Next Article in Journal
A Bi-Level Vaccination Points Location Problem That Aims at Social Distancing and Equity for the Inhabitants
Next Article in Special Issue
Spectral Problem of the Hamiltonian in Quantum Mechanics without Reference to a Potential Function
Previous Article in Journal
Research on PDF Shape Control for Nonlinear Stochastic System Using an Approximate Solution of FPK Equation
Previous Article in Special Issue
Entanglement Dynamics Governed by Time-Dependent Quantum Generators
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

An IND-CPA Analysis of a Cryptosystem Based on Bivariate Polynomial Reconstruction Problem

1
Institute for Mathematical Research (INSPEM), Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia
2
Department of Mathematics and Statistics, Faculty of Science, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia
3
Faculty of Computing and Informatics, Multimedia University, Cyberjaya 63100, Selangor, Malaysia
4
Faculty of Engineering, Multimedia University, Cyberjaya 63100, Selangor, Malaysia
*
Authors to whom correspondence should be addressed.
These authors contributed equally to this work.
Axioms 2023, 12(3), 304; https://doi.org/10.3390/axioms12030304
Submission received: 10 December 2022 / Revised: 24 February 2023 / Accepted: 28 February 2023 / Published: 17 March 2023
(This article belongs to the Special Issue Computation Methods on Quantum Systems)

Abstract

:
The Polynomial Reconstruction Problem (PRP) was introduced in 1999 as a new hard problem in post-quantum cryptography. Augot and Finiasz were the first to design a cryptographic system based on a univariate PRP, which was published at Eurocrypt 2003 and was broken in 2004. In 2013, a bivariate PRP was proposed. The design is a modified version of Augot and Finiasz’s design. Our strategic method, comprising the modified Berlekamp–Welch algorithm and Coron strategies, allowed us to obtain certain secret parameters of the bivariate PRP. This finding resulted in us concluding that the bivariate PRP is not secure against Indistinguishable Chosen-Plaintext Attack (IND-CPA).

1. Introduction

The world of technology is evolving along with the last wall of defense of data security–cryptography. With the inevitable realization of the quantum computer, coupled with Shor’s algorithm, which can solve the Integer Factorization Problem (IFP) and the Discrete Logarithm Problem (DLP) in polynomial time, classical cryptographic schemes depending on such hard mathematical problems could be vulnerable to quantum computer attack and rendered insecure. Among such cryptographic algorithms are the popular RSA and Elliptic Curve Cryptosystem (ECC) [1,2,3,4]. In 2016, the National Institute of Standards and Technology (NIST) had made a call for quantum resistant algorithms [4].
In quantum cryptography, a cryptographic algorithm is secure against the attack of both quantum and classical computers [5]. The popular Quantum Algorithm Zoo website lists favorable hard mathematical problems that are thought to be quantum resistant [6]. The post-quantum cryptography goal is to create schemes that can be resistant to a quantum computer [7]. Therefore, it is important for researchers to investigate different hard problems to create new cryptographic schemes that are secure against the attack of a quantum computer and to keep current communication practices protected [8].
The Polynomial Reconstruction Problem (PRP) is one of the listed problems in [6]. It has the full complexity needed against quantum computers of O ( q ) , where q is a prime number of n-bits. The PRP was introduced in 1999 as a potential hard mathematical problem for cryptographic design. When compared to the Reed–Solomon error correcting codes, the PRP has some similarity related to its formulation [9]. Furthermore, the PRP has been broadly studied from the point of view of solvability and robustness. Among the reasons why the PRP is recommended as a hard mathematical problem, as mentioned in [10] is, firstly, some evidence that shows that the PRP can cope with the improvement of quantum computing. Secondly, this system has new advantages from the perspective of efficiency and cost effectiveness. Thirdly, the PRP uses simple matrix operations and other interesting components that might make it useful in cryptographic settings.
The PRP can be solved in polynomial time when the weight of error w is small enough, such that w n k 2 , where n is the number of elements in a vector and k is the degree of the polynomial. Guruswami and Sudan improved this to w n k n [11]. In 2003, Augot and Finiasz proposed a cryptosystem that utilizes the PRP [12]. We denote this cryptosystem as the AF-Cryptosystem. The AF-Cryptosystem utilizes two types of PRPs. The first PRP concerns the definition in [6]. The second PRP is a specially constructed PRP to ensure decryption. The second PRP, which we coin as the Augot and Finiasz Solvable PRP (AF-SPRP) is defined below.
Definition 1.
(Augot and Finiasz Solvable PRP) Given n, k, t and ( x i , y i ) i = 1 , , n , output any polynomial p such that d e g < k and p ( x i ) = y i for at least t values of i, where t = n w .
The AF-Cryptosystem utilizes a univariate polynomial [13,14]. The AF-SPRP as in Definition 1 ensures that decryption can occur. That is, when one is given t points on a Cartesian plane, one needs to output a polynomial that fits all the points. Parameter t represents the number of elements equal to 0 in the vector. To complete the decryption process, Lagrange interpolation is utilized.
In 2004, the AF-Cryptosystem was successfully cryptanalyzed by Coron, where Coron managed to obtain the plaintext in polynomial time [15]. Nevertheless, the idea to utilize a PRP for a cryptosystem is indeed tempting. In 2013, Ajeena et al. utilized bivariate polynomials and the Vandermonde matrix to put forward a new PRP-based cryptosystem [16]. We denote this cryptosystem as the AAK-Cryptosystem. The designers of the AAK-Cryptosystem claimed that increasing the number of variables increases the level of security and resistance against any attack.
Designers of cryptosystems usually claim the security of the design in terms of exponential time and memory needed for the attack [17]. It is an essential characteristic to verify the security of a cryptographic scheme [18]. At the same time, it must be noted that indistinguishability is also an essential characteristic for a cryptosystem that might be chosen to be used on a plaintext domain of non-exponential size. A design needs to be secure against Indistinguishable Chosen-Plaintext Attack (i.e., IND-CPA secure) in order to overcome an adversary having the capability to re-encrypt all possible plaintexts and make a comparison with the ciphertext.
A cryptosystem is IND-CPA secure if every Probabilistic Polynomial Time Adversary has a negligible “advantage” over random guessing. An IND-CPA-secure cryptosystem results in an adversary not being able to win the IND-CPA game with probability more than 1 2 + ε ( n ) , where ε ( n ) is a negligible function in security parameter n. To this end, this research on the AAK-Cryptosystem is to determine whether it is IND-CPA secure or not.
Our contribution: This paper puts forward an IND-CPA analysis of the AAK-Cryptosystem that is the extension of [19]. The motivation for this research originates from the cryptanalysis performed on the AF-Cryptosystem by Coron. We used the Berlekamp–Welch algorithm and created a modified Coron cryptanalysis strategy, and we prove that we can construct a list of possible candidates of the AAK-Cryptosystem secret key, α . As such, we can highlight that the AAK-Cryptosystem is not IND-CPA secure.
The outline of this paper is shown as follows: In Section 2, we describe fundamental knowledge about the PRP as well as the Vandermonde method and outline the AAK-Cryptosystem. We also put forward the definition of Indistinguishable under Chosen-Plaintext Attack (IND-CPA). Next, we describe our proposed attack on the AAK-Cryptosystem and provide a numerical illustration for this attack in Section 3. Finally, we conclude in Section 4.

