A new non-associative cryptosystem based on NTOW public key cryptosystem and octonions algebra

Abstract

In this work, we present a public key cryptosystem, called OTWO, based on octonions algebra and NTWO cryptosystem [1] which is a multivariate version of NTRU [2]. Inherent security of this system relies on the difficulty of the shortest vector problem (SVP) in a certain type of lattices with a hybrid norm. Since the octonions are non-associative (power-associative) and alternative algebra, they do not have a matrix isomorphic representation. So, normally lattice attacks [3] against this cryptosystem are impossible. The only way to cryptanalysis and to find the private key for decryption in this cryptosystem is to expand the equation of public key as a linear system of equations and form a non-circular lattice. However, this type of attack seems to has no chance to succeed. We change the underlying algebraic structure of NTWO and use a different lattice for key generation and decryption that it increases complexity of decryption. Furthermore, the nonassociativity of underlying algebraic structure and existence of different lattice for key generation and decryption improve the security of cryptosystem markedly. Method: The octonion algebra can be consider over a field or any arbitrary commutative ring R [4]. In our work, we use the bivariate convolution polynomial ring R′ = Z[X]/(X − 1) = Z[x, y]/(x−1, y−1) which n is a fixed prime number. Hence, we define A, Ap and Aq as the three octonion algebras over the rings R′, R′ p = Zp[X]/(X −1) and R′ q = Zq[X]/(X −1), respectively with bilinear multiplication (denoted by the symbol ◦), as follows A := { f0(x, y) + ∑7 i=1 fi(x, y) · ei ∣∣ f0(x, y), . . . , f7(x, y) ∈ R′}, Ap := { f0(x, y) + ∑7 i=1 fi(x, y) · ei ∣∣ f0(x, y), . . . , f7(x, y) ∈ R′ p}, Aq := { f0(x, y) + ∑7 i=1 fi(x, y) · ei ∣∣ f0(x, y), . . . , f7(x, y) ∈ R′ q}. where {1, e1, e2, e3, e4, e5, e6, e7} are the basis of the algebras and they have the following rules ei = −1, i = 1, . . . , 7 ei · ej = −ej · ei i 6= j, i, j = 1, . . . , 7 ei · ej = ek → ei+1 · ej+1 = ek+1 i 6= j, i, j = 1, . . . , 7 ei · ej = ek → e2i · e2j = e2k i 6= j, i, j = 1, . . . , 7 and the indices greater than 7 should be reduced mod 7. For simplification we use the notation fi , fi(x, y), for i = 0, 1, 2, 3. We denote the conjugate and inverse of the octonion F by F ? = f0 − ∑7 i=1 fi · ei and F−1 = ( ∑7 i=1 fi )−1 · F , respectively. In OTWO, the public parameters (n, p, q, d) play the same role as the alternative parameters do in NTWO, i.e., n is an integer number such that n|(q − 1), p and q are two different prime numbers such that gcd(p, q) = gcd(n, q) = 1 and q p. The subsets Lf , Lg, Lφ and Lm of R′ contain small polynomials which are polynomials with coefficients with small Euclidian norm and small Hamming norm (defined as the number of nonzero coefficient of a polynomial). Let Jq = Qq + ∑7 i=1Qq · ei, where Qq = 〈σ = ∑ (a,b)∈T λ(a,b)〉 is an ideal generated by σ and λ(a,b)’s are Lagrange interpolators as follows