New Asymmetric Cipher Based On Matrix Power Function and Its Implementation in Microprocessors Efficiency Investigation

The efficiency of realization of a new asymmetric cipher in microprocessors is presented. The cipher is based on the matrix power function, and therefore, unlike traditional asymmetric ciphers, computation with large numbers is avoided. Since microprocessors are widely used in embedded systems such as smart cards and have restricted computational resources, the development of efficiently realizable cryptographic primitives is a very relevant problem. The efficiency investigation of the proposed cipher showed that it has a significant superiority with respect to traditional asymmetric ciphers such as El-Gamal and elliptic curves. DOI: http://dx.doi.org/10.5755/j01.eee.19.10.5906


I. INTRODUCTION
As the technological possibilities expand, embedded systems such as smartphones become common devices in our everyday life. The security of data sent across the Internet is very important for such devices. This requires creating cryptographic protocols which can be implemented in computationally restricted electronic devices. However, many of the known protocols based on commuting cryptography, such as El-Gamal encryption, require a significant amount of computation. Recently, noncommuting cryptographic primitives such as the McEliece PKC [1] have been considered a promising trend of post-quantum cryptography. One of the first sources declaring noncommuting cryptography was [2]. In 2007 the state of the art of this promising field of investigation was presented in the seminal book by Myasnikov, Shpilrain and Ushakov [3]. In 2007 the authors published a new key agreement protocol (see [4]) based on the matrix conjugator search problem in combination with the matrix discrete logarithm function. This key agreement protocol was named STR (Sakalauskas, Tvarijonas, Raulynaitis) and was studied in detail in several sources available on the web (see [5]-[7]). Continuing our research in non-commuting cryptography, we present here a new asymmetric cipher based on the matrix power function (MPF). MPF was previously used for a key agreement protocol in [8] and for asymmetric cipher construction in [9]-[11].

Manuscript received January 09, 2013; accepted April 08, 2013. This research was partly funded by a grant (No. VP1-3.1-ŠMM-08-K-01-018) from the EU SA.
We expect that the proposed asymmetric cipher has an efficient realization in restricted computational environments, as was shown by Ottaviani et al. in [5] for the STR key agreement protocol.

II. PRELIMINARIES
Let $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$ be the finite ring of integers where multiplication and addition are performed modulo n. These operations are associative and commuting, and we take this for granted below. It is well known that if n is prime then $\mathbb{Z}_n$ is a field. Conveniently, we denote the multiplicative group in $\mathbb{Z}_n$, consisting of the integers relatively prime to n, by $\mathbb{Z}_n^*$. We denote the order of $\mathbb{Z}_n^*$ by $|\mathbb{Z}_n^*|$. The value of $|\mathbb{Z}_n^*|$ is determined by the value of Euler's totient function $\varphi(n)$.
Let Q and Y and all the other matrices defined below be square matrices of order m. Let matrix $Q = \{q_{ij}\}$ powered by matrix $Y = \{y_{ij}\}$ from the right be a matrix $C = \{c_{ij}\}$, i.e.
$$ Q^Y = C, \qquad (1) $$
where the elements of C are computed by the formula $c_{ij} = \prod_{k=1}^{m} q_{ik}^{\,y_{kj}}$. In a similar way, by powering matrix Q from the left by matrix $X = \{x_{ij}\}$, we obtain a matrix $D = \{d_{ij}\}$, i.e.
$$ {}^{X}Q = D, \qquad (2) $$
where the elements of D are computed by the formula $d_{ij} = \prod_{k=1}^{m} q_{kj}^{\,x_{ik}}$. Powering Q by X from the left and by Y from the right we obtain
$$ {}^{X}Q^{Y} = E, \qquad (3) $$
where the elements of E are computed by the formula
$$ e_{ij} = \prod_{k=1}^{m} \prod_{l=1}^{m} q_{kl}^{\,x_{ik} y_{lj}}. \qquad (4) $$
Consider (3) and assume that matrices Q and E are given, while matrices X and Y are unknown. We name the problem of finding matrices X and Y which satisfy (3) the MPF problem.
If the elements of matrix Q are from $\mathbb{Z}_n^*$, then, referring to Euler's theorem, we can see that the elements of matrices Q, X and Y are not in the same algebraic structures. Let matrix Q be from some matrix semigroup MS over some abstract semigroup S. In this case matrices X and Y should be chosen from a matrix ring over some commuting numerical ring R, since their elements are powers of the elements of matrix Q. It is clear that the characterization of R depends on the properties of the semigroup S. We name the matrix semigroup MS a platform semigroup, and the matrix ring MR a power ring. Hence, according to (3) and (4), matrices X, Y ∊ MR and matrices Q, E ∊ MS.
Let us now present two lemmas which indicate important properties of MPF useful for the construction of cryptographic protocols [9] (Sakalauskas, Luksys, 2007). We denote the ordinary matrix multiplication by XY.
Lemma 1. If R is a commuting numerical semiring and S is a commuting semigroup, then MPF satisfies the following associative law:
Lemma 2. If R is a commuting numerical semiring and S is a commuting semigroup, then MPF defined by (4) is an action of MR × MR in MS satisfying the following identity:
Now we can turn to the asymmetric cipher construction.

III. ASYMMETRIC CIPHER
The construction of the suggested asymmetric cipher is based on the conjecture that MPF is a candidate one-way function (OWF). This means that the direct computation of the MPF value, i.e. the computation of matrix E for given instances Q, X and Y in (3), is algorithmically efficient, while the computation of the inverse value, i.e. finding any matrices X and Y for the instances Q and E, is infeasible.
Let Bob be the sender and let Alice be the receiver. Bob is willing to encrypt a message M using Alice's public key. The message M can be decrypted by Alice's private key.
Alice and Bob agree on the following public matrices: matrix Q, selected from the platform semigroup MS, and matrix A, selected from the power ring MR. Alice randomly selects a nonsingular secret matrix X in MR and computes a secret matrix U as a polynomial of A, i.e. $U = P_U(A)$, where the polynomial $P_U(\cdot)$ is secret and chosen at random. Alice's private key $PrK_A$ is the pair of matrices (X, U), i.e. $PrK_A = (X, U)$. Her public key is the pair of matrices B and E, i.e. $PuK_A = (XAX^{-1} = B,\ {}^{X}Q^{U} = E)$.
Bob takes Alice's public key $PuK_A$ and performs the following encryption protocol:
1) Bob randomly chooses a secret non-singular matrix Y in the power ring MR;
2) He selects a random secret polynomial $P_V(\cdot)$ and computes a secret matrix $V = P_V(A)$. Then he takes matrix B and computes $P_V(B) = XVX^{-1}$;
3) He raises matrix ${}^{X}Q^{U}$ to the obtained matrix power $XVX^{-1}$ on the left and obtains ${}^{XV}Q^{U}$;
4) He raises the resulting matrix to the power matrix Y on the right and obtains ${}^{XV}Q^{UY} = K$. The obtained matrix K is used as a key to encrypt the message M and compute a ciphertext C;
5) Bob computes the ciphertext C = K ⊕ M, where ⊕ is the bitwise sum modulo 2 of the entries of matrices K and M;
6) Bob computes the matrices $Y^{-1}AY$ and ${}^{V}Q^{Y}$, which we denote by ε, i.e. $\varepsilon = (Y^{-1}AY,\ {}^{V}Q^{Y})$;
7) He sends the encryptor ε to Alice together with C.
To decrypt Bob's message Alice does the following:
1) Alice takes matrix $Y^{-1}AY$ from ε and computes $P_U(Y^{-1}AY) = Y^{-1}UY$;
2) Alice raises matrix ${}^{V}Q^{Y}$ to the power $Y^{-1}UY$ on the right and then raises the resulting matrix to the power X on the left, and hence obtains the matrix ${}^{XV}Q^{UY}$, which is the encryption key K;
3) Alice can now decrypt the ciphertext C using the encryption key K and the relation M = C ⊕ K.
Note that only matrices U and V are commuting. This is the main advantage of the suggested protocol as compared with protocols based on the conjugator search problem (CSP). Note also that, since Alice and Bob compute their matrices U and V as polynomials of A, only the coefficients of the polynomials must be stored. This shortens the private key lengths.
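As an added example (my own Python, not the paper's implementation), the following runs the whole Section III exchange on a toy instance and also exercises the Section II definitions: n = 33, so the platform matrices live over $\mathbb{Z}_{33}^*$ and the exponent arithmetic is done in $\mathbb{Z}_{10}$ (λ(33) = 10), with m = 3. The helper names, the choice of $\mathbb{Z}_{\lambda(n)}$ as the power ring, and the seeded random choices are my assumptions.

```python
import random
from math import gcd, prod

N, R, M = 33, 10, 3       # platform modulus n, power-ring modulus lambda(n) = 10, matrix order m
UNITS = [q for q in range(1, N) if gcd(q, N) == 1]          # the group Z_33^*
def matmul(A, B, r):      # ordinary matrix product XY over Z_r
    return [[sum(A[i][k] * B[k][j] for k in range(M)) % r for j in range(M)] for i in range(M)]

def det(A, r):            # Laplace expansion; adequate for the tiny m used here
    if len(A) == 1:
        return A[0][0] % r
    return sum((-1) ** j * A[0][j] * det([row[:j] + row[j + 1:] for row in A[1:]], r)
               for j in range(len(A))) % r
def inverse(A, r):        # adjugate over det; det(A) must be a unit of Z_r
    d_inv = pow(det(A, r), -1, r)
    minor = lambda i, j: [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
    return [[(-1) ** (i + j) * det(minor(j, i), r) * d_inv % r for j in range(M)] for i in range(M)]
def right_power(Q, Y):    # Q^Y: entry (i, j) is the product over k of q_ik^(y_kj) mod n
    return [[prod(pow(Q[i][k], Y[k][j], N) for k in range(M)) % N for j in range(M)] for i in range(M)]
def left_power(X, Q):     # ^X Q: entry (i, j) is the product over k of q_kj^(x_ik) mod n
    return [[prod(pow(Q[k][j], X[i][k], N) for k in range(M)) % N for j in range(M)] for i in range(M)]

def poly(coeffs, A):      # P(A) = sum c_i A^i over Z_R; every such matrix commutes with A
    res, Apow = [[0] * M for _ in range(M)], [[int(i == j) for j in range(M)] for i in range(M)]
    for c in coeffs:
        res = [[(res[i][j] + c * Apow[i][j]) % R for j in range(M)] for i in range(M)]
        Apow = matmul(Apow, A, R)
    return res
rand_matrix = lambda rng, r: [[rng.randrange(r) for _ in range(M)] for _ in range(M)]
def rand_nonsingular(rng):  # retry until det is a unit mod R (about one try in four for m = 3)
    while True:
        X = rand_matrix(rng, R)
        if gcd(det(X, R), R) == 1:
            return X

def run_cipher(seed=1):   # returns (Bob's key == Alice's key, decrypted message == original)
    rng = random.Random(seed)
    Q = [[rng.choice(UNITS) for _ in range(M)] for _ in range(M)]   # public platform matrix
    A = rand_matrix(rng, R)                                         # public power-ring matrix
    X, pu = rand_nonsingular(rng), [rng.randrange(R) for _ in range(M)]   # Alice: PrK_A = (X, U = P_U(A))
    B, E = matmul(matmul(X, A, R), inverse(X, R), R), right_power(left_power(X, Q), poly(pu, A))
    Y, pv = rand_nonsingular(rng), [rng.randrange(R) for _ in range(M)]   # Bob: secret Y and V = P_V(A)
    K_bob = right_power(left_power(poly(pv, B), E), Y)   # P_V(B) = X V X^-1, so K = ^(XV) Q^(UY)
    msg = rand_matrix(rng, N)                                       # constructed sample message
    C = [[K_bob[i][j] ^ msg[i][j] for j in range(M)] for i in range(M)]   # C = K xor M entry-wise
    eps = (matmul(matmul(inverse(Y, R), A, R), Y, R), right_power(left_power(poly(pv, A), Q), Y))
    K_alice = left_power(X, right_power(eps[1], poly(pu, eps[0])))   # P_U(Y^-1 A Y) = Y^-1 U Y
    recovered = [[C[i][j] ^ K_alice[i][j] for j in range(M)] for i in range(M)]
    return K_bob == K_alice, recovered == msg
```

Reducing exponents modulo 10 is sound here because every entry stays in $\mathbb{Z}_{33}^*$, where $u^{10} \equiv 1$; the same helpers let one check the Lemma 1 associativity ${}^{X}(Q^{Y}) = ({}^{X}Q)^{Y}$ directly.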

IV. SECURITY PARAMETERS DEFINITION AND THEIR SECURE VALUES DETERMINATION
The suggested protocol has two main security parameters: the parameter n, defining the group $\mathbb{Z}_n^*$, and the matrix order m. The choice of these parameters is based on the requirement that no information about a private key can be recovered from a public key. The recovery implies the solution of the following system of equations with respect to the unknown matrices X and U:
$$ {}^{X}Q^{U} = E, \qquad (8) $$
$$ XAX^{-1} = B, \qquad (9) $$
$$ UA = AU, \qquad (10) $$
where matrices Q, E, A and B are given.
We conjecture that solving this system of equations is infeasible.
We consider the simplest case of (8), when the elements $q_{ij} \in \mathbb{Z}_n^*$. Then the discrete logarithm of both sides of (8) can be taken, and (8) is transformed into the matrix MQ problem. This problem is defined as solving the equation
$$ XPU = D $$
with respect to the unknown matrices X and U, where P and D are the discrete logarithms of matrices Q and E respectively. It was shown in [12] that if matrix A is similar to a Jordan matrix then all solutions of (10) can be expressed as polynomials of matrix A. Hence (10) has $n^m$ solutions. Equation (9) can be considered in a similar way, since it is equivalent to (10) if we consider only invertible matrices. Hence it can be shown that this equation has $n^{m-1}\varphi(n)$ solutions. Since we obtain commuting matrices using polynomials, while the non-singular matrix X can be chosen freely, to determine the main security parameters we refer to the following facts:
1. The number of matrices commuting with a public matrix A, defined over a power ring, should be at least $2^{80}$. Every commuting matrix should be obtained using polynomials of matrix A;
2. The number of matrices conjugating with a public matrix A, defined over a power ring, should be at least $2^{80}$.
If these requirements are satisfied, then a total scan of matrices X and U is infeasible. Keeping this in mind, the choice of parameters is as follows:
1. For the platform group definition we seek to minimize the group order and to maximize the maximal orders of group elements. In this case the optimal solution is to choose n = 3p with a prime number p = 2q + 1, where q is also prime. This yields λ(n) = 2q.
2. Since we consider (9) and (10), the number of their solutions over the power ring must be at least $2^{80}$, which yields inequality (13). We can now apply the natural logarithm to both sides of (13) to obtain
$$ m \geq \left\lceil \frac{81\ln 2 + \ln(n-3) - \ln(n-9)}{\ln(n-3) - \ln 3} \right\rceil, \qquad (14) $$
where $\lceil\cdot\rceil$ is the ceiling function. Since the introduced protocol has two security parameters, which have to satisfy the inequality (14), one of them must be chosen for other reasons. Therefore we advise that the parameter n be chosen as a compromise between the available memory and the required computation time.
Based on the data of Table I we can see that the total amount of bits needed to store the information is the smallest if n = 33. This yields m = 25 and λ(n) = 10. However, the length of the keys is the smallest if n = 141, which yields m = 15 and λ(n) = 46.
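Added example (mine, not the paper's code) for the parameter choice of this section: it computes λ(n) and the matrix order m from (14) for n = 3p with p = 2q + 1 and q prime, and checks the result against a brute count. It assumes, as my reading of (13), that the bound is $\lambda(n)^{m-1}\varphi(\lambda(n)) \geq 2^{80}$, the number of solutions of (9) over the power ring $\mathbb{Z}_{\lambda(n)}$; the function names are my own.

```python
from math import ceil, log

def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def carmichael_3p(n):   # lambda(n) for n = 3p, p = 2q + 1, q prime: lcm(2, 2q) = 2q = (n - 3) / 3
    p, q = n // 3, (n // 3 - 1) // 2
    if n % 3 or not (is_prime(p) and is_prime(q)):
        raise ValueError("n must be 3p with p = 2q + 1 and q prime")
    return 2 * q

def min_order(n):       # smallest matrix order m allowed by inequality (14)
    return ceil((81 * log(2) + log(n - 3) - log(n - 9)) / (log(n - 3) - log(3)))

def conjugating_count(n, m):   # lambda(n)^(m-1) * phi(lambda(n)), with phi(2q) = q - 1 (my reading of (13))
    lam = carmichael_3p(n)
    return lam ** (m - 1) * (lam // 2 - 1)

def table_row(n):       # (lambda(n), m, bound met at m, bound missed at m - 1)
    m = min_order(n)
    return carmichael_3p(n), m, conjugating_count(n, m) >= 2 ** 80, conjugating_count(n, m - 1) < 2 ** 80
```

For n = 33 and n = 141 this reproduces the values m = 25, λ(n) = 10 and m = 15, λ(n) = 46 quoted from Table I.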

V. COMPARISON WITH OTHER ASYMMETRIC CIPHERS
We consider the implementation of the suggested protocol on a 32-bit microprocessor. Since all arithmetic operations are performed using pre-calculated look-up tables, we can consider them as elementary operations. We estimated the upper bound on the number of elementary operations needed to perform the asymmetric ciphering, which is no more than $8.0 \times 10^5$ if n = 33 and $1.04 \times 10^5$ if n = 141. As we can see, the amount of elementary operations is reduced 8 times in the case of n = 141 as compared to the case of n = 33.
To compare the efficiency of our algorithm with other known algorithms we introduce the term computational cost, defined as the number of elementary operations executed in the custom microprocessor. Since our algorithm uses fewer elementary operations in the case of n = 141 than in the case of n = 33, we compare its computational cost to the classical El-Gamal 2048-bit asymmetric encryption scheme and the elliptic curve ECC-521 asymmetric encryption scheme on a 32-bit microprocessor.
On average, the multiplication of 2048-bit integers requires 8191 elementary operations. The same is true for squaring. The total average amount of elementary operations for Alice to perform asymmetric encryption is about $23.5 \times 10^6$. As we can see, the minimum average number of operations performed in the case of El-Gamal encryption is at least 235 times greater than in our case.
Point addition in ECC-521 can be performed with 9 multiplications and 5 squaring operations [13]. The total amount of elementary operations on average is 8078. Point doubling requires 4 multiplications and 4 squaring operations, which can also be computed using elementary operations. The total amount of elementary operations for Alice to perform asymmetric encryption is on average about $6.9 \times 10^6$. This means that this algorithm uses at least 69 times more elementary operations than our algorithm.
The objective results of the obtained comparison are presented in Table II. The explanation of the obtained results can be based on the fact that the realization of both El-Gamal-2048 and ECC-521 relies on the usage of arithmetic operations with large integers. Despite the fact that the integers in ECC-521 are 4 times shorter than in El-Gamal-2048, the cost of each operation of ECC-521 is higher, since these operations themselves are more complicated.

VI. CONCLUSIONS
1. We expect that compromising the suggested asymmetric cipher is more complex than for the other compared and widely distributed ciphers, since its security relies on the solution of the matrix MQ problem, which is related to the NP-complete MQ problem.
2. As we see from the computation efficiency estimation results, the proposed cipher has a more effective realization as compared with El-Gamal and especially with the widely distributed ECC-521 cipher.
3. If the parameter n increases, the computational cost of the proposed algorithm reduces, but the memory requirements increase. This means that the parameter n must be chosen taking the memory requirements into consideration as well.
4. On this basis an even more secure cipher can be constructed by avoiding the transformation of the cryptanalysis equation to the matrix MQ problem, with approximately the same efficiency of computations.

TABLE I. INFLUENCE OF PARAMETER n ON KEY LENGTHS AND MEMORY REQUIREMENTS.