2. Materials and Methods

This section presents the fundamentals of PRP, Vandermonde method, AAK-Cryptosystem and IND-CPA concept.

2.1. Polynomial Reconstruction Problem (PRP)

We begin by revising fundamental knowledge regarding the PRP. The PRP has been well known since the generalized Reed–Solomon list decoding problem was reduced to it [20,21]. The PRP also seems to be hard, which results in it being a potential source of a hard mathematical problems to establish a cryptosystem [22]. To fathom the PRP, we here put forward the definition of PRP sourced from [6].
Definition 2.
(Polynomial Reconstruction Problem from Quantum Zoo) Let p ( x ) = a k x k + + a 1 x + a 0 be a polynomial over finite field F q . One is given access to the oracle and query value of x i F q , where 1 i k + 1 and then outputs coefficients a k , , a 0 to determine p ( x ) .
When an oracle receives input x F q , it outputs p ( x ) . The objective of solving the PRP is to obtain coefficients a k , , a 0 [6]. Note that the value of k is unknown and input x is less than q. Classically, the queries that are required to determine the coefficients are k + 1 . In the case of univariate polynomials of degree k, the PRP has query complexity of O k + 1 k .

2.2. PRP Computational Complexity

The highest degree for p ( x ) is k and the number of coefficients in p ( x ) is k + 1 = q 1 ; this means that k = q 2 . Therefore,
O k + 1 k = O ( q 1 ) .
If q 2 n is exponentially large, it is impossible to query input x up to 2 n times. Hence, solving the PRP takes exponential time, which is O ( 2 n ) .

2.3. Vandermonde Method

The Vandermonde method is a method that is used to find an interpolating polynomial in two or more dimensions. Let us suppose that we have two dimensional points, ( x 1 , y 1 ) , ( x 2 , y 2 ) , , ( x n , y n ) and that we obtain polynomial values for each point, denoted by z 1 , z 2 , , z n , respectively. We want to find a bivariate polynomial of degree n 1 that fits all of these points. The step-by-step method is as follows:
  • Write the general formula of the bivariate polynomial of degree n 1 .
  • Evaluate the polynomial at points ( x 1 , y 1 ) , ( x 2 , y 2 ) , , ( x n , y n ) .
  • Solve the linear equation system.
The problem can easily be written as V · c = Z , where Z is the vector of z values and c is the coefficient vector. This method is utilized in the decryption process of the AAK-Cryptosystem.

2.4. AAK-Cryptosystem

Ajeena et al. [16] proposed a bivariate PRP cryptosystem as described below. Let n be the number of elements in the vector. The AAK-Cryptosystem takes into consideration the below parameters (Table 1).
Remark 1.
Value w represents the maximum number of elements not equal to 0 in a vector.
Remark 2.
Value n w represents the number of elements equal to 0 in a vector.
Utilizing the above parameters, ref. [16] constructed their cryptosystem with Algorithms 1–3.
Algorithm 1 Key Generation Process
Input: Parameters ( x i , y i , q , n , k , W , w )
Output: Public Key, P K and secret key pair ( C , E )
  • Alice secretly generates monic bivariate polynomial p ( X , Y ) of degree equal to k 1 with respect to X and Y and big error vector E with the weight of W.
  • Alice computes codeword C = e v ( p ( X , Y ) ) = p ( x i , y i ) where x i , y i F q and computes P K = C + E .
  • Output public key, PK secret key pair ( C , E ) .
Algorithm 2 Encryption Process
Input: Message, μ F q
Output: Ciphertext, C T
  • Bob wants to send a message polynomial μ ( X , Y ) with length k + 1 .
  • The message is encoded into a codeword μ by computing μ = e v ( μ ( X , Y ) ) = μ ( x i , y i ) .
  • Bob randomly generates α F q and small error vector e with the weight of w.
  • Bob computes ciphertext C T = μ + α × P K + e and sends the ciphertext to Alice.
Algorithm 3 Decryption Process
Input: Ciphertext, C T
Output: Message polynomial, μ ( X , Y )
  • For i, where E i = 0 , determine C T ¯ = μ ¯ + α × C ¯ + e ¯ .
  • Correct C T ¯ to obtain C T ˜ = μ ˜ + α × C ˜ .
  • Compute unique polynomial q ( X , Y ) of degree k 1 by using Vandermonde method.
  • Determine the leading coefficient q ( X , Y ) .
  • Compute μ ( X , Y ) = q ( X , Y ) α p ( X , Y ) .

Proof of Correctness

Proposition 1.
The AAK-Cryptosystem decryption algorithm is correct.
Proof of Proposition 1.
To show that from ciphertext CT, message μ ( x , y ) can be obtained, let us observe the following:
C T = μ + α × P K + e = μ + α × ( C + E ) + e .
Let us consider position E i = 0 . Let μ ¯ , C ¯ , e ¯ and C T ¯ correspond to shortened codes μ , C , e and CT, respectively. Now, ( 1 ) becomes
C T ¯ = μ ¯ + α × C ¯ + e ¯ .
By ( 2 ) , μ ¯ + α × C ¯ R S k ¯ . Provided that e has weight that is less than error correction capacity R S k ¯ , then C T ¯ can be corrected and μ ˜ + α × C ˜ can be found. Using the Vandermonde method, we compute the unique polynomial q ( x , y ) degree k 1 and
e v ( q ( x i , y i ) ) = μ i ˜ + α × C i ˜
for i { 1 , 2 , , n } . Since we know that e v ( q ( x i , y i ) ) = q ( x i , y i ) , C ˜ = e v ( p ( x i , y i ) ) = p ( x i , y i ) and μ ˜ = e v ( μ ( x i , y i ) ) = μ ( x i , y i ) ,
q ( x i , y i ) = μ ( x i , y i ) + α p ( x i , y i ) μ ( x i , y i ) = q ( x i , y i ) α p ( x i , y i ) .
With ( 4 ) , message μ ( x , y ) is obtained.    □

