Maple Implementation of the Chor-Rivest

Cryptosystem

L. Hernández Encinas, J. Muñoz Masqué, and A. Queiruga Dios

Dpt. Information Processing and Coding, Applied Physics Institute, CSIC

C/ Serrano 144, E28006-Madrid, Spain
{luis, jaime, araceli}@iec.csic.es

Abstract. A Maple implementation of the Chor-Rivest cryptosystem is

presented. The main problems in this implementation are: to determine
discrete logarithms over GF (q h ), q ≈ 200 and h ≈ 25, and to use the
arithmetic of the finite fields in order to encrypt and decrypt messages.

1 Introduction

As it is known, the goal of Cryptography is to guarantee the secrecy and con-

fidentiality of communications between two or more users, who use an insecure
channel ([6], [7]). On the other hand, the goal of cryptanalysis is to break the
security and privacy of communications. Public Key Cryptography (PKC) was
born in 1976 when Diffie and Hellman proposed a protocol for key agreement
using an insecure channel ([4]). In PKC two keys are used: The encryption (or
public) key is used by the sender to encrypt a message; and the decryption
(or private) key is kept in secret by the receiver and it allows him to decrypt
the message. The security of these schemes is based on the computational in-
tractability of some Number Theory problems. In 1985, a cryptosystem based on
the knapsack problem was proposed (see [1], [2]). This system has been recently
broken by Vaudenay ([12]), but only for the parameters originally proposed. The
Chor-Rivest cryptosystem is based on the arithmetic of finite fields and it needs
to compute discrete logarithms. The discrete logarithm problem (DLP) can be
posed as follows: Given a prime integer p, a generator α of the cyclic group Z∗p ,
and an element β ∈ Z∗p , the DLP consists in finding an integer x, 0 < x ≤ p − 1,
such that β = αx . This problem is considered to be difficult because the best
algorithm known for solving it is the number field sieve ([11]) which has  a subex-
((64/9)1/3 +o(1))(ln p)1/3 (ln ln p)2/3 )
ponential expected running time: O e .
The cryptosystem has the interesting property that its security depends on the
knapsack problem but not on the DLP. In fact, the more tractable the DLP, the
easier to implement Chor-Rivest cryptosystem. So, results on how to compute
discrete logarithms more efficiently help to improve the implementations of Chor-
Rivest cryptosystem.
In this paper, we present a Maple implementation of the Chor-Rivest cryp-
tosystem. This implementation includes several procedures to compute discrete
logarithms in the finite field GF (q h ), q ≈ 200 and h ≈ 25. The rest of the paper

V.N. Alexandrov et al. (Eds.): ICCS 2006, Part II, LNCS 3992, pp. 438–445, 2006.

c Springer-Verlag Berlin Heidelberg 2006
 Maple Implementation of the Chor-Rivest Cryptosystem 439

is organized as follows: In section 2, we introduce the Chor-Rivest cryptosystem

to encrypt and decrypt messages. In section 3, the Maple procedures to compute
discrete logarithms in finite fields and the implementation of the cryptosystem
are presented. Finally, in section 4, the conclusions are stated.

2 The Chor-Rivest Cryptosystem

2.1 System Generation
The parameters of the cryptosystem are chosen as follows (for more details, see
[1] and [2]).

1. Let q be a prime and let h ≤ q be an integer so that the DLP can be efficiently
solved in the finite field GF (q h ). This property is crucial because the user has
to compute discrete logarithms in GF (q h ) to determine his keys. It is known
that the DLP can be efficiently solved if the order of the multiplicative
group considered, GF(q h )∗ , factorizes as a product of small prime factors
([8]). The running time of Pohlig-Hellman algorithm is proportional to the
largest prime factor of the order of the group.
2. A random element T ∈ GF (q h ) is chosen such that T is algebraic of degree
h over GF (q), by considering GF (q h ) ≈ GF (q)[T ]/(f (T )), where f (T ) is a
random irreducible monic polynomial of degree h in GF (q)[T ]. Note that
the elements in GF (q h ) are polynomials of degree ≤ h − 1 with coefficients
in GF (q), and the operations are done modulo q and f (T ).
3. Pick a generator g of the group GF (q h )∗ . To determine such generator, one
can choose a random element g ∈ GF (q h )∗ until it verifies g (q −1)/s = 1 for
h

