Improved cryptanalysis of an ElGamal Cryptosystem Based on Matrices Over Group Rings

Abstract: The ElGamal cryptosystem has emerged as one of the most important constructions in public key cryptography (PKC) since the Diffie-Hellman key exchange protocol was proposed. However, public key schemes based on number theoretic problems such as the discrete logarithm problem (DLP) are at risk from the evolution of quantum computers, so non-number-theoretic alternatives are urgently needed by the cryptographic community. In 2016, Saba Inam and Rashid Ali proposed an ElGamal-like cryptosystem based on matrices over group rings in 'Neural Computing & Applications'. Using a linear algebra approach, Jia et al. provided a cryptanalysis of the cryptosystem in 2019 and claimed that their attack recovers all equivalent keys. This is not the case: we improve their cryptanalysis and derive all equivalent key pairs, any of which totally breaks the ElGamal-like cryptosystem of Inam and Ali. By decomposing matrices over group rings into larger matrices over the base ring, we make the cryptanalysis algorithm more practical and efficient. We also prove that the cryptosystem of Inam and Ali achieves neither IND-CPA nor IND-CCA security.


Introduction
The security of the ElGamal encryption scheme depends on the difficulty of the discrete logarithm problem. The standard security notion for ElGamal encryption is indistinguishability under a chosen plaintext attack (IND-CPA); the stronger notion is indistinguishability under a chosen ciphertext attack (IND-CCA).
Because they cannot resist quantum attacks, traditional cryptosystems based on the DLP are no longer considered secure, and there has been interest in constructing ElGamal encryption schemes over non-number-theoretic platform structures. In this context, Majid Khan et al. [6] proposed two new ElGamal public key encryption schemes based on large commutative subgroups of general linear groups over a residue ring, which were later cryptanalyzed by Jia et al. [4] using a structural attack.
In 2016, Inam and Ali improved on this [3] and proposed a new ElGamal-like cryptosystem based on matrices over a group ring. The authors claimed that the cryptosystem is safe against known plaintext attacks and has the potential to resist quantum attacks. Using a linear algebra attack, the cryptosystem was shown to be insecure in [5], where the authors also claimed that they could retrieve all equivalent keys usable for decryption. Inam and Ali also provided a simple fix for their cryptosystem which, they claimed, resists chosen ciphertext attacks.
Our contribution: We prove that the cryptosystem of Inam and Ali achieves neither IND-CPA nor IND-CCA security, which makes it completely insecure. We develop a cryptanalytic attack that derives all equivalent keys (including the keys obtained in [5]), any of which totally breaks the ElGamal-like cryptosystem. We decompose group ring elements into matrices over the base ring, which makes the cryptanalytic algorithm more efficient and practical.
The rest of this article is organized as follows. Section 2 provides the necessary background. Section 3 presents the ElGamal-like cryptosystem of Inam and Ali. Sections 4 and 5 prove that the scheme is not secure against IND-CPA and IND-CCA adversaries. Section 6 develops a stronger attack that derives all equivalent keys for the cryptosystem and discusses the computational complexity of the attack. Conclusions are drawn in section 7.

Preliminaries
Definition 1 (Group Ring). Let R be a commutative ring with unity and G = {g_1, g_2, …, g_k} a finite multiplicative group.
which has the k entries α_{g_1}, α_{g_2}, …, α_{g_k} in its first row, in some order, and every other row is a permutation of the first row. Thus for each p ∈ GR the associated matrix M_p is determined by the k coefficients α_{g_1}, α_{g_2}, …, α_{g_k} alone. Consequently, for any matrix A ∈ M_n(GR), say,
Definition 2 (Circulant matrices and their properties [1]). Let F be a finite field. A k × k circulant matrix C over F is a matrix in which each row consists of the entries of the previous row moved one position to the right and wrapped around.
Circulant matrices have the following important properties: (i) If A and B are two n × n circulant matrices then so is AB, and the matrix product is commutative, that is, AB = BA.

Description of the public key cryptosystem
In this section, we describe the ElGamal-like cryptosystem proposed by Saba Inam and Rashid Ali [3].
Let M_n(GR) be the set of all n × n matrices over the group ring GR and H ⊂ M_n(GR) the subgroup of all n × n invertible circulant matrices over GR. Alice and Bob communicate in the following steps.

Key generation (KeyGen):
(i) Alice chooses random A, B ∈ H and computes M_1 = AB^2 and M_2 = BA^2.
(ii) She selects a random invertible matrix N ∈ GL_n(GR) and generates the key pair (pk, sk) given by
where pk is the public key and sk is the secret key.
Encryption (Enc_pk(m)):
(i) Bob represents the message m as an element M ∈ M_n(GR).
(ii) He chooses a random invertible matrix X ∈ H and a unit η of the group ring GR and computes the ciphertext Enc_pk(m) = C = (C_1, C_2), where
Decryption (Dec_sk(C)):
(i) Using her secret keys A, B, Alice computes
(ii) She obtains the message from C_2 and S as

Correctness of the protocol: Since
The authors in [3] have used the commutative circulant matrices over the group ring GR, where R is a commutative ring with unity and G is a finite group. We believe that the authors wanted the group G to be an abelian group, otherwise the circulant matrices will not commute and the proposed cryptosystem will not work. Hence from now onwards we assume that G is a finite abelian group.

Analysis of IND-CPA security of the cryptosystem
Consider the following IND-CPA experiment between the challenger C and an efficient adversary A:
(i) The challenger C generates the key pair (pk, sk) and publishes pk = (P_1, P_2).
(ii) The adversary A chooses two messages D_0, D_1 ∈ M_n(GR) and submits these to C.
(iii) The challenger C selects a bit b ← {0, 1} u
niformly at random and sends the challenge ciphertext C = Enc_pk(D_b) to A.
(iv) The adversary A outputs a bit b′.
The experiment outputs 1 (the adversary wins) if and only if b = b′.
In step (ii), if the adversary A chooses two messages D_0 and D_1 such that det(D_0) ≠ det(D_1), then from the challenge ciphertext alone it can compute det(D_b) and hence b. Thus the adversary A succeeds in the above IND-CPA experiment with probability 1, and the proposed scheme is not secure against a chosen plaintext attack.
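The computation the adversary performs, written out with the notation of section 6 (an added derivation, not part of the original text): with the equivalent keys P = AB^{-1}, Q = A^{-1}B and the decryption identity M = C_2 P C_1 Q, and with G abelian so that GR is commutative, A and B commute and the determinant over GR is multiplicative,

$$PQ = AB^{-1}A^{-1}B = AA^{-1}B^{-1}B = I, \qquad \det(P)\det(Q) = \det(PQ) = 1,$$

$$\det(M) = \det(C_2)\det(P)\det(C_1)\det(Q) = \det(C_1)\det(C_2).$$

So for the challenge ciphertext (C_1, C_2) = Enc_pk(D_b) the adversary computes det(C_1)det(C_2) = det(D_b) without any secret, outputs b′ = 0 if this value equals det(D_0) and b′ = 1 otherwise, and wins whenever det(D_0) ≠ det(D_1).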

Analysis of IND-CCA security of the cryptosystem
The authors of [3] present a chosen ciphertext attack on their own scheme and propose a fix in which the one-sided ciphertext is replaced by the two-sided ciphertext as follows:
Consider the following IND-CCA experiment between the challenger C and an efficient adversary A:
(i) The challenger C generates the key pair (pk, sk) and publishes pk = (P_1, P_2).
(ii) The adversary A, who may query a decryption oracle, chooses two messages D_0, D_1 ∈ M_n(GR) and submits these to C.
(iii) The challenger C selects a bit b ← {0, 1} uniformly at random and sends the challenge ciphertext C = Enc_pk(D_b) to the adversary A.
(iv) A continues to query the decryption oracle on any ciphertext except the challenge ciphertext C.
(v) The adversary A outputs a bit b′.
The experiment outputs 1 (the adversary wins) if and only if b = b′. In step (ii), if the adversary A chooses two messages D_0 and D_1 such that det(D_0) ≠ det(D_1), then from the challenge ciphertext alone it can compute det(D_b) and hence b. Thus the adversary A succeeds in the above IND-CCA experiment with probability 1.
Additionally, an adversary can recover the plaintext M of any ciphertext by playing the following game with the challenger:
Hence the proposed fix is not secure against a chosen ciphertext attack, contrary to the claim in [3].

Key recovery attack
In this section, we propose a method that derives all equivalent key pairs for the cryptosystem of [3] from the public key pk alone.
From the public information any adversary A obtains the public key pk = (P_1, P_2). A finds all equivalent key pairs (P, Q) by solving the following system:
(1)
The above system has at least one solution, namely P = AB^{-1} and Q = A^{-1}B, as
Theorem 3. If the adversary is able to find a solution (P, Q) of equation (1), then the ElGamal-like cryptosystem of Inam and Ali is completely broken with the equivalent keys P, Q.
Proof. Using the equivalent keys P and Q, the plaintext M is retrieved from a ciphertext pair (C_1, C_2) as
Thus the proposed scheme is not secure: a total break is performed by computing equivalent key pairs (P, Q) from the public key pair (P_1, P_2) alone.
In Example 1 in the appendix, we derive all equivalent key pairs (P, Q) for the toy example of [3] and obtain the plaintext M.
Algorithm 1 makes this practical. Its steps 1–3 (carried out in Example 2) take the public key, write the unknown circulant matrices P and Q^{-1} in terms of 2nk unknown coefficients over R, and embed every matrix over GR into a matrix over R as in section 2; equation (1) then becomes a homogeneous linear system (3) with coefficient matrix A ∈ M_{n²k²×2nk}(R) and unknown vector X ∈ M_{2nk×1}(R).
Step 4: Solve the system of equations over the ring R corresponding to PP_2 − P_1^{-1}Q^{-1} = 0 using equation (3), and form the invertible matrices P and Q^{-1}.
Step 5: Find the a_i and b_j from P and Q^{-1} and form the key pair (P, Q).
Step 6: Compute M = C_2 P C_1 Q.
In Example 2 in the appendix, we execute the proposed algorithm on the toy example of [3]: we decompose the group ring elements into matrices over the same ring and use this to obtain the equivalent key pairs and the corresponding plaintext from the given public key pair and ciphertext.
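The embedding of step 3 and the linear solve of steps 4 and 5 can be exercised end to end. The following is an added example written for this page, not code from this paper or from [3] or [5]. It takes R = F_p and G the cyclic group C_k (k = 2 gives the group {1, y} of the toy example), represents each group ring element by its k coefficients, and embeds M_n(GR) into M_{nk}(F_p) by replacing every entry with its k × k matrix, so that inverses and products become ordinary linear algebra over F_p. Because the key generation formulas are not part of the extracted text, the public key (P_1, P_2) here is a constructed instance that satisfies the step 4 equation with the planted solution P = AB^{-1}, Q = A^{-1}B for random invertible circulants A, B; everything else (the 2nk unknown coefficients, the homogeneous system with (nk)^2 equations, its null space, and the recovery of P and Q) follows Algorithm 1 as described above. The names run_attack, recover_equivalent_keys and constructed_instance are this example's own.

```python
"""Added example (not the paper's code): GR = F_p[C_k] for a cyclic group C_k, the
coefficient-rearrangement embedding M_n(GR) -> M_{nk}(F_p) of Step 3, and the
Step 4/5 linear solve that recovers equivalent keys (P, Q) from (P1, P2) alone."""
import random

def embed_element(a, p, k):
    # k x k matrix of a in GR: row i holds the coefficients of a*g_i, where g_i g_j = g_{(i+j) mod k};
    # row 0 is a itself and the other rows are its cyclic shifts
    return [[a[(j - i) % k] % p for j in range(k)] for i in range(k)]

def embed_matrix(A, p, k):
    # M_n(GR) -> M_{nk}(F_p): replace every GR entry by its k x k block
    n = len(A)
    E = [[0] * (n * k) for _ in range(n * k)]
    for r in range(n):
        for c in range(n):
            for i, row in enumerate(embed_element(A[r][c], p, k)):
                E[r * k + i][c * k:(c + 1) * k] = row
    return E

def unembed_matrix(E, k):
    # inverse of embed_matrix: row 0 of each k x k block is the GR element
    n = len(E) // k
    return [[E[r * k][c * k:(c + 1) * k] for c in range(n)] for r in range(n)]

def circulant(row):
    # n x n circulant over GR from its first row (row r is the first row shifted r places right)
    n = len(row)
    return [[row[(c - r) % n] for c in range(n)] for r in range(n)]

def mat_mul(X, Y, p):
    return [[sum(x * Y[t][j] for t, x in enumerate(row)) % p for j in range(len(Y[0]))] for row in X]

def rref(M, p):
    # reduced row echelon form over F_p (p prime); returns (R, pivot columns)
    R, piv = [row[:] for row in M], []
    for c in range(len(R[0])):
        r = len(piv)
        i = next((i for i in range(r, len(R)) if R[i][c]), None)
        if i is None:
            continue
        R[r], R[i] = R[i], R[r]
        inv = pow(R[r][c], -1, p)
        R[r] = [v * inv % p for v in R[r]]
        for i in range(len(R)):
            if i != r and R[i][c]:
                R[i] = [(x - R[i][c] * y) % p for x, y in zip(R[i], R[r])]
        piv.append(c)
    return R, piv

def mat_inv(X, p):
    # Gauss-Jordan inverse over F_p, or None if X is singular
    m = len(X)
    R, piv = rref([X[i] + [int(i == j) for j in range(m)] for i in range(m)], p)
    return [row[m:] for row in R] if piv[:m] == list(range(m)) else None

def nullspace(M, p):
    # basis of {x : M x = 0}: one vector per free (non-pivot) column of the RREF
    R, piv = rref(M, p)
    prow = {c: i for i, c in enumerate(piv)}  # pivot column -> its row in R
    cols = range(len(M[0]))
    return [[1 if c == f else -R[prow[c]][f] % p if c in prow else 0 for c in cols]
            for f in cols if f not in prow]

def recover_equivalent_keys(P1, P2, p, n, k, rng, tries=100):
    # Steps 3-5: P and Q^{-1} are circulants over GR with 2nk unknown coefficients in F_p;
    # after embedding, P P2 - P1^{-1} Q^{-1} = 0 is a homogeneous (nk)^2 x 2nk linear system
    nk = n * k
    E1inv, E2 = mat_inv(embed_matrix(P1, p, k), p), embed_matrix(P2, p, k)
    def parts(x):  # x[:nk] -> first row of P, x[nk:] -> first row of Q^{-1}, both embedded
        rows = [x[c * k:(c + 1) * k] for c in range(2 * n)]
        return embed_matrix(circulant(rows[:n]), p, k), embed_matrix(circulant(rows[n:]), p, k)
    def residual(x):  # entries of P P2 - P1^{-1} Q^{-1}, flattened row by row
        EP, EQi = parts(x)
        L, Rm = mat_mul(EP, E2, p), mat_mul(E1inv, EQi, p)
        return [(L[i][j] - Rm[i][j]) % p for i in range(nk) for j in range(nk)]
    cols = [residual([int(u == v) for v in range(2 * nk)]) for u in range(2 * nk)]
    basis = nullspace([[col[e] for col in cols] for e in range(nk * nk)], p)
    for _ in range(tries):  # random point of the solution space; keep it if both parts are invertible
        lam = [rng.randrange(p) for _ in basis]
        EP, EQi = parts([sum(l * b[i] for l, b in zip(lam, basis)) % p for i in range(2 * nk)])
        EQ = mat_inv(EQi, p)
        if EQ is not None and mat_inv(EP, p) is not None:
            return EP, EQ  # embedded equivalent keys (P, Q)
    raise ValueError("no invertible solution found")

def equation_holds(EP, EQ, P1, P2, p, k):
    # check P P2 == P1^{-1} Q^{-1} in M_{nk}(F_p)
    lhs = mat_mul(EP, embed_matrix(P2, p, k), p)
    return lhs == mat_mul(mat_inv(embed_matrix(P1, p, k), p), mat_inv(EQ, p), p)

def constructed_instance(p, n, k, rng):
    # Constructed test data (NOT the scheme's key generation, which the text omits): random invertible
    # circulants A, B over GR plant P* = A B^{-1}, Q* = A^{-1} B; P2 is a random invertible matrix over
    # GR and P1 := (P* P2 Q*)^{-1}, so that P* P2 = P1^{-1} Q*^{-1} holds.  Returns P1, P2 over GR.
    def rand_inv(circ):
        while True:
            rows = [[rng.randrange(p) for _ in range(k)] for _ in range(n if circ else n * n)]
            E = embed_matrix(circulant(rows) if circ else [rows[i * n:(i + 1) * n] for i in range(n)], p, k)
            if mat_inv(E, p) is not None:
                return E
    EA, EB, E2 = rand_inv(True), rand_inv(True), rand_inv(False)
    Pstar, Qstar = mat_mul(EA, mat_inv(EB, p), p), mat_mul(mat_inv(EA, p), EB, p)
    E1 = mat_inv(mat_mul(mat_mul(Pstar, E2, p), Qstar, p), p)
    return unembed_matrix(E1, k), unembed_matrix(E2, k)

def run_attack(p=101, n=2, k=2, seed=2024):
    # end to end on a constructed (P1, P2): returns (equation holds?, P, Q) with P, Q over GR
    rng = random.Random(seed)
    P1, P2 = constructed_instance(p, n, k, rng)
    EP, EQ = recover_equivalent_keys(P1, P2, p, n, k, rng)
    return equation_holds(EP, EQ, P1, P2, p, k), unembed_matrix(EP, k), unembed_matrix(EQ, k)

if __name__ == "__main__":
    print(run_attack())
```

The solution space of the linear system is sampled at random until both P and Q^{-1} are invertible, since a singular solution cannot serve as a key; with the constructed instance the planted pair guarantees the space is non-trivial, and any solution found satisfies the step 4 equation exactly, which run_attack reports as its first return value. The same functions work for any prime p, any n and any cyclic order k, so the example also covers parameters beyond the toy example.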

Computational complexity of the proposed algorithm over the finite field F_p
In this section we compute the complexity of Algorithm 1 when the commutative ring R is a prime field, that is, R = F_p, using the following known results:
- An inverse in the finite field F_p can be computed with O((log p)^3) bit operations [7].
- Solving a system of m equations in r unknowns over Z_n has complexity O(m r^{ω−1}) [11], where ω is the matrix multiplication exponent.
Using these results, the steps of Algorithm 1 cost as follows:
(i) The embedding in step 3 is merely a rearrangement of the coefficients of the group ring elements, so its complexity is neglected.
(ii) Step 4 performs 2 matrix multiplications, 1 matrix inversion and 1 subtraction on nk × nk matrices over F_p and then solves the system (3), which has (nk)^2 equations in 2nk unknowns. Hence the complexity of step 4 is O((nk)^ω (log p)^3 + 2(nk)^ω (log p)^2 + (nk)^2 (2nk)^{ω−1} (log p)^3) = O((nk)^{ω+1} (log p)^3).
(iii) In step 5, the matrix inversion that yields Q from Q^{-1} costs O((nk)^ω (log p)^3); reading P and Q back from their embedded images is again only a rearrangement.
(iv) Step 6 requires 3 matrix multiplications, with complexity O((nk)^ω (log p)^2).
Thus the overall complexity of Algorithm 1 is O((nk)^{ω+1} (log p)^3), which is polynomial in n, k and log p.

Conclusion
We have presented a generic cryptanalysis of a new ElGamal-like cryptosystem based on matrices over a group ring. Although the authors claimed that their protocol resists known plaintext attacks, ciphertext only attacks and chosen plaintext attacks, we have proved that the scheme is not secure even under the weaker notion IND-CPA, nor under IND-CCA. We then designed a linear algebra attack that computes, in polynomial time, all equivalent keys for a given public key pair.

Appendix
The addition and multiplication tables for the group ring GR are provided in Table A1 and Table A2 respectively:

Example 1.
which can further be written as
where a, b are free parameters. Hence a solution to the above system is given by
The following invertible key pairs are obtained from these solutions:

Example 2.
Here g_1 g_1^{-1} = 1 = g_1, g_1 g_2^{-1} = y = g_2, g_2 g_1^{-1} = y = g_2 and g_2 g_2^{-1} = 1 = g_1. The embeddings of the group ring elements are therefore given by
Step 1: Consider the public key elements P_1 and P_2 and, for some plaintext M, the ciphertext pair (C_1, C_2) given by
Step 2: Choose arbitrary (a, b), (c, d) ∈ GR^2 and form the circulant matrices P and Q^{-1} as
Step 3: The embedded matrices are then
The embedded public key elements are given by
and the embedded ciphertext matrices are
Step 4: The equation PP_2 − P_1^{-1}Q^{-1} = 0 can be written as
which corresponds to the following system of equations
Step 5: Hence the equivalent key pairs are given by (P_i, Q_i) or (P_1, Q_i), 1 ≤ i ≤ 8, which are exactly those extracted in Example 1.
Step 6: Using any of these pairs, say
which is the original plaintext encrypted in the toy example of [3].