IEEE TRANSACTIONS ON COMPUTERS, VOL. 44, NO.

I , JANUARY I Y Y S

A New Public-Key Cipher System Based Upon

the Diophantine Equations
c. H. Lin, C. c. Chang, Senior Member, IEEE, and R. C . T. Lee, Fellow, IEEE

A b ~ t r ~ ~A t new
- public-key (two-key) cipher scheme is pro- while the other is related to NP-complete problems such as
posed in this paper. In our scheme, keys can be easily generated. 0/1 knapsack and so on. To construct cryptosystems based
In addition, both encryption and decryption procedures are
on these computationally hard problems, secret “trapdoor”
simple. To encrypt a message, the sender needs to conduct a
vector product of the message being sent and the enciphering information is added such that a one-way function is invertible.
key. On the other hand, the receiver can easily decrypt it A function F is called a one-way function if and only if the
by conducting several multiplication operations and modulus computation of F ( T ) is easy for all :L: in the dornain of F ,
operations. For security analysis, we also examine some possible while it is computationally infeasible to compute the inverse
attacks on the presented scheme.
F-l(y) given any in the range of F , even if E’ is known.
Index Terms- Public keys, private keys, cryptosystems, Dio- It is a trapdoor one-way function if the inverse becomes easy
phantine equation problems, integer knapsack problems, one-way when certain additional information is given. This additional
functions, trapdoor one-way functions, NP-complete.
information is used as a secret decryption key.
In this paper, a new public-key cipher scheme is proposed.
I. INTRODUCTION By the use of our scheme, the generating steps of keys are
simple. Both the encryption and decryption procedures can
I N (61, Diffie and Hellman proposed their pioneering idea
of public key cryptosystems. In a public key system, each
user IT uses the encryption algorithm E ( P K , , , M ) and the
be completed efficiently. Our cipher scheme is based upon the
Diophantine equations [ 18 1. In general, a Diophantine equation
is defined as follows: We are given a polynomial equation
decryption algorithm D ( P R , , C ) , where P K , is the public
key, PR,,, is the private key of U and M and C are the f ( ~5 2 ,, . . . ! x,) = 0 with integer coefficients and we are
asked to find rational or integral solutions. Throughout this
texts to be encrypted or to be decrypted, respectively. Each
paper, we shall assume that the solutions are nonnegative. For
user publishes his encryption key by putting it on a public
instance, consider the following equation:
directory, while the decryption key is kept secret by himself.
Suppose that user il wants to send a message to user B. k.1 + ~1x2f 7.1;s + k ~ =q 78.
First, A finds the public encryption key, namely PIG,, for B
from the public directory. Then A encrypts the message M The above equation is a Diophantine equation if we have
to C: by C = E(PKb,M ) and sends C to B. On receiving to find a nonnegative solution for this equation. In fact, our
C , B can decode it by computing M = D(PRt,.C). Since .xq) = ( 2 , 5 , 1 :9). Another example of
PRb is private for I?, no one else can perform this decryption a Diophantine equation is
process. Therefore, for practical purposes, the encryption and 32::1:2 + 43.13:23:3 + 513 = 105.
decryption algorithms E and D have to satisfy the following
Diophantine equations are usually hard solve. In [ 141, it was
three requirements.
proved that the problem of deciding whether there are positive 1
1) U(PX,,.E(Pfi’,. M ) ) = M
2 ) Neither of algorithms E and D needs much computing integer solutions for
time. rrz; + j.2 - y = 0.
3) To derive the associate PR, from the publicly known
P K t Lis computationally infeasible [ 5 ] . where a, [l and y are positive integers, is NP-complete [4],
A number of public-key cryptosystems have been proposed
[SI. Some specific cases of Diophantine equations and their
computational complexities were studied in [24[, 1251.
[I], [ 3 ] , [7]. 191, [ 171, [20]-[22], 1261. These systems can be
A famous Diophantine equation problem is Hilbert’s tenth
put into two categories. One is based on hard number theoretic
problem [ I I], which is defined as follows: Given a system
problems such as factoring, taking discrete logarithms, etc.;
of polynomials Pi : c 2 . . . , x,,), 1 5 i 5 VI,, with integer
Manuscript received May 7, 1991; revised July 19. 1992. coefficients, determine whether it has a nonnegative integer
C. H. Lin is with the Department of Computer and Information Sciences, solution or not. In [ 15) and [23], it was shown thal the Hilbert
Tunghai University. Taichung, Taiwan 40704, R.O.C.
C. C. Chang is with the Institute of Computer Science and Information En- problem is undecidable for polynomials with degree 4. It was
gineering. National Chung Cheng University, Chiayi: Taiwan 62 107, R.O.C. shown in [I61 that the Hilbert problem is undecidable for
R. C. T. Lee is with the Department of Computer Sciences, Providence polynomials with 13 variables. Curari and lbarra [lo] also
University, Shalu, Taichung Hsien, Taiwan 43301, R.O.C.; E-mail: rctlee @
host I .pu.edu.tw. proved that several Diophantine equations are in NP-complete
IEEE Log Number 9407 I IS. class.
00 I8-9340/95$04.00 0 1995 IEEE
 14 IEEE TRANSACTIONS ON COMPUTERS, VOL. 44. NO. 1. JANUARY 1995

