Applying quick exponentiation for block upper triangular matrices


Applied Mathematics and Computation 183 (2006) 729–737

www.elsevier.com/locate/amc


Rafael Álvarez *, Francisco Ferrández, José-Francisco Vicent, Antonio Zamora

Departamento de Ciencia de la Computación e Inteligencia Artificial, Universidad de Alicante, Campus de San Vicente, Ap. Correos 99, E-03080 Alicante, Spain

Abstract

The best method for exponentiation is highly dependent on the algebraic set employed. Block upper triangular matrices defined in $\mathbb{Z}_p$ have very interesting properties for multiple applications, in which exponentiation is very important in order to achieve adequate performance. We analyze the usage of quick exponentiation methods with these matrices and, as a practical application, we propose a new public-key cryptosystem and digital signature scheme based on a generalization of the well known discrete logarithm problem to block upper triangular matrices.

© 2006 Elsevier Inc. All rights reserved.

Keywords: Block matrix; Quick exponentiation; Triangular matrix; Group algebra; Discrete logarithm problem; Primitive polynomial; Companion matrix; Matrix order

1. Introduction

Exponentiation is a fundamental operation in computational number theory (see [5,7]), for example in primality tests based on Fermat's Little Theorem (see [14]), and generally the optimal exponentiation method depends on the algebraic structure employed.

Block upper triangular matrices defined over $\mathbb{Z}_p$ can generate sets of a large and known order if parameters are chosen adequately. These matrices can be used in many applications, although some require the usage of large powers of matrices. To circumvent this problem, we study the usage of a quick exponentiation method to improve performance with such matrix sets.

One of the most important applications of this type of matrix sets is the field of cryptography (see [9]), since they can be employed to implement several types of primitives. In this paper we analyze an application of block upper triangular matrices corresponding to a public-key cryptosystem and a digital signature scheme.

Public-key cryptosystems allow exchanging keys securely through an insecure channel, such as the Internet. For that reason, they are essential in numerous areas like electronic commerce, private communications, etc.

0096-3003/$ - see front matter © 2006 Elsevier Inc. All rights reserved.

doi:10.1016/j.amc.2006.05.078

* Corresponding author. E-mail addresses: [email protected] (R. Álvarez), [email protected] (F. Ferrández), [email protected] (J.-F. Vicent), [email protected] (A. Zamora).


Digital signatures are also very useful, permitting the identification of the origin of a document in a similar way to traditional signatures, being used in many networking protocols.

The paper is organized as follows: in Section 2 we present some properties concerning block upper triangular matrices; the quick exponentiation method is discussed in Section 3; in Section 4 we describe the design of a public-key cryptosystem based on block upper triangular matrices as an application example; and, finally, some conclusions are given in Section 5.

2. Preliminaries

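In this section we present some basic linear algebra properties and notions on block upper triangular matrices that are necessary for the purpose of the paper.

Given a prime number $p$ and $r, s \in \mathbb{N}$, we denote by $\mathrm{Mat}_{r \times s}(\mathbb{Z}_p)$ the matrices of size $r \times s$ with elements in $\mathbb{Z}_p$, and by $GL_r(\mathbb{Z}_p)$ and $GL_s(\mathbb{Z}_p)$ the invertible matrices of size $r \times r$ and $s \times s$, respectively.

We define

$$H = \left\{ \begin{bmatrix} A & X \\ O & B \end{bmatrix},\ A \in GL_r(\mathbb{Z}_p),\ B \in GL_s(\mathbb{Z}_p),\ X \in \mathrm{Mat}_{r \times s}(\mathbb{Z}_p) \right\}.$$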

Theorem 1. The set H has a structure of non-abelian group for the product of matrices.

Proof 1. Given the definition of H, it is obvious that the product operation is closed.

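The identity element is $I = \begin{bmatrix} I_r & O \\ O & I_s \end{bmatrix}$, where $I_r$ and $I_s$ are respectively the identity matrices of size $r \times r$ and $s \times s$.

The inverse of any element $M = \begin{bmatrix} A & X \\ O & B \end{bmatrix}$ is

$$M^{-1} = \begin{bmatrix} A^{-1} & -A^{-1} X B^{-1} \\ O & B^{-1} \end{bmatrix},$$

and the associative property is obvious since they are square matrices. □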

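Theorem 2. Let $M = \begin{bmatrix} A & X \\ O & B \end{bmatrix}$ be an element of the set $H$; we consider the subgroup generated by the different powers of $M$.

Taking $h$ as a non-negative integer, then

$$M^h = \begin{bmatrix} A^h & X^{(h)} \\ O & B^h \end{bmatrix}, \tag{1}$$

where

$$X^{(h)} = \begin{cases} O & \text{if } h = 0, \\ \sum_{i=1}^{h} A^{h-i} X B^{i-1} & \text{if } h \geq 1. \end{cases} \tag{2}$$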

Also, if $0 \leq t \leq h$ then

$$X^{(h)} = A^{t} X^{(h-t)} + X^{(t)} B^{h-t}, \tag{3}$$

$$X^{(h)} = A^{h-t} X^{(t)} + X^{(h-t)} B^{t}. \tag{4}$$

Proof 2. Eq. (1) is proven using induction on $h$.

For $h = 0$ and $h = 1$ the result is obvious. It is supposed to be true for $h - 1$ and will be demonstrated true for $h$.


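We have

$$M^h = M M^{h-1} = \begin{bmatrix} A & X \\ O & B \end{bmatrix} \begin{bmatrix} A^{h-1} & X^{(h-1)} \\ O & B^{h-1} \end{bmatrix} = \begin{bmatrix} A^h & A X^{(h-1)} + X B^{h-1} \\ O & B^h \end{bmatrix}.$$

From the induction hypothesis, applying (2), we have that

$$X^{(h)} = A X^{(h-1)} + X B^{h-1} = A \sum_{i=1}^{h-1} A^{h-1-i} X B^{i-1} + X B^{h-1} = \sum_{i=1}^{h-1} A^{h-i} X B^{i-1} + X B^{h-1} = \sum_{i=1}^{h} A^{h-i} X B^{i-1},$$

obtaining the same expression as in (2).

Also, if $0 \leq t \leq h$, we have

$$M^h = M^t M^{h-t} = \begin{bmatrix} A^t & X^{(t)} \\ O & B^t \end{bmatrix} \begin{bmatrix} A^{h-t} & X^{(h-t)} \\ O & B^{h-t} \end{bmatrix} = \begin{bmatrix} A^h & A^t X^{(h-t)} + X^{(t)} B^{h-t} \\ O & B^h \end{bmatrix}.$$

Comparing this result to (1) we obtain (3). Expression (4) is proven in the same way. □

As a consequence, in the case $t = 1$ we have

$$X^{(h)} = A X^{(h-1)} + X B^{h-1},$$

or

$$X^{(h)} = A^{h-1} X + X^{(h-1)} B.$$

And, taking $a$ and $b$ integers such that $a + b \geq 0$, we have

$$X^{(a+b)} = A^{a} X^{(b)} + X^{(a)} B^{b}. \tag{5}$$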

Given $M \in H$, it is known (see [8]) that $o(M) = \operatorname{lcm}(o(A), o(B))$. On the other hand, the way to obtain a maximum $o(M)$ is shown in [6,13].

Let

$$f(x) = a_0 + a_1 x + \cdots + a_{r-1} x^{r-1} + x^r,$$

$$g(x) = b_0 + b_1 x + \cdots + b_{s-1} x^{s-1} + x^s$$

be two primitive polynomials in $\mathbb{Z}_p[x]$, $\bar{A}$, $\bar{B}$ the corresponding associated or companion matrices, and $P$ and $Q$ two invertible matrices; then we have the following construction:

$$A = P \bar{A} P^{-1}, \qquad B = Q \bar{B} Q^{-1}.$$

With this, the order of $M = \begin{bmatrix} A & X \\ O & B \end{bmatrix}$ is

$$o(M) = \operatorname{lcm}(p^r - 1,\ p^s - 1);$$

this number can be maximized taking $r$ and $s$ conveniently (see [10]).

In Table 1, where the value that appears in the column $o(M)$ represents the number of decimal digits (the integer $2^{128}$ has 39 digits), it can be observed that the values of $r$ and $s$ do not need to be very big to optimize the order.

It is easy to reduce a general discrete logarithm problem (DLP, see [2,11,15]) in a cyclic group (with order $o(M)$) whose factorization is known. It is very important, when choosing the group, that the order is prime or at least has very big prime factors. So if $o(M)$ is a prime number, it will require on the order of $\sqrt{o(M)}$ operations to compute the discrete logarithm in group $H$ (see [18]).

Theorem 3. Let $M = \begin{bmatrix} A & X \\ O & B \end{bmatrix} \in H$, with order $m$; we have that

$$(X^{(k_1)})^{(k_2)} = (X^{(k_2)})^{(k_1)},$$

where $k_1$ and $k_2$ are non-negative integers.

Table 1. Order of M, for different values of p, r and s

p r s o(M) p r s o(M)

3 32 31 30 19 16 19 3948 47 39 32 31 5764 63 47 64 63 98

5 32 31 38 31 16 15 4030 33 39 32 31 6464 63 61 64 63 111

7 24 27 39 251 12 13 4632 31 43 32 31 7664 63 70 64 63 168

11 22 21 39 257 9 10 4032 31 50 32 31 9364 63 67 64 63 169


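Proof 3. Denoting $Y = X^{(k_1)}$ and $Z = X^{(k_2)}$, according to Theorem 2, we have

$$Y = X^{(k_1)} = \sum_{j=1}^{k_1} A^{k_1-j} X B^{j-1},$$

and

$$Z = X^{(k_2)} = \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-1}.$$

Therefore, we can write

$$\begin{aligned}
Z^{(k_1)} &= \sum_{j=1}^{k_1} A^{k_1-j} Z B^{j-1} = A^{k_1-1} Z + A^{k_1-2} Z B + \cdots + A Z B^{k_1-2} + Z B^{k_1-1} \\
&= A^{k_1-1} \left( \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-1} \right) + A^{k_1-2} \left( \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-1} \right) B + \cdots + A \left( \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-1} \right) B^{k_1-2} + \left( \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-1} \right) B^{k_1-1} \\
&= \sum_{j=1}^{k_2} A^{k_1+k_2-1-j} X B^{j-1} + \sum_{j=1}^{k_2} A^{k_1+k_2-2-j} X B^{j} + \cdots + \sum_{j=1}^{k_2} A^{k_2-j+1} X B^{j+k_1-3} + \sum_{j=1}^{k_2} A^{k_2-j} X B^{j-2+k_1} \\
&= (A^{k_1+k_2-2} X + A^{k_1+k_2-3} X B + \cdots + A^{k_1} X B^{k_2-2} + A^{k_1-1} X B^{k_2-1}) \\
&\quad + (A^{k_1+k_2-3} X B + A^{k_1+k_2-4} X B^2 + \cdots + A^{k_1-1} X B^{k_2-1} + A^{k_1-2} X B^{k_2}) \\
&\quad + \cdots + (A^{k_2} X B^{k_1-2} + A^{k_2-1} X B^{k_1-1} + \cdots + A X B^{k_1+k_2-3}) + (A^{k_2-1} X B^{k_1-1} + A^{k_2-2} X B^{k_1} + \cdots + X B^{k_1+k_2-2}) \\
&= A^{k_1+k_2-2} X + 2 A^{k_1+k_2-3} X B + 3 A^{k_1+k_2-4} X B^2 + \cdots + 3 A^2 X B^{k_1+k_2-4} + 2 A X B^{k_1+k_2-3} + X B^{k_1+k_2-2}.
\end{aligned}$$

As the series are equal when interchanging $k_1$ and $k_2$, we can suppose without loss of generality that $k_1 \leq k_2$. With the distribution of the coefficients that appear as a result of this expression, we can simplify the previous expression, obtaining

$$Z^{(k_1)} = (X^{(k_2)})^{(k_1)} = \sum_{j=1}^{k_1-1} (j) A^{k_1+k_2-1-j} X B^{j-1} + k_1 A^{k_1-1} X^{(k_1+1)} B^{k_1-1} + \sum_{j=1}^{k_1-1} (j) A^{j-1} X B^{k_1+k_2-1-j},$$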


and therefore

$$Z^{(k_1)} = (X^{(k_2)})^{(k_1)} = \sum_{j=1}^{k_1-1} (j) \left( A^{k_1+k_2-1-j} X B^{j-1} + A^{j-1} X B^{k_1+k_2-1-j} \right) + k_1 A^{k_1-1} X^{(k_1+1)} B^{k_1-1}.$$

When developing $Y^{(k_2)} = (X^{(k_1)})^{(k_2)}$ we will arrive at the same expression, regardless of whether $k_1 \leq k_2$ or $k_1 > k_2$, since both terms exchange with respect to the sum; for that reason

$$Y^{(k_2)} = Z^{(k_1)}.$$

With this, the theorem is demonstrated. □

3. Quick exponentiation

In certain applications based on block upper triangular matrices, the usage of big powers of matrices is required (see [1]); so the implementation of an efficient and trustworthy quick exponentiation algorithm (see [4,17]) becomes necessary for the accomplishment of this task.

Given $n \in \mathbb{N}$, there exists an ordered set of indices

$$I = \{i_1, i_2, i_3, i_4, \ldots, i_q\},$$

so that $n = 2^{i_1} + 2^{i_2} + 2^{i_3} + \cdots + 2^{i_q}$.

In order to compute the powers of $A$ (or $B$), taking $A_e = A^{2^e}$, we have

$$A^n = A^{2^{i_1} + 2^{i_2} + \cdots + 2^{i_q}} = A^{2^{i_1}} A^{2^{i_2}} \cdots A^{2^{i_q}} = A_{i_1} A_{i_2} \cdots A_{i_q};$$

we use

$$A_e = \begin{cases} A & \text{if } e = 0, \\ A_{e-1} A_{e-1} & \text{if } e \geq 1. \end{cases}$$

That is to say, computing big powers of matrices $A$ or $B$ is reduced to multiplying matrices quickly. For example

$$A^{1234} = A^{2^{10} + 2^{7} + 2^{6} + 2^{4} + 2^{1}} = A_{10} A_{7} A_{6} A_{4} A_{1}.$$

In the case of block $X$ we have

$$\begin{aligned}
X^{(2^0)} &= X, \\
X^{(2^1)} &= X^{(1+1)} = A X^{(1)} + X^{(1)} B = A X + X B = X_{(1)}, \\
X^{(2^2)} &= X^{(2+2)} = A^2 X^{(2)} + X^{(2)} B^2 = A_1 X_{(1)} + X_{(1)} B_1 = X_{(2)}, \\
&\ \ \vdots \\
X^{(2^e)} &= X^{(2^{e-1} + 2^{e-1})} = A^{2^{e-1}} X^{(2^{e-1})} + X^{(2^{e-1})} B^{2^{e-1}} = A_{e-1} X_{(e-1)} + X_{(e-1)} B_{e-1} = X_{(e)}.
\end{aligned}$$

The general case is expressed in the following theorem.

Theorem 4. Given an integer number $n$, whose binary decomposition is

$$n = \sum_{j=1}^{q} 2^{i_j},$$

and a set of indices $I = \{i_1, i_2, i_3, i_4, \ldots, i_q\}$, we have:

$$X^{(n)} = \sum_{k=1}^{q} A^{n_1^{(k)}} X^{(n_2^{(k)})} B^{n_3^{(k)}}, \tag{6}$$


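where

$$n_1^{(k)} = \sum_{j=1}^{q-k} 2^{i_j} \quad \text{for } k = 1, 2, 3, \ldots, q-1, \quad \text{and } n_1^{(q)} = 0;$$

$$n_2^{(k)} = 2^{i_{q-k+1}} \quad \text{for } k = 1, 2, 3, \ldots, q;$$

$$n_3^{(k)} = \sum_{j=q-k+2}^{q} 2^{i_j} \quad \text{for } k = 2, 3, \ldots, q, \quad \text{and } n_3^{(1)} = 0.$$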

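Proof 4. We are going to prove (6) using induction.

For $q = 1$ we have $I = \{i_1\}$ and

$$\sum_{k=1}^{1} A^{n_1^{(k)}} X^{(n_2^{(k)})} B^{n_3^{(k)}} = A^{n_1^{(1)}} X^{(n_2^{(1)})} B^{n_3^{(1)}} = A^{0} X^{(2^{i_1})} B^{0} = X^{(2^{i_1})} = X^{(n)}.$$

We suppose that (6) is true for the numbers $n$ whose set of indices $I$ has $q - 1$ elements, and it will be demonstrated true for $n \in \mathbb{N}$ whose set has $q$ elements.

$$\begin{aligned}
X^{(n)} &= X^{((2^{i_1} + 2^{i_2} + 2^{i_3} + \cdots + 2^{i_{q-1}}) + 2^{i_q})} = X^{(n' + 2^{i_q})} = A^{n'} X^{(2^{i_q})} + X^{(n')} B^{2^{i_q}} \\
&= A^{2^{i_1} + 2^{i_2} + 2^{i_3} + \cdots + 2^{i_{q-1}}} X^{(2^{i_q})} + X^{(n')} B^{2^{i_q}} \\
&= A^{2^{i_1} + 2^{i_2} + 2^{i_3} + \cdots + 2^{i_{q-1}}} X^{(2^{i_q})} + \left( \sum_{k=1}^{q-1} A^{n_1^{(k)}} X^{(n_2^{(k)})} B^{n_3^{(k)}} \right) B^{2^{i_q}} \\
&= A^{2^{i_1} + 2^{i_2} + 2^{i_3} + \cdots + 2^{i_{q-1}}} X^{(2^{i_q})} + \sum_{k=1}^{q-1} A^{n_1^{(k)}} X^{(n_2^{(k)})} B^{n_3^{(k)} + 2^{i_q}} \\
&= \sum_{k=1}^{q} A^{n_1^{(k)}} X^{(n_2^{(k)})} B^{n_3^{(k)}}.
\end{aligned}$$

With this the theorem is demonstrated. □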

4. Application

Block upper triangular matrices can be used to implement a public-key cryptosystem with interesting properties. We analyze in the following how the quick exponentiation algorithm applied to set $H$ (see Section 2) makes this application feasible in terms of performance.

Public-key cryptosystems (see [16]) are essential for electronic commerce or electronic banking transactions. They assure privacy of transactions, as well as integrity of messages and senders or receivers.

A lot of popular public-key encryption systems are based on number-theoretic problems such as factoring of integers or finding discrete logarithms, and the underlying algebraic structures are, very often, abelian groups.

Let $F_q$ be a finite field of $q$ elements so that $q = p^n$ for some prime $p$ and integer $n$. It is well known that the multiplicative group of non-zero elements of $F_q$, denoted by $F_q^{*}$, is a cyclic group of order $q - 1$. Thus if $a$ is a generator of this multiplicative group, then every non-zero element $b$ in $F_q$ is given by $b = a^x$ for some integer $x$; in fact for each $b$ there is a unique integer in the range $0 \leq x \leq q - 1$ with this property. For a given $x$ and $a$, the power $a^x$ can be quickly computed by the square-and-multiply method. The inverse problem, i.e., the problem of finding, for a given $a$ and $b$, the $x$ in the range $0 \leq x \leq q - 1$ satisfying $b = a^x$, is the discrete logarithm problem (DLP).

The DLP for a set $G$ is finding, for given $a, b \in G$, a non-negative integer $x$ (if it exists) such that $b = a^x$. The smallest such integer $x$ is called the discrete logarithm of $b$ to the base $a$, and is written $x = \log_a b$. Clearly, the discrete logarithm problem for a general group $G$ is exactly the problem of inverting the exponentiation function (see [12] for more information).

This is especially true for the Diffie–Hellman method (DH, see [3]), which was the first practical public-key technique to be published. The security of this method for key exchanges is based on the discrete logarithm problem, and it uses a prime number $p$ and a primitive element $r \in \mathbb{Z}_p$.


Privacy or security of messages is not the only problem area in cryptology. It is also important that user identity can be authenticated. Digital signature is a property of asymmetric cryptography that allows authentication. It consists of two processes: signing a message and verifying a message signature; and it must depend on the message to be signed.

The method presented in this section generalizes the DH approach to a non-abelian group based on the powers of a block upper triangular matrix, which is a very flexible technique.

We consider the subgroup generated by the following element:

$$M = \begin{bmatrix} A & X \\ O & B \end{bmatrix} \in H,$$

taking $A$ and $B$ as described in Section 2 to maximize the order of $M$.

4.1. Key exchange protocol

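Let U and V be two interlocutors who wish to exchange a key, then

(1) U and V agree on $p$ and $M$.

(2) U generates a random private key $k_1 \in \mathbb{N}$, with $1 \leq k_1 \leq o(M)$, and computes

$$M^{k_1} = \begin{bmatrix} A^{k_1} & X^{(k_1)} \\ O & B^{k_1} \end{bmatrix} = \begin{bmatrix} A^{k_1} & Y \\ O & B^{k_1} \end{bmatrix}.$$

(3) V generates a random private key $k_2 \in \mathbb{N}$, with $1 \leq k_2 \leq o(M)$, and computes

$$M^{k_2} = \begin{bmatrix} A^{k_2} & X^{(k_2)} \\ O & B^{k_2} \end{bmatrix} = \begin{bmatrix} A^{k_2} & Z \\ O & B^{k_2} \end{bmatrix}.$$

(4) The public keys of U and V are respectively $Y$ and $Z$.

(5) U generates

$$N_1 = \begin{bmatrix} A & Z \\ O & B \end{bmatrix} \quad \text{and} \quad N_1^{k_1} = \begin{bmatrix} A^{k_1} & Z^{(k_1)} \\ O & B^{k_1} \end{bmatrix}.$$

(6) V generates

$$N_2 = \begin{bmatrix} A & Y \\ O & B \end{bmatrix} \quad \text{and} \quad N_2^{k_2} = \begin{bmatrix} A^{k_2} & Y^{(k_2)} \\ O & B^{k_2} \end{bmatrix}.$$

In this way, the key shared by U and V is $P = Z^{(k_1)} = Y^{(k_2)}$, as shown in Theorem 3. Now, both interlocutors share a common and secret element. An attacker could know $p$, $M$, $N_1$ and $N_2$ but, to obtain the shared secret, would have to face a problem with a similar complexity to that of the DLP (see [12]).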
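The quick exponentiation of Section 3 applied to the key exchange above, as an added example that is not code from the paper: a block matrix is held as the triple (A, X, B), products follow Eq. (5), and the result is checked against the O(h) recurrence from Theorem 2. The modulus, the matrices, the exponents and all function names are constructed for this illustration; the blocks are only chosen to be invertible, not built from primitive polynomials.

```python
# Added illustration, not the authors' code. All parameters are constructed toy values.
P = 7                                    # prime modulus p (far too small for real use)
A = [[0, 4], [1, 6]]                     # invertible 2x2 block (det = 3 mod 7)
B = [[0, 0, 6], [1, 0, 5], [0, 1, 0]]    # invertible 3x3 block (det = 6 mod 7)
X = [[1, 2, 3], [4, 5, 6]]               # 2x3 upper-right block

def mul(a, b):
    """Matrix product over Z_p."""
    return [[sum(x * y for x, y in zip(row, col)) % P for col in zip(*b)]
            for row in a]

def add(a, b):
    """Matrix sum over Z_p."""
    return [[(x + y) % P for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def block_mul(m, n):
    """Product of [A1 X1; O B1] and [A2 X2; O B2], the zero block left implicit."""
    (a1, x1, b1), (a2, x2, b2) = m, n
    return (mul(a1, a2), add(mul(a1, x2), mul(x1, b2)), mul(b1, b2))

def block_pow(m, n):
    """Return (A^n, X^(n), B^n) using O(log n) block products."""
    a, _, b = m
    result = (identity(len(a)), [[0] * len(b) for _ in a], identity(len(b)))
    square = m                           # holds M^(2^e) at bit position e
    while n:
        if n & 1:
            result = block_mul(result, square)
        square = block_mul(square, square)
        n >>= 1
    return result

def x_power_naive(m, h):
    """X^(h) by the recurrence X^(h) = A X^(h-1) + X B^(h-1): O(h) products."""
    a, x, b = m
    xh, b_pow = [[0] * len(b) for _ in a], identity(len(b))
    for _ in range(h):
        xh = add(mul(a, xh), mul(x, b_pow))
        b_pow = mul(b_pow, b)
    return xh

def key_exchange(k1, k2):
    """Run steps (2)-(6); return (Y, Z, U's shared key, V's shared key)."""
    y = block_pow((A, X, B), k1)[1]          # U publishes Y = X^(k1)
    z = block_pow((A, X, B), k2)[1]          # V publishes Z = X^(k2)
    shared_u = block_pow((A, z, B), k1)[1]   # U: Z^(k1) from N1 = [A Z; O B]
    shared_v = block_pow((A, y, B), k2)[1]   # V: Y^(k2) from N2 = [A Y; O B]
    return y, z, shared_u, shared_v

if __name__ == "__main__":
    # Constructed exponents; the range check against o(M) is omitted in this toy run.
    y, z, su, sv = key_exchange(1234, 987)
    print("Y =", y, "Z =", z)
    print("shared keys agree:", su == sv, su)
```
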

4.2. Data encryption

We start from the same public and private elements seen previously in Section 4.1 (which we suppose already done).

The interlocutor U wishes to privately send a message to V. The message must be encoded as a matrix $D = X^{(h)} \in G$.


4.2.1. Encryption

(1) U computes the matrices $T_1 = \begin{bmatrix} A & D \\ O & B \end{bmatrix}$ and $T_2 = \begin{bmatrix} A & P \\ O & B \end{bmatrix}$, which are invertible since $A$ and $B$ are invertible too.

(2) U computes matrix $C = T_1 T_2$ and sends this matrix to V.

4.2.2. Decryption

(1) V generates the matrix $T_2 = \begin{bmatrix} A & P \\ O & B \end{bmatrix}$ and computes its inverse.

(2) V obtains $T_1$ carrying out the product $C T_2^{-1}$.

(3) V recovers the message $D$ by selecting the respective block of $T_1$.

With this, the encryption and decryption functions of U and V would be respectively:

(1) $E_{k_1}(D) = T_1 T_2$.

(2) $D_{k_2}(C) = C T_2^{-1}$.

With the appropriate quick exponentiation algorithms proposed in Section 3 the matrix powers can be computed efficiently. The complexity of the problem that an attacker would face is in the order of that of the DLP, acting, in effect, as a deterrent for a possible attack.

4.3. Signature scheme

We propose a digital signature scheme that requires the original message in order to verify the signature. The following scheme is based on the ElGamal digital signature scheme. We suppose that the users U and V have exchanged the key $P$, and U has sent the message $D$ to V, according to the protocol proposed in Section 4.2. If the transmitter U wishes to digitally sign the message $D$, U proceeds in the following way:

(1) U generates a random number $r \in \mathbb{N}$.

(2) U computes $Q = D - P^{(r)}$.

(3) The digital signature is $(r, Q)$.

If the receiver wishes to verify the digital signature of U, he proceeds in the following way:

(1) V computes $R = Q + P^{(r)}$.

(2) V compares $D$ and $R$, turning out to be an authentic signature if $D = R$ and false if $D \neq R$.

5. Conclusions

The quick exponentiation method must be selected regarding the characteristics of each application. Therefore, we have studied the usage of a quick exponentiation algorithm to efficiently compute powers of block upper triangular matrices. These matrices provide some interesting properties for many mathematical purposes. Choosing parameters as described in Section 2, we can optimize the order of matrix $M \in H$ to satisfy different requirements efficiently.

As a sample application, we have proposed a new public-key cryptosystem and digital signature scheme based on block upper triangular matrices employing the quick exponentiation algorithm in order to optimize performance.

Public-key cryptosystems are important in all areas of electronic business and private communications. Existing methods rely on problems that are difficult to solve with current knowledge and computing technology. Since computational power is increasing continuously, the required key length for a desired level of security needs to be enlarged accordingly. It is, therefore, desirable to look for techniques in more complex algebraic sets.

The proposed cryptosystem is based on the discrete logarithm problem for matrices and presents the advantage of reducing the required key length for a given level of security. This is achieved as a consequence of the usage of the quick exponentiation and the algebraic properties of set $H$.

References

[1] G.B. Agnew, R.C. Mullin, S.A. Vanstone, Fast exponentiation in GF(2^n), Advances in Cryptology – Proceedings of Eurocrypt ’88, vol. 330, Springer-Verlag, 1998, pp. 251–255.

[2] D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete logarithms in GF(p), Algorithmica 1 (1986) 1–15.

[3] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976) 644–654.

[4] J. Gathen, Efficient and optimal exponentiation in finite fields, Computational Complexity 1 (1991) 360–394, MR 94a:68061.

[5] D.M. Gordon, A survey of fast exponentiation methods, Journal of Algorithms 27 (1998) 129–146.

[6] K. Hoffman, R. Kunze, Linear Algebra, Prentice-Hall, New Jersey, 1971.

[7] D.E. Knuth, Seminumerical algorithms, The Art of Computer Programming, vol. 2, Addison-Wesley, Massachusetts, 1981.

[8] N. Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1987.

[9] P.J. Lee, C.H. Lim, Method for Exponentiation in Public-Key Cryptosystems, United States Patent 5,999, 1999, p. 627.

[10] R. Lidl, H. Niederreiter, Introduction to Finite Fields and their Applications, Cambridge University Press, 1994.

[11] K. McCurley, The discrete logarithm problem. Cryptology and computational number theory, Proceedings of Symposia in Applied Mathematics 42 (1990) 49–74.

[12] A. Menezes, W. Yi-Hong, The discrete logarithm problem in GL(n,q), Ars Combinatoria 47 (1997) 22–32.

[13] R.W.K. Odoni, V. Varadharajan, P.W. Sanders, Public key distribution in matrix rings, Electronic Letters 20 (1984) 386–387.

[14] R.G.E. Pinch, Some primality testing algorithms, Notices AMS 40 (1993) 1203–1210.

[15] S. Pohlig, M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions IT-24 (1979) 106–110.

[16] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 120–126.

[17] G. Shuhong, J. Gathen, D. Panario, V. Shoup, Algorithms for exponentiation in finite fields, Journal of Symbolic Computation 29 (6) (2000) 879–889.

[18] A.L. Wells, A polynomial form for logarithms modulo a prime, IEEE Transactions on Information Theory 30 (1984) 845–846.