The REESSE2+ Public-key Encryption Scheme


Authors: Shenghui Su, Shuwang Lv

Abstract: This paper gives the definitions of an anomalous super-increasing sequence and an anomalous subset sum separately, proves the two properties of an anomalous super-increasing sequence, and proposes the REESSE2+ public-key encryption scheme, which includes the three algorithms for key generation, encryption and decryption. The paper discusses the necessity and sufficiency of the lever function for preventing the Shamir extremum attack, analyzes the security of REESSE2+ against extracting a private key from a public key through exhaustive search, recovering a plaintext from a ciphertext plus a knapsack of high density through the $L^3$ lattice basis reduction method, and heuristically obtaining a plaintext through the meet-in-the-middle attack or the adaptive-chosen-ciphertext attack. The authors evaluate the time complexity of the REESSE2+ encryption and decryption algorithms, compare REESSE2+ with ECC and NTRU, and find that the encryption speed of REESSE2+ is ten thousand times faster than ECC and NTRU bearing the equivalent security, and the decryption speed of REESSE2+ is roughly equivalent to ECC and NTRU respectively.

Keywords: Knapsack density, Encryption algorithm, Lever function, Multivariate cryptosystem, Anomalous super-increasing sequence, Anomalous subset sum, Security, Time complexity

I. INTRODUCTION

Merkle and Hellman proposed a public-key cryptosystem based on the knapsack problem [1] in 1978, the second year after Diffie and Hellman had delivered their pioneering paper "New Directions in Cryptography" [2]. Let $\{a_1, \dots, a_n\}$ be a positive integer sequence; if $a_i$ satisfies $a_i > \sum_{j=1}^{i-1} a_j$ for $i = 2, \dots, n$, then $\{a_1, \dots, a_n\}$ is called a super-increasing sequence. Any positive integer sequence $\{c_1, \dots, c_n\}$ may be called a knapsack. Especially, in the MH scheme, $\{c_1, \dots, c_n \mid c_i \equiv a_i W \ (\% M)\}$ is a public key, where $M > \sum_{i=1}^{n} a_i$ is a modulus, and $W < M$ is a transform parameter.
Assume that the integers $x_1, \dots, x_n \in [0, 1]$ are a plaintext and the subset sum $y \equiv \sum_{i=1}^{n} c_i x_i \ (\% M)$ is a ciphertext; then how to solve $\{x_1, \dots, x_n\}$ from $y \equiv \sum_{i=1}^{n} c_i x_i \ (\% M)$ is called the knapsack problem. The super-increasing sequence $\{a_1, \dots, a_n\}$ has the weakness that $a_{i+1}$ is roughly double $a_i$. Shamir, one of the inventors of the RSA cryptosystem [3], grasped this weakness and in 1982 extracted a related private key from a public key in polynomial time through the convergence of infinitesimal points [4]. Extracting the private key is the most radical break, which means that a related plaintext can be recovered from a ciphertext at the same time. It has been proved that the subset sum problem is NP-complete (NPC for short) [5], but when $D$ is less than 0.6463 and even 0.9408, a related plaintext can be recovered from a ciphertext through procedures calling the $L^3$ algorithm [6][7][8], where $D = n / \log_2 \max_{1 \le i \le n}\{c_i\} \approx$ (bit-size of a plaintext) / (bit-size of a ciphertext) is called a sequence density or a knapsack density [6][7][8]. It is the $L^3$ algorithm that constructs a reduced basis of a lattice by the Gram-Schmidt orthogonalization principle and seeks the shortest or an approximately shortest nonzero vector in the lattice [9]. In 1995, Schnorr and Hörner put forward an improved lattice basis reduction algorithm using pruned enumeration [10], which is able to crack some implementations of the Chor-Rivest cryptosystem with high densities [11], a challenging scheme with $n = 103$ and $D = 1.271$ for example.

Manuscript received December 28, 2007. Shenghui Su is with the College of Computers, Beijing University of Technology, Beijing 100124, P. R. China (e-mail: reesse@126.com). Shuwang Lü is with the School of Graduate, Chinese Academy of Sciences, Beijing 100039, P. R. China (e-mail: swlu@ustc.edu.cn).
In 1996, Ritter gave a new combination of the $L^3$ algorithm and pruned enumeration for the $l_\infty$-norm shortest vector [12], through which the Orton public-key cryptosystem [13] involving compact knapsacks with $1 < D < 2$ was broken. What is a compact knapsack? When $a_i > (2^k - 1)\sum_{j=1}^{i-1} a_j$ for $i = 2, \dots, n$, where $k \ge 2$ is an integer, $\{c_1, \dots, c_n \mid c_i = \mathrm{pub}(a_i)\}$ is called a compact knapsack. Correspondingly, the plaintext $x_1, \dots, x_n \in [0, 2^k - 1]$, and the density $D = nk / \log_2 \max_{1 \le i \le n}\{c_i\}$.

In this paper, we propose a new public-key cryptosystem called REESSE2+, with $D \ge (n + 1)/4$, based on the lever function, an anomalous super-increasing sequence and an anomalous subset sum. It is not the successor of REESSE1+, but another application of the lever function; we design REESSE2+ not because REESSE1+ has any hidden security trouble, but because REESSE2+ has a smaller modulus and is more suitable for embedded or mobile CPUs.

Section II of the paper gives the definitions of an anomalous super-increasing sequence and an anomalous subset sum, and proves the two properties of an anomalous super-increasing sequence. Section III describes in detail the REESSE2+ scheme, which contains 3 algorithms for a key pair, encryption and decryption as well as owning 5 characteristics, proves the correctness of decryption, and analyzes the nonuniqueness of a plaintext solution to a ciphertext, which occurs with an extremely tiny probability. Section IV discusses the necessity and sufficiency of the lever function, which involves the Shamir attack with $\ell(\cdot)$ retrogressing to a constant, the ineffectiveness of the minimum point method with $\ell(\cdot)$ being injective, and the relation between the lever function and a random oracle.
Section V expounds the security of REESSE2+ against extracting a private key from a public key, recovering a plaintext from a ciphertext plus a public key, and seeking a plaintext through meet-in-the-middle attacks or adaptive-chosen-ciphertext attacks, and argues that solving subset sums is restricted by the NPC class and by the length and density of a sequence, that the density of a public key in REESSE2+ is in linear proportion to the length, and that the cost of reducing ciphertexts via the $L^3$ lattice basis is not negligible. Section VI analyzes the time complexities of REESSE2+ encryption and decryption, compares REESSE2+ in lengths and speeds with ECC and NTRU bearing matchable security, and points out the advantages of REESSE2+ over ECC and NTRU by the data listed. ECC is the ElGamal analogue in an elliptic curve group [14].

Throughout the paper, we stipulate that $n \ge 120$, the sign '%' means 'modulo', 'gcd' represents the greatest common divisor, and 'log' denotes a logarithm to the base 2.

II. AN ANOMALOUS SUPER-INCREASING SEQUENCE AND AN ANOMALOUS SUBSET SUM

Definition 1: For $n$ positive integers $A_1, A_2, \dots, A_n$, if every $A_i$ satisfies $A_i > \sum_{j=1}^{i-1} (i - j) A_j$, where $i > 1$, then this series of integers is called an anomalous super-increasing sequence, denoted by $\{A_1, \dots, A_n\}$, or $\{A_i\}$ for short.

Definition 2: Assume that $b_1 \dots b_n$ with every $b_i \in [0, 1]$ is a plaintext block, $\{X_1, \dots, X_n\}$ is a sequence or set, and $E$ satisfies $E \equiv \sum_{i=1}^{n} X_i b_i L_i$, where $L_i = \sum_{j=i}^{n} b_j$. Then $E$ is called an anomalous subset sum.

Notice that in Definition 2, $\{X_1, \dots, X_n\}$ is not required to be an anomalous super-increasing sequence.

Assume that the $i$-th bit of the plaintext block $b_1 \dots b_n$ is 1 or 0, and all the bits after the $i$-th are 0. According to Definition 1, obviously if $E > A_i$, then $b_i = 1$. If the bit-string after the $i$-th bit contains $k$ 1-bits, and $E > (k + 1) A_i$, is $b_i = 1$ still?
Property 1: Assume that $\{A_1, \dots, A_n\}$ is an anomalous super-increasing sequence. Then, for $i > 1$ and any positive integer $k$, $(k + 1) A_i > \sum_{j=1}^{i-1} (k + i - j) A_j$.

Proof. Because $\{A_1, \dots, A_n\}$ is an anomalous super-increasing sequence, we have $A_i > \sum_{j=1}^{i-1} (i - j) A_j$ for $i = 2, \dots, n$. That is,

$$A_i > (i - 1) A_1 + (i - 2) A_2 + \dots + A_{i-1}. \quad (1)$$

It is easily inferred from (1) that

$$A_i > A_1 + A_2 + \dots + A_{i-1}. \quad (2)$$

Multiplying either side of (2) by $k$ makes

$$k A_i > k A_1 + k A_2 + \dots + k A_{i-1}. \quad (3)$$

Adding (3) to (1) yields $k A_i + A_i > (k + i - 1) A_1 + (k + i - 2) A_2 + \dots + (k + 1) A_{i-1}$, which is written shortly as $(k + 1) A_i > \sum_{j=1}^{i-1} (k + i - j) A_j$. □

By Property 1, when the anomalous subset sum $E > (k + 1) A_i$, $b_i = 1$.

Property 2: For any positive integer $m \le n$, if we randomly select $m$ elements from the anomalous super-increasing sequence $\{A_i\}$ and construct a subset $\{A_{x_1}, \dots, A_{x_m}\}$ in original order, the anomalous subset sum $E = m A_{x_1} + (m - 1) A_{x_2} + \dots + A_{x_m}$ is uniquely determined, that is, the mapping from $E$ to $\{A_{x_1}, \dots, A_{x_m}\}$ is one-to-one.

Proof. By contradiction. Presume that $E$ is acquired from two different incompatible subsequences $\{A_{x_1}, \dots, A_{x_m}\}$ and $\{A_{y_1}, \dots, A_{y_h}\}$. Incompatibility means that $\{A_{x_1}, \dots, A_{x_m}\} \not\subset \{A_{y_1}, \dots, A_{y_h}\}$ and $\{A_{y_1}, \dots, A_{y_h}\} \not\subset \{A_{x_1}, \dots, A_{x_m}\}$. Then

$$E = m A_{x_1} + (m - 1) A_{x_2} + \dots + A_{x_m} = h A_{y_1} + (h - 1) A_{y_2} + \dots + A_{y_h}.$$

First, observe $A_{x_m}$ and $A_{y_h}$. If $A_{x_m} = A_{y_h}$, continue to observe $A_{x_{m-1}}$ and $A_{y_{h-1}}$. Without loss of generality, let $A_{x_{m-k}} \ne A_{y_{h-k}}$ and the subscript $x_{m-k} > y_{h-k}$. In terms of Definition 1 and Property 1, we have $(k + 1) A_{x_{m-k}} > h A_{y_1} + (h - 1) A_{y_2} + \dots + (k + 1) A_{y_{h-k}}$, which indicates that $m A_{x_1} + (m - 1) A_{x_2} + \dots + A_{x_m} \ne h A_{y_1} + (h - 1) A_{y_2} + \dots + A_{y_h}$. This is in direct contradiction to the presumption.
Therefore, the mapping relation between $E$ and $\{A_{x_1}, \dots, A_{x_m}\}$ is one-to-one. □

Definition 3: In a public key cryptosystem, the parameter $\ell(i)$ in the key transform is called the lever function if it has the following features [15]:
• $\ell(\cdot)$ is an injection from integers to integers; its domain is $[1, n]$, and its codomain $[1, M)$. Let $Ł_n$ represent the collection of all injections from the domain to the codomain; then $\ell(\cdot) \in Ł_n$ and $|Ł_n| \ge A_n^n = n(n - 1) \cdots 1$.
• The mapping between $i$ and $\ell(i)$ is established randomly without an analytical formula, so every time a public key is generated, the function $\ell(\cdot)$ is distinct.
• There does not exist any dominant or special mapping from $\ell(\cdot)$ to a public key.
• An attacker has to consider all the arrangements of the sequence $\{\ell(i) \mid i = 1, \dots, n\}$ when extracting a related private key from a public key. Thus, if $n$ is large enough, it is infeasible for the attacker to search the arrangements exhaustively.
• A receiver owning a private key only needs to consider the linear or square accumulative sum of the sequence $\{\ell(i)\}$ when recovering a related plaintext from a ciphertext. Thus the time complexity of decryption is polynomial in $n$, and decryption is feasible.

Obviously, there is a large amount of calculation on $\ell(\cdot)$ at 'a public terminal', and a small amount of calculation on $\ell(\cdot)$ at 'a private terminal'.

III. DESIGN OF THE REESSE2+ ENCRYPTION SCHEME

A. The Key Generation Algorithm

This algorithm is employed by a third-party authority. Every user is given a pair of keys.
S1: Randomly generate an anomalous super-increasing sequence $\{A_1, \dots, A_n\}$ with every $A_i$ being even.
S2: Find an integer $M$ making $M > \sum_{i=1}^{n} (n + 1 - i) A_i$ and $1.585 n \le \log M \le 2n$.
S3: Pick integers $W, Z < M$ meeting $\gcd(W, M) = 1$ and $M / \gcd(M, Z) \approx n^3 2^{n/2}$. Calculate $W^{-1}$ by $W W^{-1} \equiv 1 \ (\% M)$ and $-Z$ by $Z + (-Z) \equiv 0 \ (\% M)$.
S4: Produce pairwise distinct values $\ell(1), \dots, \ell(n) \in \Omega = \{5, \dots, n + 4\}$ at will.
S5: Compute the sequence $\{C_1, \dots, C_n \mid C_i \leftarrow (A_i + Z \ell(i)) W \ \% M\}$.
At last, the public key is $(\{C_i\}, M)$, the private key is $(\{A_i\}, W^{-1}, -Z, M)$, and $\{\ell(i)\}$ is discarded.

Clearly, when $Z = 0$, the REESSE2+ transform retrogresses to the MH transform. Letting $\Omega = \{5, \dots, n + 4\}$ is to keep conformity with the REESSE1+ cryptosystem [15]. In fact, $\Omega$ may take other values, $\Omega = \{1, \dots, n\}$ for example. The principles for selecting $\Omega$ are that 1) $\ell(i) \ge 1$; 2) the elements of $\Omega$ are pairwise distinct; 3) the decryption time complexity does not exceed $O(n^3)$ arithmetic steps.

When we generate $\{A_1, \dots, A_n\}$, let every $A_i$ be slightly greater than $\sum_{j=1}^{i-1} (i - j) A_j$ for $i > 2$, lest $\log M$ be too large. In this way, $A_i > \sum_{j=1}^{i-1} (i - j) A_j$ may be regarded as $A_i \approx \sum_{j=1}^{i-1} (i - j) A_j$. Further,

$$A_{i+1} > \sum_{j=1}^{i} (i + 1 - j) A_j = i A_1 + (i - 1) A_2 + \dots + A_i = ((i - 1) A_1 + (i - 2) A_2 + \dots + A_{i-1}) + (A_1 + A_2 + \dots + A_{i-1}) + A_i \approx A_i + A_i + (A_1 + A_2 + \dots + A_{i-1}).$$

Similarly, since $A_{i+1}$ is only slightly greater than $\sum_{j=1}^{i} (i + 1 - j) A_j$, it is not difficult to understand that $A_{i+1} \approx A_i + A_i + (A_1 + A_2 + \dots + A_{i-1})$. Therefore, when $i > 2$ and $A_i$ is slightly greater than $\sum_{j=1}^{i-1} (i - j) A_j$, we see $2 A_i < A_{i+1} \le 3 A_i$, namely $2 < A_{i+1} / A_i \le 3$. As two exceptions, when $i = 1$, $1 < A_{i+1} / A_i \le 3$, and when $i = 2$, $2 \le A_{i+1} / A_i \le 3$. For example, there are the sequences $\{2, 3, 8, \dots\}$ and $\{2, 5, 10, \dots\}$. Moreover, thanks to the existence of $Z$, $A_1$ is allowed to take a small value. For example, let $n = 6$ and $\{A_1, \dots, A_6\} = \{1, 2, 5, 13, 34, 89\}$; then $A_6 / A_5 \approx 2.6176$, $A_5 / A_4 \approx 2.6153$, $A_4 / A_3 \approx 2.6$, and $A_3 / A_2 \approx 2.5$.
Additionally, $\{3^0, 3^1, \dots, 3^{n-1}\}$ with $M = 3^n$ is evidently an anomalous super-increasing sequence, and $\log M = \log 3^n \approx \log 2^{1.585 n} \approx 1.585 n$, which indicates that the condition $\log M \le 2n$ at step S2 is easily achieved. Meanwhile, we observe that when $2 < A_{i+1} / A_i \le 3$ and $\log M \le 2n$, the number of anomalous super-increasing sequences will be greater than $3^n$, because the difference between the possible minimal $A_i$ and the possible maximal $A_i$ is not less than 2 for $i > 3$; we also observe that when $2 < A_{i+1} / A_i \le 3$ and $\log M \le 2n$, the possible maximal $A_1$ is roughly $3^m$, where the exponent $m$ satisfies $1.585 (n + m) \approx 2n$. For instance, when $n = 120$ and $\log M = 2n$, $m \approx 31$.

B. The Encryption Algorithm

Assume that $(\{C_i\}, M)$ is the public key, and $b_1 \dots b_n$ is an $n$-bit plaintext block or symmetric key, which may possibly be padded with a random binary string.
S1: Let $\bar{E} \leftarrow 0$, $L \leftarrow 0$, $i \leftarrow n$.
S2: If $b_i = 1$, do $L \leftarrow L + 1$ and $\bar{E} \leftarrow (\bar{E} + L C_i) \ \% M$.
S3: Set $i \leftarrow i - 1$. If $i \ge 1$, go to S2; otherwise end.
After the algorithm is executed, the ciphertext $\bar{E}$ is obtained. Apparently, $\bar{E}$ may be expressed as $\bar{E} \equiv \sum_{i=1}^{n} C_i b_i L_i \ (\% M)$, where $L_i = \sum_{j=i}^{n} b_j$. In terms of Definition 2, $\bar{E}$ is an anomalous subset sum.

C. The Decryption Algorithm

Assume that $(\{A_i\}, W^{-1}, -Z, M)$ is the private key, and $\bar{E}$ is the ciphertext. In advance, compute $E_k = \sum_{i=1}^{k} (k + 1 - i) A_i$ for $k = n, \dots, 1$ and $\dot{E}_k = \sum_{i=1}^{k} A_i$ for $k = n - 1, \dots, 1$, and store $E_n, \dots, E_1, \dot{E}_{n-1}, \dots, \dot{E}_1$ individually in a data segment of the decryption program.
S1: Compute $\bar{E} \leftarrow \bar{E} W^{-1} \ \% M$.
S2: Repeat $\bar{E} \leftarrow (\bar{E} + (-Z)) \ \% M$ until $\bar{E}$ is even and $\bar{E} \le E_n$.
S3: Let $b_1 \dots b_n \leftarrow 0$, $E \leftarrow \bar{E}$, $L \leftarrow 0$, $i \leftarrow n$.
S4: If $E \ge (L + 1) A_i$, do $b_i \leftarrow 1$, $L \leftarrow L + 1$ and $E \leftarrow E - L A_i$.
S5: Set $i \leftarrow i - 1$. If $i \ge 1$ and $0 < E \le E_i + L \dot{E}_i$, go to S4.
S6: If $E \ne 0$, go to S2; otherwise end.
At last, $b_1 \dots b_n$ is the original plaintext block or the symmetric key.
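As an added illustration (not the authors' C program), the following Python toy runs the key generation, encryption and decryption of Section III end to end at a small $n$, resting on Definitions 1 and 2 of Section II. The construction of $M$ as $q g$ and $Z$ as $g z$ is an assumption made here to meet $M / \gcd(M, Z) \approx n^3 2^{n/2}$, and the re-encryption check inside decrypt is an addition of this example, not a step of the paper's algorithm.

```python
import math
import random
from typing import List, Optional, Tuple

# Toy REESSE2+ written for this page (not the authors' C program): the key
# generation, encryption and decryption of Section III on top of Definitions 1
# and 2 of Section II. Small n gives no security; it only keeps numbers readable.

def is_anomalous_super_increasing(a: List[int]) -> bool:
    """Definition 1: A_i > sum_{j<i} (i - j) A_j for every i > 1."""
    return all(a[i - 1] > sum((i - j) * a[j - 1] for j in range(1, i))
               for i in range(2, len(a) + 1))

def anomalous_subset_sum(x: List[int], bits: List[int]) -> int:
    """Definition 2: E = sum X_i b_i L_i, L_i = number of 1-bits at positions >= i."""
    total, L = 0, 0
    for i in range(len(x), 0, -1):
        if bits[i - 1]:
            L += 1
            total += L * x[i - 1]
    return total

def keygen(n: int, rng: random.Random) -> Tuple[tuple, tuple]:
    """Section III.A, steps S1-S5; returns (public key, private key)."""
    assert n % 2 == 0, "even n keeps 2^(n/2) integral in this toy construction"
    a = [2]                                       # S1: A_1 may be small because Z exists
    for i in range(2, n + 1):                     # every A_i even and slightly above bound
        bound = sum((i - j) * a[j - 1] for j in range(1, i))
        a.append(bound + 2 * rng.randint(1, 3))
    e_n = sum((n + 1 - i) * a[i - 1] for i in range(1, n + 1))      # E_n
    # S2/S3 (assumed construction): M = q*g with q ~ n^3 2^(n/2), Z = g*z with
    # gcd(z, q) = 1, so gcd(M, Z) = g and M / gcd(M, Z) = q as the scheme requires.
    q = n ** 3 * 2 ** (n // 2)
    m_min = max(e_n + 1, 2 ** math.ceil(1.585 * n))
    g = -(-m_min // q)                            # ceiling division
    g += rng.randrange(g)                         # M lands in [m_min, 2*m_min)
    M = q * g
    assert M > e_n and 1.585 * n <= math.log2(M) <= 2 * n
    W = rng.randrange(2, M)
    while math.gcd(W, M) != 1:
        W = rng.randrange(2, M)
    z = rng.randrange(1, q)
    while math.gcd(z, q) != 1:
        z = rng.randrange(1, q)
    Z = g * z
    lever = rng.sample(range(5, n + 5), n)        # S4: random injection into {5..n+4}
    c = [((a[i] + Z * lever[i]) * W) % M for i in range(n)]   # S5; lever then dropped
    return (c, M), (a, pow(W, -1, M), (-Z) % M, M)

def encrypt(pub: tuple, bits: List[int]) -> int:
    """Section III.B: steps S1-S3 amount to the anomalous subset sum of {C_i} mod M."""
    c, M = pub
    assert len(bits) == len(c)
    return anomalous_subset_sum(c, bits) % M

def _peel(e: int, a: List[int], E: List[int], Edot: List[int]) -> Optional[List[int]]:
    """Decryption S3-S6: recover b from E = sum A_i b_i L_i (Properties 1 and 2)."""
    n = len(a)
    bits, L, i = [0] * n, 0, n
    while True:
        if e >= (L + 1) * a[i - 1]:               # S4: by Property 1 this forces b_i = 1
            bits[i - 1] = 1
            L += 1
            e -= L * a[i - 1]
        i -= 1                                    # S5: E_i + L*Edot_i bounds what is left
        if not (i >= 1 and 0 < e <= E[i] + L * Edot[i]):
            return bits if e == 0 else None       # S6: E must have been used up exactly

def decrypt(priv: tuple, pub: tuple, e_bar: int) -> List[int]:
    """Section III.C: step through k by adding -Z until a true anomalous sum appears."""
    a, w_inv, neg_z, M = priv
    n = len(a)
    E = [sum((k + 1 - i) * a[i - 1] for i in range(1, k + 1)) for k in range(n + 1)]
    Edot = [sum(a[:k]) for k in range(n + 1)]
    e = (e_bar * w_inv) % M                       # S1
    k_max = (n + 4) * n * (n + 1) // 2            # k = sum l(i) b_i L_i never exceeds this
    for _ in range(k_max + 1):
        if e % 2 == 0 and e <= E[n]:              # S2: a true E is even and at most E_n
            bits = _peel(e, a, E, Edot)
            # Re-encryption check (added here, not in the paper): a stray anomalous
            # sum met before the right k must not be returned as the plaintext.
            if bits is not None and encrypt(pub, bits) == e_bar:
                return bits
        e = (e + neg_z) % M                       # S2: next candidate for E
    raise ValueError("not a REESSE2+ ciphertext under this key")

def round_trip(n: int, seed: int, bits: Optional[List[int]] = None) -> bool:
    """Make a key pair from seed, encrypt bits (random if None) and decrypt them back."""
    rng = random.Random(seed)
    pub, priv = keygen(n, rng)
    msg = bits if bits is not None else [rng.randint(0, 1) for _ in range(n)]
    return decrypt(priv, pub, encrypt(pub, msg)) == msg
```

round_trip(n, seed) runs all three algorithms on one key pair; the search over $k$ in decrypt is the repeated addition of $-Z$ described in Section III.D.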
This algorithm can always terminate normally as long as $\bar{E}$ is a true ciphertext.

D. Correctness of the Decryption Algorithm

Because the additive group of integers modulo $M$ is Abelian, namely commutative, $\forall k \in [0, M)$ there is $k Z + k(-Z) \equiv k Z + (-k Z) \equiv 0 \ (\% M)$. Let $b_1 \dots b_n$ be an $n$-bit plaintext, and $k = \sum_{i=1}^{n} \ell(i) b_i L_i$, where $L_i = \sum_{j=i}^{n} b_j$. We need to prove that $\bar{E} W^{-1} + k(-Z) \equiv \sum_{i=1}^{n} A_i b_i L_i \equiv E \ (\% M)$. According to Section III.B, $\bar{E} \equiv \sum_{i=1}^{n} C_i b_i L_i \ (\% M)$, where $C_i \equiv (A_i + Z \ell(i)) W \ (\% M)$; hence

$$\bar{E} W^{-1} + k(-Z) \equiv \Big(\sum_{i=1}^{n} C_i b_i L_i\Big) W^{-1} + k(-Z) \equiv W^{-1} \sum_{i=1}^{n} (A_i + Z \ell(i)) W b_i L_i + k(-Z)$$
$$\equiv \sum_{i=1}^{n} (A_i b_i L_i + Z \ell(i) b_i L_i) + k(-Z) \equiv \sum_{i=1}^{n} A_i b_i L_i + \sum_{i=1}^{n} Z \ell(i) b_i L_i + k(-Z) \equiv E + Z k + (-k Z) \equiv E \ (\% M).$$

Apparently, the above proof gives a method for seeking $E$. Notice that in practice, the plaintext $b_1 \dots b_n$ is unknowable in advance, so we have no way to directly compute $k$. However, because the range $k \in [1, \sum_{i=1}^{n} i^2]$ is very narrow, we may search $k$ heuristically by adding $(-Z) \ \% M$, and verify whether $E$ is equal to 0 after some items $(A_i L_i)$ are subtracted from $E$. It is known from Section III.C that the original plaintext $b_1 \dots b_n$ is acquired at the same time the condition $E = 0$ is satisfied.

E. Uniqueness of a Plaintext Solution to a Ciphertext

Because $\{C_i\}$ is not an anomalous super-increasing sequence, the mapping from the subsequence $\{C_{x_1}, \dots, C_{x_m}\}$, which is in original order, to the anomalous subset sum $\bar{E}$ is theoretically many-to-one. It might possibly result in the nonuniqueness of the plaintext solution $b_1 \dots b_n$ when $\bar{E}$ is being unveiled. Suppose that the ciphertext $\bar{E}$ can be obtained from two different subsequences, that is, $\bar{E} \equiv m C_{x_1} + (m - 1) C_{x_2} + \dots + C_{x_m} \equiv h C_{y_1} + (h - 1) C_{y_2} + \dots + C_{y_h} \ (\% M)$.
Then

$$\big(m (A_{x_1} + Z \ell(x_1)) + (m - 1)(A_{x_2} + Z \ell(x_2)) + \dots + (A_{x_m} + Z \ell(x_m))\big) W \equiv \big(h (A_{y_1} + Z \ell(y_1)) + (h - 1)(A_{y_2} + Z \ell(y_2)) + \dots + (A_{y_h} + Z \ell(y_h))\big) W \ (\% M).$$

It follows that $(m A_{x_1} + (m - 1) A_{x_2} + \dots + A_{x_m} + Z k_1) \equiv (h A_{y_1} + (h - 1) A_{y_2} + \dots + A_{y_h} + Z k_2) \ (\% M)$, where $k_1 = m \ell(x_1) + (m - 1) \ell(x_2) + \dots + \ell(x_m)$ and $k_2 = h \ell(y_1) + (h - 1) \ell(y_2) + \dots + \ell(y_h)$. Without loss of generality, let $k_1 \ge k_2$. Because the additive group modulo $M$ is Abelian, there is $Z (k_1 - k_2) \equiv (h A_{y_1} + (h - 1) A_{y_2} + \dots + A_{y_h}) - (m A_{x_1} + (m - 1) A_{x_2} + \dots + A_{x_m}) \ (\% M)$, which is written shortly as

$$Z (k_1 - k_2) \equiv \sum_{i=1}^{h} (h + 1 - i) A_{y_i} + \sum_{j=1}^{m} (m + 1 - j)(-A_{x_j}) \ (\% M).$$

Letting $\theta \equiv \sum_{i=1}^{h} (h + 1 - i) A_{y_i} + \sum_{j=1}^{m} (m + 1 - j)(-A_{x_j}) \ (\% M)$ gives $Z (k_1 - k_2) \equiv \theta \ (\% M)$.

In a cryptographic application, $Z$ is fixed. If a value of the variable $(k_1 - k_2)$ exists, the condition $\gcd(Z, M) \mid \theta$ must be satisfied [16]. Thus, we need to observe the probability that the condition holds.

If an adversary tries to attack an 80-bit symmetric key or plaintext block through exhaustive search, and a computer can verify a trillion values per second, it will take 38334 years to verify all the potential values, which indicates that currently 80 bits are quite enough for the security of a symmetric key or plaintext block.

Let $\tilde{n}$ denote the number of values formed from $\sum_{i=1}^{h} (h + 1 - i) A_{y_i} + \sum_{j=1}^{m} (m + 1 - j)(-A_{x_j}) \ (\% M)$. If the coefficients $(h + 1 - i)$ and $(m + 1 - j)$ before $A_{y_i}$ and $(-A_{x_j})$ are neglected, one of $A_t$, $-A_t$ and null, where $t \in [1, n]$, may occur in $\sum_{i=1}^{h} A_{y_i} + \sum_{j=1}^{m} (-A_{x_j}) \ \% M$ ($A_t$ and $-A_t$ will cancel each other if both occur in the expression at the same time). Therefore, on this assumption, $\tilde{n}$ is less than $3^n \approx 2^{1.585 n}$ exclusive of the repeated values.
If the coefficients before $A_{y_i}$ and $-A_{x_j}$ are considered, the number of values formed from $\sum_{i=1}^{h} (h + 1 - i) A_{y_i}$ is $2^n$, while the number of values formed from $\sum_{j=1}^{m} (m + 1 - j)(-A_{x_j})$ is at most $2^n$ since $\{-A_1, \dots, -A_n\}$ is not necessarily an anomalous super-increasing sequence, which means that $\tilde{n}$ is at most the maximum between $2^{2n}$ and $M - 1$.

It is known from Section III.A that $M / \gcd(M, Z) \approx n^3 2^{n/2}$ holds, which manifests that there are $n^3 2^{n/2}$ integers which can be divided exactly by $\gcd(M, Z)$ and are distributed uniformly on the interval $[1, M]$. Obviously, the probability that an arbitrary integer in $(1, M)$ can be divided exactly by $\gcd(M, Z)$ is $n^3 2^{n/2} / M$, where the numerator is not less than $2^{80}$ when $n \ge 120$. Suppose that $\log M = 1.585 n$, namely $M \approx 2^{1.585 n}$, and that the values of $\theta$ are distributed uniformly on the interval $[1, M)$. Then the probability of $\gcd(Z, M) \mid \theta$ is $(\tilde{n} (n^3 2^{n/2} / M)) / \tilde{n} \approx n^3 2^{n/2} / 2^{1.585 n} \le n^3 / 2^n$. If the values of $\theta$ are not distributed uniformly on the interval $[1, M)$, then the probability of $\gcd(Z, M) \mid \theta$ will be much less than $n^3 / 2^n$.

Notice that if $m C_{x_1} + (m - 1) C_{x_2} + \dots + C_{x_m} \equiv L_{y_1} C_{y_1} + L_{y_2} C_{y_2} + \dots + L_{y_h} C_{y_h} \ (\% M)$ with $L_{y_{i+1}} \ne L_{y_i} - 1$, then the right side of the equation will not influence the uniqueness of a decrypted plaintext.

The preceding analysis makes it clear that when $\log M \ge 1.585 n$ and $M / \gcd(M, Z) \approx n^3 2^{n/2}$, the probability that the plaintext solution $b_1 \dots b_n$ is not unique is less than $n^3 / 2^n$, and almost zero when $n \ge 120$. Thus, the decryption algorithm can always recover the original plaintext from the ciphertext $\bar{E}$, which is also validated by the program in C language.

F. Characteristics of REESSE2+

REESSE2+ has the following characteristics compared with the classical MH, RSA and ElGamal cryptosystems.
• The key transform $C_i \equiv (A_i + Z \ell(i)) W \ (\% M)$ is a compound function and contains four independent variables. That is, the $n$ equations contain $2n + 2$ unknown variables. Hence, REESSE2+ is a multivariate cryptosystem [15].
• If any of $A_i$, $Z$, $W$ and $\ell(i)$ is determined, the relation among the three remaining ones is still nonlinear; thus there are very complicated nonlinear relations among $A_i$, $Z$, $W$ and $\ell(i)$.
• There is indeterminacy of $\ell(i)$. On condition that $C_i$, $Z$ and $W$ are determined, $A_i$ and $\ell(i)$ cannot be determined, and even have no one-to-one relation for $\gcd(Z, M) > 1$. On condition that $C_i$, $W$ and $A_i$ are determined, $Z$ and $\ell(i)$ cannot be determined, and also have no one-to-one relation when $\gcd(\ell(i), M) > 1$.
• There is insufficiency of the key mapping. Roughly speaking, a private key in REESSE2+ includes four parts, $\{A_i\}$, $Z$, $W$ and the discarded $\{\ell(i)\}$, but there is only a dominant mapping from $\{A_i\}$ to $\{C_i\}$. Thereby, the reversibility of the function is not obvious, and inferring a private key by mathematical methods is intractable.
• Since the elements of the set $\Omega$ are not fixed, $\Omega = \{\delta + i \ \% M \mid i = 5, \dots, n + 4\}$ for example, and the mathematical definition of an anomalous subset sum is diverse, REESSE2+ is a sort of flexible public key cryptosystem.

IV. NECESSITY AND SUFFICIENCY OF THE LEVER FUNCTION

The necessity of the lever function $\ell(\cdot)$ means that if the private key in REESSE2+ is secure, $\ell(\cdot)$ as a function must exist in the key transform. The equivalent contrapositive assertion is that if $\ell(\cdot)$ does not exist or is a constant in the key transform, the private key in REESSE2+ will be insecure. The sufficiency of the lever function $\ell(\cdot)$ means that if $\ell(\cdot)$ as an injection exists in the key transform, the private key in REESSE2+ is secure, that is, the Shamir attack method based on the accumulation of minimum points is ineffective.

A. Potential Attack by the Shamir Method When $\ell(\cdot) = k$ Forever

If a private key is insecure, a plaintext must be insecure. Hence, the security of the private key is fundamental and all-around. It is known from Section III.A that when $\ell(\cdot)$ is a constant $k$, the key transform becomes $C_i \equiv (A_i + Z k) W \ (\% M)$, which is equivalent to $\ell(\cdot)$ being ineffectual or nonexistent. Notice that the variation on $\ell(\cdot)$ does not influence the correctness of all the algorithms.

When $C_i \equiv (A_i + Z k) W \ (\% M)$, there are
$C_1 \equiv (A_1 + Z k) W \ (\% M)$,
$C_2 \equiv (A_2 + Z k) W \ (\% M)$,
$\dots$
$C_n \equiv (A_n + Z k) W \ (\% M)$.
Subtracting $C_1$ from every equality beginning with $C_2$ gives a difference sequence $\{C_2 - C_1, C_3 - C_1, \dots, C_n - C_1\}$. That is to say, $C_i - C_1 \equiv (A_i - A_1) W \ (\% M)$ for $i = 2, \dots, n$. To a greater degree, $A_i - A_1 \equiv (C_i - C_1) W^{-1} \ (\% M)$. Notice that because $W$ is unknown, and $A_i$ is likely large relative to $M$, the continued fraction analysis [15] is ineffectual on REESSE2+ with $\ell(\cdot) = k$.

Section III.A tells us that when $\{A_1, \dots, A_n\}$ is an anomalous super-increasing sequence and satisfies the constraint conditions, there is a rough proportion between $A_{i+1}$ and $A_i$, namely $2 < A_{i+1} / A_i \le 3$ for every $i > 2$. Considering that $A_1$ is a small integer, there also exists a rough proportion between $(A_{i+1} - A_1)$ and $(A_i - A_1)$ when the subscript $i$ is comparatively large. Therefore, in light of the Shamir extremum method [4], $W$ and $\{A_2 - A_1, A_3 - A_1, \dots, A_n - A_1\}$ might be found out. Additionally, in consideration of $A_1$ being small, $A_1$ can be guessed in acceptable time, which indicates that $\{A_1, \dots, A_n\}$ may possibly be inferred. It follows that $(Z k)$ can be figured out.

The above analysis illustrates that when the lever function $\ell(\cdot)$ is the constant $k$, a related private key is likely deduced from a public key, and further a related plaintext is likely recovered from a ciphertext. Thus, $\ell(\cdot)$ as an injective function is necessary to the REESSE2+ scheme.

B. Ineffectiveness of the Minimum Point Attack with $\ell(\cdot)$ being Injective

In the MH knapsack cryptosystem, every item of the super-increasing sequence $\{a_1, \dots, a_n\}$ is approximately double the previous item, that is, $a_n < 2^{-1} M$, $a_{n-1} < 2^{-2} M$, $\dots$, $a_1 < 2^{-n} M$. Thus, Shamir broke the MH system by utilizing this regularity. In the REESSE2+ scheme, let $A_i + Z \ell(i) \equiv C_i W^{-1} \ (\% M)$; then $\{A_1 + Z \ell(1), A_2 + Z \ell(2), \dots, A_n + Z \ell(n)\}$ is neither a super-increasing sequence nor an anomalous super-increasing sequence, but a stochastic sequence. Because there does not exist a fixed proportional relation between $(A_{i+1} + Z \ell(i + 1))$ and $(A_i + Z \ell(i))$, namely the value $(A_{i+1} + Z \ell(i + 1)) / (A_i + Z \ell(i))$ is not approximately unvarying, the minimum point attack of Shamir is ineffectual on the sequence $\{A_1 + Z \ell(1), A_2 + Z \ell(2), \dots, A_n + Z \ell(n)\}$, which indicates the lever function is sufficient for the security of a private key against the Shamir attack method.

C. Relation between $\ell(\cdot)$ and a Random Oracle

If an adversary tries to find $i$, $j$ and $k$ such that $\ell(k) = \ell(i) + \ell(j)$, where $i < j < k$, he will be confronted with two difficulties:
• Due to $W \in [1, M)$, the discriminant $A_i + A_j - A_k \equiv (C_i + C_j - C_k) W^{-1} \ (\% M)$ cannot be verified in polynomial time.
• The function $\ell(\cdot)$ bears indeterminacy. For example, when $\ell(i) + \ell(j) \ne \ell(k)$, there exist $C_i \equiv (A'_i + Z' \ell'(i)) W' \ (\% M)$, $C_j \equiv (A'_j + Z' \ell'(j)) W' \ (\% M)$, $C_k \equiv (A'_k + Z' \ell'(k)) W' \ (\% M)$ such that $\ell'(i) + \ell'(j) = \ell'(k)$, $A'_i < A'_j$, and $2 A'_i + A'_j < A'_k$.
In what follows, the indeterminacy of $\ell(\cdot)$ will be explained further.
A function or algorithm is randomized if its output depends not only on the input but also on some random ingredient, namely if its output is not uniquely determined by the input. In other words, a random function or algorithm outputs a different value every time it receives the same input. According to this definition, the randomness of a function or algorithm is almost equivalent to indeterminacy. Of course, a random function or algorithm may be a random oracle, which is a theoretical black box and answers every query with a completely random and unpredictable value chosen uniformly from its output domain [17][18].

Suppose that $R_\ell$ is a random oracle for the lever function values $\{\ell(i)\}$. We construct $R_\ell$ as follows:
Input: $\{C_1, \dots, C_n\}$, $M$.
Output: $\{\ell(1), \dots, \ell(n)\}$.
S1: Randomly produce an anomalous super-increasing sequence $\{A_1, \dots, A_n\}$ such that $\sum_{i=1}^{n} (n + 1 - i) A_i < M$, where every $A_i$ is even.
S2: Pick integers $W, Z < M$ such that $\gcd(W, M) = 1$ and $M / \gcd(Z, M) \approx n^3 2^{n/2}$.
S3: Compute $\ell(i)$ by $C_i \equiv (A_i + Z \ell(i)) W \ (\% M)$ if $\gcd(Z, M) \mid (C_i W^{-1} - A_i)$ for $i = 1, \dots, n$.
S4: If every $\ell(i)$ is already computed, return $\{\ell(1), \dots, \ell(n)\}$; otherwise go to S1.
According to Definition 2, every $\ell(i)$ may be outside $[5, n + 4]$ and pairwise nonconsecutive, namely any $\ell(i) \in [1, M - 1]$ is up to the definition and the requirement. By the way, $\{A_i\}$, $W$ and $Z$ may be output as side results.

The above algorithm illustrates that the output $\{\ell(i)\}$ depends not only on $\{C_i\}$ and $M$ but also on the random $W$, $Z$ and $\{A_i\}$. Namely, every time for the same input $(\{C_i\}, M)$, the output $\{\ell(i)\}$ is different or randomized. Therefore, $R_\ell$ is exactly a random oracle, and it is impossible that through $R_\ell$ the adversary obtains the specific $\{\ell(i)\}$ and the other private key parts generated by the key algorithm.
Additionally, because the above algorithm is a random oracle, we do not need to be concerned with its running time. The discussion in this section manifests soundly that any indeterministic reasoning, if it exists, is ineffectual on the private key in REESSE2+.

V. SECURITY ANALYSIS OF THE REESSE2+ SCHEME

A. Extracting a Private Key from a Public Key Is Intractable

A public key may be treated as the special cipher of a related private key. A ciphertext is the integration of a public key and a plaintext, so the ciphertext is of no direct help in inferring the private key. In this section, we make further analysis of the security of the private key in terms of exhaustive search.

In the REESSE2+ scheme, the key transform is $C_i \equiv (A_i + Z \ell(i)) W \ (\% M)$, where $\ell(i) \in \{5, \dots, n + 4\}$, $1.585 n \le \log M \le 2n$, $W$ meets $\gcd(W, M) = 1$, and $Z$ meets $M / \gcd(M, Z) \approx n^3 2^{n/2}$.

If an adversary attempts to guess $W$, because the number of potential values of $W$ equals $\phi(M)$, the probability of hitting $W$ is $1 / \phi(M)$. Clearly, we can make $\phi(M) \ge n^3 2^{n/2}$ by taking a fit $M$.

Because $\log M \le 2n$, $M$ can be factorized in tolerable time, which indicates that $\gcd(M, Z)$ may possibly be found out in polynomial time. Furthermore, $Z$ may be guessed. However, owing to $M / \gcd(M, Z) \approx n^3 2^{n/2}$, the probability of successfully guessing $Z$ by brute force is approximately $1 / (n^3 2^{n/2})$, not greater than $1 / 2^{80}$ as $n \ge 120$. Clearly, it is almost zero.

If the adversary guesses the sequence $\{\ell(1), \dots, \ell(n)\}$, namely an arrangement of $\{5, \dots, n + 4\}$, the probability of successfully guessing $\{\ell(1), \dots, \ell(n)\}$ is $1 / n!$, where $n! = n (n - 1) \cdots 1$ is the factorial of $n$.

According to Section III.A, the number of all possible $\{A_1, \dots, A_n\}$ is greater than $3^n$ when $2 < A_{i+1} / A_i \le 3$ and $\log M \le 2n$. Therefore, the probability of successfully guessing $\{A_i\}$ by brute force is $1 / 3^n$.
If the adversary assumes the values of $W$, $Z$ and $\{\ell(i)\}$, and $\{A_i\}$ computed from $A_i \equiv W^{-1} C_i - Z \ell(i) \ (\% M)$ is an anomalous super-increasing sequence, the guess is successful. However, the time complexity of such a guess is up to $O(n^3 2^{n/2}\, n!\, \phi(M))$. If the adversary assumes the values of $Z$, $\{A_i\}$ and $\{\ell(i)\}$, the sufficient and necessary condition for $(A_i + Z \ell(i)) W \equiv C_i \ (\% M)$ to have solutions is $\gcd(A_i + Z \ell(i), M) \mid C_i$. Hence, $W$ does not always exist. Similarly, $Z$ does not always exist, and neither does $\ell(i)$.

B. Recovering a Plaintext from a Ciphertext and a Public Key Is Intractable

1) Solving Subset Sums Is Restricted by NPC, Lengths and Densities: The subset sum problem is similar to the partition problem and the integer programming problem [5][19]. If the solution to a subset sum were just the shortest vector in a related lattice, and it could be sought in polynomial time, the subset sum problem would degenerate from the NP-complete class. Coster, Joux, LaMacchia et al. showed that when the density $D < 0.9408$, the solution vector to a normal subset sum is the shortest [8]. Schnorr and Hörner showed that for the Chor-Rivest cryptosystem with $D < 1.271$, the solution vector to a related subset sum is the shortest [10]. Ritter showed that for the Orton cryptosystem with $1 < D < 2$, the solution vector to a related subset sum is the shortest in $l_\infty$-norm [12]. The general $l_\infty$-norm shortest vector problem is known to be NP-complete [12][20], and thus when the length $n$ grows, even though the density is still kept reasonable, any breaking method through $l_\infty$-norm, including the Ritter method, will gradually be disabled. The $l_2$-norm shortest vector problem is open [8][12] for a fixed dimension which equals $n + 1$, and NP-hard for a varying dimension [21].
Thus, we conjecture that when $n$ increases and $D$ is kept unvaried, the probability of breaking subset sum ciphertexts through the $l_2$-norm [8][22] will gradually decrease, which is validated by our experiments afterwards. Of course, when the density $D$ increases and $n$ is kept unvaried, the probability of solving subset sums by the same algorithm will also decrease.

Coster, Joux, LaMacchia et al. thought that an $l_\infty$-norm lattice oracle yields a better density bound than an $l_2$-norm lattice oracle [8], which seems to be validated by [12]. They also judged that "we cannot hope to asymptotically improve the 0.9408 bound by reducing a polynomial number of bases with different $b_{n+1}$ vectors. However for small dimensions it might be possible to improve the bound even though any such advantage will disappear as $n$ grows." [8], which is likewise applicable to the Ritter method, since the main difference between the two methods lies merely in the standard of vector measure.

The foregoing argumentation makes it clear that so long as the density $D$ of a sequence is greater than 2, and the length $n$ is large enough, $n \ge 120$ for example, a subset sum ciphertext will be secure, because in this case the shortest nonzero vector in a lattice either cannot be transformed into the right solution to a subset sum, or cannot be found in polynomial time.

Notice that in general, when the sequence density $D > 1$, there will be many subsets of weights with the same sum, and thus a sequence with $D > 1$ applied to a cryptosystem should be devised elaborately.

2) Density of a Public Key in REESSE2+ Is in Linear Proportion to n:

In the REESSE2+ scheme, a ciphertext $\bar{E}$ is one anomalous subset sum, namely $\bar{E} \equiv \sum_{i=1}^{n} C_i b_i L_i\ (\%\ M)$, where $L_i = \sum_{j=i}^{n} b_j$, and $\sum_{i=1}^{n} b_i L_i \le n(n+1)/2$. To seek a solution $(b_1 L_1, \dots, b_n L_n)$ to $\bar{E}$ in polynomial time, an adversary must construct a suitable lattice basis according to $\{C_1, \dots, C_n\}$.
Clearly, an intuitive way is to let the lattice be spanned by the linearly independent vectors

$\vec{b}_1 = (1, 0, \dots, 0, N C_1)$,
$\vec{b}_2 = (0, 1, \dots, 0, N C_2)$,
$\vdots$
$\vec{b}_n = (0, 0, \dots, 1, N C_n)$,
$\vec{b}_{n+1} = (0, 0, \dots, 0, N S)$,

where $N > n^{1/2}/2$ is a positive integer, $S \in \{\bar{E} + 0M, \bar{E} + 1M, \dots, \bar{E} + (n(n+1)/2)M\}$, and the dimension of each $\vec{b}_i$ is $n+1$. Because all the nonzero elements of a solution vector are distinct from one another, and greater than or equal to 1, $\vec{b}_{n+1}$ may not be designed as $(\tfrac{1}{2}, \tfrac{1}{2}, \dots, \tfrac{1}{2}, N S)$.

However, it is specious: when the elements of a solution vector are distributed on an interval beyond $[0, 1]$, then even if the density $D < 0.6463$, the shortest vector in a lattice is not the solution to an anomalous subset sum.

For example, let $\{211, 122, 300\}$ be a sequence with the density $D = 3/9 < 0.6463$, and a related Diophantine equation be $211x + 122y + 300z = 1177$ with the constraint that the nonzero items of $\{x, y, z\}$ descend gradually by 1. It is easily understood that the uniquely fit solution is $(x, y, z) = (3, 2, 1)$. By the basis reduction, let the lattice be $\mathbb{Z}\vec{b}_1 + \mathbb{Z}\vec{b}_2 + \mathbb{Z}\vec{b}_3 + \mathbb{Z}\vec{b}_4$, where $\mathbb{Z}$ is the integer set, and $\vec{b}_1 = (1, 0, 0, 211N)$, $\vec{b}_2 = (0, 1, 0, 122N)$, $\vec{b}_3 = (0, 0, 1, 300N)$, $\vec{b}_4 = (0, 0, 0, 1177N)$. Then, $3\vec{b}_1 + 2\vec{b}_2 + 1\vec{b}_3 - 1\vec{b}_4 = (3, 2, 1, 0)$ is a solution vector, and $2\vec{b}_1 - 1\vec{b}_2 - 1\vec{b}_3 - 0\vec{b}_4 = (2, -1, -1, 0)$ is also a solution vector. The former satisfies the constraint, but its distance $(3^2 + 2^2 + 1^2 + 0^2)^{1/2} > (2^2 + (-1)^2 + (-1)^2 + 0^2)^{1/2}$ in the $l_2$-norm, or $3 > 2$ in the $l_\infty$-norm. That is, the solution $(3, 2, 1, 0)$ is not the shortest nonzero vector in this lattice.

Therefore, the adversary has to transform an anomalous subset sum into a normal subset sum to obtain a right solution vector each element of which is either 0 or 1, and further he needs to consider the new layout of the sequence $\{C_1, \dots, C_n\}$ as a public key.
In conformity with $\bar{E} \equiv \sum_{i=1}^{n} C_i b_i L_i \pmod M$, there are only two alternative manners: the sequence $\{C_1, \dots, C_n\}$ is written as
$\{nC_1, (n-1)C_1, \dots, C_1, (n-1)C_2, (n-2)C_2, \dots, C_2, \dots, 2C_{n-1}, C_{n-1}, C_n\}$,
or as
$\{C_{1,1}, C_{1,2}, \dots, C_{1,n}, C_{2,1}, C_{2,2}, \dots, C_{2,n-1}, \dots, C_{n-1,1}, C_{n-1,2}, C_{n,1}\}$,
where $C_{1,1} = C_{1,2} = \dots = C_{1,n} = C_1$, $C_{2,1} = C_{2,2} = \dots = C_{2,n-1} = C_2$, $\dots$, $C_{n-1,1} = C_{n-1,2} = C_{n-1}$, $C_{n,1} = C_n$. It should be noted that the solution vector through the second manner might possibly be unstable.

Still take the sequence $\{211, 122, 300\}$ and the equation $211x + 122y + 300z = 1177$. By the first manner, they may be written respectively as $\{633, 422, 211, 244, 122, 300\}$, and as $633b_1 + 422b_2 + 211b_3 + 244b_4 + 122b_5 + 300b_6 = 1177$ with $b_i \in [0, 1]$. Then, the right solution vector to the rewritten equation is $(1, 0, 0, 1, 0, 1)$ if it can be found in polynomial time.

No matter which manner is adopted, the length of the extended sequence is $n + \dots + 1 = n(n+1)/2$, and the size of the matrix corresponding to a lattice basis is $1 + n(n+1)/2$ by $1 + n(n+1)/2$. Hence, the density of the sequence $\{C_1, \dots, C_n\}$ is in substance
$D = (n + \dots + 1)/\log \max_{1 \le i \le n}\{C_i\} = n(n+1)/(2 \log \max_{1 \le i \le n}\{C_i\}) \approx n(n+1)/(2 \log M)$.
For REESSE2+, $n \ge 120$ and $\log M \le 2n$, so $D \ge n(n+1)/(4n) = (n+1)/4 > 30 > 2$. In light of the argumentation in section V.B.1, the ciphertexts in the REESSE2+ scheme with $D > 30$ and a large $n$ are secure against the lattice basis reduction attack.

3) Cost of Reducing Ciphertexts via an $L^3$ Lattice Basis Is Not Negligible:

The set of all integral linear combinations of $n$ linearly independent vectors $\vec{b}_1, \dots, \vec{b}_n$ of dimension $d$, as seen above, is called a lattice of dimension $n$. In the subset sum problem, it is easily understood that $d = O(n)$ frequently.
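The $\{211, 122, 300\}$ demonstration of section V.B.2 and the "first manner" rewriting just above can both be checked by direct enumeration. The Python block below is an added example, not code from the paper or its authors: the sequence, the target 1177, the constraint on the solution and the expanded sequence are the paper's toy values; the scaling factor $N = 10$ (any integer above $\sqrt{3}/2$ serves) and all function names are the example's own.

```python
# Added example (not the paper's code): the {211, 122, 300} lattice demonstration of
# section V.B.2, and the "first manner" rewriting of an anomalous subset sum as a
# plain 0/1 subset sum together with the resulting density formula.
from itertools import product
from math import sqrt

SEQ = [211, 122, 300]   # the paper's toy public-key sequence
TARGET = 1177           # 3*211 + 2*122 + 1*300


def anomalous_subset_sum(seq, bits):
    """E = sum_i C_i * b_i * L_i with L_i = sum_{j >= i} b_j (the REESSE2+ form, no modulus)."""
    total, L = 0, 0
    for c, b in zip(reversed(seq), reversed(bits)):
        L += b                      # running count of 1-bits at positions >= i
        total += c * b * L
    return total


def constrained_solutions(seq, target):
    """All x = (b_1 L_1, ..., b_n L_n) with sum_i C_i x_i = target, i.e. the nonzero
    entries of x descend by exactly 1 down to 1 (the constraint of section V.B.2)."""
    n = len(seq)
    found = []
    for bits in product((0, 1), repeat=n):
        if anomalous_subset_sum(seq, bits) == target:
            L = [sum(bits[i:]) for i in range(n)]
            found.append(tuple(b * l for b, l in zip(bits, L)))
    return found


def lattice_vector(coeffs, seq, target, N=10):
    """Integer combination k_1 b_1 + ... + k_n b_n + k_{n+1} b_{n+1} of the basis
    b_i = (e_i, N*C_i), b_{n+1} = (0, ..., 0, N*target). The last coordinate is 0
    exactly when (k_1, ..., k_n) solves the unconstrained Diophantine equation."""
    n = len(seq)
    head = list(coeffs[:n])
    last = N * (sum(k * c for k, c in zip(coeffs, seq)) + coeffs[n] * target)
    return tuple(head + [last])


def l2(v):
    """Euclidean (l_2) norm."""
    return sqrt(sum(x * x for x in v))


def linf(v):
    """Max (l_infinity) norm."""
    return max(abs(x) for x in v)


def first_manner(seq):
    """Expand {C_1, ..., C_n} into {nC_1, ..., C_1, (n-1)C_2, ..., C_2, ..., C_n} so the
    anomalous subset sum becomes an ordinary 0/1 subset sum of length n(n+1)/2."""
    n = len(seq)
    out = []
    for i, c in enumerate(seq):
        out.extend(m * c for m in range(n - i, 0, -1))
    return out


def zero_one_value(ext_seq, bits):
    """Value of the rewritten equation for a 0/1 vector over the expanded sequence."""
    return sum(c * b for c, b in zip(ext_seq, bits))


def density_bound(n, log_m):
    """D = n(n+1) / (2 log M): the density of the expanded sequence (section V.B.2)."""
    return n * (n + 1) / (2 * log_m)


if __name__ == "__main__":
    print("constrained solutions:", constrained_solutions(SEQ, TARGET))   # [(3, 2, 1)]
    good = lattice_vector((3, 2, 1, -1), SEQ, TARGET)     # (3, 2, 1, 0)
    short = lattice_vector((2, -1, -1, 0), SEQ, TARGET)   # (2, -1, -1, 0)
    print(good, l2(good), linf(good))
    print(short, l2(short), linf(short))
    print("first manner:", first_manner(SEQ))             # [633, 422, 211, 244, 122, 300]
    print("0/1 value:", zero_one_value(first_manner(SEQ), (1, 0, 0, 1, 0, 1)))  # 1177
    print("density for n = 120, log M = 240:", density_bound(120, 240))       # 30.25
```

Both `(3, 2, 1, 0)` and `(2, -1, -1, 0)` come out with last coordinate 0, so both are lattice vectors for the unconstrained equation, and the norm comparison shows the constrained solution is the longer of the two in either norm. `density_bound(120, 240)` evaluates the lower bound $(n+1)/4$ of the text for $n = 120$ and $\log M = 2n$.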
The original $L^3$ algorithm performs $O(n^5)$ arithmetic steps on $O(n^2)$-bit integers [9]. Owing to Gram-Schmidt orthogonalization, the reduction process produces rational coefficients each of which is expressed by an $O(n^2)$-bit numerator and an $O(n^2)$-bit denominator. Hence, when $n$ is comparatively large, the $L^3$ algorithm is expensive for practical cryptanalytic applications.

If the rationals are cursorily substituted with floating-point numbers, the algorithm might not terminate normally, or the output basis might not be reduced. There was only one provable floating-point $L^3$ algorithm known, with a precision of $O(2n)$ bits [23]. In practice, people use its heuristic version [24]. By the cascade mode [25], the floating-point $L^3$ runs in $O(2n^7)$ bit operations.

In 2006, Schnorr brought forward segment $L^3$-reduction under floating-point arithmetic [26]. SLLL$_0$ runs in $O(n^4)$ arithmetic steps with $O(n^2)$-bit floating-point numbers, SLLL in $O(n^4 \log n)$ arithmetic steps with $O(n)$-bit floating-point numbers, and SLLL$^+$ in $O(n^3 \log n)$ arithmetic steps with $O(n^2)$-bit floating-point numbers. Obviously, the bit operation count of SLLL, $O(n^6 \log n)$, is the lowest, but it is still laborious.

If SLLL is employed for attacking the ciphertexts in the REESSE2+ system with $n \ge 120$, first, one must consider acquiring the non-modular subset sum $\sum_{i=1}^{n} C_i b_i L_i$ from $\bar{E}$, which needs $O(n^2)$ heuristic trials, and second, one must lay $n^2$ vectors in constructing a basis according to section V.B.2. On the basis of the two points, the bit operations of SLLL for REESSE2+ can be estimated at least at
$O(n^2)\,O((n^2)^6 \log n^2) = O(n^2 (n^2)^6 \log n^2) \approx O((2^7)^2 (2^{7 \times 2})^6 \log 2^{7 \times 2}) \approx O(2^{14}\, 2^{84}\, 2^4) = O(2^{102})$,
and clearly, it is not negligible.

C. Preventing Meet-in-the-middle Attacks

Let $b_1 \dots b_n$ be a plaintext, $t = \lfloor n/2 \rfloor$, and $S = \bar{E} + kM$ be a related ciphertext, where $k \in [0, n(n+1)/2]$.
Construct a table with entries $(\sum_{i=t+1}^{n} C_i b_i L_i,\ (b_{t+1} \dots b_n))$, try each combination of $b_1 \dots b_t$, and judge whether $F = S - \sum_{i=1}^{t} C_i b_i L_i$ is the first component of some entry in the table. Therefore, the meet-in-the-middle attack method is likewise applicable to the REESSE2+ scheme [22]. Because an adversary needs $O(n^2)$ heuristic trials for acquiring the non-modular subset sum $S$ from $\bar{E}$, the cost of the meet-in-the-middle attack is $O(n^2)\,O(n\,2^{n/2}) = O(n^3 2^{n/2})$ steps. Thus, when $n = 120$, this cost is approximately $O(2^{80})$ steps, which is enough for the security of a cryptosystem at present. Also, it indicates that when $n = 120$, the number of bits which can be protected effectually by the REESSE2+ scheme is 80, and if the number of bits encrypted is greater than 80, an adversary should substitute the meet-in-the-middle attack for the brute force attack. It is interesting that the bits after the effectually protected bit string exactly play a role in resisting the adaptive chosen-ciphertext attack.

D. Avoiding the Adaptive-chosen-ciphertext Attack

Theoretically, the vast majority of public-key cryptosystems may be faced by the adaptive chosen-ciphertext attack. In 1998, Bleichenbacher demonstrated a practical adaptive chosen-ciphertext attack on a form of RSA encryption [27]. In the same year, the Cramer-Shoup asymmetric encryption algorithm, derived from the extremely malleable ElGamal algorithm, was proposed [28]. It is the first efficient scheme proven to be secure against the adaptive chosen-ciphertext attack using standard cryptographic assumptions, which indicates that not all uses of cryptographic hash functions require random oracles; some require only the property of collision resistance.

An effectual approach to avoiding the adaptive chosen-ciphertext attack is to append a stochastic fixed-length binary sequence to the end of every plaintext block when it is encrypted.
Thus, when a plaintext block is encrypted at different times with the same public key, the generated ciphertext blocks are distinct from one another. For example, a concrete implementation is referred to the OAEP+ scheme [29].

VI. ANALYSIS OF TIME COMPLEXITY OF THE REESSE2+ SCHEME

Since the key generation algorithm is not required to be real-time, we do not intend to analyze the time complexity of this algorithm. Hereunder, the time complexity of an algorithm is measured by the amount of bit operations (abo, shortly). Usually, the abo of a comparison operation is neglected. In terms of [22], the abo of a modular addition is $O(2\log M)$, and the abo of a modular multiplication is $O(2\log^2 M) = O(2(\log M)^2)$, where $M$ is a modulus.

A. Time Complexity of the Encryption Algorithm

It is known from section III.B that the encryption algorithm has one loop, the loop body contains only one statement, $(\bar{E} + L C_i) \bmod M$, and the number of loop iterations is $n$. Because $L \in [1, n]$ is extremely small, the bit operations of the multiplication in the expression $(\bar{E} + L C_i) \bmod M$ may be neglected, and $(\bar{E} + L C_i) \bmod M$ may be regarded as modular addition arithmetic. In this way, the abo of encryption is $O(2n \log M)$, a linear function of $n$. Obviously, the encryption speed is extraordinarily fast.

B. Time Complexity of the Decryption Algorithm

It is known from section III.C that the decryption algorithm contains two loops, one nested inside the other. Step 1 contains a modular multiplication, and its abo is approximately $\mathrm{Mult} = O(2\log^2 M)$. Step 2, …, and step 6 compose the outer loop body. It contains a modular addition and an inner loop. The abo of the modular addition is $\mathrm{Addi} = O(2\log M)$. Let $\bar{U}$ denote the number of outer loop iterations. The value of $\bar{U}$ rests with $L = L_1$, namely the number of 1-bits in a plaintext block, and with $\ell(1), \dots, \ell(n)$, namely a distribution of the integers $5, \dots, n+4$.
Note that this distribution is uniform. Due to the indeterminacy of $L_i$ and $\ell(i)$, we can only compute roughly the expected value of $\bar{U}$. For convenience, we may substitute $\ell(i) \in [5, n+4]$ with $\ell(i) \in [1, n]$.

Firstly, let $L = n$. Then $U_{\min} = (n)1 + (n-1)2 + \dots + 1(n) = n(n+1)(n+2)/6$, and $U_{\max} = n^2 + (n-1)^2 + \dots + 1^2 = n(n+1)(2n+1)/6$. Let $k = U_{\max} - U_{\min} + 1 = n(n+1)(n-1)/6 + 1 = n(n^2-1)/6 + 1$, and $\bar{U}_n$ be the expected value as $L = n$. We have
$\bar{U}_n = (t_1 U_{\min} + t_2 (U_{\min}+1) + \dots + t_{k-1}(U_{\max}-1) + t_k U_{\max})/n!$,
where $t_1 = t_k = 1$, the integers $t_2, \dots, t_{k-1} \ge 0$, and $t_1 + t_2 + \dots + t_k = n!$. Since it is infeasible to compute $t_2, \dots, t_{k-1}$, let $\bar{U}_n \approx (U_{\min} + U_{\max})/2 = n(n+1)^2/4$.

For instance, let $n = 3$ and $L = 3$. Then $L_1 = 3$, $L_2 = 2$, $L_3 = 1$, and $\ell(i) \in \{1, 2, 3\}$. The enumeration of $(L_1, L_2, L_3) \times (\ell(1), \ell(2), \ell(3)) = L_1\ell(1) + L_2\ell(2) + L_3\ell(3)$ is as follows: $U_{\min} = (3,2,1) \times (1,2,3) = 10$, $(3,2,1) \times (1,3,2) = 11$, $(3,2,1) \times (2,1,3) = 11$, $(3,2,1) \times (2,3,1) = 13$, $(3,2,1) \times (3,1,2) = 13$, and $U_{\max} = (3,2,1) \times (3,2,1) = 14$. Therefore, $\bar{U}_3 \approx (U_{\min} + U_{\max})/2 = (10+14)/2 = 12$, while $\bar{U}_3 = (10 + 2 \times 11 + 2 \times 13 + 14)/(3 \times 2 \times 1) = 12$. Both values are equal. Likewise, when $n = 4$ and $L = 4$, $\bar{U}_4 \approx (U_{\min} + U_{\max})/2 = (20+30)/2 = 25$, while $\bar{U}_4 = (20 + 3\times21 + 22 + 4\times23 + 2\times24 + 2\times25 + 2\times26 + 4\times27 + 28 + 3\times29 + 30)/(4\times3\times2\times1) = 25$. Both values are also equal.

Secondly, let $L = n-1$. Then $U_{\min} = (n-1)1 + (n-2)2 + \dots + 1(n-1) = n(n-1)(n+1)/6$. For computational convenience, let $U_{\max} \approx (n-1)^2 + (n-2)^2 + \dots + 1^2 = n(n-1)(2n-1)/6$. Therefore, $\bar{U}_{n-1} \approx (U_{\min} + U_{\max})/2 = (n-1)n^2/4$. Similarly, we may obtain $\bar{U}_{n-2} \approx (n-2)(n-1)^2/4$, …, and $\bar{U}_1 \approx 1(1+1)^2/4$.
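The multiplicities $t_1, \dots, t_k$ are easy to enumerate for small $n$, which makes the estimate $\bar{U}_n \approx n(n+1)^2/4$ checkable. The Python below is an added example, not the paper's code: it enumerates all $n!$ arrangements of $\ell$ with $L = (n, n-1, \dots, 1)$, recovers the histogram the paper lists for $n = 3$ and $n = 4$, compares the exact $\bar{U}_n$ with the closed form, and averages the per-$L$ estimates $k(k+1)^2/4$ over $k = 1, \dots, n$, which simplifies to $(n+1)(3n^2+11n+10)/48$. Since each $\ell(i)$ is uniformly distributed over $\{1, \dots, n\}$, linearity of expectation gives $\bar{U}_n = (\sum_i L_i)(n+1)/2 = n(n+1)^2/4$ exactly, which is why the exact and approximate values coincide. Function names are the example's own.

```python
# Added example (not the paper's code): the expected number of outer-loop iterations
# of section VI.B, computed exactly by enumerating all n! arrangements of ell for
# small n, and compared with the paper's closed forms.
from collections import Counter
from fractions import Fraction
from itertools import permutations


def u_min(n):
    """U_min = n*1 + (n-1)*2 + ... + 1*n = n(n+1)(n+2)/6 (L = n, ell ascending)."""
    return n * (n + 1) * (n + 2) // 6


def u_max(n):
    """U_max = n^2 + (n-1)^2 + ... + 1^2 = n(n+1)(2n+1)/6 (L = n, ell descending)."""
    return n * (n + 1) * (2 * n + 1) // 6


def value_histogram(n):
    """Multiplicities t_1, ..., t_k of each attainable value of sum_i L_i * ell(i)
    with L = (n, n-1, ..., 1) over all permutations ell of {1..n}
    (ell(i) in [5, n+4] is shifted to [1, n] as in the paper)."""
    L = range(n, 0, -1)
    return Counter(sum(l * e for l, e in zip(L, ell))
                   for ell in permutations(range(1, n + 1)))


def expected_exact(n):
    """Exact U_n = (t_1 U_min + ... + t_k U_max) / n! as a Fraction."""
    hist = value_histogram(n)
    return Fraction(sum(v * t for v, t in hist.items()), sum(hist.values()))


def expected_closed(n):
    """The paper's estimate (U_min + U_max)/2 = n(n+1)^2/4 for L = n."""
    return Fraction(n * (n + 1) ** 2, 4)


def expected_uniform_L(n):
    """Average of the per-L estimates k(k+1)^2/4 over k = 1..n
    (L uniformly distributed over [1, n]); equals (n+1)(3n^2+11n+10)/48."""
    return sum(expected_closed(k) for k in range(1, n + 1)) / n


def expected_reasonable(n):
    """Refinement for a key with about n/2 one-bits (n even):
    the mean of the uniform-L average and U_{n/2}."""
    return (expected_uniform_L(n) + expected_closed(n // 2)) / 2


if __name__ == "__main__":
    for n in (3, 4):
        print(n, dict(sorted(value_histogram(n).items())),
              expected_exact(n), expected_closed(n))
    print(expected_uniform_L(120), expected_reasonable(120))
```

For $n = 4$ the histogram comes out as $\{20{:}1, 21{:}3, 22{:}1, 23{:}4, 24{:}2, 25{:}2, 26{:}2, 27{:}4, 28{:}1, 29{:}3, 30{:}1\}$, the multiplicities quoted in the text; the enumeration is only practical up to $n$ of about 8, which is why the closed forms matter for $n \ge 120$.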
If the symmetric key $b_1 \dots b_n \ne 0$ and $L \in [1, n]$ is uniformly distributed, the expected number of outer loop iterations is $\bar{U} \approx (\bar{U}_n + \bar{U}_{n-1} + \dots + \bar{U}_1)/n = (n+1)(3n^2 + 11n + 10)/48$. However, for a reasonable symmetric key, $L$ is around $n/2$. Therefore, the further reasonable expected value should be
$\bar{U} \approx ((n+1)(3n^2+11n+10)/48 + \bar{U}_{n/2})/2 = ((n+1)(3n^2+11n+10)/48 + n(n+2)^2/32)/2 \approx (n+1)(n^2+3n+2)/22$.
When $96 \le n \le 176$, there is $\bar{U} \approx 6(n^2+3n+2) \approx 6(n^2+3n)$.

At step 5, the inequality $E \le E_i + L\dot{E}_i$ is a very strong constraint, which causes the expected number of inner loop iterations to be at most $n/2$. Similar to section VI.A, the bit operations of the multiplication in the expression $E - LA_i$ may be neglected, and $E - LA_i$ may be regarded as ordinary subtraction arithmetic. In this way, the abo of the inner loop is $\mathrm{Inlp} = O(\tfrac{1}{2} n \log M)$.

By the algorithm, only if $\bar{E}$ is even and $\bar{E} \le E_n$ is the inner loop executed. Obviously, the probability of $\bar{E}$ being an even number is $1/2$. Additionally, in practice, there are $A_{i+1}/A_i \le 3$ and $M/\sum_{i=1}^{n} (n+1-i) A_i \ge 3$, which means that the probability of $\bar{E} \le E_n$ is at most $1/3$. Further, the probability that the two conditions are satisfied simultaneously by $\bar{E}$ is at most $1/6$.

Therefore, the abo of the decryption algorithm is
$O(\mathrm{Mult} + \bar{U}\,\mathrm{Addi} + (1/6)\bar{U}\,\mathrm{Inlp}) = O(2\log^2 M + 6(n^2+3n)(2\log M) + (n^2+3n)(\tfrac{1}{2} n \log M)) \approx O(0.5n^3 \log M + 13.5n^2 \log M + 36n \log M + 2\log^2 M)$.
Clearly, it is a cubic function of $n$. Further, in the REESSE2+ system, due to $1.585n \le \log M \le 2n$, the abo of decryption is at least $O(0.79n^4 + 21.39n^3 + 62n^2)$, and at most $O(n^4 + 27n^3 + 80n^2)$.

C. Comparison of REESSE2+ with ECC and NTRU

For the REESSE2+ scheme, assume that $\log M = 1.6n$ in this section. Then, the maximal possible $A_1$ is $3^m$, where $m$ satisfies $1.585(n+m) \approx 1.6n$.
When $n = 120$, $m \approx 1$, and when $n = 176$, $m \approx 1.6$. Further, it is well understood that the length of a private key (lPvtk, shortly) is roughly $1.585n(2m + n - 1)/2$ bits, the length of a public key (lPubk, shortly) is $1.6n^2$ bits, and the length of a ciphertext (lCiph, shortly) is $1.6n$ bits. It follows that the abo of decryption is $O(0.8n^4 + 21.6n^3 + 63n^2)$. It is known from section V.C that as $n = 120$ or $n = 176$, the security of REESSE2+ is equivalent to $2^{80}$ or $2^{112}$ steps, namely $2^{36}$ or $2^{68}$ mips years respectively.

Assume that $P \ne 2, 3$ is a prime, and $y^2 = x^3 + ax + b$, with $a, b$ in the prime field of order $P$, is an elliptic curve. Then, according to [15] and [30], for the elliptic curve cryptosystem, the abo of encryption is roughly $O(40\log^3 P + 50\log^2 P + 10\log P)$, and the abo of decryption is roughly $O(20\log^3 P + 40\log^2 P + 20\log P)$, where some subordinate operations are ignored. It is known from [30] that as $\log P = 160$ or $\log P = 224$, the security of ECC is equivalent to $2^{80}$ or $2^{112}$ steps, namely $2^{36}$ or $2^{68}$ mips years respectively.

TABLE I
COMPARISON OF REESSE2+ WITH ECC AND NTRU IN LENGTH

scheme/parameter | security (mips years) | modulus (bits) | lPvtk (bits) | lPubk (bits)
REESSE2+/120     | 2^36                  | 192            | 11508        | 23040
ECC/160          | 2^36                  | 160            | 160          | 640
NTRU/251         | 2^36                  | 8              | 1004         | 2008
REESSE2+/176     | 2^68                  | 282            | 24856        | 49562
ECC/224          | 2^68                  | 224            | 224          | 896
NTRU/347         | 2^68                  | 9              | 1388         | 3123

In light of [31], the security of NTRU with $N = 251$, $q = 197$ and $d = 48$ is equivalent to that of ECC with $\log P = 160$, and NTRU with $N = 347$, $q = 269$ and $d = 66$ is equivalent to ECC with $\log P = 224$. In these two cases, the length of a plaintext block encrypted by NTRU is 80 bits and 112 bits respectively. According to [32], the effort of NTRU encryption is $4N^2$ additions and $N$ divisions by $q$. Generally speaking, an addition produces a binary carry. Additionally, the effort of decryption is roughly double that of encryption.
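The length and bit-operation figures of Tables I and II can be regenerated from the formulas this section states. The Python block below is an added example, not the paper's code: it evaluates the REESSE2+ key and ciphertext lengths with $\log M = 1.6n$, the REESSE2+ encryption bound $O(2n\log M)$ of section VI.A, the decryption polynomial $0.8n^4 + 21.6n^3 + 63n^2$, the ECC polynomials above, and the NTRU operation count ($4N^2$ additions and $N$ divisions by $q$, each taken on $(N + \log q)$-bit operands, decryption double). The parameter pairs are the ones in the tables; function names and the rounding-up of fractional bit lengths are the example's own.

```python
# Added example (not the paper's code): the bit-operation (abo) cost model of
# section VI.C evaluated for the parameter sets of Tables I and II.
from fractions import Fraction
from math import ceil

LOG_M_RATIO = Fraction(8, 5)   # log M = 1.6 n, the assumption of section VI.C


def reesse2_lengths(n, m):
    """lPvtk, lPubk, lCiph in bits for REESSE2+ with the given n and m (rounded up)."""
    log_m = LOG_M_RATIO * n
    lpvtk = Fraction(1585, 1000) * n * (2 * Fraction(str(m)) + n - 1) / 2
    return {"lPvtk": ceil(lpvtk),
            "lPubk": ceil(LOG_M_RATIO * n * n),
            "lCiph": ceil(log_m)}


def reesse2_encrypt_abo(n):
    """O(2 n log M) from section VI.A, with log M = 1.6 n."""
    return 2 * n * LOG_M_RATIO * n


def reesse2_decrypt_abo(n):
    """O(0.8 n^4 + 21.6 n^3 + 63 n^2) from section VI.C."""
    return Fraction(4, 5) * n**4 + Fraction(108, 5) * n**3 + 63 * n**2


def ecc_encrypt_abo(log_p):
    return 40 * log_p**3 + 50 * log_p**2 + 10 * log_p


def ecc_decrypt_abo(log_p):
    return 20 * log_p**3 + 40 * log_p**2 + 20 * log_p


def ntru_encrypt_abo(N, q):
    """4N^2 additions and N divisions by q, each on (N + log q)-bit operands."""
    lq = q.bit_length()                     # 197 -> 8 bits, 269 -> 9 bits
    return 4 * N * N * (N + lq) + N * lq * (N + lq)


def ntru_decrypt_abo(N, q):
    """Decryption is roughly double the encryption effort."""
    return 2 * ntru_encrypt_abo(N, q)


def comparison_rows():
    """(scheme, abo of encrypt., abo of decrypt.) for the six parameter sets of Table II."""
    rows = []
    for n in (120, 176):
        rows.append(("REESSE2+/%d" % n,
                     round(reesse2_encrypt_abo(n)), round(reesse2_decrypt_abo(n))))
    for log_p in (160, 224):
        rows.append(("ECC/%d" % log_p, ecc_encrypt_abo(log_p), ecc_decrypt_abo(log_p)))
    for N, q in ((251, 197), (347, 269)):
        rows.append(("NTRU/%d" % N, ntru_encrypt_abo(N, q), ntru_decrypt_abo(N, q)))
    return rows


if __name__ == "__main__":
    print(reesse2_lengths(120, 1), reesse2_lengths(176, 1.6))
    for name, enc, dec in comparison_rows():
        print("%-14s %15d %15d" % (name, enc, dec))
```

The ECC and NTRU rows and the REESSE2+ decryption entries reproduce Table II exactly, and the lengths reproduce the REESSE2+ rows of Table I. With $\log M = 1.6n$ the encryption bound gives $46{,}080$ for $n = 120$, whereas Table II lists $51{,}840$; that entry (and $111{,}514$ for $n = 176$) equals $2n \cdot 1.8n$, so the table's encryption column corresponds to a modulus of $1.8n$ bits rather than $1.6n$.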
Hence, we see that the abo of NTRU encryption is roughly $O(4N^2(N + \log q) + N\log q\,(N + \log q))$, and the abo of NTRU decryption is roughly $O(8N^2(N + \log q) + 2N\log q\,(N + \log q))$.

When the securities of REESSE2+, ECC and NTRU match reciprocally, their lengths and performances can be compared. Please see Table I and Table II.

TABLE II
COMPARISON OF REESSE2+ WITH ECC AND NTRU IN ABO

scheme/parameter | security (mips years) | lCiph (bits) | abo of encrypt. | abo of decrypt.
REESSE2+/120     | 2^36                  | 192          | 51,840          | 204,120,000
ECC/160          | 2^36                  | 640          | 165,121,600     | 82,947,200
NTRU/251         | 2^36                  | 2008         | 65,789,108      | 131,578,216
REESSE2+/176     | 2^68                  | 282          | 111,514         | 887,319,910
ECC/224          | 2^68                  | 896          | 452,088,000     | 226,800,000
NTRU/347         | 2^68                  | 3123         | 172,574,204     | 345,148,408

Some facts can be observed from Table I and Table II. The size of a private key or a public key in REESSE2+ is the longest, but it is still tolerable. The length of a ciphertext in REESSE2+ is the shortest, ECC second, and NTRU the longest. The encryption speed of REESSE2+ is the fastest, NTRU second, and ECC the slowest. The decryption effort of REESSE2+ is roughly equivalent to that of NTRU and ECC, since the ratios among the three are all not large from the angle of bit operations. Furthermore, to satisfy extraordinary requirements under some circumstances, the bit length of a private key or a public key can be shortened through a compression algorithm.

VII. CONCLUSION

Resorting to the key transform $C_i \equiv (A_i + Z\,\ell(i))\,W\ (\%\ M)$, REESSE2+ avoids the Shamir extremum attack. Resorting to an anomalous subset sum that is an extension of the connotation of the lever function, REESSE2+ avoids the $L^3$ basis reduction attack. Moreover, placing the multiple coefficient $L_i$ before every element in a set makes the subset sum have a direction, which can resist parallel arithmetic.

The mathematical implications of an anomalous super-increasing sequence and an anomalous subset sum are not unique. For instance, we may define an anomalous super-increasing sequence with $A_i > \sum_{j=1}^{i-1} (i-j)^2 A_j$, and correspondingly an anomalous subset sum with $\bar{E} \equiv \sum_{i=1}^{n} C_i b_i L_i^2\ (\%\ M)$, where $L_i = \sum_{j=i}^{n} b_j$. In this case, the density of a public-key sequence will increase while the speed of the decryption algorithm will decrease.

The REESSE2+ public-key scheme is another application of the lever function and its connotation, holds a comparatively small modulus, and provides embedded computation platforms or mobile computation platforms with fast encryption and decryption implementations. Similar to the REESSE1+ cryptosystem, designing a signature scheme on the basis of the REESSE2+ encryption scheme should be feasible.

ACKNOWLEDGMENT

The authors would like to thank the Academicians Jiren Cai, Zhongyi Zhou, Jianhua Zheng, Changxiang Shen, Zhengyao Wei, Andrew C. Yao, Binxing Fang, Guangnan Ni, and Xicheng Lu for their important guidance, advice, and suggestions. The authors also would like to thank the Professors Dingyi Pei, Jie Wang, Ronald L. Rivest, Moti Yung, Dingzhu Du, Mulan Liu, Huanguo Zhang, Dengguo Feng, Yixian Yang, Maozhi Xu, Qibin Zhai, Hanliang Xu, Xuejia Lai, Yongfei Han, Yupu Hu, Rongquan Feng, Ping Luo, Dongdai Lin, Jianfeng Ma, Lusheng Chen, Wenbao Han, Lequan Min, Bogang Lin, Hong Zhu, Renji Tao, Zhiying Wang, Quanyuan Wu, and Zhichang Qi for their important counsel, suggestions, and corrections.

REFERENCES

[1] R. C. Merkle and M. E. Hellman, "Hiding Information and Signatures in Trapdoor Knapsacks," IEEE Transactions on Information Theory, vol. 24, no. 5, pp. 525–530, Sep. 1978.
[2] W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976.
[3] R. L. Rivest, A. Shamir and L. M. Adleman, "On Digital Signatures and Public Key Cryptosystems," Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, Jan. 1979.
[4] A. Shamir, "A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," in Proc. 23rd IEEE Symposium on the Foundations of Computer Science, 1982, pp. 145–152.
[5] Oded Goldreich, Foundations of Cryptography: Basic Tools, UK: Cambridge University Press, 2001, ch. 1–2.
[6] E. F. Brickell, "Solving Low Density Knapsacks," in Proc. Advances in Cryptology: CRYPTO '83, Plenum Press, 1984, pp. 25–37.
[7] J. C. Lagarias and A. M. Odlyzko, "Solving Low Density Subset Sum Problems," J. Assoc. Comp. Mach., vol. 32, no. 1, pp. 229–246, Jan. 1985.
[8] M. J. Coster, A. Joux, B. A. LaMacchia et al., "Improved Low-Density Subset Sum Algorithms," Computational Complexity, vol. 2, issue 2, pp. 111–128, Dec. 1992.
[9] A. K. Lenstra, H. W. Lenstra and L. Lovász, "Factoring Polynomials with Rational Coefficients," Mathematische Annalen, vol. 261, pp. 515–534, 1982.
[10] C. P. Schnorr and H. H. Hörner, "Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction," in Proc. Advances in Cryptology: EUROCRYPT '95, Springer-Verlag, 1995, pp. 1–12.
[11] B. Chor and R. L. Rivest, "A Knapsack-type Public Key Cryptosystem Based on Arithmetic in Finite Fields," in Proc. Advances in Cryptology: CRYPTO '84, Springer-Verlag, 1985, pp. 54–65.
[12] H. Ritter, "Breaking Knapsack Cryptosystems by Max-Norm Enumeration," in Proc. 1st International Conference of the Theory and Application of Cryptology - Pragocrypt '96, 1996, pp. 480–492.
[13] G. Orton, "A Multiple-Iterated Trapdoor for Dense Compact Knapsacks," in Proc. Advances in Cryptology: EUROCRYPT '94, Springer-Verlag, 1994, pp. 112–130.
[14] T. ElGamal, "A Public-key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, Jul. 1985.
[15] Shenghui Su and Shuwang Lü. (2006, Dec.). The Design, Analysis and Optimization of the REESSE1+ Public-key Cryptosystem. [Online]. Available: http://www.arxiv.org/pdf/cs/0702046.
[16] Song Y. Yan, Number Theory for Computing, 2nd ed., New York: Springer-Verlag, 2002, ch. 1.
[17] M. Bellare and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols," in Proc. 1st ACM Conference on Computer and Communications Security, New York: ACM Press, 1993, pp. 62–73.
[18] Ran Canetti, Oded Goldreich and Shai Halevi, "The Random Oracle Methodology Revisited," in Proc. 30th Annual ACM Symposium on Theory of Computing, New York: ACM Press, 1998, pp. 209–218.
[19] Ding Z. Du and Ker-I Ko, Theory of Computational Complexity, John Wiley & Sons, 2000, ch. 3, 11.
[20] P. van Emde Boas, "Another NP-Complete Partition Problem and the Complexity of Computing Short Vectors in a Lattice," TR 81-04, Dept. of Mathematics, Univ. of Amsterdam, 1981.
[21] M. Ajtai, "The Shortest Vector Problem in $l_2$ is NP-hard for Randomized Reductions," in Proc. 30th STOC, 1998, pp. 10–19.
[22] A. J. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, London, UK: CRC Press, 1997, ch. 2, 3.
[23] C. P. Schnorr, "A More Efficient Algorithm for Lattice Reduction," Journal of Algorithms, vol. 9, issue 1, pp. 47–62, March 1988.
[24] C. P. Schnorr and M. Euchner, "Lattice Basis Reduction and Solving Subset Sum Problems," Fundamentals of Computation Theory, New York: Springer-Verlag, 1991, pp. 68–85.
[25] Phong Q. Nguyen and Damien Stehlé, "Floating-Point $L^3$ Revisited," in Proc. Advances in Cryptology: EUROCRYPT '05, Springer-Verlag, 2005, pp. 215–233.
[26] C. P. Schnorr, "Fast LLL-Type Lattice Reduction," Information and Computation, vol. 204, no. 1, pp. 1–25, 2006.
[27] Daniel Bleichenbacher, "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1," in Proc. Advances in Cryptology: CRYPTO '98, Springer-Verlag, 1998, pp. 1–12.
[28] Ronald Cramer and Victor Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack," in Proc. Advances in Cryptology: CRYPTO '98, Springer-Verlag, 1998, pp. 13–25.
[29] Victor Shoup, "OAEP Reconsidered," in Proc. Advances in Cryptology: CRYPTO '01, Springer-Verlag, 2001, pp. 239–259.
[30] William Stallings, Cryptography and Network Security: Principles and Practice, 2nd ed., New Jersey: Prentice-Hall, 1999, pp. 193–199.
[31] N. Howgrave-Graham, J. H. Silverman, A. Singer and W. Whyte, "Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3," in Proc. CT-RSA '05, Springer-Verlag, 2005, pp. 118–135.
[32] J. Hoffstein, J. Pipher and J. H. Silverman, "NTRU: A Ring-based Public Key Cryptosystem," in Proc. Algorithmic Number Theory Symposium - ANTS III, Springer-Verlag, 1998, pp. 267–288.