all prime divisors, s, of q h − 1. Note that q an h are chosen so that q h − 1

has small prime factors, hence the above property is easy to verify.
4. The discrete logarithms, ai = logg (T + αi ), ∀αi ∈ GF (q), are computed.
5. The values bi = aπ(i) are obtained by means of a random permutation,
π : {0, 1, . . . , q − 1} → {0, 1, . . . , q − 1}.
6. A random noise, 0 ≤ r ≤ q h − 2, is added to obtain the public knapsack:
ci ≡ (bi + r)(mod(q h − 1)), i = 0, 1, . . . , q − 1.
7. The public key of the user is the set (c0 , c1 , . . . , cq−1 ).
8. The private key is the set (T, g, π, r).

2.2 Encryption
The sender encrypts the binary message M = (m0 , m1 , . . . , mq−1 ), mi ∈ {0, 1},
i = 0, . . . , q − 1 as follows:


q−1
E= mi · ci (mod(q h − 1)).
i=0

In section 3 we will show how to transform a binary text without constrains

into a binary vector of length q and weight h ([3]) and conversely.
440 L. Hernández Encinas, J. Muñoz Masqué, and A. Queiruga Dios

2.3 Decryption

To decrypt an encrypted message, E, the receiver executes the following steps:

1. Compute s ≡ E − h · r(mod(q h − 1)).


2. Determine the polynomial of degree h − 1, Q(T ) = g s (mod(f (T )).
3. Compute the h roots απ(i) of f (T ) + Q(T ) over the GF (q):

f (T ) + Q(T ) = (T + απ(i) ).
i∈I

4. Apply π −1 in order to recover the coordinates of the original message M

having the bit 1.

3 Implementation and Procedures in Maple

In this section we present the Maple procedures and commands needed to encrypt
and decrypt messages by using the Chor-Rivest system, with real parameters.

3.1 Procedures to Compute Discrete Logarithms in GF (q h )

To generate the system parameters, two procedures to compute discrete loga-

rithms over GF (q h ) are needed: The Pohlig-Hellman algorithm ([6], [8]) which
calls to the Baby-step Giant-step algorithm ([6]). The input of the PohligHellman
procedure is a generator (α) of GF (q h )∗ and an element (β) of the group. The
output is logα β. Our procedure is specifically designed to compute discrete log-
arithms in finite fields and it is suppose that q, h and f = f (T ) are known.
PohligHellman := proc(beta,alpha) local NN, FF, RR, DD, ii, PP, EE, XX,
QQ, EX, GG, LL, AA, jj, GG1, BB, OUT:
NN:=(q^h)-1: FF:=convert(factorset(NN),list):
RR:=nops(FF): DD:=ifactors(NN)[2]:
for ii from 1 to RR do PP[ii]:=DD[ii,1]: EE[ii]:=DD[ii,2]: end do:
for ii from 1 to RR do
XX[ii]:=0: QQ:=PP[ii]: EX:=EE[ii]: GG:=1: LL[-1]:=0:
AA:=Powmod(alpha,NN/QQ,f,T) mod q:
for jj from 0 to EX-1 do
GG:=Powmod(GG*Powmod(alpha,LL[jj-1]*QQ^(jj-1),f,T) mod q,1,f,T)
mod q: GG1:=Powmod(GG,-1,f,T) mod q:
BB:=Powmod(Powmod(beta*GG1,1,f,T) mod q,NN/(QQ^(jj+1)),f,T) mod q:
LL[jj]:=BabyGiant(BB,AA,QQ^EX): XX[ii]:=XX[ii]+LL[jj]*QQ^jj:
end do:
end do:
OUT:=chrem([seq(XX[ii],ii=1..RR)],[seq(PP[ii]^EE[ii],ii=1..RR)]):
return(OUT):
end:
 Maple Implementation of the Chor-Rivest Cryptosystem 441

The above procedure calls to BabyGiant procedure:

BabyGiant := proc(pB, pA, pI) local MM, TT, TT1, GG, ii, jj, kk, AA, OUT:
MM:=ceil(evalf(sqrt(pI))):
TT:=[seq(Powmod(pA,jj,f,T) mod q,jj=0..MM-1)]:
TT1:=[seq([jj-1,TT[jj]],jj=1..nops(TT))]: AA:=Powmod(pA,-MM,f,T) mod q:
for ii from 0 to MM-1 do
GG:=Powmod(pB*Powmod(AA,ii,f,T) mod q,1,f,T) mod q:
if member(GG,TT,’kk’) then OUT:=ii*MM+TT1[kk][1]: end if:
end do:
return(OUT):
end:
Both procedures (preceded by the command with(numtheory)) can be saved
in the file ProcsDLP.mpl to be loaded when it be necessary.

