public-key cryptography using paraunitary matrices

IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 54, NO. 9, SEPTEMBER 2006 3489

Public-Key Cryptography Using Paraunitary MatricesFarshid Delgosha, Student Member, IEEE, and Faramarz Fekri, Senior Member, IEEE

AbstractIn this paper, we propose an algebraic approach fordesigning multivariate cryptosystems. Our method is based on for-mulating a general system of multivariate polynomial equations byparaunitary matrices. These matrices are a special family of invert-ible polynomial matrices that can be completely parameterized andefficiently generated by primitive building blocks. Using the gen-eral formulation that involves paraunitary matrices, we design aone-way function that operates over the fields of characteristic two.In order to include a trapdoor, we make some approximations tothe paraunitary matrix. The result is a trapdoor one-way functionthat is efficient to evaluate but hard to invert unless secret informa-tion about the trapdoor is known. Using this function, we proposea paraunitary asymmetric cryptosystem (PAC). We present an in-stance of the PAC and show how it can be efficiently implemented.This instance operates on the finite field GF(256). The messageblock consists of 16 to 32 symbols from GF(256), i.e., the blocksize is an integer between 16 and 32. The ciphertext block takesits elements from the same field and has at least ten extra symbols.We show that the encryption and decryption can be efficiently per-formed with complexities ( 3) and ( 2), respectively, where

is the size of the message block. Comparing complexities of thePAC to those in the hidden-field equation (HFE) family, we showthat the PAC is faster in public-key generation and decryption. Westudy the computational security of the PAC. In addition, we showthat the attacks developed for the HFE are not applicable on thePAC.

Index TermsAlgebraic techniques, multivariate cryptography,paraunitary matrices, public-key cryptography.

I. INTRODUCTION

THE principal of public-key cryptography is exchanginginformation between parties without requiring a securechannel. They are different from secret-key cryptosystems inwhich both parties must share a secret key. In a public-keysystem, each party has a pair of secret and public keys. Every-body can send encrypted messages to a designated party usingits public key. However, only the designated party can decryptusing his corresponding secret key. Public-key systems are usedfor key exchange or distribution in symmetric cryptosystems.Except the key exchange, other applications of public-key cryp-tography are digital signature and data authentication schemes.The first public-key cryptosystem, RSA, uses a univariatemonomial over a very large ring. The public key consists of theexponent of the monomial and a very large composite numberobtained by multiplying two large primes. The security of

Manuscript received November 29, 2004; revised October 1, 2005. The as-sociate editor coordinating the review of this manuscript and approving it forpublication was Prof. Ioan Tabus. This work was partially supported by the Na-tional Science Foundation under Career Award Grant CCR-93229.

The authors are with the Electrical and Computer Engineering Depart-ment, Georgia Institute of Technology, Atlanta, GA 30332 USA (e-mail:[email protected]; [email protected]).

Digital Object Identifier 10.1109/TSP.2006.877670

RSA is believed to be based on the problem of factoring largecomposite numbers. Although since its invention in 1978, RSAhas not been broken yet, there are some practical problems inits implementation. The first problem is the key-setup time thatis too long for computationally limited processors used in someapplications such as pervasive computing. For example, it takestens of minutes on a Palm V that uses a 16.6 MHz Dragonballprocessor to generate a 1024-bit RSA key [1]. Another problemis the size of the key, which is too long in applications wherebandwidth is limited. It must also be increased every yearbecause of improvements in the factorization algorithms andcomputational power. Currently, the minimum recommendedsize of RSA key is 1024 bits. As suggested in [2], the minimumsize must be 4096 bits by 2015 and 8192 bits by 2025. Thisimplies more complicated computations and longer key-setuptime in the future.

In an attempt to remedy these problems, two paths are taken:1) using monomials as the public key and hiding informationin the exponent that leads to the discrete logarithm over com-plicated groups (e.g., points on elliptic curves) and 2) consid-ering multivariate polynomials over small fields (e.g., GFfor some small ). Comparing to RSA, systems based on thediscrete logarithm over elliptic curves are able to maintain thesame security level with shorter key sizes [3], [4]. Hence, el-liptic curve cryptography (ECC) seems to be suitable for lowcomputational devices such as smart cards. However, ECC alsohas some problems and drawbacks. The shortest signature thatone can generate using an elliptic curve digital signature algo-rithm (ECDSA) is 320 bits [5], which is still long for many ap-plications. Elliptic curves over fields of characteristic two canbe easily implemented in hardware, but in order to maintainsecurity, one must employ a very large finite field, which im-plies a long signature [6]. The Koblitz curves are special ellipticcurves used to reduce the complexity of ECC. However, somecryptographers are concerned that the special structure in thesecurves (to facilitate an efficient implementation) may actuallybe used to efficiently attack them [7], [8]. Another problem isthe complexity of the elliptic curve signature-verification algo-rithm. A comparison between ECDSA and RSA in a field withprime characteristic shows that for practical sizes of fields andmoduli, signature verification with ECDSA is 40 times slowerthan when using RSA [9].

Considering the shortcomings of the RSA and ECDSA, itwould be desirable to have practical cryptosystems based onproblems other than the assumptions currently in use. We mightbe in a safer state against possibilities such as the emergence ofan efficient algorithm for factoring or computing discrete log-arithms. An alternative approach is multivariate cryptographythat includes systems based on multivariate polynomials oversmall fields. Multivariate cryptography is considered to be thecryptography of the twenty-first century [10]. Cryptosystems

1053-587X/$20.00 2006 IEEE

3490 IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 54, NO. 9, SEPTEMBER 2006

based on multivariate polynomials over small fields are fasterthan RSA and ECC. These are schemes whose public informa-tion is a set of multivariate polynomials. Their security is basedon the difficulty of solving systems of multivariate polynomialequations. The main challenge in designing such systems is in-cluding a trapdoor in the public polynomials without using poly-nomials with very specific forms. However, systems of randompolynomials are usually very hard to invert as this difficulty isthe security basis of multivariate cryptosystems. To solve thisparadigm, schemes have been proposed whose public polyno-mials are attempted to look random while the special structureis some how hidden from the view of cryptanalyst. For example,the HFE scheme uses a quadratic univariate monomial over anextension field of a small finite field [11], [12]. The represen-tation of the monomial over the smaller field gives a set ofquadratic homogenous polynomials. Unfortunately, this schemeand many of its variants have been broken because of the specialform of the public polynomials. There are some other designs,which we will review in the next section, that are all broken.

A. Outline of Our SchemeIn this paper, we propose a novel approach for deigning prac-

tical public-key cryptosystems. In our approach, we employ pa-raunitary (PU) matrices to design a one-way function (OWF).The entries of a PU matrix are polynomials with coefficientsfrom a finite field. By their definition, all such matrices are in-vertible, and obtaining their inverses requires no computation.In order to include a trapdoor in the OWF, we make some simpli-fications in the PU matrix employed in the design of the OWF.The difficulty of inverting the designed OWF is connected to thedifficulty of solving systems of multivariate polynomial equa-tions over finite fields. In order to establish this connection,we show that any system of multivariate polynomials is ex-pressible in terms of PU matrices. This relationship along withsome mathematical conjectures provides enough evidence forthe computational security of the proposed trapdoor OWF.

We propose a paraunitary asymmetric cryptosystem (PAC)based on the developed trapdoor OWF. The public key in thePAC consists of a number of multivariate polynomials with co-efficients from a finite field . For practical reasons, we sug-gest using GF as the field , although it can be any Galoisfield. In order to encrypt a message block, which is a vector

for some fixed positive integer , the public polyno-mials are evaluated at . Since there are efficient algorithms forpolynomial evaluation, the encryption algorithm in the proposedscheme is very efficient. The cipher text is a vectorwhere is a fixed positive integer. The decryption algorithm in-volves matrix multiplication and polynomial evaluation that canbe efficiently performed. Hence, the decryption is also very ef-ficient in the PAC. The typical choices of and are 32 and 10,respectively.

PU matrices are a subclass of invertible matrix polynomialswhose inverses are guaranteed to exist by their definition. Be-cause of their useful properties, paraunitary matrices have foundmany applications in signal processing, filter banks, wavelets,and error-control coding [13][17]. In fact, in earlier works, pa-raunitary matrices are shown to be promising building blocks to

construct wavelet-based symmetric ciphers [18], [19]. We haveshown that every univariate PU matrix over a field of charac-teristic two can be constructed by multiplying a small numberof parameterized PU building blocks [16]. Since there are al-gorithms to efficiently generate the univariate building blocks,the key-setup time in our cryptosystem is shorter than that inRSA and ECC. Considering the efficiency of the key setup, theencryption, and the decryption in the proposed PAC, its mainapplication is in constrained environments where the computa-tional power is limited.

In our scheme, the secret key provided by the user is a vector. A key-expansion algorithm is employed to expand

the secret key into a finite set of vectors of the same length .These vectors are employed as the design parameters for the PUbuilding blocks required to construct the PU matrix. In addition,they serve as the design parameters for other matrices and vec-tors involved in the design of the PAC.

In brief, the contributions of this paper are the following.1) We propose a public-key cryptosystem PAC that is based

on multivariate PU matrices over finite fields. These areinvertible matrices with polynomial entries. The followingfeatures of PU matrices make them attractive for applica-tion in multivariate cryptography.

a) The inverse of every PU matrix is guaranteed to existby its definition.

b) The inversion of a PU matrix requires no computation.c) Every PU matrix can be generated by multiplying a

small number of parameterized PU building blocks.d) There are efficient algorithms to generate PU building

blocks.2) Since PU matrices can be efficiently generated, the key

setup in our scheme is very fast and efficient compared tothat in RSA and ECC. The public information in the PACconsists of a number of multivariate polynomials. The en-cryption involves the evaluation of these polynomials atthe message block, which can be done efficiently. More-over, the decryption also involves efficient algebraic oper-ations such as matrix multiplication and polynomial evalu-ation. Thus, the PAC is very efficient. These features makeit attractive for application in energy-constrained environ-ments where the computational power is limited.

