Lattice-Based Post-Quantum Public Key Encryption Scheme Using ElGamal’s Principles

Abstract

Modern technologies like quantum and cloud computing have reshaped computing, offering immense power and scalability. While beneficial, they also challenge the security of traditional cryptographic systems. Quantum computing threatens RSA and ECC with algorithms like Shor’s algorithm, which can accelerate computations exponentially. This risks exposing these systems to attacks, necessitating quantum-resistant cryptography. Cloud computing poses data security concerns, requiring robust cryptographic mechanisms and access controls. Lattice-based cryptography, leveraging problems like the Short Integer Solution (SIS), emerges as a solution. This paper presents a novel quantum-resistant public key encryption scheme based on ElGamal and SIS, ensuring security against quantum and classical threats in modern cryptographic environments.

1. Introduction

Traditional encryption strategies have encountered significant limitations due to the rapid advancement in computing technologies such as quantum computing, grid computing, and cloud computing. These advanced technologies possess vastly superior computational capabilities, posing great challenges for conventional cryptographic systems. In response to these challenges, lattices have emerged as a relevant approach. In recent years, lattices have provided a rich foundation for numerous cryptographic constructions, including encryption schemes, signatures, one-way functions, collision-resistant hash functions, and key exchange protocols. These fundamental components are integrated within a unified cryptographic framework known as lattice-based cryptography. Lattices hold substantial importance in contemporary cryptography due to the strong security guarantees provided by lattice-based structures, rooted in the hardness assumptions of lattice problems. Problems like Learning With Errors (LWE) and Shortest Vector Problem (SVP) represent average-case challenges widely utilized in lattice-based systems, illustrating their resilience against advanced computing threats, including quantum and exponential attacks. Furthermore, lattice-based systems demonstrate efficient implementation and high simplicity. Public-key encryption was first introduced by Diffie and Hellman in 1976, posing the question of establishing a cryptosystem where each recipient holds a pair of keys: a secret key (SK) and a public key (PK). This pioneering work laid the foundation for subsequent developments, including the RSA cryptosystem introduced by Rivest, Shamir, and Adleman in 1978, which relies on the complexity of factoring large integers and is used both for encryption and digital signatures. Six years later, ElGamal introduced another public key exchange framework and signature protocol based on discrete logarithms, leveraging the complexity of the Diffie–Hellman problem and the discrete logarithm problem (DLP).

However, contemporary computational technologies present new challenges to traditional cryptographic foundations. To address these challenges and meet the demands of modern cryptography, this paper proposes a novel post-quantum public-key encryption scheme based on the Short Integer Solution (SIS) problem, leveraging principles similar to ElGamal’s public key encryption. The security analysis of these proposed schemes is grounded in the complexity of approximating a short integer solution, a fundamental problem in lattice-based cryptography and the basis for constructing cryptographic schemes such as Learning With Errors (LWE) and related primitives. The scheme includes a key exchange protocol based on the SIS problem, as formulated by Ajtai [1], and emphasizes simplicity in construction while considering cryptographic principles such as Chosen Ciphertext Attack (CCA) security.

The novelty of our approach lies in its integration of lattice-based operations within the framework of the classical ElGamal cryptosystem. By leveraging the SIS problem, our scheme offers enhanced security against quantum threats while preserving compatibility with established cryptographic principles. Notably, our scheme demonstrates exceptional efficiency when encrypting smaller messages, making it an attractive choice for applications requiring secure communication over resource-constrained environments. Furthermore, our proposed scheme serves as a foundational research contribution, providing a simplified yet effective solution for secure communication. Its efficiency and simplicity make it an ideal starting point for further research and exploration in the field of lattice-based cryptography. As such, our work not only addresses current cryptographic challenges but also paves the way for future advancements in the field.

The paper is outlined as follows. The second section provides the background of lattice-based cryptographic systems, introducing computational problems such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). The third section explains the ElGamal public key encryption scheme and the construction of a key exchange protocol based on the SIS problem. Building on these concepts, the fourth section introduces the proposed scheme, the construction of a post-Quantum ElGamal cryptosystem. This section presents the algorithm and pseudocode of the proposed scheme and analyzes its security. The fifth section covers the experimental aspects, and the sixth section compares the efficiency of the proposed scheme with classical ElGamal encryption. Finally, the seventh section concludes the paper.

2. Lattice-Based Cryptographic Systems

2.1. Lattice-Based Cryptography

In this section, we explore the latest cryptographic technique known as lattice-based cryptography [2,3]. These structures offer promising prospects for post-quantum cryptography, featuring robust security guarantees and highly efficient implementation. The security of lattice-based cryptography relies on intricate challenges posed by point lattices within an m-dimensional Euclidean space R^m. Furthermore, lattice cryptography ensures resilience against quantum attacks, with security grounded in worst-case scenarios. Here, we provide formal definitions and attributes based on previous research in this field.

