Cayley–Purser algorithm: Difference between revisions

During a work-experience placement with [[Baltimore Technologies]], Flannery was shown an unpublished paper by [[Michael Purser]] which outlined a new [[public-key]] cryptographic scheme using [[non-commutative]] multiplication. She was asked to write an implementation of this scheme in [[Mathematica]].

Before this placement, Flannery had attended the 1998 [[Young Scientist and Technology Exhibition|ESAT Young Scientist and Technology Exhibition]] with a project describing already existing crytographiccryptographic techniques from the [[Caesar cipher]] to [[RSA (algorithm)|RSA]]. This had won her the Intel Student Award which included the opportunity to compete in the 1998 [[Intel International Science and Engineering Fair]] in the United States. Feeling that she needed some original work to add to her exhibition project, Flannery asked Michael Purser for permission to include work based on his cryptographic scheme.

On advice from her mathematician father, Flannery decided to use [[Matrix (mathematics)|matrices]] to implement Purser's scheme as [[matrix multiplication]] has the necessary property of being non-commutative. As the resulting algorithm would depend on multiplication it would be a great deal faster than the [[RSA (algorithm)|RSA]] algorithm which uses an [[exponent]]ial step. For her Intel Science Fair project Flannery prepared a demonstration where the same plaintext was enciphered using both RSA and her new Cayley–Purser algorithm and it did indeed show a significant time improvement.

Like [[RSA (algorithm)|RSA]], Cayley-Purser begins by generating two large primes ''p'' and ''q'' and their product ''n'', a [[semiprime]]. Next, consider [[general linear group|GL]](2,''n''), the [[general linear group]] of 2×22×2 matrices with integer elements and [[modular arithmetic]] mod ''n''. For example, if ''n''=5, we could write:

:<math>\left[\begin{matrixbmatrix}0 & 1 \\ 2 & 3\end{matrixbmatrix}\right] +

\left[\begin{matrixbmatrix}1 & 2 \\ 3 & 4\end{matrixbmatrix}\right] =

\left[\begin{matrixbmatrix}1 & 3 \\ 5 & 7\end{matrixbmatrix}\right] =\equiv

\left[\begin{matrixbmatrix}1 & 3 \\ 0 & 2\end{matrixbmatrix}\right]</math>

:<math>\left[\begin{matrixbmatrix}0 & 1 \\ 2 & 3 \end{matrixbmatrix}\right]\left[ \begin{matrixbmatrix}1 & 2 \\ 3 & 4\end{matrixbmatrix}\right] =

\left[\begin{matrixbmatrix}3 & 4 \\ 11 & 16\end{matrixbmatrix}\right] =\equiv

\left[\begin{matrixbmatrix}3 & 4 \\ 1 & 1\end{matrixbmatrix}\right]</math>

This group is chosen because it has large order (for large semiprime ''n''), equal to (''p''²-1−1)(''p''²-−''p'')(''q''²-1−1)(''q''²-−''q'').

Let <math>\chi</math> and <math>\alpha</math> be two such matrices from GL(2,''n'') chosen such that <math>\chi\alpha^{-1} \not= \alpha\chi</math>. Choose some natural number ''r'' and compute:

Recovering the private key <math>\chi</math> from <math>\gamma</math> is computationally infeasible, at least as hard as finding square roots mod ''n'' (see [[quadratic residue]]). It could be recovered from <math>\alpha</math> and <math>\beta</math> if the system <math>\chi\beta = \alpha^{-1}\chi</math> could be solved, but the number of solutions to this system is large as long as elements in the group have a large order, which can be guaranteed for almost every element.

However, the system can be broken by finding a multiple <math>\chi'</math> of <math>\chi</math> by solving for <math>d</math> in the following congruence:

:<math>\deltad \left(\beta_{11}^{-1}beta - \alpha_alpha^{11-1}\right) \equiv \epsilonleft(\alpha^{-1}\gamma - \gamma\beta\right) \pmod n</math>

==See References also==

* Sarah Flannery and David Flannery. ''In Code: A Mathematical Journey''. {{ISBN |0-7611-2384-9}}