1 Introduction
When she was only 16 years of age, Sarah Flannery won the EU Young Scientist of the Year Award for 1999. Her project consisted of a proposal of a public-key cryptosystem based on by matrices with entries from , where is the product of two distinct primes and . The cryptosystem she proposed was named the Cayley-Purser algorithm.^1
^1 The cryptosystem was named after the mathematicians Arthur Cayley and Michael Purser. Flannery [3] states that the Cayley-Purser algorithm was based in part on ideas in an unpublished paper by Michael Purser.
Because this algorithm was faster than the famous RSA public-key cryptosystem, it garnered an incredible amount of press coverage in early 1999; see, for example, the BBC News article [1] published on January 13, 1999. However, at the time of this press coverage, the algorithm had not undergone any kind of serious peer review. Unfortunately, the Cayley-Purser algorithm was shown to be insecure later in 1999, e.g., as reported by Bruce Schneier [5] in December 1999.
Ms Flannery later wrote an interesting book, entitled In Code: A Mathematical Journey [3], which recounts her experiences relating to her work on the algorithm. The technical description and the analysis of the Cayley-Purser algorithm, as well as an attack on it, are found in [3, Appendix A].
In this paper, I will describe the Cayley-Purser algorithm and two attacks on it, one of which is apparently new. I will also comment a bit on the underlying mathematical theory. Finally, I will examine a variant of the Cayley-Purser algorithm, which was patented in 2008 by Slavin, and show that it is also insecure.
2 The Cayley-Purser Algorithm
In this section, we describe the Cayley-Purser algorithm, which is presented in [3, pp. 274–277]. Note that all material in this section is paraphrased from [3].
Setup: Let , where and are large distinct primes. (We assume that it is infeasible to factor .) denotes the by invertible matrices with entries from . Let be chosen such that . Define . Then choose a secret, random positive integer and let .
The public key consists of .
The private key consists of .
Encryption: Let be the plaintext to be encrypted. The following computations are performed:
1. choose a secret, random positive integer
2. compute
3. compute
4. compute
5. compute
6. the ciphertext is .
Decryption: Let be the ciphertext to be decrypted. The following computations are performed:
1. compute (note: )
2. compute
Observe that the factorization is not needed in order to decrypt ciphertexts; the matrix is all that is required.
The correctness of the decryption process is easy to show.
Theorem 1.
[3] If the ciphertext is an encryption of the plaintext , then the decryption of yields .
Proof.
First we show that :
Then it is easy to verify that
∎
3 Two Attacks
The basis of the two attacks we will describe is the observation from [3, p. 290] that any scalar multiple can be used in place of in the decryption process. This is easy to see, because
(1) 
Therefore, using in step 1 of the decryption process still results in the correct value of being computed.
Thus, it is sufficient for an attacker to compute up to a scalar multiple. This will allow any ciphertext to be decrypted, since the factorization is not required in order to be able to decrypt ciphertexts.
3.1 Linear Algebra Attack
The attack described in this section is very simple but apparently new. It turns out to be straightforward to construct the private key (or a scalar multiple ) directly from the public key by solving a certain system of linear equations in . We make use of the following two equations involving :
(2) 
and
(3) 
Note that (2) follows from the formula . It is also clear that (3) holds because is a power of and hence and commute.
We observe that (2) and (3) are sufficient to compute , up to a scalar multiple, by solving a system of linear equations in . In these equations, and are known matrices and we are trying to determine . Let
(4) 
where . Then (2) and (3) each yield four homogeneous linear equations (in ) in the four unknowns . The solution space of (2) is a dimensional subspace of , as is the solution space of (3). However, when we solve all eight equations simultaneously, we get precisely the scalar multiples of (i.e., the solution space is a dimensional subspace of ).
We will justify the statements made above in the next section. For now, we illustrate the attack with a toy example.
Example 1.
Suppose and , so . Suppose we define
and
Then
Finally, suppose ; then
The system of linear equations to be solved is
The solution to this system is
. It is straightforward to verify that this solution space indeed consists of all the scalar multiples of .
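The following Python program is an added example, not the paper's code, that carries out the linear algebra attack on a constructed toy instance (the modulus, χ, α and r below are made up, not the values of Example 1). It takes the scheme's definitions as usually stated, β = χ^{-1}α^{-1}χ and γ = χ^{r}, so that (2) reads χβ = α^{-1}χ and (3) reads χγ = γχ; it builds the eight homogeneous equations in the four entries of χ, reduces them modulo n by Gauss-Jordan elimination with unit pivots, and returns the generator of the one-dimensional solution space, which is a scalar multiple of χ.

```python
from math import gcd
# Constructed toy instance (not the paper's Example 1): chi is the private key, alpha is public, and they do not commute.
N, CHI, ALPHA, R = 101 * 103, [[2, 3], [5, 7]], [[1, 1], [0, 1]], 7919

def mul(A, B, n=N):  # 2x2 matrix product mod n
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % n for j in range(2)] for i in range(2)]

def inv(A, n=N):  # 2x2 inverse mod n; pow() raises ValueError if det is not a unit mod n
    di = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % n, -1, n)
    return [[A[1][1] * di % n, -A[0][1] * di % n], [-A[1][0] * di % n, A[0][0] * di % n]]

def mpow(A, e, n=N):  # square-and-multiply exponentiation
    P = [[1, 0], [0, 1]]
    while e:
        P, A, e = (mul(P, A, n) if e & 1 else P), mul(A, A, n), e >> 1
    return P

def public_key(chi=CHI, alpha=ALPHA, r=R, n=N):  # (alpha, beta, gamma) with beta = chi^-1 alpha^-1 chi, gamma = chi^r
    return alpha, mul(mul(inv(chi, n), inv(alpha, n), n), chi, n), mpow(chi, r, n)

def linear_algebra_attack(pub, n=N):
    """Solve X*beta = alpha^-1*X (2) and X*gamma = gamma*X (3) for X = [[x0, x1], [x2, x3]] over Z_n."""
    alpha, beta, gamma = pub
    rows = []
    for M, P in ((beta, inv(alpha, n)), (gamma, gamma)):  # each matrix equation gives 4 linear forms
        for i in range(2):
            for j in range(2):
                row = [0] * 4
                for k in range(2):  # (X M)_ij = sum_k x_ik M_kj and (P X)_ij = sum_k P_ik x_kj
                    row[2 * i + k] += M[k][j]
                    row[2 * k + j] -= P[i][k]
                rows.append([c % n for c in row])
    # Gauss-Jordan elimination mod n with unit pivots: 8 equations, 4 unknowns, expected rank 3
    pivot = {}  # column -> index of the row whose entry there was scaled to 1
    for col in range(4):
        k = next((k for k in range(8) if k not in pivot.values() and gcd(rows[k][col], n) == 1), None)
        if k is None:
            continue  # no unit pivot available: the column stays free
        rows[k] = [c * pow(rows[k][col], -1, n) % n for c in rows[k]]
        for m in range(8):
            if m != k and rows[m][col]:
                rows[m] = [(a - rows[m][col] * b) % n for a, b in zip(rows[m], rows[k])]
        pivot[col] = k
    free = [c for c in range(4) if c not in pivot]
    if len(free) != 1:
        return None  # solution space is not one-dimensional, so the attack as described does not apply
    x = [int(c == free[0]) for c in range(4)]  # generator with x_free = 1; every solution is a scalar multiple
    for col, k in pivot.items():
        x[col] = -rows[k][free[0]] % n
    return [[x[0], x[1]], [x[2], x[3]]]
```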
3.2 Cayley-Hamilton Attack
The other attack I will present is the original attack presented in [3, pp. 290–292]. It is in fact even more efficient than the attack we just described above. We summarize it briefly now.
The Cayley-Hamilton theorem states that every square matrix over a commutative ring satisfies its own characteristic polynomial. The characteristic polynomial of is the polynomial in the indeterminate , where is an by matrix and is the by identity matrix. When , the characteristic polynomial is quadratic. In this case, as noted in [3, p. 291], it follows that any power of can be expressed as a linear combination of and .
Recall that is a power of and hence is also a power of . So the unknown matrix can be expressed in the form , for scalars and . Since we only have to determine up to a scalar multiple, we can WLOG take , and write (we are ignoring here the unlikely possibility that ). Suppose we substitute this expression for into (2). Then we obtain
Rearranging this, we have
If we compute the two matrices and , we can compare any two corresponding nonzero entries of these two matrices to determine .
Example 2.
We use the same parameters as in Example 1. First we compute
and
From this, we see that
so . Hence,
should be a multiple of . In fact, it can be verified that
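As a further added example (again not the paper's code), the same constructed toy instance with encryption, decryption and the Cayley-Hamilton attack. The scheme is taken as usually stated: δ = γ^{s}, ε = δ^{-1}αδ, κ = δ^{-1}βδ, λ = κμκ, with decryption κ = χ^{-1}ε^{-1}χ and μ = κ^{-1}λκ^{-1}; the attack writes χ' = γ + vI, reads v off any unit entry of γβ - α^{-1}γ = v(α^{-1} - β), and the program checks that χ' decrypts a ciphertext exactly as χ does.

```python
from math import gcd

# Same constructed toy instance as in the linear algebra example (not the paper's own values).
N, CHI, ALPHA, R = 101 * 103, [[2, 3], [5, 7]], [[1, 1], [0, 1]], 7919

def mul(A, B, n=N):  # 2x2 matrix product mod n
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % n for j in range(2)] for i in range(2)]
def inv(A, n=N):  # 2x2 inverse mod n; pow() raises ValueError if det is not a unit mod n
    di = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % n, -1, n)
    return [[A[1][1] * di % n, -A[0][1] * di % n], [-A[1][0] * di % n, A[0][0] * di % n]]
def mpow(A, e, n=N):  # square-and-multiply exponentiation
    P = [[1, 0], [0, 1]]
    while e:
        P, A, e = (mul(P, A, n) if e & 1 else P), mul(A, A, n), e >> 1
    return P

def keygen(chi=CHI, alpha=ALPHA, r=R, n=N):  # public (alpha, beta, gamma), private chi
    beta = mul(mul(inv(chi, n), inv(alpha, n), n), chi, n)  # beta = chi^-1 alpha^-1 chi
    return (alpha, beta, mpow(chi, r, n)), chi               # gamma = chi^r

def encrypt(pub, mu, s, n=N):  # s is the sender's secret exponent
    alpha, beta, gamma = pub
    delta = mpow(gamma, s, n)
    dinv = inv(delta, n)
    eps = mul(mul(dinv, alpha, n), delta, n)      # epsilon = delta^-1 alpha delta
    kappa = mul(mul(dinv, beta, n), delta, n)     # kappa = delta^-1 beta delta
    return eps, mul(mul(kappa, mu, n), kappa, n)  # lambda = kappa mu kappa

def decrypt(chi, ct, n=N):  # any scalar multiple of chi works here, see equation (1)
    eps, lam = ct
    kappa = mul(mul(inv(chi, n), inv(eps, n), n), chi, n)  # chi^-1 epsilon^-1 chi = kappa (chi and delta commute)
    return mul(mul(inv(kappa, n), lam, n), inv(kappa, n), n)  # kappa^-1 lambda kappa^-1 = mu

def cayley_hamilton_attack(pub, n=N):  # chi is in span{gamma, I}: scale so chi' = gamma + v*I and solve (2) for v
    alpha, beta, gamma = pub
    ainv = inv(alpha, n)
    sub = lambda A, B: [[(A[i][j] - B[i][j]) % n for j in range(2)] for i in range(2)]
    L = sub(mul(gamma, beta, n), mul(ainv, gamma, n))  # gamma*beta - alpha^-1*gamma ...
    Rm = sub(ainv, beta)                                  # ... must equal v * (alpha^-1 - beta)
    for i in range(2):
        for j in range(2):
            if gcd(Rm[i][j], n) == 1:  # any unit entry pins down v
                v = L[i][j] * pow(Rm[i][j], -1, n) % n
                return [[(gamma[a][b] + (v if a == b else 0)) % n for b in range(2)] for a in range(2)]
    return None  # no unit entry to divide by; does not happen for generic parameters

def demo(mu=[[11, 22], [33, 44]], s=4242):  # constructed plaintext and sender exponent
    pub, chi = keygen()
    ct = encrypt(pub, mu, s)
    return decrypt(chi, ct) == mu, decrypt(cayley_hamilton_attack(pub), ct) == mu
```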
4 Discussion and Comments
When the Cayley-Purser algorithm was proposed, there was some mathematical analysis provided to justify its security against certain types of attacks [3, pp. 277–283]. There are some interesting mathematical points related to this that I would like to discuss in this section. I will also look briefly at the efficiency of encryption and decryption.
4.1 Security Analysis from [3]
The main possible attack discussed in [3, pp. 277–283] involves trying to use (2) to compute (or a scalar multiple of ). The argument given is that the number of solutions (for ) to (2) is so large that it would be infeasible to distinguish the real value of from the extra “bad” solutions to (2). It is noted that the number of solutions for is equal to , where denotes the centralizer of , i.e., the set of matrices in that commute with . (The actual set of solutions to (2) is a coset of .)
Then, a lower bound on is obtained from the observation that every power of (or, equivalently, every power of ) is an element of the set . Hence, . Then, an analysis of the number of group elements of all possible orders is done, and it is shown that most group elements have order that is close to . Since there are only scalar multiples of the correct , there are many “bad” solutions remaining.
The above-described analysis is correct. But, more precisely, it turns out that it is fairly straightforward to determine the exact number of solutions to (2) using some standard group-theoretic arguments. Note also that the solution space of (2) or (3) contains tuples where the corresponding matrices (4) turn out not to be invertible.
We need some definitions to get started. For now, we confine our attention to for a prime . The following results are found in various standard algebra textbooks, such as Dummit and Foote [2]. Details of these calculations are presented in Mathewson [4].
Two matrices and are similar if for some matrix . (Thus, if (2) holds, then and are similar.) Similarity is an equivalence relation and the equivalence classes under similarity are known as conjugacy classes. The conjugacy class containing is denoted by . It follows from the orbit-stabilizer theorem that
(5) 
for any . Further, it is well-known that
(6) 
Now, it is fairly easy to determine the various conjugacy classes by using the fact that any conjugacy class contains a unique matrix in rational canonical form. The rational canonical forms in have the following possible structures:
case (1)
case (2)
Case 2 further subdivides into three subcases:
case (2a) is not a perfect square in ,
case (2b) in , and
case (2c) is a nonzero perfect square in .
Further, for a given matrix expressed in rational canonical form, it is relatively straightforward to determine . Then can also be determined, from (5) and (6). Table 1 lists the number of conjugacy classes of all possible sizes (note that these results are all given in [4]).
Case  Size of conjugacy class  Number of conjugacy classes 

case (1)  
case (2a)  
case (2b)  
case (2c) 
The Cayley-Purser algorithm lives in . So the relevant sizes of conjugacy classes would be obtained by working modulo and modulo , and then applying the Chinese remainder theorem to derive the sizes of the conjugacy classes in . The vast majority of these conjugacy classes in have size very close to , which indicates that the solution to (2) will be a two-dimensional subspace of .
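The class sizes and the solution count for (2) can be checked by brute force for a tiny prime; the following Python program is an added example (not from the paper or from [4]) that enumerates GL(2,p), verifies (5) for every conjugacy class, tallies the classes by size, and counts the matrices X in GL(2,p) satisfying (2) for a constructed χ and α to confirm that they number exactly |C(β)|. The prime and matrices used are constructed values, and β is again taken as χ^{-1}α^{-1}χ.

```python
from itertools import product

def gl2(p):
    """Every invertible 2x2 matrix over Z_p as a tuple of rows (brute force; fine for tiny p)."""
    return [((a, b), (c, d)) for a, b, c, d in product(range(p), repeat=4) if (a * d - b * c) % p]

def mul(A, B, p):  # 2x2 matrix product mod p
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) % p for j in range(2)) for i in range(2))

def inv(A, p):  # 2x2 inverse mod p (only called on invertible matrices)
    di = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % p, -1, p)
    return ((A[1][1] * di % p, -A[0][1] * di % p), (-A[1][0] * di % p, A[0][0] * di % p))

def class_sizes(p):
    """Map each conjugacy class size of GL(2,p) to the number of classes of that size,
    checking |cl(A)| * |C(A)| = |GL(2,p)| (the orbit-stabilizer relation (5)) for every class."""
    G = gl2(p)
    assert len(G) == (p * p - 1) * (p * p - p)  # |GL(2,p)|
    seen, sizes = set(), {}
    for A in G:
        if A in seen:
            continue
        cl = {mul(mul(inv(X, p), A, p), X, p) for X in G}          # conjugacy class of A
        centralizer = sum(1 for X in G if mul(X, A, p) == mul(A, X, p))
        assert len(cl) * centralizer == len(G)                     # equation (5)
        seen |= cl
        sizes[len(cl)] = sizes.get(len(cl), 0) + 1
    return sizes

def solutions_to_2(chi, alpha, p):
    """Number of X in GL(2,p) with X*beta = alpha^-1*X, next to |C(beta)|: the solutions form the coset chi*C(beta)."""
    G = gl2(p)
    ainv = inv(alpha, p)
    beta = mul(mul(inv(chi, p), ainv, p), chi, p)  # beta = chi^-1 alpha^-1 chi
    sols = sum(1 for X in G if mul(X, beta, p) == mul(ainv, X, p))
    return sols, sum(1 for X in G if mul(X, beta, p) == mul(beta, X, p))
```

For p = 5 the four class sizes 1, 20, 24 and 30 correspond to cases (1), (2a), (2b) and (2c), and a β with distinct eigenvalues has a centralizer of size (p-1)^2 = 16, so (2) has exactly 16 invertible solutions.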
The second possible attack considered in [3] involves trying to determine the private key from the public key . It is known that , where is secret. However, might be chosen from a small range of values (in [3], ). So we might consider trying various values of until the equation can be solved. However, even if is known, it is not easy to solve this equation. For example, consider the special case where and is a scalar multiple of the identity. Solving for is then equivalent in difficulty to extracting square roots in , which is equivalent to factoring . So this particular attack will not succeed.
Of course, these two analyses are not sufficient to establish the security of the Cayley-Purser algorithm. As we saw in the previous section, an attack that utilizes all the public information allows to be computed up to a scalar multiple, which breaks the cryptosystem.
4.2 Efficiency of Encryption and Decryption
We also have a few comments about the efficiency of encryption and decryption in the Cayley-Purser algorithm. One of the attractive features of the Cayley-Purser algorithm is its speed relative to RSA. It is reported in [3, pp. 284–289] that Cayley-Purser encryption and decryption are roughly 20–30 times faster than the comparable RSA operations.
Clearly Cayley-Purser decryption is much faster than RSA decryption, because Cayley-Purser decryption just requires a few fast matrix operations, whereas RSA decryption uses an exponentiation modulo . On the other hand, Cayley-Purser encryption involves exponentiating the matrix , which is an expensive operation. However, there is a trick that can be used to speed up encryption. A careful reading of the Mathematica code that is provided in [3] shows that step 2 of the encryption method is implemented by computing a linear combination of and the identity. Using the Cayley-Hamilton theorem, it can easily be shown that this is a quicker way of obtaining a matrix that is actually a power of . With this modification to the encryption algorithm, no matrix exponentiations are required to encrypt a plaintext.
5 A Variation due to Slavin
In this section, I discuss a variation of the Cayley-Purser algorithm due to Slavin [6]. I am not aware of any analysis of this algorithm in the cryptographic literature. However, it is not difficult to see that it is also insecure.
The following description is from the 2008 U.S. patent [6]. It is clear that this cryptosystem is similar to the Cayley-Purser algorithm in many respects; however, several of the equations have been modified.
Setup: Let , where and are distinct primes. Let be chosen such that . Define . Then choose a secret, random positive integer and let .
The public key consists of .
The private key consists of .
Encryption: Let be the plaintext to be encrypted. The following computations are performed:
1. choose a secret, random positive integer
2. compute
3. compute
4. compute
5. let under some secret-key cryptosystem such as AES.
6. the ciphertext is .
Remark: The value is used as a key in a secret-key cryptosystem. This is different from the Cayley-Purser algorithm, but it does not affect the security of this cryptosystem.
Decryption: Let be the ciphertext to be decrypted. The following computations are performed:
1. compute
2. compute
Using the fact that and commute, it is not difficult to verify that and therefore ; hence, decryption will succeed.
5.1 The Attack
Our attack is based on the following observation from [6].
Lemma 2.
Define and . Then .
Proof.
We compute as follows:
∎
We now describe our attack on Slavin’s cryptosystem. First, note that and can both be computed from public information. Using the two equations and , we can carry out either of the attacks described in Section 3 to compute a scalar multiple of the unknown matrix , say . Thus for some unknown value .
Slavin [6] argues that, unlike the situation in the Cayley-Purser algorithm, it is not sufficient to compute a scalar multiple of . In the Cayley-Purser algorithm, equation (1) allows to be computed by an attacker using any scalar multiple of . On the other hand, in Slavin’s cryptosystem, the “key” . If we replace by a scalar multiple, then the attacker doesn’t obtain the correct value of .
However, an attacker can compute by a slightly different approach. Consider the equation . We can rewrite this as . From this, it is a simple matter to compute . Computing is infeasible unless the factorization of is known; however, it turns out that we do not need to compute .
Finally, consider the equation . We can rewrite this as . Since and are known, the attacker can compute and use it to decrypt the ciphertext .
Thus, the steps in the attack are summarized as follows:
1. Compute and from , and .
2. Compute , where for some unknown value .
3. Use the equation to compute .
4. Given a ciphertext , compute .
5. Use to decrypt .
Observe that steps 1–3 only involve the public key; they only need to be carried out once. Steps 4–5 then allow the decryption of a specific ciphertext; they can be repeated as often as desired, for various ciphertexts.
Example 3.
Suppose and , so . Suppose we define
and
Then
Finally, suppose ; then
The attack begins by computing and :
and
Using the linear algebra attack, the system of linear equations to be solved is
The solution to this system is
Let
Then is an unknown scalar multiple of . However, the attacker can compute
By comparing to , it is easy to see that .
Now suppose a plaintext is encrypted. First, is computed for a random exponent . Suppose that ; then
Then
and
Given , the attacker can compute
which yields the “key” .
6 Final Comments
The Cayley-Purser algorithm was a huge news story in early 1999. However, like many other “broken” cryptosystems, it has been forgotten to a certain extent. I hope that this paper serves to highlight some interesting mathematical techniques that can be used to analyze and break this cryptosystem as well as the later, lesser-known variant that was patented by Slavin in 2008.
References
 [1] Teenager’s email code is a cracker. BBC News, January 13, 1999, http://news.bbc.co.uk/2/hi/science/nature/254236.stm.
 [2] David S. Dummit and Richard M. Foote. Abstract Algebra, Third Edition. Wiley, 2003.
 [3] Sarah Flannery with David Flannery. In Code: A Mathematical Journey. Workman Publishing Company, 2001.
 [4] Lindsey Mathewson. The Class Equation of GL(). Master's Thesis, University of Wisconsin-Milwaukee, 2012.
 [5] Sarah Flannery’s public-key algorithm. Crypto-Gram, December 15, 1999. Schneier on Security, https://www.schneier.com/cryptogram/archives/1999/1215.html.
 [6] Keith R. Slavin. Public Key Cryptography Using Matrices. United States Patent No. US 7,346,162 B2. March 18, 2008.