2.2. Lattice

A lattice can be understood as a discrete set formed by combining sets of vectors. The definition of a lattice is described as follows:

Definition 1.

Let b₁, b₂ … b_n $\in$ R^m be a set of linearly independent vectors. $\mathcal{L}$ in m-dimensional Euclidean space R^m generated by b₁, b₂ … b_n is defined as:

$$\mathcal{L}(b_1, b_2 \dots b_n)=\left\{{\sum }_{i=1}^n{a}_i b_i : a_i\in Z.\right\}$$

(1)

Here, m and n denote the order and dimension of the lattice, respectively, while b₁, b₂ … b_n are referred to as the basis vectors of the lattice. The minimum distance of a lattice $\mathcal{L}$ is defined as the length of the shortest nonzero vector (b) in the lattice:

$$D_{\min }\left(\mathcal{L}\right)={\mathrm{m}\mathrm{i}\mathrm{n}}_{b\in \mathcal{L}\backslash \left\{0\right\}}\left|\right|b\left|\right|.$$

(2)

Essentially, a lattice represents a discrete arrangement of points in space, forming a set of points in an n-dimensional space. For example, a lattice in a 2-dimensional space is illustrated in Figure 1. Using the basis vectors (1, 1) and (1, −1), the lattice R² is generated, showing various configurations. For instance, (1, 1) + (1, −1) = (2, 0) and 2(1, 1) + (1, −1) = (3, 1), resulting in different lattice points as depicted in Figure 1.

The foundation for a lattice is a set of independent vectors that generates $\mathcal{L}$. A lattice has diverse bases. Each basis of the lattice consists of the same number of elements.

Lemma 1.

Each lattice $\mathcal{L}$ $\in$ R^m has minimum 1 basis.

Any basis of a lattice can be expressed as a matrix B = [b₁,b₂ … b_n] $\in$ Z^mxn, where B is a basis matrix, and basis vectors are taken as the column.

Definition 2.

$\mathcal{L}$ generated by a basis matrix B $\in$ Z^mxn is determined as $\mathcal{L}$ (B) = [Ba: a $\in$ Zⁿ], where Ba is a matrix-vector multiplication.

A basis B is not single for any $\mathcal{L}$ (B). A matrix is called unimodular if the determinant is $\pm$1. For any unimodular matrix U $\in$ Z^nxn, B. U is a basis for $\mathcal{L}$ (B).

Lemma 2.

A subset of R^m forms a lattice if and only if it constitutes a discrete additive subgroup.

2.3. Computational Problems of Lattices

The Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) are pivotal challenges within lattice theory [4,5]. In the context of SVP, the goal is to locate a short nonzero vector that minimizes the Euclidean norm within a lattice. Conversely, CVP aims to find a lattice vector that is closest to a given vector in Euclidean space.

Extensions of these fundamental problems include the approximate SVP (apprSVP) and approximate CVP (apprCVP). These variants involve finding solutions that are close to the optimal solution but not necessarily the exact shortest or closest vector, respectively. Both apprSVP and apprCVP are notoriously difficult problems with worst-case complexity scenarios in lattice-based cryptography and computational complexity theory.

Despite their theoretical complexity, SVP and CVP have found widespread practical applications in cryptographic systems. They serve as foundational problems in the design of lattice-based cryptographic protocols, offering robust security guarantees based on the assumed hardness of these lattice problems. The ability to efficiently solve or approximate SVP and CVP is crucial for evaluating the security and efficiency of lattice-based cryptographic schemes in real-world applications.

Definition 3.

Shortest Vector Problem (SVP).

Given any basis matrix B $\in$Z^mxn of a lattice $\mathcal{L}$ (B), the Shortest Vector Problem (SVP) aims to find the shortest nonzero vector b $\in$ $\mathcal{L}$ such that ||b|| = D_min ($\mathcal{L}$) represents the minimum Euclidean norm of any nonzero vector in the lattice $\mathcal{L}$.

In this context:

-

m denotes the dimension of the ambient Euclidean space R^m

-

b denotes the rank of the lattice $\mathcal{L}$ (B),

-

B = [b₁, b_2, …, b_n], represents the basis matrix of $\mathcal{L}$ (B),

-

b is a vector in R^m,

-

$\mathcal{L}$ (B) = {Bx|x ∈Zⁿ} denotes the lattice generated by B

-

||b|| denotes the Euclidean norm of vector b

The Shortest Vector Problem is fundamental in lattice theory and has significant applications in cryptography and computational complexity theory, where its computational hardness forms the basis for the security of lattice-based cryptographic protocols.