Finally, we sketch the organization of this paper as follows. a message M is transformed to its ciphertext C , where *
Underlying mathematics is described in Section 11. The gen- denotes the vector product operation. Conversely, the ith com-
eration of the system, encryption and decryption algorithms, ponent mi in M can be revealed by the following operation:
will appear in Section 111. Section IV investigates the security
of our cipher scheme. We also show that in order to break our m ; = D ( ( q ; , k ; ) , C ) Lk;C/q;J
= modk, for , i = 1 , 2 . . - . , n .
system, one has to solve some specific Diophantine equations. (3)
Finally, conclusions are made in Section V. Theorem 2.1 shows that (3) is the inverse function of (2). The
following lemmas are helpful in the proof of the theorem.
Lemma 2.1:
11. THE UNDERLYING
MATHEMATICS Let a and b be some positive integers where b > a. Then
2 In this section, we describe the mathematics on which the for all z, cz[z/bl < z if z 2 a b / ( b - a ) .
new cryptosystem is based. Let w be some positive integer and Proof Let rx/bl = c for some integer c. Then x / b 5
the domain 2)be a set of positive integers in the range of [O, w]. +
c < ( z / b 1). We have
Let w = 2' - 1, where b is some positive integer. Assume that
nc < (u:c/b + a ) . (4)
a sending message M with length nb bits is broken up into
n pieces of submessages, namely m l , m2, . . . and mn. Each On the other hand, if z 2 n b / ( h - a ) , then ( b - u)z 2 ab;
submessage is of length b bits. In other words, we can represent that is,
each submessage by a decimal number rni and nr; in V .
Suppose that 71 pairs of integers (y1, k l ) ( q 2 k2) . . ., and
~ ~ ~
(az/b + a ) 5 x. (5)
( y n , k,)are chosen such that the following conditions hold:
Combining (4) and ( 5 ) , we have that a[z/b1 < x if z 2
1) 4;'s are painvise relative primes; i.e., ( q ; ?q j ) = 1 for ab/@ - a ) . 0
i # j. Lemma 5.2:
2) ICi > iii for i = 1 , 2 , . . . n,.
!
Let Ri := qi mod k;. Then kiR;mi[q;/(kiRi)lmod k;q; =
3) yi > ICiw(qL mod k i ) , and qi mod ICi # 0, for i =
kiRiW l - q z / ( w & ) l .
1 , 2 , . " , n.
Prooj. Let a = Rim;, b = kiRi, and x = qi. Since
These n, integer pairs ( q ; , k;)'s will be kept secret and used q; > k;R;w, we know that qi > IC;RSm;/(Ri(k;- mi)).
to decrypt messages. For convenience, we name the above That is, x 2 ab/(b - u) is satisfied. By applying Lemma
three conditions the DK-conditions since they will be used 2.1, it can be seen that R;rri;[q;/(klR;)l < y,,. Therefore,
as deciphering keys. Note that for the generating of pairwise ICiR;ma[q;/(k;l&)l mod kiq; = IC;Ri7rL;[q;/(kjl~i)l. 0
relatively primes, one can consult [2]. Furthermore, the fol- Lemma 2.3:
lowing numbers are computed. First, compute Ri = q2 mod Let mi"s, ICi's, and q i ' s be chosen such that the DK-
ki and compute Pi's such that two conditions are satisfied: 1) conditions are satisfied. Let R; = q; mod IC;. Then
P; mod q; = R;, and 2) PJ mod q; = 0 if i # j . Since qi's LkRim; [<Ii/(kRi)l/qiJ= mi.
are pairwise relatively primes, one solution for Pi's satisfying Proof: Let 6 = Lk;Rim; [q2/ (IC; Ri)l / q ; ] . It can be easily
the above two conditions is that P; = Qib, with seen that the following two inequalities hold:

