# A Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later

The purpose of this paper is to describe and analyze the Cayley-Purser algorithm, which is a public-key cryptosystem proposed by Flannery in 1999. I will present two attacks on it, one of which is apparently new. I will also examine a variant of the Cayley-Purser algorithm that was patented by Slavin in 2008, and show that it is also insecure.


## 1 Introduction

When she was only 16 years of age, Sarah Flannery won the EU Young Scientist of the Year Award for 1999. Her project consisted of a proposal of a public-key cryptosystem based on by matrices with entries from , where is the product of two distinct primes and . The cryptosystem she proposed was named the Cayley-Purser algorithm.[^1]

[^1]: The cryptosystem was named after the mathematicians Arthur Cayley and Michael Purser. Flannery [3] states that the Cayley-Purser algorithm was based in part on ideas in an unpublished paper by Michael Purser.

Because this algorithm was faster than the famous RSA public-key cryptosystem, it garnered an incredible amount of press coverage in early 1999; see, for example, the BBC News article [1] published on January 13, 1999. However, at the time of this press coverage, the algorithm had not undergone any kind of serious peer review. Unfortunately, the Cayley-Purser algorithm was shown to be insecure later in 1999, e.g., as reported by Bruce Schneier [5] in December, 1999.

Ms Flannery later wrote an interesting book, entitled In Code: A Mathematical Journey [3], which recounts her experiences relating to her work on the algorithm. The technical description and the analysis of the Cayley-Purser algorithm, as well as an attack on it, are found in [3, Appendix A].

In this paper, I will describe the Cayley-Purser algorithm and two attacks on it, one of which is apparently new. I will also comment a bit on the underlying mathematical theory. Finally, I will examine a variant of the Cayley-Purser algorithm, which was patented in 2008 by Slavin, and show that it is also insecure.

## 2 The Cayley-Purser Algorithm

In this section, we describe the Cayley-Purser algorithm, which is presented in [3, pp. 274–277]. Note that all material in this section is paraphrased from [3].

Setup: Let , where and are large distinct primes. (We assume that it is infeasible to factor .) denotes the by invertible matrices with entries from . Let be chosen such that . Define . Then choose a secret, random positive integer and let .

The public key consists of .

The private key consists of .

Encryption: Let be the plaintext to be encrypted. The following computations are performed:

1. choose a secret, random positive integer

2. compute

3. compute

4. compute

5. compute

6. the ciphertext is .

Decryption: Let be the ciphertext to be decrypted. The following computations are performed:

1. compute (note: )

2. compute

Observe that the factorization is not needed in order to decrypt ciphertexts; the matrix is all that is required.

The correctness of the decryption process is easy to show.

###### Theorem 1.

[3] If the ciphertext is an encryption of the plaintext , then the decryption of yields .

###### Proof.

First we show that :

$$\begin{aligned}
LK &= (C^{-1}EC)(D^{-1}BD) && \text{substituting for } L \text{ and } K\\
   &= C^{-1}(D^{-1}AD)CD^{-1}BD && \text{substituting for } E\\
   &= D^{-1}C^{-1}ACDD^{-1}BD && \text{because } C \text{ and } D \text{ commute}\\
   &= D^{-1}C^{-1}ACBD && \text{cancelling } DD^{-1}\\
   &= D^{-1}B^{-1}BD && \text{because } B^{-1}=C^{-1}AC\\
   &= I.
\end{aligned}$$

Then it is easy to verify that

$$LYL = K^{-1}YK^{-1} = X.$$

## 3 Two Attacks

The basis of the two attacks we will describe is the observation from [3, p. 290] that any scalar multiple can be used in place of in the decryption process. This is easy to see, because

$$(\mu C)^{-1}E(\mu C) = C^{-1}EC. \tag{1}$$

Therefore, using in step 1 of the decryption process still results in the correct value of being computed.

Thus, it is sufficient for an attacker to compute up to a scalar multiple. This will allow any ciphertext to be decrypted, since the factorization is not required in order to be able to decrypt ciphertexts.

### 3.1 Linear Algebra Attack

The attack described in this section is very simple but apparently new. It turns out to be straightforward to construct the private key (or a scalar multiple ) directly from the public key by solving a certain system of linear equations in . We make use of the following two equations involving :

$$CB = A^{-1}C \tag{2}$$

and

$$CG = GC \tag{3}$$

Note that (2) follows from the formula . It is also clear that (3) holds because is a power of and hence and commute.

We observe that (2) and (3) are sufficient to compute , up to a scalar multiple, by solving a system of linear equations in . In these equations, and are known matrices and we are trying to determine . Let

$$C = \begin{pmatrix} a & b \\ c & d \end{pmatrix}, \tag{4}$$

where . Then (2) and (3) each yield four homogeneous linear equations (in ) in the four unknowns . The solution space of (2) is a -dimensional subspace of , as is the solution space of (3). However, when we solve all eight equations simultaneously, we get precisely the scalar multiples of (i.e., the solution space is a -dimensional subspace of ).

We will justify the statements made above in the next section. For now, we illustrate the attack with a toy example.

###### Example 1.

Suppose and , so . Suppose we define

$$A = \begin{pmatrix} 16807 & 19399 \\ 7483 & 18143 \end{pmatrix}$$

and

$$C = \begin{pmatrix} 2910 & 1657 \\ 5341 & 24803 \end{pmatrix}.$$

Then

$$B = \begin{pmatrix} 11947 & 1712 \\ 4630 & 14946 \end{pmatrix}.$$

Finally, suppose ; then

$$G = \begin{pmatrix} 1438 & 1433 \\ 20759 & 24068 \end{pmatrix}.$$

The system of linear equations to be solved (the four equations from (2) followed by the four from (3)) is

$$\begin{pmatrix}
24034 & 4630 & 19287 & 0\\
1712 & 27033 & 0 & 19287\\
9570 & 0 & 1724 & 4630\\
0 & 9570 & 1712 & 4723\\
0 & 20759 & 27324 & 0\\
1433 & 22630 & 0 & 27324\\
7998 & 0 & 6127 & 20759\\
0 & 7998 & 1433 & 0
\end{pmatrix}
\begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix}
=
\begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}.$$

The solution to this system is

$$(a,b,c,d) = \mu\,(28365, 13928, 25231, 28756).$$

It is straightforward to verify that this solution space indeed consists of all the scalar multiples of .

### 3.2 Cayley-Hamilton Attack

The other attack I will present is the original attack presented in [3, pp. 290–292]. It is in fact even more efficient than the attack we just described above. We summarize it briefly now.

The Cayley-Hamilton theorem states that every square matrix over a commutative ring satisfies its own characteristic polynomial. The characteristic polynomial of is the polynomial in the indeterminate , where is an by matrix and is the by identity matrix. When , the characteristic polynomial is quadratic. In this case, as noted in [3, p. 291], it follows that any power of can be expressed as a linear combination of and .

Recall that is a power of and hence is also a power of . So the unknown matrix can be expressed in the form , for scalars and . Since we only have to determine up to a scalar multiple, we can WLOG take , and write (we are ignoring here the unlikely possibility that ). Suppose we substitute this expression for into (2). Then we obtain

$$(\alpha I_2 + G)B = A^{-1}(\alpha I_2 + G).$$

Rearranging this, we have

$$\alpha(B - A^{-1}) = A^{-1}G - GB.$$

If we compute the two matrices and , we can compare any two corresponding nonzero entries of these two matrices to determine .

###### Example 2.

We use the same parameters as in Example 1. First we compute

$$B - A^{-1} = \begin{pmatrix} 24034 & 20999 \\ 14200 & 4723 \end{pmatrix}$$

and

$$A^{-1}G - GB = \begin{pmatrix} 17977 & 4614 \\ 25427 & 10780 \end{pmatrix}.$$

From this, we see that

$$28534\,(B - A^{-1}) = A^{-1}G - GB,$$

so . Hence,

$$28534\,I_2 + G = \begin{pmatrix} 1215 & 1433 \\ 20759 & 23845 \end{pmatrix}$$

should be a multiple of . In fact, it can be verified that

$$\begin{pmatrix} 1215 & 1433 \\ 20759 & 23845 \end{pmatrix} = 5485\,C.$$
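As an added illustration (not code from the paper), the following Python models Cayley-Purser key generation, encryption and decryption on 2 × 2 matrices over Z_n, then runs the Cayley-Hamilton attack of this section: it solves α(B − A⁻¹) = A⁻¹G − GB for α entry-wise, exactly as Example 2 does by hand, and decrypts with αI₂ + G in place of C. The toy primes p = 1009, q = 1013, the helper names, and the random keys are all my own constructions.

```python
import random
from math import gcd
I2 = ((1, 0), (0, 1))
def mmul(X, Y, n):                            # 2x2 product mod n (row-major tuples)
    (a, b), (c, d), (e, f), (g, h) = X + Y
    return ((a*e + b*g) % n, (a*f + b*h) % n), ((c*e + d*g) % n, (c*f + d*h) % n)
def minv(X, n):                               # 2x2 inverse mod n; ValueError if det is not a unit
    (a, b), (c, d) = X
    di = pow((a*d - b*c) % n, -1, n)
    return ((d*di) % n, (-b*di) % n), ((-c*di) % n, (a*di) % n)
def mpow(X, e, n):                            # X^e by repeated multiplication (small e only)
    R = I2
    for _ in range(e):
        R = mmul(R, X, n)
    return R
def conj(P, X, n):                            # P^-1 X P mod n
    return mmul(mmul(minv(P, n), X, n), P, n)
def rand_invertible(rng, n):
    while True:
        X = tuple(tuple(rng.randrange(n) for _ in range(2)) for _ in range(2))
        if gcd((X[0][0]*X[1][1] - X[0][1]*X[1][0]) % n, n) == 1:
            return X
def keygen(rng, n):
    A, C = rand_invertible(rng, n), rand_invertible(rng, n)
    B = conj(C, minv(A, n), n)                # B = C^-1 A^-1 C
    G = mpow(C, rng.randrange(2, 64), n)      # G = C^r for a secret r
    return (A, B, G), C                       # (public key, private key)
def encrypt(pub, X, rng, n):
    A, B, G = pub
    D = mpow(G, rng.randrange(2, 64), n)      # D = G^t for a secret t
    E, K = conj(D, A, n), conj(D, B, n)       # E = D^-1 A D,  K = D^-1 B D
    return E, mmul(mmul(K, X, n), K, n)       # ciphertext (E, Y) with Y = K X K
def decrypt(C, ct, n):                        # also works with any unit multiple of C
    E, Y = ct
    L = conj(C, E, n)                         # L = C^-1 E C = K^-1
    return mmul(mmul(L, Y, n), L, n)          # X = L Y L
def recover_key(pub, n):
    # Cayley-Hamilton attack: C is (up to a scalar) alpha*I + G, and CB = A^-1 C
    # gives alpha*(B - A^-1) = A^-1 G - G B; any unit entry of B - A^-1 fixes alpha.
    A, B, G = pub
    Ai = minv(A, n)
    AiG, GB = mmul(Ai, G, n), mmul(G, B, n)
    for i, j in ((0, 0), (0, 1), (1, 0), (1, 1)):
        l = (B[i][j] - Ai[i][j]) % n
        if gcd(l, n) == 1:
            alpha = (AiG[i][j] - GB[i][j]) * pow(l, -1, n) % n
            return ((alpha + G[0][0]) % n, G[0][1]), (G[1][0], (alpha + G[1][1]) % n)
    raise ValueError("degenerate key: B - A^-1 has no unit entry")
def demo(seed=7, n=1009 * 1013):              # toy n = p*q; all values here are constructed
    rng = random.Random(seed)
    pub, C = keygen(rng, n)
    X = tuple(tuple(rng.randrange(n) for _ in range(2)) for _ in range(2))  # plaintext
    ct = encrypt(pub, X, rng, n)
    C_hat = recover_key(pub, n)               # derived from the public key alone
    return decrypt(C, ct, n) == X, decrypt(C_hat, ct, n) == X
```

`demo()` returns `(True, True)`: the legitimate key and the attacker's recovered multiple of C both decrypt the same ciphertext, which is the whole point of the attack. Note that the attacker never factors n.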

When the Cayley-Purser algorithm was proposed, there was some mathematical analysis provided to justify its security against certain types of attacks [3, pp. 277–283]. There are some interesting mathematical points related to this that I would like to discuss in this section. I will also look briefly at the efficiency of encryption and decryption.

### 4.1 Security Analysis from [3]

The main possible attack discussed in [3, pp. 277–283] involves trying to use (2) to compute (or a scalar multiple of ). The argument given is that the number of solutions (for ) to (2) is so large that it would be infeasible to distinguish the real value of from the extra “bad” solutions to (2). It is noted that the number of solutions for is equal to , where denotes the centralizer of , i.e., the set of matrices in that commute with . (The actual set of solutions to (2) is a coset of .)

Then, a lower bound on is obtained from the observation that every power of (or, equivalently, every power of ) is an element of the set . Hence, . Then, an analysis of the number of group elements of all possible orders is done, and it is shown that most group elements have order that is close to . Since there are only scalar multiples of the correct , there are many “bad” solutions remaining.

The above-described analysis is correct. But, more precisely, it turns out that it is fairly straightforward to determine the exact number of solutions to (2) using some standard group theoretic arguments. Note also that the solution space of (2) or (3) contains tuples where the corresponding matrices (4) turn out not to be invertible.

We need some definitions to get started. For now, we confine our attention to for a prime . The following results are found in various standard algebra textbooks, such as Dummit and Foote [2]. Details of these calculations are presented in Mathewson [4].

Two matrices and are similar if for some matrix . (Thus, if (2) holds, then and are similar.) Similarity is an equivalence relation and the equivalence classes under similarity are known as conjugacy classes. The conjugacy class containing is denoted by . It follows from the orbit-stabilizer theorem that

$$|GL(2,q)| = |C_{GL(2,n)}(A)| \cdot |\mathrm{conj}(A)| \tag{5}$$

for any . Further, it is well-known that

$$|GL(2,q)| = (q^2 - 1)(q^2 - q). \tag{6}$$

Now, it is fairly easy to determine the various conjugacy classes by using the fact that any conjugacy class contains a unique matrix in rational canonical form. The rational canonical forms in have the following possible structures:

case (1)

$$\begin{pmatrix} a & 0 \\ 0 & a \end{pmatrix}.$$

case (2)

$$\begin{pmatrix} 0 & b \\ 1 & c \end{pmatrix}.$$

Case 2 further subdivides into three subcases:

case (2a)

is not a perfect square in ,

case (2b)

in , and

case (2c)

is a nonzero perfect square in .

Further, for a given matrix expressed in rational canonical form, it is relatively straightforward to determine . Then can also be determined, from (5) and (6). Table 1 lists the number of conjugacy classes of all possible sizes (note that these results are all given in [4]).

The Cayley-Purser algorithm lives in . So the relevant sizes of conjugacy classes would be obtained by working modulo and modulo , and then applying the Chinese remainder theorem to derive the sizes of the conjugacy classes in . The vast majority of these conjugacy classes in have size very close to , which indicates that the solution to (2) will be a two-dimensional subspace of .

The second possible attack considered in [3] involves trying to determine the private key from the public key . It is known that , where is secret. However, might be chosen from a small range of values (in [3], ). So we might consider trying various values of until the equation can be solved. However, even if is known, it is not easy to solve this equation. For example, consider the special case where and is a scalar multiple of the identity. Solving for is then equivalent in difficulty to extracting square roots in , which is equivalent to factoring . So this particular attack will not succeed.

Of course, these two analyses are not sufficient to establish the security of the Cayley-Purser algorithm. As we saw in the previous section, an attack that utilizes all the public information allows to be computed up to a scalar multiple, which breaks the cryptosystem.

### 4.2 Efficiency of Encryption and Decryption

We also have a few comments about the efficiency of encryption and decryption in the Cayley-Purser algorithm. One of the attractive features of the Cayley-Purser algorithm is its speed relative to RSA. It is reported in [3, pp. 284–289] that Cayley-Purser encryption and decryption is roughly 20–30 times faster than the comparable RSA operations.

Clearly Cayley-Purser decryption is much faster than RSA decryption, because Cayley-Purser decryption just requires a few fast matrix operations, whereas RSA decryption uses an exponentiation modulo . On the other hand, Cayley-Purser encryption involves exponentiating the matrix , which is an expensive operation. However, there is a trick that can be used to speed up encryption. A careful reading of the Mathematica code that is provided in [3] shows that step 2 of the encryption method is implemented by computing a linear combination of and the identity. Using the Cayley-Hamilton theorem, it can easily be shown that this is a quicker way of obtaining a matrix that is actually a power of . With this modification to the encryption algorithm, no matrix exponentiations are required to encrypt a plaintext.

## 5 A Variation due to Slavin

In this section, I discuss a variation of the Cayley-Purser algorithm due to Slavin [6]. I am not aware of any analysis of this algorithm in the cryptographic literature. However, it is not difficult to see that it is also insecure.

The following description is from the 2008 U.S. patent [6]. It is clear that this cryptosystem is similar to the Cayley-Purser algorithm in many respects; however, several of the equations have been modified.

Setup: Let , where and are distinct primes. Let be chosen such that . Define . Then choose a secret, random positive integer and let .

The public key consists of .

The private key consists of .

Encryption: Let be the plaintext to be encrypted. The following computations are performed:

1. choose a secret, random positive integer

2. compute

3. compute

4. compute

5. let under some secret-key cryptosystem such as AES.

6. the ciphertext is .

Remark: The value is used as a key in a secret-key cryptosystem. This is different from the Cayley-Purser algorithm, but it does not affect the security of this cryptosystem.

Decryption: Let be the ciphertext to be decrypted. The following computations are performed:

1. compute

2. compute

Using the fact that and commute, it is not difficult to verify that and therefore ; hence, decryption will succeed.

### 5.1 The Attack

Our attack is based on the following observation from [6].

###### Lemma 2.

Define and . Then .

###### Proof.

We compute as follows:

$$\begin{aligned}
CNC^{-1} &= C(AGA^{-1})C^{-1} && \text{substituting for } N\\
         &= CACC^{-1}GCC^{-1}A^{-1}C^{-1} && \text{inserting } CC^{-1} \text{ twice}\\
         &= BC^{-1}GCB^{-1} && \text{because } B = CAC\\
         &= BGC^{-1}CB^{-1} && \text{because } G \text{ and } C \text{ commute}\\
         &= BGB^{-1} && \text{cancelling } C^{-1}C\\
         &= M.
\end{aligned}$$

We now describe our attack on Slavin’s cryptosystem. First, note that and can both be computed from public information. Using the two equations and , we can carry out either of the attacks described in Section 3 to compute a scalar multiple of the unknown matrix , say . Thus for some unknown value .

Slavin [6] argues that, unlike the situation in the Cayley-Purser algorithm, it is not sufficient to compute a scalar multiple of . In the Cayley-Purser algorithm, equation (1) allows to be computed by an attacker using any scalar multiple of . On the other hand, in Slavin’s cryptosystem, the “key” . If we replace by a scalar multiple, then the attacker doesn’t obtain the correct value of .

However, an attacker can compute by a slightly different approach. Consider the equation . We can rewrite this as . From this, it is a simple matter to compute . Computing is infeasible unless the factorization of is known; however, it turns out that we do not need to compute .

Finally, consider the equation . We can rewrite this as . Since and are known, the attacker can compute and use it to decrypt the ciphertext .

Thus, the steps in the attack are summarized as follows:

1. Compute and from , and .

2. Compute , where for some unknown value .

3. Use the equation to compute .

4. Given a ciphertext , compute .

5. Use to decrypt .

Observe that steps 1–3 only involve the public key; they only need to be carried out once. Steps 4–5 then allow the decryption of a specific ciphertext; they can be repeated as often as desired, for various ciphertexts.

###### Example 3.

Suppose and , so . Suppose we define

$$A = \begin{pmatrix} 16807 & 38390 \\ 17333 & 21788 \end{pmatrix}$$

and

$$C = \begin{pmatrix} 10106 & 10420 \\ 27722 & 27626 \end{pmatrix}.$$

Then

$$B = \begin{pmatrix} 17590 & 36066 \\ 32833 & 33331 \end{pmatrix}.$$

Finally, suppose ; then

$$G = \begin{pmatrix} 11303 & 17971 \\ 5315 & 18194 \end{pmatrix}.$$

The attack begins by computing and :

$$M = BGB^{-1} = \begin{pmatrix} 18545 & 20365 \\ 25987 & 10952 \end{pmatrix}$$

and

$$N = AGA^{-1} = \begin{pmatrix} 37716 & 5184 \\ 18941 & 30360 \end{pmatrix}.$$

Using the linear algebra attack, the system of linear equations to be solved is

$$\begin{pmatrix}
19171 & 18941 & 18214 & 0\\
5184 & 11815 & 0 & 18214\\
12592 & 0 & 26764 & 18941\\
0 & 12592 & 5184 & 19408\\
0 & 5315 & 20608 & 0\\
17971 & 6891 & 0 & 20608\\
33264 & 0 & 31688 & 5315\\
0 & 33264 & 17971 & 0
\end{pmatrix}
\begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix}
=
\begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}.$$

The solution to this system is

$$(a,b,c,d) = \mu\,(12688, 23061, 22337, 38578).$$

Let

$$C' = \begin{pmatrix} 12688 & 23061 \\ 22337 & 38578 \end{pmatrix}.$$

Then is an unknown scalar multiple of . However, the attacker can compute

$$C'AC' = \begin{pmatrix} 27011 & 27739 \\ 26956 & 8680 \end{pmatrix}.$$

By comparing to , it is easy to see that .

Now suppose a plaintext is encrypted. First, is computed for a random exponent . Suppose that ; then

$$D = \begin{pmatrix} 18776 & 31218 \\ 20617 & 22838 \end{pmatrix}.$$

Then

and

$$K = DBD = \begin{pmatrix} 33935 & 21771 \\ 36280 & 7314 \end{pmatrix}.$$

Given , the attacker can compute

$$\mu^2 C'EC' = \begin{pmatrix} 33935 & 21771 \\ 36280 & 7314 \end{pmatrix},$$

which yields the “key” .