Asymmetric cipher protocol using conjugacy and discrete logarithm problem

The paper proposes an asymmetric cipher protocol based on matrices over a finite field F. The cipher rests on two simultaneous problems: the matrix conjugator search problem (MCSP) and the matrix discrete logarithm problem (MDLP). The construction of the algorithm does not allow a cryptanalysis that replaces the MCSP by the matrix decomposition problem (MDP) and applies the known MDP solution. The security parameters are defined and a preliminary security analysis is presented.


Introduction
The construction of an asymmetric cipher must be based on a one-way function (OWF). By the general definition, an OWF is a function whose value is easy to compute for any argument but which is hard to invert, i.e., the inversion problem is intractable. Hence the security of an asymmetric cipher relies on the complexity of inverting the OWF.
The security of classical asymmetric cipher protocols such as RSA, ElGamal, etc. relies on the complexity of OWFs based on number theory. But after the significant breakthrough by P. Shor of AT&T Research Labs in the field of quantum computing the situation has changed essentially: quantum algorithms can factor integers and find discrete logarithms in probabilistic polynomial time. So the security of classical asymmetric cryptosystems may face a serious threat in the near future, and there is a need for other approaches to constructing asymmetric cryptosystems that withstand the challenge of quantum computing.
New ideas in public key cryptography using hard problems in infinite noncommutative groups and semigroups appeared in [6]. One realization of these ideas appeared in [1], using the braid group as a platform; the security of this cryptosystem was based on the conjugator search problem. But according to [5], this approach is not sufficient to achieve the proper security.
Another approach, using representations of a non-commutative infinite group (e.g., the braid group), was used to construct a different kind of one-way function as the basis of both a digital signature scheme and a key agreement protocol [3,4]. The construction of a new asymmetric cipher using the decomposition (double coset) problem in the matrix semiring M over the semiring N of natural numbers is presented in [2].
We proposed in [4] the idea of using two simultaneous problems for the construction of a one-way function; here we use it to construct an asymmetric cipher. The idea is to combine the matrix group conjugacy problem with the matrix discrete logarithm problem. We conjecture, supported by our analysis, that these two simultaneous problems are intractable and hence that the proposed function is a good candidate for an OWF.
In this paper we analyze the security aspects of the CSP and DLP for matrices over a finite field. The construction of the asymmetric cipher protocol, with a brief mathematical background, is presented in Section 2. Section 3 provides a preliminary security analysis. The main conclusions about the security of the proposed algorithm are outlined in Section 4.

Asymmetric cipher protocol
We will use the idea, previously proposed for a key agreement protocol [4], of combining two simultaneous problems, here for the construction of an asymmetric cipher. For this we use the following algebraic structures:
• Let these matrices have the following form: where the zero block is the $m/2$-dimensional zero matrix; $L_1$ and $L_2$ are $m/2$-dimensional square matrices over $\mathbb{Z}_q$; $I$ is the $m/2$-dimensional identity matrix; $g_1$ and $g_2$ are numbers in $\mathbb{Z}_q$.
Given the matrices $M_{L1}$, $M_{L2}$ and some polynomials $p_{X1}, p_{X2}$, we calculate the secret matrix $X$ as
$$X = p_{X1}(M_{L1})\, p_{X2}(M_{L2}) = \bigl(a_{10} I + a_{11} M_{L1} + \cdots + a_{1n} M_{L1}^{n}\bigr)\bigl(a_{20} I + a_{21} M_{L2} + \cdots + a_{2n} M_{L2}^{n}\bigr), \qquad (1)$$
where the polynomials $p_{X1}, p_{X2} \in P$ are secret and chosen at random, i.e., their coefficients are secret and randomly generated. The main condition on $X$ is that the inverse matrix $X^{-1}$ must exist; hence $p_{X1}(M_{L1})^{-1}$ and $p_{X2}(M_{L2})^{-1}$ must exist:
This means that for a certain subset $P_F \subset P$ there exists a subring $M_F$ of matrices in $M$ which is a field. For the protocol construction let us choose at random any matrix $Q$ in $M$ not equal to $M_{L1}$ and $M_{L2}$. We also choose at random a secret integer $r \in \mathbb{N}$. From the instances $X$, $Q$ and $r$ we compute the matrix $A$ as follows:
For the asymmetric cipher we declare the following public parameters: the sets $M$ and $P$; the subset $M_L$ and the matrices $M_{L1}$, $M_{L2}$, $Q$. The public key (PuK) consists of the matrices $A$ and $Q$, and the private key (PrK) of the matrix $X$ and the secret integer $r$; in brief, PuK = {A, Q} and PrK = {X, r}. Instead of storing the matrix $X$ it is possible to store the coefficients of the polynomials $p_{X1}, p_{X2}$; the matrix $X$ is then recomputed using (1) for the decryption procedure. This makes sense since the PrK must be carefully stored in a memory-restricted electronic device.
Then instead of storing the matrix $X$ with $m^2$ elements in $\mathbb{Z}_q$, we store only the $2(n+1)$ numbers in $\mathbb{Z}_q$ representing the coefficients of $p_{X1}, p_{X2}$. Since PuK = {A, Q} is publicly available, it can be stored without significant concern for reducing its bit length.
An example of key lengths is given in Section 3.
To describe the ciphering processes we introduce the encryptor and decryptor operators, which use a randomly chosen secret matrix $Y \in M_F$. This matrix is calculated analogously to $X$, but with random polynomials $p_{Y1}(\cdot)$, $p_{Y2}(\cdot)$:
The same condition as for $X$ must hold: the inverse matrix $Y^{-1}$ must exist, i.e., $p_{Y1}(M_{L1})^{-1}$ and $p_{Y2}(M_{L2})^{-1}$ must exist.
DEFINITION 1. The encryptor $\varepsilon$ is an element of $M$ computed by the following equation with a secret random number $s \in \mathbb{N}$:
DEFINITION 2. The decryptor $\delta$ is an element of $M$ computed by the following equation with the secret random number $s \in \mathbb{N}$:
Since the elements of $\mathbb{Z}_q$ can be written in binary form, we define a bitwise XOR operation on $\mathbb{Z}_q$.
DEFINITION 3. The bitwise XOR $\oplus$ of numbers in $\mathbb{Z}_q$ is the sum modulo 2 of the bits of their binary representations.
Suppose Alice wants to send Bob a message $t$ encrypted by the asymmetric cipher. For encryption Alice uses Bob's public key PuK; decryption is performed with Bob's private key PrK.
First, to encrypt a message $t$, Alice encodes $t$ as a set of numbers in $\mathbb{Z}_q$ and forms an $m$-dimensional encoded matrix $T$ corresponding to $t$.
The asymmetric cipher encryption algorithm is the following.
Step 1: Alice chooses polynomials $p_{Y1}(\cdot)$ and $p_{Y2}(\cdot)$ in $P$ with secret, randomly generated coefficients and, using (2), calculates the secret matrix $Y \in M$, which must have an inverse $Y^{-1}$.
Step 4: Alice computes the ciphertext $C$ by the formula:
Step 5: Alice sends Bob the data $D = \{C, \delta\}$, which is the ciphertext for $T$.
Decryption algorithm: Bob receives $D = \{C, \delta\}$ and, using his private key PrK, calculates the encoded plaintext $T$ by the equation:
The last equation is valid because the identities $XY = YX$ and $X^{-1}Y^{-1} = Y^{-1}X^{-1}$ hold ($X$ and $Y$ both lie in the commutative subring $M_F$). Indeed, using these commutation identities we obtain:
Then Bob, using the known decoding procedure, recovers the initial message $t$ from $T$.

Preliminary security analysis
The security of the proposed asymmetric cipher relies on an OWF based on two simultaneous problems: the matrix conjugator search problem (MCSP) and the matrix discrete logarithm problem (MDLP).
DEFINITION 4. The MCSP is, for given instances $Q$ and $A$, to find the conjugator matrix $X$ from the following equation:
The MCSP alone in a matrix field does not provide sufficient security, since it can be solved by a polynomial-time algorithm: the unknown matrix $X$ in (9) can be found by solving the following homogeneous matrix equation, which corresponds to a homogeneous system of linear equations in the $m^2$ entries of $X$:
The MDLP is to find a natural number $r$ for given $m$-dimensional matrices $Q$ and $P$ satisfying the following equation:
This problem can be reduced to several ordinary DLPs when $Q$ can be transformed to diagonal form. If $Q$ has block-diagonal form, the initial $m$-dimensional MDLP can be split into several $l_i$-dimensional matrix DLPs, where $l_1, \ldots, l_k$ are the dimensions of the corresponding $k$ blocks.
To break the proposed cipher, the adversary must find PrK = (X, r), i.e., solve the following system of matrix equations:
The first matrix equation can be transformed into a system of multivariate quadratic equations in the $2(n+1)$ unknown polynomial coefficients.
The second corresponds to the MDLP. We know of no algorithm for solving this system other than brute force, i.e., an exhaustive scan of the solution space.
The preliminary analysis shows that in this construction the MCSP and MDLP cannot be solved separately. Since the total complexity is composed of both the MCSP and the MDLP, we conjecture that the security level of the proposed cipher is sufficient at this time, provided the cipher parameters are chosen so as to prevent brute-force attack.
The proposed cipher depends on the following parameters:
- the dimension $m$ of the matrices;
- the order $q$ of the finite field $\mathbb{Z}_q$;
- the degree $n$ of the polynomials;
- the magnitude of the secret integers $(r, s)$.
The greater the values of $q$, $n$ and $(r, s)$, the higher the security against brute-force attack. The PrK and PuK lengths depend on these values, so they can be treated as the security parameters of the proposed cipher. Let us, for example, choose $q = 61$, $n = 12$, $m = 10$, $r = 2^{128}$; then the exhaustive scan requires about $\eta = 2^{256}$ verification operations. Since the matrix $X$ of the private key PrK = {X, r} can be represented by the vectors of polynomial coefficients, the length of PrK is 256 bits. The representation of PuK = {A, Q} requires 4608 bits. Hence compromising the PrK by brute force has complexity $2^{256}$.
With the chosen parameters the ciphering procedure takes about $\log_2 r$ multiplications of $m$-dimensional matrices. A naive $m$-dimensional matrix product costs $m^3$ multiplications in the small field, here the field of order 61, so in total about $m^3 \log_2 r \approx 1.3 \cdot 10^5$ field multiplications are required. These can be performed by lookup in a $61 \times 61$ multiplication table.
For comparison, RSA with a 4096-bit key requires several thousand modular multiplications of 4096-bit numbers to compute the exponentiation.
As we see, the amount of computation in our system is similar to that in RSA. Furthermore, the private key in our system is about ten times shorter than in classical systems.
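Two points above can be checked on small parameters: the polynomial construction of the secret matrix from eq. (1) in Section 2, together with the commutation identities $XY = YX$ and $X^{-1}Y^{-1} = Y^{-1}X^{-1}$ that the decryption step relies on, and the observation here that the conjugator search problem on its own is a homogeneous linear system in the entries of $X$. The following Python is an added example written for this page, not code from the paper. Because the page does not reproduce the corresponding equations, three things are assumptions: $q$ is prime (so $\mathbb{Z}_q$ is a field), the public matrices have the commuting block forms $M_{L1} = \mathrm{diag}(L_1, g_1 I)$ and $M_{L2} = \mathrm{diag}(g_2 I, L_2)$, and the MCSP instance is $A = X Q X^{-1}$.

```python
# Added example for this page (not the paper's code). It builds a secret matrix as in
# eq. (1), checks the commutation identities the decryption step relies on, and shows
# why the MCSP on its own is a linear-algebra problem. Assumed, since the page does not
# give them: q prime, M_L1 = diag(L1, g1 I), M_L2 = diag(g2 I, L2), and A = X Q X^{-1}.
import random

def mat_mul(A, B, q):
    return [[sum(A[i][k] * B[k][j] for k in range(len(A))) % q for j in range(len(A))] for i in range(len(A))]

def poly_eval(coeffs, M, q):  # a_0 I + a_1 M + ... + a_n M^n over Z_q, by Horner's rule
    R = [[0] * len(M) for _ in M]
    for a in reversed(coeffs):
        R = mat_mul(R, M, q)
        for i in range(len(M)):
            R[i][i] = (R[i][i] + a) % q
    return R

def rref_mod(rows, q):  # reduced row echelon form over Z_q (q prime); returns (matrix, pivot columns)
    M, piv, r = [row[:] for row in rows], [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], -1, q)
        M[r] = [x * inv % q for x in M[r]]
        for i in range(len(M)):
            f = M[i][c]
            if i != r and f:
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[r])]
        piv.append(c)
        r += 1
    return M, piv

def mat_inv(X, q):
    """X^{-1} over Z_q via [X | I]; None when X is singular, i.e. no X^{-1} exists."""
    n = len(X)
    R, piv = rref_mod([X[i] + [int(i == j) for j in range(n)] for i in range(n)], q)
    return [row[n:] for row in R] if piv[:n] == list(range(n)) else None

def nullspace_mod(M, q):
    """Basis of {v : M v = 0 mod q}: one vector per free (non-pivot) column."""
    R, piv = rref_mod(M, q)
    basis = []
    for f in (c for c in range(len(M[0])) if c not in piv):
        v = [0] * len(M[0])
        v[f] = 1
        for i, pc in enumerate(piv):
            v[pc] = -R[i][f] % q
        basis.append(v)
    return basis

def conjugator_system(A, Q, q):
    """A X - X Q = 0 as m^2 homogeneous linear equations in the m^2 unknowns x_kl."""
    m, rows = len(A), []
    for i in range(m):
        for j in range(m):
            row = [0] * (m * m)
            for k in range(m):
                row[k * m + j] = (row[k * m + j] + A[i][k]) % q  # term of (A X)_ij
                row[i * m + k] = (row[i * m + k] - Q[k][j]) % q  # term of -(X Q)_ij
            rows.append(row)
    return rows

def recover_conjugator(A, Q, q, rng, tries=50):
    """An invertible X' with A X' = X' Q from the solution space; X' need not equal X."""
    basis = nullspace_mod(conjugator_system(A, Q, q), q)
    for _ in range(tries):
        cs = [rng.randrange(q) for _ in basis]
        v = [sum(c * b[t] for c, b in zip(cs, basis)) % q for t in range(len(A) ** 2)]
        Xp = [v[i * len(A):(i + 1) * len(A)] for i in range(len(A))]
        if mat_inv(Xp, q) is not None:
            return Xp
    return None

def secret_matrix(c1, c2, M1, M2, q):
    """Eq. (1): X = p_X1(M_L1) p_X2(M_L2); None unless X^{-1} exists."""
    X = mat_mul(poly_eval(c1, M1, q), poly_eval(c2, M2, q), q)
    return X if mat_inv(X, q) is not None else None

def demo(m=6, n=4, q=61, seed=7):
    rng, h = random.Random(seed), m // 2
    rand_block = lambda: [[rng.randrange(q) for _ in range(h)] for _ in range(h)]
    scalar_block = lambda g: [[g * int(i == j) for j in range(h)] for i in range(h)]
    diag = lambda B1, B2: [r + [0] * h for r in B1] + [[0] * h + r for r in B2]
    M1 = diag(rand_block(), scalar_block(rng.randrange(1, q)))  # assumed public M_L1
    M2 = diag(scalar_block(rng.randrange(1, q)), rand_block())  # assumed public M_L2
    def rand_secret():  # resample the 2(n+1) secret coefficients until X is invertible
        X = secret_matrix([rng.randrange(q) for _ in range(n + 1)],
                          [rng.randrange(q) for _ in range(n + 1)], M1, M2, q)
        return X if X is not None else rand_secret()
    X, Y = rand_secret(), rand_secret()
    Xi, Yi = mat_inv(X, q), mat_inv(Y, q)
    Q = [[rng.randrange(q) for _ in range(m)] for _ in range(m)]
    A = mat_mul(mat_mul(X, Q, q), Xi, q)  # assumed MCSP instance A = X Q X^{-1}
    Xp = recover_conjugator(A, Q, q, rng)
    return {"XY_commute": mat_mul(X, Y, q) == mat_mul(Y, X, q),
            "inverses_commute": mat_mul(Xi, Yi, q) == mat_mul(Yi, Xi, q),
            "stored_coefficients": 2 * (n + 1), "matrix_entries": m * m,
            "conjugator_found": Xp is not None and mat_mul(A, Xp, q) == mat_mul(Xp, Q, q)}
```

Calling demo() with m = 6, n = 4, q = 61 confirms that X and Y commute and so do their inverses, that 2(n+1) = 10 stored coefficients replace m^2 = 36 matrix entries, and that an invertible conjugator X' with A X' = X' Q falls out of the null space of the m^2 × m^2 linear system. X' is in general not the secret X, since X times any invertible element of the centralizer of Q is also a solution, which is the reason the paper couples the MCSP with the MDLP instead of relying on conjugation alone.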

Conclusions
This paper presents a new asymmetric cipher scheme based on a new one-way function (OWF). The new OWF is constructed from two simultaneous problems: the matrix conjugator search problem (MCSP) and the matrix discrete logarithm problem (MDLP) over the finite field $\mathbb{Z}_q$.
So far there are no known deterministic algorithms that solve the MCSP and MDLP simultaneously. Since in this construction neither the MCSP nor the MDLP can be separated out and solved on its own, the security of the proposed asymmetric cipher relies on preventing brute-force attack. The paper presents secure parameter values which show that the private key in our system is about ten times shorter than in classical systems, while the amount of computation is comparable to that of classical systems.