3.2 Message Transformation

The procedures to transform a binary message without constraints, T , into a
binary vector of length q and weight  h, and its inverse, are the following. T is
divided into blocks of length log2 hq bits. Each block can be considered as the
   
binary representation of an integer n, where 0 ≤ n < hq . Then, if n ≥ q−1 h , the
first bit of the output, v, is 1; otherwise, the bit is 0. Then q and h are updated
and the procedure is iterated q times.
Transformation := proc(int::integer,qq::integer,hh::integer)
local NN, QQ, HH, LL, ii:
NN:=int: QQ:=qq: HH:=hh: LL:=array(1..QQ):
for ii from 1 to QQ do
if NN >= binomial(QQ-ii,HH) then
LL[ii]:=1: NN:=NN-binomial(QQ-ii,HH): HH:=HH-1:
else LL[ii]:=0:
end if:
end do:
return([seq(LL[ii],ii=1..QQ)]):
end:
ITransformation:=proc(pL::list,pQ::integer,pH::integer)
local iN, ii, iQ, iH, lL:
iN:=0: iQ:=pQ: iH:=pH: lL:=pL:
if nops(lL) <> iQ or numboccur(lL,1) <> iH or
apply(max,seq(lL[i],i=1..iQ)) > 1 or
apply(min,seq(lL[i],i=1..iQ)) < 0 then
return(’Error’):
end if:
for ii from 1 to iQ do
if lL[ii] = 1 then iN:=iN+binomial(iQ-ii,iH): iH:=iH-1: end if:
end do:
return(iN):
end:
442 L. Hernández Encinas, J. Muñoz Masqué, and A. Queiruga Dios

Both procedures (preceded by the command with(ListTools))) can be saved

in the file ProcsMessT.mpl to be loaded when it be necessary.
3.3 The Cryptosystem
In this subsection we present the Maple commands to generate the keys, encrypt
and decrypt messages using the Chor-Rivest cryptosystem.
First, the receiver, R, restarts Maple to clear the memory and variables, loads
the procedures to compute discrete logarithms, and determine the parameters
of the system, which are saved in a file.
>restart: read "C:/CASA2006/ProcsDLP.mpl":
>q:=197; h:=24; G:=GF(q,h):
> f:=128+18*T+121*T^2+107*T^3+132*T^4+110*T^5+88*T^6+107*T^7+97*T^8+
159*T^9+131*T^10+95*T^11+73*T^12+168*T^13+130*T^14+171*T^15+40*T^16+
70*T^17+28*T^18+69*T^19+19*T^20+ 172*T^21+139*T^22+88*T^23+T^24:
>save q, h, "C:/CASA2006/Parameters.crc";
R computes and saves his private key (noise, permutation and generator).
>noise:=rand(1..(q^h)-2): r:=noise();
with(combinat,randperm): pii:=map(x->x-1,randperm(q));
factrs:=convert(factorset((q^h)-1),list); nfactrs:=nops(factrs);
>rg:=rand(0..1): rg1:=rand(1..q-1):
expg:=[seq(rg(),i=1..3)]: coefg:=[seq(rg1(),i=1..3)]:
g:=coefg[1]*expg[1]*T^2+coefg[2]*expg[2]*T+coefg[3]*expg[3]:
for i from 1 to nfactrs do
if Powmod(g,((q^h)-1)/factrs[i],f,T) mod q = 1 then
print ("Please, choose a different value for g"):break:
end if:
end do:
>save f, r, pii, g, "C:/CASA2006/PrivateKey.prk":
Finally, R computes the DL ai and determines the elements of the public key
(the knapsack), ci , i = 0, . . . , 196, which are saved and made public.
>for i from 0 to q-1 do
PH:=PohligHellman(T+i,g): a[i]:=PH: b[i]:=a[pii[i+1]]:
c[i]:=(b[i]+r) mod ((q^h)-1):
end do:
PublicKey:=[seq(c[i],i=0..q-1)]:
save PublicKey, "C:/CASA2006/PublicKey.puk":
Some partial results obtained in this example are:
r = 5941772462477504021712491678951306610250731126197044392,
π = [81, 146, 160, . . . 64, 111, 169],
g = T + 8,
P ublicKey = {7625323205730082217130100275895618289835684684023020528,
...,
10145577571184720190572346163115496979342053810009806448}.
 Maple Implementation of the Chor-Rivest Cryptosystem 443