2.5. Indistinguishable under Chosen-Plaintext Attack (IND-CPA)

Every cryptosystem needs to have its basic security requirements analyzed, especially its indistinguishability characteristics, in order to avoid any attack to the cryptographic protocol [23]. Indistinguishable under Chosen-Plaintext Attack (IND-CPA) is a security notion for cryptosystems where a Probabilistic Polynomial Time Adversary (PPTA) communicates with a random oracle in a two-phase session, i.e., the learning and challenge phases [24]. IND-CPA is defined below.
Definition 3.
(Indistinguishable under Chosen-Plaintext Attack) The IND-CPA security model is defined by the following game between random oracle and PPTA:
  • The random oracle initializes a cryptographic scheme and generates ( P K , S K ) = G e n ( 1 n ) as well as choosing random b { 0 , 1 } and publishing public key P K , while secret key S K is kept secret.
  • The PPTA chooses two messages, μ 0 and μ 1 , and sends them to the random oracle.
  • The random oracle randomly chooses one out of the two messages and encrypts it; then, it sends ciphertext C = e n c ( μ b , P K ) to the PPTA.
  • The PPTA determines b . If b = b , then it outputs 1; else, 0.
A cryptosystem is Indistinguishable under Chosen-Plaintext Attack if for any PPTA, there exists a negligible function ε ( n ) such that
P r ( b = b ) 1 2 + ε ( n ) .
In other words, an IND-CPA-secure cryptosystem is a cryptosystem where any passive adversary that can eavesdrop in a communication between two parties cannot obtain any information about the encrypted message [25].

3. The Attack

In this section, we prove that the AAK-Cryptosystem is not IND-CPA secure. We also provide a numerical illustration.

3.1. Cryptanalysis of AAK-Cryptosystem

Theorem 1.
Let μ and e be as described in the AAK-Cryptosystem. If the adversary can correctly ascertain value μ + e , then given public key PK and ciphertext CT, the adversary can recover secret key α in polynomial time.
Proof of Theorem 1.
Let C T i , P K i and e i be vector elements in CT, PK and e, respectively. Let us recall that the vectors of ciphertext C T and public key P K are given by
C T i = μ ( x i , y i ) + α · P K i + e i 1 i n
and
P K i = C i + E i 1 i n .
We know that vector C is from the evaluation of polynomial p ( x i , y i ) . Based on [16], polynomial p ( x i , y i ) is a monic polynomial, and the highest power for this polynomial is up to k 1 with respect to both x and y. In addition, polynomial μ ( x i , y i ) must be of length k + 1 . Consider the following set of equations:
V , μ , α deg ( V ) k 1 , V 0 i , V ( x i , y i ) · ( C T i α × P K i ) = V ( x i , y i ) · μ ( x i , y i )
V , N , λ deg ( V ) k 1 , V 0 , deg ( N ) k 1 i , V ( x i , y i ) · ( C T i λ × P K i ) = N ( x i , y i )
From here, we can see that any solution ( 5 ) gives a solution to ( 6 ) , where one takes λ = α and N ( x i , y i ) = μ ( x i , y i ) · V ( x i , y i ) . For a given λ , Equation ( 6 ) gives 2 k 2 unknowns, which are the coefficients of polynomials V ( x i , y i ) and N ( x i , y i ) , where
V ( x i , y i ) = v k x i k 1 y i k 1 + + v 3 x i y i + v 2 x i + v 1 y i + v 0
N ( x i , y i ) = n k x i k 1 y i k 1 + + n 3 x i y i + n 2 x i + n 1 y i + n 0
and Y is the vector of coordinates
Y = ( v 0 , , v k 1 , n 0 , , n k 1 ) .
Next, a matrix M ( λ ) is created with the following entries:
M ( λ ) i , a , b = ( C T i λ · P K i ) · ( x i ) a · ( y i ) b
and
M ( λ ) i , a , b = ( x i ) a · ( y i ) b
where i { 1 , , n } , a { 0 , , k 1 } and b { 0 , , k 1 } in ( 7 ) and ( 8 ) . For the first half of columns of M ( λ ) , ( 7 ) is used, where a and b are the exponents of each monomial from polynomial p ( x , y ) . For the other half of columns of M ( λ ) , ( 8 ) is used, where a and b are also the exponents of each monomial from polynomial p ( x , y ) . Hence, M ( λ ) is either a rectangular matrix or a square matrix.
Then, we consider M ( λ ) with λ = 0 and use Gaussian elimination to compute the rank of matrix M ( 0 ) . Let us suppose that M ( λ ) has dimensions r × s . For rectangular matrix M ( λ ) , there are two cases:
(i)
When r > s , if rank M ( 0 ) = s , then there exists sub-square matrix M ( λ ) in M ( λ ) .
(ii)
When r < s , if rank M ( 0 ) = r , then there exists sub-square matrix M ( λ ) in M ( λ ) .
Using Equations (7) and (8), and with numerical input of public values ( x i , y i ) , we create M ( λ ) , where λ represents the possible value of α . By (7), which we use in the first half of columns of M ( λ ) , we have
M ( λ ) 1 , 0 , 0 = ( C T 1 λ · P K 1 ) · ( x 1 ) 0 · ( y 1 ) 0 = ( C T 1 λ · P K 1 )
M ( λ ) 1 , 1 , 0 = ( C T 1 λ · P K 1 ) · ( x 1 ) 1 · ( y 1 ) 0 = ( C T 1 λ · P K 1 ) · ( x 1 )
M ( λ ) 1 , 0 , 1 = ( C T 1 λ · P K 1 ) · ( x 0 ) 1 · ( y 1 ) 1 = ( C T 1 λ · P K 1 ) · ( x 1 ) · ( y 1 )
M ( λ ) n , k 1 , k 1 = ( C T n λ · P K n ) · ( x n ) k 1 · ( y n ) k 1
By (8), which we use in the second half of columns of M ( λ ) , we have
M ( λ ) 1 , 0 , 0 = ( x 1 ) 0 · ( y 1 ) 0 = 1 ( mod q )
M ( λ ) 1 , 1 , 0 = ( x 1 ) 1 · ( y 1 ) 0 = x 1 ( mod q )
M ( λ ) 1 , 0 , 1 = ( x 0 ) 1 · ( y 1 ) 1 = y 1 ( mod q )
M ( λ ) n , k 1 , k 1 = ( x n ) k 1 · ( y n ) k 1 ( mod q )
When we put these equations into matrix M ( λ ) , we have
M ( λ ) = ( C T 1 λ · P K 1 ) ( C T 1 λ · P K 1 ) · ( x 1 ) ( C T 1 λ · P K 1 ) · ( x 1 ) k 1 · ( y 1 ) k 1 1 x 1 y 1 ( x 1 ) k 1 · ( y 1 ) k 1 ( C T 2 λ · P K 2 ) ( C T 2 λ · P K 2 ) · ( x 2 ) ( C T 2 λ · P K 2 ) · ( x 2 ) k 1 · ( y 2 ) k 1 1 x 2 y 2 ( x 2 ) k 1 · ( y 2 ) k 1 ( C T n λ · P K n ) ( C T n λ · P K n ) · ( x n ) ( C T n λ · P K n ) · ( x n ) k 1 · ( y n ) k 1 1 x n y n ( x n ) k 1 · ( y n ) k 1 .
When Equations (7) and (8) are multiplied by V ( x i , y i ) and N ( x i , y i ) , respectively, we have
V ( x i , y i ) · M ( λ ) i , a , b = ( C T i λ · P K i ) · ( x i ) a · ( y i ) b · V ( x i , y i )
and
N ( x i , y i ) · M ( λ ) i , a , b = ( x i ) a · ( y i ) b · N ( x i , y i ) .
The summation of (10) and (11) is
( C T i λ · P K i ) · ( x i ) a · ( y i ) b · V ( x i , y i ) ( x i ) a · ( y i ) b · N ( x i , y i ) .
Since N ( x i , y i ) = μ ( x i , y i ) · V ( x i , y i ) , (11) becomes
( C T i λ · P K i ) · ( x i ) a · ( y i ) b · V ( x i , y i ) ( x i ) a · ( y i ) b · μ ( x i , y i ) · V ( x i , y i ) .
Equation (5) shows that V ( x i , y i ) · ( C T i α × P K i ) = V ( x i , y i ) · μ ( x i , y i ) and λ = α ; hence,
( x i ) a · ( y i ) b · μ ( x i , y i ) · V ( x i , y i ) ( x i ) a · ( y i ) b · μ ( x i , y i ) · V ( x i , y i ) = 0 .
As such, Y contains the coefficients of polynomials V ( x i , y i ) and N ( x i , y i ) , and if λ = α , there exists Y such that
M ( λ ) · Y = 0 , Y 0 .
If M ( λ ) is a square matrix and rank M ( 0 ) = r = s , then we take M ( λ ) as M ( λ ) to compute f ( λ ) = Det ( M ( λ ) ) . If M ( λ ) is a rectangular matrix, then we need to follow cases (i) and (ii) to find sub-square matrix M ( λ ) . Sub-square matrix M ( 0 ) is invertible when the determinant is not equal to 0. Next, we need to identify parameter λ from matrix M ( λ ) , which is constructed with relations (7) and (8). Given relation
M ( λ ) · Y = 0 ( mod q )
the chosen rows or columns in M ( λ ) can be arbitrary as long as the summation of (10) and (11) equals 0. Equation (15) shows a column matrix Y with entries not all equal to 0; then, Y corresponds to the nullspace of M ( λ ) . This means that M ( λ ) is non-invertible and its determinant is equal to 0. As such, λ can be determined from relation Det ( M ( λ ) ) = 0 . Hence, a solution of α must be a root for polynomial
f ( λ ) = Det ( M ( λ ) ) .
To this end, the degree of polynomial f ( λ ) is directly related to the number of columns containing λ in M ( λ ) . The maximum number of columns possible is given by relation n 2 . Note that n refers to the number of elements in the ciphertext ( C T ) vector. Let us observe that in order for the AAK-Cryptosystem to be practical, the number of elements in a vector cannot be exponentially large. Thus, the maximum number of roots is not exponentially large. Hence, if the adversary knows value μ + e , the adversary can test all possible values of α in polynomial time.    □