Qi =nqi 8 < LkiRi.n,,;(qi/(kiRi) I)/%] + (6)

j#i
and
and b; is chosen such that Qib; mod qi = Ri. Since Qi
and qz are relatively prime, bi's can be found by using the 6 L lkin;mi(si/(ICini))/~iJ. (7)
extended Euclid's algorithm [ 5 ] .Note that the average number
Furthermore, the right-hand side of (7) is identical to m i and
of divisions performed by the extended Euclid's algorithm
for finding b; is approximately 0.843 . In(q;) 1.47 [13]. + +
that of (6:) is Lm; kiRirni/qi]. On the other hand, since
mi is an integer and kiR;ma/q7< 1, the right-hand side in
Secondly, compute N; = [qa/(IC;Ri)l for i = 1 , 2 , . . . ,n.
Finally, compute
+
(6) becom'es [mi k;R;m;/q;]= m,. Combining these two
inequalities, we obtain that m; 5 6 < m i . Finally, we have

s i = PiN, mod Q , where Q =

n

i=l
q,. n (1)
6 = mi, since 6 is an integer.
Theorenz2.1: Let ( q l , k l ) , ( q 2 , k 2 ) , . . . ,and ( q n ! k n ) be n
pairs of positive integers satisfying the DK-conditions. Let the
0

vector S be computed by applying (1). Then (3) is the inverse

That is. we have a vector S = (SI, s2,. . . , s,) with each
function of (2). That is, a message enciphered by (2) can be
component computed as above.
decrypted by (3).
After this, S can be used as the enciphering key for
Prooj: Let us prove the theorem by the following two
encrypting messages. By conducting a vector product between
steps.
- First, from (l), define 3, = PiNi; we have a vector
M = ( n b 1 , m2.. . . , m,) and S = (SI, sa, ... , sn);Le.,
S = ( S 1 , S 2 , . . . , S n ) ; i . e., s i = S i m o d c E , f o r . i = 1 , 2 , . - . , n .
n Let C' = M * S = m;s; = Cy=,m,PiNi. Since
C = E ( S ,M ) = M * S = m,~, ( 2 ) Pi's satisfy the following two conditions, 1) Pi mod qa = qi
2=1 mod ki = Ri;and 2 ) Pj mod qi = 0 if i # ,j, k;C' mod
 LIN ct af.:PUBLIC-KEY CIPHER SYSTEM BASED ON DIOPHANTINE EQUATIONS 15

Algorithm 3.1-Key Generating for Each User U:

Step 1. Pick n pairs of positive integers ((11, k ~ )( q, 2 , k ~ ) ,
. . ., and ( y P 1 kn)
, such that the DK-conditions are
satisfied.
Step 2. Compute R; = qz mod k , for i = 1 , 2. . . . , n.
Compute

Qi =
32,

and N , = [ q l / ( k l R z ) lfor
, 7 = 1 . 2. . . . . n, and
compute
n

s=J&i n

,=I
i=l
then C’mod Q = (E:& m , S , ) mod Q = ((m131mod (2) +
% ~ ~ Q)) mod Q = ( m l ( S 1 mod Q)+. . -+m,(%,
. . . + ( 7 1 7 ~ ~ mod Step 3. Compute hi’s such that Q,b, mod q, = Ri for

mod Q ) ) mod Q = (cm,.s,)

n

1=1
mod Q = C mod Q. That
i = 1 , 2 , . . . , n..This can be done by the extended
version of Euclid’s algorithm.
Step 4. Compute Pi = Qib; and s; = PiN, mod Q for
+
is, C’ I C‘(mod Q). Let C’ = C .tQ. for some positive
i 1 1 , 2 , . . . , 7 1.
integer z . We have Lk,C/q,j mod k , = ([k,(C’ - z Q ) / q l J
Step 5. Publish the encryption key PK, = (SI. s2 , . . . , s,)
mod k , = ( Lk,C’/yzJ- k,zQ,) mod k , = [ k z C ’ / q z ~mod k,.
for user C‘.
In other words, rrr, = Lk,C/y,] mod k,. 0
Step 6. Keep the private decryption key PR, =
3 111. THE CONSTRUCTION AND USAGE OF THE CRYPTOSYSTEM
( ( 4 1 ,k l ) , ( 4 2 , k 2 ) , . . . l ( Y n , k ) )
in secret.
Step 7. Keep Pi, Q ; ,h i , N;, and Q in secret or erase them.
In this section, how the new cryptosystem is created and Algorithm 3.2-Encryption Procedure for Sender A:
used is described. First, an informal description is given. Then Step 1. Encrypt M = (ml,mz:...,m,,) by (2); Le.,
algorithms for constructing the cryptosystem, encrypting mes- G = E(S.M)= S * M .
sages, and decrypting messages, respectively, are presented. Step 2. Send out the integer C as the ciphertext of
First, each user picks n pairs of parameters ( 4 1 , k l ) , ( 4 2 . k 2 ) , message M .
. . ., and ( y l l , k n ) such that the DK-conditions are satisfied. Step 3. Exit.
Afterward,
Algorithm 3.3-Decryption Procedure for Receiver B:
Qi = n 43 Step 1. Compute the ith component mi of message M by
3fz computing mi = D((qi,k i ) , C) = LklC/q;] mod
k ; , 1 5 i 5 71.
and IV,= [ y , / ( k l ( q z mod I C l ) ) ] are computed, and b,’s are
Step 2. Exit.
integers chosen such that Q,b, mod 4, = q, mod k,, for
1 = 1.2:..,n. Let P, = Q,b, and 5 , = P,N, mod Q, for In the following, let us illustrate the processing of the
i = 1.2. . . ,71, where
presented cipher scheme by a simple example.
n
Example 3.1: Consider a simple case with 7~ = 3. Let
( q 1 . h ) = (104.6), ( y 2 , k z ) = (147,8), and ( q 3 , k 3 ) =
(121,7). Then R1 = 41 mod k l = 2, R2 = 42 mod k~ = 3,
and R3 = 43 mod k.3 = 2. Let D = {0.1,2,3} with w = 3. It
Therefore, a vector S = ( S I , -52, . . . s T L )is obtained. Then the can be verified that the DK-conditions are satisfied in this case.
~

