gamma}$, $k_s < N^{\gamma}$ for all $\gamma = \frac{t(1+\beta)}{3t+1}$ such that the equation $e_s d - k_s\phi(N_s) = 1$ holds, for $\beta < \gamma \le \frac{1}{2}$, then the $t$ RSA moduli $N_s$ can be successfully factored in polynomial time.

Proof. Given $t \ge 2$ and $i = 3, \ldots, j$, suppose $N_s = p_sq_s$ are $t$ RSA moduli for $s = 1, \ldots, t$. Suppose that $N = \max N_s$ and $k_s < N^\gamma$. Then the equation $e_sd - k_s\varphi(N_s) = 1$ can be rewritten as follows:
$$e_sd - k_s(N_s - (p_s + q_s) + 1) = 1,$$
$$e_sd - k_s(N_s - (N_s - \varphi(N_s) + 1) + 1) = 1.$$
Let
$$\Phi = \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil.$$
Then
$$e_sd - k_s(N_s - \Phi + \Phi - (N_s - \varphi(N_s) + 1) + 1) = 1,$$
$$\left| \frac{e_s}{N_s - \Phi + 1}\, d - k_s \right| = \frac{|1 - k_s(N_s - \varphi(N_s) + 1 - \Phi)|}{N_s - \Phi + 1}. \tag{1}$$
Setting $N = \max N_s$, let $k_s < N^\gamma$, $d < N^\gamma$ be positive integers and suppose that
$$|\Phi + \varphi(N_s) - N_s - 1| < N^{2\gamma-\beta}, \qquad N_s - \Phi + 1 > \frac{a}{b^2}N.$$
Plugging these conditions into equation (1) gives the following:
$$\frac{|1 - k_s(N_s - \varphi(N_s) + 1 - \Phi)|}{N_s - \Phi + 1} < \frac{|1 + k_s(\Phi - N_s + \varphi(N_s) - 1)|}{N_s - \Phi + 1} < \frac{1 + N^\gamma N^{2\gamma-\beta}}{\frac{a}{b^2}N} = \frac{b^2(1 + N^{3\gamma-\beta})}{aN} < \left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\gamma-\beta-1}.$$
Then it follows that
$$\left| \frac{e_s}{N_s - \Phi + 1}\, d - k_s \right| < \left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\gamma-\beta-1}.$$

We next proceed to show the existence of the integer $d$ and the $t$ integers $k_s$. We let $\varepsilon = \left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\gamma-\beta-1}$, with $\gamma = \frac{t(1+\beta)}{3t+1}$. Then we have
$$N^\gamma\varepsilon^t = N^\gamma\left(\left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\gamma-\beta-1}\right)^t = \left(\frac{a}{b}\right)^{\frac{it}{j}} N^{\gamma + 3\gamma t - \beta t - t} = \left(\frac{a}{b}\right)^{\frac{it}{j}}.$$
Since $\left(\frac{a}{b}\right)^{\frac{it}{j}} < 2^{\frac{t(t-3)}{4}} \cdot 3^t$ for $t \ge 2$, we get $N^\gamma\varepsilon^t < 2^{\frac{t(t-3)}{4}} \cdot 3^t$. It follows that if $d < N^\gamma$ then $d < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}$, and we have
$$\left| \frac{e_s}{N_s - \Phi + 1}\, d - k_s \right| < \varepsilon, \qquad d < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}.$$
This satisfies the conditions of Theorem 2.3, and we proceed to find the integer $d$ and the $t$ integers $k_s$ for $s = 1, \ldots, t$. Next, from the equation $e_sd - k_s\varphi(N_s) = 1$ we compute the following:
$$\varphi(N_s) = \frac{e_sd - 1}{k_s}, \qquad p_s + q_s = N_s - \varphi(N_s) + 1, \qquad x^2 - (N_s - \varphi(N_s) + 1)x + N_s = 0.$$
Finally, by finding the roots of the quadratic equation, the prime factors $p_s$ and $q_s$ are revealed, which leads to the factorization of the $t$ RSA moduli $N_s$ for $s = 1, \ldots, t$.

Let
$$X_s = \frac{e_s}{N_s - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil + 1}, \qquad s = 1, 2, 3.$$
Consider the lattice $L$ spanned by the matrix
$$M = \begin{pmatrix} 1 & -[CX_1] & -[CX_2] & -[CX_3] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$
Also input $a = 3$, $b = 2$, $j = 4$, $t = 3$ and $i = 3$ as small positive integers. The above matrix $M$ will be used for computing the required reduced basis, which leads to the successful factoring of the moduli $N_s$ for $s = 1, \ldots, t$.

Table 1: Algorithm for factoring RSA moduli $N_s = p_sq_s$ for $e_sd - k_s\varphi(N_s) = 1$ of Theorem 3.2

INPUT: The public key tuple $(N_s, e_s, \sigma)$ satisfying Theorem 3.2.

OUTPUT: The prime factors $p_s$ and $q_s$.

1. Compute $\varepsilon = \left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\sigma-\beta-1}$, where $N = \max N_s$ for $s = 1, \ldots, t$, $\beta < \sigma \le \frac12$ and $a > b$.
2. Compute $C = [3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1}]$ for $t \ge 2$.
3. Consider the lattice $L$ spanned by the matrix $M$ as stated above.
4. Applying the LLL algorithm to $L$, obtain the reduced basis matrix $K$.
5. Compute $J = M^{-1}$.
6. Compute $Q = JK$ to produce the integer $d$ and the $t$ integers $k_s$ for $s = 1, \ldots, t$.
7. Compute $\varphi(N_s) = \frac{e_sd - 1}{k_s}$ for $s = 1, \ldots, t$.
8. Compute $N_s - \varphi(N_s) + 1$.
9. Solve the quadratic equation $x^2 - (N_s - \varphi(N_s) + 1)x + N_s = 0$.
10. Then output the roots of the equation as $p_s$ and $q_s$ for $s = 1, \ldots, t$.

Example 3.1. In what follows, we give an illustration to show how Theorem 3.2 works on 3 RSA moduli and their corresponding public exponents. Let

N1 = 6873759006499876318806143993197356564591388266671764381824926

3846051525412519477341947854641345828302449064555046022658532

2294757161953899804299046773862357772238793538346038690333358

4005355615949819852825099249580914306069158122568478713851337

9297105644771277087971272536948011093049702148354789189194680

7378961261693885067649290531129757984797441797978880421889884

4938375945264466689615792890611317250548197417336207014476483

4099357391502750121741231747591044796068015398327404507739611

2140179292264918180345351177923138063579852385919236227751980

4955061306507800411759709768988763372228548308239065587556264

454521

N2 = 6873759006499876318806143993197356564591388266671764381824926

7844181203918265072709146693385362771399837104508302530605547

7578563691758443580670089792237291021205227470484658605927963

0183716564607314293229098374753748839266068589770120701997873

0607996611048310203178053273608613824614890848421930274235576

1728874810851036160417484819782253601577312336352969195141625

3277146634354443879199361296961781013613991043578887980883412

6302224046543243911354519858608423657878981907425836256862367

5631721550745656583734569695446525649246881269398127476965115

3001286334451806875770579694109475342828781134506112848187247

5811456149592808848044135907640086362341746144237314114206092

4475533


N3 = 8978139558472362675873367508731483070511520914060463888155026

1388928088778065844511827653848185447102581197560657340302537

8111410341951027371148973259338530549228638186507249798434636

2980876969880857643563960910844555358165030055640958729707728

0554263508473112207932398227170321064490121048310237056891329

5830669060755842391713804406388292714270464770346737668464215

5354233976928129457338829423595874460595457212461912834775228

2247082540729123802116973627850647882737066228541102586794719

3127513376185237230986463004307926102019124994508881206205365

5308947554364568356384242213969998323148216121283612455796817

545379

e1 = 2655596774191944112368935733634869417398335543575728971240447

8501596577009193302839124857406930246492853575725109088184349

9006927411709255255922739531924336011072672986262282732654731

9709585298825633727012585324352521162977634816903358929973590

6726569408454092611085327817025242382554638889567210806243119

5530302853178637011285349145211416103389461701990856119478336

2682180561374505114559411405728656644490977959211960989049384

6189057792305777375878001634296635879452858499104866220270414

4969178976900294459165402153720145113449807943118999248613601

5673571155128036701732252704602271698931905924083705251619145

944309

e2 = 2137745452908426791531742811783474397659260072423118418529723

1372064771035649088448013128296348832537804035825327721170489

1255984069379198925155608924379540042740361215100326292175421

0173002638767016670991056518566884505098318855462539320915538

8868593919903505503692350147451275178922089935514586090984763

6238068913104272975193992317380535596708790612428893128610184

3138182503063563344841084528340368084427577651608221100811177

7867853094388593898728031601497941742777391724040370716152221

9128194178458922078879557955267787939397480551344365322841503

9061482163394965150561205571395599983210195227888058502310633

024525


e3 = 3376302598271191870188405364071713065607100240181184699662570

2255086258436583211335843258793030936072336392983215856540479

9953125779525511439128291020834389613374068416205032628729198

1614581551642757897767829436911032605178624200673043346061001

2142248700441721659939208924087950529260916887929812535473932

1817090001202244567834249200232976426215389468855576323277726

1862370550936835074376899622865460438674567718027330038509377

5099874246378735790918793792747677982857557119205283807903203

9392650709827067367352258205096098914166051373859769018576614

8835065491259971934045455754080194274389976593356624639028151

554549

Observe that $N = \max\{N_1, N_2, N_3\}$, that is,

N = 8978139558472362675873367508731483070511520914060463888155026

1388928088778065844511827653848185447102581197560657340302537

8111410341951027371148973259338530549228638186507249798434636

2980876969880857643563960910844555358165030055640958729707728

0554263508473112207932398227170321064490121048310237056891329

5830669060755842391713804406388292714270464770346737668464215

5354233976928129457338829423595874460595457212461912834775228

2247082540729123802116973627850647882737066228541102586794719

3127513376185237230986463004307926102019124994508881206205365

5308947554364568356384242213969998323148216121283612455796817

545379

Taking $t = 3$, we have $\sigma = \frac{t(1+\beta)}{3t+1} = 0.360$ and $\varepsilon = \left(\frac{a}{b}\right)^{\frac{i}{j}} N^{3\sigma-\beta-1} = 1.650768155 \times 10^{-74}$. Applying Theorem 2.3 for $n = t = 3$ we compute $C = [3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1}]$, that is,

C = 5453944245000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000

Consider the lattice $L$ spanned by the matrix
$$M = \begin{pmatrix} 1 & -[CX_1] & -[CX_2] & -[CX_3] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$
Therefore, by applying the LLL algorithm to $L$, we obtain the reduced basis with the following matrix
$$K = \begin{pmatrix} A_{11} & A_{12} & A_{13} & A_{14} \\ B_{11} & B_{12} & B_{13} & B_{14} \\ C_{11} & C_{12} & C_{13} & C_{14} \\ D_{11} & D_{12} & D_{13} & D_{14} \end{pmatrix}$$
where

A11 = 6059171132112429370227828012581845104164008148990042013797541

9140872732217516309085619258940600739427834221565424466839826

9578297613560979072176306252357569225734821095555675380913166

83263466110675466248861609905678538589

A12 = 6800583981171717241577599736578815180114240756874229033882279

5998283251793363259789070846584989247833233640877551305300099

1536327844175667981009967877404370215470311589181379531856784

6511982486428685821420751277951417354

A13 = 5856340701315242563153348516943422939173792145408460319569249

0139823375558125147734468127787499591851124594365096123870162

8196744465226306783146956887212216292158721596169098004285729

69891229849620648969985061530157790174

A14 = 3528786261647555852229497420785428604674128437766283217131054

1894672299649975694881953525933282557858125704672982122851973

0169754693217292921174539810256414344000362227371359620271077

34292445110575996262285254719920157942


B11 = 6485305148842603073254473445733872192861516473847813363352444

6748784751837606998144127764756312526278989428939457673635997

1934513893737128853530585970252343214334105471630794307655801

498923861020470398031560982125764725084

B12 = −706964726021772653311436567126196118104963720125027611623142

7539191630039889136160588696462882491400181951760642256218762

9788428188047930793461066437952642437958848437023797397659666

74919957179553710530271790224802325085576

B13 = 253842401621009251805480353518984652615986671458245242945111

165983136989649869121606386033540157186058709321322516236784

154347198416054235945088027127474782507154467460985304793419

5085383493130948403072345312136442618250344

B14 = −202739261054718240146979782696457043418582226678569112733210

1657016914411582988568155521091280475459703089461549444068241

4076020056995897251101978011131825849071656921991061809225804

3416410849061423549981977347299457955448

C11 = 205966496313945718811084753125335149912130430933172541634942

097003243446548636997117045649596127985955679140310295326540

944441964153161498813585446541483813890390437213909922422106

6803313001998661749438098644513041304027107

C12 = −3637455195068763770466417320548596097683973526297894244423

813825855100807734313379843729203187024258129106718485453626

043849449773858121177981128372433504193950348738928609113368

758609333834110829515358177495290215799650698

C13 = −5205119373155228047055224271360717839670487507036561829528

475160561126779053079935424433067347378122758122410457154299

174618816086674930669876104382590355972376574746766419658743

254928922300310475104237609195533827705683038

C14 = 688178364836427372428859448714159409282646876120209397939324

195425060682132021094039730355975116426994104658982134516926

144616723232320558962413385338539214277833024748195280107067

8738262680069907062311508227610142617438346


D11 = −1567037553627924200365007046015785080558363512514418192700

291998864606550770144897775260212727154899566265718783978972

477716574141980606965631913328645386386065276702540992890503

8839527684351916756595398901544180525700058764

D12 = −5309411967115751590503266932933988294493807381292332634262

243520420316201594326520270996935497260888364465898983674628

760541202099407347967138653872792973827622289084729662437870

943074138714075376417931283628728758470354904

D13 = 884593889254469694171682084467432055158786994908589932468481

971207114687276718726540544246089169503338322282424783597039

497240506218972401749022448264533913547313456293280513835858

9290240539467520774575824653232258811430776

D14 = 147908907041305414729819487564131098109177922036683977649617

531208536065383621079271611716066338694833646803023641421567

614661586457614756888415349679320409299927974870820266687398

91393521529573149775001244116508461608168408

Next we compute $Q = JK$:
$$Q = \begin{pmatrix} E_{11} & E_{12} & E_{13} & E_{14} \\ F_{21} & F_{22} & F_{23} & F_{24} \\ G_{31} & G_{32} & G_{33} & G_{34} \\ H_{41} & H_{42} & H_{43} & H_{44} \end{pmatrix}$$
where

E11 = 605917113211242937022782801258184510416400814899004201379754

191408727322175163090856192589406007394278342215654244668398

269578297613560979072176306252357569225734821095555675380913

16683263466110675466248861609905678538589

E12 = 234089023160387503899947820104684102600594369956988347493550

908351252247290719559742247643063747335280100917831381122136

983034902391066046554398406429133565849892615822906432151022

66582940788728772531288756359513996465200


E13 = 165128331426066301150048114810720260786544299257995214337472

490182352319596083674619975657660447873629600068190289388407

494816453622752364547113634149161233991329806413443648853193

92344899326752280314601162291124318656418

E14 = 227860071716259553936140639510349154413309444338897070868435

720845556742934546376994115611318683118584697933463123751356

877588494242961654245740781823298392802404491870077383989756

84026195741550966450944037664572599581072

F21 = 648530514884260307325447344573387219286151647384781336335244

467487847518376069981441277647563125262789894289394576736359

971934513893737128853530585970252343214334105471630794307655

801498923861020470398031560982125764725084

F22 = 250552214830796928104434306191780365179349132440120620737425

524620887935780204423052538741060989066425015223804405995034

548142752051132451694406773407133041074819274216889364117715

485982634917470085376322697748609500919501

F23 = 176741602880574434429720975166023459325114137265491206396832

496367373777294629657840551399770810570918016472588021703193

933162037447414144211894248753329236420312160372552183832594

671870246468871627153764098089888285571469

F24 = 243885188930439177261877251441269206441242023021553965921986

425723389982598346882757762903998817422665601939906627393842

126713461991372794412512501020114727727423768470589968639220

438974995609877973063201641051511311715772


G31 = 205966496313945718811084753125335149912130430933172541634942

097003243446548636997117045649596127985955679140310295326540

944441964153161498813585446541483813890390437213909922422106

6803313001998661749438098644513041304027107

G32 = 795727581787080565220100618925221292124119238683069753610196

552333426201272223142239486367270829862673863314925481370387

445212203187491482943240459077084466329667169691040202168649

733897624441655916026497045985732300044364

G33 = 561312812007300990647109528050932393932425630408155952102988

053909309008763861009713717585098980307332283825043848271595

913251524337248913803717279635844211360832442742686045802509

589030974712159048920719414753593457054203

G34 = 774553806089323614565214503553379249335387960963029528569487

804354020018432586210565117438683594739979914107493184335924

096649112033069269348001273145646916732566905702556028294235

258502914345680900346042621775790705717619


H41 = −1567037553627924200365007046015785080558363512514418192700

291998864606550770144897775260212727154899566265718783978972

477716574141980606965631913328645386386065276702540992890503

8839527684351916756595398901544181525700058764

H42 = −6054067168367238876243034290723471619641612044251184828220

846941364039663336511880407520176596035316937904852121634217

685258360272613015803883026926571165484869752559858322998850

700642466835137450075339773544873687733039195

H43 = −4270589010783572899231495551136012574246458580594951657801

693015287139823048454959685382821697428417349238312269075867

359426605967792096221147038214296348341789946285501356316887

395178099792870263526865739320122399532970701

H44 = −5892972513341867815659798977789247910589781024397651168186

540376568886677080189129759177024382057480937277949632086122

537564398375934139949687801666946613126100215934615753210542

124817884144476374946057920486834741895620193

From the first row of $Q$ we obtain $d$, $k_1$, $k_2$ and $k_3$ as follows:

d = 605917113211242937022782801258184510416400814899004201379754

191408727322175163090856192589406007394278342215654244668398

269578297613560979072176306252357569225734821095555675380913

16683263466110675466248861609905678538589

k1 = 234089023160387503899947820104684102600594369956988347493550

908351252247290719559742247643063747335280100917831381122136

983034902391066046554398406429133565849892615822906432151022

66582940788728772531288756359513996465200

k2 = 165128331426066301150048114810720260786544299257995214337472

490182352319596083674619975657660447873629600068190289388407

494816453622752364547113634149161233991329806413443648853193

92344899326752280314601162291124318656418

k3 = 227860071716259553936140639510349154413309444338897070868435

720845556742934546376994115611318683118584697933463123751356

877588494242961654245740781823298392802404491870077383989756

84026195741550966450944037664572599581072

We now compute $\varphi(N_s) = \frac{e_sd - 1}{k_s}$ for $s = 1, 2, 3$. That is:

φ(N1) = 687375900649987631880614399319735656459138826667176438182492

638460515254125194773419478546413458283024490645550460226585

322294757161953899804299046773862357772238793538346038690333

358400535561594981985282509924958091430606915812256847871385

133792971056447712770879712725369480110930497021483547891891

946807360906095280083909717496446505531479472986033753897760

367942687288162446822134767302902029299493785165241282825225

623920362223822049345924474082392120601335215889420685144595

811139251091531776514757224777370239239633300076336913146576

473999369370158589950521059851901110403500812176893937099504

8630070755267200

φ(N2) = 784418120391826507270914669338536277139983710450830253060554

775785636917584435806700897922372910212052274704846586059279

630183716564607314293290983747537488392660685897701207019978

730607996611048310203178053273608613824614890848421930274235

576172887481085103616041748481978225360157731233635296919514

162532751562028316287381173037950565587458832439953591139026

725888203856656197264793082012577143329208120771702368982033

383214897511242425889202320641960830128452923366191813805353

442534742799770934799524311337770261069154984217409112166315

947748907777012844876275123925721944130295749953302496334351

0419369343056668

φ(N3) = 897813955847236267587336750873148307051152091406046388815502

613889280887780658445118276538481854471025811975606573403025

378111410341951027371148973259338530549228638186507249798434

636298087696988085764356396091084455535816503005564095872970

772805542635084731122079323982271703210644901210483102370568

913295810309804959337412093232358779040936236019252541559327

275375936498645195769915756459950707462479935501936405367606

940071196318547735104326128510755921219197493948748668265595

331363085552946018482605313925873605856652404785009531194603

667223820325515453692232867711762366885551219766212423600874

2966722938884880


Also, we proceed to compute $N_s - \varphi(N_s) + 1$ for $s = 1, 2, 3$.

N1 − φ(N1) + 1 = 18055166413801157931794084624226505324455764224982

66152194180654943207962453419427638703183223126965

45004507954758237279787697518656815767433299253553

09112744790733298129449266256861048647515715750160

95556798093868350476350351547277265975375261112534

75407002589813240698664953755250459608937244016957

485509187322

N2 − φ(N2) + 1 = 19904315228151410820575019052222677307470482197740

78210823809836739034597911827250728146509444975821

02050568542234791526656609126486764560528150087145

24112001321935126007394253976787213092409718544446

36802668002559844407040223289481253412356803444330

47165337241184139635097906123884436479029630722691

581418866

N3 − φ(N3) + 1 = 20359255796504979620572047609251778034445517805178

34118883959892475249704302997742299165212496612404

37848408236765374516261522776721869118926589803572

87281333421913617145430536584107574567357702631917

06058939845127369723411546331427753898154520537930

17442239679266618545114486125486091885274869489073

878660500

Finally, solving the quadratic equation $x^2 - (N_s - \varphi(N_s) + 1)x + N_s = 0$ for $s = 1, 2, 3$ gives us $p_1, p_2, p_3$ and $q_1, q_2, q_3$, which leads to the factorization of the 3 RSA moduli $N_1, N_2, N_3$. That is:

p1 = 125996510243579377036578709625070509149965607289197462380323

568050591088606805308498226110444282184204319977136540252228

404824041770174980787532063489726992340857428760730490336088

293784757777451908692939966157115408100371230289873158366597

874847130610204074287588369955091709929650694436058386446759

856020881


p2 = 144912796807558235227224448071847089726991649207347724182024

222904224424246307807314892132273304147585475369132446627841

072419525104684923701516949551889868917461979250212886412199

798432583631043448100999635346072672806149552170468670640315

413279511112706033529388400459627682480890373049785944192653

667580799

p3 = 139003037188738962566074612642830443452225212660273650472251

568209599310351634537275215878176674386285311684308958328894

785970321757979050842136830517175022646286898260911409072158

014503113747448580372331966193565931585504803326953181330325

462356074101577929451389018253165508365397034276878394464475

925478761

q1 = 545551538944322022813621366171945440945920349606291528390944

974437297076385366342656442078780305123406845308182179850513

828734768866407866457671900633641351070499042205640023264803

167017173800497008627398432297196395346639244378534391709282

364063447967985155256523287098620453208089145011856305107256

53166441

q2 = 541303554739558729785257424503796833477131727700600969003567

607696790355448749177579225186711934345165751994097881636855

841896013820796368266331375933512510957573720098610561275680

736983404661419963626806314541833116345544701584794547009202

670649219344593037117957391754702236429940634292436865300379

13838067

q3 = 645895207763108336396458634496873368922299653915097614161444

210379256600786652369547006430729868541525367239278070456214

755524549638900680844529730556977906879322379105428962936830

612425598295777387982739277909468053868363513061895940594899

896977189158643102278776002919489777600890576083964750245979

53181739

From our result, one can observe that we get $d \approx N^{0.3584}$, which is larger than the Blömer-May bound of $x < \frac13 N^{0.25}$, Blömer and May (2004). This shows that the Blömer-May attack cannot yield the factorization of the $t$ RSA moduli in our case. Our bound $d \approx N^{0.3584}$ is also greater than the bound $x = N^{0.344}$ of Nitaj et al. (2014).

3.1.2 The Attack on $t$ RSA Moduli $N_s = p_sq_s$ Satisfying $e_sd_s - k\varphi(N_s) = 1$

In this section, we consider the second case, in which $t$ RSA moduli satisfy $t$ equations of the form $e_sd_s - k\varphi(N_s) = 1$ for unknown parameters $d_s$ and $k$, $s = 1, \ldots, t$.

Theorem 3.3. Let $N_s = p_sq_s$ be $t$ RSA moduli for $s = 1, \ldots, t$, $i = 3, \ldots, j$ and $t \ge 2$. Let $(e_s, N_s)$ be the public key pair and $(d_s, N_s)$ the private key pair with $e_s < \varphi(N_s)$, such that the relation $e_sd_s \equiv 1 \pmod{\varphi(N_s)}$ is satisfied. Let $e = \min e_s = N^\alpha$ for the $t$ public exponents. If there exist positive integers $d_s < N^\sigma$, $k < N^\sigma$, for all $\sigma = \frac{t(\alpha+\beta)}{3t+1}$ such that the equation $e_sd_s - k\varphi(N_s) = 1$ holds, then the prime factors $p_s$ and $q_s$ of the $t$ RSA moduli $N_s$ can successfully be recovered in polynomial time.

Proof. For $t \ge 2$ and $i = 3, \ldots, j$, let $N_s = p_sq_s$ be $t$ RSA moduli for $s = 1, \ldots, t$, let $e = \min e_s = N^\alpha$ for the $t$ public exponents, $s = 1, \ldots, t$, and suppose that $d_s < N^\gamma$. Then the equation $e_sd_s - k\varphi(N_s) = 1$ can be rewritten as
$$e_sd_s - k(N_s - (p_s + q_s) + 1) = 1,$$
$$e_sd_s - k(N_s - (N_s - \varphi(N_s) + 1) + 1) = 1.$$
Let
$$\Delta = \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil.$$
Then
$$e_sd_s - k(N_s - \Delta + \Delta - (N_s - \varphi(N_s) + 1) + 1) = 1,$$
and we have
$$\left| \frac{k(N_s - \Delta + 1)}{e_s} - d_s \right| = \frac{|1 - k(N_s - \varphi(N_s) + 1 - \Delta)|}{e_s}.$$
Taking $N = \max N_s$, suppose that $d_s < N^\gamma$, $k < N^\gamma$ are positive integers and
$$|\Delta + \varphi(N_s) - N_s - 1| < N^{2\gamma-\beta}.$$
Suppose also $e = \min e_s = N^\alpha$ for $s = 1, \ldots, t$; then we have
$$\frac{|1 - k(N_s - \varphi(N_s) + 1 - \Delta)|}{e_s} \le \frac{|1 + k(\Delta - N_s + \varphi(N_s) - 1)|}{e_s} < \frac{1 + N^\gamma N^{2\gamma-\beta}}{N^\alpha} = \frac{1 + N^{3\gamma-\beta}}{N^\alpha} < \left(\frac{a}{b}\right)^{\frac{i}{2j}} N^{3\gamma-\alpha-\beta}.$$
Hence, we get
$$\left| \frac{k(N_s - \Delta + 1)}{e_s} - d_s \right| < \left(\frac{a}{b}\right)^{\frac{i}{2j}} N^{3\gamma-\alpha-\beta}.$$
We now proceed to show the existence of the integer $k$ and the $t$ integers $d_s$. Taking $\varepsilon = \left(\frac{a}{b}\right)^{\frac{i}{2j}} N^{3\gamma-\alpha-\beta}$ and $\gamma = \frac{t(\alpha+\beta)}{3t+1}$, we get
$$N^\gamma\varepsilon^t = N^\gamma\left(\left(\frac{a}{b}\right)^{\frac{i}{2j}} N^{3\gamma-\alpha-\beta}\right)^t = \left(\frac{a}{b}\right)^{\frac{it}{2j}} N^{\gamma + 3\gamma t - \alpha t - \beta t} = \left(\frac{a}{b}\right)^{\frac{it}{2j}}.$$
Since $\left(\frac{a}{b}\right)^{\frac{it}{2j}} < 2^{\frac{t(t-3)}{4}} \cdot 3^t$ for $t \ge 2$, then $N^\gamma\varepsilon^t < 2^{\frac{t(t-3)}{4}} \cdot 3^t$. It follows that if $k < N^\gamma$ then $k < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}$, and for $s = 1, \ldots, t$ we have
$$\left| \frac{k(N_s - \Delta + 1)}{e_s} - d_s \right| < \varepsilon, \qquad k < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}.$$
This also satisfies the conditions of Theorem 2.3, and we now proceed to reveal the private keys $d_s$ and $k$ for $s = 1, \ldots, t$. Next, from the equation $e_sd_s - k\varphi(N_s) = 1$ we compute the following:
$$\varphi(N_s) = \frac{e_sd_s - 1}{k}, \qquad p_s + q_s = N_s - \varphi(N_s) + 1, \qquad x^2 - (N_s - \varphi(N_s) + 1)x + N_s = 0.$$
Finally, by finding the roots of the quadratic equation, the prime factors $p_s$ and $q_s$ can be found, which leads to the factorization of the $t$ RSA moduli $N_s$ for $s = 1, \ldots, t$.


Let
$$X_s = \frac{N_s - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil + 1}{e_s}, \qquad s = 1, 2, 3.$$
Consider the lattice $L$ spanned by the matrix
$$M = \begin{pmatrix} 1 & -[CX_1] & -[CX_2] & -[CX_3] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$
Also input $a = 3$, $b = 2$, $j = 4$, $i = 3$ and $t = 3$ as small positive integers. The above matrix $M$ will be used for computing the required reduced basis, which leads to the successful factoring of the moduli $N_s$ for $s = 1, \ldots, t$.

Example 3.2. In what follows, we give an illustration of how Theorem 3.3 works on 3 RSA moduli and their corresponding public exponents:

N1 = 330887927826729358131406751905555113358427

N2 = 909455241479718015703976451522306293699987

N3 = 896255999831476423504365353752613393410129

e1 = 260093505791357595269019761161559922357089

e2 = 830211428275988442317142948578507842037903

e3 = 260639236216424239075202140155225066663301

Observe

$N = \max\{N_1, N_2, N_3\} = 909455241479718015703976451522306293699987$

$e = \min\{e_1, e_2, e_3\} = 260093505791357595269019761161559922357089$


Table 2: Algorithm for factoring RSA moduli $N_s = p_sq_s$ for $e_sd_s - k\varphi(N_s) = 1$ of Theorem 3.3

INPUT: The public key tuple $(N_s, e_s, \alpha, \sigma)$ satisfying Theorem 3.3.

OUTPUT: The prime factors $p_s$ and $q_s$.

1. Compute $\varepsilon = \left(\frac{a}{b}\right)^{\frac{i}{2j}} N^{3\sigma-\alpha-\beta}$ for $\beta < \alpha \le \frac12$ and $N = \max N_s$ for $s = 1, \ldots, t$, $t \ge 2$ and $a > b$. Also compute $e = \min e_s = N^\alpha$.
2. Compute $C = [3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1}]$.
3. Consider the lattice $L$ spanned by the matrix $M$ as stated above.
4. Applying the LLL algorithm to $L$, obtain the reduced basis matrix $K$.
5. Compute $J = M^{-1}$.
6. Compute $Q = JK$ to produce the integer $k$ and the $t$ integers $d_s$.
7. Compute $\varphi(N_s) = \frac{e_sd_s - 1}{k}$.
8. Compute $N_s - \varphi(N_s) + 1$.
9. Solve the quadratic equation $x^2 - (N_s - \varphi(N_s) + 1)x + N_s = 0$.
10. Then output the roots of the equation as $p_s$ and $q_s$ for $s = 1, \ldots, t$.

with e = min{e1, e2, e3} = N^α, where α = 0.9870431932. Taking t = 3, β = 0.25, we have σ = t(α+β)/(3t+1) = 0.3711129579 and ε = 0.000007508475067.

Applying Theorem 2.3, we compute
\[
C = \left[ 3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1} \right] = 12742306620000000000000.
\]

Consider the lattice L spanned by the matrix
\[
M = \begin{pmatrix}
1 & -[C X_1] & -[C X_2] & -[C X_3] \\
0 & C & 0 & 0 \\
0 & 0 & C & 0 \\
0 & 0 & 0 & C
\end{pmatrix}.
\]

Therefore, by applying the LLL algorithm to L, we obtain the reduced basis with the following matrix
\[
K = \begin{pmatrix}
-175146409612035 & -823228839795 & 174148519192170 & -114206584622820 \\
-84039951771888287 & 80666065160018481 & -87963455766549006 & -5966375445846324 \\
76917823720099937 & 113434318528267569 & 264927030686706 & -118170963300717876 \\
21604480682726699 & 152229348988955163 & 151359706383740262 & 196696397901374148
\end{pmatrix}.
\]


Next we compute Q = JK
\[
Q = \begin{pmatrix}
-175146409612035 & -222819221750609 & -191864162336087 & -602273175529801 \\
-84039951771888287 & -106914647529743848 & -92061578568439781 & -288986846702386117 \\
76917823720099937 & 97853959199204323 & 84259642258505725 & 264496098146466542 \\
21604480682726699 & 27484968619764657 & 23666631808664282 & 74290984412871231
\end{pmatrix}.
\]

From the first row of Q we obtain k, d1, d2 and d3 as follows:

k = 175146409612035, d1 = 222819221750609, d2 = 191864162336087,

d3 = 602273175529801

We now compute φ(N_s) = (e_s d_s − 1)/k for s = 1, 2, 3. That is:

φ(N1) = 330887927826729358130254895146939245547920

φ(N2) = 909455241479718015702034073311041714951816

φ(N3) = 896255999831476423502471935613753586474660

Also, we proceed to compute Ns − φ(Ns) + 1 for s = 1, 2, 3.

N1 − φ(N1) + 1 = 1151856758615867810508

N2 − φ(N2) + 1 = 1942378211264578748172

N3 − φ(N3) + 1 = 1893418138859806935470

Finally, solving the quadratic equation x^2 − (N_s − φ(N_s) + 1)x + N_s = 0 for s = 1, 2, 3 gives us p1, p2, p3 and q1, q2, q3, which lead to the factorization of the 3 RSA moduli N1, N2, N3. That is:

p1 = 604310949056531947721, p2 = 1154909102962814371933,

p3 = 948145143716756720671, q1 = 547545809559335862787,

q2 = 787469108301764376239, q3 = 945272995143050214799

From our result, one can observe that we get min{d1, d2, d3} ≈ N^{0.3404}, which is larger than the Blömer-May bound of x < (1/3) N^{0.25}, Blömer and May (2004). This shows that the Blömer-May attack cannot yield the factorization of t RSA moduli in our case. Our min{d1, d2, d3} ≈ N^{0.3404} is also greater than the min{x1, x2, x3} ≈ N^{0.337} of Nitaj et al. (2014).
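As an added example (not the paper's own code), the following Python carries Table 2 through on the Example 3.2 data: it computes ε and C from the page's formulas, builds M, runs a textbook exact-rational LLL (assumed here; not the implementation the authors used) and reads k and d_s off the reduced basis, then factors each N_s via the quadratic of step 9. It scans every reduced row rather than only the first, which generalizes the page's procedure slightly.

```python
# Added example (not the paper's code): Table 2 of Theorem 3.3 run on the Example 3.2 data.
# The LLL below is a textbook delta = 3/4 version over exact rationals, assumed here;
# it is not the implementation the authors used.
from decimal import Decimal, getcontext, ROUND_CEILING, ROUND_HALF_UP
from fractions import Fraction
from math import isqrt

getcontext().prec = 80


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL; the rows of `basis` generate the lattice. Returns the reduced rows."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))

    def gso():  # Gram-Schmidt vectors b* and coefficients mu of the current rows
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for r in range(n):
            v = b[r][:]
            for c in range(r):
                mu[r][c] = dot(b[r], bstar[c]) / dot(bstar[c], bstar[c])
                v = [x - mu[r][c] * y for x, y in zip(v, bstar[c])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gso()
    k = 1
    while k < n:
        for c in range(k - 1, -1, -1):  # size-reduce row k against earlier rows
            q = round(mu[k][c])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[c])]
                bstar, mu = gso()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def psi(N, a, b, i, j):
    """Ceiling of ((a^((i+1)/i)+b^((i+1)/i))/(2(ab)^((i+1)/(2i))) + (a^(1/j)+b^(1/j))/(2(ab)^(1/(2j)))) * sqrt(N)."""
    A, B, AB = Decimal(a), Decimal(b), Decimal(a * b)
    p1, p2 = Decimal(i + 1) / Decimal(i), Decimal(1) / Decimal(j)
    coef = (A ** p1 + B ** p1) / (2 * AB ** (p1 / 2)) + (A ** p2 + B ** p2) / (2 * AB ** (p2 / 2))
    return int((coef * Decimal(N).sqrt()).to_integral_value(rounding=ROUND_CEILING))


def factor_from_phi(N, phi):
    """Steps 8-10: integer roots (p, q) of x^2 - (N - phi + 1)x + N = 0, or None."""
    s = N - phi + 1
    disc = s * s - 4 * N
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if q > 1 and p * q == N else None


def attack(Ns, es, a=3, b=2, i=3, j=4, beta=Decimal("0.25")):
    """Steps 1-7 of Table 2 for t = len(Ns) moduli sharing one k in e_s d_s - k phi(N_s) = 1."""
    t = len(Ns)
    N, e = max(Ns), min(es)
    lnN = Decimal(N).ln()
    alpha = Decimal(e).ln() / lnN                      # e = N^alpha
    sigma = t * (alpha + beta) / (3 * t + 1)
    eps = (Decimal(a) / Decimal(b)) ** (Decimal(i) / (2 * j)) * ((3 * sigma - alpha - beta) * lnN).exp()
    C = Decimal(3) ** (t + 1) * Decimal(2) ** (Decimal((t + 1) * (t - 4)) / 4) * eps ** (-(t + 1))
    C = int(C.to_integral_value(rounding=ROUND_HALF_UP))
    # [C X_s] with X_s = (N_s - Psi_s + 1) / e_s, rounded to nearest with exact integer arithmetic
    CX = [(2 * C * (Ns[s] - psi(Ns[s], a, b, i, j) + 1) + es[s]) // (2 * es[s]) for s in range(t)]
    M = [[1] + [-x for x in CX]] + [[0] * (s + 1) + [C] + [0] * (t - s - 1) for s in range(t)]
    for row in lll(M):  # a lattice row (u0, ..) equals (u0, C*u_s - u0*[C X_s]); try every row
        k = abs(row[0])
        if k == 0:
            continue
        sign = 1 if row[0] > 0 else -1
        ds = [(sign * row[s + 1] + k * CX[s]) // C for s in range(t)]  # the d_s (exact division)
        if any(d <= 0 or (es[s] * d - 1) % k for s, d in enumerate(ds)):
            continue  # this row is not a solution of e_s d_s - k phi(N_s) = 1
        factors = [factor_from_phi(Ns[s], (es[s] * ds[s] - 1) // k) for s in range(t)]
        if all(factors):
            return {"k": k, "d": ds, "factors": factors}
    return None


# Example 3.2 data from the paper: the three moduli and their public exponents.
N_EX = [330887927826729358131406751905555113358427,
        909455241479718015703976451522306293699987,
        896255999831476423504365353752613393410129]
E_EX = [260093505791357595269019761161559922357089,
        830211428275988442317142948578507842037903,
        260639236216424239075202140155225066663301]

if __name__ == "__main__":
    res = attack(N_EX, E_EX)
    print("k =", res["k"], "d_s =", res["d"])
    for (p, q), N in zip(res["factors"], N_EX):
        print(p, "*", q, "==", N, p * q == N)
```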

3.1.3 The Attack on t RSA Moduli N_s = p_s q_s Satisfying e_s d − k_s φ(N_s) = z_s

In this section, we consider another case in which t RSA moduli satisfy t equations of the form e_s d − k_s φ(N_s) = z_s for unknown parameters d, k_s and z_s


for s = 1, …, t. Taking t ≥ 2, let N_s = p_s q_s, s = 1, …, t. The attack works for t instances (N_s, e_s) when there exists an integer d and t integers k_s satisfying the equation e_s d − k_s φ(N_s) = z_s. We show that the t prime factors p_s and q_s of the t RSA moduli N_s can be found efficiently for N = max N_s and d < N^σ, k_s < N^σ, z_s < N^σ, for all σ = t(1+β)/(3t+1).

Theorem 3.4. Let N_s = p_s q_s be t RSA moduli for s = 1, …, t, i = 3, …, j and t ≥ 2. Let (e_s, N_s) be the public key pair and (d, N_s) be the private key pair with e_s < φ(N_s), such that the relation e_s d ≡ 1 (mod φ(N_s)) is satisfied. Let N = max N_s. If there exist positive integers d < N^σ, k_s < N^σ, z_s < N^σ, for all σ = t(1+β)/(3t+1), such that e_s d − k_s φ(N_s) = z_s holds, then the prime factors p_s and q_s of the t RSA moduli N_s can successfully be found in polynomial time.

Proof. Given t ≥ 2, i = 3, …, j, let N_s = p_s q_s be t moduli. Also suppose N = max N_s and k_s < N^γ. Then the equation e_s d − k_s φ(N_s) = z_s can be rewritten as
\[
e_s d - k_s\left(N_s - (p_s + q_s) + 1\right) = z_s
\]
\[
e_s d - k_s\left(N_s - (N_s - \varphi(N_s) + 1)\right) = z_s.
\]
Let
\[
\Psi = \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil,
\]
then we have
\[
e_s d - k_s\left(N_s - \Psi + \Psi - (N_s - \varphi(N_s) + 1) + 1\right) = z_s.
\]
\[
\left| \frac{e_s}{N_s - \Psi + 1}\, d - k_s \right| = \frac{\left| z_s - k_s\left(N_s - \varphi(N_s) + 1 - \Psi\right) \right|}{N_s - \Psi + 1}. \tag{2}
\]
Let N = max N_s and k_s < N^γ, z_s < N^γ be positive integers, and also suppose
\[
\left| \Psi + \varphi(N_s) - N_s - 1 \right| < N^{2\gamma - \beta}, \qquad N_s - \Psi + 1 > \frac{a}{b^2} N. \tag{3}
\]


Then plugging into equation (2) yields
\[
\frac{\left| z_s - k_s\left(N_s - \varphi(N_s) + 1 - \Psi\right) \right|}{N_s - \Psi + 1}
< \frac{\left| z_s + k_s\left(\Psi - N_s + \varphi(N_s) - 1\right) \right|}{N_s - \Psi + 1}
< \frac{N^{\gamma} + N^{\gamma}\left(N^{2\gamma - \beta}\right)}{\frac{a}{b^2} N}
= \frac{b^2\left(N^{\gamma} + N^{3\gamma - \beta}\right)}{aN}
< \left(\frac{a}{b}\right)^{\frac{j}{i}} N^{3\gamma - \beta - 1}.
\]
Hence
\[
\left| \frac{e_s}{N_s - \Psi + 1}\, d - k_s \right| < \left(\frac{a}{b}\right)^{\frac{j}{i}} N^{3\gamma - \beta - 1}.
\]

We now proceed to show the existence of an integer d and t integers k_s. Taking
\[
\varepsilon = \left(\frac{a}{b}\right)^{\frac{j}{i}} N^{3\gamma - \beta - 1}, \qquad \gamma = \frac{t(1+\beta)}{3t+1},
\]
we have
\[
N^{\gamma}\varepsilon^{t} = N^{\gamma}\left( \left(\frac{a}{b}\right)^{\frac{j}{i}} N^{3\gamma - \beta - 1} \right)^{t}
= \left(\frac{a}{b}\right)^{\frac{jt}{i}} N^{\gamma + 3\gamma t - \beta t - t}
= \left(\frac{a}{b}\right)^{\frac{jt}{i}}.
\]
Since (a/b)^{jt/i} < 2^{t(t−3)/4} · 3^t for t ≥ 3, we get N^γ ε^t < 2^{t(t−3)/4} · 3^t. It follows that if d < N^γ then d < 2^{t(t−3)/4} · 3^t · ε^{−t}, so for s = 1, …, t we have
\[
\left| \frac{e_s}{N_s - \Psi + 1}\, d - k_s \right| < \varepsilon, \qquad d < 2^{\frac{t(t-3)}{4}} \cdot 3^{t} \cdot \varepsilon^{-t}. \tag{4}
\]
This also satisfies the conditions of Theorem 2.3. We next proceed to reveal the integer d and the t integers k_s for s = 1, …, t. From the equation e_s d − k_s φ(N_s) = z_s we compute the following:
\[
\varphi(N_s) = \frac{e_s d - z_s}{k_s}, \qquad p_s + q_s = N_s - \varphi(N_s) + 1, \qquad x^2 - \left(N_s - \varphi(N_s) + 1\right)x + N_s = 0.
\]
Finally, by finding the roots of the quadratic equation, the prime factors p_s and q_s can be revealed, which leads to the factorization of the t RSA moduli N_s for s = 1, …, t.


Let
\[
X_1 = \frac{e_1}{N_1 - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_1} \right\rceil + 1}, \qquad
X_2 = \frac{e_2}{N_2 - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_2} \right\rceil + 1}, \qquad
X_3 = \frac{e_3}{N_3 - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_3} \right\rceil + 1}.
\]

Consider the lattice L spanned by the matrix
\[
M = \begin{pmatrix}
1 & -[C X_1] & -[C X_2] & -[C X_3] \\
0 & C & 0 & 0 \\
0 & 0 & C & 0 \\
0 & 0 & 0 & C
\end{pmatrix}.
\]

Also input a = 3, b = 2, t = 3, i = 3 and j = 4 as small positive integers. The above matrix M will be used for computing the required reduced basis, which leads to successful factoring of the moduli N_s for s = 1, …, t.

Table 3: Algorithm for factoring RSA moduli N_s = p_s q_s for e_s d − k_s φ(N_s) = z_s of Theorem 3.4

INPUT: The public key tuple (N_s, e_s, σ) satisfying Theorem 3.4.

OUTPUT: The prime factors p_s and q_s.

1. Compute ε = (a/b)^{j/i} N^{3σ−β−1}, where N = max N_s for s = 1, …, t, t ≥ 2 and a > b.

2. Compute C = [3^{t+1} · 2^{(t+1)(t−4)/4} · ε^{−t−1}].

3. Consider the lattice L spanned by the matrix M as stated above.

4. Applying the LLL algorithm to L, we obtain the reduced basis matrix K.

5. Compute J = M^{−1}.

6. Compute Q = JK to produce d and k_s.

7. Compute φ(N_s) = (e_s d − z_s)/k_s.

8. Compute N_s − φ(N_s) + 1.

9. Solve the quadratic equation x^2 − (N_s − φ(N_s) + 1)x + N_s = 0.

10. Then output the roots of the equation as p_s and q_s for s = 1, …, t.


Example 3.3. In what follows, we give an illustration of how Theorem 3.4 works on 3 RSA moduli and their corresponding public exponents. Let

N1 = 3752702883881559525591792667334102001301497116337578486380722273041568912045244659295163793565326525944300991931444130530346848160866908955039488375413453331726530746504330399771099859485224424383277444300277732009078494311763616050721625983991232827201399331174635649076897585957206775300140052737661334910240100265527841902543150106879212052886386192096561030171743670986414636270642717745717534880103731653138370546371868308374421776832377999187326326939384176002146138276428097673248094536541669031520182903142314212438994669751397311993558179472850508064821020259986634221461389256296540557395967868252883230089

N2 = 4257840089267745419233875938262076642141139469439616809226203946673541695192526050595813913325313453434881153953819503282977282460750908859903441533555796983314565375303493701215322950909532542949679595392947796419813401223472999054834813104496684588268025763918381605311605447901653440424156299336935216307028632117389235152565274025245577016639874659426056601504419749727137316375411080571906384073150128758719722036152746184307628707852003333956939016552280052367816436998439788565472393429943478177205298246885453884662430203582920683041450649381174527191842473767023385293276620178155990785991083101909875503667


N3 = 4056588278613075487172852467806647147207789782952427860044854173296850602843083558352012376436597991183024765009705517224073417878205539526315911397077934407572844404848109092192429132230687997303954131526599037712059056456058821586634440835908178488624456643230900303767437118092455037138302969873010211550079798662708356857683361810643218318234123054112852333771505352988533851698493401590000717604274451934627403267102817970538204094221874010757059727723001937781604223952048593587358645047244822334776351100630907318046928853159598902098079896872228321220331929410127528531040514654896172233886113776799409522639

e1 = 315936322938986053953441519390696092406282531927151442698340978938338464606211108217859302315804227889141855342743850819674732536297453285295585932940372454696578374732107292072721054834216989923181349924608792163765844991236395769550999289512282209491092173729964762792128726884750375674572405681015510860555211262224039997481958951038802108518441067075406483190567808516652433899429796892339561823841755338496563305747542712968234419721379609347517397726074928939526125781523146853175961745552272282260097313862476267233030695316896789001711296774730136989188725187684794928149321474124898632748438031236368011959

e2 = 1628290309927444029969438875175894493356101027625848239247815784660299118382530126947106986110365998963303750592142388257196812619977213311716061380103547077657814957650763793559389358561500251915338013129989491691967033902378828928141653668055850024255305504977661329855133228281552500986675635672141052374926478246198774126512662749235563097082935206005582135974252891018180789116881687762694922750636669184184681579800076750803623613208696079583569883712803650043218790776354476706458930303861762332306988931020585893305400283430581446148330926761357292194201662659006240486405370039228674167534372408750629670136


e3 = 3745337556718705167342226098786297572774929253051174341416190484319059515447496178705675104093971565169372217602272071499842871840260782767162706191147256602991970020442236482674849847927874641499079857373554282177665627901134781999591476004190223983476043339369476801166846218076063568951210058769324460155943060630351548558490394078091831423269189966821274438471032679785927275264803808707024429413058926092804885015879631635622351855284677161650432959025003284638094702997364397213198768355707853156431069625021490441879655805634212831231731548016592891872647515060324711213526215810496483658944613670174221911309

Observe N = max{N1, N2, N3}

N = 4257840089267745419233875938262076642141139469439616809226203946673541695192526050595813913325313453434881153953819503282977282460750908859903441533555796983314565375303493701215322950909532542949679595392947796419813401223472999054834813104496684588268025763918381605311605447901653440424156299336935216307028632117389235152565274025245577016639874659426056601504419749727137316375411080571906384073150128758719722036152746184307628707852003333956939016552280052367816436998439788565472393429943478177205298246885453884662430203582920683041450649381174527191842473767023385293276620178155990785991083101909875503667

Taking t = 3, β = 0.2, then we have σ = t(1+β)/(3t+1) = 0.36 and
\[
\varepsilon = \left(\frac{a}{b}\right)^{\frac{j}{i}} N^{3\sigma - \beta - 1} = 2.287102475 \times 10^{-74}.
\]
Applying Theorem 2.3, for n = t = 3 we compute
\[
C = \left[ 3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1} \right]
\]

C = 148017317000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Consider the lattice L spanned by the matrix


\[
M = \begin{pmatrix}
1 & -[C X_1] & -[C X_2] & -[C X_3] \\
0 & C & 0 & 0 \\
0 & 0 & C & 0 \\
0 & 0 & 0 & C
\end{pmatrix}.
\]

Therefore, by applying the LLL algorithm to L, we obtain the reduced basis with the following matrix
\[
K = \begin{pmatrix}
a_{11} & a_{12} & a_{13} & a_{14} \\
b_{11} & b_{12} & b_{13} & b_{14} \\
c_{11} & c_{12} & c_{13} & c_{14} \\
d_{11} & d_{12} & d_{13} & d_{14}
\end{pmatrix}
\]

where

a11 = 13764109169144680060901580870681534619170310496083843503546513461365365320654263537534471444203597945830652836287998135176219964297114269474639718670496094104036084120120661653380880916980472071567722023656085012079982592

a12 = 9054443181827136665054499383820674540210754978786022139396155886914921275774580715467460102780858221478486305452993305158019051969772213559105450457366488354291087206569383850703706163508396607200747191584682994183207271

a13 = 12409071826642183984226409880744674434150298040976327871402604230432503642194467240896972998051178374519777232364270599770247592491883547761066395694114567306061609216512942775997158016394659571527716892252561221657905112

a14 = 5973234879042481459993634011648000346041570917658058390146272518243422072713285452315038744773369330528302501440582322860584542820766638442557379504106955389675765825917255975144114831672004097865095111588584143123063124


b11 = 20968724232484186931314780743373493421317720637165810914110274123286984777730429506217947760945169495221354609252980810287446997598108110903825851843544877096249555735465553623956585638950955852873737121115295035012017284

b12 = −51162293482593639515256390204304938270547029673739190911718881334787736675374150844859264902217170198452946596164554869163098555496252788425639568623495078103014510963702626334310686254068068455427964938432867223509893756

b13 = 22741758683451874283652846271436440028158711747699383670475352214921074663092210777869495242569807000952472327394556298454421131735747604680220956630709178159571093510763436752169461888787950655929580801410394586642382324

b14 = −18220831292760651685786906674627719774446090567820858686484032694725285582282850953842741240029631082473622499229983241087737339609205923225530787047279925306577387079092779596098208485528505329635524347804875213493683497

c11 = 10190561812860238985232930483137397052006077279889821060374446178237886149232870067774320842153799336532555266209174545454671769731160610890161593686167558888858152460962744854132762178113640100727058183053408033366248458

c12 = 21483687164200957468716905211736490301316107663114169773285877501188391058485483358959356088119514686638039744290480036172473781814756356544086502544638626195290841868232987859376044824176979773514812954216901997764040584

c13 = −16347000762230964715725672253560658819957223636873414838495303311697313864567558293217767111858275112897040805899282038825995943355215269119293824499201955883220559016002631909626757228308654135243050373624358133393069770

c14 = −81194160893788645438457294630563858774086650280401971020851623435615808854626941263763776466618417849842298201930500308835351639661643150731621965876618408420310069218135734208769886479237588037943155103140990524063978919


d11 = −22049224964766376565184569424878914988246672883010292147006215842532801536530604530199283197569222204342806169556574422440133027421155353693589060034436098503531438811355456950189938803484938947266407241125173878480803584

d12 = 49602136294947181112870334754278982684823636821402519901141988968997463437383753504578843210065310485138685894742503057355137772566395659417853513353728754664529537773860337979147178434536879241541641924201032141757494514

d13 = 21717149370209085094208259533302246359057175002517911924260792020798149264490171703628320210673216205688293762528087155514181741828800187389313321728799533166506140902693180634526254187892007176472555317902442351554523747

d14 = 58923837435646816496506610388711379471240719311492431389753135460819219485097467446736466108102749230156091135949030993898249826176644055882395312952778251939660979470506089191487034338130340768550268728863791521032860308

Next we compute Q = JK
\[
Q = \begin{pmatrix}
e_{11} & e_{12} & e_{13} & e_{14} \\
f_{21} & f_{22} & f_{23} & f_{24} \\
g_{31} & g_{32} & g_{33} & g_{34} \\
h_{41} & h_{42} & h_{43} & h_{44}
\end{pmatrix}
\]


where

e11 = 13764109169144680060901580870681534619170310496083843503546513461365365320654263537534471444203597945830652836287998135176219964297114269474639718670496094104036084120120661653380880916980472071567722023656085012079982592

e12 = 1158786659638892931053866906384283760501278140588755079698977530661742713519669303253260365879882309952537734805749855949810767350414938932077858553946403824928017912824760277263792001041766425710946630214547867169669374

e13 = 5263693589947885755810769451355048410570178852715156596163499101979256572207395092378504222471430416360633371121337806201510021135733727148068709102204326448124920286861604697296301093677545814191385274592807411059672806

e14 = 12708027402672212455307654054060269892308681942359915547441525337251392601456696837522133903374906215749408612999883691614393114860765430419282078483608839024681930734879716115985642572906164826164804289059586217616893673

f21 = 20968724232484186931314780743373493421317720637165810914110274123286984777730429506217947760945169495221354609252980810287446997598108110903825851843544877096249555735465553623956585638950955852873737121115295035012017284

f22 = 1765336035311276671604056378185377533496379662936974455176176218324141711304289191081403960528241081702384980987906025776638699526463492234623902900886770382580074292215894395071351361033369097068576408552774006471681800

f23 = 8018894501311967991912829715960561216693205283742348749871591845037166998333477245686700139921534815424316385640661803151600501724446562156538551281537992414958248884200026714508000708133952463352194920175303647164330105

f24 = 19359852415501058645323616871037002425320909305448570263615872839706922511718937281809544792771213468083697881357559729732867422695329391782099235100690764910387148525026989447530242396655311941501586712474865446560198713


g31 = 10190561812860238985232930483137397052006077279889821060374446178237886149232870067774320842153799336532555266209174545454671769731160610890161593686167558888858152460962744854132762178113640100727058183053408033366248458

g32 = 857933262360326432884290027353517767588420613225440846223059025441411697340555086633983447411985460911152080275173268472190023299851600300329202957706151440374100459211646150498513916441203987691954874611443146516862765

g33 = 3897091648514831292722629408975491746431061650779509305851594824991200623365939636619441929113970025103712497418498704233408805757914865967237427290939164552202876494773072780122748361450066972364076521181376613305626743

g34 = 9408668383476673432004495158013372276537999832491815740149527457818812549450706886303953133286529574605764932015534978214960407855532747389827827350380039900663449498207682623951920132765222736898495959880524290836217475

h41 = −22049224964766376565184569424878914988246672883010292147006215842532801536530604530199283197569222204342806169556574422440133027421155353693589060034436098503531438811355456950189938803484938947266407241125173878480803584

h42 = −18563023171761030551014677318465338170876364667905279388121352957917587684167925309837404873921477856601682870648703463451909775725088107924552538387736946455317135024429070391864491201560997814583589507003878622754754888

h43 = −84321013938580827116730513637132242892299951921122035265082624687685130234110110265317875594037118424792797497736414139001201684343551515977965163432788447290889382470656095437155066279899984713848704606600803499415757061

h44 = −20357449335556780816763904969706677341085005605089925078475597543303207716879388510130345847706800427899745333513841454988593767558682280864919960707194388709614820097752807631382438592786040165779614025085355224794825983


From the first row of Q we obtain d, k1, k2 and k3 as follows:

d = 13764109169144680060901580870681534619170310496083843503546513461365365320654263537534471444203597945830652836287998135176219964297114269474639718670496094104036084120120661653380880916980472071567722023656085012079982592

k1 = 1158786659638892931053866906384283760501278140588755079698977530661742713519669303253260365879882309952537734805749855949810767350414938932077858553946403824928017912824760277263792001041766425710946630214547867169669374

k2 = 5263693589947885755810769451355048410570178852715156596163499101979256572207395092378504222471430416360633371121337806201510021135733727148068709102204326448124920286861604697296301093677545814191385274592807411059672806

k3 = 12708027402672212455307654054060269892308681942359915547441525337251392601456696837522133903374906215749408612999883691614393114860765430419282078483608839024681930734879716115985642572906164826164804289059586217616893673

We next compute φ(N_s) = (e_s d − z_s)/k_s for s = 1, 2, 3, where z1, z2, z3 are:

z1 = 30527508304910313020443226159959727128392978799080686980424273894367869934944744951797001904817531132281261819726959030804813540677020640885280444164903281925251860918270758706574593650721542473546417068341151780850172883

z2 = 18087235169878820182110343150479887685162555785778439692932630272840094715302323806233856618175692715250936341799702399927473478734484527328827099000026165442622064629904966813920618386380693365342830588494025593632019304

z3 = 18797682417461741127565849272760803475315227217541926081288782381986402103596507239917141377961662962942932707850202638317480361307941595234162780097536256261521482114972039361289790212302529186860366891474285048261457566


φ(N1) = 3752702883881559525591792667334102001301497116337578486380722273041568912045244659295163793565326525944300991931444130530346848160866908955039488375413453331726530746504330399771099859485224424383277444300277732009078494311763616050721625983991232827201399331174635649076897585957206775300140052737661334910073434592004617280589311900334818706827495605415965273828730167785082445005140393942994464259201697629641183924391453037840871616767601940056142584944507814035304014787232149584252054635561681375045029782713641812124244137350389761637111945078121470838515484127744755082132460130798350054505712344720275341460

φ(N2) = 4257840089267745419233875938262076642141139469439616809226203946673541695192526050595813913325313453434881153953819503282977282460750908859903441533555796983314565375303493701215322950909532542949679595392947796419813401223472999054834813104496684588268025763918381605311605447901653440424156299336935216306877457564519779360184657532900122203037259875620011703110364903609881412258986580056015083704120251735272514854115800847279817010374815172669685376564341278978046073159247843047336583071559510562225121329820148730450029843515797010848925023543607816214358883280563916043472322945408210599845758793883871132856

φ(N3) = 4056588278613075487172852467806647147207789782952427860044854173296850602843083558352012376436597991183024765009705517224073417878205539526315911397077934407572844404848109092192429132230687997303954131526599037712059056456058821586634440835908178488624456643230900303767437118092455037138302969873010211549941006344691199946767847745282396422607982130350661161578492424836936417517430694710658749242013559182511273241563640999769627941755158821357486504115238107447916182615546662631223321553947626769358893921274536438817290462505262221020779055166807743556873300537429968263157542590127348390427515731636294470256


Also, we proceed to compute N_s − φ(N_s) + 1 for s = 1, 2, 3.

N1 − φ(N1) + 1 = 166665673523224621953838206544393346058890586680595756343013503201332191265502323802723070620902034023497186621980415270533550160064776059131183741994876361966842123489195948088996039900979987656475153120428672400314750532401007550356446234394729037226305536132241879139328929125498190502890255523532607888630

N2 − φ(N2) + 1 = 151174552869455792380616492345454813602614783806044898394054846117255904116424500515891300369029877023447207182036945337027811697477188161287253639987938773389770363839191945518135810358383967614980176917065305154212400360067123672192525625837566710977483590486459469249804297232747780186145324308026004370812

N3 − φ(N3) + 1 = 138792318017156910915514065360821895626140923762191172193012928151597434181062706879341968362260892752116130025539176970768576152466715189399573223607763830333688041336501930956135323493297195565417457179356370879229638390654336681077300841705420577663458628872697560267882972064768823843458598045163115052384

Finally, solving the quadratic equation x^2 − (N_s − φ(N_s) + 1)x + N_s = 0 for s = 1, 2, 3 gives us p1, p2, p3 and q1, q2, q3, which lead to the factorization of the 3 RSA moduli


N1, N2, N3. That is:

p1 = 139827604650824535502106880006759787705924055462491084984882411890209155050120398256302029535094249080148517207499814458099427188153603596101718035261121877672931434907704273690051425765725495747931733085969822723387488996909022466957166838256345486227819553011254542493260730678239287013058735270688183878759

p2 = 113739553818289492934682443651991877291502552078353716915268629542111349870727887307836086431692942580732341049297947377485629632324810403557260435301409905226787856712299547619004397936425817425707868192763627975627090536938936451293133300276418076305940351281023586805617727375912704306448107896864419447669

p3 = 96950443730393123364318717819646127070963583290840592997471667405385234587324641360881318957670354717874263306204697106214452805236665744907615650294561777661745214437112126657569829196129529784064427047866525066602554645123465198926190051246785479615411587476737292701822321033540972684248929728036181770807

q1 = 26838068872400086451731326537633558352966531218104671358131091311123036215381925546421041085807784943348669414480600812434122971911172463029465706733754484293910688581491674398944614135254491908543420034458849676927261535491985083399279396138383550998485983120987336646068198447258903489831520252844424009871

q2 = 3743499905116629944593404869342936311112231727691181478786216575144554245696613208055213937336934442714866132738997959542182065152377757729993204686528868162982507126892397899131412421958150189272308724301677178585309823128187220899392325561148634671543239205435882444186569856835075879697216411161584923143


q3 = 41841874286763787551195347541175768555177340471350579195541260746212199593738065518460649404590538034241866719334479864554123347230049444491957573313202052671942826899389804298565494297167665781353030131489845812627083745530871482151110790458635098048047041395960267566060651031227851159209668317126933281577.

From our result, one can observe that we get d ≈ N^{0.3592}, which is larger than the Blömer-May bound of x < (1/3) N^{0.25}, Blömer and May (2004). This shows that the Blömer-May attack cannot yield the factorization of t RSA moduli in our case. Also our bound d ≈ N^{0.3599} is greater than x = N^{0.344} of Nitaj et al. (2014).

3.1.4 The Attack on t RSA Moduli Ns = psqs Satisfying esds−kφ(Ns) = zs

In this section, we present another case in which $t$ RSA moduli satisfying equations of the form $e_s d_s - k\phi(N_s) = z_s$, for unknown parameters $d_s$, $k$ and $z_s$ with $s = 1, \dots, t$, can be simultaneously factored in polynomial time.

Theorem 3.5. Let $N_s = p_s q_s$ be $t$ RSA moduli for $s = 1, \dots, t$, $i = 3, \dots, j$ and $t \ge 2$. Let $(e_s, N_s)$ be the public key pairs and $(d_s, N_s)$ the private key pairs, with the condition $e_s < \phi(N_s)$, such that the relation $e_s d_s \equiv z_s \pmod{\phi(N_s)}$ is satisfied. Also, let $e = \min e_s = N^\alpha$ for the $t$ public exponents. If there exist positive integers $d_s < N^\gamma$, $k < N^\gamma$, $z_s < N^\gamma$ for $\gamma = \frac{t(\alpha+\beta)}{3t+1}$ such that the equation $e_s d_s - k\phi(N_s) = z_s$ holds, then the prime factors $p_s$ and $q_s$ of the $t$ RSA moduli $N_s$ can be recovered in polynomial time for $s = 1, \dots, t$.

Proof. Given $t \ge 2$ and $i = 3, \dots, j$, suppose $N_s = p_s q_s$, $1 \le s \le t$, are $t$ RSA moduli. Set $e = \min e_s = N^\alpha$ for the $t$ public exponents, $s = 1, \dots, t$, and suppose that $d_s < N^\gamma$. Then the equation $e_s d_s - k\phi(N_s) = z_s$ can be rewritten as

$$e_s d_s - k\bigl(N_s - (p_s + q_s) + 1\bigr) = z_s,$$

$$e_s d_s - k\bigl(N_s - (N_s - \phi(N_s) + 1) + 1\bigr) = z_s.$$

Suppose

$$\Upsilon = \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil,$$

then we have

$$e_s d_s - k\bigl(N_s - \Upsilon + \Upsilon - (N_s - \phi(N_s) + 1) + 1\bigr) = z_s,$$

$$\left| \frac{k(N_s - \Upsilon + 1)}{e_s} - d_s \right| = \frac{\bigl| z_s - k\bigl(N_s - \phi(N_s) + 1 - \Upsilon\bigr)\bigr|}{e_s}. \qquad (5)$$


Suppose $N = \max N_s$, that $d_s < N^\gamma$, $k < N^\gamma$, $z_s < N^\gamma$ are positive integers, that

$$|\Upsilon + \phi(N_s) - N_s - 1| < N^{2\gamma-\beta},$$

and take $e = \min e_s = N^\alpha$. Plugging the above conditions into inequality (5), we have

$$\frac{\bigl|z_s - k\bigl(N_s - \phi(N_s) + 1 - \Upsilon\bigr)\bigr|}{e_s} \le \frac{\bigl|z_s + k\bigl(\Upsilon + \phi(N_s) - N_s - 1\bigr)\bigr|}{e_s} < \frac{N^\gamma + N^\gamma N^{2\gamma-\beta}}{N^\alpha} = \frac{N^\gamma + N^{3\gamma-\beta}}{N^\alpha} < \left(\frac{a}{b}\right)^{\frac{j}{2i}} N^{3\gamma-\alpha-\beta}.$$

Hence we get

$$\left| \frac{k(N_s - \Upsilon + 1)}{e_s} - d_s \right| < \left(\frac{a}{b}\right)^{\frac{j}{2i}} N^{3\gamma-\alpha-\beta}.$$

We now proceed to show the existence of the integer $k$ and the $t$ integers $d_s$. Let

$$\varepsilon = \left(\frac{a}{b}\right)^{\frac{j}{2i}} N^{3\gamma-\alpha-\beta} \quad\text{and}\quad \gamma = \frac{t(\alpha+\beta)}{3t+1}.$$

Then we get

$$N^\gamma \varepsilon^t = N^\gamma \left( \left(\frac{a}{b}\right)^{\frac{j}{2i}} N^{3\gamma-\alpha-\beta} \right)^{t} = \left(\frac{a}{b}\right)^{\frac{jt}{2i}} N^{\gamma}\, N^{3\gamma t - t\alpha - \beta t} = \left(\frac{a}{b}\right)^{\frac{jt}{2i}},$$

since $\gamma + 3\gamma t - t\alpha - \beta t = \gamma(3t+1) - t(\alpha+\beta) = 0$. Since $\left(\frac{a}{b}\right)^{\frac{jt}{2i}} < 2^{\frac{t(t-3)}{4}} \cdot 3^t$ for $t \ge 2$, it follows that $N^\gamma \varepsilon^t < 2^{\frac{t(t-3)}{4}} \cdot 3^t$. Hence, if $k < N^\gamma$ then $k < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}$, and for $s = 1, \dots, t$ we have

$$\left| \frac{k(N_s - \Upsilon + 1)}{e_s} - d_s \right| < \varepsilon, \qquad k < 2^{\frac{t(t-3)}{4}} \cdot 3^t \cdot \varepsilon^{-t}.$$

This fulfils the conditions of Theorem 2.3. We next proceed to reveal the private keys $d_s$ and $k$ for $s = 1, \dots, t$. From the equation $e_s d_s - k\phi(N_s) = z_s$ we compute the following:

$$\phi(N_s) = \frac{e_s d_s - z_s}{k}, \qquad p_s + q_s = N_s - \phi(N_s) + 1, \qquad x^2 - (N_s - \phi(N_s) + 1)x + N_s = 0.$$

Finally, by finding the roots of the quadratic equation, the prime factors $p_s$ and $q_s$ can be found, which leads to the factorization of the $t$ RSA moduli $N_s$ for $s = 1, \dots, t$ in polynomial time.


Let

$$X_s = \frac{N_s - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N_s} \right\rceil + 1}{e_s} \qquad \text{for } s = 1, 2, 3.$$

Consider the lattice $L$ spanned by the matrix

$$M = \begin{pmatrix} 1 & -[C(X_1)] & -[C(X_2)] & -[C(X_3)] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$

Also take $a = 3$, $b = 2$, $t = 3$, $i = 3$ and $j = 4$ as small positive integers. The matrix $M$ above will be used to compute the required reduced basis, which leads to the successful factoring of the moduli $N_s$ for $s = 1, \dots, t$.


Table 4: Algorithm for factoring RSA moduli $N_s = p_s q_s$ for $e_s d_s - k\phi(N_s) = z_s$ of Theorem 3.5

INPUT: The public key tuple $(N_s, e_s, \alpha, \sigma)$ satisfying Theorem 3.5 above.

OUTPUT: The prime factors $p_s$ and $q_s$.

1. Compute $\varepsilon = \left(\frac{a}{b}\right)^{\frac{j}{2i}} N^{3\sigma-\alpha-\beta}$, where $N = \max N_s$ for $s = 1, \dots, t$, $t \ge 2$, $\beta < \sigma \le \frac{1}{2}$ and $a > b$. Also compute $e = \min\{e_1, \dots, e_t\} = N^\alpha$.

2. Compute $C = \left[3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1}\right]$.

3. Consider the lattice $L$ spanned by the matrix $M$ as stated above.

4. Apply the LLL algorithm to $L$ to obtain the reduced basis matrix $K$.

5. Compute $J = M^{-1}$.

6. Compute $Q = JK$ to produce $k$ and $d_s$.

7. Compute $\phi(N_s) = \frac{e_s d_s - z_s}{k}$.

8. Compute $N_s - \phi(N_s) + 1$.

9. Solve the quadratic equation $x^2 - (N_s - \phi(N_s) + 1)x + N_s = 0$.

10. Output the prime factors $p_s$ and $q_s$ for $s = 1, \dots, t$.

Example 3.4. In what follows, we give an illustration of how Theorem 3.5 works on 3 RSA moduli and their corresponding public exponents:

$N_1 = 329514818397907511194535067519744287$

$N_2 = 853577457696022637279536861717261139$

$N_3 = 689835688169708146675664504365049467$

$e_1 = 167369348344774632991700349806069653$

$e_2 = 737687793704945765120221919495997383$

$e_3 = 156091109112298242178765923428663298$

Observe

$N = \max\{N_1, N_2, N_3\} = 853577457696022637279536861717261139$

$e = \min\{e_1, e_2, e_3\} = 156091109112298242178765923428663298$

with $e = \min\{e_1, e_2, e_3\} = N^\alpha$ for $\alpha = 0.9794645353$. Since $t = 3$, we have

$\gamma = \frac{t(\alpha+\beta)}{3t+1} = 0.3688393605$ and $\varepsilon = 0.00005009279807$.

Applying Theorem 2.3, we compute

$C = \left[3^{t+1} \cdot 2^{\frac{(t+1)(t-4)}{4}} \cdot \varepsilon^{-t-1}\right] = 0.00005009279807.$

Consider the lattice L spanned by the matrix


$$M = \begin{pmatrix} 1 & -[C(X_1)] & -[C(X_2)] & -[C(X_3)] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$

Therefore, by applying the LLL algorithm to $L$, we obtain the reduced basis given by the following matrix

$$K = \begin{pmatrix} -1424579461243 & -60125738090 & 266732672439 & 2957665316792 \\ 258395480634514 & 21185514433820 & -129818740616122 & 137993452225584 \\ 196899106295135 & 291427529910050 & 274154359898645 & 74704790779560 \\ -162814655725785 & 366161498530450 & -421680171226195 & -33871422775960 \end{pmatrix}$$

Next we compute $Q = JK$:

$$Q = \begin{pmatrix} -1424579461243 & -2804695406341 & -1648378792750 & -6295847076671 \\ 258395480634514 & 508726004601070 & 298989029400110 & 1141963979993325 \\ 196899106295135 & 387652660987237 & 227831665385049 & 870184287007563 \\ -162814655725785 & -320547592761628 & -188392597920164 & -719550016112108 \end{pmatrix}$$

From the first row of $Q$ we obtain $k$, $d_1$, $d_2$ and $d_3$ as follows:

$k = 1424579461243$, $d_1 = 2804695406341$, $d_2 = 1648378792750$, $d_3 = 6295847076671$.

We now compute $\phi(N_s) = \frac{e_s d_s - z_s}{k}$ for $s = 1, 2, 3$, where $z_1$, $z_2$, $z_3$ are

$z_1 = 579057474385$, $z_2 = 1556015073242$, $z_3 = 38593801470$,

which gives

$\phi(N_1) = 329514818397907510033962670013247816$

$\phi(N_2) = 853577457696022635407743651209932856$

$\phi(N_3) = 689835688169708144943019327714137216$

Also, we proceed to compute $N_s - \phi(N_s) + 1$ for $s = 1, 2, 3$:

$N_1 - \phi(N_1) + 1 = 1160572397506496472$

$N_2 - \phi(N_2) + 1 = 1871793210507328284$

$N_3 - \phi(N_3) + 1 = 1732645176650912252$

Finally, solving the quadratic equation $x^2 - (N_i - \phi(N_i) + 1)x + N_i = 0$ for $i = 1, 2, 3$ gives us $p_1, p_2, p_3$ and $q_1, q_2, q_3$, which leads to the factorization of the 3 RSA moduli $N_1, N_2, N_3$. That is:

$p_1 = 665240622214224083$, $p_2 = 1085312126633841397$, $p_3 = 1112653948231598779$,

$q_1 = 495331775292272389$, $q_2 = 786481083873486887$, $q_3 = 619991228419313473$.
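As an added worked check (not code from the paper), the following Python carries steps 7 to 10 of Table 4 through the Example 3.4 data: it takes $k$, $d_s$ and $z_s$ as read off the first row of $Q$ (the LLL step is assumed already done, as in the example), recovers $\phi(N_s)$ from the key equation, solves the quadratic, and confirms that the roots multiply back to $N_s$.

```python
"""Added check of steps 7-10 of Table 4 on the Example 3.4 data (not the paper's code)."""
from math import isqrt

# Public moduli and exponents of Example 3.4 (values from the paper).
N = [329514818397907511194535067519744287,
     853577457696022637279536861717261139,
     689835688169708146675664504365049467]
E = [167369348344774632991700349806069653,
     737687793704945765120221919495997383,
     156091109112298242178765923428663298]
# k, d_s and z_s as read off the first row of Q = JK in the example
# (the LLL step is assumed to have been done already, as in the paper).
K = 1424579461243
D = [2804695406341, 1648378792750, 6295847076671]
Z = [579057474385, 1556015073242, 38593801470]


def phi_from_key_equation(e, d, z, k):
    """Step 7: phi(N) = (e*d - z)/k; the division must be exact."""
    num = e * d - z
    if num % k != 0:
        raise ValueError("e*d - z is not divisible by k: wrong k, d or z")
    return num // k


def factor_from_phi(n, phi):
    """Steps 8-9: p + q = n - phi + 1, then solve x^2 - (p+q)x + n = 0."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("discriminant is not a perfect square: phi is wrong")
    p, q = (s + r) // 2, (s - r) // 2   # larger root first, as in the paper
    if p * q != n:
        raise ValueError("recovered roots do not multiply to n")
    return p, q


def recover_all():
    """Step 10: return [(p_1, q_1), (p_2, q_2), (p_3, q_3)]."""
    return [factor_from_phi(n, phi_from_key_equation(e, d, z, K))
            for n, e, d, z in zip(N, E, D, Z)]


if __name__ == "__main__":
    for s, (p, q) in enumerate(recover_all(), 1):
        print(f"p{s} = {p}, q{s} = {q}")
```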


From our result, one can observe that we get $\min\{d_1, d_2, d_3\} \approx N^{0.3400}$, which is larger than the Blömer-May bound of $x < \frac{1}{3}N^{0.25}$, Blömer and May (2004). This shows that the Blömer-May attack cannot yield the factorization of the $t$ RSA moduli in our case. Also, our $\min\{d_1, d_2, d_3\} \approx N^{0.340}$ is greater than $\min\{x_1, x_2, x_3\} \approx N^{0.337}$ of Nitaj et al. (2014).

4. Conclusion

The paper reported some improvement of bounds over former attacks on $t$ instances of factoring RSA moduli $N_s = p_s q_s$. It has been shown that $t$ instances of RSA moduli $N_s = p_s q_s$ satisfying equations of the form $e_s d - k_s\phi(N_s) = 1$, $e_s d_s - k\phi(N_s) = 1$, $e_s d - k_s\phi(N_s) = z_s$ and $e_s d_s - k\phi(N_s) = z_s$ for $s = 1, \dots, t$, using

$$N - \left\lceil \left( \frac{a^{\frac{i+1}{i}} + b^{\frac{i+1}{i}}}{2(ab)^{\frac{i+1}{2i}}} + \frac{a^{\frac{1}{j}} + b^{\frac{1}{j}}}{2(ab)^{\frac{1}{2j}}} \right)\sqrt{N} \right\rceil + 1$$

as a good approximation of $\phi(N_s)$, can be simultaneously factored in polynomial time for unknown positive integers $d$, $d_s$, $k$, $k_s$ and $z_s$ using simultaneous Diophantine approximations and lattice basis reduction methods.

Acknowledgements

The present research was partially supported by the Universiti Putra Malaysia Grant with Project Number GP-IPS/2018/9657300.

References

Abubakar, S. I., Ariffin, M. R. K., and Asbullah, M. A. (2018). A New Improved Bound for Short Decryption Exponent on RSA Modulus N = pq Using Wiener's Method. In 3rd International Conference on Mathematical Sciences and Statistics (ICMSS'2018), page 122.

Asbullah, M. A. and Ariffin, M. R. K. (2016a). Analysis on the AAβ Cryptosystem. In The 5th International Cryptology and Information Security Conference 2016 (Cryptology2016), pages 41–48.

Asbullah, M. A. and Ariffin, M. R. K. (2016b). Analysis on the Rabin-p Cryptosystem. In The 4th International Conference on Fundamental and Applied Sciences (ICFAS2016), pages 080012-1–080012-8. AIP Conf. Proc. 1787.

Blömer, J. and May, A. (2004). A Generalized Wiener Attack on RSA. In International Workshop on Public Key Cryptography, pages 1–13. Springer.


Dubey, M. K., Ratan, R., Verma, N., and Saxena, P. K. (2014). Cryptanalytic Attacks and Countermeasures on RSA. In Proceedings of the Third International Conference on Soft Computing for Problem Solving, pages 805–819. Springer.

Hinek, J. (2007). On the Security of Some Variants of RSA. PhD thesis, University of Waterloo, Ontario, Canada.

Lenstra, A. K., Lenstra, H. W., and Lovász, L. (1982). Factoring Polynomials with Rational Coefficients. Mathematische Annalen, 261(4):515–534.

Nitaj, A. (2012). Diophantine and Lattice Cryptanalysis of RSA Cryptosystem. Artificial Intelligence Evolutionary Computation and Metaheuristics (AIECM), 2(11):139–168.

Nitaj, A., Ariffin, M. R. K., Nassr, D. I., and Bahig, H. M. (2014). New Attacks on the RSA Cryptosystem. In International Conference on Cryptology in Africa, pages 178–198. Springer.

Rivest, R., Shamir, A., and Adleman, L. (1978). A Method for Obtaining Digital Signatures and Public-key Cryptosystems. Communications of the ACM, 21(2):120–126.

Wiener, M. (1990). Cryptanalysis of Short RSA Secret Exponents. IEEE Trans. Inform. Theory, 36(3):553–558.

Yan, S. Y. Y. (2008). Cryptanalytic Attacks on RSA. Springer, 1st edition.