3) In order to study the computational security of the PAC,we argue that the public polynomials in the PAC areindistinguishable from an arbitrary set of multivariatepolynomials. For this purpose, we establish the connectionbetween an arbitrary system of multivariate polynomialsand PU matrices. We show that the problem of expressingevery set of multivariate polynomials in the form ofthe public polynomials in the PAC is equivalent to thePU completion problem that has strong ties with theQuillenSuslin theorem. The PU completion problem isa well-known mathematical conjecture that is proved tobe true in many cases. However, the validity of its generalform is an open problem. Although this does not providea solid proof for the security of our scheme, we note thatno public-key cryptosystem including RSA and ECC hasever been proved to be secure. As a matter of fact, theexistence of OWFs has not been formally proved.

DELGOSHA AND FEKRI: PUBLIC-KEY CRYPTOGRAPHY USING PARAUNITARY MATRICES 3491

4) We provide a practical instance of the proposed PAC byproviding specifications for the general description of thesystem. By comparing the complexities of the key setup,the encryption, and the decryption in the PAC and the HFE,we show that PAC has comparable level of complexity. Wealso provide a complete cryptanalysis of the PAC and showthat none of the attacks applicable to the HFE presents asecurity threat to the PAC.

In the rest of this section, the notation used in the paper isintroduced. In Section II, previous designs by algebraic tech-niques are briefly reviewed. Unitary and paraunitary matricesare reviewed in Section III. The relationship between generalsystems of multivariate polynomial equations and PU matricesis established in Section IV. In addition, the public-key gen-eration, encryption, and decryption algorithms of PAC are de-scribed in this section. In Section V, the computational securityof the proposed scheme is discussed in a mathematical language.A practical instance of the general design is introduced in Sec-tion VI and cryptanalyzed in Section VII. Concluding remarksare provided in Section VIII.

B. NotationBoldfaced lowercase letters are used for vectors. Ma-

trices are denoted by boldfaced uppercase letters. Thesymbol is used for the set of natural numbers, and

. The set of all integers isdenoted by ZZ. The Galois field GF , for , is denotedby since is fixed throughout this paper. The set of all per-mutations on elements is denoted by . Ifand , then we use the shorthand notation

. Assuming is a field or a ring, the vectorspace or the module of column vectors of length with en-tries from is denoted by . The ring of matriceswith entries from is represented by . In the case

, the notation is used. The terminologies vectorpolynomial and matrix polynomial are used for polynomialswhose coefficients are vectors or matrices, respectively [20].We interchangeably use these terms with the polynomial vectorand polynomial matrix, respectively, that refer to vectors andmatrices whose entries are polynomials. One can easily showthat both the terminologies vector polynomial and poly-nomial vector address the same concept, but from differentviewpoints. The same is true for the terminologies matrixpolynomial and polynomial matrix.

In order to facilitate future references, frequently used nota-tions are listed below with their meanings.

;

Galois field of characteristic two;set of all permutations on elements;

;

;

;

ring of matrices with entries fromthe ring ;

ring of Laurent polynomials;

para-Hermitian conjugateof the polynomial

matrix ;set of all unitary matrices overthe finite field ;unitary building block defined by (1);

PU set of all paraunitary matricesover the ring ;degree-one paraunitary building blockdefine by (3);degree-two paraunitary building blockdefined by (4).

II. PREVIOUS WORK IN MULTIVARIATE CRYPTOGRAPHYThe outline of a new public-key cryptosystem based on it-

erative polynomial substitution is sketched in [21]. The idea isattractive and simple, but as the authors mention, the numberof terms in polynomials astronomically increases even after afew iterations. A few solutions are provided to limit the numberof terms, but some solutions are not very practical and none ofthem gives an efficient cryptosystem.

The idea of using homogenous quadratic polynomials as thepublic information is introduced in [11]. To generate the publicpolynomials, an invertible quadratic monomial in GF ,a degree extension field of GF , is chosen. Here, isa power of two. The field GF can be considered as an

-dimensional vector space over GF . Using basis vectors,the quadratic monomial is converted into quadratic homoge-nous polynomials in variables. The encryption is performedby evaluating public polynomials at the plaintext block. Fordecryption, the ciphertext block is transformed back to GFand the monomial is inverted. Unfortunately, this scheme isbroken in [22] because of some unexpected algebraic relations.

Two generalizations of this scheme, called HFE and isomor-phisms of polynomials (IP), are introduced in [12], [23], and[24]. Some other variants can also be found in [25]. We referthe reader to [26] for a detailed introduction to the public-keysystems based on multivariate quadratic equations. The basicscheme of [12] was broken in [27]. The attack uses the simplefact that every quadratic homogenous multivariate polynomialhas a matrix representation. Using this representation, a highlyoverdefined system of quadratic homogenous equations in thesecret information is obtained. A new technique called relin-earization for solving such systems is proposed in [27]. Runningnumerous experiments showed that this technique for solvingoverdefined systems of homogenous quadratic polynomials isnot as efficient as one may expect [28]. Hence, it was improvedin [28] and [29] as the extended relinearization (XL) and fixingand XL (FXL) algorithms. These algorithms are efficient onlywhen the number of polynomial equations is proportional to thesquare of the number of unknown variables.

Other attacks on the HFE scheme can be found in [30][32].All these attacks take advantage of the special format of the


public polynomials. The latest attack on the HFE family is thefast algorithm of [33] for computing Grbner basis. It has beenshown that the system of public polynomials of HFE can besolved in a reasonable time using this algorithm.

The signature scheme QUARTZ is based on a variant of HFEthat is called HFEv [34], [35]. QUARTZ can generate signa-tures of length 128 bits with the security level 2 . The securityof QUARTZ is studied in [32], and some generic attacks areprovided in [36]. The signature schemes FLASH and SFLASHare proposed in [37]. They are based on the algorithmthat can be regarded as a special case of the more general HFEscheme [38]. It is claimed in [37] that these schemes can gen-erate signatures of length 296 and 259 bits with the security level2 , respectively. However, SFLASH is broken in [39].

A signature scheme based on birational permutations is pro-posed in [40]. The scheme is based on using a quadratic ho-mogenous tame automorphism and hiding its coefficients by ap-plying two affine transforms: one at the input and one at theoutput. The public key in this scheme consists of a numberof multivariate quadratic polynomials over the ring ZZ , where

is a positive composite integer consisting of two dis-tinct large prime factors and . Although the security of thisscheme is based on the integer-factorization problem, it can beregarded as a multivariate cryptographic scheme because of itsstructure. This scheme is broken in [41].

A public-key cryptosystem and signature scheme based onthe composition of four tame automorphisms, called tame trans-formation method (TTM), are introduced in [42] and [43]. Thisscheme has been broken in [44] where the cryptanalysis is re-duced to an instance of the MinRank problem that can be solvedin feasible time.

III. UNITARY AND PARAUNITARY MATRICESUnitary and paraunitary matrices are subclasses of invertible

matrices and polynomial matrices, respectively. The followingfeatures of these matrices make them attractive for applicationsin multivariate cryptography: 1) their inverses are guaranteed toexist by their definitions, 2) their inverses can be obtained withno computation, and 3) there are elementary building blocks togenerate these matrices. Since these building blocks are fullyparameterized, there are efficient algorithms for their designa-tion. In this section, we briefly review unitary and paraunitarymatrices and the elementary building blocks.

A matrix is called unitary if . Theset of all unitary matrices over the field is denoted by

. As an example, consider the matrix

(1)

where and such that is self-orthogonal,i.e., . (Notice that since is a finite field, nonzeroself-orthogonal vectors exist in .) It is easily verified that

. In fact, we have proved in [16] that isthe generating building block for all unitary matrices. The fol-lowing theorem summarizes this fact.

Theorem 1: A matrix is unitary if and only if, where is self-

orthogonal, for all , and is a permutation matrix.

The natural generalization of unitary matrices is PU matriceswhose entries are polynomials. Before introducing PU matrices,some algebraic notions must be defined. A multivariate Laurentpolynomial is a polynomial whose monomials are allowed tohave both positive and negative exponents. The set of such poly-nomials in the variables forms a ring that isdenoted by . This is, in fact, thegroup ring where ZZ is the free multi-plicative abelian group generated by .

We define the automorphism tilde over that mapsinto . This is, in fact, an involu-

tion. The polynomial is called the para-Hermitian conjugate(analog of the complex conjugate) of . The involution tildeis naturally extended to . For every matrix polyno-mial , its para-Hermitian conjugate

is defined by .There is a sesquilinear form associated

with the module with respect to the para-Hermitian conju-gation. For and

, the sesquilinear form is defined as . A set ofvectors is called orthonormal if forall , where is the Kronecker delta.

A matrix is called PU if and only if or,in other words

(2)

for all . The set of all PU matricesover the ring is denoted by PU . We deduce easily thata matrix is PU if and only if its column vectorssatisfy the orthonormal condition, i.e., , whereis the th column of . Hence, the set of column vectors of a PUmatrix in PU forms an orthonormal basis for the module

. In this paper, we only employ PU matrices overunless otherwise stated. These are matrices whose entries arepolynomials with only positive exponents.

A PU matrix over can be interpreted as the transferfunction of a linear time-invariant system. In that context, thedegree of a PU matrix in every variable is the minimum numberof delay elements in the corresponding variable with which thesystem can be implemented [13]. The concept of degree can besimilarly defined for PU matrices over .

