POLYNOMIAL-TIME PLAINTEXT-RECOVERY ATTACK ON THE MATRIX-BASED KNAPSACK CIPHER

Abstract: The aim of the present paper is to propose a polynomial-time plaintext-recovery attack on the matrix-based knapsack cipher. The algorithm uses only public information and has time complexity O(t^1.34), where t is the decryption time of the attacked cryptosystem. The matrix-based knapsack cipher is a novel additively homomorphic asymmetric encryption scheme, which is a representative of group-based knapsack ciphers. This cryptosystem is based on the properties of an isomorphic transformation of the inner direct product of diagonal subgroups of a general linear group over a Galois field. Unlike the classical knapsack cryptoschemes, the cryptographic strength of this cipher depends on the computational complexity of the multidimensional discrete logarithm problem. Due to the attack proposed here, the matrix-based knapsack cipher can be considered broken and should not be used as a privacy tool. However, this cryptosystem is still suitable for educational purposes as an example of the application of linear and abstract algebra in asymmetric cryptography.


1. INTRODUCTION
Asymmetric encryption schemes are widely used to ensure the confidentiality of communication over insecure channels. These cryptosystems allow the interacting parties to establish a shared secret key for a symmetric cipher in such a way that an eavesdropper obtains no information useful for cryptanalysis [1,2]. Network protocols that use asymmetric encryption include TLS [3], S/MIME [4], OpenPGP [5], Tor [6] and many others [7].
Some asymmetric ciphers are homomorphic, meaning that they allow computations on encrypted data to be performed without prior decryption. This property makes it possible to use such cryptosystems in several application areas besides symmetric key establishment. In particular, homomorphic asymmetric ciphers are used in secret e-voting protocols [8] and cloud computing [9].
The matrix-based knapsack cipher is a novel additively homomorphic asymmetric encryption scheme, which is a representative of group-based knapsack ciphers [10]. This cryptosystem is based on the properties of an isomorphic transformation of the inner direct product of diagonal subgroups of a general linear group over a Galois field [11]. Unlike the classical knapsack cryptoschemes, the cryptographic strength of this cipher depends on the computational complexity of the multidimensional discrete logarithm problem [10].
The given cipher was originally proposed in [11]. The approach to building this cryptosystem over a Galois field with a multiplicative group of a large smooth order was proposed in [12]. Another approach, in which the aforesaid cipher is built over a small Galois field, was used in [10], where the property of additive homomorphism was proven for this cryptoscheme. Also, in [10] a secret e-voting protocol based on the given cipher was briefly described.
The aim of the present paper is to propose a plaintext-recovery attack on the matrix-based

2. MATRIX-BASED KNAPSACK CIPHER
The given cryptosystem has two parameters [10]:
1. The order of the finite field over which the cipher is built, denoted q. It is necessary that q - 1 be larger than 1 and small (or merely smooth, in the case of the approach using a large Galois field).
2. The order of the square matrices being used, denoted n. The minimum value of n is 2.
The key generation procedure begins with choosing a generating set of the abelian group G, the diagonal subgroup of the general linear group GL(n, GF(q)). This set is represented by the tuple (g1, g2, ..., gn) obtained from (z1, z2, ..., zn), where each zi is a randomly chosen primitive element of GF(q). The element gi is obtained from the n-dimensional identity matrix over GF(q) by replacing its (i, i) entry with zi [10]. Since the order of each gi is q - 1, each d ∈ G has a unique representation of the form [10]

$d = g_1^{p_1} g_2^{p_2} \cdots g_n^{p_n}$,

where pi is a nonnegative integer less than q - 1. Therefore, it is not hard to see the correctness of formula (1).

The private key is a randomly selected matrix s ∈ GL(n, GF(q)). This matrix defines the group H, a subgroup of GL(n, GF(q)), together with the isomorphism f: G → H and its inverse f^{-1}: H → G. This pair of isomorphisms is given by conjugation with s [10]:

$f(d) = s \cdot d \cdot s^{-1}, \qquad f^{-1}(h) = s^{-1} \cdot h \cdot s$.

The public key is a tuple (e1, e2, ..., en). Its elements are calculated by formula (3), where (σ1, σ2, ..., σn) is a random permutation of (1, 2, ..., n). Although the original version of the cipher does not use this secret permutation [10,11], the feature should be introduced to complicate cryptanalytic attacks on the cryptosystem. The encryption procedure converts a plaintext into an integer tuple (x1, x2, ..., xn) with 0 ≤ xi ≤ q - 2 and computes the ciphertext c as [10]

$c = e_1^{x_1} e_2^{x_2} \cdots e_n^{x_n}$.
Since (g1, g2, ..., gn) is a generating set of G, the encryption procedure and (3) imply that each element of H belongs to the set of ciphertexts. Thus, there is a bijection between plaintexts and elements of H.
Decryption is performed as follows:
1. The tuple (y1, y2, ..., yn), where yi is the (i, i) entry of f^{-1}(c), is computed. By virtue of (1)-(4), $y_{\sigma_i} = z_{\sigma_i}^{x_i}$.
2. The tuples (z1, z2, ..., zn) and (σ1, σ2, ..., σn) are found using the following condition: if the (k, k) entry of f^{-1}(ei) is not equal to 1, then σi = k and zk equals this entry. This follows from (3) and the definition of gi. The step can be avoided by storing the two tuples along with the private key.
The given cipher is additively homomorphic due to the following properties [10]:
1. The plaintext set is an additive abelian group under the operation ⊕, defined componentwise modulo q - 1 for plaintext tuples (u1, u2, ..., un) and (v1, v2, ..., vn):

$(u_1, \dots, u_n) \oplus (v_1, \dots, v_n) = \big((u_1 + v_1) \bmod (q-1), \dots, (u_n + v_n) \bmod (q-1)\big)$.

Thus, the plaintext group is the additive group of the n-dimensional module over the residue ring modulo q - 1.
2. The ciphertext set, equipped with matrix multiplication, is the multiplicative abelian group H mentioned above.
3. If ci denotes the ciphertext obtained by encrypting the plaintext tuple mi under some fixed public key, then decrypting c1 ⋅ c2 ⋅ ... ⋅ ck with the corresponding private key produces m1 ⊕ m2 ⊕ ... ⊕ mk.
These properties, together with the bijection between elements of H and plaintexts, make the ciphertext group isomorphic to the plaintext group.
The final step of the decryption computes the elements of the plaintext tuple (x1, x2, x3, x4) as discrete logarithms in GF(q), $x_i = \log_{z_{\sigma_i}} y_{\sigma_i}$ (formula (5)). Thus, the decryption of cp, defined as c1 ⋅ c2, yields the plaintext (0, 3, 5, 4), which equals m1 ⊕ m2 since the cipher is additively homomorphic. The only previously known plaintext-recovery attack on this cryptosystem consists in solving the multidimensional discrete logarithm problem described by (4). General-purpose algorithms for problems of this kind in arbitrary groups are considered computationally infeasible on non-quantum computers [7,13]. Nevertheless, the special-purpose algorithm proposed in the next section solves this problem in polynomial time and does not require a quantum computer.

3. PLAINTEXT-RECOVERY ATTACK
The attack proposed in this section recovers the plaintext from a ciphertext of the matrix-based knapsack cipher using only public information. The algorithm relies on the properties of the polynomials B(λ) and Wi(λ) over GF(q), which are the characteristic polynomials [14] of the matrices c and c ⋅ ei respectively, i.e. B(λ) = det(c - λI) and Wi(λ) = det(c ⋅ ei - λI), where c is the ciphertext chosen for decryption, (e1, e2, ..., en) is the corresponding public key and I is the n × n identity matrix over GF(q). The theorem below describes the relationship between these polynomials and the variables of the decryption procedure.
Theorem 1. If the permutation (σ1, σ2, ..., σn) is used to generate the public key and the tuple (y1, y2, ..., yn) is obtained in the initial step of decryption, then $y_{\sigma_i}$ can be found by formula (8), in which gcd(B(λ), Wi(λ)) denotes the monic greatest common divisor of B(λ) and Wi(λ).
Formula (10), which yields $z_{\sigma_i}$ in step 4 below, involves only the public key tuple (e1, e2, ..., en). The plaintext-recovery attack receives the ciphertext c and the corresponding public key (e1, e2, ..., en) as input. The cipher parameters q and n are assumed to be specified along with the public key. The output of the algorithm is the recovered plaintext tuple (x1, x2, ..., xn). The attack procedure consists of the following steps:
1. The coefficients of B(λ) are calculated, and the variable i is set to 0.
2. The variable i is increased by 1, and the coefficients of Wi(λ) are computed.
3. The value of $y_{\sigma_i}$ is obtained by (8).
4. The value of $z_{\sigma_i}$ is computed using (10).
5. The plaintext fragment xi is recovered in accordance with (5).
Steps 2-5 are repeated until i = n.
The following toy example of the attack is constructed using the decryption instance described in Section 2. The input is the ciphertext c, which equals cp in (7), and the public key (e1, e2, e3, e4) defined by (6). The parameters q and n are 13 and 4 respectively.
The first two steps of the attack yield the polynomials B(λ) and W1(λ), ..., W4(λ); steps 3 and 4 give the corresponding values $y_{\sigma_i}$ and $z_{\sigma_i}$. The fifth step determines that x1 = 0, x2 = 3, x3 = 5 and x4 = 4.
Hence, the algorithm outputs (0, 3, 5, 4), which equals the plaintext tuple obtained in Section 2 by decryption of the corresponding ciphertext.
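The cipher of Section 2 and the five attack steps above, as an added worked example that is not part of the original paper: the code below builds its own toy instance over GF(13) with n = 4 (the parameters of the paper's example, but with constructed keys and plaintexts, not the matrices of (6) and (7)), encrypts, and then runs steps 1-5 using only the ciphertext and the public key. Formulas (5), (8) and (10) are not reproduced on this page, so the code uses the following reconstructions, derived from the definitions given here and to be read as assumptions of this example: B(λ)/gcd(B(λ), Wi(λ)) is the linear polynomial λ − y_{σi}, because f^{-1}(c ⋅ ei) = f^{-1}(c) ⋅ g_{σi} differs from f^{-1}(c) in exactly one diagonal entry; z_{σi} = det(ei), because the determinant is invariant under conjugation and det(gk) = zk; and xi is the discrete logarithm of y_{σi} to base z_{σi}. The characteristic polynomial is computed with the Faddeev-LeVerrier recurrence instead of the Hessenberg algorithm cited in Section 4 (it requires q > n, which holds here), and the discrete logarithm by exhaustion instead of Pohlig-Hellman; neither substitution changes the attack.

```python
"""Constructed toy instance of the matrix-based knapsack cipher (q = 13, n = 4) and the
plaintext-recovery attack, which uses only the ciphertext and the public key."""
import random

Q, N = 13, 4                                          # q prime, so GF(q) = Z/qZ; q - 1 = 12 is smooth
I = [[int(i == j) for j in range(N)] for i in range(N)]

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) % Q for j in range(N)] for i in range(N)]

def det_inv(m):
    """Gauss-Jordan over GF(Q): returns (det m, m^-1), with m^-1 = None when m is singular."""
    a, det = [row[:] + I[i] for i, row in enumerate(m)], 1
    for c in range(N):
        p = next((r for r in range(c, N) if a[r][c]), None)
        if p is None:
            return 0, None
        a[c], a[p], det = a[p], a[c], det * a[p][c] * (-1 if p != c else 1) % Q
        a[c] = [x * pow(a[c][c], -1, Q) % Q for x in a[c]]
        for r in range(N):
            if r != c:
                a[r] = [(x - a[r][c] * y) % Q for x, y in zip(a[r], a[c])]
    return det, [row[N:] for row in a]

def p_trim(p):                                        # polynomials: coefficient lists, lowest degree first
    return p[:max(1, max((i + 1 for i, c in enumerate(p) if c), default=0))]

def p_divmod(a, b):
    a, q, inv = a[:], [0] * max(1, len(a) - len(b) + 1), pow(b[-1], -1, Q)
    for i in range(len(a) - len(b), -1, -1):          # schoolbook long division over GF(Q)
        q[i] = a[i + len(b) - 1] * inv % Q
        for j, y in enumerate(b): a[i + j] = (a[i + j] - q[i] * y) % Q
    return p_trim(q), p_trim(a)

def p_gcd(a, b):
    while b != [0]:                                   # Euclid; the result is made monic
        a, b = b, p_divmod(a, b)[1]
    return [x * pow(a[-1], -1, Q) % Q for x in a]

def char_poly(m):
    """det(lambda*I - m) by Faddeev-LeVerrier (needs q > n; the paper's Hessenberg algorithm does not)."""
    c, powers, tr = [0] * N + [1], I, []
    for k in range(1, N + 1):
        powers = mat_mul(powers, m)
        tr.append(sum(powers[i][i] for i in range(N)))
        c[N - k] = -sum(c[N - k + i] * tr[i - 1] for i in range(1, k + 1)) * pow(k, -1, Q) % Q
    return c

def keygen(rng):
    """Key generation; indices are 0-based here, where the paper's sigma_i and z_i are 1-based."""
    primitive = [z for z in range(2, Q) if len({pow(z, k, Q) for k in range(1, Q)}) == Q - 1]
    z, s_inv = [rng.choice(primitive) for _ in range(N)], None
    while s_inv is None:                              # private key: random s in GL(n, GF(q))
        s = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        s_inv = det_inv(s)[1]
    sigma = rng.sample(range(N), N)                   # the secret permutation
    g = lambda k: [[z[k] if i == j == k else int(i == j) for j in range(N)] for i in range(N)]
    f = lambda d: mat_mul(mat_mul(s, d), s_inv)       # isomorphism G -> H, f(d) = s d s^-1
    return [f(g(sigma[i])) for i in range(N)], (s, s_inv, z, sigma)   # e_i = f(g_{sigma_i})

def encrypt(pub, x):
    c = I                                             # c = e_1^x_1 * ... * e_n^x_n
    for e_i, x_i in zip(pub, x):
        for _ in range(x_i): c = mat_mul(c, e_i)
    return c

def dlog(base, target):
    """Exhaustive discrete log in GF(Q)^*, fine for q - 1 = 12 (the paper uses Pohlig-Hellman)."""
    return next(x for x in range(Q - 1) if pow(base, x, Q) == target)

def decrypt(priv, c):
    s, s_inv, z, sigma = priv
    d = mat_mul(mat_mul(s_inv, c), s)                 # f^-1(c), diagonal with entries y_k
    return [dlog(z[sigma[i]], d[sigma[i]][sigma[i]]) for i in range(N)]

def attack(pub, c):
    """Steps 1-5 of the attack, from c and (e_1, ..., e_n) alone."""
    B, x = char_poly(c), []                                        # step 1
    for e_i in pub:
        W = char_poly(mat_mul(c, e_i))                             # step 2
        # f^-1(c e_i) = f^-1(c) g_{sigma_i} rescales the single diagonal entry y_{sigma_i} by z_{sigma_i} != 1,
        # so B / gcd(B, W_i) is exactly lambda - y_{sigma_i} (this example's reconstruction of formula (8))
        lin, rem = p_divmod(B, p_gcd(B, W))                        # step 3
        assert rem == [0] and len(lin) == 2
        y = -lin[0] * pow(lin[1], -1, Q) % Q
        z = det_inv(e_i)[0]      # step 4: det(e_i) = det(g_{sigma_i}) = z_{sigma_i}, conjugation-invariant
        x.append(dlog(z, y))                                       # step 5
    return x

def demo(seed=1):
    """Attack a fresh ciphertext and a product of two, which must decrypt to the sum mod q - 1."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    m1, m2 = ([rng.randrange(Q - 1) for _ in range(N)] for _ in range(2))
    c1, c12 = encrypt(pub, m1), mat_mul(encrypt(pub, m1), encrypt(pub, m2))
    m_sum = [(a + b) % (Q - 1) for a, b in zip(m1, m2)]
    return (attack(pub, c1) == m1 == decrypt(priv, c1),
            attack(pub, c12) == m_sum == decrypt(priv, c12))

if __name__ == "__main__":
    print(demo())                                     # (True, True)
```

Running the module prints (True, True): the attack agrees with honest decryption both on a fresh ciphertext and on the product c1 ⋅ c2, whose recovered plaintext is m1 ⊕ m2 modulo q − 1, which is the homomorphic property of Section 2 seen from the attacker's side. The assertion in attack that B(λ)/gcd(B(λ), Wi(λ)) is linear is the check a practitioner would keep when porting to other parameters; it holds for every valid public key because each zi is primitive and therefore different from 1.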

4. TIME COMPLEXITY OF THE PLAINTEXT-RECOVERY ATTACK
The most expensive arithmetic operations in GF(q) are multiplication and division; the latter, in a finite field, is multiplication by the inverse of the divisor. Both take O(log^2(q)) time [15]. Thus, multiplication of polynomials of degree η over GF(q), as well as their division, takes O(η^2 ⋅ log^2(q)) time, and multiplication of η × η matrices over GF(q) has time complexity O(η^3 ⋅ log^2(q)).
The coefficients of the characteristic polynomial of an arbitrary η × η matrix over GF(q) can be found using the Hessenberg algorithm in O(η^3) arithmetic operations in the field [16,17]. Thus, the time complexity of each of the first two steps of the attack procedure is O(n^3 ⋅ log^2(q)).
The greatest common divisor of two polynomials over GF(q) can be calculated using the Euclidean algorithm in O(η^2) field arithmetic operations, where η is the larger of the degrees of the two polynomials [15]. So the third step has time complexity O(n^2 ⋅ log^2(q)).
The determinant of a square matrix over GF(q) can be found using Gaussian elimination in O(η^3) field arithmetic operations, where η denotes the order of the matrix [18,19]. Thus, the time complexity of the fourth step is O(n^3 ⋅ log^2(q)).
A discrete logarithm in GF(q) can be computed efficiently using the Pohlig-Hellman algorithm in O(log^2(q)) field arithmetic operations, because q - 1 is smooth or small [20,21]. Therefore, the fifth step requires at most O(log^4(q)) time.
Since each step except the first is performed n times, the time complexity of the plaintext-recovery attack is O(n^4 ⋅ log^2(q) + n ⋅ log^4(q)).
The time complexities of the attack and of the decryption procedure can be compared as follows. The first decryption step requires two multiplications of n × n matrices over GF(q). The optional second step is recommended to be omitted by storing (σ1, σ2, ..., σn) and (z1, z2, ..., zn) along with the private key. The last step consists of computing n discrete logarithms in GF(q). Hence the decryption procedure requires O(n^3 ⋅ log^2(q) + n ⋅ log^4(q)) time. Therefore, if t denotes the decryption time, the time complexity of the plaintext-recovery attack is O(t^1.34).
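The exponent 1.34 follows from the two bounds above; the short derivation below is added here and is not part of the original paper. It assumes only n ≥ 2 and q ≥ 3, so that every term is at least 1, and absorbs the constants of the O-notation into t.

$$t = \Theta\!\left(n^{3}\log^{2} q + n\log^{4} q\right) \;\Rightarrow\; n^{3} \le n^{3}\log^{2} q \le t \;\Rightarrow\; n \le t^{1/3}.$$

Hence

$$n^{4}\log^{2} q = n \cdot n^{3}\log^{2} q \le t^{1/3}\, t = t^{4/3}, \qquad n\log^{4} q \le t,$$

so the attack runs in $O(n^{4}\log^{2} q + n\log^{4} q) \subseteq O(t^{4/3})$, and $4/3 = 1.33\ldots$ is rounded up to the stated $O(t^{1.34})$. The extra factor over decryption is at most n, which comes entirely from repeating the O(n^3 ⋅ log^2(q)) characteristic-polynomial and determinant computations once per public key element.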

5. CONCLUSION
The plaintext-recovery attack proposed in the present paper has time complexity O(t^1.34), where t stands for the decryption time of the attacked cryptosystem. In terms of the parameters of the matrix-based knapsack cipher, the time complexity of this cryptanalytic method can be expressed as O(n^4 ⋅ log^2(q) + n ⋅ log^4(q)). Hence, the encryption scheme can be considered broken and should not be used as a privacy tool. However, the cipher is still suitable for educational purposes as an example of the application of linear and abstract algebra in asymmetric cryptography. The obtained results help to eliminate the information security risks that arise from using the cipher without knowledge of its vulnerability.