n-tuple S of integers is published and used as the public key Since Q1 = 17787, Q 2 = 12584, and Q 3 = 15288,
of the cryptosystem for enciphering messages. and Q = 1849848, if bl = 70, b2 = 114. and b3 = 98
The chosen parameters ( 4 1 . k l ) , ( q 2 . k 2 ) ; . ., and (y,, kIL)are are chosen, we have PI = Q l h l = 1245090, and P2 =
kept and used as the private key to decipher messages received. Q 2 b 2 = 1434576, P3 = Q 3 h 3 = 1498224. Moreover,
Specifically, let user A be the sender and user B be the since N1 = [ q l / ( k l R 1 ) 1 = 9, Nz = [42/(k2R2)1 = 7 ,
receiver, and let A be sending a message represented by and N3 = [ q 3 / ( k 3 R ~ ) 1= 9, we have S I = PlN1 mod
M = (rri1, m 2 , . . . . mTL)
~
Q = 106722, 5-2 = P2N2 mod Q = 792702, and s3 =
P3N3 mod Q = 535080. In other words, a vector S =
where 7rr, is a b-bits submessage represented by a decimal (106722,792792.535080) is obtained.
number in the range of [0,Zb - 11. Then ( m l ,m 2 , . . . . m,) is Now, we assume that user A wants to send a message
enciphered by (2) into an integer C. Afterward, the integer C M , say represented by binary string 111101. Let M be
is sent to user B as the ciphertext of the original message M . broken up into three submessages with length 2-bit; Le.,
On the receiving of integer C, user B IS able to convert C M = (11,11,01) or A4 = ( m l . n , 2 , m 3 ) = ( 3 , J . l ) in
into { r r t , 1 , 1 1 ~ 2.~. . , 1 1 1 , ) by applying (3). decimal representation. il also computes C = ( m l ,r r L Z , m 3 ) *
16 [EEE TRANSACTIONS ON COMPUTERS, VOL. 44, NO I. JANUARY 1995

(s1,s2.s3) = 3233622 and sends the integer C to B instead We shall prove that the linear Diophantine equation problem
of sending the original message M . is NP-complete. It can be reduced from the integer knapsack
When B receives the integer C , he can reveal the original problem, which has been proved to be in the class of NP-
message M b y applying (3) on the received integer C. He will completeness [8]. For better understanding, we present the
obtain integer knapsack problem briefly here.
Integer Knapsack Problem [a]: Given an ri-tuple S of pos-
7131 = LklC/ql] mod kl
itive integer, S = (SI. s 2 , . . . , ,s7,), and two positive integers e
= 10; x 3233622/104] mod 6 and f, determine whether there is a sequence of nonnegative
= Ll9401732/104J mod 6 integers, M = ( m l .r n 2 , . . . . m T 1 )such
, that
= 186555 mod 6 = 3, 71

m 2 = Lk2C/q2] mod k2
= 18 x 3233622/137] mod 8 and such that
= 125868976/147] mod 8 n