There are generating building blocks for univariate PU ma-trices over . We have proved in [16] that the elementarybuilding blocks are:

1) the degree-one PU building block

(3)where is a design parameter such that ;

2) the degree-two PU building block(4)

where are design parameters such thatand ;

3) the degree- PU building block

(5)


In (5), and , wheresuch that for all . Moreover,

is a diagonal matrix. We note that, , and are the design parameters of the degree- building

block.It is easily verified that the matrices defined in (3)(5) are all

paraunitary. The fact that these matrices are elementary buildingblocks for all univariate PU matrices over is summarizedin the following theorem [16].

Theorem 2: A matrix polynomial is PUif and only if , where is either theidentity or a unitary matrix and is one of the buildingblocks defined in (3)(5). If is the degree of , then

is the degree of .We have some partial results for factorizing bivariate PU

matrices [45]. However, finding generating building blocks forgeneral multivariate PU matrices is an open problem [46]. Wecan capture some of such matrices by multiplying univariatebuilding blocks in different variables. Since these buildingblocks do not commute, the resulting multivariate PU matrix isnot separable [16].

In the next section, we describe the structure of the PAC andshow how PU matrices can be efficiently used to generate non-linear equations.

IV. PARAUNITARY ASYMMETRIC CRYPTOSYSTEM

The goal in multivariate cryptography is designing an OWFusing a system of multivariate polynomial equations. Solvingsuch systems of equations, in general, is an NP-hard problemsince all the known algorithms have computational complexityexponential with respect to the number of variables [47]. TheOWF is used to design public-key cryptosystems and digital sig-nature schemes. The main challenge is how to include a trapdoorin the OWF without using polynomials of very special formbecause such polynomials usually weaken the security of theOWF. In this section, we establish the relationship between thegeneral systems of polynomial equations and multivariate PUmatrices. More precisely, we show that the vector constructed bythe multivariate polynomials of a system of multivariate poly-nomial equations can be written as a linear combination of thecolumns of any PU matrix. This general formulation cannot bedirectly employed to efficiently design a trapdoor OWF but pro-vides a framework for practical designs. We introduce a prac-tical trapdoor OWF, denoted by , by making some simplifica-tions to the PU matrix that appears in the general formula. Weuse to design a practical public-key cryptosystem.

Consider arbitrary multivariate polynomials, where .

They can be considered as the entries of a vector, where . As shown in

Section III, the columns of an arbitrary PU matrixPU form an orthonormal basis for . Hence, there

exist polynomials such that

(6)

or

(7)

where . Since this equation holds for everyPU matrix, there is no unique associated with a given .

In the above, we showed that given a vector and a PU matrix, we can find a vector such that (7) holds. In the design of, we use (7), but instead of finding for given and , we

choose a secret automorphism (i.e., bijective vector polynomial)and a PU matrix , then obtain the public vector-polynomial

. The automorphism is designed in such a way thatsolving is much easier than solving for all

. Nevertheless, the adversary, who does not knowand , cannot use this feature. All he can do is randomly choose aPU matrix and obtain the corresponding vector polynomialsuch that ; but solving the system of equations

is not necessarily easier than solving .There is no general algorithm to generate all automorphisms

over the vector space . However, it is possible to generatesome of them by composing tame automorphisms [48]. An au-tomorphism of the form

(8)is tame where , , and

for all . A tame automorphismcan be efficiently inverted. In order to compute for

, the following formula is recursivelyused:

(9)To encrypt a message, the public polynomials are

evaluated at the message block. However, in order to decryptthe ciphertext block by inverting , the value of at themessage is required. This implies the knowledge about . Tosolve this problem, we use an -variate, , PU matrix

PU , where , and compose it withthe vector polynomial . In order to decrypt the ci-phertext, only the value of is required. By the definition ofPU matrices in (2), is singular wheneverfor some . Thus, none of the entries of the vector poly-nomial must have a root in . The polynomial is ap-pended to the vector polynomial

(10)

to form the new vector polynomial

(11)

In order to mix the equations, we use the secret affine transfor-mation , where is a unitarymatrix and is an arbitrary vector. A unitary matrixis used since 1) it can be easily and efficiently generated usingTheorem 1 and the algorithm given in Appendix A; 2) by itsconstruction, it is guaranteed to be invertible; and 3) its inverse


can be easily obtained with no computation. In a single formula,the PU trapdoor OWF is as follows:

(12)

This is an OWF since evaluating for a given is easy,but inverting this function seems to be hard. In fact, there doesnot seem to exist an algorithm to solve the equation ,for given , more efficient than the general methodsfor solving systems of multivariate polynomial equations. Thetrapdoor information consists of the PU matrix , the unitarymatrix , the vector , the automorphism , and the multivariatepolynomial . Hence, is a trapdoor OWF.

The composite matrix polynomial in (12) approx-imates the PU matrix in (7). This approximation is in thesense that the entries of the PU matrix in (7) are takenfrom the ring while those of in (12) belong tothe ring . These two rings are both extensions of the fi-nite field , and their relationship is expressed by

(13)

The transcendence degree of the extension ring , that isan integer between zero and , determines whether this ring isclose to or to . The transcendence degree of an extensionring generalizes the notion of the dimension of a vector space[49], [50]. Let be the transcendence degree of . If

, then , and if , . In general,is a mapping from to ; thus, it cannot be a bijection if. However, the extension ring obtains its highest

transcendence degree when is close to a bijection. Thisterm implies that the preimages of elements of under themapping are subsets of that all have the same number ofelements. Mathematically, this means that the cardinality of theset is independent of thevalue of . If , then we suggest using thefollowing composition:

(14)

Here, is close to a bijection. Wemay use the vector polynomial

(15)where , , and

for all . In order toinvert in (15), the values of can bearbitrarily chosen and then the values of areobtained from a recursive equation similar to (9). Hence,

for any that implies in (14) isclose to a bijection.

As explained before, none of the entries of the vector poly-nomial must have a root in . The irreducible polynomial

in (14) is used to guarantee that this does not happen.We suggest using the polynomial

(16)

that is irreducible whenever assumingGF [51]. Since is not an automorphism, is not as

close to a bijection as is. However, is a 2-1 mapping sincefor every . Hence, the vector polynomial

is not significantly deviated from a bijection.Before using the key-generation algorithm, an algorithm is

required to expand the master key provided by the user. Algo-rithm 1 is employed for this purpose.

Algorithm 1: Key Expansion

INPUT: The master key

OUTPUT: The parameter set

1. for to do

2.

3. for to do

4.

5. for to do

6.

7. end

This algorithm specifies how the vectors required in the key-generation algorithm are derived from the master key . Thevectors in the set , the output of the key-expansion algorithm,are used to generate the elementary PU building blocks, thevector polynomial , the automorphism , the unitary buildingblocks, and the vector . The structure of the key-expansion al-gorithm is very similar to that of the block cipher AES [52]. Thedesign criterion, similarly, is having nonlinear relations betweeneach output vector and the master key such that taking advan-tage of these relations in an attack is infeasible. In Algorithm 1,

is chosen such that there are enough vectors in , the binaryoperation is the bitwise exclusive-OR, and arepublic constants.

It is possible to replace the proposed key-expansion algo-rithm with a pseudorandom number generator. For our purpose,a fast pseudorandom number generator such as the shrinking orself-shrinking generator is adequate [53], [54]. The shrinkinggenerator of [53] consists of two linear feedback shift registers(LFSRs) where one clocks the other. The idea is to generatea third source of pseudorandom bits that has better qualitythan the original sources. (Here, quality refers to the difficultyof predicting the pseudorandom sequence.) Let and

be the outputs of the two LFSRs. The shrinking gen-erator constructs a third sequence that includes thosebits for which the corresponding is 1. There are alsomore complicated pseudorandom number generators based onone-way functions [55], [56].


Algorithm 2 is used to generate the public and secret keysused in .

Algorithm 2: Key Generation

INPUT: The master key

PUBLIC OUTPUT: The vector polynomial

SECRET OUTPUT: : an -variate PU matrix in PU , :a vector polynomial in , : an automorphism over ,

: a unitary matrix in , : a constant vector in .

1. Using Algorithm 1 expand the master key in order togenerate the set consisting of vectors each of length

. The vectors in this set are used as the design parametersin every step of this algorithm.

2. Generate an -variate PU matrix PU usingTheorem 2 by multiplying arbitrarily chosen elementarybuilding blocks given in (3)(5). We note that each ofthese building blocks requires a number of parameters.Use the vectors in the expansion set as the designparameters.

3. Choose a vector polynomial that is close toa bijection (in the sense explained before) and none of itsentries, as a polynomial in , has a root in . Use thevectors in as the design parameters. (The compositionin (14) might be used.)

4. Choose an automorphism whosecoefficients are obtained from .

5. Construct the vector polynomials and as in (10) and(11), respectively.

6. Generate a unitary matrix using Theorem1 by multiplying the elementary building blocks given in(1) with different design parameters. In addition, choose avector using the vectors in .

7. Construct the vector polynomial as in (12).

Using the introduced , we propose a public-key cryptosystemthat we call PAC. Algorithms 3 and 4 are used to encrypt anddecrypt in the proposed cryptosystem PAC, respectively.

Algorithm 3: Encryption

INPUT: The plaintext block

OUTPUT: The ciphertext block

1. Evaluate the public vector-polynomial at .

Algorithm 4: Decryption

INPUT: The ciphertext block

OUTPUT: The plaintext block

1.

2. where

3.