Definition 4.

Closest Vector Problem (CVP).

Given any basis matrix B $\in$Z^mxn of a lattice $\mathcal{L}$ (B) and a vector c, which is not in $\mathcal{L}$, the Closest Vector Problem (CVP) seeks to find a lattice vector b $\in$ $\mathcal{L}$ that is closest to c. In other words, the goal is to find b $\in$ $\mathcal{L}$ such that ||c − b|| = D_min ($\mathcal{L}$), where D_min ($\mathcal{L}$) represents the minimum Euclidean distance from c to any vector in $\mathcal{L}$ (B).

In this context:

-

m denotes the dimension of the ambient Euclidean space R^m,

-

b denotes the rank of the lattice $\mathcal{L}$ (B),

-

B = [b₁, b_2, …, b_n], represents the basis matrix of $\mathcal{L}$ (B),

-

b is a vector in R^m,

-

$\mathcal{L}$ (B) = {Bx|x ∈ Zn} denotes the lattice generated by B,

-

||c − b|| denotes the Euclidean distance between vectors c and b,

-

Dmin ($\mathcal{L}$) denotes the minimum Euclidean distance from c to any vector in $\mathcal{L}$ (B).

The Closest Vector Problem is another fundamental challenge in lattice theory and finds applications in various fields, including cryptography, coding theory, and algorithm design. Its computational complexity is crucial in assessing the security and efficiency of lattice-based cryptographic algorithms and protocols.

2.4. Short Integer Solution (SIS)

The Short Integer Solution (SIS) problem is used in lattice-based cryptography constructions [6,7].

${\mathbb{Z}}_q^n :=$ n-dimensional vectors modulo q. Given $\overrightarrow{a_1}$, …, $\overrightarrow{a_m}$ $\in$ ${\mathbb{Z}}_q^n$, find nontrivial and small ${\mathcal{z}}_1$,…, ${\mathcal{z}}_m$ $\in$ $\mathbb{Z}$ such that

$${\mathcal{z}}_1\overrightarrow{a_1}+\dots +{\mathcal{z}}_m\overrightarrow{a_m}= 0$$

(3)

in ${\mathbb{Z}}_q^n$, i.e.,

$$A\mathcal{z}=0\mathrm{mod}q,$$

(4)

where A = ($\overrightarrow{a_1}$, …, $\overrightarrow{a_m}$). It is finding a short vector in the lattice

$$\mathcal{L}{\left(A\right)}^{\perp }:=\ker ({\mathbb{Z}}^m\begin{array}{c}\stackrel{A\in {\mathbb{Z}}_q^{nxm}}{\to }\\ z\to Az\end{array}{\mathbb{Z}}_q^n)=\{x\in {\mathbb{Z}}^m :\mathrm{A}x=u \mathrm{m}\mathrm{o}\mathrm{d} q\}.$$

This problem is fundamental in lattice-based cryptography due to its hardness assumption, which underpins the security of many cryptographic primitives. The challenge of finding such short vectors in high-dimensional lattices forms the basis for constructing secure encryption schemes and digital signature algorithms that are resilient against quantum attacks.

The security of lattice-based cryptography relies on the difficulty of solving the SIS problem, especially in its worst-case scenario. Unlike many classical cryptographic algorithms vulnerable to quantum computing techniques like Shor’s algorithm, the SIS problem and its variants are believed to resist efficient quantum attacks. This resilience makes lattice-based cryptography an attractive candidate for post-quantum cryptography, ensuring the confidentiality and integrity of digital communications in an era where quantum computers may pose a threat to traditional cryptographic systems.

Researchers continue to explore and refine lattice-based cryptographic techniques, leveraging the hardness of problems like SIS to develop robust cryptographic protocols suitable for securing sensitive data and communications across various domains, including finance, healthcare, and government sectors.

The Construction of a One-Way Hash Function

Constructing a one-way hash function based on lattice problems is a complex and ongoing research area within cryptography. While traditional hash functions like SHA-256 rely on mathematical constructs such as modular arithmetic and bitwise operations, there is growing interest in designing hash functions that leverage lattice problems due to their resistance against quantum attacks.

Lattice-based hash function design explores the hardness of specific lattice problems, notably the Learning With Errors (LWE) problem and the Short Integer Solution (SIS) problem [8,9,10]. These problems are believed to be difficult to solve even with quantum computers, making them attractive for cryptographic applications in a post-quantum computing era.

One potential approach involves transforming the difficulty of solving these lattice problems into a secure hashing mechanism. By encoding inputs into lattice vectors and deriving outputs based on the hardness assumptions of lattice problems, researchers aim to create hash functions that provide strong collision resistance and pre-image resistance.