3.2. Algorithm for Theorem 1

The Algorithm 4 for Theorem 1 is shown below.
Algorithm 4 Listing all possible candidates of secret key α via Theorem 1
Input: Public key, P K and ciphertext, C T
Output: Secret key, α
  • Compute public key, P K = C + E .
  • Compute ciphertext, C T = μ + α × P K + e .
  • Construct matrix M ( λ ) :
  •    Compute first half column using M ( λ ) i , a , b = ( C T i λ · P K i ) · ( x i ) a · ( y i ) b .
  •    Compute second half column using M ( λ ) i , a , b = ( x i ) a · ( y i ) b .
  • Get [ m , n ] = M ( λ ) where m represents as number of rows and n represents as number of columns for matrix M ( λ ) .
  • Apply α = 0 to compute rank M ( 0 ) .
  • Do the following procedure:
  •    if  rank M ( 0 ) = m = n then take M ( λ ) as M ( λ )  end if
  •    if  rank M ( 0 ) = n then there exist sub square matrix M ( λ ) in M ( λ )  end if
  •    if  rank M ( 0 ) = m , then there exist sub square matrix M ( λ ) in M ( λ )  end if
  • for sub square M ( λ )  do
  •    Compute determinant, Det ( M ( λ ) ) .
  •    Solve f ( λ ) = Det ( M ( λ ) ) = 0 .
  •    List all roots of f ( λ ) . This list contains all possible candidates of the secret key α .