The proposed scheme operates on any finite field GFwith . The reason it should not be used over GF is thatsince none of the entries of the vector polynomial must takethe value zero, the only possible choice is . With thischoice, the PU matrix becomes a constant matrix independentof the values of . Hence, the PAC becomes a constant matrixmultiplied by a vector polynomial that is an automorphism. In-stances of such schemes were proposed in [40] and broken in[41]. We suggest using GF to enhance the implementationof the scheme.

The length of the ciphertext in PAC is . By increasing ,the length of the ciphertext increases, but as explained before,the general formula (7) is approximated better since the tran-scendence degree of increases.

In the following, we show how to construct a probabilisticscheme using PAC.

A. Probabilistic PAC

The proposed PAC is a deterministic scheme, i.e., the map-ping from the plaintext space to the ciphertext space is determin-istic. In other words, given the plaintext, the corresponding ci-phertext is always the same. This determinism might cause someleakage of partial information to the adversary. For example, theRSA function preserves the Jacobi symbol of the plaintext, andwith the discrete-log function, it is easy to compute the least sig-nificant bit of the plaintext from the ciphertext by a simple Le-gendre symbol calculation [57]. In order to prevent the leakageof partial information, the notion of semantic security is pro-posed in [58]. Informally, a public-key cryptosystem is seman-tically secure if, for all probability distributions over the mes-sage space, whatever a passive adversary can compute in ex-pected polynomial time about the given ciphertext, it can com-pute in expected polynomial time without the ciphertext [55],[58]. Semantic security is the reminiscent of Shannons perfectsecrecy in which the adversary is given unbounded computa-tional power. Although theoretically attractive, perfect secrecyis not achievable unless the key is as long as the message. Thisrequirement hinders the practical usefulness of perfect secrecy.By contrast, semantic security can be viewed as the polynomi-ally bounded version of perfect secrecy in which the adversaryis given limited computational power.

In a semantically secure cryptosystem, the mapping fromthe plaintext to the ciphertext is probabilistic. Hence, differentencryptions give different ciphertexts corresponding to a singleplaintext. An efficient probabilistic public-key cryptostsembased on the RSA one-way function is proposed in [59]. Ingeneral, there are standard methods to construct probabilisticschemes based on deterministic one-way functions. In thefollowing, we briefly explain the method proposed in [60] toachieve semantic security. This method is based on the randomoracle model.

Let be a random generator that is public toeverybody and be an OWF such as the one in (12). Considerthe following probabilistic encryption function:

(17)


Here, is a randomly chosen vector and denotes theconcatenation of two vectors. It is proved in [60] that the en-cryption function is semantically secure. Note that the dataexpansion factor of 2 is unavoidable. The decryption algo-rithm is straightforward: The receiver, who knows the trapdoor,uses his information about to obtain , applies the randomgenerator to , and then easily obtains the message from

. The adversary, without the trapdoor information, isunable to calculate and hence although is public.

In the following section, we discuss some results on the com-putational security of the proposed scheme.

V. ON THE COMPUTATIONAL SECURITY OF THE PACIn this section, we study the computational security of the

PAC by providing evidences that relate the difficulty of invertingthe OWF in PAC to a known computationally hard problem.The computational security measures the amount of computa-tional effort required, by the best currently known methods, todefeat a system [55]. In general, it is very difficult to prove thesecurity of public-key cryptosystems [55], [56]. For example,it is known that if the public modulus in RSA is factored intoits prime factors, then RSA can be broken. However, it is notproved that breaking RSA is equivalent to factoring the publicmodulus [57]. By providing some theorems and conjectures, inthis section, we establish the connection between the hardnessof inverting the OWF in the proposed PAC and the difficulty ofsolving a general system of multivariate polynomial equations.

The PAC is based on the formula

(18)where is an arbitrary polynomial vector, PU ,and is an automorphism over . As explained in Sec-tion IV, given an arbitrary polynomial vector , (18) is validwhen the condition on is relaxed. The security of our proposedscheme reduces to the difficulty of solving general systems ofmultivariate polynomial equations if the following conjecture isproved.

Conjecture 1: Given an arbitrary polynomial vector ,there always exists a matrix PU and an automorphism

such that (18) holds.This conjecture implies that an arbitrary system of multi-

variate polynomials can always be represented in the form (18).Hence, if this conjecture is true, the public polynomials of PACare indistinguishable from an arbitrary system of multivariatepolynomials.

The group PU acts on the module by matrixmultiplication. Notice that PU matrices preserve the norm,i.e., if PU and such that ,then . Hence, PU , in fact, acts on the set

for every . This groupaction is transitive if for every two arbitrary , thereexists a matrix PU such that . Conjecture 1 isa weaker statement than the transitivity of the action of PUon because, for the purpose of our proposed PAC, isalways an automorphism. Hence, the following conjecture, ifproved, suffices to prove the Conjecture 1.

Conjecture 2: The group PU acts transitively on the set.

This conjecture has strong ties with the PU completionproblem [46], [50]. This problem is as follows.

Problem 1 (The PU Completion Problem): Given the vectorsuch that where , does there exist a

matrix PU such that is the first column of ?The following lemma gives the relationship between the Con-

jecture 2 and the PU completion problem.Lemma 1: The group PU acts transitively on for

every if and only if the PU completion problem has apositive answer.

Proof: Let such that and. Since PU acts transitively on

, there exists a matrix PU such that .The first column of is and is the PU completion of .

Let be arbitrary polynomial vectors andbe a vector defined as the first part of the proof. Since every PUpolynomial vector has a PU completion, there are PU matrices

PU such that and . Thisimplies . Thus, PU acts transitively on .

The PU completion problem has a positive answer if the classof generalized-unitary matrices, denoted by GU , is consid-ered instead of the class of PU matrices [46], [50].

Theorem 3 (QuillenSuslin): Every generalized-unitarypolynomial vector has a completion in GU .

The matrix is called generalized unitary ifthere exists a matrix such that . The setof generalized unitary matrices is denoted by GU .Notice that PU GU . The PU completion problemhas a positive answer for the case , but for , itis still an open problem [46]. This problem also has a positiveanswer for arbitrary when , where is the fieldof complex numbers [46].

The OWF in (12) is slightly different from the general for-mula (18) in two ways.

1) The PU matrix is approximated by the compositematrix polynomial .

2) The vector polynomial is concatenated to the end ofthe vector polynomial in (10).

This deviation might seem as a source of leaking partial infor-mation in the ciphertext. In order to address this issue, we notethe following points.

Approximating the PU matrix with the compositematrix polynomial, is necessary in order to designan efficient protocol. Security and complexity are often inthe same direction: increasing one increases the other one.In order to achieve a practical system, a tradeoff betweenthe security and complexity must be established. This is notonly specific to the PAC. For example, the idea in RSA isusing the hardness of factoring general composite integers. Intheory, the modulus can be any composite integer. However, inpractice, only composite integers with only two distinct primefactors are used. Without this simplification, key generation inRSA could be time consuming. The ElGamal digital signaturescheme is another example. The underlying hard problem inthis scheme is the discrete-log problem. However, the trapdoor


OWF employed in this scheme is such that for selective forgery,solving the discrete-log problem is not required. It seems thatthe general strategy in designing one-way functions consists ofthe following steps: 1) choose a mathematical problem that isbelieved to be hard, 2) design a trapdoor OWF based on thishard problem, and 3) make some simplification to the generalscheme to design an efficient and practical scheme. We havefollowed these guidelines in designing the PAC.

In order to address the concatenation issue, we note that thecoefficients of the elements constructing are calculatedusing the expanded key. Hence, they are unavailable to the ad-versary. Moreover, the unitary matrix and the vector arealso secret. Therefore, there does not seem to exist an easy wayfor the adversary to obtain the coefficients of the vector polyno-mial from the public polynomials.

In the worst case, the adversary has somehow obtained thevector polynomial . Since is a many-to-one mapping,its value cannot be used to calculate the plaintext . Anotherapproach for the adversary to decrypt the ciphertext is obtainingthe PU matrix . In this approach, the adversary is facingwith the following question: How to find the coefficients of thePU matrix from ? This problem seems to be stronglyrelated to the polynomial decomposition problem, which is asfollows.

1) Problem 2 (The Polynomial Decomposition Problem):Given a vector polynomial , determine whether thereexist vector polynomials such that . In theaffirmative case, compute and .

This problem has been studied extensively in the literature[61][65]. There are polynomial-time algorithms for Problem2 in the univariate case. In the multivariate case, there are onlysolutions for special cases, e.g., when either or is univariate.A general solution to the multivariate case seems to be difficult[65]. The instance of Problem 2 in which the characteristic ofthe field divides the degree of the polynomial is called the wildcase. There is only a subexponential solution to the univariateversion of the problem in the wild case [63]. We note that thecharacteristic of the field in the case of the OWF is two. If thedegree of the PU matrix is even, then we have a wild case ofProblem 2. Hence, concatenating at the end of doesnot seem to leak any information.

In the following section, we provide a practical instance ofthe PAC by choosing the parameters in its general description.

VI. A PRACTICAL INSTANCE OF THE PAC

There are numerous ways to design PAC depending on thechoices of the parameters in Algorithm 2 used to generate thekey. A good design is one that meets the following criteria.

1) The public polynomials, entries of , must look random;they should not have any special structure. Solving thesystem of public polynomials for the plaintext must becomputationally infeasible.

2) It is desirable to have sparse public polynomials to keepdown the complexity of the encryption. The number ofterms of the vector polynomial has the most influencein the number of terms of the public polynomials. There-fore, should have a few terms.

3) The evaluation of the automorphism and its inverse mustbe efficient.