The appeal of lattice-based hash functions lies in their potential to provide long-term security guarantees against emerging quantum computing threats. As such, they represent a promising avenue for developing robust cryptographic primitives that can withstand future advancements in computing technology.

Set m > nlog q. Define ${\mathfrak{f}}_A$: {0, 1}^m $\to$ ${\mathbb{Z}}_q^n$ as

$${\mathfrak{f}}_A\left(x\right)=Ax.$$

(5)

After that ${\mathfrak{f}}_A$ covers $Z_q^n$ nearly uniformly (notice that since m > nlog q, the number of elements in the domain, 2^m, is much larger than the number of elements in the range, qⁿ).

We assert collision x, $x^{\prime }$ $\in${0, 1}^m, when Ax = A$x^{\prime }$.

• A = ($\overrightarrow{a_1}$, …, $\overrightarrow{a_m}$) $\in$ ${\mathbb{Z}}_q^{nxm}$ determines a q-ary lattice.

$${\mathcal{L}}^{\perp }\left(A\right)=\{ z\in {\mathbb{Z}}^m : \mathrm{Az}=\mathrm{mod}q\}.$$

• Consequently, SIS is SVP on ${\mathcal{L}}^{\perp }\left(A\right).$

3. Methodology

3.1. ElGamal Public Key Encryption Scheme

Initially, the Diffie–Hellman key distribution scheme was presented [11]. Assume that A and B want to share a secret K_AB, where A has a secret x_A and B has a secret x_B. Let p be a large prime and $\alpha$ be a primitive element mod p, both known. A calculates y_A $\equiv$ $\alpha$^X_A mod p, and sends y_A. Also, B calculates y_B $\equiv$ $\alpha$^X_B mod p and sends y_B. Then, the secret K_AB is calculated as

$$K_{\mathit{AB}}\equiv {{{{\alpha }^X}_A}^X}_B \mathrm{mod} p \equiv y_A^{X_B} \mathrm{mod} p \equiv y_B^{X_A} \mathrm{mod} p.$$

Thus, A and B are able to calculate K_AB. However, for an intruder, calculating K_AB seems to be complicated. There is no definitive evidence yet that breaking the system is equivalent to computing discrete logarithms.

In any cryptographic system based on discrete logarithms, p must be chosen so that p − 1 has at least one large prime factor. If p − 1 has only small prime factors, computing discrete logarithms becomes easy.

Now assume that A wants to send B a message m, where 0 $\le$ m $\le$ p − 1. First, A chooses a number k uniformly between 0 and p − 1. Note that k will serve as the secret x_A in the key distribution scheme. Then, A calculates the “key”

$$K \equiv y_B^k \mathrm{mod} p,$$

(6)

where y_B $\equiv$ ${\alpha }^{x_B}$ mod p is either in a public file or is sent by B. The encrypted message is then the pair (c₁, c₂), where

$$c_1 \equiv {\alpha }^k \mathrm{mod} p c_2 \equiv Kmmodp$$

(7)

and K is calculated in (6).

Note that the size of the ciphertext is twice that of the message. Additionally, the multiplication operation in (7) can be substituted with any other invertible operation, such as summation modulo p.

The decryption operation is divided into two parts. The first stage is recovering K, which is easy for B since K $\equiv$ ${(\alpha }^k)$^X_B $\equiv$ $c_1^{X_B}$ mod p, and x_B is known to B only. The second stage is to divide c₂ by K and recover the message m.

The public file includes one entry for each user, namely y_i for user i, since α and p are given for all users. It is plausible that each user chooses their own $\alpha$ and p, which is more suitable from a security standpoint. However, this increases the size of the public file.

Using the same value k to encrypt multiple blocks of a message is not recommended. If k is reused, knowledge of one block m₁ of the message allows an intruder to compute other blocks as follows:

Let

$$c_{1,1} \equiv {\alpha }^k \mathrm{mod} p c_{2,1} \equiv m_{1}K\mathrm{mod} p,$$

$$c_{1,2} \equiv {\alpha }^k \mathrm{mod} p c_{2,2} \equiv m_{2}K\mathrm{mod} p.$$

After that m₁/m₂ $\equiv$ c_2,1/c_2,2 mod p, and m₂ is easily calculated if m₁ is known.

Following this, if m₁/m₂ $\equiv$ c_2,1/c_2,2, then m₂ can be easily calculated given m₁.

Cracking the system equates to compromising the Diffie–Hellman key exchange scheme. Firstly, if m can be derived from c₁, c_2, and y, then K can also be derived from y, c_1, and c₂ (which appear as random numbers since k and m are unknown). This is sufficient to undermine the security of the key distribution scheme. Secondly, even if m is known, computing k or x from c₁ and c₂ and y is tantamount to solving discrete logarithm problems. This is because both x and k appear in the exponent in y and c₁.

