
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 55, NO. 5, MAY 2008 (p. 423)

Known-Plaintext Attack to Two Cryptosystems Based on the BB Equation


G. Alvarez, L. Hernández Encinas, and J. Muñoz Masqué

Abstract—Recently, Rama Murthy and Swamy proposed a symmetric cryptosystem based on the Brahmagupta–Bhāskara (BB) equation. The BB equation is the quadratic Diophantine equation , where is an integer and is a positive integer such that is irrational. For the particular case , the equation is called the Pell equation. The proposed cryptosystem was modified later by the same authors in order to avoid the cryptanalysis given by Youssef. Below, a known-plaintext attack to both cryptosystems is presented.

Index Terms—Brahmagupta–Bhāskara (BB) equation, cryptanalysis, cryptography, Pell equation.

I. PRELIMINARIES AND NOTATIONS

The Brahmagupta–Bhāskara (BB) equation is the quadratic Diophantine equation

where is an integer and is a positive integer such that is irrational. For the particular case , the equation is called the Pell equation. The goal of this paper is to show that the two cryptosystems proposed by Rama Murthy and Swamy in [2] and [3] are vulnerable to the known-plaintext attack and, hence, they are insecure.

First of all, we summarize the cryptosystem proposed in [2], which was subsequently improved in [3] in order to avoid the cryptanalysis appearing in [4]. The authors proposed a symmetric cryptosystem based on the Pell equation in the finite field , so that the Pell equation can be written as

(1)

where is a prime number and and are quadratic residues modulo . In the proposed symmetrical cryptosystem, there are two classes of keys: the primary key is a prime number , where is the bitlength of ; the secondary key is a couple of prime numbers, and in the interval . The plaintext corresponding to a block of the original message of bits, , , where is the integer defined as

is the decimal expression of the block . The ciphertext, with bitlength , corresponding to is the pair of integers given by

(2)

The deciphering process to obtain from takes into account the following expressions:

obtained from (2) and (1). The authors claim that the security of this cryptosystem is based on the fact that there are infinitely many prime numbers greater than , and the keys are only limited by practical hardware/software considerations. Nevertheless, Youssef presented in [4] a known-plaintext attack to the previous cryptosystem by using a system of four linear equations over . The equations are deduced from the knowledge of two plaintexts and and their corresponding ciphertexts and to yield the four unknowns

(3)

Once the cryptanalyst has obtained the values , a similar system is solved by using the equations derived from a new pair of plaintext-ciphertext: and . Then, new rational values for and are obtained, and from them the value of

provides a multiple of the prime . In order to improve the previous cryptosystem, Rama Murthy and Swamy proposed in [3] a modification in the ciphering process. With the same notations as above, the ciphertext corresponding to a given plaintext is computed as follows:

(4)

Manuscript received August 21, 2007; revised October 22, 2007. This work was supported in part by the Ministerio de Educación y Ciencia of Spain under Grant SEG2004-02418. This paper was recommended by Associate Editor S. Callegari. The authors are with the Department of Information Processing and Coding, Applied Physics Institute, CSIC, 28006-Madrid, Spain (e-mail: gonzalo@iec.csic.es; luis@iec.csic.es; jaime@iec.csic.es). Digital Object Identifier 10.1109/TCSII.2007.914441

1549-7747/$25.00 © 2008 IEEE


With such a modification, the attack proposed by Youssef is not effective as the linear system of equations (3) becomes

which cannot be solved in the unknowns , and , when and are known.

II. CRYPTANALYSIS

Here, we present a cryptanalysis to the cryptosystem introduced in [3] by using a known-plaintext attack. Suppose that four distinct plaintext-ciphertext pairs , are known. The cryptanalysis is based on the fact that the system of equations

(5)

obtained from (1) and (4) admits a unique solution in whenever the following inequalities hold:

In fact, as a simple computation shows, we have (6)–(9) and (10) and (11), shown at the bottom of the page.

Notice that the running time for solving the system (5) is negligible, as explicit formulas are used. Once , and are known, and can be directly obtained as follows:

(12)

(13)

As the equations for have not been used in the system (5), they allow one to compute

(14)

where is the numerator of the fraction for , and is a multiple of , as follows from the very definition of the BB equation modulo . Furthermore, the bitlength of is less than , as is the sum of three summands each of which being, at most, a product of two factors of bitlength , and other summands of less bitlength, as

(15)

Hence, the value of is derived from directly, without using any sophisticated factorization algorithm. Once the value of is known, the values of and are obtained by reducing modulo the rational values for and in (6) and (7).

Next, we show how to perform the cryptanalysis either when or vanishes. If , then and are completely determined, namely

Hence, it suffices to change one of the two plaintexts and and to keep the other. Moreover, the expressions and cannot vanish simultaneously as


the vanishing of both expressions implies , which contradicts the assumption. Consequently, if , then either

or

and we proceed as in the first case.

The cryptanalysis to the original cryptosystem as formulated in [2] is similar to the previous one, by using an analogous system to (5), which provides the following expressions:

Here, . The values of (6) and (7) are given at the bottom of the page, and the values of (8)–(13) are

III. NUMERICAL EXAMPLES

A numerical example with artificially small values is presented below. Suppose that the secret keys are , and let us consider the following plaintext-ciphertext pairs:

By using the software package MAPLE over an Intel Pentium D PC, CPU 3.20 GHz, 2.00 GB RAM, under Windows XP (SP 2), the running time to compute these values was 0.062 s. For a prime number with bitlength , say

where

and using the following four random plaintexts:

the running time to compute , and the values of was 0.065 s. For a larger prime of 128 bits

the running time to break the cryptosystem was 0.078 s. For the secret primary key of 192 bits


and secondary keys

the running time to break the cryptosystem was 0.094 s. In this case, we obtained .

IV. CONCLUDING REMARKS

1) As shown above, it usually suffices to consider four distinct plaintext-ciphertext pairs to recover the primary and the secondary keys of both proposed symmetric cryptosystems in a computationally feasible way.

2) Although the values are assumed to be quadratic residues in in [2] and [3], which is justified by the authors (personal communication) in order to avoid vulnerabilities, this property seems to play no role in the cryptanalysis proposed.

3) The cryptanalysis proposed does not involve general factorization algorithms, but only to compute the greatest common divisor of several pairs of integers and a few factors much smaller than the modulus in these greatest common divisors. As is well known, e.g., see [1, Sec. 2.4], the can be computed efficiently in polynomial time, , by using the Extended Euclidean Algorithm.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions.

REFERENCES

[1] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC, 1997.

[2] N. R. Murthy and M. N. S. Swamy, "Cryptographic applications of Brahmagupta–Bhāskara equation," IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 53, no. 7, pp. 1565–1571, Jul. 2006.

[3] N. R. Murthy and M. N. S. Swamy, "Authors' reply," IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 54, no. 4, pp. 928–929, Apr. 2007.

[4] A. M. Youssef, "A comment on 'Cryptographic applications of Brahmagupta–Bhāskara equation'," IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 54, no. 4, pp. 927–928, Apr. 2007.
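The key-recovery step that Section II and concluding remark 3 rely on (a numerator that is a multiple of the prime, the prime read off with a gcd and the removal of small cofactors rather than any factorization algorithm, and the secondary keys obtained by reducing rational values modulo the recovered prime) can be illustrated with a short program. The Python below is an added example, not code from the paper or from the authors of the cryptosystem. It does not implement the system (5), whose explicit formulas are not reproduced here; instead, the integers that the attack would compute are constructed directly as a stand-in prime times small cofactors, which is exactly the situation the paper describes. The prime, the cofactors, the secondary keys and the rational values are all constructed for the example.

```python
from functools import reduce
from math import gcd

# Constructed stand-in for the secret primary key p (not a value from the paper):
# 2**61 - 1 is a Mersenne prime, so the arithmetic below is genuinely multi-word.
P_SECRET = 2**61 - 1


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases, enough to sanity-check a recovered modulus."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def strip_small_factors(n, bound=1 << 16):
    """Divide out every prime factor below `bound`.

    The paper's argument is that the cofactors surviving the gcd are much
    smaller than the modulus, so trial division over a small range suffices.
    `bound` must stay below the size of the prime being recovered."""
    f = 2
    while f < bound and n > 1:
        while n % f == 0 and n != f:
            n //= f
        f += 1
    return n


def recover_modulus(multiples):
    """gcd of several integers, each known to be p times a small cofactor,
    followed by removal of the small cofactors that survive the gcd."""
    return strip_small_factors(reduce(gcd, multiples))


def reduce_rational_mod(num, den, p):
    """Reduce the rational num/den modulo p, i.e. num * den^-1 mod p.

    Once p is known, rational values that are congruent to the secondary
    keys modulo p are turned back into the keys this way."""
    return num * pow(den, -1, p) % p


def run_demo():
    # Constructed: three integers of the kind the attack produces, namely p
    # times the cofactors 12, 18 and 30.  Their gcd is 6p, so stripping matters.
    attack_outputs = [P_SECRET * 12, P_SECRET * 18, P_SECRET * 30]
    p = recover_modulus(attack_outputs)
    assert is_probable_prime(p)

    # Constructed secondary keys (the scheme uses a pair of primes) and
    # constructed rational values congruent to them modulo p.
    n1, n2 = 1_000_003, 1_000_033
    den = 987_654_321
    r1 = (n1 * den + 3 * p, den)   # r1 = n1 + 3p/den, so r1 ≡ n1 (mod p)
    r2 = (n2 * den - 5 * p, den)   # negative numerator, still ≡ n2 (mod p)
    k1 = reduce_rational_mod(r1[0], r1[1], p)
    k2 = reduce_rational_mod(r2[0], r2[1], p)
    return p, k1, k2


if __name__ == "__main__":
    print(run_demo())
```

The trial-division bound in `strip_small_factors` has to be chosen below the bitlength of the primary key; the paper bounds the cofactors by showing they are far smaller than the modulus, which is what makes this cheap step sufficient. `pow(den, -1, p)` is the modular inverse and needs Python 3.8 or later.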
