This paper gives the definitions of an anomalous super-increasing sequence and an anomalous subset sum separately, proves the two properties of an anomalous super-increasing sequence, and proposes the REESSE2+ public-key encryption scheme which inclu
des the three algorithms for key generation, encryption and decryption. The paper discusses the necessity and sufficiency of the lever function for preventing the Shamir extremum attack, analyzes the security of REESSE2+ against extracting a private key from a public key through the exhaustive search, recovering a plaintext from a ciphertext plus a knapsack of high density through the L3 lattice basis reduction method, and heuristically obtaining a plaintext through the meet-in-the-middle attack or the adaptive-chosen-ciphertext attack. The authors evaluate the time complexity of REESSE2+ encryption and decryption algorithms, compare REESSE2+ with ECC and NTRU, and find that the encryption speed of REESSE2+ is ten thousand times faster than ECC and NTRU bearing the equivalent security, and the decryption speed of REESSE2+ is roughly equivalent to ECC and NTRU respectively.
This paper gives the definition and property of a bit-pair shadow, and devises the three algorithms of a public key cryptoscheme called JUOAN that is based on a multivariate permutation problem and an anomalous subset product problem to which no sube
xponential time solutions are found so far, and regards a bit-pair as a manipulation unit. The authors demonstrate that the decryption algorithm is correct, deduce the probability that a plaintext solution is nonunique is nearly zero, analyze the security of the new cryptoscheme against extracting a private key from a public key and recovering a plaintext from a ciphertext on the assumption that an integer factorization problem, a discrete logarithm problem, and a low-density subset sum problem can be solved efficiently, and prove that the new cryptoscheme using random padding and random permutation is semantically secure. The analysis shows that the bit-pair method increases the density D of a related knapsack to a number more than 1, and decreases the modulus length lgM of the new cryptoscheme to 464, 544, or 640.
To examine the integrity and authenticity of an IP address efficiently and economically, this paper proposes a new non-Merkle-Damgard structural (non-MDS) hash function called JUNA that is based on a multivariate permutation problem and an anomalous
subset product problem to which no subexponential time solutions are found so far. JUNA includes an initialization algorithm and a compression algorithm, and converts a short message of n bits which is regarded as only one block into a digest of m bits, where 80 <= m <= 232 and 80 <= m <= n <= 4096. The analysis and proof show that the new hash is one-way, weakly collision-free, and strongly collision-free, and its security against existent attacks such as birthday attack and meet-in-the- middle attack is to O(2 ^ m). Moreover, a detailed proof that the new hash function is resistant to the birthday attack is given. Compared with the Chaum-Heijst-Pfitzmann hash based on a discrete logarithm problem, the new hash is lightweight, and thus it opens a door to convenience for utilization of lightweight digital signing schemes.
It is well known that the inverse function of y = x with the derivative y = 1 is x = y, the inverse function of y = c with the derivative y = 0 is inexistent, and so on. Hence, on the assumption that the noninvertibility of the univariate increasing
function y = f(x) with x > 0 is in direct proportion to the growth rate reflected by its derivative, the authors put forward a method of comparing difficulties in inverting two functions on a continuous or discrete interval called asymptotic granularity reduction (AGR) which integrates asymptotic analysis with logarithmic granularities, and is an extension and a complement to polynomial time (Turing) reduction (PTR). Prove by AGR that inverting y = x ^ x (mod p) is computationally harder than inverting y = g ^ x (mod p), and inverting y = g ^ (x ^ n) (mod p) is computationally equivalent to inverting y = g ^ x (mod p), which are compatible with the results from PTR. Besides, apply AGR to the comparison of inverting y = x ^ n (mod p) with y = g ^ x (mod p), y = g ^ (g1 ^ x) (mod p) with y = g ^ x (mod p), and y = x ^ n + x + 1 (mod p) with y = x ^ n (mod p) in difficulty, and observe that the results are consistent with existing facts, which further illustrates that AGR is suitable for comparison of inversion problems in difficulty. Last, prove by AGR that inverting y = (x ^ n)(g ^ x) (mod p) is computationally equivalent to inverting y = g ^ x (mod p) when PTR can not be utilized expediently. AGR with the assumption partitions the complexities of problems more detailedly, and finds out some new evidence for the security of cryptosystems.
We illustrate through example 1 and 2 that the condition at theorem 1 in [8] dissatisfies necessity, and the converse proposition of fact 1.1 in [8] does not hold, namely the condition Z/M - L/Ak < 1/(2 Ak^2) is not sufficient for f(i) + f(j) = f(k).
Illuminate through an analysis and ex.3 that there is a logic error during deduction of fact 1.2, which causes each of fact 1.2, 1.3, 4 to be invalid. Demonstrate through ex.4 and 5 that each or the combination of qu+1 > qu * D at fact 4 and table 1 at fact 2.2 is not sufficient for f(i) + f(j) = f(k), property 1, 2, 3, 4, 5 each are invalid, and alg.1 based on fact 4 and alg.2 based on table 1 are disordered and wrong logically. Further, manifest through a repeated experiment and ex.5 that the data at table 2 is falsified, and the example in [8] is woven elaborately. We explain why Cx = Ax * W^f(x) (% M) is changed to Cx = (Ax * W^f(x))^d (% M) in REESSE1+ v2.1. To the signature fraud, we point out that [8] misunderstands the existence of T^-1 and Q^-1 % (M-1), and forging of Q can be easily avoided through moving H. Therefore, the conclusion of [8] that REESSE1+ is not secure at all (which connotes that [8] can extract a related private key from any public key in REESSE1+) is fully incorrect, and as long as the parameter Omega is fitly selected, REESSE1+ with Cx = Ax * W^f(x) (% M) is secure.
The authors discuss what is provable security in cryptography. Think that provable security is asymptotic, relative, and dynamic, and only a supplement to but not a replacement of exact security analysis. Because the conjecture P != NP has not been p
roven yet, and it is possible in terms of the two incompleteness theorems of Kurt Godel that there is some cryptosystem of which the security cannot or only ideally be proven in the random oracle model, the security of a cryptosystem is between provability and unprovability, and any academic conclusion must be checked and verified with practices or experiments as much as possible. Extra, a new approach to proof of P != NP is pointed out. Lastly, a reward is offered for the subexponential time solutions to the three REESSE1+ problems: MPP, ASPP, and TLP with n >= 80 and lg M >= 80, which may be regarded as a type of security proof by experiment.