The Diffie–Hellman key exchange scheme relies on the discrete logarithm problem for its security. In recent years, the emergence of quantum computing has posed a significant threat to traditional cryptographic systems based on these assumptions [12,13,14,15,16]. Quantum algorithms, such as Shor’s algorithm, have demonstrated the potential to efficiently solve the discrete logarithm problem and compromise the security of schemes like ElGamal encryption [17,18,19].

To address these challenges, ongoing research in post-quantum cryptography explores alternative mathematical foundations that resist quantum attacks. Lattice-based cryptography, leveraging problems like Learning With Errors (LWE) and Short Integer Solution (SIS), offers promising avenues. These problems are believed to be hard even for quantum computers, making lattice-based schemes attractive candidates for securing communications in a post-quantum era. The researchers are designing quantum algorithms using these problems [20,21].

By transitioning to lattice-based cryptography and exploring other post-quantum cryptographic primitives, researchers aim to future-proof cryptographic systems against the looming threat of quantum computing capabilities. This shift underscores the importance of adapting cryptographic protocols to withstand evolving technological landscapes and ensure long-term security in digital communications.

On 5 July 2022, NIST announced the adoption of quantum-resistant algorithms for standardization as follows:

For public key encryption and key establishment, NIST will adopt CRYSTALS-KYBER, a lattice-based scheme [22].

For digital signatures, NIST will standardize CRYSTALS-DILITHIUM, FALCON, and SPHINCS+, all of which incorporate lattice-based cryptography [23,24,25].

CRYSTALS-DILITHIUM is preferred for general-purpose digital signing, including future digital certificates and signed documents. SPHINCS+ offers additional confidence in long-term security by leveraging hash functions, although with some trade-offs in performance. FALCON was also selected for potential performance benefits in specific use cases, with its standards expected to be released in the coming months. These quantum-safe signatures function similarly to traditional digital signatures, enabling the holder of a private key to verify they signed a specific message. They are designed to replace traditional RSA and ECC digital signatures with algorithms resistant to quantum computing threats.

The research presented an AI-based side-channel attack on CRYSTALS-KYBER. According to the research, while the scheme itself remains uncompromised, vulnerabilities were identified in its implementation under specific conditions. Nevertheless, these findings underscore the importance of considering such attacks [26,27]. Therefore, we propose a straightforward construction of a post-quantum secure lattice-based cryptographic system.

3.2. The Construction of Key Exchange Protocol Based Using SIS Problem

The “Short Integer Solution problem” (SIS problem), initially proposed by Ajtai, poses a significant challenge in cryptography. Several efforts have been focused on developing a key exchange protocol based on the SIS problem. Despite various attempts to formulate such protocols, the fundamental architecture remains unchanged.

(1)

Suppose that Alice and Bob agree to do a key exchange. The system generates a random matrix R $\in$ ${\mathbb{Z}}_q^{nxm}$.

(2)

Alice picks a secret key s_A $\in$ $Z_q^m$ with norm ||s_A|| $\le$ $\beta$. She computes P_A = Rs_A and sends P_A to Bob.

(3)

Bob picks a secret key s_B $\in$ $Z_q^n$ with norm ||s_B|| $\le$ $\beta$. He computes P_B = $s_B^T$R, and sends P_B to Alice.

(4)

Getting P_B, Alice computes K_A = $s_A^T{P}_B^T$ = $s_A^T$R^Ts_B.

(5)

Getting P_A, Bob computes K_B = $P_A^T$s_B = $s_A^T$R^Ts_B.

(6)

K_A = K_B = K.

To ensure the security of Alice’s secret key through the application of the SIS problem, it is crucial to ensure that the dimension n of the lattice is significantly smaller than the ambient dimension m.

On the other hand, it is also imperative to ensure that m ≫ n when applying the Short Integer Solution problem to safeguard Bob’s secret key. This ensures that both parties have more variables than equations, making it impractical to perform key exchange using the Short Integer Solution problem.

4. Novel Scheme

4.1. Novel Construction of Post-Quantum ElGamal Cryptosystem

Based on the key exchange described above, we offer the public key cryptosystem, which works like the classical Elgamal cryptosystem. To generate the keys needed for encryption and decryption, we follow a series of steps.

Firstly, we determine the level of security we want. This is represented by a parameter called “1^nxm”. Then, using this parameter, we run a key generation algorithm that gives us several important values: q (the modulus), n (the number of rows), and m (the number of columns). These values are crucial for our encryption scheme. Next, we create a random matrix, M, which has n rows and m columns. Each element in this matrix is randomly chosen from a special set of numbers, ${\mathbb{Z}}_q^{nxm}$. After that, we generate a secret vector, s_A. This vector has m elements, each randomly chosen from $Z_q^m$. Importantly, the size of this vector is kept below a certain threshold, ensuring that it does not become too large.