= 175979 mod 8 = 3 .
a=1

m3 = Lk3C/q3] mod kg Theorem 4.1: The linear Diophantine equation problem is

= 17 x 3233622/121] mod 7 NP-complete.
= 122635354/121] mod 7 Proojl Suppose that there exists an algorithm, called
procedure X(S,C), with inputs S and C‘, and output “yes” or
= 187069 mod 7 = 1. “no,” which can solve the linear Diophantine equation problem
That is, ( m l ?m2,7n3) = ( 3 , 3 , l ) , or the corresponding binary in polynomial time. By applying procedure X ( S ,C), we can
strings (11.11.Ol), is obtained. By concatenating the three also solve the integer knapsack problem in polynomial time.
submessages together, the original message M = (111101) is Procedure I K ( S .e , , f ) is as follows:
thus revealed. procedure I K ( S ,e. f )
boolean : flag
Iv. SECURITY OF THE CRYFTOSYSTEM
for I = t‘ to f do
In this section, we investigate the security of the proposed if X(S,I ) = ”yes” then flag = true
method. Since there exists no technique to prove that a given
encryption scheme is absolutely secure, the only approach endfor
available for us is to see whether anyone can think of a way to if flag = true then print (’there exists a solution’)
break it [21]. In the following, we examine some possible at- else print (’there is no solution’)
tacks on the cryptosystem from the viewpoint of a cryptanalyst.
endif
Two possibilities are considered. First, the cryptanalyst tries
to decipher an intercepted ciphertext. Second, the cryptanalyst endprocedure
does not decipher a ciphertext directly, but tries to determine Therefore, the integer knapsack problem is reduced to the lin-
the secret decryption key. With this key, he will have the same ear Diophantine equation problem with the reduction process
capability as the legitimate message receiver for deciphering done in polynomial time. Finally, using the fact that the linear
messages. Diophantine equation problem is in NP and the fact that the
integer knapsack problem is NP-complete, we have that the
A. Brute Force for Deciphering the Ciphertext linear Diophantine equation problem is NP-complete. 0
With the publicly known encryption key S and the inter-
cepted ciphertext C, a cryptanalyst may try to decode the B. Brute Force to Reconstruct the Secret Decryption Key
Step 1 in Algorithm 3.3 without knowing the private key PRb On the other hand, a cryptanalyst may not be interested in
of the legitimate receiver. To decrypt the ciphertext in this deciphering the intercepted ciphertext. He may try to reveal the
case, he has to solve the following problem. For convenience, decryption key that is kept private by the receiver. Knowing
we call it the linear Diophantine equation problem. Let S = this secret key, he will be able to decipher any message sent to
{ s l : 1 = 1 , 2 , . . . . n} be a set of given positive integers the receiver as he wants. Nevertheless, how can he determine
and C be a positive integer. The linear Diophantine equation the private decryption key? That is, how can he reconstruct the
problem is to determine a sequence of nonnegative integers, secret key by knowing the public key? Specifically, he has to
M = (rnl,mz,....m,), such that solve the following problem: Given rt integers s1: s2,. . . , snr
find the corresponding n pairs ( ql ,k1 ), ( q2, k 2 ) , . . . ( qn , ICn).
&,s, = c. We assume that the key generilting procedure is known to
2=1 him. From Step 2 to Step 4 in Algorithm 3.1, since s; = P;N;
LIN et ai.:PUBLIC-KEY CIPHER SYSTEM BASED ON DIOPHANTINE EQUATIONS 17

mod Q and P, mod q, = R,, he can deduce that s, E R,N, by the following exhaustive searching steps.
(mod q , ) for i = 1 . 2 , . . . . n. In other words, the following Step 1. Compute t i , for i = 1: 2. ...:n, as follows
equations are obtained:
s2: ’ . . ,sa-l! Sifl,.. ’ ,sn)
ti =
gcd(s1, ~ .
2 . ., . ~ - 1 s;,
, s i + i , .. . , s,)
where gcd denotes the greatest common divisor.
where Step 2. Compute r ; j = j . si mod t i , for j = 1 , 2 , . . . w. ~

and i = 1,2,...,n, , where 7u = 2” - 1 if each

R;= q; mod IC;, 1 5 *i 5 n. submessage is of length b bits.
(8)
Step 3. Compute hi = C mod f ; , for i = I , 2, . . ,71.
Step 4. Search h; for i = l,Z,...,n, , from the set
Equation (8) can be rewntten as
{ r l ; , T z i , . . . , r w i } . If h; = r k i , then m,;= k .

s, = q , x , + R, [q,/(IC,R,)1,for some z,. 1 5 z 5 n. (9) From the above procedure, n i i seems to be deducible
from C and (SI, ~ 2 , . .. , sn). However, if we decompose the
Let v, = [ q z / ( / c z R z )Then
l. v, - 1 < y,/(k,&) 5 w, and message into submessages of length 100 bits each; Le., b =
IC,&(u, - I ) < q7 5 IC,R,u,. We have 100, then w = 21°0 - 1. This number has magnitude of value
about lo3’. If we use a computer that can test lo6 numbers
qz = k , R , ( v z - l ) + y r , with 15 y p 5 k,R,. .1 5 z _< n. (10) per second. It requires about 2.7 x years to complete the
Substituting (10) into (9), we obtain the following equations search for each hi. The Step 4 of exhaustive searching in the
above algorithm will be extremely impossible.
k,R,(v, - l ) ~ ,yZzt+ + R,w,- S, =0 4
v. CONCLIJSION AND DISCUSSION
with A new public-key cryptosystem is investigated in this paper.
The motivation of this attempt is trying to use real numbers
for its dense property. However, if real numbers are used
as keys, several disturbing problems, such as representation
Equation (1 1) is a system of n Diophantine equations with and precision will be encountered. With the help of integer
degree 4 and has variables ki, &, v;,xi,and yi, for 1 5 i 5 n. functions, the possibility of using an integer as a key is
Our job of breaking the cipher system consists of the following increased significantly. That is, for a cryptanalyst who tries
steps: to break the cipher, he has to conduct an exhaustive search on
Step 1. Find IC;, Ri, u;, xi, and yi satisfying ( l l ) , for a long list of integer numbers.
l l i < n . Further, we would make some discussion on the parameters
Step 2. Calculate qi by using (10). used in the presented cipher scheme. By using a concept
Step 3. Check whether pi’s are relatively prime. If they similar to that of block cipher [ 5 ] ,a sending message of length
are not, go to Step 1. Otherwise, we have found n b bits will be broken into n pieces of submessages with
at least one possible solution in the form of each b bits long. The time complexity needed to compute
l:(ql, kl)>(QZ. w.
Step 4. Randomly generate a message M
‘ ’ .,(qn, kn)).

