Security Features of an Asymmetric Cryptosystem based on the Diophantine Equation Hard Problem

The Diophantine Equation Hard Problem (DEHP) is a potential cryptographic problem on the Diophantine equation $U=\sum \limits_{i=1}^n {V_i x_{i}}$. A proper implementation of DEHP would render an attacker to search for private parameters amongst the exponentially many solutions. However, an improper implementation would provide an attacker exponentially many choices to solve the DEHP. The AA,$_{\beta}$-cryptosystem is an asymmetric cryptographic scheme that utilizes this concept together with the factorization problem of two large primes and is implemented only by using the multiplication operation for both encryption and decryption. With this simple mathematical structure, it would have low computational requirements and would enable communication devices with low computing power to deploy secure communication procedures efficiently.

💡 Research Summary

The paper proposes a novel asymmetric public‑key scheme called the AAβ‑cryptosystem, whose security is claimed to rest on two hard problems: (1) the Diophantine Equation Hard Problem (DEHP), defined as finding a “preferred” solution vector {x* i} to a linear Diophantine equation U = ∑ V_i x_i, and (2) the classic integer factorisation problem of a product N = p q of two large primes. The authors argue that a proper implementation of DEHP forces an attacker to search among an exponential number of candidate solutions, while an improper implementation would give the attacker exponentially many choices, effectively breaking the scheme.

Construction.
Let p and q be n‑bit primes. The sender (Along) chooses three 2n‑bit secret integers a₁, a₂, a₃ satisfying a₁ + a₂ = pq and a₁ + a₃ = e_A₂, together with a small integer v (≈0.8125 n‑bits). The public keys are e_A₁ = a₁ + a₂ = pq and e_A₂ = a₁ + a₃. The private keys are d_A₁ = a₁ − a₂ = p and d_A₂ = v. The receiver (Busu) generates two short session keys k₁ and k₂ (each 6 bits) and a message m of length about 4n/5 bits. The ciphertext is

 C = k₁ e_A₁ + k₂ e_A₂ + m.

Decryption is performed by computing (C mod d_A₁) mod d_A₂, which yields m. The authors prove this by simple modular arithmetic.

Security claims.
The paper separates two attack goals:

1. Recover the plaintext from C. This is said to be equivalent to solving AAβ‑DEHP‑1: given C, e_A₁, e_A₂, find either k₁ or k₂, then compute m.
2. Recover the private key from the public key. This is said to be equivalent to solving AAβ‑DEHP‑2: given e_A₁, e_A₂, find the preferred integers a₁, a₂, a₃.

The authors further claim that AAβ‑DEHP‑2 is polynomial‑time equivalent to integer factorisation of e_A₁, i.e., TFactoring. They provide a reduction in both directions, essentially stating that factoring pq yields p and q, from which a₁, a₂, a₃ can be constructed, and conversely, knowing a₁, a₂, a₃ gives p = a₁ − a₂ and q = e_A₁ / p.

Analysis of the DEHP.
The DEHP, as defined, is a linear Diophantine equation with known coefficients V_i and unknowns x_i. The “preferred” solution set is described as the subset containing infinitely many elements, but the concrete examples restrict each x_i to a fixed bit‑length interval (e.g., 64‑bit). In such a setting the search space is at most 2⁶⁴, which is trivial for modern hardware. The authors’ claim that the problem is “exponential” therefore rests on an artificial restriction rather than intrinsic mathematical hardness. Moreover, the DEHP reduces to a bounded integer‑subset‑sum problem, for which lattice‑based attacks (e.g., LLL) are well‑known and often succeed when the modulus and the target are of comparable size.

Lattice‑based attack discussion.
The paper presents two lattice arguments:

• Using Coppersmith’s method on the polynomial f_p(x) = x² − e_A₂ x + pq, they claim the bound on the root is far smaller than the actual secret v, rendering the attack ineffective.
• Using the Gaussian heuristic on the lattice spanned by (1,0,e_A₁), (0,1,e_A₂), (0,0,C), they argue that the vector (k₁, k₂, −m) is not “short” because its norm is roughly the size of m (≈4n/5 bits) while the lattice determinant yields a bound of about (2n/3) bits.