3.3. Numerical Illustration of Theorem 1

This section presents a numerical illustration of how to retrieve secret key α based on Theorem 1. Given n = 10 , k = 3 , w = 1 and W = 3 in F 11 , let x = ( 2 , 3 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 ) and y = ( 4 , 3 , 6 , 2 , 1 , 5 , 7 , 8 , 9 , 10 ) . We take private polynomial
p ( x , y ) = x 2 y + x y 2 + 3 x y + 5
and big error vector E,
E = ( 0 , 0 , 0 , 10 , 0 , 7 , 3 , 0 , 0 , 0 ) .
The public key is
P K = C + E
where C = e v ( p ( x , y ) ) . We compute C as follows:
p ( 2 , 4 ) = 0 , p ( 3 , 3 ) = 9 , p ( 3 , 6 ) = 1 , p ( 4 , 2 ) = 0 , p ( 5 , 1 ) = 6 ,
p ( 6 , 5 ) = 7 , p ( 7 , 7 ) = 2 , p ( 8 , 8 ) = 0 , p ( 9 , 9 ) = 1 , p ( 10 , 10 ) = 6 .
Therefore,
P K = C + E = ( 0 , 9 , 1 , 0 , 6 , 7 , 2 , 0 , 1 , 6 ) + ( 0 , 0 , 0 , 10 , 0 , 7 , 3 , 0 , 0 , 0 ) = ( 0 , 9 , 1 , 10 , 6 , 3 , 5 , 0 , 1 , 6 ) .
A message μ ( x , y ) = x y + 2 x + 4 y + 3 is encoded into codeword μ , where μ = e v ( m ( x , y ) ) . That is,
μ ( 2 , 4 ) = 9 , μ ( 3 , 3 ) = 8 , μ ( 3 , 6 ) = 7 , μ ( 4 , 2 ) = 5 , μ ( 5 , 1 ) = 0
μ ( 6 , 5 ) = 10 , μ ( 7 , 7 ) = 6 , μ ( 8 , 8 ) = 5 , μ ( 9 , 9 ) = 6 , μ ( 10 , 10 ) = 9 .
Therefore, we have
μ = ( 9 , 8 , 7 , 5 , 0 , 10 , 6 , 5 , 6 , 9 ) .
We choose private constant α = 3 F 11 and small error vector e, where
e = ( 0 , 0 , 0 , 0 , 0 , 7 , 0 , 0 , 0 , 0 )
of weight w = 1 . Ciphertext CT is
C T = μ + α × P K + e = ( 9 , 8 , 7 , 5 , 0 , 10 , 6 , 5 , 6 , 9 ) + 3 × ( 0 , 9 , 1 , 10 , 6 , 3 , 5 , 0 , 1 , 6 ) + ( 0 , 0 , 0 , 0 , 0 , 7 , 0 , 0 , 0 , 0 ) = ( 9 , 8 , 7 , 5 , 0 , 10 , 6 , 5 , 6 , 9 ) + ( 0 , 5 , 3 , 8 , 7 , 9 , 4 , 0 , 3 , 7 ) + ( 0 , 0 , 0 , 0 , 0 , 7 , 0 , 0 , 0 , 0 ) = ( 9 , 2 , 10 , 2 , 7 , 4 , 10 , 5 , 9 , 5 ) .
We now proceed to attack ciphertext C T . Let M ( λ ) be the matrix of the following system:
  • M ( λ ) i , a , b = ( C T i λ · P K i ) · ( x i ) a · ( y i ) b
  • M ( λ ) i , a , b = ( x i ) a · ( y i ) b
where i { 1 , , 10 } , a { 0 , 1 , 2 } and b { 0 , 1 , 2 } in ( 1 ) and ( 2 ) . For the first half of columns of matrix M ( λ ) , we use ( 1 ) . Hence, when i = 1 , a = 0 and b = 0 ,
M ( λ ) 1 , 0 , 0 = ( C T 1 λ · P K 1 ) · ( x 1 ) 0 · ( y 1 ) 0 = 9 λ · 0 = 9 .
When i = 5 , a = 1 and b = 1 ,
M ( λ ) 5 , 1 , 1 = ( C T 5 λ · P K 5 ) · ( x 5 ) 1 · ( y 5 ) 1 = ( 7 λ · 6 ) · 5 · 1 = 2 8 λ .
When i = 5 , a = 2 and b = 1 ,
M ( λ ) 5 , 2 , 1 = ( C T 5 λ · P K 5 ) · ( x 5 ) 2 · ( y 5 ) 1 = ( 7 λ · 6 ) · 5 2 · 1 1 = 10 7 λ .
For the second half of columns of matrix M ( λ ) , we use ( 2 ) . When i = 2 , a = 2 and b = 2 ,
M ( λ ) 2 , 2 , 2 = ( x 2 ) 2 · ( y 2 ) 2 = ( 3 2 ) · ( 3 2 ) = 7 .
When i = 2 , a = 2 and b = 1 ,
M ( λ ) 2 , 2 , 1 = ( x 2 ) 2 · ( y 2 ) 1 = ( 3 2 ) · ( 3 1 ) = 6 .
When all the entries in M ( λ ) have been calculated, see Appendix A. In Appendix A, we can see that the dimension of M ( λ ) is 10 × 18 . Next, we consider M ( λ ) with λ = 0 and apply Gaussian elimination to calculate the rank of matrix M ( 0 ) . The rank for matrix M ( 0 ) is 10, which, in this example case (ii), is applied, and we take columns 9 to 18 to be a sub-square matrix of M ( λ ) . Then, the sub-square matrix denoted by M ( λ ) is the matrix with dimensions 10 × 10 , as follows:
M ( λ ) = 4 10 7 6 9 3 1 7 6 2 8 3 λ 10 8 2 8 2 6 2 6 7 6 5 λ 10 5 8 8 4 2 2 1 6 7 2 λ 10 9 7 7 3 6 6 1 2 10 7 λ 10 10 10 6 6 6 8 8 8 3 5 λ 10 6 8 5 3 4 8 7 2 8 4 λ 10 4 6 4 6 9 6 9 8 9 10 3 2 3 2 5 2 5 7 1 5 λ 10 2 7 2 7 8 7 8 6 5 6 λ 10 1 10 1 10 1 10 1 10 .
Furthering the process, we calculate determinant f ( λ ) ,
f ( λ ) = det ( M ( λ ) ) = 74877540 λ 42937040 .
The highest degree of polynomial f ( λ ) is 1. This coincides with the fact that M ( λ ) has one column that contains λ . Upon computing f ( λ ) modulo q = 11 , we obtain the following:
f ( λ ) = λ 3 .
We take λ = 3 as the secret key. In line with Theorem 1, M ( 3 ) is indeed a non-invertible matrix. To see this fact, we compute column matrix Y, which is the nullspace of M ( 3 ) , respectively. Column matrix Y is given by
Y = 9 1 4 0 5 5 3 7 9 1 .
Let us observe that M ( 3 ) · Y = 0 .
Remark 3.
Let us assume that the adversary knows that
μ + e = ( 9 , 8 , 7 , 5 , 0 , 10 , 6 , 5 , 6 , 9 ) + ( 0 , 0 , 0 , 0 , 0 , 7 , 0 , 0 , 0 , 0 ) = ( 9 , 8 , 7 , 5 , 0 , 6 , 6 , 5 , 6 , 9 ) .
It is easy to see that the adversary can determine whether λ = 3 is the secret key or not. This can be illustrated as follows:
C T 3 × P K = ( 9 , 2 , 10 , 2 , 7 , 4 , 10 , 5 , 9 , 5 ) 3 × ( 0 , 9 , 1 , 10 , 6 , 3 , 5 , 0 , 1 , 6 ) = ( 9 , 8 , 7 , 5 , 0 , 6 , 6 , 5 , 6 , 9 ) .
Hence, λ = 3 is the correct value of α.
Remark 4.
At this point, when the adversary tries λ = 3 , it does not provide any constructive information upon his attempt to successfully cryptanalyze the ciphertext. This is clear because the adversary does not have Equation (18) at hand to make a comparison with (19). The usefulness of the above strategy can only be seen in the following section, IND-CPA on the AAK-Cryptosystem.

