Open Eng. 2016; 6:250–258

Research Article. Open Access

Nursulu Kapalova* and Dilmukhanbet Dyusenbayev

Security analysis of an encryption scheme based on nonpositional polynomial notations

DOI 10.1515/eng-2016-0034
Received May 05, 2016; accepted Jun 28, 2016

Abstract: The aim of the research was to conduct a cryptographic analysis of an encryption scheme developed on the basis of nonpositional polynomial notations in order to estimate the algorithm strength. Nonpositional polynomial notations (NPNs) are residue number systems (RNSs) based on irreducible polynomials over GF(2). To evaluate whether the algorithms developed on the basis of NPNs are secure, mathematical models of cryptanalysis involving algebraic, linear and differential methods have been designed. The cryptanalysis is as follows. A system of nonlinear equations is obtained from the function that transforms plaintext into ciphertext with a key. Next, the possibility of transition from the nonlinear system to a linear one is considered. The cryptanalysis was conducted for the cases with known: 1) ciphertext; 2) plaintext and the related ciphertext; 3) plaintext file format; and 4) ASCII-encoded plaintext.

Keywords: ; encryption; nonpositional polynomial notations; cryptostrength; residue; cryptanalysis

*Corresponding Author: Nursulu Kapalova: Institute of Information and Computational Technologies, Almaty, Kazakhstan; Email: [email protected]
Dilmukhanbet Dyusenbayev: Institute of Information and Computational Technologies, Almaty, Kazakhstan; Email: [email protected]

© 2016 N. Kapalova and D. Dyusenbayev, published by De Gruyter Open. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License.

1 Introduction

Algorithms and methods developed on the basis of nonpositional polynomial notations (NPNs) are also known as nonconventional [1–3]. When considering a classical notation in a residue number system (RNS), positive integers are chosen as a base system, where a positive integer is represented by its remainders (residues) on division by the base system [2, 4]. RNS construction relies on the Chinese remainder theorem. According to the theorem, the representation of a number as a sequence of remainders is unique provided that the bases are pairwise relatively prime. As distinct from classical RNSs, irreducible polynomials over GF(2), that is, binary polynomials, serve as bases in NPNs [1–6].

Based on NPNs, nonconventional algorithms for encryption, digital signatures and cryptographic exchange have been developed [3, 7–9]. This paper is concerned with an investigation of the strength of a nonconventional encryption scheme against cryptographic attacks. The core of the algorithm under study is as follows.

1. First of all, an NPN is formed with its working bases consisting of chosen irreducible polynomials

   p_1(x), p_2(x), ..., p_S(x)   (1)

   over GF(2) of degrees m_1, m_2, ..., m_S respectively. Polynomials (1), subject to their arrangement, constitute a certain base system. All bases are to be different, including the case when they have the same degree. The working range of the NPN is specified by the polynomial (modulus)

   P(x) = p_1(x) p_2(x) ··· p_S(x)

   of degree m = Σ_{i=1}^{S} m_i. Therefore, a message of length N bits can be interpreted as a sequence of remainders α_1(x), α_2(x), ..., α_S(x) of dividing a polynomial F(x) by the working bases p_1(x), p_2(x), ..., p_S(x) respectively:

   F(x) = (α_1(x), α_2(x), ..., α_S(x)).   (2)

2. Encryption of a message of length N bits is performed with a key sequence of the same length, which is interpreted as a sequence of remainders β_1(x), β_2(x), ..., β_S(x) of dividing some other polynomial G(x) by the same working bases of the system:

   G(x) = (β_1(x), β_2(x), ..., β_S(x)),   (3)

   where G(x) ≡ β_i(x) (mod p_i(x)), i = 1, ..., S.

3. The cryptogram H(x) = (ω_1(x), ω_2(x), ..., ω_S(x)) is the result of multiplying polynomials (2) and (3). The members of the residue sequence ω_1(x), ω_2(x), ..., ω_S(x) are the remainders on dividing the products α_i(x)β_i(x) by the respective bases p_i(x):

   α_i(x) β_i(x) ≡ ω_i(x) (mod p_i(x)), i = 1, ..., S.   (4)

   The binary form of the ciphertext H(x) is the sequence of consecutive coefficients of the polynomials ω_1(x), ω_2(x), ..., ω_S(x).

4. Decryption of the cryptogram H(x) with a known key G(x) requires, for each β_i(x), the evaluation of a reciprocal (inverse) polynomial β_i^{-1}(x) under the following condition:

   β_i(x) · β_i^{-1}(x) ≡ 1 (mod p_i(x)), i = 1, ..., S.   (5)

   The result is the polynomial G^{-1}(x) = (β_1^{-1}(x), β_2^{-1}(x), ..., β_S^{-1}(x)) inverse to the polynomial G(x). The original message can then be calculated according to (4) and (5) through the remainders of the following congruence:

   α_i(x) ≡ β_i^{-1}(x) ω_i(x) (mod p_i(x)), i = 1, ..., S.   (6)

Hence, the complete key of a message of length N bits in the above model of the encryption scheme is comprised of the chosen system of polynomial bases p_1(x), p_2(x), ..., p_S(x), the key G(x) = (β_1(x), β_2(x), ..., β_S(x)) obtained while generating a pseudo-random sequence, and the inverse key G^{-1}(x) = (β_1^{-1}(x), β_2^{-1}(x), ..., β_S^{-1}(x)) calculated according to expression (5).

To evaluate the scheme reliability, a formula of cryptostrength was derived taking into account all possible choices of the secret parameters of the scheme. The cryptostrength of the encryption scheme based on NPNs is determined by all possible, mutually distinct choices of complete keys, that is, by their secrecy. The cryptostrength of encryption of a message of a given length N bits can be deduced from the formula [5]:

   k_r = 2^N · Σ_{k_1, k_2, ..., k_S} (k_1 + k_2 + ... + k_S)! · C_{n_1}^{k_1} C_{n_2}^{k_2} ··· C_{n_S}^{k_S}.   (7)

If an encryption scheme and at least one pair of plaintext and ciphertext are known to a cryptanalyst, then a natural way of analysis is straightforward enumeration of all possible keys. The attack is conducted successively until encryption with a sample key coincides with the known ciphertext. Formula (7) determines the maximum possible number of attempts to find the right secret key. Such an analysis technique is variously known as the full enumeration method [10], the brute force technique [11] or the exhaustive method [12]. This paper presents the results of some cryptographic attacks applied against the above-mentioned encryption scheme.

2 Some methods of cryptographic attacks

Cryptanalysis is associated with such characteristics of cryptosystems as the evaluation of cipher reliability and the development of methods of breaking them. Analysis of reliability is based on the assumption that a cryptanalyst possesses all the information about the cryptographic algorithm in use while the key for a certain message is unknown (Kerckhoffs' principle). Cipher strength depends on the complexity of the transformation algorithms, the key multiplicity and the implementation method (protection against bugs, viruses, etc.). Despite the fact that the concept of cipher strength holds a central position in cryptography, a quantitative estimation of cryptostrength is, in general terms, still an open problem. The most general practical approaches to estimating an algorithm's quality are as follows [11]:

1. All possible attempts to break the algorithm;
2. Analysis of the decrypting algorithm complexity;
3. Estimate of the cipher statistical security.

In the first instance, much depends on the qualification, experience and intuition of a cryptanalyst as well as on a proper estimate of the capabilities of the algorithm originators. It is generally believed that a cryptanalyst has knowledge about the cipher structure, the ability to study the cipher and some characteristics of the plaintext such as message themes, patterns, standards, formats and so on. In the second instance, the estimate of cryptostrength is replaced with the estimate of the minimum complexity of a breaking algorithm. However, in general it does not seem possible to obtain rigorously provable estimates of the lower bound of complexity of different algorithms. The complexity of computational schemes can be evaluated by the number of computational primitives with due regard to their cost. This quantity generally must have a strict lower bound and fall outside the performance limitations of state-of-the-art computer-based systems. In the third instance, the assumption is that a reliable cryptosystem, from the standpoint of the cryptanalyst, represents a black box where the input and output information sequences are mutually independent while the output ciphered sequence is pseudorandom. For the purposes of cryptanalysis the following methods are also used [12]:

– Ciphertext only attack;
– Attack based on plaintexts and resulting ciphertexts;

– Chosen plaintext attack (possibility to choose a plaintext to encrypt);
– Adaptive chosen plaintext attack.

The goal of the ciphertext only attack is to find as many plaintexts as possible corresponding to the available ciphertexts, that is, to find the key which was used for encryption. However, this attack type is the weakest as well as the most inconvenient.

When performing the attack based on plaintexts and resulting ciphertexts there are two alternatives for the statement of the problem: 1) to find the key that was used to transform a plaintext into ciphertext; and 2) to build an algorithm capable of decrypting any message encrypted with that key. Plaintexts are of crucial importance in the attack. They can be retrieved from a variety of sources. This attack is more powerful than the ciphertext only attack.

The main difference between the attack just mentioned and the chosen plaintext attack lies in the possibility of choosing a number of plaintexts and then encrypting them with the key being searched for. This makes the latter attack more powerful.

The adaptive chosen plaintext attack is applicable in cases where a cryptanalyst has access to the encryption device. This type of attack is also widely used to break public key cryptosystems. To perform the attack, methods of differential and linear cryptanalysis are of frequent use.

Differential cryptanalysis was put forward by E. Biham and A. Shamir in 1990. This approach represents a chosen plaintext attack. The variation of a diversity measure of two plaintexts during the main phases of the cryptographic transformation was considered as the basis for the analysis. The Hamming distance serves as the diversity measure for two binary vectors. The Hamming distance between two strings of equal length is the number of positions at which the corresponding symbols are different. To perform differential cryptanalysis successfully a large set of plaintexts and resulting ciphertexts is required [13].

Linear cryptanalysis was proposed by the Japanese mathematician Matsui in 1993. The method again represents a known plaintext attack. The method uses linear approximations, assuming with a certain probability that there is a linear dependence between plaintext, related ciphertext and key bits. The scheme of linear cryptanalysis is implemented in two steps. The first step consists in building linear relations involving plaintext, ciphertext and key bits, where the relations are likely true. The second is to use these relations in conjunction with known plaintext-ciphertext pairs to derive key bits [14]. Both differential and linear cryptanalysis were for a significant period of time based on statistical approaches. As noted above, to perform the attack a large set of plaintexts and related ciphertexts is needed. Besides, modern encryption schemes were developed with due consideration of resistance to attacks of this nature. The relevance of algebraic methods of cryptanalysis rests upon the possibility of breaking encryption schemes through them given merely one plaintext-ciphertext pair. It is also of importance that the methods are applicable to strong modern cipher systems. Algebraic attacks make use of the internal cipher structure, that is, to obtain an encryption key it is necessary to represent the enciphering transformations in the form of a set of multidimensional polynomial equations, and subsequently to solve the system [11].

3 Literature Review

One of the challenges facing modern cryptography is building a general theory of encryption strength validation. The existence of a variety of cryptanalysis methods coupled with the emergence of new lines of research in the area calls for continuous literature analysis. When it concerns the topic of this paper, the following works can be mentioned. Books [10, 11] consider the basic techniques of cryptanalysis in detail. The task of breaking a certain cipher is solved on a case-by-case basis, though the methods of solution have some common features allowing various attacks to be brought together and cryptanalysis methods to be developed. The use of mappings preserving algebraic structures (homomorphisms) is a standard method of solving mathematical problems. Generally, either the embedding of an algebraic structure into an enveloping structure or a homomorphism of a larger structure into a smaller one is used. Publications [11, 15] provide results of algebraic cryptanalyses. If an enveloping algebraic structure opens the way to new properties, then the former approach, consisting of two steps, is applied. The first step consists in extending a cryptographic algorithm onto an enveloping set enabling a simplification of key breaking by means of the new properties, and developing a method of key breaking for the extended cryptoalgorithm. The second step involves parameterization of the developed method of key breaking with the data specific to the original (non-extended) cryptoalgorithm, and further finding the answer to the problem. The latter approach is used straightforwardly to decrease the complexity of the problem by shrinking it. Here, the problem is split into subproblems which are solved one by one. In article [16], a new cipher named Baby Rijndael was built. The cipher represents a reduced version of the Rijndael scheme with the same algebraic structure. The XL and XSL attacks on Baby Rijndael were performed to explore whether the attacks could be used against AES. A system of n linear equations in n unknowns can be solved easily. The method of Gaussian elimination is a well-known algorithm for solving the problem with a running time of O(n^3). In practice, there are even faster methods, depending on the system of equations.

Works [17–26] describe results of differential and linear-differential cryptanalyses of simplified algorithms. Linear analysis is based on the cryptanalyst's knowledge of both plaintext and ciphertext in block encryption schemes, such as DES. Matsui made use of the scheme for analysis, since the DES encryption algorithm represented an open-source model with all its transposition and substitution tables known in advance. However, the Matsui linear cryptanalysis against DES requires a considerable number of plaintexts; in particular, to break a key in 8-round, 12-round and 16-round DES, 2^21, 2^33 and 2^47 known plaintexts are needed respectively.

In [27–30], results of attacks on the algorithm RC5 are discussed. While analyzing the algorithm RC5, it is possible to pursue the goal of finding either the secret key or the extended key table. The application of the two powerful attacks of differential and linear cryptanalysis to RC5 is considered by Kaliski and Yin [28], who show that the 12-round nominal cipher appears to be secure against both attacks. It is also shown that there are keys that make RC5 even weaker against differential cryptanalysis. Recently, in [29], new differential cryptanalysis results imply that 16 rounds are required for the cipher with w = 32 to be secure. The results of linear cryptanalysis are refined by Selcuk in [30], where it is shown that a small fraction of keys results in significant susceptibility to linear cryptanalysis.

4 Cryptanalysis of encryption scheme based on NPNs

When performing the cryptanalysis, it is assumed that the encryption scheme is known in advance. The cryptanalysis relies on two forms of information. The cryptanalyst needs to derive:

– Plaintext and a key from a ciphertext;
– Secret key from a plaintext-ciphertext pair.

Before conducting algebraic and linear analyses of an encryption scheme based on NPNs, a set of equations is built subject to the regularities of the ring multiplication (4). This set relates the key, plaintext and ciphertext.

4.1 Security against algebraic cryptanalysis of encryption scheme based on NPNs

Let us first consider the process of encryption for merely one irreducible polynomial. Suppose the expression

   α(x) · β(x) ≡ ω(x) (mod p(x))   (8)

describes an encryption method based on NPNs. We write the polynomials in use as follows:

   α(x) = a_{n−1}x^{n−1} + a_{n−2}x^{n−2} + ... + a_2x^2 + a_1x + a_0

is a polynomial whose coefficients are the bit sequence of a plaintext;

   β(x) = b_{n−1}x^{n−1} + b_{n−2}x^{n−2} + ... + b_2x^2 + b_1x + b_0

is a polynomial whose coefficients are the bit sequence of the generated key;

   ω(x) = c_{n−1}x^{n−1} + c_{n−2}x^{n−2} + ... + c_2x^2 + c_1x + c_0

is a polynomial whose coefficients are the bit sequence of the resulting ciphertext; and

   p(x) = k_n x^n + k_{n−1}x^{n−1} + k_{n−2}x^{n−2} + ... + k_2x^2 + k_1x + k_0

is an irreducible polynomial selected as a working base for the modulo operations.

The process of decryption for (8) is performed according to the following formula:

   ω(x) · β^{-1}(x) ≡ α(x) (mod p(x)),   (9)

where β^{-1}(x) = d_{n−1}x^{n−1} + d_{n−2}x^{n−2} + ... + d_2x^2 + d_1x + d_0 is the reciprocal (inverse) polynomial of β(x), whose coefficients are bit sequences, and ω(x) · ω^{-1}(x) ≡ 1 (mod p(x)). From expression (8) we find a polynomial s(x) ∈ GF(2)[x]/(p(x)) which satisfies the equation

   ω(x) · β^{-1}(x) ⊕ p(x) · s(x) = α(x),   (10)

where s(x) = s_{n−2}x^{n−2} + s_{n−3}x^{n−3} + ... + s_2x^2 + s_1x + s_0 is a polynomial.

The multiplication of the two pairs of polynomials is as follows:

   ω(x) · β^{-1}(x) = (c_{n−1}x^{n−1} + ... + c_1x + c_0) · (d_{n−1}x^{n−1} + ... + d_1x + d_0)   (11)
   ω(x) · β^{-1}(x) = c_{n−1}d_{n−1}x^{2n−2} + (c_{n−1}d_{n−2} ⊕ c_{n−2}d_{n−1})x^{2n−3} + ... + c_0d_0

   p(x) · s(x) = (k_n x^n + ... + k_1x + k_0) · (s_{n−2}x^{n−2} + ... + s_1x + s_0)   (12)
   p(x) · s(x) = k_n s_{n−2}x^{2n−2} + (k_n s_{n−3} ⊕ k_{n−1}s_{n−2})x^{2n−3} + ... + k_0s_0

Then from (10), (11) and (12) we derive the following set of equations:

   c_{n−1}d_{n−1} ⊕ k_n s_{n−2} = 0
   c_{n−1}d_{n−2} ⊕ c_{n−2}d_{n−1} ⊕ k_n s_{n−3} ⊕ k_{n−1}s_{n−2} = 0
   ...
   c_{n−1}d_1 ⊕ ... ⊕ c_1d_{n−1} ⊕ k_n s_0 ⊕ ... ⊕ k_2 s_{n−2} = 0
   c_{n−1}d_0 ⊕ ... ⊕ k_{n−1}s_0 ⊕ ... ⊕ k_1 s_{n−2} = a_{n−1}
   c_{n−2}d_0 ⊕ ... ⊕ k_{n−2}s_0 ⊕ ... ⊕ k_0 s_{n−2} = a_{n−2}
   ...
   c_2d_0 ⊕ c_1d_1 ⊕ c_0d_2 ⊕ k_2s_0 ⊕ k_1s_1 ⊕ k_0s_2 = a_2
   c_1d_0 ⊕ c_0d_1 ⊕ k_1s_0 ⊕ k_0s_1 = a_1
   c_0d_0 ⊕ k_0s_0 = a_0                                                   (13)

Here c = (c_{n−1}, c_{n−2}, ..., c_2, c_1, c_0) are the coefficients of the polynomial ω(x) representing the bit sequence of the known ciphertext. The coefficients of the polynomials α(x), p(x), β^{-1}(x) and s(x) are a = (a_{n−1}, a_{n−2}, ..., a_2, a_1, a_0), k = (k_{n−1}, k_{n−2}, ..., k_2, k_1, k_0), d = (d_{n−1}, d_{n−2}, ..., d_2, d_1, d_0) and s = (s_{n−2}, s_{n−3}, ..., s_2, s_1, s_0) respectively. We consider these coefficients as bit sequences of unknown variables.

The set of equations (13) can be built for every working base of the encryption scheme based on NPNs. Note that the number of equations in set (13) is (2n − 1), while the number of variables in the set is (4n − 2).

Let us first consider the particular case where the set of equations is linear. In this situation, the set (13) is free of the variables k_i and s_i. If a set of equations is linear and the number of variables in the set is twice the number of equations, then it will have 2^n solutions. However, for each specific plaintext a = (a_{n−1}, a_{n−2}, ..., a_2, a_1, a_0) there exists a unique solution d = (d_{n−1}, d_{n−2}, ..., d_2, d_1, d_0).

Let us now take a look at the general case. Considering that the coefficients k_n and k_0 are always equal to 1 for irreducible polynomials, we can transform the variables s_i in set (13) into the following equations:

   s_{n−2} = c_{n−1} · d_{n−1},
   s_{n−3} = c_{n−1} · d_{n−2} ⊕ c_{n−2} · d_{n−1} ⊕ k_{n−1} · c_{n−1} · d_{n−1},

The general formula for the expression can be shown in a recursive form:

   s_i = c_{n−1} · d_{i+1} ⊕ ... ⊕ c_{i+1} · d_{n−1} ⊕ k_{n−1} · s_{i+1} ⊕ k_{n−2} · s_{i+2} ⊕ ... ⊕ k_{i+2} · s_{n−2},   (14)

where i = 0, ..., n − 2.

If we plug equation (14) into the set of equations (13), then we get n equations instead of 2n − 1. These n equations consist of the variables d_i, k_i and a_i. The number of products consisting of the variables k_i and d_i increases rapidly in line with the degree of the irreducible polynomial, yet the number of multipliers k_i is no more than one half of the polynomial's index. It should also be noted that the sum of the coefficients is equal to 1 for any irreducible polynomial (the cryptanalyst can take advantage of this property). Hence, the set (13) becomes as follows:

   F_1(c, d, k) = a_{n−1}
   F_2(c, d, k) = a_{n−2}
   ...
   F_n(c, d, k) = a_0
   k_{n−1} ⊕ ... ⊕ k_1 = 1                                                (15)

The set can be linearized by the introduction of new variables. However, this requires a plaintext of length not less than the number of variables obtained. Therefore, it is not possible to solve the set of equations by linearization with the introduction of new variables. In this situation the number of plaintext values should be not less than the number of variables.

Let us now consider the case where the plaintext is unknown. The cryptanalysis problem then reduces to the key exhaustion attack. Table 1 shows the number of tries versus the key length.

Let us now discuss the case where the cryptanalyst has a plaintext and the resulting ciphertext, that is, the variables a_i in equation (15) are known. As noted above, linearization is inefficient in this case. The solution can be found by fitting irreducible polynomials. Substituting the values of selected irreducible polynomials into the set of equations (15), we obtain n equations in n unknowns. A solution of these equations either exists or does not. If they do not have a solution, then other polynomials of the same degree are selected. Otherwise, using the computed solution as a key, we decipher consecutive blocks of length m bits. In the event the obtained plaintext is meaningless, we try the next solution. Provided that the results obtained make sense, we believe that the part of the key corresponding to the chosen working base has been derived, and then we move on to searching for the other parts of the key. The complexity of this approach increases with the degree of the irreducible polynomial (Table 2).

Let us also consider the case where the extension type of the encrypted file is known. As far as the standard beginning of the file is known, the set of equations can be put in the form discussed above, and similarly we can find key parts step by step. Table 3 lists the starting bytes for some standard file types. These bytes can be used for deriving parts of the key.

Let us finally consider the case where the plaintext represents ASCII-encoded characters of the Latin alphabet. Taking into account that each 8th bit is a zero bit, we can substitute the respective bits of the plaintext for variables in the set of equations (15), drawing them from each consecutive block of length m, to obtain a new set of equations where the right side is determined. Here the number of equations depends on the plaintext length. The number of equations is equal to the number of variables when the plaintext length is eight times the key length. The resulting set of equations can then be solved in the same way as in the cases above. Higher degrees of polynomials substantially increase the number of possibilities for the search, which in turn adversely affects the effectiveness of the cryptanalysis.

Table 1: Number of tries versus key length.

Key length | Number of irreducible polynomials | Number of different plaintexts | Number of all possible tries | Probability
3  | 2    | 8     | 16        | 0,0625
4  | 3    | 16    | 64        | 0,015625
5  | 6    | 32    | 256       | 0,003906
6  | 9    | 64    | 832       | 0,001202
7  | 18   | 128   | 3136      | 0,000319
8  | 30   | 256   | 10816     | 9,25E−05
9  | 56   | 512   | 39488     | 2,53E−05
10 | 99   | 1024  | 140864    | 7,1E−06
11 | 186  | 2048  | 521792    | 1,92E−06
12 | 335  | 4096  | 1893952   | 5,28E−07
13 | 630  | 8192  | 7054912   | 1,42E−07
14 | 1161 | 16384 | 26076736  | 3,83E−08
15 | 2182 | 32768 | 97576512  | 1,025E−08
16 | 4080 | 65536 | 364963392 | 2,74E−09

Table 2: Number of tries for irreducible polynomials versus key length.

Key length | Number of irreducible polynomials | Number of all possible tries | Probability
3  | 2    | 4    | 0,25
4  | 3    | 7    | 0,1429
5  | 6    | 13   | 0,0769
6  | 9    | 22   | 0,0455
7  | 18   | 40   | 0,025
8  | 30   | 70   | 0,0142
9  | 56   | 126  | 0,0079
10 | 99   | 225  | 0,0044
11 | 186  | 411  | 0,0024
12 | 335  | 746  | 0,0013
13 | 630  | 1376 | 0,0007
14 | 1161 | 2537 | 0,0004
15 | 2182 | 4719 | 0,0002
16 | 4080 | 8799 | 0,0001

Table 3: Beginnings of files for some standard extension types (byte No. 1 to 16, hexadecimal).

Extension | Bytes 1–8                  | Bytes 9–16
.docx     | 50 4b 03 04 14 00 06 00    | 08 00 00 00 21 00
.jpg      | ff d8 ff e0 00 10 4a 46    | 49 46 00 01 01 01 01 2c
.pdf      | 25 50 44 46 2d 31 2e       |
.pdf*     | ef bb bf 25 50 44 46 2d    | 31 2e
.htm      | 3c 21 44 4f 43 54 59 50    | 45 20 68 74 6d
.doc      | d0 cf 11 e0 a1 b1 1a e1    | 00 00 00 00 00 00 00 00
.zip      | 50 4b 03 04                |
.exe      | 4d 5a 90 00 03 00 00 00    | 04 00 00 00 ff ff 00 00
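The scheme of Section 1 (steps 1–4) and the bookkeeping of Section 4.1 (number of irreducible working bases per degree, the Table 1 try count, and the "fit an irreducible polynomial to a known plaintext-ciphertext pair" step), as an added Python example that is not the paper's own code; the int representation of polynomials, the function names and the sample residues are this example's own assumptions.

```python
# Toy model of the NPN scheme of Section 1 over GF(2)[x]. A polynomial is an int
# whose bit i is the coefficient of x^i, so 0b1011 is x^3 + x + 1. Function names
# and the sample values are this example's own choices, not the paper's.

def gf2_deg(a: int) -> int:
    """Degree of a polynomial; -1 for the zero polynomial."""
    return a.bit_length() - 1

def gf2_mul(a: int, b: int) -> int:
    """Carry-less product of two polynomials, without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_divmod(a: int, b: int) -> tuple:
    """Quotient and remainder of a on division by b (b must be non-zero)."""
    q, db = 0, gf2_deg(b)
    while gf2_deg(a) >= db:
        shift = gf2_deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf2_mulmod(a: int, b: int, p: int) -> int:
    """Residue of a*b modulo the working base p: the ring multiplication of (4)."""
    return gf2_divmod(gf2_mul(a, b), p)[1]

def gf2_inv(a: int, p: int) -> int:
    """Inverse of a modulo p (condition (5)) by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = p, gf2_divmod(a, p)[1], 0, 1
    while r1:                      # invariant: t_i * a == r_i (mod p)
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2_mul(q, t1)
    if r0 != 1:
        raise ValueError("no inverse: a shares a factor with p")
    return gf2_divmod(t0, p)[1]

def is_irreducible(p: int) -> bool:
    """Trial division by every polynomial of degree 1 .. deg(p)//2."""
    n = gf2_deg(p)
    if n < 1:
        return False
    return all(gf2_divmod(p, q)[1] != 0 for q in range(2, 1 << (n // 2 + 1)))

def irreducible_polys(n: int) -> list:
    """All irreducible polynomials of degree exactly n: the candidate working bases."""
    return [p for p in range(1 << n, 1 << (n + 1)) if is_irreducible(p)]

def table1_tries(n: int) -> int:
    """Exhaustion count of Table 1: sum over degrees 3..n of 2^j * (bases of degree j)."""
    return sum((1 << j) * len(irreducible_polys(j)) for j in range(3, n + 1))

def npn_encrypt(alpha: list, beta: list, bases: list) -> list:
    """Step 3: omega_i = alpha_i * beta_i mod p_i for every working base (4)."""
    return [gf2_mulmod(a, b, p) for a, b, p in zip(alpha, beta, bases)]

def npn_decrypt(omega: list, beta: list, bases: list) -> list:
    """Step 4: alpha_i = beta_i^{-1} * omega_i mod p_i, congruences (5) and (6)."""
    return [gf2_mulmod(gf2_inv(b, p), w, p) for w, b, p in zip(omega, beta, bases)]

def fit_key_part(pairs: list, n: int) -> list:
    """Known-plaintext step of Section 4.1 for one base of degree n.
    For a fixed candidate p, omega * d = alpha (mod p) is linear in d = beta^{-1};
    it is solved on the first (alpha, omega) residue pair and the candidate is kept
    only if that d also explains the later blocks. Returns the surviving (p, beta)
    pairs; the number of candidates tried is what Table 2 counts."""
    alpha0, omega0 = pairs[0]
    if alpha0 == 0 or omega0 == 0:
        return []  # a zero residue pins nothing down; start from another block
    found = []
    for p in irreducible_polys(n):
        d = gf2_mulmod(alpha0, gf2_inv(omega0, p), p)
        if all(gf2_mulmod(d, w, p) == a for a, w in pairs[1:]):
            found.append((p, gf2_inv(d, p)))
    return found

if __name__ == "__main__":
    # Constructed sample: working bases x^3 + x + 1 and x^4 + x + 1, so m = 7 bits.
    bases = [0b1011, 0b10011]
    alpha = [0b110, 0b1010]        # plaintext residues (constructed)
    beta = [0b101, 0b1101]         # key residues (constructed)
    omega = npn_encrypt(alpha, beta, bases)
    assert npn_decrypt(omega, beta, bases) == alpha
    print("irreducible bases of degree 3..8:", [len(irreducible_polys(j)) for j in range(3, 9)])
    print("Table 1 tries for key length 8:", table1_tries(8))
```

The per-degree counts reproduce the second column of Tables 1 and 2, and every irreducible base found has an odd number of non-zero coefficients, which is the last equation of (15).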

Table 4: Truth table. Table 5: Probability of trueness versus the number of multiplica- tions in equation XY X ∧ YX ⊕ Y 0 0 0 0 Number of Probability of true Probability of false 0 1 0 1 multiplica- substitution substitution 1 0 0 1 tions 1 1 1 0 1 0,75 0,25 2 0,375 0,625 3 0,5625 0,4375 4.2 Security against linear cryptanalysis 4 0,46875 0,53125 5 0,515625 0,484375 The set of equations (13) can be linearized by substitu- 6 0,4921875 0,5078125 tion of multiplication of variables ki and sj with addition 7 0,50390625 0,49609375 thereof through the truth table (Table 4). We can check if it 8 0,498046875 0,501953125 is possible in our situation. Substituting in equation (13) 9 0,500976563 0,499023438 multiplication ki sj for addition ki ⊕ sj we can linearize 10 0,499511719 0,500488281 equation (14). Note that not all equations in (13) can be 11 0,500244141 0,499755859 linearized. When it concerns cryptanalysis, the more lin- 12 0,49987793 0,50012207 ear equations we have, the better. This can be achieved as 13 0,500061035 0,499938965 follows. 14 0,499969482 0,500030518 From the truth table it follows that expression xy⊕x⊕y 15 0,500015259 0,499984741 will take on a value 1 with a probability of 3/4, while a value 16 0,499992371 0,500007629 0 with a probability of 1/4. Substitution of multiplication of variables x and y for addition x ⊕ y ⊕ 1 in the set of equa- tions (13) results in obtaining of a set of linear equations. set of equations (13) will provide a great opportunity to re- If in an equation the number of multiplications is in- veal a part of key. creased, then the probability of trueness of the equation The difference matrix of differential cryptanalysis of will come close to 0.5 (Table 5). In the event one of multi- the encryption scheme based on NPNs for all irreducible pliers in an equation is equal or likely close to 1 it is pos- polynomials (working bases) is uniformly distributed. This sible to build an approximate linear equation. 
The num- shows that differential cryptanalysis is ineffective for the bers of coefficients «0» and «1» in irreducible polynomials algorithm. are close to each other; therefore it is rather complicated to obtain an approximate linear equation. Thus, linear crypt- analysis is ineffective for the algorithm under study. 5 Discussions

4.3 Security against differential The strength of multiplication operation in the encryption scheme based on NPNs was investigated against algebraic, cryptanalysis linear and differential attacks. It is possible to reveal a ′ complete key making use of the algorithm scheme when If ∆α(x) = α(x)⊕ α (x) is a difference in plaintexts, ∆ω(x) = ′ considering parts of the key. ω(x)⊕ω (x) is a difference in ciphertexts and α(x)⊕β(x) ≡ ′ ′ To perform a linear attack against the algorithm, it is ω(x)(mod p(x)), α (x) ⊕ β(x) ≡ ω (x)(mod p(x)) then needed first to determine the degree of polynomials orthe the following expression is true, since the distributive law length of key part. Differential attack does not require any holds for the field under consideration: necessity of the kind. ′ ∆α(x) × β(x) = (α(x) ⊕ α (x)) × β(x) = Given that the parts of key (from working bases) can ′ = α(x) × β(x) ⊕ α (x) × β(x) = be studied separately in the algorithm under considera- ′ tion, the complete key is retrieved from the parts thereof. = ω(x) ⊕ ω (x) ≡ ∆ω(x)(mod p(x)). The length of complete key is determined by expression m ∑︀S m m If an irreducible polynomial from working bases, a dif- = i=1 i, hence in each block of bits, variables in ferential between plaintexts and a differential between ci- the set of equations (13), which was built using values of phertexts are known then a statistical attack against the ciphertext and plaintext, are identical. In this regard, each Security analysis of an encryption scheme based on nonpositional polynomial notations Ë 257

Table 6: Numbers of zeroes (“0′′) and ones (“1′′) in coeflcients of irreducible polynomials

Key length 3 4 5 6 7 8 9 Number of irreducible polynomials 2 3 6 9 18 30 56 “0” 2 4 10 24 54 94 224 “1” 6 11 26 39 90 176 336

Number of “1” less coeflcients kn and k0 2 5 14 21 54 116 224 Key length 10 11 12 13 14 15 Number of irreducible polynomials 99 186 335 630 1161 2182 “0” 448 918 1852 3750 7496 15338 “1” 641 1314 2503 5070 9919 19574

Number of “1” less coeflcients kn and k0 443 942 1833 3810 7597 15210

irreducible polynomial of degree mi can be checked using Acknowledgement: Works on development, analysis and respective parts of each consecutive block of length m. implementation of domestic means of cryptographic infor- It should be also noted that statistics (frequency of oc- mation security for the Republic of Kazakhstan are actual currence) in the parts of plaintext and ciphertext of the as Kazakhstan is actively integrated into the global infor- length equal to degree of working base mi, beginning from mation community. m ∑︀i−1 m = i=1 i position, is identical in each block of length m, but merely transformed into one possible variation of sequence of length mi depending on the key. That is why References the cryptanalyst conducts frequency analysis in parts of plaintext of respective length. A similar analysis applied [1] Bijashev R.G., “Development and investigation of methods of then to the related ciphertext enables determination of the the overall increase in reliability in data exchange systems of lengths of key parts. In the case where length mi is suc- distributed ACSs,” Doctoral Dissertation in Technical Sciences, cessfully determined, the next step will be enumeration of Moscow, 1985 [2] Akushskii I.Ya. and Juditskii D. I., Machine Arithmetic in Residue irreducible polynomials as per respective degrees mi and Classes [in Russian], Sov. Radio, Moscow, 1968,439 then solving the equation (13). [3] Biyashev R. G. and Nyssanbayeva S .E., “Algorithm for Creation In case of algebraic attack provided that the cipher- a with Error Detection and Correction”, Cyber- text and plaintext are known, the number of possibilities netics and Systems Analysis,2012, 48, 4, 489–497 to find the key is within the following interval: [4] Moisil Gr. C., Algebraic Theory of Discrete Automatic Devices [Russian translation], Inostr. Lit., Moscow,1963, 680 S S ∑︁ ∏︁ [5] Nyssanbayev R. K., “Cryptographical method on the basis of K(mi) ≤ I(m) < K(mi). 
polynomial bases”, Herald of the Ministry of Science and Higher i=1 i=1 Education and National Academy of Science of the Republic of Kazakhstan, 1999, 5, 63–65 K m where ( i) is the number of irreducible polynomials of [6] Amerbayev V.M., Biyashev R.G., Nyssanbayeva S.E. Implemen- degree no more than mi, I(m) is the number of tries for keys tation of nonpositional notations for cryptographic security // of length m. Proceedings of the National Academy of Science of the Republic of Kazakhstan. Ser. Physics and Mathematics, Almaty: Gylym, 2005, 3, 84-89 [7] Biyashev R., Nyssanbayeva S., Kapalova N. The 6 Conclusions Algorithm on Basis of Modular Arithmetic // Proceedings of International Conference on Electrical, Control and Automa- tion Engineering (1-2 December,2013, Hong Kong- Lancaster), The results of the study showed that linear and differential U.S.A.:DEStech Publications, 2013, 501–505 cryptanalyses are inefficient for the encryption-decryption [8] Biyashev R., Kalimoldayev M., NyssanbayevaS., Kapalova N., algorithm based on NPNs. The complexity of algebraic Khakimov R. Program Modeling of the Cryptography Algorithms attacks is determined by the quantity and degree of ir- on Basis of Polynomial Modular Arithmetic / The 5th Interna- reducible polynomials, which are selected for the set of tional Conference on Society and Information Technologies (4-7 March 2014) Orlando, Florida, USE – IIIS, 49–54 working bases. The findings can be used for recommenda- [9] Biyashev R.G., Nyssanbayeva S.E., Kapalova N.A. Secret keys tions regarding practical usage of encryption scheme. for nonpositional cryptosystems. Development, investigation 258 Ë N. Kapalova and D. Dyusenbayev