An instance of the PAC is presented in this section by providingspecifications for the general description of the system in Al-gorithm 2. The resulting scheme is intended to meet the designcriteria. We choose GF because of implementationconsiderations. In addition, we choose for theblock length that corresponds to 128 to 256 bits. However, ourscheme is flexible and the order of the field and value ofcan be different without affecting the structure. The secret keyconsists of symbols from . We fix because its value expo-nentially affects the number of monomials of the PU matrix .Considering the range of , we suggest for reasons thatwill become clear later in this paper. For this choice of , thesize of the ciphertext block varies between 208 and 264 bits.

A. Constructing the Vector PolynomialFor the PU matrix , we use only and building blocks

defined in (3) and (4) because the number of their parametersis less than those of defined in (5). Moreover, they can begenerated with less complexity. In order to generate the PUmatrix PU , where , we design

univariate building blocks in each variable. The param-eter is independent of , and its typical value is two. Let

be the PU building blocks in thevariable for all . Then, the PU matrix is obtainedas follows:

(19)

where is a public permutation and is the ceilingfunction. Notice that since these building blocks do not com-mute, the order of terms in the above multiplication is impor-tant.

The special structure of the and building blocks makesthe multiplication of the matrices less complex than multi-plying arbitrary matrices. By induction, it can be easily shownthat these building blocks and their multiplications have the fol-lowing form:

(20)

where , ZZ , and such thatand are finite sets. Notice that the matrix is completelydetermined if the sets and along with the following sets ofvectors are known:

(21a)(21b)

Hence, if is one of the intermediate matrices in the process ofmultiplying the matrices in (19), instead of multiplying thevectors and , the sets and are obtained. Thatis why the generating algorithms for the building blocks and

, provided in the Appendix, only compute the vector param-eters of these building blocks. The advantage of this strategy is


reducing the complexity of multiplying matrices. The followingfact can be stated about the complexity of multiplying two ma-trices of this special form.

Fact 1: Let be matrices each of the form(20). Then, the complexities of computing and

are both upper bounded by

assuming that and the cardinalities of all sets are independentof .

Using this procedure, after carrying out all the multiplicationsrequired to compute the PU matrix in (19), the sets and

are obtained. Having these sets, by Fact 1, the followingfact can be stated about the total complexity of generating thematrix .

Fact 2: The complexities of constructing and areboth upper bounded by sinceand are constants. Having and , the complexityof constructing is at most .Hence, the total complexity of constructing is at most

.

Every entry of is a multivariate polynomial inwith the maximum degree of being for all . Hence,the following fact can be stated.

Fact 3: Entries of the PU matrix are -variate polynomialswhose monomials are subsets of a maximal set of monomials.The cardinality of this maximal set issince both and are constants.

With and , the size of the maximal set in Fact3 is . It is feasible to generate and store a polynomialwith this many monomials in practice.

For , we use the structure suggested in (14) for the irre-ducible polynomial as in (16) (in which the value of ispublic) and the vector polynomial as follows:

(22)

Here, are public exponents and , for, are secret coefficients whose values are obtained from

the set in Algorithm 2. The exponents directly influencethe degree of the final public polynomials. As we will explainlater, to make sure that some attacks are not applicable on thesystem, we choose these exponents proportional to the blocklength , i.e.,

(23)

As the result, the total degree of the public polynomials becomesproportional to . Notice that since all the computations are per-formed in GF , all exponents are modulo 2 1. Hence, if

, (23) will not have the desired effect. The followingfact gives the complexity of constructing .

Fact 4: The complexity of constructing as in (14) issince is constant.

The next step is composing and to get the matrixpolynomial . Let , where

and ZZ is a finite set such thatby Fact 3. To construct ,

we must compute for . Since the exponentsare independent of , the complexity of computingis . Hence, the total complexity of constructing is

.

Using Fact 3, the following fact can be stated.Fact 5: Entries of the matrix are multivariate polyno-

mials whose monomials are subsets of a maximal set of mono-mials. The cardinality of the maximal set is independent of .

Having the matrix polynomial , an automorphism isrequired to obtain the public vector-polynomial . We suggestthe composite automorphism where and aretame automorphisms over . If , then

(24)

where , , andfor and . Similarly, if

, then

(25)

where , for and, and is a constant such that

(a typical value is ). The coefficients and in(24) and in (25) are kept secret and their values are obtainedfrom the set in Algorithm 2. The exponents and arepublic. To keep the complexity of the encryption low, we imposethe restriction for all and where is a fixedinteger independent of the block length . We note the followingimportant fact.

Fact 6: Each entry of is a multivariate polynomial that hasa constant number of monomials independent of .

The complexities of evaluating and are given in thefollowing facts.

Fact 7: Complexities of evaluating and are both .The next step in generating the OWF is multiplying

and to get the vector polynomial as in (10).By Facts 5 and 6, the complexity of carrying out this multipli-cation is . The vector polynomial consists of multi-variate polynomials whose number of monomials, given by thefollowing fact, influences the complexity of the encryption.

Fact 8: Entries of are polynomials whose monomials aresubsets of a maximal set of monomials. The cardinality of themaximal set is .

The final step is generating a unitary matrix and multi-plying it by the vector polynomial defined in (11). As ex-plained in Section III, all unitary matrices are generated by mul-tiplying copies of the building block defined in (1). To re-duce the complexity, we use only one building block for with


TABLE ICOMPLEXITIES OF CONSTRUCTING THE COMPONENTS OF PAC

and taken from . The algorithm in the Appendix canbe used to generate with complexity .Once we have the unitary matrix , the final step is performingthe multiplication . Entries of the matrix are constants, butthose of are multivariate polynomials that have terms byFact 8. Hence, the complexity of carrying out the multiplication

is . The number of monomials ofthe entries of is given in the following fact.

Fact 9: Entries of are polynomials whose monomials aresubsets of a maximal set of monomials. The cardinality of themaximal set is .

All the exponents involved in the construction of are fixedintegers except the exponents in (22) that are proportional to

. Hence, the following fact can be stated about the total degreeof .

Fact 10: The total degree of the public polynomials in isproportional to .

The complexities computed in this section are summarized inTable I.

A toy example of the PAC is provided in Appendix B. Wenote that this is not a practical example of the PAC, and theresulting public-key system is insecure in practice due to smallchoices for parameters. The purpose of this example is to showhow the system is designed and illustrate the structure of publicpolynomials.

B. The Complexity of PACIn this section, we give complexities of the key generation,

the encryption, and the decryption in the PAC. Adding up thecomplexities listed in Table I, we conclude that the total com-plexity of the public-key generation is . The secret keyconsists of the PU matrix , the automorphism , the unitarymatrix , and the constant vector . By Table I, the total com-plexity of generating these matrices and vectors is .

To compute the complexity of Algorithm 3 that is the encryp-tion algorithm, we note that by Fact 9, the public polynomials

(entries of ) share the same set of monomials.Let this set be ZZ , whereis the cardinality of this set. Then, ,where . Thus, has the matrix formulation

, where is an matrix andis a vector of length . The complexity of

computing is . Since by Fact 9,the total complexity is . The complexity of evaluating thevector at the plaintext block is by Fact 10. Hence, thetotal complexity of the encryption is .

For the decryption, Algorithm 4 is employed. The complexityof computing in this algorithm is . Sinceby Fact 3 every entry of the PU matrix has a constant numberof monomials, the complexity of computing

in Algorithm 4 is . Using Fact 7, the complexity of com-puting the plaintext vector in this algorithm is . Hence,the total complexity of the decryption is .

We summarize the complexity of PAC in Table II. The com-plexity of the HFE public-key scheme is also provided for com-parison. The table shows that the computational complexity ofthe public-key generation and the decryption in the proposedPAC is lower than those in the HFE. It is worth mentioning thatthe complexities of encryption and decryption in RSA are both

for a block length of size bits. In Table II, isthe number of bits per field element.

VII. CRYPTANALYSIS OF THE INSTANCE OF THE PACThe entries of the vector polynomial are the public infor-

mation in PAC. In order to attack this scheme, one approachis solving the system of polynomial equations ,

, for , where is the cipher-text. The other approach is finding the secret key from the publicpolynomials. In this section, we investigate the vulnerability ofPAC to algebraic attacks initially developed for the HFE family.Some of these attacks are quite general and applicable on otherschemes. We also investigate the vulnerability of the PAC forsome bad choices of parameters. These attacks follow one ofthe approaches mentioned above. Our results show that the prac-tical instance of the PAC, introduced in Section VI, is resistant toall these attacks. Note that key exhaustive search has the com-plexity that is infeasible. Attacks studied in thissection are Grbner basis, univariate polynomial representation,relinearization, XL and FXL algorithms, and an attack for small.

Since the public polynomials of HFE are homogenous, allattacks developed for HFE are specialized for homogenouspolynomials. The public polynomials in PAC are not homoge-nous. However, they can be converted into the homogenousform using a technique employed in algebraic geometry forgoing from the affine space to the projective space [66]. Let

be the total degree of the public polynomial in the PAC,where . Suppose . In orderto convert the system of public polynomials into a system ofhomogenous polynomial equations, replace by for

and multiply through each equation by . The resultis the following system of homogenous equations of degreethat consists of equations in 1 variables

(26)

By Fact 10, we note that the total degree of the homogenouspolynomials in this system is proportional to , i.e., .