3.4. Indistinguishable under Chosen Plaintext Attack on AAK-Cryptosystem

This section proves that the AAK-Cryptosystem is not IND-CPA secure. Let us observe that within the AAK-Cryptosystem, the weight of small error vector e must be w < n k 2 . This means there are n w elements equal to 0 in small error vector e. Therefore, we can utilize this fact to prove that the AAK-Cryptosystem is not IND-CPA secure. The theorem for this attack is reported below.
Theorem 2.
If vector μ + e has been obtained, then the AAK-Cryptosystem is not IND-CPA secure.
Proof of Theorem 2.
The PPTA conducts the following:
  • It chooses two messages, μ 0 and μ 1 , in which identical elements do not share the same position in the vector and sends it to the random oracle.
  • The random oracle relays the ciphertext, where C T = μ b + α × P K + e .
  • It computes α based on Theorem 1.
  • It computes C T α × P K = μ b + e .
  • Since the PPTA knows about secret key α , the PPTA can check the μ b + e vector entry positions. Due to the fact that e has vector elements equal to 0 totaling n w , the PPTA can identify b.
Note that if the adversary chooses an incorrect root from f ( λ ) , it would result in an incorrect value of α . As such, C T α × P K would result in a meaningless vector to make a comparison with either μ 0 or μ 1 . The adversary would then just choose the next root available. Since the number of roots is not exponentially large, this process is feasible.
From here, we can see that the AAK-Cryptosystem is not IND-CPA secure, because the PPTA can guess which vector μ b is encrypted with P r ( b = b ) = 1 . Furthermore, on a side note, the PPTA can also distinguish vector e.    □

3.4.1. Algorithm for Theorem 2

The Algorithm 5 for Theorem 2 is shown below.
Algorithm 5 IND -CPA on the AAK-Cryptosystem using Theorem 2
Input: Messages pair ( μ 0 , μ 1 )
Output:b where b { 0 , 1 }
  • PPTA chooses 2 messages, ( μ 0 , μ 1 ) where identical elements do not share the same position in the vectors.
  • PPTA sends 2 messages to random oracle.
  • Random oracle chooses 1 message between ( μ 0 , μ 1 ) .
  • Random oracle encrypts the message and publishes C T = μ b + α × P K + e .
  • PPTA computes α .
  • PPTA computes C T α × P K = μ b + e .
  • PPTA check μ b + e with ( μ 0 , μ 1 ) to determine b.

3.4.2. Numerical Illustration of Theorem 2

This section presents a numerical illustration of IND-CPA on the AAK-Cryptosystem based on Theorem 2. Given n = 10 , k = 3 , w = 1 and W = 3 in F 11 , let x = ( 2 , 3 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 ) and y = ( 4 , 3 , 6 , 2 , 1 , 5 , 7 , 8 , 9 , 10 ) . We take the private key,
p ( x , y ) = x 2 y + x y 2 + 3 x y + 5
and big error vector E,
E = ( 0 , 0 , 0 , 10 , 0 , 7 , 3 , 0 , 0 , 0 ) .
The public key is:
P K = C + E
where C = e v ( p ( x , y ) ) ; hence,
p ( 2 , 4 ) = 0 , p ( 3 , 3 ) = 9 , p ( 3 , 6 ) = 1 , p ( 4 , 2 ) = 0 , p ( 5 , 1 ) = 6 ,
p ( 6 , 5 ) = 7 , p ( 7 , 7 ) = 2 , p ( 8 , 8 ) = 0 , p ( 9 , 9 ) = 1 , p ( 10 , 10 ) = 6 .
Therefore,
P K = C + E = ( 0 , 9 , 1 , 0 , 6 , 7 , 2 , 0 , 1 , 6 ) + ( 0 , 0 , 0 , 10 , 0 , 7 , 3 , 0 , 0 , 0 ) = ( 0 , 9 , 1 , 10 , 6 , 3 , 5 , 0 , 1 , 6 ) .
Two messages are chosen by the PPTA, μ 0 ( x , y ) = x y + 2 x + 4 y + 3 and μ 1 ( x , y ) = x y + 5 x + 8 y + 7 . These two messages are encoded into codewords μ 0 and μ 1 , respectively, where μ b = e v ( μ ( x , y ) ) for b { 0 , 1 } . For μ 0 ( x , y ) = x y + 2 x + 4 y + 3 , it is encoded as follows:
μ 0 ( 2 , 4 ) = 9 , μ 0 ( 3 , 3 ) = 8 , μ 0 ( 3 , 6 ) = 7 , μ 0 ( 4 , 2 ) = 5 , μ 0 ( 5 , 1 ) = 0 ,
μ 0 ( 6 , 5 ) = 10 , μ 0 ( 7 , 7 ) = 6 , μ 0 ( 8 , 8 ) = 5 , μ 0 ( 9 , 9 ) = 6 , μ 0 ( 10 , 10 ) = 9 .
Then, we obtain μ 0 = ( 9 , 8 , 7 , 5 , 0 , 10 , 6 , 5 , 6 , 9 ) . For μ 1 ( x , y ) = x y + 5 x + 8 y + 7 , it is encoded as follows:
μ 1 ( 2 , 4 ) = 2 , μ 1 ( 3 , 3 ) = 0 , μ 1 ( 3 , 6 ) = 0 , μ 1 ( 4 , 2 ) = 7 , μ 1 ( 5 , 1 ) = 1 ,
μ 1 ( 6 , 5 ) = 8 , μ 1 ( 7 , 7 ) = 4 , μ 1 ( 8 , 8 ) = 10 , μ 1 ( 9 , 9 ) = 7 , μ 1 ( 10 , 10 ) = 6 .
Then, we obtain μ 1 = ( 2 , 0 , 0 , 7 , 1 , 8 , 4 , 10 , 7 , 6 ) . The PPTA must ensure that identical elements in the two message vectors do not share the same location. Next, the PPTA sends these two message vectors, ( μ 0 and μ 1 ) to the random oracle. The random oracle chooses one of the message vectors, encrypts it and publishes ciphertext CT, where
C T = μ b + α × P K + e = ( 9 , 2 , 10 , 2 , 7 , 4 , 10 , 5 , 9 , 5 ) .
Since the value of secret key α can be computed based on Theorem 1, the PPTA retrieves α = 3 . Next, the PPTA computes equation
C T α × P K = μ b + e
and obtains μ b + e = ( 9 , 8 , 7 , 5 , 0 , 6 , 6 , 5 , 6 , 9 ) . The PPTA can check the entry positions using Equation ( 19 ) . Finally, the PPTA can identify b from μ b + e , considering the fact that e has vector elements equal to 0 totaling n w . To this end, the PPTA can identify b = 0 with probability equal to one.