In the encryption process, the sender, S, restarts Maple and loads some pro-
cedures and the public key of the receiver.
>restart: with(StringTools): read "C:/CASA2006/ProcsMessT.mpl":
read "C:/CASA2006/Parameters.crc": read "C:/CASA2006/PublicKey.puk":
S writes down the text of his message, computes the length and the number
of blocks of the message, transforms and divides the message into blocks of the
same length, and transforms it in blocks of length q and weight h.
>Text:="Computer Algebra Systems and Their Applications, CASA’2006";
>ltext:=nops(Explode(Text)); lengt:=floor(log[2](binomial(q,h)));
lblock := floor(lengt/8); lmess:=lblock*ceil(ltext/lblock);
nblocks:=lmess/lblock; mascii:=map(Ord,Explode(Text)):
for i from 1 to lmess do
if (i<=ltext) then masciic[i]:=mascii[i]: else masciic[i]:=0: end if:
end do:
>for i from 1 to nblocks do
mess256[i]:=(convert([seq(masciic[j],j=(i-1)*lblock+1..i*lblock)],
base,256,10)):
messblock[i]:=sum(mess256[i][’j’]*10^(’j’-1),’j’=1..nops(mess256[i])):
M[i]:=Transformation(messblock[i],q,h):
end do:
Finally, S encrypts the message and saves it in a file to be sent to R.
>for i from 1 to nblocks do
E[i] := sum(M[i][’j’]*PublicKey[’j’],’j’=1..q) mod ((q^h)-1):
end do:
EncryptedMessage:=[seq(E[j],j=1..nblocks)]:
save EncryptedMessage, "C:/CASA2006/EncryptedMessage.mes":
The encrypted message corresponding to the original one is:
{10855811452733482391430481217627249373290172810833537037,
3202585566164216102458406919307132366444257340079736316,
11323380025066712989876028216475460861617165984770898397,
211917943989265378754649813365968072528466655688931543,
5620567254380493400571633868218080569011665365895027971}.
To recover the original message, the receiver restarts Maple and loads some
Maple procedures, the parameters of the system, his private key, and the en-
crypted message.
>restart: with(StringTools): with(numtheory):
read "C:/CASA2006/Parameters.crc": read "C:/CASA2006/PrivateKey.prk":
read "C:/CASA2006/EncryptedMessage.mes":
read "C:/CASA2006/ProcsMessT.mpl":
Then, R computes the polynomials of degree h over GF (q h ), Qi (T ), and
determines the roots of f (T ) + Qi (T ), by factoring those polynomials. In the
example, some partial results are:
444 L. Hernández Encinas, J. Muñoz Masqué, and A. Queiruga Dios

