
Computers Math. Applic. Vol. 27, No. 2, pp. 99-106, 1994
Printed in Great Britain. All rights reserved
0898-1221/94 $6.00 + 0.00
Copyright © 1994 Pergamon Press Ltd

Key Generation of Algebraic-Code Cryptosystems

HUNG-MIN SUN
Institute of Computer Science and Information Engineering, National Chiao-Tung University, Hsinchu, Taiwan, Republic of China

TZONELIH HWANG
Institute of Information Engineering, National Cheng-Kung University, Tainan, Taiwan, Republic of China

(Received May 1992; revised and accepted November 1992)

Abstract. The purpose of this paper is to efficiently generate large nonsingular matrix (S, S^{-1}) pairs and permutation matrices over the binary field from short keys. The motivation of this work is to provide a solution to the long-key problem in algebraic-code cryptosystems. A special class of matrices which have exactly two 1's in each row and each column is defined, and their properties are investigated to facilitate the construction of these algorithms. The time complexities of these algorithms are studied and found to be O(n) n-bit word operations.

Keywords. Algebraic-code cryptosystem, DBO matrices, DES, private-key cryptosystem, public-key cryptosystem.

1. INTRODUCTION

In 1978, McEliece proposed a public-key cryptosystem (McEliece's scheme) based on algebraic coding theory [1]. McEliece's scheme works as follows: the system user (receiver) constructs a (k × n) generator matrix G for a t-error-correcting Goppa code C, a (k × k) nonsingular matrix S over GF(2), and a random (n × n) permutation matrix P. G, S, and P serve as secret keys of the receiver. Then, he computes G' = S^{-1} G P^{-1}, which is the generator matrix of a linear code (but supposedly hard to decode) with the same rate and error-correction capability as C. G' is published as the encryption key. The sender encrypts a k-bit message m into an n-bit ciphertext c by the equation c = m G' + e, where e is an n-bit random error vector of weight less than or equal to t, chosen by the sender. The receiver, knowing that c (= m G' + e = m S^{-1} G P^{-1} + e), computes

c P = (m S^{-1}) G + e P

and uses the decoding algorithm of the original code C to obtain the vector m S^{-1}. The plaintext can be recovered easily by m = (m S^{-1}) S.

Rao and Nam modified McEliece's scheme to construct a private-key algebraic-code cryptosystem (the Rao-Nam scheme) [2]. In this approach, G, S, P, and G' are all kept secret. The Rao-Nam scheme performs encryption by the equation c = (m S^{-1} G + e) P^{-1}, where e is a random error vector chosen from a predetermined syndrome-error table [2].
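The two encryption equations above can be exercised end to end on a toy instance. The following is an added example (not code from the paper): it substitutes the t = 1 Hamming(7,4) code for the Goppa code, uses fixed constructed values for S, S^{-1} and P, follows the paper's conventions G' = S^{-1} G P^{-1} and m = (m S^{-1}) S literally, and checks that every 4-bit message with every single-bit error decrypts correctly under both schemes. The parameters (n = 7, k = 4, t = 1) and the names mceliece_encrypt, rao_nam_encrypt and decrypt are choices of this example.

```python
from itertools import product

def mat_mul(a, b):
    """Matrix product over GF(2); a and b are lists of 0/1 rows."""
    cols = list(zip(*b))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in cols] for row in a]

def mat_add(a, b):
    """Entrywise sum over GF(2), i.e. XOR."""
    return [[x ^ y for x, y in zip(r, s)] for r, s in zip(a, b)]

def transpose(a):
    return [list(col) for col in zip(*a)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

# Constructed stand-in for the Goppa code: Hamming(7,4), t = 1,
# G = [I_4 | A] (4 x 7) and parity-check matrix H = [A^T | I_3] (3 x 7).
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [identity(4)[i] + A[i] for i in range(4)]
H = [transpose(A)[i] + identity(3)[i] for i in range(3)]
SYNDROME_TABLE = transpose(H)   # row i = syndrome of a single error in position i

def decode(word):
    """Syndrome decoding of one received 7-bit word: correct up to one error
    and return the 4 message bits (the code is systematic)."""
    syndrome = mat_mul([word], transpose(H))[0]
    corrected = word[:]
    if any(syndrome):
        corrected[SYNDROME_TABLE.index(syndrome)] ^= 1
    return corrected[:4]

# Constructed secret key: S with its inverse, and the permutation P (P^-1 = P^T).
S = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
S_INV = [[1, 1, 1, 1], [0, 1, 1, 1], [0, 0, 1, 1], [0, 0, 0, 1]]
PERM = [3, 0, 6, 1, 5, 2, 4]
P = [[int(j == PERM[i]) for j in range(7)] for i in range(7)]
P_INV = transpose(P)

def unit_error(pos):
    """The 1 x 7 error vector e with a single 1 at index pos (weight 1 = t)."""
    return [[int(j == pos) for j in range(7)]]

def mceliece_encrypt(m, err_pos):
    """McEliece: c = m G' + e, with the public key G' = S^-1 G P^-1."""
    g_pub = mat_mul(mat_mul(S_INV, G), P_INV)
    return mat_add(mat_mul([m], g_pub), unit_error(err_pos))[0]

def rao_nam_encrypt(m, err_pos):
    """Rao-Nam: c = (m S^-1 G + e) P^-1, e taken from the syndrome-error table
    (for this code, the seven single-bit errors)."""
    inner = mat_add(mat_mul(mat_mul([m], S_INV), G), unit_error(err_pos))
    return mat_mul(inner, P_INV)[0]

def decrypt(c):
    """Receiver: c P = (m S^-1) G + (permuted) e; decode to m S^-1, then m = (m S^-1) S."""
    m_scrambled = decode(mat_mul([c], P)[0])
    return mat_mul([m_scrambled], S)[0]

def round_trip_ok():
    """True if every 4-bit message with every single-bit error decrypts under both schemes."""
    for bits in product((0, 1), repeat=4):
        m = list(bits)
        for pos in range(7):
            if decrypt(mceliece_encrypt(m, pos)) != m or decrypt(rao_nam_encrypt(m, pos)) != m:
                return False
    return True

if __name__ == "__main__":
    print("G' =", mat_mul(mat_mul(S_INV, G), P_INV))
    print("round trip:", "ok" if round_trip_ok() else "FAILED")
```

The receiver step is the same for both schemes because in each case c P strips the permutation and leaves a codeword of C plus an error of weight at most t; only the placement of P^{-1} (outside or inside the error addition) differs, exactly as the two equations state.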

Both public-key and private-key algebraic-code cryptosystems require large binary matrices as keys. For example, McEliece's scheme suggested the use of a (524 × 524) nonsingular matrix, a (524 × 1024) generator matrix, and a (1024 × 1024) permutation matrix as keys. In the Rao-Nam scheme, a (64 × 64) nonsingular matrix, a (64 × 72) generator matrix, and a (72 × 72) permutation matrix were suggested. If these matrices are used directly as keys, over 2 × 10^6 bits are required for each user in McEliece's scheme, and over 18 × 10^3 bits are needed for each pair of users in the Rao-Nam scheme. However, these matrices can be specified by a short sequence of bits (called the seed or key seed).

The authors of this paper wish to thank the anonymous referees for their useful comments and suggestions.

While too short a key cannot provide security, a long key (as required for algebraic-code cryptosystems) is rather cumbersome and needs large storage space. Moreover, a long key does not necessarily provide a high level of security. There may be shortcuts which allow successful cryptanalysis in much less time than is required by exhaustive search on the key space [3]. In order to make algebraic-code cryptosystems (both public-key and private-key) more practical, the long-key problem has to be solved.

As a standard for private-key cryptosystems, the Data Encryption Standard (DES) uses a 56-bit key [4]. However, it is argued that with the advances in technology the key size of DES may soon have to be increased to 112 bits [5]. If we assume that a key size of 100 bits is appropriate, then in algebraic-code cryptosystems some efficient algorithms are required to generate a binary matrix key set from a short key seed, e.g., to generate a matrix key set of size nearly 2^100 from a 100-bit key seed.

An intuitive method is to use a data compression technique to compress these key matrices into short keys. However, a generalized data compression scheme cannot control the length of these short keys and, besides, the result of this compression is usually larger than what is needed. For example, the total number of 1024 × 1024 permutation matrices is 1024!. The shortest sequence to represent a 1024 × 1024 permutation matrix is at least log_2(1024!) bits, where

log_2(1024!) = log_2 1 + log_2 2 + ... + log_2 1024 ≥ ∫_1^1024 log_2 x dx = 9215,

which is too large to be a key.

In these algebraic-code cryptosystems, both the nonsingular and permutation matrices are all held in secret. Therefore, even if the structure of these matrices reveals the key seed, there is no harm to the security of the system. The simplicity and efficiency of the algorithms will be our main concern.

2. DOUBLE-ONE (DBO) MATRICES AND THEIR PROPERTIES

DEFINITION 2.1. An n × n square matrix over GF(2) is called a double-one (DBO) matrix if each column and each row of the matrix contains exactly two 1's.

DEFINITION 2.2. A double-one matrix is called a TYPE 1 double-one (DBO-1) matrix if all 1's in the matrix can be connected in a unique cycle in either the column or the row direction (see Figure 1).

    1 0 1 0
    0 1 1 0
    1 0 0 1
    0 1 0 1

Figure 1. A DBO-1 matrix for n = 4; all 1's form a cycle: (1,1) → (3,1) → (3,4) → (4,4) → (4,2) → (2,2) → (2,3) → (1,3) → (1,1), where (i,j) denotes the entry of the ith row and the jth column of the matrix.

DEFINITION 2.3. A double-one matrix is called a TYPE 2 double-one (DBO-2) matrix if it is not a DBO-1 matrix (see Figure 2).

    1 0 1 0
    0 1 0 1
    0 1 0 1
    1 0 1 0

Figure 2. A DBO-2 matrix for n = 4; all 1's form two cycles: (1,1) → (4,1) → (4,3) → (1,3) → (1,1) and (2,2) → (3,2) → (3,4) → (2,4) → (2,2).

DEFINITION 2.4. The distance of two matrices over GF(2) with the same size is the number of entries with different values in the corresponding positions of both matrices. For example: the distance of the two matrices shown is 4.

LEMMA 1. DBO-1 matrices exist for n ≥ 2 and DBO-2 matrices exist for n ≥ 4.

PROOF. According to Definitions 2.1 and 2.2, it is easy to find that the only DBO-1 matrix for n = 2 is

    1 1
    1 1

For a DBO-2 matrix, there exist at least two cycles. Every cycle contains at least four 1's. So, the smallest size n of a DBO-2 matrix is 2 · 4/2 = 4. ∎

LEMMA 2. For a square matrix of size n, the total number of DBO-1 matrices is (n/2)[(n − 1)!]^2.

PROOF. Starting from the 1st row, assume positions i and j are selected for the 1's. Obviously, there are C(n,2) choices. Next, we select one position from the ith column to put another "1" such that the ith column has double 1's. There are n − 1 choices. Suppose (k,i) is the position selected. Then, we need to select one position from the kth row to put another "1" such that the kth row has double 1's. There are n − 2 choices. Repeat this process continuously until a DBO-1 matrix is obtained. The total number of ways to obtain a DBO-1 matrix can be computed by:

C(n,2) × (n − 1) × (n − 2) × (n − 2) × (n − 3) × (n − 3) × ... × 2 × 2 × 1 × 1 × 1 = (n/2)[(n − 1)!]^2. ∎
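Lemmas 1 and 2 can be checked by brute force for small n. The following is an added example written for this rewrite, not code from the paper: it enumerates every n × n DBO matrix as a choice of two column positions per row, traces the cycles formed by the 1's to tell DBO-1 from DBO-2, and compares the DBO-1 count with (n/2)[(n − 1)!]^2, the value the product in the proof evaluates to. The function names are chosen here.

```python
from itertools import combinations, product
from math import factorial

def all_dbo_matrices(n):
    """Every n x n matrix over GF(2) with exactly two 1's in each row and column,
    enumerated as a choice of two column positions per row (Definition 2.1)."""
    row_choices = list(combinations(range(n), 2))
    for rows in product(row_choices, repeat=n):
        if all(sum(c in pair for pair in rows) == 2 for c in range(n)):
            yield [[int(c in pair) for c in range(n)] for pair in rows]

def cycle_count(M):
    """Number of cycles formed by the 1's of a DBO matrix when each 1 is joined
    to the other 1 in its row and the other 1 in its column (Definitions 2.2, 2.3)."""
    n = len(M)
    seen, cycles = set(), 0
    for start in range(n):
        if start in seen:
            continue
        cycles += 1
        row, col = start, M[start].index(1)          # enter the start row at its first 1
        while row not in seen:
            seen.add(row)
            col = next(c for c in range(n) if M[row][c] and c != col)   # other 1 in this row
            row = next(r for r in range(n) if M[r][col] and r != row)   # other 1 in that column
    return cycles

def count_by_type(n):
    """(number of DBO-1 matrices, number of DBO-2 matrices) of size n."""
    dbo1 = dbo2 = 0
    for M in all_dbo_matrices(n):
        if cycle_count(M) == 1:
            dbo1 += 1
        else:
            dbo2 += 1
    return dbo1, dbo2

def lemma_2_formula(n):
    """(n/2) [(n - 1)!]^2, the value of the product in the proof of Lemma 2."""
    return n * factorial(n - 1) ** 2 // 2

if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, count_by_type(n), lemma_2_formula(n))
```

For n = 2 and n = 3 every DBO matrix is DBO-1 (a second cycle needs at least four rows), and the first DBO-2 matrices appear at n = 4, as Lemma 1 states.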

LEMMA 3. All DBO matrices are singular matrices.

PROOF. For all n × n DBO matrices, if we add the first n − 1 rows to the last row, then the entries of the last row are all 0's. This is because there are exactly two 1's in each column. ∎

LEMMA 4. The rank of any n × n DBO-1 matrix is n − 1.

PROOF. Suppose M is an n × n DBO-1 matrix. For any (x_1, ..., x_n) in its null space, we have

M × (x_1, ..., x_n)^T = (0, ..., 0)^T.

It is easy to compute that (1, ..., 1) and (0, ..., 0) are the only solutions for the above equation because all 1's in M form a cycle. For example, in the matrix of Figure 1, if x_1 = 1, then x_3 = 1, and then x_2 = 1; if x_1 = 0, then x_3 = 0, and then x_2 = 0.

Therefore, {(0, ..., 0), (1, ..., 1)} is the null space and its dimension is 1. By an important result in linear algebra for any n × n matrix,

dim (row space) + dim (null space) = n,

so the rank of M is n − 1. ∎

THEOREM 5. Adding one "1" to any entry of an n × n DBO-1 matrix, the resulting matrix is a nonsingular matrix of rank n.

PROOF. Suppose M is the DBO-1 matrix and M* is the resulting matrix by adding "1" to the entry (j, k) of M. Consider the linear system

A × (x_1, ..., x_n)^T = (0, ..., 0)^T,

where the coefficient matrix A is the resulting matrix by taking out the jth row of M*. Similar to the proof of Lemma 4, we may obtain that (0, ..., 0), (1, ..., 1) are the only solutions for this system. Suppose the nonzero positions in the jth row of M are (j, k_1), (j, k_2). Now, consider the system M* × (x_1, ..., x_n)^T = (0, ..., 0)^T. It has one more condition, x_{k_1} + x_{k_2} + x_k = 0, than A × (x_1, ..., x_n)^T = (0, ..., 0)^T. Thus, the only possible solution is x_{k_1} = x_{k_2} = x_k = 0. Hence, (0, ..., 0) is the only solution for this system, and we obtain dim (null space of M*) = 0 and the rank of M* is n. ∎

3. ALGORITHMS FOR LARGE NONSINGULAR MATRICES S AND S^{-1}

Based on Theorem 5, we construct an algorithm to efficiently generate a large nonsingular matrix S from a relatively short key seed. The algorithm has a one-to-one mapping from the key to the nonsingular matrix.

ALGORITHM I. (Input: a seed-key k of length |k| < 2n − 4, e.g., 100-bit. Output: S, an n × n nonsingular matrix.)

Step 1: The seed-key k is used to specify a linear pseudo-random number generator with a one-to-one mapping from k to the random sequence (e.g., an LFSR [6]) to generate a random sequence of length 2n − 2 with 0's in the last two bits. (These random bits r_1 r_2 ... r_{2n−2} will be used to specify the locations of 1's in the DBO-1 matrix.)

Step 2: Starting from an n × n zero matrix, fill the entry (1,1) with a "1," and lock the 1st row such that the entries of the row cannot be changed; let (R_i, C_i) (0 ≤ i ≤ 2n − 1) be the index of the ith "1" filled in the matrix; (R_0, C_0) = (1,1); let (row, col) denote the index of the most recent "1" added to the matrix; (row, col) = (1,1).

Step 3: Repeat for i = 1, ..., 2n − 2
BEGIN
  IF i is even THEN /* Add 1 to the row */
  BEGIN
    Invert the (r_i + 1)th (note 1 + 1 = 2) available (unlocked) 0 (from left to right) in the R_{i−1}th row, and lock the row;
    update (row, col); (R_i, C_i) = (row, col);
  END
  ELSE /* Add 1 to the column */
  BEGIN
    Invert the (r_i + 1)th (note 1 + 1 = 2) available (unlocked) 0 (from top to bottom) in the C_{i−1}th column, and lock the column;
    update (row, col); (R_i, C_i) = (row, col);
  END
END

Step 4: Unlock the first row, and invert the entry (1, C_{2n−2}); update (row, col); (R_{2n−1}, C_{2n−1}) = (row, col).

Step 5: Calculate p = (⌊k/n⌋ mod n) + 1; q = (k mod n) + 1, and add "1" into the entry (p, q) (note here 1 + 1 = 0). (Note: k is the integer value of the key seed.)

From Steps 1-4 of Algorithm I, we can construct an n × n DBO-1 matrix. Step 5 adds one "1" to this matrix. According to Theorem 5, the resulting matrix is indeed a nonsingular matrix. This proves the correctness of Algorithm I.

Obviously, the time complexity of Algorithm I is dominated by Step 3, which can be done in linear time. The array (R_i, C_i) recording the indices of the 1's in the newly constructed matrix will be used to construct its inverse later.

LEMMA 6. The distance of two distinct DBO matrices of the same dimension is at least 4.

PROOF. Let D_1 and D_2 be two distinct DBO matrices. We can find at least one entry (assume the (i, j) entry) in which both matrices have different values. In this case, the jth column in D_1 and D_2 must have at least two entries with different values because each column has two 1's. Similarly, for the ith row, excluding the (i, j) entry, we can find another entry (assume the (i, k) entry) with different values. Thus, the kth column in D_1 and D_2 has at least two entries with different values because each column has two 1's. Based on the above discussions, we have proved that the distance of D_1 and D_2 is at least 4. ∎

THEOREM 7. Algorithm I has a one-to-one mapping from the seed-key k to the nonsingular matrix.

PROOF. It is possible to find a pseudo-random number generator such that there exists a one-to-one mapping from the seed-key k (|k| bits) to a random sequence (2n − 2 bits with 0's in the last two bits) for |k| < 2n − 4. The random sequence is used to specify the locations of 1's in the DBO-1 matrix as described in Algorithm I. Now, what we need to show is that there exists a one-to-one mapping from the random sequence to a nonsingular matrix.

One-to-many mapping is impossible because Algorithm I is a deterministic algorithm. Assume that there exists a many-to-one mapping from random sequences to a nonsingular matrix. Let R_1, R_2 be two distinct random sequences which map to the same nonsingular matrix as follows:

R_1 = r_1 r_2 ... r_i ... r_{2n−2}   →(DBO-1)→   D_1   →(add one "1")→   S_1,
R_2 = r_1 r_2 ... r_i' ... r_{2n−2}  →(DBO-1)→   D_2   →(add one "1")→   S_2,

where the ith bit is the first distinct element in R_1 and R_2.

According to Algorithm I, the ith bit controls the (i + 1)th "1" filled in the row or column in which the ith "1" is located. Thus, this row (or column) of D_1 will be different from that of D_2 because r_i ≠ r_i'. Hence, D_1 is not equal to D_2. However, according to Lemma 6, any two distinct DBO-1 matrices with the same dimension have distance at least 4. Therefore, the distance between S_1 and S_2 is at least 2 (we change only one bit in D_1 to get S_1 and one bit in D_2 to get S_2). That is, S_1 ≠ S_2. This is a contradiction. Thus, Algorithm I is a one-to-one mapping from the random sequences to nonsingular matrices. ∎

LEMMA 8. If one "1" is added to the entry (p, q) of a DBO-1 matrix, then the entries of the qth row of its inverse S^{-1} are all 1's.

PROOF. Assume the qth row vector of S^{-1} is (q_1, q_2, ..., q_q, ..., q_n) and S = [S_1, S_2, ..., S_q, ..., S_n], where S_i is the ith column of S. Since S^{-1} · S = I,

(q_1 ... q_q ... q_n) · [S_1 ... S_q ... S_n] = (0, 0, ..., 1, ..., 0, 0).   (1)

Except S_q, which has either one or three 1's, each column vector of S has exactly two 1's. Therefore, q_1 = q_2 = ... = q_n = 1 is the only solution for (1). ∎

Due to the special structure of the DBO-1 matrix, S^{-1} can be computed easily as follows. The qth row of S^{-1} can be decided from Lemma 8. Assume that the entry (k, m) and the entry (k, q) of S are the only locations of 1's in the kth row. The mth row of S^{-1} can be determined from the kth row of the product S · S^{-1} = I, which is the sum of the mth and qth rows of S^{-1}: the mth row of S^{-1} equals the qth row (all 1's) with the kth entry inverted.

[Display: matrix S, matrix S^{-1}, identity matrix]

Similarly, the other rows of S^{-1} can be computed in this way. The following algorithm is constructed to generate S^{-1}.

ALGORITHM II. (Input: S, an n × n nonsingular matrix constructed by Algorithm I. Output: S^{-1}, the inverse matrix of S.)

Step 1: Obtain the arrays R = [R_0, R_1, ..., R_{2n−1}], C = [C_0, C_1, ..., C_{2n−1}] from Algorithm I; search the array C to find the least j such that C_j = q, 0 ≤ j ≤ 2n − 1.

Step 2: IF R_j = p THEN
BEGIN
  W = [W_1, W_2, ..., W_n] where W_i = R_{(j + 2i) mod 2n};
  L = [L_1, L_2, ..., L_n] where L_i = C_{(j + 2i) mod 2n};
END
ELSE
BEGIN
  W = [W_1, W_2, ..., W_n] where W_i = R_{(j + 1 − 2i) mod 2n};
  L = [L_1, L_2, ..., L_n] where L_i = C_{(j + 1 − 2i) mod 2n};
END

Step 3: Search the array W to find the m such that W_m = p (1 ≤ m ≤ n); let S^{-1} be an n × n empty matrix; set the L_1, ..., L_{m−1} rows of the matrix S^{-1} to 1's; set the L_m, ..., L_n rows of the matrix S^{-1} to 0's.

Step 4: Repeat for i = 1, ..., n
BEGIN
  Invert the unlocked entries of the W_i th column of S^{-1}; lock the L_i th row.
END

It is easy to see that the time complexity is dominated by Step 3, which can be done in O(n) n-bit word operations. In the following, we give an example to illustrate Algorithm II.

EXAMPLE 1. (n = 5.) Seed k = 01011 (5 bits) → random number generator → r = 10011000 (8 bits).

k = 01011_2 = 11_10, p = (⌊11/5⌋ mod 5) + 1 = 3, q = (11 mod 5) + 1 = 2,

R = [R_0, R_1, R_2, R_3, R_4, R_5, R_6, R_7, R_8, R_9] = [1, 3, 3, 2, 2, 5, 5, 4, 4, 1],

C = [C_0, C_1, C_2, C_3, C_4, C_5, C_6, C_7, C_8, C_9] = [1, 1, 2, 2, 4, 4, 3, 3, 5, 5],

W = [W_1, W_2, W_3, W_4, W_5] = [R_4, R_6, R_8, R_0, R_2] = [2, 5, 4, 1, 3],

L = [L_1, L_2, L_3, L_4, L_5] = [C_4, C_6, C_8, C_0, C_2] = [4, 3, 5, 1, 2].
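Algorithms I and II, as a worked implementation added here (not the authors' code), run on the data of Example 1 and on two further choices of (p, q). It assumes that the pseudo-random generator of Step 1 is replaced by passing the bit string r directly, and the names gf2_rank, algorithm_1, add_one, algorithm_2, run and example_1 are chosen for this example. The GF(2) rank of the DBO-1 matrix and of S is reported so that Lemma 4 and Theorem 5 can be checked alongside Lemma 8 (the qth row of S^{-1}) and the product S^{-1} S = I.

```python
def gf2_rank(mat):
    """Rank over GF(2) by Gaussian elimination on a copy of the rows."""
    rows = [row[:] for row in mat]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def algorithm_1(r_bits, n):
    """Steps 2-4 of Algorithm I: an n x n DBO-1 matrix from the 2n-2 bits
    r_1..r_{2n-2}.  Returns the matrix and the 1-based index arrays R, C."""
    assert len(r_bits) == 2 * n - 2 and r_bits[-2:] == [0, 0]
    M = [[0] * n for _ in range(n)]
    M[0][0] = 1                                   # Step 2: entry (1,1), row 1 locked
    locked_rows, locked_cols = {0}, set()
    R, C = [1], [1]                               # (R_0, C_0) = (1, 1)
    row = col = 0
    for i, r in enumerate(r_bits, start=1):       # Step 3
        if i % 2 == 1:                            # odd i: add a 1 to column C_{i-1}
            avail = [x for x in range(n) if x not in locked_rows]
            row = avail[r]                        # the (r_i + 1)-th unlocked 0, top-down
            locked_cols.add(col)
        else:                                     # even i: add a 1 to row R_{i-1}
            avail = [x for x in range(n) if x not in locked_cols]
            col = avail[r]                        # the (r_i + 1)-th unlocked 0, left-right
            locked_rows.add(row)
        M[row][col] = 1
        R.append(row + 1)
        C.append(col + 1)
    M[0][col] = 1                                 # Step 4: close the cycle at (1, C_{2n-2})
    R.append(1)
    C.append(col + 1)
    return M, R, C

def add_one(M, p, q):
    """Step 5: add a single 1 at the 1-based entry (p, q), with 1 + 1 = 0."""
    S = [row[:] for row in M]
    S[p - 1][q - 1] ^= 1
    return S

def algorithm_2(R, C, p, q, n):
    """Algorithm II: S^-1 from the index arrays of Algorithm I and (p, q)."""
    j = C.index(q)                                # Step 1: least j with C_j = q
    forward = R[j] == p                           # Step 2: direction of the traversal
    idx = [(j + (0 if forward else 1) + (2 if forward else -2) * i) % (2 * n)
           for i in range(1, n + 1)]
    W = [R[t] for t in idx]
    L = [C[t] for t in idx]
    m = W.index(p) + 1                            # Step 3: W_m = p
    S_inv = [[0] * n for _ in range(n)]
    for t in L[:m - 1]:
        S_inv[t - 1] = [1] * n                    # rows L_1..L_{m-1} start as all 1's
    locked = set()
    for w, l in zip(W, L):                        # Step 4
        for rr in range(n):
            if rr not in locked:
                S_inv[rr][w - 1] ^= 1             # invert unlocked entries of column W_i
        locked.add(l - 1)                         # lock row L_i
    return S_inv, W, L

def run(r_bits, n, p, q):
    """Algorithm I (with the added 1 at (p, q)) followed by Algorithm II."""
    M, R, C = algorithm_1(r_bits, n)
    S = add_one(M, p, q)
    S_inv, W, L = algorithm_2(R, C, p, q, n)
    prod = [[sum(S_inv[i][t] & S[t][j] for t in range(n)) & 1 for j in range(n)]
            for i in range(n)]
    return {"R": R, "C": C, "W": W, "L": L, "S": S, "S_inv": S_inv,
            "rank_M": gf2_rank(M), "rank_S": gf2_rank(S),
            "inverse_ok": prod == [[int(i == j) for j in range(n)] for i in range(n)],
            "row_q_all_ones": S_inv[q - 1] == [1] * n}

def example_1():
    """The paper's Example 1: n = 5, seed k = 01011 (= 11), r = 10011000."""
    n, k = 5, 0b01011
    p, q = (k // n) % n + 1, k % n + 1            # Step 5: p = 3, q = 2
    return run([1, 0, 0, 1, 1, 0, 0, 0], n, p, q)

if __name__ == "__main__":
    res = example_1()
    print("R =", res["R"], "C =", res["C"])
    print("W =", res["W"], "L =", res["L"])
    print("rank of DBO-1 matrix:", res["rank_M"], " rank of S:", res["rank_S"])
    print("S^-1 S = I:", res["inverse_ok"])
```

In Example 1 the added 1 lands on an existing 1, so column q of S has a single 1 and the traversal of Step 2 takes the THEN branch with m = n; calling run with (p, q) = (4, 2) instead puts a third 1 into column 2 and exercises the ELSE branch with m < n, where rows L_m, ..., L_n start from 0's.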

4. ALGORITHM FOR LARGE PERMUTATION MATRICES

A permutation matrix, which has exactly one "1" in each column and each row, can also be obtained from a DBO-1 matrix M by inverting the even positions of the 1's in the cycle of M, counting from any position. It is obvious that the resulting matrix has exactly one "1" in each column and row. Therefore, the algorithm for permutation matrices can be constructed by modifying Algorithm I as follows.

ALGORITHM III. (Input: a seed-key k. Output: an n × n permutation matrix.)

Step 1: The seed-key k is used to specify a pseudo-random number generator (e.g., an LFSR) to generate a random sequence of length n − 1 with a "0" in the last bit [6]. (These random bits r_1 r_2 ... r_{n−1} will be used to specify the locations of 1's in the permutation matrix. If |k| > n − 2, e.g., |k| = 100, n = 72, we can use multiple choices for r_i, e.g., let 0 ≤ r_i ≤ n − i, such that a one-to-one mapping from k to the random sequence is possible.)

Step 2: Starting from an n × n zero matrix, invert the entry (1,1); lock the 1st row; let (row, col) denote the index of the entry that was visited most recently; (row, col) = (1,1).

Step 3: Repeat for i = 1, ..., n − 1
BEGIN
  Find the 1st available (unlocked) entry (from top to bottom) in the (col)th column, and lock the column; update (row, col);
  invert the (r_i + 1)th (note 1 + 1 = 2) available (unlocked) entry (from left to right) in the (row)th row, and lock the row; update (row, col).
END

Notice that the time complexity of Algorithm III is O(n) n-bit word operations.
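Algorithm III as a worked implementation added here (not the paper's code). It assumes the pseudo-random generator is replaced by the digit list r_1 ... r_{n−1} passed in directly; seed_to_digits is a constructed mixed-radix expansion standing in for the paper's "multiple choices for r_i" when |k| > n − 2, and algorithm_3, is_permutation_matrix and distinct_matrices are names chosen for this example.

```python
from math import factorial

def algorithm_3(r_digits, n):
    """Steps 2-3 of Algorithm III: an n x n permutation matrix from the digits
    r_1..r_{n-1}; the paper's bit sequence is the special case r_i in {0, 1}."""
    assert len(r_digits) == n - 1 and r_digits[-1] == 0
    P = [[0] * n for _ in range(n)]
    P[0][0] = 1                                    # Step 2: invert (1,1), lock row 1
    locked_rows, locked_cols = {0}, set()
    row = col = 0
    for r in r_digits:                             # Step 3
        row = min(x for x in range(n) if x not in locked_rows)  # 1st unlocked entry of column col
        locked_cols.add(col)
        avail = [x for x in range(n) if x not in locked_cols]
        col = avail[r]                             # (r_i + 1)-th unlocked entry of that row
        P[row][col] = 1
        locked_rows.add(row)
    return P

def is_permutation_matrix(P):
    """Exactly one 1 in every row and every column."""
    n = len(P)
    return (all(sum(r) == 1 for r in P)
            and all(sum(P[i][j] for i in range(n)) == 1 for j in range(n)))

def seed_to_digits(k, n):
    """Constructed (not from the paper) mixed-radix expansion of an integer seed k:
    digit r_i ranges over the n - i columns still unlocked at step i, so every digit
    list is reachable and the map is one-to-one for 0 <= k < (n-1)!."""
    digits = []
    for i in range(1, n):
        base = n - i
        digits.append(k % base)
        k //= base
    assert k == 0, "seed too large for this n"
    return digits

def distinct_matrices(n):
    """Number of distinct permutation matrices produced over all seeds 0..(n-1)!-1."""
    return len({tuple(map(tuple, algorithm_3(seed_to_digits(k, n), n)))
                for k in range(factorial(n - 1))})

if __name__ == "__main__":
    for row in algorithm_3(seed_to_digits(11, 5), 5):
        print(row)
    print("distinct matrices for n = 5:", distinct_matrices(5))
```

Because Step 2 fixes the entry (1,1) and the column step always takes the first unlocked row, the rows are filled in order and the digits act as a Lehmer code over the remaining (n − 1)! arrangements; distinct_matrices(5) returns 24, so the map from digit lists to permutation matrices is one-to-one for that n.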

5. CONCLUSIONS

The conventional methods to obtain the inverse matrix of an n × n nonsingular matrix need O(n^2) vector operations [7,8]. Based on the newly defined class of matrices (the double-one matrices), we construct algorithms for generating large nonsingular matrix pairs and permutation matrices from a short seed in O(n) n-bit word operations. These algorithms provide a 1-1 mapping between the key values and the matrices. They are particularly useful in solving the long-key problem of algebraic-code cryptosystems. For the public-key algebraic-code cryptosystems, the generator matrix G can be recomputed by the receiver from the public key G' and the secret matrices S and P, by G = S G' P. Therefore, one may not have to construct a G based on a short seed. However, the problem of specifying the generator matrix from a short key seed for private-key algebraic-code cryptosystems still requires further research.

REFERENCES

1. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, DSN Progress Report 42-44, 114-116, JPL, Pasadena, CA (1978).

2. T.R.N. Rao and K.H. Nam, Private-key algebraic-code encryption, IEEE Trans. Inform. Theory 35 (4), 829-833 (July 1989).

3. W. Diffie and M.E. Hellman, Exhaustive cryptanalysis of the NBS data encryption standard, Computer 10 (6), 74-84 (June 1977).

4. Data encryption standard, FIPS PUB 46, National Bureau of Standards, Washington, DC (January 1977).

5. M.E. Hellman, DES will be totally insecure within ten years, IEEE Spectrum 16 (7), 32-39 (July 1979).

6. S.W. Golomb, Shift Register Sequences, Holden-Day, San Francisco, CA (1967).

7. A.V. Aho, J.E. Hopcroft and J.D. Ullman, The Design and Analysis of Computer Algorithms, Addison-Wesley, Reading, MA (1974).

8. T. Hwang, Secret error-correcting codes and algebraic-code cryptosystems, Ph.D. Dissertation, Univ. of SW Louisiana (Summer 1988).