4. Discussion

This analysis shows that from M ( λ ) , we choose columns 9 to 18 to be our sub-square matrix M ( λ ) . In our study, we also observe that columns 7 to 16 also give the correct value of α , where the sub-square matrix is given as follows:
M 1 ( λ ) = 3 1 4 10 7 6 9 3 1 7 7 4 λ 10 λ 8 3 λ 10 8 2 8 2 6 2 2 9 λ 1 10 λ 6 5 λ 10 5 8 8 4 2 2 10 6 λ 9 λ 7 2 λ 10 9 7 7 3 6 6 10 7 λ 10 7 λ 10 7 λ 10 10 10 6 6 6 8 1 9 λ 5 λ 3 5 λ 10 6 8 5 3 4 8 6 3 λ 9 10 λ 8 4 λ 10 4 6 4 6 9 6 1 8 9 10 3 2 3 2 5 2 3 4 λ 5 3 λ 1 5 λ 10 2 7 2 7 8 7 5 6 λ 6 5 λ 5 6 λ 10 1 10 1 10 1 10 .
Then, the determinant for M 1 ( λ ) , where f 1 ( λ ) = det ( M 1 ( λ ) ) , is
f 1 ( λ ) = det ( M 1 ( λ ) ) = 21483650 λ 3 + 136151740 λ 2 + 72625310 λ + 44956500 .
The highest degree of polynomial f 1 ( λ ) is 3. This coincides with the fact that M 1 ( λ ) has three columns that contain λ . Upon computing f 1 ( λ ) modulo q = 11 , we obtain the following:
f 1 ( λ ) = 10 ( λ 2 + 4 λ + 2 ) ( λ 3 ) .
When λ = 3 , determinants f ( λ ) and f 1 ( λ ) are 0. From the analysis performed above, we can see that from determinant f ( λ ) , we can obtain a set of λ , where one of them is the correct value of α . In order to determine which root is the correct value of α , we need to compute C T α × P K = μ + e . We know that the weight of small error e must be n k 2 , which gives us the information about the zero elements in e. Next, if λ α , then vector C T λ × P K does not provide any significant information about the message. Hence, this cryptanalysis presents a good outcome, where secret key α can be determined. Therefore, this shows that the AAK-Cryptosystem is not IND-CPA secure.

5. Conclusions

In this research study, we present an algebraic cryptanalysis of an AAK-Cryptosystem as described in [16]. This attack is resourced from strategies found in [15]. In this paper, we proved that we managed to form a list of possible values of the secret key, α . Furthering our analysis, we were able to prove that the AAK-Cryptosystem is not IND-CPA secure. As such, the AAK-Cryptosystem, as outlined in [16], is not suitable for utilization upon a set of plaintexts originating from a domain of non-exponential size.

Author Contributions

Conceptualization, S.N.Y. and M.R.K.A.; methodology, S.N.Y., M.R.K.A., T.S.C.L. and N.R.S.; validation, M.R.K.A.; formal analysis, S.N.Y.; investigation, S.N.Y., M.R.K.A., T.S.C.L. and N.R.S.; resources, M.R.K.A.; writing—original draft preparation, S.N.Y.; writing—review and editing, S.N.Y., M.R.K.A., T.S.C.L., N.R.S., S.-C.Y. and T.T.V.Y.; visualization, S.N.Y., M.R.K.A., T.S.C.L., N.R.S., S.-C.Y. and T.T.V.Y.; supervision, M.R.K.A.; project administration, M.R.K.A.; funding acquisition, T.S.C.L., S.-C.Y., T.T.V.Y. and M.R.K.A. All authors have read and agreed to the published version of the manuscript.

Funding

The research was supported by the Ministry of Higher Education Malaysia through the Fundamental Research Grant Scheme (FRGS/1/2019/STG06/UPM/02/8). It was also partially supported by the Mediterranea Universiti of Reggio Calabria (UNIRC) Research Grant (UPM/INSPEM/ 700-3/1/GERAN ANTARABANGSA/6380071–10065). The results of Terry Shue Chien Lau were supported by the MMU Postdoc (MMUI/220141).

Data Availability Statement

Not applicable.

Acknowledgments

The first author would like to further express appreciation to Institute for Mathematical Research (INSPEM), Universiti Putra Malaysia (UPM) and Ministry of Higher Education (MOHE) for giving the opportunity to conduct this research.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
PRPPolynomial Reconstruction Problem
IND-CPAIndistinguishable under Chosen Plaintext Attack
PPTAProbabilistic Polynomial Time Adversary

Appendix A

Full matrix M ( λ ) for numerical illustration of Theorem 1:
M ( λ ) = 9 3 1 7 6 2 3 1 4 10 7 6 9 3 1 7 6 2 2 9 λ 6 5 λ 7 4 λ 6 5 λ 7 4 λ 10 λ 7 4 λ 10 λ 8 3 λ 10 8 2 8 2 6 2 6 7 10 λ 5 6 λ 8 3 λ 8 3 λ 4 7 λ 2 9 λ 2 9 λ 1 10 λ 6 5 λ 10 5 8 8 4 2 2 1 6 2 10 λ 4 9 λ 8 7 λ 8 7 λ 5 3 λ 10 6 λ 10 6 λ 9 λ 7 2 λ 10 9 7 7 3 6 6 1 2 7 6 λ 7 6 λ 7 6 λ 2 8 λ 2 8 λ 2 8 λ 10 7 λ 10 7 λ 10 7 λ 10 10 10 6 6 6 8 8 8 4 3 λ 9 4 λ 1 9 λ 2 7 λ 10 2 λ 6 10 λ 1 9 λ 5 λ 3 5 λ 10 6 8 5 3 4 8 7 2 10 5 λ 4 2 λ 6 3 λ 4 2 λ 6 3 λ 9 10 λ 6 3 λ 9 10 λ 8 4 λ 10 4 6 4 6 9 6 9 8 5 7 1 7 1 8 1 8 9 10 3 2 3 2 5 2 5 7 9 λ 4 9 λ 3 4 λ 4 9 λ 3 4 λ 5 3 λ 3 4 λ 5 3 λ 1 5 λ 10 2 7 2 7 8 7 8 6 5 6 λ 6 5 λ 5 6 λ 6 5 λ 5 6 λ 6 5 λ 5 6 λ 6 5 λ 5 6 λ 10 1 10 1 10 1 10 1 10 .