A. Grbner BasisGrbner basis is the classical method for solving systems of

polynomial equations [67][70]. This technique can theoreti-cally solve all systems of this kind. However, its complexityis exponential in the number of variables, although there isno closed-form formula for it. The complexity of computinga Grbner basis for the public polynomials of the HFE isinfeasible using Buchbergers algorithm that is the classicalalgorithm for computing the Grbner basis. However, it is


TABLE IICOMPLEXITIES IN THE NUMBER OF BINARY MULTIPLICATIONS

completely feasible using the algorithm introduced in [71].The complexities of solving the public polynomials of severalinstances of the HFE using the algorithm are provided in[33]. The special form of the public polynomials in the HFEscheme makes it vulnerable to different attacks. In particular,it implies a relatively small upper bound on the degrees of thepolynomials that occur during the Grbner basis computation[33]. Moreover, as expressed in [33], a crucial point in thecryptanalysis of HFE is the ability to distinguish a randomalgebraic system from an algebraic system coming from HFE.The public polynomials in the PAC are not homogenous.Moreover, they look random since they are derived from thegeneral formula (7) relating an arbitrary system of polynomialequations to PU matrices.

In order to apply the methods of [33] to the PAC, the systemof homogenous polynomials in (26) is employed. However, thetotal degree of the resulting system is proportional to the numberof variables . It is explained in [33] that in this case, theredoes not seem to exist a polynomial time algorithm to computethe Grbner basis. Hence, solving the public polynomials of thePAC using the Grbner basis method is infeasible.

B. Univariate-Polynomial Representation of the PublicPolynomials

This attack is based on the observation that any system ofmultivariate polynomials in variables over a field can berepresented as a single sparse univariate polynomial of a spe-cial form over an extension field of degree over . This issummarized in the following lemma that is proved in [27].

Lemma 2: Let , , be any system ofmultivariate polynomials in variables over with the cardi-nality . Then, there are coefficients suchthat the system of polynomials is equivalent to the univariatepolynomial .

The drawback of this approach is that the number of termsof the equivalent univariate representation is expo-nentially related to the number of variables. However, when thepolynomials are homogenous, which is the case in HFE, thepolynomial is sparse. This fact, stated in the following lemma,significantly enhances the attack on the HFE using univariatepolynomial representation.

Lemma 3: Let be any collection of homogenous mul-tivariate polynomials of degree in variables over . Then,the only powers of that appear in the univariate polynomialrepresentation over are sums of exactly (not necessarilydistinct) powers of , i.e., . Hence, the number ofnonzero terms and the degree of are both .

To apply the above technique to solve the homogenous formof the public polynomials in the PAC in (26), we recall that thedegree of the homogenous polynomials is proportional to .

Hence, the degree and the number of nonzero terms of the uni-variate polynomial representation are both . The com-plexity of root finding algorithms, e.g., Berlekamp algorithm, ispolynomial in the degree of the polynomial [51]. This results inan exponential time algorithm to find the roots of . Therefore,this approach is less efficient than the exhaustive search.

C. Relinearization, XL, and FXL AlgorithmsThese techniques, developed in [28] and [72] to attack the

HFE family, are methods for solving highly overdefined sys-tems of polynomial equations, i.e., systems consisting ofequations in variables where . In this situation, the com-plexity of these algorithms is approximately . How-ever, when the number of equations is for some ,then these techniques are not efficient [28]. In order to mountan attack on the HFE scheme using these methods, the equiva-lent univariate polynomial representation of the public polyno-mials are obtained using Lemma 2. By Lemma 3, it has the form

, where and .It is shown in [72] that the cryptanalyst can use this matrix rep-resentation to obtain a system of polynomial equationsin variables. The relinearization, XL, and FXL algorithmsare used to solve this system. Since the homogenous form of thepublic polynomials of the PAC in (26) are not quadratic, theirunivariate polynomial representation is not quadratic. Hence, itdoes not have a matrix representation as . Therefore, theattack developed in [72] is not applicable on the PAC. However,the adversary may directly apply the relinearization, XL, or FXLalgorithm the system of homogenous polynomials (26). In thefollowing, we show that this approach is unsuccessful.

The relinearization technique is developed in [72] for solvingoverdefined systems of homogenous quadratic polynomialequations. Unfortunately, it is shown in [28] that the relin-earization technique is not as efficient as one may expect sincemany of the newly generated equations are dependent. Hence,the extended relinearization algorithm is proposed in [28]. It isclaimed to be the best algorithm for highly overdefined systemsof multivariate homogenous equations. Using the homogenouspolynomials of (26), we have a system of homogenousequations in 1 variables where . It is provedin [28] that in this case, the XL has exponential complexity.Therefore, the XL algorithm cannot be directly used to mountan attack on the PAC.

A variant of the XL algorithm, called fixing and XL, is intro-duced in [28]. In this algorithm, some variables are guessed tomake the system slightly overdefined. Then, the XL algorithmis applied. The main question is how many variables mustbe guessed. Although more guesses make the system moreunbalanced, they add to the complexity of the algorithm. Theoptimum number of guesses is provided in [28]. Using thisoptimum value, the FXL has the exponential complexity for


solving the system of public polynomials in PAC. Hence, theFXL algorithm can not be efficiently applied on the PAC.

D. An Attack for SmallThis attack is applicable on the PAC when is small, specially

, and also when in (12) is a tameautomorphism of the form

(27)

where . We briefly describe the attack for. In this case, is a multivariate polynomial in , denoted

by , i.e.,

(28)

The adversary fixes and computes the value offor all . There exists a subset and a constant

such that for all , . The PU matrix be-comes the constant matrix over . Because of the specialstructure of the automorphism in (27), the values of the poly-nomials do not change over since they dependonly on . The only polynomial that varies overis . This implies that is a one-dimen-sional subspace of . Examination of gives the value ofthe last column of up to scaling.

In the next step, the adversary fixes and com-putes the value of for all . Using a sim-ilar approach, the adversary can obtain some information aboutthe next-to-the-last column of the PU matrix . Repeating thisprocess, the adversary is able to obtain useful information aboutthe PU matrix.

This attack works for two reasons.1) The variable appears only in the last entry of the au-

tomorphism . Hence, by fixing , the polyno-mials become constant. The practical instanceof the PAC, introduced in Section VI, does not have thisproblem. The automorphism employed in the practicalinstance is the composition of two tame automorphismsand given in (24) and (25). By the special structure ofthese automorphisms, every variable appears in at leastentries of .

2) In the example given here, has the lowest transcen-dental degree. To avoid such attacks, the value of shouldnot be small. In general, in order to find , the adversarymust examine the set that has cardinality .For the typical choice , the size of this space is 2 .Thus, finding becomes infeasible for the adversary.

VIII. CONCLUSIONWe introduced a framework to construct public-key cryp-

tosystems using paraunitary matrices over finite fields. Thisframework evolves from relating general systems of multi-variate polynomial equations to the PU matrices. Using thegeneral formula expressing this relationship, we designed apractical trapdoor one-way function. The difficulty of inverting

the introduced OWF is based on the NP-hard problem of solvingsystems of multivariate polynomial equations. We proposeda new public-key cryptosystem PAC based on our trapdoorOWF. To encrypt a message using PAC, public multivariatepolynomials are evaluated at the message. Hence, comparingto other public-key cryptosystems such as RSA and ElGamalthe encryption algorithm is efficient. We described a practicallyefficient instance of the PAC by making simplifications to thegeneral description. The PU matrix used in the instance ofPAC can be generated using fully parameterized elementarybuilding blocks. There are algorithms to efficiently generatethese building blocks. Therefore, the key setup is fast andefficient in PAC, which is another distinguishing feature ofour proposed scheme. By developing efficient realization ofthe instance of the PAC, we showed that the complexities ofthe public-key generation and the decryption in the PAC arelower than those in the HFE. Finally, we studied several attacks(such as Grbner bases, univariate polynomial representation,relinearization, XL, and FXL algorithms) that were developedto break the HFE. We concluded that they are not applicable tothe proposed PAC.

APPENDIX AALGORITHMS FOR DESIGNING UNITARY AND

PARAUNITARY BUILDING BLOCKS

In this Appendix, we provide algorithms for designing theunitary building block defined in (1) and the PU buildingblocks and defined in (3) and (4), respectively.

Algorithm A.1 can be used to design the unitary buildingblock of (1).

Algorithm A.1: Unitary Building-Block Generation

INPUT: The vector and theelement

OUTPUT: The unitary matrix

1.

2. for to do

3.

4. for to do

5.

6. end

7.

8.

Suppose the vector is used to design sucha matrix. Because of the restriction , we must have

(A.1)

Equivalently, since is a field of characteristic two, we have

(A.2)


The above equation is used in the algorithm for designing theunitary building block. It can be shown that the complexity ofthis algorithm is .

Algorithm A.2 can be used to design the vector parameter ofthe building block .

Algorithm A.2: Building-Block Generation

INPUT: The vector

OUTPUT: The vector such that

1.

Suppose the is the vector parameter ofthe building block . Because of the restriction , wemust have

(A.3)

or equivalently

(A.4)

The above equation is used in the algorithm for designing theunitary building block. No multiplication is carried out in thisalgorithm. Hence, its complexity is independent of .

Algorithm A.3 is used for designing the vector parameters ofthe building block in (4).

Algorithm A.3: Building-Block Generation

INPUT: Vectors and

OUTPUT: Vectors and such that ,, and

1.

2.

3.

4.

5.

6.

7.

8.

This building block takes two vectors and such that

(A.5a)(A.5b)(A.5c)

Let and . By (A.5a),we must have

(A.6)

Knowing components of , the last one is calculatedusing (A.6). Assuming are given, from (A.5b) and(A.5c), we get

(A.7)

in the unknowns and , where and. Solutions to this system are

(A.8)

Setting , these fractions are simplified. Thecomplexity of this algorithm is .

APPENDIX BA TOY EXAMPLE OF THE PAC

In this Appendix, we provide a toy example of the PAC. Wenote that this is not a practical example of the PAC, and theresulting public-key system is insecure in practice due to smallchoices for parameters. The purpose of this example is to showhow the system is designed and illustrate the structure of publicpolynomials. In our design, we have used the computer algebrasoftware SINGULAR [73].