=
y;’s will be proportional to n2 as R increases [ 2 ] . When
q i ’ s are determined, ki’s can be chosen from 2) and 3) in
1 ( m l : r r i 2.,. . ! 7 n n ) . Encrypt hl by the Step 4 the DK-conditions. Thus the time required to choose ki’s is
in Algorithm 3.2 into an integer C. proportional to n. Further, the time needed to find hi’s grows
Step 5. Decrypt C into M” by Step 1 in Algorithm 3.3 at the rate of n(1ogn) when qi’s and ki’s are determined.
using the TL pairs ( ( 4 1 ,h ) ,((12, k 2 ) ; . -,(qn!I C n ) ) From Section IV, we know that the execution time required,
obtained. for a cryptanalyst to solve the corresponding problems, in-
Step 6. If MI‘ and the M generated in Step 4 are equal, creases when n increases. Theoretically, the security of the
stop; otherwise go to Step 1 again. presented scheme will be increased as 71 is large. For inatance,
Up to now, there seems to be no easy way of executing Step when n = 100 and b = 100, it will be rather difficult to solve
1 (solving a Diophantine equation with degree 4). Even if we the problems presented in Section IV. Further. let us estimate
succeed, there is no guarantee that the qi’s found by us are how large the C value is. We consider that the number of
relatively prime to one another. Therefore, it seems difficult bits needed to store the product of the first TL prime numbers
to break our system in this way. is proportional to n(logn,). Then the number of bits required
to represent si is proportional to n(1ogn). In other words,
the number of bits to represent a C value is proportional to
C. Attack Due to the Greatest Common Divisor of s i ’ s + +
b n(1og n ) (log n ) , where b is the number of bits in each
Another ciphertext attack is to observe the greatest com- submessage. Since a sending message is of length b n bits. We
mon divisor of st’s. On intercepting the ciphertext C and conclude that the ciphertext expansion rate of the presented
the publicly known s1, sa,. . . , sn, the cryptanalyst hopes to scheme is O(1og n).
decrypt C into M as in the Step 1 of Algorithm 3.3. Since the Finally, we would like to point out that the advantage of the
cryptanalyst has no legitimate ( q z ,k,)’s, m, may be obtained presented scheme is that the encryption and decryption steps
18 IEEE TRANSACTIONS ON COMPUTERS, VOL. 44, NO. 1. JANUARY 1995

are relatively easy. For encryption, it requires n multiplication [24] S. P. Tung, “Computational complexities of diophantine equations with
operations and n addition operations. For decryption, n mul- parameters,” J. Algorithms, vol. 8, 1987, pp 324-336.
[25l S. P. Tung, “Complexity of sentences over number rings,” SIAM J.
tiplication operations and n modulus operations are needed. Comourina. vol. 20. No. I. Februarv 1991. DD. 126143.
Thus, from the viewpoint of computation time, our algorithm 1261 H. 6. W i l h n s , “A modification of fhe RSA’public-key encryption pro-
cedure,” IEEE Tram. Information Theon, vol. 26, 1980, pp. 726729.
is rather efficient.