Both arguments are superficial. The first ignores that the secret v is only about 0.8125 n bits, far smaller than the bound, but the bound itself is derived under unrealistic assumptions about the size of the unknown root. The second ignores that the lattice dimension is only three; in such low dimensions the LLL algorithm can often recover hidden relations even when the target vector is not the shortest, especially when the coefficients (k₁, k₂) are tiny (6 bits). A straightforward exhaustive search over the 2¹² possible (k₁, k₂) pairs combined with a single modular reduction recovers m instantly, making the lattice argument unnecessary.

Key size and parameter choices.
The scheme uses extremely small session keys (6 bits) and a relatively large message block (≈0.8 n bits). This asymmetry is atypical: most modern schemes keep the random padding or session key size comparable to the security level. With only 64 possible values for each k_i, an attacker can trivially enumerate all possibilities and test the decryption equation, obtaining the plaintext without solving any hard problem.

The public modulus e_A₁ is the product of two n‑bit primes, exactly as in RSA. Consequently, the security of the scheme collapses to the hardness of factoring a standard RSA modulus. The additional structure (the linear combination with e_A₂) does not add any security; it merely leaks a linear relation between the secret parameters. The claim that DEHP is “harder” than factoring is unsupported; the reduction shows they are equivalent, and the DEHP component does not increase the security margin.

Improper design examples.
The authors illustrate two “improper” designs to warn readers. The first uses 2×2 singular matrix G and non‑singular matrices A, B to exchange a key. They show that an attacker can replace A with a matrix A′ that satisfies A′ G = A G, thereby obtaining the same shared key. This example highlights that using singular matrices in a linear relation creates an under‑determined system, which is precisely the situation exploited in the DEHP definition. The second example demonstrates that choosing public parameter g₁ of length 2n bits while secret a₁, a₂ are only n bits allows an attacker to compute a₂ = ⌊e_A / g₁⌋, again exposing the secret.

Performance claims.
The authors argue that because encryption and decryption consist only of integer multiplications, the algorithm runs in O(n²) time for both operations, outperforming RSA (O(n³) decryption) and ECC (O(n³) for both). While the arithmetic is indeed simple, the overall efficiency must be weighed against security. The scheme’s reliance on a small‑size random component (k₁, k₂) and the need to handle very large messages (4n/5 bits) may offset any gains from the reduced arithmetic complexity. Moreover, modern RSA implementations use Chinese Remainder Theorem (CRT) optimisation to achieve O(n²) decryption, narrowing the claimed gap.

Overall assessment.
The AAβ‑cryptosystem is an interesting academic exercise that attempts to combine a newly defined Diophantine‑equation problem with classic RSA‑style factorisation. However, the paper suffers from several critical weaknesses:

1. Ill‑defined hardness: The DEHP, as presented, does not constitute a well‑studied hard problem. Its difficulty hinges on arbitrary bit‑length restrictions rather than intrinsic number‑theoretic complexity.
2. Parameter imbalance: Using 6‑bit session keys makes exhaustive search trivial, undermining the claimed security.
3. Redundant security: The scheme’s security reduces to factoring the RSA‑like modulus e_A₁; the additional DEHP component adds no real protection.
4. Insufficient cryptanalysis: The lattice‑based arguments are superficial and ignore practical attacks that exploit the small key space.
5. Implementation concerns: The need for 2n‑bit secret parameters while exposing only n‑bit components can lead to side‑channel leakage, as shown in the “improper design” examples.

In conclusion, while the AAβ‑cryptosystem offers a low‑complexity arithmetic profile, its security foundations are not rigorously established. Until a formal reduction to a well‑accepted hard problem (beyond ordinary integer factorisation) and a thorough analysis of parameter choices are provided, the scheme cannot be recommended for real‑world deployment. Existing, well‑vetted systems such as RSA, ECC, and lattice‑based NTRU remain the safer choices for asymmetric encryption.