We design a toy example of the PAC following the guidelinesof Section VI. The block size is and . The operatingfinite field is GF with the primitive element .

Since , the vector polynomial is a one-dimensionalmultivariate polynomial. We choose its coefficients and expo-nents as follows:

(B.1)

For the irreducible polynomial in (16), we usesince . These choices give the following irreduciblemultivariate polynomial for the vector polynomial in (14):

(B.2)

In our example, the PU matrix consists of only one degree-onebuilding block as in (3) with the vector . Forthe unitary matrix , we use the building block in (1) with

and . The constant vector ischosen to be .

As stated in Fact 9, the entries of the OWF are poly-nomials whose monomials are subsets of a maximal setof monomials. Hence, we just give one of the publicpolynomials. The rest of them have similar structures. If


, then the polynomialis as follows:

(B.3)

ACKNOWLEDGMENT

The authors wish to thank the anonymous reviewers whoseconstructive and insightful comments improved the presentationof this paper. In addition, the authors thank C. Wolf for usefuldiscussions on multivariate cryptography.

REFERENCES[1] N. Modadugu, D. Boneh, and M. Kim, , B. K. Roy and E. Okamoto,

Eds., Generating RSA keys on a handheld using an untrusted server,in INDOCRYPT00. Berlin, Germany: Springer-Verlag, 2000, vol.1977, Lecture Notes in Computer Science, pp. 271282.

[2] B. Schneier, Applied Cryptography: Protocols, Algorithms, and SourceCode in C, 2nd ed. New York: Wiley, 1996.

[3] A. J. Menezes, Elliptic Curve Public Key Cryptosystems. Norwell,MA: Kluwer Academic, 1993, vol. 234, Kluwer Int. Series Eng.Comput. Sci. (SECS).

[4] L. C. Washington, , K. H. Rosen, Ed., Elliptic Curves: Number Theoryand Cryptography. New York: Chapman and Hall/CRC, 2003, Dis-crete Mathematics and its Applications.

[5] The Elliptic Curve Digital Signature Algorithm (ECDSA), ANSIX9.62, American National Standards Institute, 1998.

[6] D. Johnson, A. Menezes, and S. Vanstone, The elliptic curve digitalsignature algorithm (ECDSA), Int. J. Inf. Security, vol. 1, no. 1, pp.3663, Aug. 2001.

[7] M. J. Wiener and R. J. Zuccherato, Faster attacks on elliptic curvecryptosystems, in Select. Areas Crypto.SAC98, Berlin, Germany,1999, vol. 1556, Lecture Notes in Computer Science, pp. 190200.

[8] R. Zuccherato, Using a PKI based upon elliptic curve cryptography:Examining the benefits and difficulties, Entrust, 2003, White Paperv. 1.0 [Online]. Available: http://www.entrust.com/resources/whitepa-pers.cfm

[9] E. D. Win, S. Mister, B. Preneel, and M. Wiener, J. P. Buhler, Ed.,On the performance of signature schemes based on elliptic curves,in Algorithmic Number Theory Symp. IIIANTS-III, Berlin, Germany,1998, vol. 1423, Lecture Notes in Computer Science, pp. 252266.

[10] M.-L. Akkar and J. Patarin, Multivariate cryptography on smartcards, in Smart Card Security Conf., Mar. 2001 [Online]. Available:http://www.nmda.or.jp/nmda/ic-card/proceedings/Day2E.html

[11] T. Matsumoto and H. Imai, C. G. Guenther, Ed., Public quadraticpolynomial-tuples for efficient signature-verification and message-en-cryption, in Adv. Cryptol.EUROCRYPT88, Berlin, Germany, 1988,vol. 330, Lecture Notes in Computer Science, pp. 419453.

[12] J. Patarin, U. Maurer, Ed., Hidden fields equations (HFE) and isomor-phisms of polynomials (IP): Two new families of asymmetric algo-rithms, in Adv. Cryptol.EUROCRYPT96, Berlin, Germany, 1996,vol. 1070, Lecture Notes in Computer Science, pp. 3348.

[13] P. P. Vaidyanathan, Multirate Systems and Filter Banks. EnglewoodCliffs, NJ: Prentice-Hall, 1993.

[14] M. Vetterli and J. Kovacevic, Wavelets and Subband Coding. Engle-wood Cliffs, NJ: Prentice-Hall, 1995.

[15] S. M. Phoong and P. P. Vaidyanathan, Paraunitary filter banks over fi-nite fields, IEEE Trans. Signal Process., vol. 45, no. 6, pp. 14431457,Jun. 1997.

[16] F. Fekri, R. M. Mersereau, and R. W. Schafer, Theory of paraunitaryfilter banks over fields of characteristic two, IEEE Trans. Inf. Theory,vol. 48, pp. 29642979, Nov. 2002.

[17] , Two-band wavelets and filter banks over finite fields with con-nections to error control coding, IEEE Trans. Signal Process., vol. 51,no. 12, pp. 31433151, Dec. 2003.

[18] K. S. Chan and F. Fekri, A block cipher cryptosystem using wavelettransforms over finite fields, IEEE Trans. Signal Process. Supp. SecureMedia, vol. 52, no. 12, pp. 29752991, Oct. 2004.

[19] F. Delgosha and F. Fekri, Stream cipher using finite-field wavelets, inProc. IEEE Int. Conf. Acoust. Speech Signal Processing (ICASSP05),Philadelphia, PA, Mar. 2005, vol. 5, pp. 689692.

[20] L. Gohberg, P. Lancaster, and L. Rodman, Matrix Polynomials. NewYork: Academic, 1982.

[21] H. Fell and W. Diffie, H. C. Williams, Ed., Analysis of apublic key approach based on polynomial substitution, in Adv.Cryptol.CRYPTO85, 1986, vol. 218, Lecture Notes in ComputerScience, pp. 340349.

[22] J. Patarin, D. Coppersmith, Ed., Cryptanalysis of the Mat-sumoto and Imai public key scheme of Eurocrypt88, in Adv.Cryptol.CRYPTO95, 1995, vol. 963, Lecture Notes in ComputerScience, pp. 248261.

[23] J. Patarin, N. Koblitz, Ed., Asymmetric cryptography with a hiddenmonomial, in Adv. Cryptol.CRYPTO96, 1996, vol. 1109, LectureNotes in Computer Science, pp. 4560.

[24] J. Patarin, L. Goubin, and N. T. Courtois, K. Nyberg, Ed., Improvedalgorithms for isomorphisms of polynomials, in Adv. Cryptol.EU-ROCRYPT98, 1998, vol. 1403, Lecture Notes in Computer Science,pp. 184200.

[25] J. Patarin and L. Goubin, Trapdoor one-way permutations andmultivariate polynomials, in Proc. Int. Conf. Inf. Commun. Secu-rityICICS97, Berlin, Germany, Nov. 1997, vol. 1334, Lecture Notesin Computer Science, p. 356.

[26] C. Wolf and B. Preneel, Taxonomy of public key schemes based on theproblem of multivariate quadratic equations, Cryptol. ePrint Archive,2005 [Online]. Available: http://eprint.iacr.org/2005/077

[27] A. Kipnis and A. Shamir, M. Wiener, Ed., Cryptanalysis ofthe HFE public key cryptosystem by relinearization, in Adv.Cryptol.CRYPTO99, 1999, vol. 1666, Lecture Notes in ComputerScience, pp. 1930.

[28] N. T. Courtois, A. Klimov, J. Patarin, and A. Shamir, B. Preneel, Ed.,Efficient algorithms for solving overdefined systems of multivariatepolynomial equations, in Adv. Cryptol.EUROCRYPT00, 2000, vol.1807, Lecture Notes in Computer Science, pp. 392407.

[29] N. T. Courtois and J. Patarin, M. Joye, Ed., About the XL algorithmover GF (2), in CT-RSA03, 2003, vol. 2612, Lecture Notes in Com-puter Science, pp. 141157.

[30] R. S. Coulter, G. Havas, and M. Henderson, K. Shirayanagi andK. Yokoyama, Eds., Giesbrechts algorithm, the HFE cryp-tosystem and Ores p -polynomials, in Proc. Asian Symp. Comput.Math.ASCM01, Singapore, Sep. 2001, vol. 9, Lecture Notes Serieson Computing, pp. 3745.

[31] N. T. Courtois, D. Naccache, Ed., The security of hidden field equa-tions (HFE), in CT-RSA01, 2001, vol. 2020, Lecture Notes in Com-puter Science, pp. 266281.

[32] N. T. Courtois, M. Daum, and P. Felke, Y. G. Desmedt, Ed., On thesecurity of HFE, HFEv- and quartz, in Proc. Int. Workshop PracticeTheory Public Key Crypto.PKC03, Berlin, 2003, vol. 2567, LectureNotes in Computer Science, pp. 337350.


[33] J. C. Faugre and A. Joux, D. Boneh, Ed., Algebraic cryptalanysis ofhidden field equation (HFE) cryptosystems using Grbner bases, inAdv. Cryptol.CRYPTO03, 2003, vol. 2729, Lecture Notes in Com-puter Science, pp. 4460.

[34] J. Patarin, N. T. Courtois, and L. Goubin, D. Naccache, Ed., QUARTZ,128-bit long digital signatures, in CT-RSA01, 2001, vol. 2020, Lec-ture Notes in Computer Science, pp. 282297.

[35] G. Martinet, Quartz, Flash and SFlash, NESSIE, 2001, Public Rep.[Online]. Available: https://www.cosic.esat.kuleuven.ac.be/nessie/re-ports/

[36] N. T. Courtois, Y. G. Desmedt, Ed., Generic attacks and the secu-rity of Quartz, in Proc. Int. Workshop Practice Theory Public KeyCrypto.PKC03, Berlin, 2003, vol. 2567, Lecture Notes in ComputerScience, pp. 351364.