ACKNOWLEDGMENT
The authors thank the referees for many helpful suggestions Chu-Hsing Lin receibed the B S degree in applied
mathematics from National Tsing Hua Unversity in
and comments. 1980, the M S degree, also in applied mathematin,
from National Chung Hsing University in 1987,
REFERENCES and the Ph.D degree in computer science5 from
National Tsing Hua University in I99 I
[ l ] E. F. Brickell, “A new knapsack based cryptosystem,” in Crypto ’83. He served in Chung Cheng Armed Force\
rump session, 1983. Preparatory School, Taiwan, from 1980 to 1982.
[2] C. C. Chang and_J. C. Shieh, “Pairwise relatively prime generating From 1983 to 1985, he worked for the Information
polynomials and their applications,” in Proc. Int. Workshop on Discrete Department of the Land Bank of Taiwan. and wa\
Algorithms and Complexity, Kyushu, Japan, Nov. 1989, pp. 137-140. involved in developing the banking system Since
[3] B. Chor, and R. L. Rivest, “Knapsack Type Public Key Cryptosystem 1989, he has been on the faculty of the Department of Computer and
Based on Arithmetic in Finite Field,” IEEE Trans. Inform. Theory, vol. tnformation Sciences at Tunghai Univer\ity, Taichung, Taiwan, and now he
34, No. 5 , 1988, pp. 901-909. I F an associate p r o f e w r In the department. HI\ current intere\tF include
[4] S. A. Cook, “The Complexity of Theorem-Proving Procedures,” Proc. computer secunty, cryptology, data engineering, and de\ign and analysis of
3rd Ann. ACM Symposium on Theory of Computing, New York: Asso- computer algorithms
ciation for Computing Machinery, 1971, pp. 15 1-155. He was the winner of the 1991 AceR Long-Term Award for Out\tanding
[ 5 ] D. E R. Denning, Cryptography and Data Security Reading. MA: Ph D. Dissertation
Addison-Wesley, 1982.
[6] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE
Trans. Inform. Theoty, vol. 22, pp. 64&654, 1976.
[7] T. El Gamal, “A public key cryptosystem and signature scheme based
on discrete logarithms,” IEEE Trans. Inform. Theory, vol. 3 I , no. 4, pp.
469-472, 198.5. Chin-Chen Chang (M’88-SM’92) was born in
181 M. R. Garey and D. S . Johnson, Computers and Intractubili@: A Guide Taichung, Taiwan, Republic of China, on November
to the Theory of NP-Completeness. Reading, NY: W. H. Freeman and 12, 19.54. He received the B.S. degree in applied
Company, 1979. mathematics in 1977 and the M. S. degree in com-
[91 S . Goldwasser and S. Micah, “Probabilistic encryption,” J. Comp. Syst. puter and decision science in 1979 from National
Sci., vol. 28, no. 2, pp. 270-299, 1984. Tsing Hua University, Hsingchu, Taiwan, and the
[ I O ] E. M . Gurari, and 0. H. Ibarra, “An Np-complete number theoretic Ph.D. degree in computer engineering in 1982 from
problem,” in Proc. 10th Ann. ACM Symp. Theory Computing. New National Chiao Tung University, Hsingchu, Taiwan.
York: Association for Computing Machinery, 1978, pp. 205-21.5. During the acadmic years 1980-83, he was on the
[ I I ] D. Hilbert, “Mathematische Probleme,” Vortrag, gehalten auf dem facultv at the Denxtment of Computer Eneineerine
internationalen Mathematiker Kongrass zu Paris, 1900, Nachr. Akad. at National Chiao Tung Universiiy. From1983 t i
Wiss. Gottingen Math.-Phys., pp. 253-297; Translation: Bull. Am. Math. 1989, he was on the faculty at the Institute of Applied Mathematics, National
Soc., vol. 8, 1901, pp. 437-479. Chung Hsing University, Taichung. Taiwan. From August 1989 to July 1992,
[12) D. E. Knuth, The Art of Computer Programming, Vol. I : Fundamental he was the head and professor of the Institute of Computer Science and
Algorithms. second ed. Reading, MA: Addison-Wesley, 1980. Information Engineering at National Chung Cheng University, Chiayi, Taiwan.
1131 ~, The Art of Computer Programming, Vol. 2: Seminumerical Since Augusl 1992, he has been the Dean of the College of Engineering at
Algorithms, 2nd ed. Reading, MA: Addison-Wesley, 1981. National Chung Cheng University. In addition, he has served as a consultant to
[14) K. Manders and L. Adleman, “NP-complete decision problems for wveral research institutes and government departments. His current research
binary quadratics,” J. Comput. Syst. Sci., vol. 16, pp. 168-184, 1978. interests include database design, computer cryptography, data compression,
[ 1.51 Y. MatijaseviE, “Enumerable sets are Diophantine,” Dokl. Akad. Nauk
and data structures.
SSSK, vol. 191, 1970, pp. 279-282 (in Russian); English translation in
Dr. Chang was the Associate Editor of Computer Quarferlj, Journal of
Soviet Math. Dokl., vol. 1 I , pp. 354-357.
Computers, Journal o f the Chinese Institute of Engineering, Journal of Elec-
(161 Y. MatijaseviE and J. Robinson, “Reduction of an arbitrary Diophantine trical Engineering, International Journal on Policy and i n j h m t i o n , Journal
equation to one in 13 unknowns,” Acta Arithmetica, vol. 27. pp.
rf Information and Management Science, and the Journal of Information
521-553, 1975.
Sciences and Engineering, and is the regional editor of Information Sciences
[I71 R. C. Merkle and M. Hellman, “Hiding information and signatures in
trap-door knapsacks,” IEEE Trans. Inform. Theory, vol. 24, pp. 525-530, and Editor-in-Chief of Journal of Information and Education. He was elected
as an outstanding youth of the Republic of China in 1984. In the same
1978.
year, he was also elected as an Outstanding Talent in Information Science of
[IS] L. J . Mordell, Diophanrine Equations, vol. 30 in Pure and Applied
Mathematics, Paul A. Smith and Samuel Eilenberg, Eds. London and the Republic of China. He obtained the 1986-1987, 1988-1989, 1990-1991.
New York: Academic Press, 1969. 1992-1994 Distinguished Research Awards of the National Science Council
[I91 S. C. Pohlig and M. E. Hellman, “An improved algorithm for computing of the Republic of China. He also obtained the 1987 Chung-Shan Academic
logarithms over GF(p) and its cryptographic significance,” IEEE Trans. Publication Award from the Chung-Shan Acadmic Foundation of the Republic
Inform. Theory, vol. 24, no. I , pp. 106-110. of China. He was the winner of the 1990, 1991, and 1992 Acer Long-Term
[20] M. 0. Rabin, “Digitalized signatures and public-key functions as in- Award for Outstanding M.S. Thesis Supervision, the 1991 Acer Long Term
tractable as factorization,” Tech. Rep. TR-2 12, Laboratory for Computer Award for Outstanding Ph.D. Dissertation Supervision, and the 1992 Xerox
Science, MIT, 1979. Foundation Award for Ph.D. Dissertation Study Supervision. He was the
[21] R. I.. Rivest, A. Shamir, and L. Adleman, “A method for obtaining winner of the best Paper Award at the Second International Conference on
digital signatures and public-key cryptosystems,” Communications of CISNA sponsored by the British Council. He was also the winner of the 1992
the Association for Computing Machine?, vol. 21, No. 2, 1978, pp. Outstanding Teaching Materials Award of the Ministry of Education of the
12&126. Republic of China. Dr. Chang has published more than seventy papers in well-
[22] A. Shamir, “Embedding cryptographic trapdoors in arbitrary knapsack known international joumals. Dr. Chang is a member of the Chinese Language
systems,” Technical memo TM-230, Laboratory for Computer Science, Computer Society, the Chinese Institute of Engineering of the Republic of
MIT. 1982. China, the International Association for Cryptological Research, the Computer
[23) T. Skolem, “Diophatische gleichungen,” Ergebisse d. Math. u. Ihrer Society of the Republic o f China, and the Phi Tau Phi Society of the Republic
Grenzpbieu, Ed. 5, Julius Springer, 1939. of China.
LIN ef a[.: PUBLIC-KEY CIPHER SYSTEM BASED ON DIOPHANTINE EQUATIONS 19