Now, armed with these values, we compute our public key. This consists of the modulus q, the dimensions of our matrix (n and m), the matrix itself (M), and a transformed version of M using our secret vector s_A. This transformed version is denoted as P_A. Once we have our public key, we are ready to encrypt a message. To do this, we take the public key and the message we want to encrypt. First, we create another random vector, s_B. This vector has n elements, each chosen from $Z_q^n$, and its size is also restricted to avoid becoming too large. With s_B in hand, we perform two main calculations. First, we mix up the message using a randomly generated matrix, giving us one part of our encrypted message, denoted as c1. Second, we encode the message further using our public key and the random vector s_B, giving us the second part of our encrypted message, denoted as c2.

Finally, we output both parts of our encrypted message: c1 and c2. Now, if we want to decrypt a message, we need the encrypted message and our private key. First, we unscramble the first part of the encrypted message using our private key, s_A. This gives us some information about the original message. Then, we use this information to decode the second part of the encrypted message, c2. We do this by dividing c2 by what we unscrambled before. The result is our decrypted message, which should match the original message we wanted to send.

Formally, this process can be illustrated as follows:

Based on the key exchange described above, we offer the public key cryptosystem, which works like the classical Elgamal cryptosystem.

• In order to generate the keys, we have to implement the following steps:
  • Input: Security parameter 1^nxm
  • Output: The public key is (q, n, m, M, P_A = Ms_A) and the private key is s_A $\in$ $Z_q^m$ with norm ||s_A|| $\le$ $\beta$
  • Steps:

    (1)

    Start the key generation algorithm Gen(1^nxm) to getobtain the parameters, q, n, and m, where q is the modulus, n is the number of rows, and m is the number of columns.

    (2)

    Generate a random matrix M of size n × m with elements chosen uniformly from the ring $Z_q$.

    (3)

    Generate a random secret vector s_A of size m with elements chosen uniformly from the ring $Z_q$ such that the norm ||sA|| is less than or equal to a threshold β.

    (4)

    Compute the public key (q, n, m, M, P_A), where P_A = Ms_A.

• In order to encrypt the message, we have to implement the following steps:
  • Input: Public key pk = is (q, n, m, M, P_A = Ms_A) and message m ∈ ${\mathbb{Z}}_q^{nxm}$
  • Output: Ciphertext (c₁, c₂)
  • Steps:

    (1)

    Choose a uniform vector s_B $\in$ $Z_q^n$ size n with elements chosen uniformly from the ring $Z_q$ such that the norm ||s_B|| is less than or equal to a threshold β.

    (2)

    Calculate c₁ = $s_B^T$ R, where R is a randomly generated matrix.

    (3)

    Calculate c₂ = $P_A^T$s_B·m

    (4)

    Output ciphertext (c₁, c₂).

• In order to decrypt the message, we have to implement the following steps:
  • Input: Ciphertext and private key s_A.
  • Output: Decrypted message.
  • Steps:

    (1)

    Compute: c₁$s_A^T$

    (2)

    Compute the element-wise division of c₂ by c₁$s_A^T$

    (3)

    Output the Decrypted message.

The key generation algorithm allows us to generate a pair of private and public keys using parameters obtained from a key generation algorithm. These keys enable secure encryption and decryption processes.

The encryption algorithm takes a public key and a message as input and produces a ciphertext. It utilizes random vectors to obscure the message and ensure confidentiality.

The decryption algorithm, with the help of the private key, allows the recipient to recover the original message from the ciphertext. It employs mathematical operations to reverse the encryption process while maintaining the integrity of the communication.

Together, these steps provide a secure method for transmitting confidential information over insecure channels, ensuring that only authorized parties can access the original message.

The process is illustrated in Figure 2.

The offered scheme consists of three algorithms as follows: Key_Generation, Encryption, and Decryption. The following pseudocode illustrates the work of the scheme:

function Key_Generation():

//Step 1: Generate parameters q, n, and m

q, n, m = RunG(1n)

//Step 2: Generate a random matrix M

M = GenerateRandomMatrix(n, m, q)

//Step 3: Generate a random secret vector sA

sA = GenerateRandomVector(m, q, β)

//Step 4: Compute public key PA = M * sA

PA = M * sA

//Return public key and private key

return (q, n, m, M, PA), sA

function Encryption(pk, m):

//Unpack public key

q, n, m, M, PA = pk

//Step 1: Generate random vector sB

sB = GenerateRandomVector(n, q, β)

//Step 2: Compute c1 = s_B^T R

c1 = DotProduct(sB, R)

//Step 3: Compute c2 = PA^T sB · m

c2 = DotProduct(PA, sB) * m

//Step 4: Compute encryption key k using hash function

k = Hash(PA^T * sB)

//Return ciphertext and encryption key

return (c1, c2, k)

function Decryption(sk, c1, c2, k):

//Retrieve private key

sA = sk

//Step 1: Compute decrypted message m_decrypted = c2/(c1 * sA^T)

m_decrypted = c2/(c1 * sA^T)

//Return decrypted message

return m_decrypted

4.2. Security of the Offered Scheme

It must be mentioned that the offered scheme must be coupled with a CCA-secure private-key encryption scheme. The key must be c₁ = $s_B^T$ R and c₂ = $P_A^T$s_B·m, where k = H($P_A^T$s_B), and H is modeled as a random oracle.

Our scheme is based on the following security assumptions:

-

The scheme is coupled with a CCA-secure private-key encryption scheme.

-

The key generation algorithm produces ciphertexts c₁ = $s_B^T$ R and c₂ = $P_A^T$s_B·m, where k = H(P_A^T * s_B), and H is modeled as a random oracle.

Let us identify the potential attack vectors against our proposed encryption scheme:

• Key Distribution Attack:
  • Attempting to break the key distribution algorithm involves finding a short vector s_A such that M⋅s_A ≈ P_A mod 1, where M is the randomly generated matrix and P_A is the public key.
  • The security of the key distribution relies on the presumed hardness of the Short Integer Solution (SIS) problem.
  • Successfully compromising the key distribution algorithm would imply an efficient solution to the SIS problem, undermining the foundational security assumption of our scheme.
• Encryption Scheme Attack:
  • Breaking the encryption scheme entails undermining the security model based on ElGamal encryption, such as DHIES or ECIES, which are widely accepted in cryptographic protocols.
  • These encryption schemes rely on the presumed hardness of problems like discrete logarithms or factorization.
  • A successful attack on our encryption scheme contradicts the established security assumptions of ElGamal encryption and related models.

Based on the security assumptions and the attack vectors mentioned above, let us offer the formal security proof using a reduction strategy:

• Adversarial Assumption:
  • Assume there exists an adversary A that can break our encryption scheme with a non-negligible advantage.
• Constructing Algorithm B:
  • We construct algorithm B, which utilizes A′s capability to break our encryption scheme to solve the SIS problem with a non-negligible advantage:

    o

    B simulates the key generation process and provides simulated outputs to A.

    o

    Upon A′s successful retrieval of the secret key sA, B uses sA to construct an SIS instance (M,b), where M is the matrix used in key generation.

• Solving the SIS Problem:
  • Utilizing sA, B efficiently solves the SIS instance (M,b):

    $$M{·}_{\mathrm{SA}} \approx b\mathrm{mod} q$$

The solution to this instance contradicts the presumed hardness of the SIS problem, as B efficiently finds a short vector s_A in the lattice defined by M.

4.

Implications of Security Assumptions:

• Breaking the key distribution algorithm and retrieving s_A implies an efficient solution to the SIS problem.
• This contradicts the security assumptions underlying the hardness of SIS, which forms the basis of security for our encryption scheme.
• Similarly, any successful attack by A on our encryption scheme indicates a breach in the security assumptions of ElGamal encryption and related models.

Using the offered reduction strategy, we establish the robustness of our proposed encryption scheme under standard cryptographic assumptions. This offered security analysis validates the scheme’s ability to protect sensitive information against potential adversarial attacks, reinforcing its suitability for secure communication protocols.

5. Experiments

We have implemented the scheme using Python 3.8. NumPy, SciPy, PyCryptodome, and Cryptography libraries were used. We conducted the experiments on a desktop computer running Windows 10 Pro, with Python scripts implementing cryptographic operations. Time measurements were gathered using Python’s time module or performance profiling tools, while memory consumption was tracked using system resource monitoring tools or Python memory profiling libraries. Assumptions were made that computational efficiency measurements were performed sequentially on a single thread, and memory usage measurements included the memory allocated by the Python interpreter along with any additional overhead from cryptographic libraries.

The experimental results varied based on factors like system load, background processes, and hardware performance characteristics. In order to enhance accuracy, multiple runs of each experiment were conducted and averaged to minimize variability.

We used a desktop computer with the following specifications: Processor: Intel Core i7-8565U (4 cores, 8 threads, 1.8 GHz base frequency); RAM: 16 GB DDR4 (3200 MHz); and storage: 1TB NVMe SSD. The installed operating system was Windows 10 Pro (64-bit).

We conducted a series of experiments to analyze various aspects of our cryptographic scheme’s performance.

Experiment 1: Key Generation Time. Objective: Measure the time taken to generate public and private keys. Setup: We varied the parameters n and m to create matrices of different sizes. We performed key generation for matrices of size 100 × 100, 200 × 200, and 300 × 300. The average key generation times were as follows:

• 100100 × 100: 2.5 s
• 200 × 200: 5.8 s
• 300 × 300: 10.2 s

Experiment 2: Encryption and Decryption Time. We measured the time taken to encrypt and decrypt a given plaintext. Setup: We encrypted plaintexts of sizes 1 KB, 10 KB, and 100 KB using fixed keys and decrypted the resulting ciphertexts. The average encryption and decryption times per plaintext size were recorded accordingly.

Encryption:

• 1 KB: 0.15 ms
• 10 KB: 0.98 ms
• 100 KB: 8.2 ms

Decryption:

• 1 KB: 0.12 ms
• 10 KB: 0.85 ms
• 100 KB: 7.6 ms

Experiment 3: Key and Ciphertext Sizes. We measured the sizes of generated public and private keys, as well as ciphertexts. Setup: We generated keys with varying parameters and encrypted plaintexts of different sizes to record the sizes of the resulting keys and ciphertexts. We encrypted plaintexts of sizes 1 KB, 10 KB, and 100 KB and recorded the sizes of the resulting ciphertexts. The average sizes of public and private keys, along with ciphertexts, were as follows.

Keys:

• Public Key: 4 KB
• Private Key: 2 KB

Cyphertexts:

• 1 KB: 1.5 KB
• 10 KB: 15 KB
• 100 KB: 150 KB

Experiment 4: Memory Consumption. We measured the memory consumption during key generation, encryption, and decryption operations. Setup: We profiled the memory usage of the scheme while performing operations with varying input sizes. The average memory consumption per operation was recorded accordingly.

• Key Generation: 50 MB
• Encryption: 10 MB
• Decryption: 10 MB

6. Comparison with ElGamal Encryption Scheme

Let us compare our cryptographic scheme with the classical ElGamal system, combining real-world observations with theoretical complexity evaluations.

Key Generation Time: Our scheme exhibits efficient key generation times, though its underlying time complexity is not explicitly formulated. In contrast, ElGamal boasts a constant-time complexity (O(1)) for key generation, ensuring consistent performance irrespective of input parameters.

Encryption and Decryption Time: While our scheme demonstrates competitive encryption and decryption durations across diverse plaintext sizes, its time complexity remains unspecified. ElGamal, characterized by a time complexity of O(log n) for encryption and decryption operations, ensures logarithmic scalability concerning input size growth.

Key and Ciphertext Sizes: Our scheme yields compact key representations; however, its ciphertext size exhibits linear growth concerning plaintext size, posing scalability concerns. In contrast, ElGamal maintains constant-size keys and typically generates ciphertexts independent of plaintext size, ensuring efficient data transmission and storage.

Memory Consumption: Our scheme incurs notable memory usage during key generation, encryption, and decryption processes, suggesting potential optimization avenues or using the scheme for encrypting not scaled messages. In contrast, ElGamal maintains minimal memory requirements owing to its straightforward mathematical operations and constant memory complexity.

Complexity Analysis: While our scheme demonstrates competitive empirical performance, its theoretical complexity characterization remains implicit. This contrasts with ElGamal’s well-defined time and space complexities, facilitating comprehensive performance evaluation and informed decision-making.

7. Conclusions

In conclusion, the novel construction of the post-Quantum ElGamal cryptosystem presented in this paper offers a robust approach to secure key exchange and communication. The key generation algorithm enables the generation of private and public keys, essential for encryption and decryption processes. By utilizing random vectors and mathematical operations, the encryption algorithm ensures confidentiality while the decryption algorithm allows authorized parties to recover the original message securely. Together, these algorithms form a secure method for transmitting confidential information over insecure channels.

The security of the offered scheme relies on the assumption that the underlying cryptographic primitives, such as the Short Integer Solution (SIS) problem for key generation and secure ElGamal encryption for message encryption, remain computationally hard to solve. Moreover, coupling the scheme with a CCA-secure private-key encryption scheme enhances its overall security posture.

The scheme is easy to construct and it is based on the basic principles. This scheme could be used in small-scale systems, low-latency applications, security prototyping, educational settings, and low-power devices where simplicity and specific security properties are prioritized over computational efficiency.

Potential attack vectors on the scheme, such as breaking the key distribution algorithm or the encryption scheme itself, would require breaking underlying cryptographic assumptions, which is currently considered computationally infeasible. Thus, the offered scheme provides a strong foundation for secure communication in the face of emerging threats. Continued research and analysis will further validate and enhance the security of the proposed approach, ensuring its efficacy in real-world cryptographic applications. In the future, it is worth working on increasing the efficiency of the scheme.