[37] J. Patarin, N. T. Courtois, and L. Goubin, D. Naccache, Ed., FLASH, afast multivariate signature algorithm, in CT-RSA01, 1999, vol. 2020,Lecture Notes in Computer Science, pp. 298307.

[38] J. Patarin, L. Goubin, and N. T. Courtois, K. Ohta and D. Pei, Eds.,C and HM: Variations around two schemes of T. Matsumoto andH. Imai, in Adv. Cryptol.ASIACRYPT98, 1998, vol. 1514, LectureNotes in Computer Science, pp. 3549.

[39] H. Gilbert and M. Minier, L. R. Knudsen, Ed., Cryptanalysis ofSFLASH, in Adv. Cryptol.EUROCRYPT02, 2002, vol. 2332,Lecture Notes in Computer Science, pp. 288298.

[40] A. Shamir, D. R. Stinson, Ed., Efficient signature schemes based onbirational permutations, in Adv. Cryptol.CRYPTO93, 1994, vol.773, Lecture Notes in Computer Science, pp. 112.

[41] D. Coppersmith, J. Stern, and S. Vaudenay, D. R. Stinson, Ed.,Attacks on the birational permutation signature schemes, in Adv.Cryptol.CRYPTO93, 1994, vol. 773, Lecture Notes in ComputerScience, pp. 435443.

[42] T. T. Moh, A public key system with signature and master key func-tions, Commun. Algebra, vol. 27, no. 5, pp. 22072222, 1999.

[43] , A fast public key system with signature and masterkey functions, in Proc. Int. Workshop Crypto. Tech. E-Com-merceCrypTEC99, Kowloon, Hong Kong, China, 1999, pp. 6369.

[44] L. Goubin and N. T. Courtois, T. Okamoto, Ed., Cryptanalysis ofthe TTM cryptosystem, in Adv. Cryptol.ASIACRYPT00, 2000, vol.1976, Lecture Notes in Computer Science, pp. 4457.

[45] F. Delgosha and F. Fekri, Factorization of two-channel 2D paraunitaryfilter banks over fields of characteristic two, in Proc. IEEE Int. Symp.Inf. TheoryISIT04, IL, Jun.Jul. 2004, p. 565.

[46] H.-J. Park, A computational theory of Laurent polynomial rings andmultidimensional FIR systems, Ph.D. dissertation, College of Engi-neering, Univ. of California, Berkeley, CA, 1995.

[47] B. Mourrain, V. Y. Pan, and O. Ruatta, Accelerated solution of mul-tivariate polynomial systems of equations, SIAM J. Comput., vol. 32,no. 2, pp. 435454, 2003.

[48] A. van den Essen, Polynomial Automorphisms and the JacobianConjecture. Berlin, Germany: Birkhuser Verlag, 2000, vol. 190,Progress in Mathematics.

[49] T. W. Hungerford, Algebra. New York: Springer-Verlag, 1974, vol.73, Graduate Texts in Mathematics.

[50] S. Lange, Algebra, 3rd ed. New York: Addison-Wesley, 1993.[51] A. J. Menezes, I. F. Blake, X. Gao, R. C. Mullin, S. A. Vanstone, and

T. Yaghoobian, Applications of Finite Fields. Norwell, MA: KluwerAcademic, 1993.

[52] J. Daemen and V. Rijmen, The Design of Rijndael: AESThe Ad-vanced Encryption Standard. Berlin, Germany: Springer-Verlag,2002.

[53] D. Coppersmith, H. Krawczyk, and Y. Mansour, D. R. Stinson, Ed.,The shrinking generator, in Adv. Cryptol.CRYPTO93, 1993, vol.773, Lecture Notes in Computer Science, pp. 2239.

[54] W. Meier and O. Staffelbach, A. D. Santis, Ed., The self-shrinkinggenerator, in Adv. Cryptol.EUROCRYPT95, 1995, vol. 950, Lec-ture Notes in Computer Science, pp. 205214.

[55] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook ofApplied Cryptography. New York: CRC Press, 1997.

[56] D. R. Stinson, Cryptography: Theory and Practice. Boca Raton, FL:CRC Press, 1995, The CRC Series on Discrete Mathematics and ItsApplications.

[57] S. Goldwasser and M. Bellare, Lecture Notes on Cryptography2001 [Online]. Available: http://www.cs.ucsd.edu/users/mihir/pa-pers/gb.html

[58] S. Goldwasser and S. Micali, Probabilistic encryption, J. Comput.Syst. Sci., vol. 28, no. 2, pp. 270299, 1984.

[59] M. Blum and S. Goldwasser, G. R. Blakley and D. Chaum, Eds., Anefficient probabilistic public key encryption scheme which hides allpartial information, in Adv. Cryptol.CRYPTO84, 1984, vol. 196,Lecture Notes in Computer Science, pp. 289302.

[60] M. Bellare and P. Rogaway, Random oracles are practical: A para-digm for designing efficient protocols, in Proc. ACM Conf. Comput.Commun. SecurityCCS93, New York, 1993, pp. 6273.

[61] M. Dickerson, Polynomial decomposition algorithms for multivariatepolynomials Dept. of Computer Science, Cornell Univ., Ithaca, NY,1987, Tech. Rep. TR87-826.

[62] J. V. Z. Gathen, Functional decomposition of polynomials: The tamecase, J. Symb. Comput., vol. 9, no. 3, pp. 281299, Mar. 1990.

[63] , Functional decomposition of polynomials: The wild case, J.Symb. Comput., vol. 10, no. 5, pp. 437452, Nov. 1990.

[64] D. Kozen, S. Landau, and R. Zippel, Decomposition of algebraic func-tions, J. Symb. Comput., vol. 22, no. 3, pp. 235246, Sep. 1996.

[65] J. von zur Gathen, J. Gutierrez, and R. Rubio, Multivariate polynomialdecomposition, Appl. Algebra Eng. Commun. Comput., vol. 14, no. 1,pp. 1131, 2003.

[66] I. R. Shafarevich, Basic Algebraic Geometry 1: Varieties in ProjectiveSpace, 2nd ed. Berlin, Germany: Springer-Verlag, 1994.

[67] D. Eisenbud, Commutative Algebra with a View Toward Algebraic Ge-ometry. New York: Springer-Verlag, 1995, vol. 150, Graduate Textsin Mathematics.

[68] T. Becker and V. Weispfenning, Grbner Bases: A Computational Ap-proach to Commutative Algebra. New York: Springer-Verlag, 1993,vol. 141, Graduate Texts in Mathematics.

[69] D. Cox, J. Little, and D. OShea, Ideals, Varieties, and Algorithms: AnIntroduction to Computational Algebraic Geometry and CommutativeAlgebra, 2nd ed. New York: Springer-Verlag, 1997, UndergraduateTexts in Mathematics.

[70] , Using Algebraic Geometry. New York: Springer-Verlag, 1998,Graduate Texts in Mathematics.

[71] J.-C. Faugre, T. Mora, Ed., A new efficient algorithm for computingGrbner bases without reduction to zero (F ), in Proc. Int. Symp. Sym-bolic Algebraic Comput.ISSAC02, 2002, pp. 7583.

[72] A. Kipnis, J. Patarin, and L. Goubin, J. Stern, Ed., Unbalanced oil andvinegar signature schemes, in Adv. Cryptol.EUROCRYPT99, 1999,vol. 1592, Lecture Notes in Computer Science, pp. 206222.

[73] G.-M. Greuel, G. Pfister, and H. Schnemann, SINGULAR 2.0 Centre forComputer Algebra, Univ. Kaiserslautern, 2001, A Computer AlgebraSystem for Polynomial Computations [Online]. Available: http://www.singular.uni-kl.de

Farshid Delgosha (S01) received the B.Sc. degreefrom Tehran Polytechnic, Iran, in 1995 and the M.Sc.degree from Sharif University of Technology, Tehran,in 1997. Since 2001, he has been pursuing the Ph.D.degree at the School of Electrical and Computer En-gineering, Georgia Institute of Technology, Atlanta.

His current research interests lie in the general fieldof signal processing and cryptography, in particular,finite-field wavelets and their applications in cryptog-raphy, algebraic and multivariate cryptography, andsecurity aspects of wireless sensor networks. In the

past, he conducted research on telecommunications, modulation techniques, andDSL systems.

Faramarz Fekri (S91M00SM03) received theB.Sc. and M.Sc. degrees from Sharif University ofTechnology, Tehran, Iran, in 1990 and 1993, respec-tively, and the Ph.D. degree from the Georgia Instituteof Technology, Atlanta, in 2000.

From 1995 to 1997, he was with the Telecommu-nication Research Laboratories (TRLabs), Calgary,AB, Canada, where he worked on multicarrier spreadspectrum systems. Since 2000, he has been on theFaculty of the School of Electrical and Computer En-gineering, Georgia Institute of Technology. His cur-

rent research interests lie in the general field of signal processing and commu-nications, in particular, wavelets and filter banks, error control coding, cryptog-raphy, wireless sensor networks, and communication security. In the past, heconducted research on speech and image processing.

Dr. Fekri received the Sigma Xi Best Ph.D. Thesis Award from the GeorgiaInstitute of Technology in 2000 for his work on finite-field wavelets and theirapplication to error control coding. He received the National Science FoundationCAREER award in 2001.

public-key cryptography using paraunitary matrices

Documents

publickey cryptography

publickey cryptosystem

publickey systems

publickey generation

corresponding secret

applications of public

public keys

usedfor key exchange