References

  1. Brassard, G.; Lutkenhaus, N.; Mor, T.; Sanders, B.C. Security Aspects of Practical Quantum Cryptography. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; pp. 289–299. [Google Scholar]
  2. Cambou, B.; Gowanlock, M.; Yildiz, B.; Ghanaimiandoab, D.; Lee, K.; Nelson, S.; Philabaum, C.; Stenberg, A.; Wright, J. Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions. Appl. Sci. 2021, 11, 2801. [Google Scholar] [CrossRef]
  3. Shor, P.W. Algorithms for Quantum Computation: Discrete Logarithms and Factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar]
  4. Song, B.; Zhao, Y. Provably Secure Identity-Based Identification and Signature Schemes From Code Assumptions. PLoS ONE 2017, 12, e018289. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  5. Shi, J.; Chen, S.; Lu, Y.; Feng, Y.; Shi, R.; Yang, Y.; Li, J. An approach to cryptography based on continuous-variable quantum neural network. Sci. Rep. 2020, 10, 2107. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  6. Jordan, S. Quantum Algorithm Zoo. 2011. Available online: https://quantumalgorithmzoo.org/ (accessed on 5 January 2023).
  7. Gaborit, P.; Otmani, A.; Kalachi, H.T. Polynomial-Time Key Recovery Attack on the Faure–Loidreau Scheme Based on Gabidulin Codes. Des. Codes Cryptogr. 2018, 86, 1391–1403. [Google Scholar] [CrossRef] [Green Version]
  8. Imran, M.; Abideen, Z.U.; Pagliarini, S. An Experimental Study of Building Blocks of Lattice-Based NIST Post-Quantum Cryptographic Algorithms. Electronics 2020, 9, 1953. [Google Scholar] [CrossRef]
  9. Naor, M.; Pinkas, B. Oblivious Transfer and Polynomial Evaluation. In Proceedings of the Thirty-First Annual ACM Symposium on Theory of Computing, Atlanta, GA, USA, 1–4 May 1999; pp. 245–254. [Google Scholar]
  10. Kiayias, A.; Yung, M. Directions in Polynomial Reconstruction Based Cryptography. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2004, 87, 978–985. [Google Scholar]
  11. Guruswami, V.; Sudan, M. Improved decoding of Reed-Solomon and Algebraic-Geometry Codes. IEEE Trans. Inf. Theory 1999, 45, 1757–1767. [Google Scholar] [CrossRef] [Green Version]
  12. Augot, D.; Finiasz, M. A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003; pp. 229–240. [Google Scholar]
  13. Kiayias, A.; Yung, M. Polynomial Reconstruction Based Cryptography. In Proceedings of the International Workshop on Selected Areas in Cryptography, Toronto, ON, Canada, 16–17 August 2001; pp. 129–133. [Google Scholar]
  14. Kiayias, A.; Yung, M. Cryptanalyzing the Polynomial-Reconstruction Based Public-Key System under Optimal Parameter Choice. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Jeju, Republic of Korea, 5–9 December 2004; pp. 401–416. [Google Scholar]
  15. Coron, J.S. Cryptanalysis of a Public-Key Encryption Scheme Based on the Polynomial Reconstruction Problem. In Proceedings of the International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; pp. 14–27. [Google Scholar]
  16. Ajeena, R.K.; Kamarulhaili, H.; Almaliky, S.B. Bivariate Polynomials Public Key Encryption Schemes. Int. J. Cryptol. Res. 2013, 4, 73–83. [Google Scholar]
  17. Lin, C.Y.; Wu, J.L. Cryptanalysis and Improvement of a Chaotic Map-Based Image Encryption System Using Both Plaintext Related Permutation and Diffusion. Entropy 2020, 22, 589. [Google Scholar] [CrossRef] [PubMed]
  18. Kuwakado, H.; Morii, M. Quantum Distinguisher between the 3-Round Feistel Cipher and the Random Permutation. In Proceedings of the IEEE International Symposium on Information Theory, Austin, TX, USA, 13–18 June 2010; pp. 2682–2685. [Google Scholar]
  19. Yusof, S.N.; Kamel Ariffin, M.R. An Empirical Attack on a Polynomial Reconstruction Problem Potential Cryptosystem. Int. J. Cryptol. Res. 2021, 11, 31–48. [Google Scholar]
  20. Bleichenbacher, D.; Nguyen, P.Q. Noisy Polynomial Interpolation and Noisy Chinese Remaindering. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; Volume 1807, pp. 53–69. [Google Scholar]
  21. Sadkhan, S.B.; Ruma, K.H. Evaluation of Polynomial Reconstruction Problem using Lagrange Interpolation Method. In Proceedings of the 2006 2nd International Conference on Information and Communication Technologies, Damascus, Syria, 24–28 April 2006; Volume 1, pp. 1399–1403. [Google Scholar]
  22. Augot, D.; Finiasz, M.; Loidreau, P. Using the Trace Operator to Repair the Polynomial Reconstruction Based Cryptosystem Presented at Eurocrypt 2003. Int. Assoc. Cryptologic Res. 2003, 209. [Google Scholar]
  23. Zhu, S.; Han, Y. Generative Trapdoors for Public Key Cryptography Based on Automatic Entropy Optimization. China Commun. 2021, 18, 35–46. [Google Scholar] [CrossRef]
  24. Carstens, T.V.; Ebrahimi, E.; Tabia, G.N.; Unruh, D. On Quantum Indistinguishability Under Chosen Plaintext Attack. Int. Assoc. Cryptologic Res. 2020, 596. [Google Scholar]
  25. Abdalla, M.; Benhamouda, F.; Pointcheval, D. Public-Key Encryption Indistinguishable Under Plaintext-Checkable Attacks. IET Inf. Secur. 2016, 10, 288–303. [Google Scholar] [CrossRef] [Green Version]
Table 1. Parameters used in the AAK-Cryptosystem.
Table 1. Parameters used in the AAK-Cryptosystem.
ParameterRemark
XInput x i
YInput y i
F q Finite field with size q
nThe number of elements in a vector
kIts dimension
WThe weight of big error vector E when the PRP is hard, that is, W > n k 2 [16]
wThe weight of small error e, which results in the PRP being able to decrypt the ciphertext such that w n k 2 [15]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Yusof, S.N.; Kamel Ariffin, M.R.; Lau, T.S.C.; Salim, N.R.; Yip, S.-C.; Yap, T.T.V. An IND-CPA Analysis of a Cryptosystem Based on Bivariate Polynomial Reconstruction Problem. Axioms 2023, 12, 304. https://doi.org/10.3390/axioms12030304

AMA Style

Yusof SN, Kamel Ariffin MR, Lau TSC, Salim NR, Yip S-C, Yap TTV. An IND-CPA Analysis of a Cryptosystem Based on Bivariate Polynomial Reconstruction Problem. Axioms. 2023; 12(3):304. https://doi.org/10.3390/axioms12030304

Chicago/Turabian Style

Yusof, Siti Nabilah, Muhammad Rezal Kamel Ariffin, Terry Shue Chien Lau, Nur Raidah Salim, Sook-Chin Yip, and Timothy Tzen Vun Yap. 2023. "An IND-CPA Analysis of a Cryptosystem Based on Bivariate Polynomial Reconstruction Problem" Axioms 12, no. 3: 304. https://doi.org/10.3390/axioms12030304

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop