Research Article A Digital Signature Scheme Based ...

5 downloads 95599 Views 2MB Size Report
cryptosystem by adding a homomorphism as a component of secret key. However, until now, there is no paper on constructing digital signature schemes on theΒ ...
Hindawi Publishing Corporation Mathematical Problems in Engineering Volume 2014, Article ID 630421, 11 pages http://dx.doi.org/10.1155/2014/630421

Research Article A Digital Signature Scheme Based on MST 3 Cryptosystems Haibo Hong, Jing Li, Licheng Wang, Yixian Yang, and Xinxin Niu Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China Correspondence should be addressed to Licheng Wang; [email protected] Received 5 December 2013; Revised 13 March 2014; Accepted 14 March 2014; Published 20 May 2014 Academic Editor: Wang Xing-yuan Copyright Β© 2014 Haibo Hong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. As special types of factorization of finite groups, logarithmic signature and cover have been used as the main components of cryptographic keys for secret key cryptosystems such as PGM and public key cryptosystems like 𝑀𝑆𝑇1 , 𝑀𝑆𝑇2 , and 𝑀𝑆𝑇3 . Recently, Svaba et. al proposed a revised 𝑀𝑆𝑇3 encryption scheme with greater security. Meanwhile, they put forward an idea of constructing signature schemes on the basis of logarithmic signatures and random covers. In this paper, we firstly design a secure digital signature scheme based on logarithmic signatures and random covers. In order to complete the task, we devise a new encryption scheme based on 𝑀𝑆𝑇3 cryptosystems.

1. Introduction With the interdisciplinary development of information science, physical science, and biological science, a lot of new technology appeared in the field of cryptography and has made new progress. The new branches of cryptography mainly consist of quantum cryptography, chaotic cryptography, DNA cryptography, and so forth. The security of quantum cryptography is based on the Heisenberg uncertainty principle. Quantum cryptography is the only one that can realize unconditional security at present [1–4]. Matthews [5] firstly applied chaos theory in cryptography and proposed a chaotic stream cipher scheme based on revised logistic map. From then on, chaotic cryptography has attracted wide attention [6, 7]. Most of the researches in chaotic cryptography focus on secret key cryptography. With the recent constructions due to Wang et al. [8–14], chaos-based public key cryptographic protocols come to us. DNA cryptography, which utilizes DNA computing, is a new branch of cryptography in recent years [15, 16]. Using the high storage density and high parallelism of DNA molecular, DNA cryptography can realize the encryption, authentication, signature, and so forth [17]. Meanwhile, cryptographers look forward to applying new intractable mathematical problems in classical cryptography. Currently, most public cryptographic primitives are based on

the perceived intractability of certain mathematical problems in very large finite abelian groups [18]. Prominent hard problems consist of the problem of factoring large integers, the discrete logarithm problem over a finite field πΉπ‘ž or an elliptic curve, and so forth. However, due to quantum algorithms for factoring integer and solving the discrete logarithm problem, most known public-key cryptosystems will be insecure when quantum computers become practical. Therefore, it is an imminent work to design effective cryptographic schemes which can resist quantum attacks. Actually, since the 1980s, several experts have been trying to design new cryptography schemes based on difficult problems in group theory. In 1985, Wagner and Magyarik [19] proposed an approach to designing public-key cryptosystems based on groups and semigroups with undecidable word problem. In 2000, Ko et al. [20] developed the theory of braid-based cryptography based on the hardness of the conjugator search problem (CSP) in braid groups. In 2004, Eick and Kahrobaei [21] proposed a new cryptosystem based on polycyclic groups. In 2005, Shpilrain and Ushakov [22] suggested that Thompson’s group may be a good platform for constructing public-key cryptosystems. Recently, Kahrobaei et al. [23] proposed a public key exchange on the basis of matrices over group rings. Meanwhile, an active branch of noncommutative cryptography based on the hardness of group factorization problem has achieved great success during the last two decades. In 1986,

2

Mathematical Problems in Engineering

Magliveras [24] proposed a symmetric cryptosystem 𝑃𝐺𝑀 based on a special type of factorization of finite groups named logarithmic signatures for finite permutation groups. Then, the algebraic properties of logarithmic signatures and cryptosystem 𝑃𝐺𝑀 were specifically discussed in [25, 26]. In 2002, Magliveras et al. [27] put forward two public key cryptosystems 𝑀𝑆𝑇1 and 𝑀𝑆𝑇2 . In 2009, Lempken et al. [18] designed a new public key cryptosystem 𝑀𝑆𝑇3 on the basis of random covers and logarithmic signatures for nonabelian finite groups. Meanwhile, there are some interesting papers studying attacks on 𝑀𝑆𝑇1 , 𝑀𝑆𝑇2 , and 𝑀𝑆𝑇3 [28–33]. In 2010, Svaba and van Trung [34] constructed an 𝑒𝑀𝑆𝑇3 cryptosystem by adding a homomorphism as a component of secret key. However, until now, there is no paper on constructing digital signature schemes on the basis of 𝑀𝑆𝑇 cryptosystem. Hence, Svaba and van Trung put forward an open problem on constructing digital signature schemes based on random covers and logarithmic signatures. Our main contribution is to devise a digital signature scheme based on random covers and logarithmic signatures. In this process, we also construct a secure and more efficient encryption scheme based on 𝑀𝑆𝑇3 cryptosystems. The rest of contents are organized as follows. Necessary preliminaries are given in Section 2. In Section 3, we specifically describe a new encryption scheme and give corresponding security analysis. In Section 4, we propose a digital signature scheme based on random covers and logarithmic signatures; The related comparisons and illustrations are presented in Section 5.

2. Preliminaries 2.1. Cover and Logarithmic Signature. Let 𝐺 be a finite abstract group and let 𝑋 = [π‘₯1 , π‘₯2 , . . . , π‘₯π‘Ÿ ] and π‘Œ = [𝑦1 , 𝑦2 , . . . , 𝑦𝑠 ] be two elements in 𝐺[Z] . Then 𝑋 βŠ— π‘Œ = [π‘₯1 𝑦1 , . . . , π‘₯1 𝑦𝑠 , π‘₯2 𝑦1 , . . . , π‘₯2 𝑦𝑠 , . . . , π‘₯π‘Ÿ 𝑦1 , . . . , π‘₯π‘Ÿ 𝑦𝑠 ] . (1) If 𝑋 = [π‘₯1 , . . . , π‘₯π‘Ÿ ] ∈ 𝐺[Z] , 𝑋 denotes the element βˆ‘π‘Ÿπ‘–=1 π‘₯𝑖 in the group ring Z𝐺. Definition 1 (cover and logarithmic signature [18, 27]). Suppose that 𝛼 = [𝐴 1 , 𝐴 2 , . . . , 𝐴 𝑠 ] is a sequence of 𝐴 𝑖 ∈ 𝐺[Z] , such that βˆ‘π‘ π‘–=1 |𝐴 𝑖 | is bounded by a polynomial in log |𝐺|. Let 𝐴 1 β‹… 𝐴 2 β‹… β‹… β‹… 𝐴 𝑠 = βˆ‘ π‘Žπ‘” 𝑔, π‘”βˆˆπΊ

π‘Žπ‘” ∈ Z.

(2)

Let 𝑆 be a subset of 𝐺. Then 𝛼 is

expressed uniquely (at least one way) as a product of the form [18] 𝑔 = π‘Ž1 β‹… π‘Ž2 β‹… β‹… β‹… π‘Žπ‘  ,

for π‘Žπ‘– ∈ 𝐴 𝑖 . 𝛼 is called tame (factorizable) if the factorization above can be achieved in polynomial in the width 𝑀 of 𝐺. Definition 2 (cover (logarithmic signature) mappings [35]). Let 𝛼 = [𝐴 1 , 𝐴 2 , . . . , 𝐴 𝑠 ] be a cover (logarithmic signature) of type (π‘Ÿ1 , π‘Ÿ2 , . . . , π‘Ÿπ‘  ) for 𝐺 with 𝐴 𝑖 = [π‘Žπ‘–,1 , π‘Žπ‘–,2 , . . . , π‘Žπ‘–,π‘Ÿπ‘– ], where π‘š = βˆπ‘ π‘–=1 π‘Ÿπ‘– . Let π‘š1 = 1 and π‘šπ‘– = βˆπ‘–βˆ’1 𝑗=1 π‘Ÿπ‘— for 𝑖 = 2, . . . , 𝑠. Let 𝜏 denote the canonical bijection 𝜏 : Zπ‘Ÿ1 Γ— Zπ‘Ÿ2 Γ— β‹… β‹… β‹… Γ— Zπ‘Ÿπ‘  󳨀→ Zπ‘š 𝑠

𝜏 (𝑗1 , 𝑗2 , . . . , 𝑗𝑠 ) = βˆ‘π‘—π‘– β‹… π‘šπ‘– .

The sequences 𝐴 𝑖 are called the blocks; the vector (π‘Ÿ1 , . . . , π‘Ÿπ‘  ) with π‘Ÿπ‘– = |𝐴 𝑖 | is the type of 𝛼 and the length of 𝛼 is defined to be 𝑙(𝛼) = βˆ‘π‘ π‘–=1 π‘Ÿπ‘– . More generally, if 𝛼 = [𝐴 1 , 𝐴 2 , . . . , 𝐴 𝑠 ] is a logarithmic signature (cover) for 𝐺, then each element 𝑔 ∈ 𝐺 can be

(4)

𝑖=1

Then the surjective (bijection) mapping 𝛼󸀠 : Zπ‘š β†’ 𝐺 induced by 𝛼 is 𝛼󸀠 (π‘₯) = π‘Ž1𝑗1 β‹… π‘Ž2𝑗2 β‹… β‹… β‹… π‘Žπ‘ π‘—π‘  ,

(5)

where (𝑗1 , 𝑗2 , . . . , 𝑗𝑠 ) = πœβˆ’1 (π‘₯). 2.2. MST3 Cryptosystems and Suzuki 2-Groups. In [18], Lempken et al. utilized logarithmic signatures and random covers to construct a generic 𝑀𝑆𝑇3 encryption scheme. In this scheme, the public key consists of a tame logarithmic signature as well as some random numbers, and the secret key is composed of a random cover and a sandwich transformation of the cover [27]. The intractability assumptions of this scheme are group factorization problem on nonabelian groups. Furthermore, motivated by attacks in [31], Svaba and van Trung devised an enhanced version of the generic scheme [34] named 𝑒𝑀𝑆𝑇3 cryptosystems. In this scheme, they introduced a secret homomorphism to mask the secret logarithmic signature with a transformation of a random cover. Meanwhile, they proposed a new setup with random encryption. Until now, the only instantiation of 𝑀𝑆𝑇3 cryptosystems is a Suzuki 2-group of order π‘ž2 with π‘ž = 2π‘š (π‘š β‰₯ 3) [18, 34]. From [34], the Suzuki 2-group of order π‘ž2 can be denoted by 𝐴(π‘š, πœƒ), where πœƒ is an automorphism of Fπ‘ž with an odd order. Moreover, the group 𝐴(π‘š, πœƒ) can be represented by a matrix group 𝐺 and

(i) a cover for 𝐺 (or 𝑆) if π‘Žπ‘” > 0 for all 𝑔 ∈ 𝐺 (𝑔 ∈ 𝑆), (ii) a logarithmic signature for 𝐺 (or 𝑆) if π‘Žπ‘” = 1 for every 𝑔 ∈ 𝐺 (𝑔 ∈ 𝑆).

(3)

𝐺 = {𝑆 (π‘Ž, 𝑏) | π‘Ž, 𝑏 ∈ Fπ‘ž } ,

(6)

1 π‘Ž 𝑏 𝑆 (π‘Ž, 𝑏) = (0 1 π‘Žπœƒ ) 0 0 1

(7)

where

is a 3 Γ— 3 matrix over Fπ‘ž . Hence, 𝐺 is of order π‘ž2 and the center Z(𝐺) = {𝑆(0, 𝑏) | 𝑏 ∈ πΉπ‘ž }. Besides, to store the group

Mathematical Problems in Engineering

3

elements conveniently, 𝑆(π‘Ž, 𝑏) can be denoted by (π‘Ž, 𝑏, π‘Žπœƒ ), so the product of two elements in group 𝐺 is 𝑆 (π‘Ž1 , 𝑏1 ) 𝑆 (π‘Ž2 , 𝑏2 ) =

𝑆 (π‘Ž1 , 𝑏1 , π‘Ž1πœƒ ) 𝑆 (π‘Ž2 , 𝑏2 , π‘Ž2πœƒ )

= (π‘Ž1 + π‘Ž2 , 𝑏1 + 𝑏2 + π‘Ž1 π‘Ž2πœƒ , π‘Ž1πœƒ + π‘Ž2πœƒ ) ,

(8)

and the computation of the product just requires a single multiplication and four additions in Fπ‘ž . Furthermore, the inverse of an element in group 𝐺 is πœƒ βˆ’1

𝑆(π‘Ž, 𝑏, π‘Ž )

πœƒ

πœƒ

πœƒ+1

= 𝑆 (π‘Ž, π‘Ž β‹… π‘Ž + 𝑏, π‘Ž ) = 𝑆 (π‘Ž, π‘Ž

Encryption Input: a message π‘₯ ∈ Z and the public key [𝛼, 𝛾, 𝑓]. Output: a ciphertext (𝑦1 , 𝑦2 ) of the message π‘š. (1) Choose a random 𝑅 ∈ Z|Z| . (2) Compute 𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘š, 𝑦2 = 𝛾󸀠 (𝑅)

πœƒ

+ 𝑏, π‘Ž ) , (9)

and it also requires a single multiplication and one addition in Fπ‘ž . If 𝑔 = 𝑆(π‘₯, 𝑦) ∈ 𝐺 and π‘₯, 𝑦 ∈ πΉπ‘ž , then π‘₯ and 𝑦 can be denoted by π‘”β‹…π‘Ž and 𝑔⋅𝑏 , respectively. Hence, 𝑔 = 𝑆(π‘”β‹…π‘Ž , 𝑔⋅𝑏 ), where π‘”β‹…π‘Ž and 𝑔⋅𝑏 are the corresponding projections of 𝑔 along the first and second coordinates.

3. Building Block: A New MST 3 Encryption Scheme Through comparison and analysis, we find that it is rather difficult to devise signature schemes based on the two 𝑀𝑆𝑇3 encryption schemes [18, 34]. Therefore, in order to complete the task, we design a new encryption scheme based on logarithmic signatures and random covers. In our scheme, the original secret key 𝑓 becomes a component of public key, and the encryption process is also simplified. Meanwhile, compared with original schemes, our scheme has a bit improvement in efficiency. 3.1. Description of the Scheme Key Generation Input: a large group 𝐺 = 𝐴(π‘š, πœƒ), π‘ž = 2π‘š . Output: a public key [𝛼, 𝛾, 𝑓] with corresponding private key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. (1) Choose a tame logarithmic signature 𝛽 = [𝐡1 , 𝐡2 , . . . , 𝐡𝑠 ] = (𝑏𝑖𝑗 ) = (𝑆(0, 𝑏(𝑖𝑗)⋅𝑏 )) of type (π‘Ÿ1 , π‘Ÿ2 , . . . , π‘Ÿπ‘  ) for Z, where 𝑏𝑖𝑗 ∈ 𝐺 and 𝑏(𝑖𝑗)⋅𝑏 ∈ Fπ‘ž . (2) Select a random cover 𝛼 = [𝐴 1 , 𝐴 2 , . . . , 𝐴 𝑠 ] = (π‘Žπ‘–π‘— ) = (𝑆(π‘Ž(𝑖𝑗)β‹…π‘Ž , π‘Ž(𝑖𝑗)⋅𝑏 )) of the same type as 𝛽 for a certain subset 𝐽 of 𝐺 such that 𝐴 1 , . . . , 𝐴 𝑠 βŠ† 𝐺 \ Z, where π‘Žπ‘–π‘— ∈ 𝐺, π‘Ž(𝑖𝑗)β‹…π‘Ž ∈ Fπ‘ž \ {0}, and π‘Ž(𝑖𝑗)⋅𝑏 ∈ Fπ‘ž . (3) Choose 𝑑0 , 𝑑1 , . . . , 𝑑𝑠 ∈ 𝐺 \ Z. (4) Construct a homomorphism 𝑓 : 𝐺 β†’ Z defined by 𝑓(𝑆(π‘Ž, 𝑏)) = 𝑆(0, π‘Ž). (5) Compute 𝛾 := (β„Žπ‘–π‘— ) = (𝑆(β„Ž(𝑖𝑗)β‹…π‘Ž , β„Ž(𝑖𝑗)⋅𝑏 )), where β„Žπ‘–π‘— = βˆ’1 π‘‘π‘–βˆ’1 β‹… 𝑓(π‘Žπ‘–π‘— ) β‹… 𝑏𝑖𝑗 β‹… 𝑑𝑖 . (6) Output public key [𝛼, 𝛾, 𝑓] and private key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )].

(10)

= 𝑑0βˆ’1 β‹… 𝑓 (𝛼󸀠 (𝑅)) β‹… 𝛽󸀠 (𝑅) β‹… 𝑑𝑠 . (3) Output (𝑦1 , 𝑦2 ). Decryption Input: a ciphertext pair (𝑦1 , 𝑦2 ) and the private key [𝛽, 𝑑0 , . . . , 𝑑𝑠 ]. Output: the message π‘š ∈ Z corresponding to ciphertext (𝑦1 , 𝑦2 ). (1) Compute 𝑅 = π›½σΈ€ βˆ’1 (𝑦2 π‘‘π‘ βˆ’1 𝑓(𝑦1 )βˆ’1 𝑑0 ). (2) Compute π‘š = 𝛼󸀠 (𝑅)βˆ’1 β‹… 𝑦1 . (3) Output π‘š. Correctness For π‘š ∈ Z and 𝑅 ∈ Z|Z| , we have 𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘š, 𝑦2 = 𝛾󸀠 (𝑅) βˆ’1 𝑓 (π‘Žπ‘ π‘—π‘  ) 𝑑𝑠 = 𝑏1𝑗𝑖 𝑑0βˆ’1 𝑓 (π‘Ž1𝑗1 ) 𝑑1 β‹… β‹… β‹… 𝑏𝑠𝑗𝑠 π‘‘π‘ βˆ’1

= 𝑏1𝑗𝑖 𝑏2𝑗2 β‹… β‹… β‹… 𝑏𝑠𝑗𝑠 𝑑0βˆ’1 𝑓 (π‘Ž1𝑗1 π‘Ž2𝑗3 β‹… β‹… β‹… π‘Žπ‘ π‘—π‘  ) 𝑑𝑠 = 𝛽󸀠 (𝑅) β‹… 𝑑0βˆ’1 β‹… 𝑓 (𝛼󸀠 (𝑅)) β‹… 𝑑𝑠

(11)

= 𝛽󸀠 (𝑅) β‹… 𝑑0βˆ’1 β‹… 𝑓 (𝛼󸀠 (𝑅) β‹… π‘š) β‹… 𝑑𝑠 = 𝛽󸀠 (𝑅) β‹… 𝑑0βˆ’1 β‹… 𝑓 (𝑦1 ) β‹… 𝑑𝑠 βˆ’1

󳨐⇒ 𝛽󸀠 (𝑅) = 𝑦2 β‹… π‘‘π‘ βˆ’1 β‹… 𝑓(𝑦1 )

β‹… 𝑑0 ;

then using π›½σΈ€ βˆ’1 we can recover the random number 𝑅 by βˆ’1

π›½σΈ€ βˆ’1 (𝛽󸀠 (𝑅)) = π›½σΈ€ βˆ’1 (𝑦2 π‘‘π‘ βˆ’1 𝑓(𝑦1 ) 𝑑0 ) = 𝑅.

(12)

Consequently, using 𝑦1 we can recover message π‘š by π‘š = 𝛼󸀠 (𝑅)βˆ’1 β‹… 𝑦1 .

(13)

4

Mathematical Problems in Engineering

3.2. Security Analysis 3.2.1. Attack on Private Key. (a) In general, the adversary tries to obtain 𝛽 and (𝑑0 , 𝑑𝑠 ) from the equation βˆ’1

𝛽󸀠 (𝑅) = 𝑦2 β‹… π‘‘π‘ βˆ’1 β‹… 𝑓(𝑦1 )

β‹… 𝑑0 ,

(14)

where 𝑅 ∈ Z|Z| , 𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘š, 𝑦2 = 𝛾󸀠 (𝑅), and 𝑓(𝑦1 )βˆ’1 ∈ Z. The adversary mainly attempts to compute enough values 𝛽󸀠 (𝑅𝑖 ) in order to construct 𝛽 using the corresponding conclusion in [27]. If 𝛽 is of type (π‘Ÿ1 , π‘Ÿ2 , . . . , π‘Ÿπ‘  ), then one can construct a logarithmic signature equivalent to 𝛽 by using 𝑛 selected values 𝛽󸀠 (𝑅𝑖 ), where 𝑛 = 1 βˆ’ 𝑠 + βˆ‘π‘ π‘˜=1 π‘Ÿπ‘˜ . Let {𝑅1 , 𝑅2 , . . . , 𝑅𝑛 } be a collection of random numbers chosen by the adversary. Then βˆ’1

𝛽󸀠 (𝑅𝑖 ) = 𝑦𝑖2 π‘‘π‘ βˆ’1 𝑓(𝑦𝑖1 ) 𝑑0 βˆ’1

= 𝑓(𝑦𝑖1 ) 𝑦𝑖2 π‘‘π‘ βˆ’1 𝑑0 ,

𝑖 = 1, . . . , 𝑛,

(15)

where 𝑦𝑖1 = 𝛼󸀠 (𝑅𝑖 ) β‹… π‘š, 𝑦𝑖2 = 𝛾󸀠 (𝑅𝑖 ), and 𝑓(𝑦𝑖1 )βˆ’1 ∈ Z. Note that in the equation above, 𝑓(𝑦𝑖1 )βˆ’1 and 𝑦𝑖2 are known and 𝛽󸀠 (𝑅𝑖 ) ∈ Z; then we have βˆ’1

𝑓(𝑦𝑖1 )

𝑦𝑖2 π‘‘π‘ βˆ’1 𝑑0

∈Z

󳨐⇒ 𝑑0 ∈ 𝑑𝑠 𝑦𝑖2βˆ’1 𝑓 (𝑦𝑖1 ) Z.

(16)

Since 𝑑𝑠 ∈ 𝐺 \ Z, there are π‘ž2 βˆ’ π‘ž possibilities for 𝑑𝑠 . If 𝑑𝑠 is chosen, from 𝑑0 ∈ 𝑑𝑠 𝑦𝑖2βˆ’1 𝑓(𝑦𝑖1 )Z, there are π‘ž possibilities for 𝑑0 . Hence, there are π‘ž(π‘ž2 βˆ’ π‘ž) suitable pairs (𝑑0 , 𝑑𝑠 ). Besides, for each solution pair (𝑑0 , 𝑑𝑠 ), there are π‘ž equivalent solutions (𝑑0 𝑧, 𝑑𝑠 𝑧) with 𝑧 ∈ Z. Consequently, there are π‘ž2 βˆ’ π‘ž different solutions, so the success probability of the attacker is 1/π‘ž(π‘ž βˆ’ 1). (b) In this attack, an adversary mainly wants to utilize equivalent secret key [π›½βˆ— , (𝑑0βˆ— , . . . , π‘‘π‘ βˆ— )] to replace the real secret key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. From [34], we can see that the adversary only needs to let π‘‘π‘–βˆ— = 𝑑𝑖 𝑧𝑖 (1 ≀ 𝑖 ≀ 𝑠) and π‘π‘–π‘—βˆ— = 𝑏𝑖𝑗 𝑐𝑖𝑗 (1 ≀ 𝑖 ≀ 𝑠, 1 ≀ 𝑗 ≀ π‘Ÿπ‘– ) for 𝑧𝑖 , 𝑐𝑖𝑗 ∈ Z. So for the first block of 𝛾, we have β„Ž1𝑗 = 𝑏1𝑗 𝑑0βˆ—βˆ’1 𝑧0 𝑓 (π‘Ž1𝑗 ) 𝑑1 .

(17)

Let 𝑏𝑖1βˆ— = 𝑖𝑑; then 𝑐𝑖1 = 𝑏𝑖1 ; we have βˆ— 𝑐11 𝑑0βˆ—βˆ’1 𝑧0 𝑓 (π‘Ž11 ) 𝑑1 β„Ž11 = 𝑏11 βˆ— βˆ—βˆ’1 = 𝑏11 𝑑0 𝑓 (π‘Ž11 ) (𝑑1 𝑐11 𝑧0 ) 󳨐⇒ 𝑑1βˆ— = 𝑑1 𝑐11 𝑧0 ,

β„Ž1𝑗 = 𝑏1𝑗 𝑑0βˆ—βˆ’1 𝑧0 𝑓 (π‘Ž1𝑗 ) (𝑑1βˆ— 𝑐11 𝑧0 ) βˆ— 𝑏1𝑗 = 𝑏1𝑗 𝑐1𝑗 =

βˆ’1 β„Ž1𝑗 𝑑1βˆ—βˆ’1 𝑓(π‘Ž1𝑗 ) 𝑑0βˆ—

βˆ’1

𝑗 = 2, . . . , π‘Ÿ2 ,

βˆ— 𝑏2𝑗 = 𝑏2𝑗 𝑐2𝑗 = β„Ž2𝑗 𝑑2βˆ—βˆ’1 𝑓(π‘Ž2𝑗 ) 𝑑1βˆ— 󳨐⇒ 𝑐2𝑗 = 𝑐21 = 𝑏21

.. .

𝑠

= 𝛽󸀠 (𝑅) 𝑑0βˆ—βˆ’1 𝑧0βˆ’1 𝑓 (𝛼󸀠 (𝑅)) π‘‘π‘ βˆ— 𝑧0 βˆπ‘π‘˜ π‘˜=1

(18)

(19)

𝑠

= (𝛽󸀠 (𝑅) βˆπ‘π‘˜ ) 𝑑0βˆ—βˆ’1 𝑓 (𝛼󸀠 (𝑅)) π‘‘π‘ βˆ— . π‘˜=1

Let 𝛽󸀠 (𝑅) = 𝑏1π‘₯1 𝑏2π‘₯2 β‹… β‹… β‹… 𝑏𝑠π‘₯𝑠 , π›½βˆ— := (π‘π‘–π‘—βˆ— ), and π‘π‘–π‘—βˆ— = 𝑏𝑖𝑗 𝑐𝑖 for 𝑐𝑖 ∈ Z; then βˆ— βˆ— βˆ— 𝑏 β‹… β‹… β‹… 𝑏𝑠π‘₯ π›½βˆ— (𝑅) = 𝑏1π‘₯ 1 2π‘₯2 𝑠

= 𝑏1π‘₯1 𝑐1 𝑏2π‘₯2 𝑐2 β‹… β‹… β‹… 𝑏𝑠π‘₯𝑠 𝑐𝑠

(20)

𝑠

= 𝛽󸀠 (𝑅) βˆπ‘π‘˜ . π‘˜=1

Since π›½βˆ— is tame, so the adversary can use forgery secret key [π›½βˆ— , (𝑑0βˆ— , . . . , π‘‘π‘ βˆ— )] to recover the random number 𝑅. Meanwhile, from conclusions in [31], as there are π‘ž = |𝐺/Z| possible choices for 𝑑0 in 𝑑0 Z, the complexity for this attack is O(π‘ž). Since the center Z of Suzuki 2-group has a large order π‘ž, so the attack is computationally infeasible. 3.2.2. Attack on Ciphertext OW (onewayness). In the stage of encryption, from the equation 𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘₯, we can get that π‘₯ = 𝛼󸀠 (𝑅)βˆ’1 β‹… 𝑦1 . Hence, if the adversary wants to recover message π‘₯, he either directly seeks the random number 𝑅 or recovers 𝑅 from 𝛾󸀠 (𝑅). However, since π‘ž is large enough and 𝛾󸀠 is a one-way map, so the attack is computationally infeasible. IND (indistinguishability). Although we cannot give a formal proof on the indistinguishability of the scheme, we would like to analyse it in a heuristic manner. Suppose that (𝑦1βˆ— , 𝑦2βˆ— ) is the ciphertext of π‘š0 or π‘š1 , where 𝑦1βˆ— = 𝛼󸀠 (𝑅) β‹… π‘šπ›Ώ , 𝑦2βˆ— = 𝛾󸀠 (𝑅), 𝛿 = 0 or 1, π‘š0 , and π‘š1 are randomly selected by the adversary. Then we can analyse the following two cases:

𝑦1σΈ€  = 𝛼󸀠 (𝑅󸀠 ) β‹… π‘š1

󳨐⇒ 𝑐1𝑗 = 𝑐11 = 𝑏11 ,

β„Ž2𝑗 = 𝑏2𝑗 𝑑1βˆ—βˆ’1 𝑐11 𝑧0 𝑓 (π‘Ž2𝑗 ) 𝑑2βˆ— 𝑐21 𝑐11 𝑧0

𝛾󸀠 (𝑅) = 𝛽󸀠 (𝑅) 𝑑0βˆ’1 𝑓 (𝛼󸀠 (𝑅)) 𝑑𝑠

𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘š0

𝑗 = 2, . . . , π‘Ÿ1 ,

βˆ— 𝑐21 𝑑1βˆ—βˆ’1 𝑐11 𝑧0 𝑓 (π‘Ž21 ) 𝑑2 󳨐⇒ 𝑑2βˆ— = 𝑑2 𝑐21 𝑐11 𝑧0 , β„Ž21 = 𝑏21

We can get that 𝑐𝑖𝑗 = 𝑐𝑖1 = 𝑏𝑖1 for all 𝑖 = 1, . . . , 𝑠. If we denote 𝑐𝑖𝑗 = 𝑐𝑖 , then π‘‘π‘–βˆ— = 𝑑𝑖 𝑧0 βˆπ‘–π‘˜=1 π‘π‘˜ . Consider

𝑦2 = 𝛾󸀠 (𝑅) , 𝑦2σΈ€  = 𝛾󸀠 (𝑅󸀠 ) .

(21)

Since 𝑅 and 𝑅󸀠 are randomly selected, and they admit the same distribution, thus, 𝑅 and 𝑅󸀠 are statistically indistinguishable for the adversary. It can be denoted by 𝑅 β‰ˆπ‘  𝑅󸀠 . Meanwhile, since 𝛼󸀠 and 𝛽󸀠 are both one-way maps, so we can get that 𝛼󸀠 (𝑅) β‰ˆπ‘  𝛼󸀠 (𝑅󸀠 ) and 𝛾󸀠 (𝑅) β‰ˆπ‘  𝛾󸀠 (𝑅󸀠 ). Besides, since

π‘š0 β‰ˆπ‘  π‘š1 , so 𝛼󸀠 (𝑅) β‹… π‘š0 β‰ˆπ‘  𝛼󸀠 (𝑅󸀠 ) β‹… π‘š1 . Consequently, we can get that (𝑦1 , 𝑦2 ) β‰ˆπ‘  (𝑦1σΈ€  , 𝑦2σΈ€  ).

Mathematical Problems in Engineering

5

4. A Digital Signature Scheme Based on the New MST 3 Cryptosystem

𝑆2 .

In this section, we utilize the encryption scheme above to construct a digital signature scheme based on random covers and logarithmic signatures.

Meanwhile, 𝑆1 = π›½σΈ€ βˆ’1 (𝑓(𝑐1 )βˆ’1 β‹… 𝑑0 β‹… 𝑐2 β‹… π‘‘π‘ βˆ’1 ) and 𝑐1 = 𝛼󸀠 (𝑆1 ) β‹… Hence, βˆ’1

β‹… 𝑑0 β‹… 𝛾󸀠 (𝑆1 ) β‹… π‘‘π‘ βˆ’1

βˆ’1

β‹… 𝑑0 β‹… 𝑐2 β‹… π‘‘π‘ βˆ’1

𝑓(𝛼󸀠 (𝑆1 ))

4.1. Description of the Scheme

= 𝑓(𝑐1 )

Key Generation

= 𝑓(𝛼󸀠 (𝑆1 ) β‹… 𝑆2 )

βˆ’1

Input: a large group 𝐺 = 𝐴(π‘š, πœƒ) and π‘ž = 2π‘š . Output: a public key [𝛼, 𝛾, 𝑓, 𝐻] with corresponding private key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. (1) Choose a tame logarithmic signature 𝛽 = [𝐡1 , 𝐡2 , . . . , 𝐡𝑠 ] := (𝑏𝑖𝑗 ) = (𝑆(0, 𝑏(𝑖𝑗)⋅𝑏 )) of type (π‘Ÿ1 , π‘Ÿ2 , . . . , π‘Ÿπ‘  ) for Z, where 𝑏𝑖𝑗 ∈ 𝐺 and 𝑏(𝑖𝑗)⋅𝑏 ∈ Fπ‘ž . (2) Select a random cover 𝛼 = [𝐴 1 , 𝐴 2 , . . . , 𝐴 𝑠 ] := (π‘Žπ‘–π‘— ) = (𝑆(π‘Ž(𝑖𝑗)β‹…π‘Ž , π‘Ž(𝑖𝑗)⋅𝑏 )) of the same type as 𝛽 for a certain subset 𝐽 of 𝐺 such that 𝐴 1 , . . . , 𝐴 𝑠 βŠ† 𝐺 \ Z, where π‘Žπ‘–π‘— ∈ 𝐺, π‘Ž(𝑖𝑗)β‹…π‘Ž ∈ Fπ‘ž \ {0}, and π‘Ž(𝑖𝑗)⋅𝑏 ∈ Fπ‘ž . (3) Choose 𝑑0 , 𝑑1 , . . . , 𝑑𝑠 ∈ 𝐺 \ Z. (4) Construct a homomorphisms 𝑓 : 𝐺 β†’ Z defined by 𝑓(𝑆(π‘Ž, 𝑏)) = 𝑆(0, π‘Ž). (5) Compute 𝛾 := (β„Žπ‘–π‘— ) = (𝑆(β„Ž(𝑖𝑗)β‹…π‘Ž , β„Ž(𝑖𝑗)⋅𝑏 )), where β„Žπ‘–π‘— = βˆ’1 π‘‘π‘–βˆ’1 β‹… 𝑓(π‘Žπ‘–π‘— ) β‹… 𝑏𝑖𝑗 β‹… 𝑑𝑖 . (6) Define a hash function 𝐻 : 𝐺 Γ— 𝐺 β†’ 𝐺. (7) Output public key [𝛼, 𝛾, 𝑓, 𝐻] and private key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. Signature Input: a message π‘š ∈ 𝐺 and private key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. Output: signature 𝜎 = (𝑆1 , 𝑆2 ). (1) Randomly select 𝑧 ∈ Z and compute a random element π‘Ÿ = 𝑑0βˆ’1 𝑧𝑑𝑠 ∈ 𝐺. Let 𝑐2 = π‘Ÿ, 𝑐1 = 𝐻(π‘š, π‘Ÿ). (2) Compute 𝑆1 = π›½σΈ€ βˆ’1 (𝑓(𝑐1 )βˆ’1 β‹… 𝑑0 β‹… 𝑐2 β‹… π‘‘π‘ βˆ’1 ) and 𝑆2 = 𝛼󸀠 (𝑆1 )βˆ’1 β‹… 𝑐1 . (3) Output 𝜎 = (𝑆1 , 𝑆2 ).

Verification Input: the message π‘š ∈ 𝐺, signature 𝜎 = (𝑆1 , 𝑆2 ), and public key [𝛼, 𝛾, 𝑓, 𝐻]. Output: 0 or 1. (1) Compute 𝐴 = 𝛼󸀠 (𝑆1 ) β‹… 𝑆2 and 𝐡 = 𝐻(π‘š, 𝛾󸀠 (𝑆1 ) β‹… 𝑓(𝑆2 )). (2) If 𝐴 = 𝐡, output 1; otherwise output 0. Correctness. For a given message π‘š ∈ 𝐺, 𝛾󸀠 (𝑆1 ) = 𝑑0βˆ’1 β‹… 𝑓 (𝛼󸀠 (𝑆1 )) β‹… 𝛽󸀠 (𝑆1 ) β‹… 𝑑𝑠 󳨐⇒ 𝑆1 = π›½σΈ€ βˆ’1 (𝑓(𝛼󸀠 (𝑆1 ))

βˆ’1

β‹… 𝑑0 β‹… 𝛾󸀠 (𝑆1 ) β‹… π‘‘π‘ βˆ’1 ) . (22)

σΈ€ 

βˆ’1

= 𝑓(𝛼 (𝑆1 ))

β‹… 𝑑0 β‹… 𝑐2 β‹… π‘‘π‘ βˆ’1

β‹… 𝑑0 β‹… (𝑓(𝑆2 ) βˆ’1

󳨐⇒ 𝛾󸀠 (𝑆1 ) = 𝑓(𝑆2 )

βˆ’1

β‹… 𝑐2 ) β‹…

(23) π‘‘π‘ βˆ’1

β‹… 𝑐2

󳨐⇒ 𝑐2 = 𝛾󸀠 (𝑆1 ) β‹… 𝑓 (𝑆2 ) . Consequently, we have 𝐻 (π‘š, 𝑐2 ) = 𝑐1 󳨐⇒ 𝐻 (π‘š, 𝛾󸀠 (𝑆1 ) β‹… 𝑓 (𝑆2 )) = 𝛼󸀠 (𝑆1 ) β‹… 𝑆2 .

(24)

4.2. Security Analysis 4.2.1. Attack on Private Key. (a) Compared with the encryption scheme in Section 3, we add a secure hash function in the signature scheme. Hence, analysis of the security of the signature scheme is similar to that in the encryption scheme. In the signature scheme, the goal of the general attack is also to determine 𝛽 and (𝑑0 , 𝑑𝑠 ) from the equation βˆ’1

𝛽󸀠 (𝑅) = 𝑦2 π‘‘π‘ βˆ’1 𝑓(𝑦1 ) 𝑑0 ,

(25)

where 𝑦1 = 𝛼󸀠 (𝑅) β‹… π‘₯, 𝑦2 = 𝛾󸀠 (𝑅), and 𝑓(𝑦1 )βˆ’1 ∈ Z. Let {𝑅1 , 𝑅2 , . . . , 𝑅𝑛 } be a collection of random numbers chosen by the adversary. Then we have βˆ’1

𝛽󸀠 (𝑅𝑖 ) = 𝑦𝑖2 π‘‘π‘ βˆ’1 𝑓(𝑦𝑖1 ) 𝑑0 βˆ’1

= 𝑓(𝑦𝑖1 ) 𝑦𝑖2 π‘‘π‘ βˆ’1 𝑑0 ,

(26)

where 𝑦𝑖1 = 𝛼󸀠 (𝑅𝑖 ) β‹… π‘₯, 𝑦𝑖2 = 𝛾󸀠 (𝑅𝑖 ), and 𝑓(𝑦𝑖1 )βˆ’1 ∈ Z. Then βˆ’1

𝑓(𝑦𝑖1 ) 𝑦𝑖2 π‘‘π‘ βˆ’1 𝑑0 ∈ Z 󳨐⇒ 𝑑0 ∈ 𝑑𝑠 𝑦𝑖2βˆ’1 𝑓 (𝑦𝑖1 ) Z.

(27)

As described in Section 3, there are π‘ž2 βˆ’ π‘ž different solutions; the success probability of the adversary is 1/π‘ž(π‘ž βˆ’ 1). (b) In our signature scheme, we construct a ciphertext pair (𝑐1 , 𝑐2 ) then obtain the signature 𝜎 = (𝑆1 , 𝑆2 ) by decrypting the pair (𝑐1 , 𝑐2 ). Therefore, analysis of the equivalent key is similar to that in Section 3. In this attack, an adversary mainly wants to utilize equivalent secret key [π›½βˆ— , (𝑑0βˆ— , . . . , π‘‘π‘ βˆ— )]

6

Mathematical Problems in Engineering

to replace the real secret key [𝛽, (𝑑0 , . . . , 𝑑𝑠 )]. As described in Section 3, for a random number 𝑅 ∈ Z|Z| , 𝛾󸀠 (𝑅) = 𝛽󸀠 (𝑅) 𝑑0βˆ’1 𝑓 (𝛼󸀠 (𝑅)) 𝑑𝑠 𝑠

= 𝛽󸀠 (𝑅) 𝑑0βˆ—βˆ’1 𝑧0 𝑓 (𝛼󸀠 (𝑅)) π‘‘π‘ βˆ— 𝑧0 βˆπ‘π‘˜ π‘˜=1

(28)

𝑠

= (𝛽󸀠 (𝑅) βˆπ‘π‘˜ ) 𝑑0βˆ—βˆ’1 𝑓 (𝛼󸀠 (𝑅)) π‘‘π‘ βˆ— . π‘˜=1

Let 𝛽󸀠 (𝑅) = 𝑏1π‘₯1 𝑏2π‘₯2 β‹… β‹… β‹… 𝑏𝑠π‘₯𝑠 and π›½βˆ— := (π‘π‘–π‘—βˆ— ), π‘π‘–π‘—βˆ— = 𝑏𝑖𝑗 𝑐𝑖 ; then βˆ— βˆ— βˆ— 𝑏 β‹… β‹… β‹… 𝑏𝑠π‘₯ π›½βˆ— (𝑅) = 𝑏1π‘₯ 1 2π‘₯2 𝑠

= 𝑏1π‘₯1 𝑐1 𝑏2π‘₯2 𝑐2 β‹… β‹… β‹… 𝑏𝑠π‘₯𝑠 𝑐𝑠

(29)

𝑠

= 𝛽󸀠 (𝑅) βˆπ‘π‘˜ . π‘˜=1

Consequently, the complexity for this attack is O(π‘ž). While, due to the center Z of Suzuki 2-group having a large order π‘ž, so the attack is computationally infeasible. 4.2.2. Unforgeability. Suppose that Eve attempts to forge a message-signature pair (π‘šβˆ— , 𝑆1βˆ— , 𝑆2βˆ— ) such that 𝛼 (𝑆1βˆ— ) β‹… 𝑆2βˆ— = 𝐻 (π‘šβˆ— , 𝛾󸀠 (𝑆1βˆ— ) β‹… 𝑓 (𝑆2βˆ— )) .

(30)

Case 1. Eve chooses a random number 𝑆1βˆ— ∈ Z|Z| and 𝑆2βˆ— ∈ 𝐺 then computes 𝛼(𝑆1βˆ— ) β‹… 𝑆2βˆ— and 𝛾(𝑆1βˆ— ) β‹… 𝑓(𝑆2βˆ— ). If Eve can get a message π‘šβˆ— satisfying the above equation, then he can answer the preimage of hash function 𝐻, but it is infeasible since 𝐻 is a secure cryptographic hash function. Case 2. Eve randomly selects two elements π‘šβˆ— ∈ 𝐺 and 𝑆2βˆ— ∈ 𝐺 and computes 𝑐2βˆ— = 𝐻(π‘šβˆ— , 𝑐1βˆ— ). In order to obtain a valid 𝑆1βˆ— , Eve selects 𝑐1βˆ— and computes 𝑦 = 𝐻(π‘šβˆ— , 𝑐1βˆ— β‹… 𝑓(𝑆2βˆ— )) β‹… (𝑆2βˆ— )βˆ’1 . Getting a right 𝑆1βˆ— such that 𝛼(𝑆1βˆ— ) β‹… 𝑆2βˆ— = 𝐻(π‘šβˆ— , 𝛾󸀠 (𝑆1βˆ— ) β‹… 𝑓(𝑆2βˆ— )) is equivalent to solving the equations 𝑐1βˆ— = 𝛾󸀠 (𝑆1βˆ— ) and 𝑦 = 𝛼󸀠 (𝑆1βˆ— ). Since 𝛼󸀠 and 𝛾󸀠 are both one-way functions, so Eve cannot answer right 𝑆1βˆ— by considering the corresponding ciphertext (𝑐1βˆ— , 𝑦). Case 3. Eve randomly chooses one pair (π‘šβˆ— , 𝑆1βˆ— ) and π‘Ÿ ∈ Z then computes 𝑆2βˆ— = 𝛼󸀠 (𝑆1βˆ— )βˆ’1 β‹… 𝐻(π‘šβˆ— , 𝛾󸀠 (𝑆1βˆ— ) β‹… π‘Ÿ). If 𝑓(𝑆2βˆ— ) = π‘Ÿ, then Eve can forge one valid signature. Note that the probability of this case is Pr[𝑓(𝑆2βˆ— ) = π‘Ÿ] = 1/π‘ž for |Z| = π‘ž. Since π‘ž is large enough, this attack is computationally infeasible.

5. Comparisons and Illustrations 5.1. Comparisons. In this subsection, we compare 𝑒𝑀𝑆𝑇3 encryption scheme in [34] and our encryption scheme on number of basic operations. Then, we make further efforts to show the performance of our signature scheme. We

summarize the number of basic operations (addition (ADD), multiplication (MULT), exponentiation with πœƒ (EXP(πœƒ)), etc.). Table 1 shows the number of operations required for 𝑒𝑀𝑆𝑇3 scheme and our scheme. The corresponding operations are namely addition (ADD), multiplication (MULT), exponentiation with πœƒ (EXP(πœƒ)), generation of m-bit random R (PRNG) [36], and factorization of 𝛽󸀠 (𝑅) ∈ Z with respect to a logarithmic signature 𝛽 using the Algorithms 9, 10, and 11 (FACTOR) [34]. Table 2 presents the number of operations required for public key and secret key. The corresponding operations are, namely, addition (ADD) and multiplication (MULT) generation of π‘š-bit random 𝑅 (PRNG) [36]. For example, when 𝑠 = 26, V = 52, the number of multiplication for secret key 𝛽 is 1792 and the number of generation of π‘š-bit random 𝑅 is 760; when 𝑠 = 23, V = 44, the number of multiplication for secret key 𝛽 is 2688 and the number of generation of π‘š-bit random 𝑅 is 948; when 𝑠 = 20, V = 58, the number of multiplication for secret key 𝛽 is 4864 and the number of generation of π‘š-bit random 𝑅 is 712. Table 3 indicates the performance of the signature scheme. Table 4 indicates parameter size in our schemes. Here, we mainly analyse the number of elements in Suzuki 2-group. Remark 3. In the community of cryptography based on chaos theory, a lot of efforts were focused on secret key cryptography in early years [5–7]. Recently, Wang et al. [8–14] made progress on building public key agreement protocols by using chaos theory. The corresponding schemes also have high efficiency and strong security. Being different from quantum cryptography, chaotic cryptography, and DNA cryptography, 𝑀𝑆𝑇3 cryptosystem is a public key cryptosystem of classical cryptography. The hardness of our encryption scheme is based on a type of intractable mathematical problem called group factorization problem. Meanwhile, our encryption scheme and signature scheme are efficient in classical computer. 5.2. A Toy Example. In this subsection, we present a toy example of signing a random element π‘š ∈ Fπ‘ž . In fact, our method is universal in the sense that it can be used to sign documents or realize authentication protocols based on images. Key Generation Input: a Suzuki 2-group 𝐺 = 𝐴(π‘š, πœƒ) with π‘š = 8, π‘ž = 28 and 𝑠 = 2. Output: public key [𝛼, 𝛾, 𝑓, 𝐻] and private key [𝛽, 𝑑0 , 𝑑1 , 𝑑2 ]. In general, let a pair (π‘Ž, 𝑏) denote an element of group 𝐺. For simplicity, we use a binary number of an element 𝑏 ∈ Fπ‘ž to present (0, 𝑏) ∈ Z and a binary numbers pair to present (π‘Ž, 𝑏) ∈ 𝐺.

Mathematical Problems in Engineering

7

Table 1: Number of basic operations for one encryption/decryption.

Encryption1 Decryption2

F2π‘š ADD 8𝑠 βˆ’ 6 8𝑠 βˆ’ 7 4𝑠 + 15 4𝑠 + 10

𝑒𝑀𝑆𝑇3 scheme [34] Our scheme 𝑒𝑀𝑆𝑇3 scheme Our scheme

F2π‘š MULT 2𝑠 βˆ’ 2 2𝑠 βˆ’ 2 𝑠+5 𝑠+3

F2π‘š EXP(πœƒ) β€” β€” 1 β€”

F2π‘š PRNG 1 1 β€” β€”

Factor β€” β€” 1 1

1

Compared with 𝑒𝑀𝑆𝑇3 scheme, our scheme reduces a step of multiplication with the element of the center Z in the stage of encryption. Thus, the number of (F2π‘š ADD) reduces once. 2 In the stage of decryption, our scheme reduces a step of inverse operation, a step of multiplication operation, and a F2π‘š EXP(πœƒ) operation, so the number of (F2π‘š ADD) reduces five times and (F2π‘š MULT) reduces twice.

Table 2: Number of basic operations for public key generation. F2π‘š ADD F2π‘š MULT F2π‘š PRNG

Secret key 𝛽 𝑇3 β€” 5 V βˆ‘π‘™=1 π‘Ÿπ‘™βˆ—

Secret key [𝑑0 , . . . , 𝑑𝑠 ] β€” 𝑠 + 14 2(𝑠 + 1)

Public key 𝛼 𝑇 π‘‡βˆ’π‘  2𝑇 βˆ’ 𝑠

Public key 𝛾 9𝑇 + 𝑠 2𝑇 + 𝑠 β€”

{0 if 𝑒𝑖 = 1 𝑒𝑖 βˆ— . 𝑇 = βˆ‘π‘ π‘–=1 π‘Ÿπ‘– , π‘Ÿπ‘– = βˆπ‘—=1 π‘Ÿπ‘–π‘— β‹… 𝑀𝑖 for 1 ≀ 𝑖 ≀ 𝑠 and βˆ‘π‘ π‘–=1 𝑒𝑖 = V, where 𝑀𝑖 = { {1 if 𝑒𝑖 > 1 4 For π‘Ž ∈ Fπ‘ž , πœƒ : π‘Ž β†’ π‘Ž2 is a Frobenius automorphism. Hence, πœƒ can be reduced to a multiplication. 5 V represents the number of blocks before fusion. 3

(i) For simplicity, we use a one-way function 𝐻 as the hash function in our scheme. That is, 𝐻: 𝐺 Γ— 𝐺 β†’ 𝐺 is given by π‘Ž

𝑏

𝐻 ((π‘Ž1 , 𝑏1 ) , (π‘Ž2 , 𝑏2 )) = (π‘Ž1 2 , 𝑏12 ) .

(31)

Actually, one can also use standard hash functions like SHA1 and so forth. (ii) A factorizable logarithmic signature 𝛽 = [𝐡1 , 𝐡2 ] = (𝑏𝑖,𝑗 ) = (𝑆(0, 𝑏(𝑖𝑗)β‹…2 )) of type (π‘Ÿ1 , . . . , π‘Ÿπ‘  ) for Z. (1) We first construct canonical logarithmic signature [𝐡1βˆ— , 𝐡2βˆ— , 𝐡3βˆ— ] of type (4, 8, 8) in standard form: 𝐡1βˆ— = {[0 0 0 0 0 0 0 0] , [0 1 0 0 0 0 0 0] , [1 0 0 0 0 0 0 0] , [1 1 0 0 0 0 0 0]} ,

(2) Fuse blocks 𝐡1βˆ— , 𝐡3βˆ— to construct the product 𝐡2 = (𝐡1βˆ— β‹… = 𝐡2βˆ— . That is, 𝐡1 , 𝐡2 is the logarithmic signature of type (π‘Ÿ1 , π‘Ÿ2 ) (π‘Ÿ1 = 8, π‘Ÿ2 = 32) 𝐡3βˆ— ) and let 𝐡1

𝐡1 = {[1 1 0 0 0 0 0 0] , [0 1 0 0 1 0 0 0] , [0 1 0 1 0 0 0 0] , [0 0 0 1 1 0 0 0] , [0 0 1 0 0 0 0 0] , [0 0 1 0 1 0 0 0] , [1 1 1 1 0 0 0 0] , [1 1 1 1 1 0 0 0]} , (33) 𝐡2 = {[1 1 0 1 0 0 0 0] , [1 1 1 1 0 0 0 1] , [0 1 0 1 0 0 1 0] , [1 1 1 1 1 0 1 1] , [0 1 1 0 1 1 0 0] , [0 1 1 1 0 1 0 1] ,

𝐡2βˆ— = {[1 1 0 0 0 0 0 0] , [0 1 0 0 1 0 0 0] ,

[1 0 1 0 0 1 1 0] , [0 1 1 1 1 1 1 1] ,

[0 1 0 1 0 0 0 0] , [0 0 0 1 1 0 0 0] ,

[1 0 0 1 0 0 0 0] , [1 0 1 1 0 0 0 1] ,

[0 0 1 0 0 0 0 0] , [0 0 1 0 1 0 0 0] ,

[0 0 0 1 0 0 1 0] , [1 0 1 1 1 0 1 1] ,

[1 1 1 1 0 0 0 0] , [1 1 1 1 1 0 0 0]} ,

[0 0 1 0 1 1 0 0] , [0 0 1 1 0 1 0 1] ,

𝐡3βˆ— = {[1 1 0 1 0 0 0 0] , [1 1 1 1 0 0 0 1] ,

[1 1 1 0 0 1 1 0] , [0 0 1 1 1 1 1 1] ,

[0 1 0 1 0 0 1 0] , [1 1 1 1 1 0 1 1] ,

[0 1 0 1 0 0 0 0] , [0 1 1 1 0 0 0 1] ,

[0 1 1 0 1 1 0 0] , [0 1 1 1 0 1 0 1] ,

[1 1 0 1 0 0 1 0] , [0 1 1 1 1 0 1 1] ,

[1 0 1 0 0 1 1 0] , [0 1 1 1 1 1 1 1]} . (32)

[1 1 1 0 1 1 0 0] , [1 1 1 1 0 1 0 1] , [0 0 1 0 0 1 1 0] , [1 1 1 1 1 1 1 1] ,

8

Mathematical Problems in Engineering Table 3: Number of basic operations for digital signature scheme.

Signature Verification

F2π‘š ADD 4𝑠 + 11 8𝑠 βˆ’ 7

F2π‘š MULT 𝑠+3 2𝑠 βˆ’ 2

F2π‘š EXP(πœƒ) β€” β€”

[0 0 0 1 0 0 0 0] , [0 0 1 1 0 0 0 1] , [1 0 0 1 0 0 1 0] , [0 0 1 1 1 0 1 1] , [1 0 1 0 1 1 0 0] , [1 0 1 1 0 1 0 1] , [0 1 1 0 0 1 1 0] , [1 0 1 1 1 1 1 1]} . (34) (i) A random cover 𝛼 = [𝐴 1 , 𝐴 2 ] = (π‘Žπ‘–π‘— ) = (𝑆(π‘Ž(𝑖𝑗)β‹…1 , π‘Ž(𝑖𝑗)β‹…2 )) of the same type as 𝛽 𝐴 1 = {([0 1 0 1 0 1 0 1] , [0 0 1 0 1 0 0 0]) , ([0 1 1 0 0 0 1 0] , [0 0 0 0 0 1 0 0]) , ([1 0 1 1 1 0 1 0] , [1 1 1 1 0 0 0 0]) , ([1 1 1 1 1 0 1 0] , [0 1 0 1 1 1 1 0]) ,

F2π‘š PRNG 1 β€”

Factor 1 β€”

Table 4: Parameter size. Public key Secret key Encryption Signature Number of elements 6

2𝑇6

𝑇+𝑠+1

2

2

𝑇 is the same as Table 2.

([1 0 1 0 0 1 0 0] , [1 0 1 0 0 0 0 1]) , ([1 1 1 0 0 0 0 0] , [1 1 0 0 1 1 1 0]) , ([0 0 0 0 0 0 0 1] , [0 0 1 0 1 1 0 0]) , ([1 1 1 0 1 1 0 1] , [0 0 1 0 0 0 1 0]) , ([1 1 0 0 0 0 0 0] , [0 0 0 0 0 1 0 0]) , ([0 1 1 0 1 1 1 1] , [1 0 0 0 0 0 0 1]) , ([0 0 1 0 0 0 0 0] , [1 1 0 0 0 0 0 0]) ,

([1 1 1 1 1 0 0 0] , [1 0 0 1 1 1 1 0]) ,

([1 1 0 1 1 0 1 0] , [0 0 0 1 1 0 1 0]) ,

([1 1 0 0 0 1 1 1] , [0 0 0 1 0 1 0 0]) ,

([0 1 0 0 1 0 1 0] , [0 1 0 1 1 1 0 0]) ,

([0 1 0 1 1 0 1 1] , [1 1 1 0 1 0 1 1]) ,

([1 1 1 1 0 1 1 1] , [0 0 1 0 1 0 1 0]) ,

([0 0 0 1 0 0 1 1] , [1 0 1 0 1 1 1 1])} ,

([1 0 0 1 0 1 1 1] , [1 1 1 0 0 1 0 1]) ,

𝐴 2 = {([0 1 0 1 1 1 0 1] , [0 0 1 1 1 1 1 0]) , ([0 0 1 1 0 0 1 0] , [0 0 0 0 1 0 0 0]) , ([0 1 0 0 1 0 1 0] , [1 1 1 0 0 0 1 1]) , ([1 1 0 0 1 1 0 0] , [0 0 0 0 1 0 1 1]) ,

([0 1 0 0 1 1 1 0] , [1 0 1 1 1 0 1 1]) , ([1 1 1 1 1 0 1 0] , [0 1 0 0 1 1 0 0]) , ([1 1 1 1 0 1 0 0] , [1 0 0 1 1 1 0 0]) , ([0 0 0 0 0 0 1 1] , [1 0 1 0 1 1 1 0]) , ([0 0 0 0 1 1 0 0] , [1 0 1 0 1 1 0 1]) ,

([1 1 1 0 1 0 0 1] , [1 0 0 1 1 1 1 0]) ,

([1 1 1 1 1 0 0 1] , [0 0 1 0 1 0 0 0]) ,

([1 0 0 0 1 0 1 1] , [1 0 1 1 0 0 0 0]) ,

([0 0 0 0 1 1 0 1] , [0 1 0 0 0 0 1 0]) ,

([0 0 1 1 1 0 1 1] , [1 1 0 1 1 0 1 0]) ,

([0 1 0 1 1 1 0 1] , [0 1 1 0 1 0 1 1])} . (35)

([0 1 1 1 0 1 0 1] , [0 1 0 1 1 1 0 1]) , ([0 0 1 1 0 0 0 1] , [0 1 1 1 1 1 0 0]) ,

(ii) Select 𝑑0 , 𝑑1 , 𝑑2 ∈ 𝐺 \ Z: 𝑑0 = ([1 1 1 1 0 1 0 0] , [1 1 1 1 1 0 0 1]) ,

([0 0 1 0 1 1 1 0] , [0 0 1 0 0 1 1 0]) ,

𝑑1 = ([0 0 1 0 0 0 1 0] , [0 1 0 0 1 1 1 1]) ,

([1 1 0 1 1 1 1 1] , [1 1 0 0 1 0 1 1]) ,

𝑑2 = ([1 1 1 0 1 0 1 1] , [1 0 1 1 0 0 0 0]) .

([0 1 0 0 0 0 1 1] , [1 1 0 0 0 1 1 0]) , ([0 1 1 1 0 1 1 1] , [1 0 0 1 0 0 1 1]) ,

(36) (iii) Construct a homomorphism 𝑓: 𝐺 β†’ Z: 𝑓(π‘Ž, 𝑏) = (0, π‘Ž).

Mathematical Problems in Engineering βˆ’1 (iv) Compute 𝛾 = (β„Žπ‘–,𝑗 ), β„Žπ‘–,𝑗 = π‘‘π‘–βˆ’1 ⋅𝑓(π‘Žπ‘–,𝑗 )⋅𝑏𝑖,𝑗 ⋅𝑑𝑖 = [𝑉1 , 𝑉2 ], and 𝑖 = 0, 1, 2:

𝑉1 = {([1 1 0 1 0 1 1 0] , [1 0 1 0 1 1 1 1]) ,

9 ([1 1 0 0 1 0 0 1] , [0 0 1 1 1 0 1 0]) , ([1 1 0 0 1 0 0 1] , [0 0 0 0 1 1 0 0]) ,

([1 1 0 1 0 1 1 0] , [0 0 0 1 0 0 0 0]) ,

([1 1 0 0 1 0 0 1] , [1 0 0 1 1 0 0 1]) ,

([1 1 0 1 0 1 1 0] , [1 1 0 1 0 0 0 0]) ,

([1 1 0 0 1 0 0 1] , [0 0 1 1 0 1 0 0]) ,

([1 1 0 1 0 1 1 0] , [1 1 0 1 1 0 0 0]) ,

([1 1 0 0 1 0 0 1] , [0 1 1 0 1 0 1 0]) ,

([1 1 0 1 0 1 1 0] , [1 1 1 0 0 0 1 0]) ,

([1 1 0 0 1 0 0 1] , [1 1 1 1 0 0 1 0]) ,

([1 1 0 1 0 1 1 0] , [1 1 0 1 0 1 0 1]) ,

([1 1 0 0 1 0 0 1] , [0 0 0 1 1 1 1 0]) ,

([1 1 0 1 0 1 1 0] , [1 0 0 1 0 0 0 1]) , ([1 1 0 1 0 1 1 0] , [1 1 0 1 0 0 0 1])} , (37) 𝑉2 = {([1 1 0 0 1 0 0 1] , [1 1 0 1 1 1 1 1]) , ([1 1 0 0 1 0 0 1] , [1 0 0 1 0 0 0 1]) ,

([1 1 0 0 1 0 0 1] , [0 0 1 1 1 0 0 1]) , ([1 1 0 0 1 0 0 1] , [1 0 1 1 0 0 0 0])} . (38) Signature

([1 1 0 0 1 0 0 1] , [0 1 1 0 0 1 0 1]) ,

(i) Choose a message 𝑀 = ([1 0 0 1 1 1 0 1], [1 1 0 1 0 1 0 1]). (ii) Sample 𝑧 = ([0 0 0 0 0 0 0 0], [1 0 0 1 1 0 1 0]) (∈ Z) and compute π‘Ÿ = 𝑑0βˆ’1 β‹… 𝑧 β‹… 𝑑2

([1 1 0 0 1 0 0 1] , [1 1 0 1 0 1 1 1]) ,

𝑐2 = π‘Ÿ = ([0 0 0 1 1 1 1 1] , [0 0 0 1 1 0 1 1]) ,

([1 1 0 0 1 0 0 1] , [1 0 1 0 1 1 0 0]) ,

𝑐1 = 𝐻 (𝑀, π‘Ÿ)

([1 1 0 0 1 0 0 1] , [0 1 0 0 1 0 1 0]) ,

([1 1 0 0 1 0 0 1] , [1 1 0 0 1 1 1 1]) , ([1 1 0 0 1 0 0 1] , [0 1 0 1 1 0 0 0]) , ([1 1 0 0 1 0 0 1] , [1 1 1 1 0 0 1 1]) , ([1 1 0 0 1 0 0 1] , [1 1 0 0 1 1 0 1]) , ([1 1 0 0 1 0 0 1] , [1 0 0 1 1 1 1 1]) , ([1 1 0 0 1 0 0 1] , [1 0 1 0 1 0 1 0]) ,

= ([0 0 0 1 0 1 0 1] , [0 1 1 0 0 1 0 0]) . (39) (iii) Signature 𝜎 = (𝑆1 , 𝑆2 ): 𝑆1 = 71 (∈ Zπ‘ž ) , 𝑆2 = ([0 0 1 1 1 0 1 1] , [0 1 0 1 0 1 1 0]) . (40) Verification

([1 1 0 0 1 0 0 1] , [0 0 0 0 1 0 0 1]) ,

(i) Compute

([1 1 0 0 1 0 0 1] , [1 1 0 0 0 0 1 1]) ,

π‘Œ1 = 𝛼󸀠 (𝑆1 ) β‹… 𝑆2

([1 1 0 0 1 0 0 1] , [0 1 0 1 0 1 0 0]) , ([1 1 0 0 1 0 0 1] , [0 1 1 0 1 1 0 0]) , ([1 1 0 0 1 0 0 1] , [1 1 1 0 1 1 1 1]) , ([1 1 0 0 1 0 0 1] , [1 1 1 0 0 0 1 1]) , ([1 1 0 0 1 0 0 1] , [1 1 1 0 1 1 1 1]) , ([1 1 0 0 1 0 0 1] , [0 0 0 0 1 0 0 1]) , ([1 1 0 0 1 0 0 1] , [0 1 1 0 0 1 0 0]) , ([1 1 0 0 1 0 0 1] , [1 1 1 0 1 1 0 1]) , ([1 1 0 0 1 0 0 1] , [1 0 0 0 0 0 1 1]) ,

= ([0 0 0 1 0 1 0 1] , [0 1 1 0 0 1 0 0]) . (41) (ii) Compute 𝛾󸀠 (𝑆1 ) = ([0 0 0 1 1 1 1 1] , [0 0 1 0 0 0 0 0]) , 𝑓 (𝑆2 ) = ([0 0 0 0 0 0 0 0] , [0 0 1 1 1 0 1 1]) , π‘Œ2 = 𝛾󸀠 (𝑆1 ) β‹… 𝑓 (𝑆2 ) = ([0 0 0 1 1 1 1 1] , [0 0 0 1 1 0 1 1]) . (42)

10 Since π‘Œ1 βˆ’ 𝑐1 = [0 0 0 0 0 0 0 0] and π‘Œ2 βˆ’ 𝑐2 = [0 0 0 0 0 0 0 0], so we can get that 𝐻(𝑀, 𝛾󸀠 (𝑆1 ) β‹… 𝑓(𝑆2 )) = 𝛼󸀠 (𝑆1 ) β‹… 𝑆2 .

Conflict of Interests The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments This work is partially supported by the National Natural Science Foundation of China (NSFC) (nos. 61103198, 61121061, 61370194) and the NSFC A3 Foresight Program (no. 61161140320).

References [1] C. H. Bennett and G. Brassard, β€œQuantum cryptography: public key distribution and coin tossingin,” in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179, Bangalore, India, 1984. [2] C. H. Bennett, β€œQuantum cryptography using any two nonorthogonal states,” Physical Review Letters, vol. 68, no. 21, pp. 3121– 3124, 1992. [3] C. H. Bennett, G. Brassard, and N. D. Mermin, β€œQuantum cryptography without Bell’s theorem,” Physical Review Letters, vol. 68, no. 5, pp. 557–559, 1992. [4] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, β€œQuantum cryptography,” Reviews of Modern Physics, vol. 74, no. 1, pp. 146– 195, 2002. [5] R. Matthews, β€œOn the derivation of a β€œchaotic” encryption algorithm,” Cryptologia, vol. 13, no. 1, pp. 29–42, 1989. [6] M. S. Baptista, β€œCryptography with chaos,” Physics Letters A, vol. 240, no. 1-2, pp. 50–54, 1998. [7] G. Alvarez, G. Pastor, F. Montoya, and M. Romera, β€œChaotic cryptosystems,” in Proceedings of the IEEE International Carnahan Conference on Security Technology, pp. 332–338, 1999. [8] X.-Y. Wang and Q. Yu, β€œBlock encryption algorithm based on dynamic sequences of multiple chaotic systems,” Communications in Nonlinear Science and Numerical Simulation, vol. 14, no. 2, pp. 574–581, 2009. [9] X. Wang and J. Zhao, β€œAn improved key agreement protocol based on chaos,” Communications in Nonlinear Science and Numerical Simulation, vol. 15, no. 12, pp. 4052–4057, 2010. [10] Y. Niu and X. Wang, β€œAn anonymous key agreement protocol based on chaotic maps,” Communications in Nonlinear Science and Numerical Simulation, vol. 16, no. 4, pp. 1986–1992, 2011. [11] L. Hongjun, W. Xingyuan, and K. Abdurahman, β€œImage encryption using DNA complementary rule and chaotic maps,” Applied Soft Computing, vol. 12, no. 5, pp. 1457–1466, 2012. [12] X. Wang and D. Luan, β€œA novel image encryption algorithm using chaos and reversible cellular automata,” Communications in Nonlinear Science and Numerical Simulation, vol. 18, no. 11, pp. 3075–3085, 2013. [13] W. Xingyuan and L. Dapeng, β€œA secure key agreement protocol based on chaotic maps,” Chinese Physics B, vol. 22, no. 11, Article ID 110503, 2013.

Mathematical Problems in Engineering [14] Y.-Q. Zhang and X.-Y. Wang, β€œSpatiotemporal chaos in mixed linearβ€”nonlinear coupled logistic map lattice,” Physica A: Statistical Mechanics and Its Applications, vol. 402, pp. 104–118, 2014. [15] L. M. Adleman, β€œMolecular computation of solutions to combinatorial problems,” Science, vol. 266, no. 5187, pp. 1021–1024, 1994. [16] D. Boneh, C. Dunworth, R. J. Lipton, and J. Sgall, β€œOn the computational power of DNA,” Discrete Applied Mathematics, vol. 71, no. 1–3, pp. 79–94, 1996. [17] G. Cui, L. Qin, Y. Wang, and X. Zhang, β€œAn encryption scheme using DNA technology,” in Proceedings of the 3rd International Conference on Bio-Inspired Computing: Theories and Applications (BICTA ’08), pp. 37–41, October 2008. [18] W. Lempken, T. van Trung, S. S. Magliveras, and W. Wei, β€œA public key cryptosystem based on non-abelian finite groups,” Journal of Cryptology, vol. 22, no. 1, pp. 62–74, 2009. [19] N. R. Wagner and M. R. Magyarik, β€œA public-key cryptosystem based on the word problem,” in Advances in Cryptology, vol. 196 of Lecture Notes in Computer Science, pp. 19–36, Springer, Berlin, Germany, 1985. [20] K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. Kang, and C. Park, β€œNew public-key cryptosystem using braid groups,” in Advances in cryptologyβ€”CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, pp. 166–183, Springer, Berlin, Germany, 2000. [21] B. Eick and D. Kahrobaei, β€œPolycyclic groups: a new platform for cryptology?” http://arxiv.org/abs/math/0411077. [22] V. Shpilrain and A. Ushakov, β€œThompsons group and public key cryptography,” in Applied Cryptography and Network Security, vol. 3531 of Lecture Notes in Computer Science, pp. 151–164, 2005. [23] D. Kahrobaei, C. Koupparis, and V. Shpilrain, β€œPublic key exchange using matrices over group rings,” Groups, Complexity, and Cryptology, vol. 5, no. 1, pp. 97–115, 2013. [24] S. S. Magliveras, β€œA cryptosystem from logarithmic signatures of finite groups,” in Proceedings of the 29th Midwest Symposium on Circuits and Systems, pp. 972–975, Elsevier Publishing, Amsterdam, The Netherlands, 1986. [25] S. S. Magliveras and N. D. Memon, β€œAlgebraic properties of cryptosystem PGM,” Journal of Cryptology, vol. 5, no. 3, pp. 167– 183, 1992. [26] A. Caranti and F. Dalla Volta, β€œThe round functions of cryptosystem PGM generate the symmetric group,” Designs, Codes and Cryptography, vol. 38, no. 1, pp. 147–155, 2006. [27] S. S. Magliveras, D. R. Stinson, and T. van Trung, β€œNew approaches to designing public key cryptosystems using oneway functions and trapdoors in finite groups,” Journal of Cryptology, vol. 15, no. 4, pp. 285–297, 2002. [28] M. I. GonzΒ΄alez Vasco and R. Steinwandt, β€œObstacles in two public key cryptosystems based on group factorizations,” Tatra Mountains Mathematical Publications, vol. 25, pp. 23–37, 2002. [29] J.-M. Bohli, R. Steinwandt, M. I. GonzΒ΄alez Vasco, and C. MartΒ΄Δ±nez, β€œWeak keys in MST 1 ,” Designs, Codes and Cryptography, vol. 37, no. 3, pp. 509–524, 2005. [30] M. I. GonzΒ΄alez Vasco, C. MartΒ΄Δ±nez, and R. Steinwandt, β€œTowards a uniform description of several group based cryptographic primitives,” Designs, Codes and Cryptography, vol. 33, no. 3, pp. 215–226, 2004. [31] S. S. Magliveras, P. Svaba, T. van Trung, and P. Zajac, β€œOn the security of a realization of cryptosystem MST 3 ,” Tatra Mountains Mathematical Publications, vol. 41, pp. 65–78, 2008.

Mathematical Problems in Engineering [32] S. R. Blackburn, C. Cid, and C. Mullan, β€œCryptanalysis of the MST 3 public key cryptosystem,” Journal of Mathematical Cryptology, vol. 3, no. 4, pp. 321–338, 2009. [33] M. I. G. Vasco, A. L. P. del Pozo, and P. T. Duarte, β€œA note on the security of MST 3 ,” Designs, Codes and Cryptography, vol. 55, no. 2-3, pp. 189–200, 2010. [34] P. Svaba and T. van Trung, β€œPublic key cryptosystem MST 3 cryptanalysis and realization,” Journal of Mathematical Cryptology, vol. 4, no. 3, pp. 271–315, 2010. [35] W. Lempken and T. van Trung, β€œOn minimal logarithmic signatures of finite groups,” Experimental Mathematics, vol. 14, no. 3, pp. 257–269, 2005. [36] P. Marquardt, P. Svaba, and T. van Trung, β€œPseudorandom number generators based on random covers for finite groups,” Designs, Codes and Cryptography, vol. 64, no. 1-2, pp. 209–220, 2012.

11

Advances in

Operations Research Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Advances in

Decision Sciences Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Journal of

Applied Mathematics

Algebra

Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Journal of

Probability and Statistics Volume 2014

The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

International Journal of

Differential Equations Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014

Submit your manuscripts at http://www.hindawi.com International Journal of

Advances in

Combinatorics Hindawi Publishing Corporation http://www.hindawi.com

Mathematical Physics Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Journal of

Complex Analysis Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

International Journal of Mathematics and Mathematical Sciences

Mathematical Problems in Engineering

Journal of

Mathematics Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Discrete Mathematics

Journal of

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Discrete Dynamics in Nature and Society

Journal of

Function Spaces Hindawi Publishing Corporation http://www.hindawi.com

Abstract and Applied Analysis

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

International Journal of

Journal of

Stochastic Analysis

Optimization

Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014