Q1 (T ) = 119T 23 + T 22 + 53T 21 + . . . + 84T 2 + 17T + 80,

f (T ) + Q1 (T ) = (T + 69)(T + 111)(T + 1) · · · (T + 50)(T + 96)(T + 159),
{απ(i) } = {128, 15, 16, 147, 36, 158, . . ., 76, 79, 82, 86, 91, 101}.
Later, R applies the inverse permutation to recover the coordinates of the
original message, obtains the partial messages and computes the integer numbers
corresponding to each partial message of length q and weight h.
>nblocks:=nops(EncryptedMessage); alias(alpha = RootOf(f)):
for j from 1 to nblocks do
sprime[j]:=EncryptedMessage[j]-h*r mod ((q^h)-1):
Q[j]:=Powmod(g,sprime[j],f,T) mod q:
end do:
>parc:=[]: R:=[]:
for j from 1 to nblocks do
pol[j]:=Factor(f+Q[j],alpha) mod q: sol[j]:=[msolve(pol[j]=0,q)]:
for i from 1 to h do
parc:=[op(parc),-rhs(op(sol[j][i])) mod q]:
end do:
if member(0,parc) then parc:=Rotate(parc,1): end if:
R:=[op(R),parc]: parc:=[]:
end do:
>Pos:=[]: psc:=[]:
for j from 1 to nblocks do
for i from 1 to h do
member(R[j][i],pii,’pos’): psc:=sort([op(psc),pos]):
end do:
Pos:=[op(Pos),psc]: psc:=[]:
end do:
>for j from 1 to nblocks do
m[j]:=array(1..q):
for i from 1 to h do m[j][Pos[j,i]]:=1: end do:
for i from 1 to q do
if m[j][i]<>1 then m[j][i]:=0: end if:
end do:
end do:
>for j from 1 to nblocks do
Me[j]:=ITransformation(convert(m[j],list), q, h):
end do:
Dm:=[seq(Me[j],j=1..nblocks)]:
Finally, the receiver decrypts the message and obtains the original message.
>for i from 1 to nblocks do
Mes:=(convert(Dm[i],base,256)): Message[i]:=map(Char,Mes):
end do:
RecoveredText:=Implode(Flatten([seq(Message[i],i=1..nblocks)],1));
“Computer Algebra Systems and T heir Applications, CASA 2006”
 Maple Implementation of the Chor-Rivest Cryptosystem 445

Most of the time of CPU is spent in the calculation of discrete logarithms. In

this example, the process of generation of the parameters and keys has required
19.37 minutes on a Pentium 4 CPU, 3.00Ghz. Note that this work is executed
only when the keys have to be stated. The CPU time used for encrypting and
decrypting the message have been of 0.124 and 0.108 seconds, respectively.

4 Conclusions
We have presented a Maple implementation of the Chor-Rivest cryptosystem
over finite fields by using commands and procedures. The main problems in this
implementation are to determine discrete logarithms over a finite field GF (q h ),
where q ≈ 200 and h ≈ 25, and to use the arithmetic in these finite fields.

Acknowledgements. This work has been supported by Ministerio de Edu-

cación y Ciencia (Spain), under grants SEG2004-02418 and MTM2005-00173.
Authors thank anonymous referees for their valuable suggestions.

References
1. B. Chor, Two issues in public key cryptography. RSA bit security and a new knap-
sack type system, The MIT Press, Cambridge, MS, 1985.
2. B. Chor and R.L. Rivest, A knapsack-type public key cryptosystem based on arit-
methic in finite fields, IEEE Trans. Inform. Theory 34, 5 (1988), 901–909.
3. T.M. Cover, Enumerative source encoding, IEEE Trans. Inform. Theory 19 (1973),
73–77.
4. W. Diffie and M. E. Hellman, New directions in Cryptography, IEEE Trans. In-
form. Theory 22 (1976), 644–654.
5. T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete
logarithm, IEEE Trans. Inform. Theory 31 (1985), 469–472.
6. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of applied cryptography,
CRC Press, Boca Raton, FL, 1997.
7. R.A. Mollin, An introduction to cryptography, Chapman & Hall/CRC, Boca Raton,
FL, 2001.
8. R.C. Pohlig and M.E. Hellman, An improved algorithm for computing logarithms
over GF (p) and its cryptographic significance, IEEE Trans. Inform. Theory 24
(1978), 106–110.
9. R.L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures
and public-key cryptosystems, Commun. ACM 21 (1978), 120–126.
10. A. Shamir, A polynomial-time algorithm for breaking the basic Merkle-Hellman
cryptosystem, IEEE Trans. Inform. Theory 30, 5 (1984), 699–704.
11. O. Schirokauer, D. Weber and T. Denny, Discrete logarithms: the effectiveness
of the index calculus method, Algorithmic Number Theory, LNCS 1122 (1996),
337–361, Springer-Verlag, Berlin.
12. S. Vaudenay, Cryptanalysis of the Chor-Rivest cryptosystem, J. Cryptology 14
(2001), 87-100.