R. C. T. Lee (A’74-M’755SM”GF’89) received Theorem Proving (Academic Press), which has been translated into Japanese,
the B.S. degree in electrical engineering from Italian, and Russian. This book has been so popular that Academic Press
the National Taiwan University in 1961 and the selected it as one of four Computer Science Classics. His article on clustering
M.S. and Ph.D. degrees from the University of analysis “Clustering Analysis and its Applications” appeared in Advances in
Berkeley, in 1963 and 1967, respectively, all in Information System Science (J. T. Tou Ed., Plenum Press), and he also has a
electrical engineering and computer science. chapter on complier writing in Handbook of software Engineering (C. R. Vick
Dr. Lee worked for National Cash Register, and C. V. Ramamoorthy Eds., Van Norstrand Reinghold). He was recently
Hawthorn, California, the National Institutes of invited to write an article on parallel computing that appeared in Advances in
Health, Bethesda, MD, and the Naval Research Parallel Computing (D. J. Evans, Ed., JAI Press). His book on algorithms will
Laboratory, Washington, DC before joining the be published by Prentice Hall International. Dr. Lee has organized more than
National Tsing Hua University in 1975. At the twenty international conferences. He is now an Editor or Associate Editor
National Tsing Hua University, he has been department chairman for the of the following journals: Intemational Joumal of Pattern Recognition and
Applied Mathematics and the Computer Science and Electrical Engineering Machine Inrelligence, Annals of Mathematics and Artificial Intelligence, IEEE
departments, Dean of Engineering, Provost, and Acting President of National TRANSACTIONS ON KNOWLEDGE AND DATAENG~NEERING, International Joumal
Tsing Hua University. His present job is President of Providence University. of Foundations on Computer Science, Computers and Operalions Research
Dr. Lee has published nearly lifty journal papers on various subjects in Joumal of Parallel Algorithms and Applications and htemational Joumal of
computer science, including mechanical theorem proving, pattern recognition CompurarionalGeomet? and Applications, Journul ofParullr1 A lgorithms and
and clustering analysis, database design, and sequential and parallel algorithm Applications, and Information Science Joumal. He is presently a reviewer for
design. He w.is a coauthor of the book, Symbolic Logic and Mechanical Mathematical Reviews.