A failure in decryption process for bivariate polynomial reconstruction problem cryptosystem
Siti Nabilah Yusof, Muhammad Rezal Kamel Ariffin, Sook-Chin Yip, Terry Shue Chien Lau, Zahari Mahad, Ji-Jian Chin, Choo-Yee Ting

TL;DR
This paper identifies a decryption failure in a bivariate polynomial-based cryptosystem when errors exceed a certain threshold.
Contribution
The paper introduces a new upper bound to prevent decryption failure in bivariate polynomial reconstruction cryptosystems.
Findings
Decryption failure occurs when error weight exceeds the number of monomials in the secret polynomial.
An upper bound is established to avoid decryption failure in the cryptosystem.
Abstract
In 1999, the Polynomial Reconstruction Problem (PRP) was put forward as a new hard mathematics problem. A univariate PRP scheme by Augot and Finiasz was introduced at Eurocrypt in 2003, and this cryptosystem was fully cryptanalyzed in 2004. In 2013, a bivariate PRP cryptosystem was developed, which is a modified version of Augot and Finiasz's original work. This study describes a decryption failure that can occur in both cryptosystems. We demonstrate that when the error has a weight greater than the number of monomials in a secret polynomial, p, decryption failure can occur. The result of this study also determines the upper bound that should be applied to avoid decryption failure.
1 Introduction
A valid and secure cryptosystem can be designed from a good hard mathematical problem. Cryptography is an important mechanism in data security: a cryptographic algorithm makes communication possible in the presence of an adversary [8], [30]. Users' private data in embedded systems need to be protected and authenticated, and it is essential for users to ensure that the data they consume is valid [10], [28]. Shor's algorithm solves classical problems such as the integer factorization problem (IFP) and the discrete logarithm problem (DLP) in polynomial time, so a quantum computer can attack cryptosystems that rely on such problems [1], [3], [34]. Among the well-known cryptographic schemes that are algorithmically insecure in the post-quantum setting are RSA, El-Gamal, and the Elliptic Curve Cryptosystem [7], [22]. The National Institute of Standards and Technology (NIST) has called for a search for quantum-resistant algorithms [4], [11], [13], [33].
Hence, post-quantum cryptography is preferable for information security purposes. A post-quantum cryptographic algorithm is one that is believed to be secure against attack by a quantum computer [21]. Post-quantum cryptography consists of five major types: lattice-based, code-based, isogeny-based, hash-based and multivariate-based cryptography [9], [19]. The Quantum Algorithm Zoo website lists useful hard mathematical problems that may be immune to quantum computing attacks [20]. Thus, cryptographers must investigate diverse hard problems so that newly designed cryptosystems are safe from attack by quantum computers [18]. Evaluating the time complexity and memory requirements of an attack is how the safety of a cryptosystem is validated [26], [27].
The Quantum Algorithm Zoo introduced the PRP as a difficult mathematical problem in post-quantum cryptography [20]. The problem was introduced in 1999, when a formulation of PRP equivalent to decoding Reed-Solomon error-correcting codes was developed [6], [29], [31]. The problem also retains its full complexity against quantum computers, with complexity in which q is an n-bit prime. Besides that, a wide range of research on the PRP has been conducted on its solvability and robustness [25].
This problem can be easily solved if the error's weight, w, is at most . The parameter n represents the number of elements of the vector, while the parameter k represents the polynomial degree. This bound has since been improved to [16]. Augot and Finiasz suggested a univariate PRP cryptosystem in 2003, which we call the AF-Cryptosystem. A univariate polynomial is used in the AF-Cryptosystem [23], [24]. The AF-Cryptosystem applies two PRP types: the first PRP is defined in [20], and the second PRP is built to guarantee that the decryption process succeeds. The second PRP is denoted the Augot and Finiasz Solvable PRP (AF-SPRP), described below:
Definition 1 (Augot and Finiasz Solvable PRP). Given n, k, t and , output any polynomial p such that and for at least t values of i where .
Definition 1 is what makes decryption possible in the AF-Cryptosystem. Viewed on the Cartesian plane, if we obtain t points, we must produce a polynomial that passes through all of them, where t is the number of zero elements in the vector. The decryption process in the AF-Cryptosystem can be carried out using Lagrange interpolation.
Nevertheless, the AF-Cryptosystem was fully cryptanalyzed by Coron [12]. Next, a bivariate PRP cryptosystem was proposed in 2013 by Ajeena et al.; this cryptosystem is called the AAK-Cryptosystem [2]. The AAK-Cryptosystem is a modified version of the AF-Cryptosystem that uses a bivariate polynomial and the Vandermonde method. The creators of the AAK-Cryptosystem stated that increasing the number of variables improves the cryptosystem's security level.
Our contribution. In this paper, we analyze the decryption process for both cryptosystems, which differs from our published papers in [36], [37]. In those papers, we showed that the AAK-Cryptosystem is not indistinguishable under chosen plaintext attack (IND-CPA) secure and how to retrieve the private key from the AAK-Cryptosystem. Our findings in this paper indicate that decryption errors can occur in both cryptosystems if the weight of the big error vector E is greater than the number of monomials in the secret polynomial p.
Organization of the article. This paper's setup is as follows: in Section 2, we put forward the fundamentals of PRP, Lagrange interpolation, and Vandermonde method and outline both AF-Cryptosystem and AAK-Cryptosystem. In Section 3, we explain our propositions for decryption failure in both cryptosystems and give an example for this analysis. Finally, we discuss our result in Section 4 and we conclude our findings in Section 5.
2 Materials and methods
This section explains the fundamental knowledge about PRP, Lagrange interpolation, Vandermonde method, AF-Cryptosystem and AAK-Cryptosystem.
2.1 PRP
The PRP became known when the generalized Reed-Solomon list decoding problem was reduced to it [32]. Next, we describe the PRP based on [20], as shown below:
Definition 2 (PRP from Quantum Zoo). Let be a polynomial over the finite field . One is given access to the oracle and queries the value of where ; then output the coefficients to determine .
Definition 2 shows that when the oracle is given the input , it outputs . This provides us with the coefficients [20]. Classically, we need queries to identify all the coefficients. Therefore, the query complexity of PRP for a univariate polynomial of degree k is .
2.2 Computational complexity of PRP
We know that has a degree equal to k, and contains coefficients, equivalent to , hence . Thus,
It is impractical for us to query input x if is exponentially large. This shows that solving PRP would take exponential time, which is .
2.3 Lagrange interpolation
The Lagrange interpolation method identifies a polynomial from the observed value at each observed point. Lagrange interpolation is regularly used in cryptography for secret sharing and coding computations [14]. In Lagrange interpolation we are given n real values and , and output a polynomial p with real coefficients that satisfies where [17]. Polynomial p must have degree less than the number of values, where . The nth-order Lagrange interpolation formula is as follows,
The AF-Cryptosystem uses Lagrange interpolation in the decryption process.
2.4 Vandermonde method
An interpolation polynomial in two or more dimensions is determined using the Vandermonde method. Given points in two variables where , one must obtain, for each point, the corresponding polynomial value . A two-variable polynomial of degree can be obtained using the following steps,
1. Write down the general form of a two-variable polynomial of the required degree.
2. Evaluate the polynomial at the given points.
3. Solve the resulting system of linear equations.
The problem can be presented in the form , where V is a Vandermonde matrix of dimension , also known as the coefficient matrix [15], [35]. The vector Z contains the z values, while c is the coefficient vector. The AAK-Cryptosystem applies the Vandermonde method in the decryption process.
2.5 AF-Cryptosystem
Augot and Finiasz introduced the univariate PRP cryptosystem described below [5]. Here n is the number of elements in the vector, and the AF-Cryptosystem uses the parameters in Table 1.

Table 1. Parameters.
Parameter | Remark
          | A finite field of size q
n         | The number of elements in the vector
k         | Its dimension
W         | The weight of the big error vector E, where PRP is hard when [2]
w         | The weight of the small error vector e, which enables the PRP to decrypt the ciphertext when [12]

Remark 1. The parameter w is the vector's maximum number of nonzero elements.
Remark 2. The parameter is the number of zero elements of the vector. The proposed AF-Cryptosystem is as follows:
Algorithm 1. Key generation process.
Algorithm 2. Encryption process.
Algorithm 3. Decryption process.
2.5.1 Proof of correctness
Proposition 1. The message polynomial can be obtained through the decryption algorithm of the AF-Cryptosystem.
Proof. Refer to Appendix A. □
2.6 AAK-Cryptosystem
The AF-Cryptosystem was modified by Ajeena et al. to create the bivariate PRP cryptosystem described below [2]. The AAK-Cryptosystem uses the parameters in Table 1. The proposed modified cryptosystem is as follows:
Algorithm 4. Key generation process.
Algorithm 5. Encryption process.
Algorithm 6. Decryption process.
2.6.1 Proof of correctness
Proposition 2. The decryption algorithm of the AAK-Cryptosystem is correct.
Proof. Refer to Appendix B. □
3 The decryption failure
This section explains how decryption failure can occur in the AF-Cryptosystem and AAK-Cryptosystem. A numerical illustration is also provided.
3.1 Decryption failure in AF-Cryptosystem
Proposition 3. If the weight of the nonzero elements in the big error E is , then the decryption process in the AF-Cryptosystem cannot succeed.
Proof. Refer to Appendix C. □
3.1.1 Numerical illustration for Proposition 3
In this section, in line with Proposition 3, we put forward a numerical example in which the system owner incorrectly sets the system parameters such that , leaving the system owner unable to decrypt the ciphertext.
Example 1. Let , , and in . Given . We start with the key generation process by taking the private polynomial,
and big error vector E,
The public key is:
Vector C is obtained by the evaluation of where:
Hence, . Then, compute PK as follows,
Next, in the encryption process, we evaluate the codeword μ, shown as follows,
Thus, we have
Next, we generate a constant and a small error vector, e where
Observe that the weight of the small error vector is . Then, the CT is:
In the decryption process, based on the AF-Cryptosystem, we need to consider the positions of the zero elements in E, where . From E, we have
Therefore, we obtain two shadows . Next, Lagrange interpolation is applied to find . The degree of the polynomial must be . From , we have
Hence, the unique polynomial is as follows,
As we can see here, has degree 1, which is smaller than . Therefore, we cannot identify because is too small. Hence, the decryption process fails.
3.2 Decryption failure in AAK-Cryptosystem
This section presents the scenario in which the decryption process of the AAK-Cryptosystem fails. A larger W makes it difficult to determine the message polynomial, .
Proposition 4. If the weight of the nonzero elements in the big error E is larger than the number of monomials of the secret polynomial , then the decryption process in the AAK-Cryptosystem cannot succeed.
Proof. Refer to Appendix D. □
3.2.1 Numerical illustration of Proposition 4
In this section, in line with Proposition 4, we put forward a numerical example in which the system owner incorrectly sets the system parameters such that , leaving the system owner unable to decrypt the ciphertext.
Example 2. Let , , and in . Given and . We start with the key generation process by taking the secret polynomial,
and big error vector E,
The public key is:
Vector C is obtained by evaluating , shown below:
Thus, . Then, the PK is as follows,
Next, in the encryption process, we evaluate the codeword μ, shown as follows,
Hence, we obtain
Next, we generate a secret value and a small error vector, e such that
Observe that the weight of the small error vector is . Then, CT is:
In the decryption process, based on the AAK-Cryptosystem, we need to consider the positions of the zero elements in E, where . From E we have
Thus, we have three shadows . The next step is to find a unique polynomial using the Vandermonde method. Polynomial must have degree in X and in Y. Letting , we have,
We need to determine the coefficients of using Gaussian elimination,
Then, the system of equations is
As we can see here, the system shows that is a free variable, so the solution is not unique. Hence, we cannot identify . From , we have insufficient information to identify the unique polynomial . Hence, decryption cannot be done.
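The shadow-count check behind Example 1 and Example 2, as an added illustration that is not from the paper: the receiver keeps only the positions where the big error E is zero, builds the Vandermonde rows of the secret polynomial's monomials at those points over GF(q), and obtains a unique polynomial only when that matrix has full column rank. All parameters below (q = 7, the evaluation points, the monomial sets and the error vectors) are constructed for the demonstration; the bivariate monomial set X^i Y^j with i, j in {0, 1} is an assumption about the degree bound, not the paper's own parameters.

```python
from itertools import product


def rank_mod_prime(rows, q):
    """Rank of an integer matrix over GF(q) via Gaussian elimination (q prime, assumed)."""
    m = [[v % q for v in r] for r in rows]
    rank = 0
    for c in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if pivot is None:
            continue                      # column already dependent: no new pivot
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][c], q - 2, q)   # field inverse by Fermat's little theorem
        m[rank] = [(v * inv) % q for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % q for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def shadow_positions(E):
    """Indices where the big error vector E is zero: the t = n - W usable positions."""
    return [i for i, v in enumerate(E) if v == 0]


def vandermonde_rows(points, monomials, q):
    """One row per point; columns are x^i * y^j for each monomial (univariate: y = 1, j = 0)."""
    rows = []
    for pt in points:
        x, y = (pt, 1) if isinstance(pt, int) else pt
        rows.append([(pow(x, i, q) * pow(y, j, q)) % q for i, j in monomials])
    return rows


def decryption_unique(E, points, monomials, q):
    """True iff the shadow rows fix every monomial coefficient; a rank deficit
    means a free variable, i.e. the decryption failure described in the paper."""
    shadows = [points[i] for i in shadow_positions(E)]
    return rank_mod_prime(vandermonde_rows(shadows, monomials, q), q) == len(monomials)


# Constructed toy parameters: q = 7, five univariate points, secret poly with monomials 1, x, x^2.
Q = 7
UNI_POINTS = [1, 2, 3, 4, 5]
UNI_MONOS = [(i, 0) for i in range(3)]
# Constructed bivariate case: six points in GF(7)^2, four monomials 1, Y, X, XY.
BI_POINTS = [(1, 1), (1, 2), (2, 1), (2, 2), (3, 1), (3, 3)]
BI_MONOS = list(product(range(2), range(2)))

if __name__ == "__main__":
    # W = 2 leaves 3 shadows for 3 monomials (unique); W = 3 leaves 2 (free variable, failure).
    print(decryption_unique([0, 0, 0, 5, 3], UNI_POINTS, UNI_MONOS, Q))   # True
    print(decryption_unique([0, 0, 4, 5, 3], UNI_POINTS, UNI_MONOS, Q))   # False
    print(decryption_unique([0, 0, 0, 0, 2, 6], BI_POINTS, BI_MONOS, Q))  # True
    print(decryption_unique([0, 0, 0, 1, 2, 6], BI_POINTS, BI_MONOS, Q))  # False
```

The same check applies to any monomial set: replace BI_MONOS with the exponent pairs of the secret polynomial actually in use and the rank test tells whether the chosen W still leaves enough shadows.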
4 Discussion
Based on the results, we need to ensure that the weight W of the big error vector is less than the number of monomials of the secret polynomial p, for both the AF-Cryptosystem and the AAK-Cryptosystem. Users of these cryptosystems need to take the boundary value for W into consideration to prevent decryption failure from occurring.
5 Conclusion
This paper shows that decryption failure can occur in the AF-Cryptosystem and the AAK-Cryptosystem. When W is greater than the number of monomials of the secret polynomial p, we cannot determine a unique polynomial q. Hence, we cannot decrypt the ciphertext CT to identify the message polynomial μ. Thus, the recommended weights of the big error vector E for the AF-Cryptosystem and the AAK-Cryptosystem are and respectively, so that the decryption process can succeed. For future work, we suggest investigating whether the size of the message polynomial used in both cryptosystems could also contribute to decryption failure.
Availability of data and materials
Not applicable.
Consent of publication
Not applicable.
CRediT authorship contribution statement
Siti Nabilah Yusof: Writing – original draft, Methodology, Formal analysis, Conceptualization. Muhammad Rezal Kamel Ariffin: Writing – review & editing, Validation, Supervision, Funding acquisition. Sook-Chin Yip: Writing – review & editing, Funding acquisition. Terry Shue Chien Lau: Formal analysis. Zahari Mahad: Formal analysis. Ji-Jian Chin: Funding acquisition, Formal analysis. Choo-Yee Ting: Formal analysis.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- [1] Abdul Jamal N.A.S., Kamel Ariffin M.R., Sapar S.H., Abdullah K. New identified strategies to forge multivariate signature schemes. Symmetry 14(11) (2022) 2368.
- [2] Ajeena R.K., Kamarulhaili H., Almaliky S.B. Bivariate polynomials public key encryption schemes. Int. J. Cryptol. Res. 4(1) (2013) 73–83.
- [3] Agarkar A.A., Agrawal H. LRSPPP: lightweight R-LWE-based secure and privacy-preserving scheme for prosumer side network in smart grid. Heliyon 5(3) (2019) e01321. doi:10.1016/j.heliyon.2019.e01321.
- [4] Li A., Liu D., Zhang C., Li X., Yang S., Liu X., Lu J., Zhou X., Hu A., Ni T. A flexible and high-performance lattice-based post-quantum crypto secure coprocessor. IEEE Trans. Ind. Inform. 19(2) (2022) 1874–1883.
- [5] Augot D., Finiasz M. A public key encryption scheme based on the polynomial reconstruction problem. International Conference on the Theory and Applications of Cryptographic Techniques (2003) 229–240.
- [6] Augot D., Finiasz M., Loidreau P. Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at Eurocrypt 2003. International Association for Cryptologic Research, 209 (2003).
- [7] Begum M.B., Deepa N., Uddin M., Kaluri R., Abdelhaq M., Alsaqour R. An efficient and secure compression technique for data protection using Burrows-Wheeler transform algorithm. Heliyon (2023) e17602. doi:10.1016/j.heliyon.2023.e17602.
- [8] Bhatia A., Kumar A., Jain A., Kumar A., Verma C., Illes Z., Raboaca M.S. Networked control system with MANET communication and AODV routing. Heliyon 8(11) (2022) e11678. doi:10.1016/j.heliyon.2022.e11678.
