
Information Sciences 179 (2009) 2014–2021


Analysis and design of a secure key exchange scheme

Rafael Álvarez, Leandro Tortosa, José-Fco. Vicent *, Antonio Zamora

Departamento de Ciencia de la Computación e Inteligencia Artificial, Universidad de Alicante, Campus de San Vicente, Ap. Correos 99, E-03080 Alicante, Spain

* Corresponding author. Tel.: +34 96 590 3900; fax: +34 96 590 3902.

Article info

Article history: Received 23 February 2008; Accepted 15 February 2009

Keywords: Cryptography; Security; Public key; Key exchange scheme; Block matrices; Quick exponentiation; Triangular matrices; Discrete logarithm problem

Abstract

We propose a new key exchange scheme where the secret key is obtained by multiplying the powers of block upper triangular matrices. After studying the cryptographic properties of these block matrices, the theoretical aspects of this scheme are analyzed, concluding that common ciphertext attacks are not applicable to this cryptosystem. Moreover, our proposal is compared with the Diffie–Hellman scheme achieving satisfactory results.

© 2009 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2009.02.008

1. Introduction

In large open networks, like the internet, an increasing demand for security can be observed. In order to establish a confidential channel (or session) between two users of such a network, classic single-key cryptography requires them to exchange a common secret key over a secure channel (see [1]). This may work if the network is small and local, but it is infeasible in non-local or large networks.

To simplify the key exchange problem, public-key cryptography provides a mechanism to allow secret session keys to be exchanged over an insecure channel. In such a framework, every user possesses a key pair consisting of a (non-secret) public key and a (secret) private key; only public keys are published.

A lot of popular public-key encryption systems are based on number theory problems such as factoring integers or finding discrete logarithms. The underlying algebraic structures are, very often, abelian groups; this is especially true in the case of the Diffie–Hellman method (DH), which was the first practical public-key technique and was introduced in 1976 (see [8]). In such a system, when two parties want to communicate with each other, the sender encrypts the message with the recipient's public key and then transmits the cipher text to the recipient. Upon receiving the encrypted information, the recipient can decrypt the message with his private key (see [13]).

The discrete logarithm problem (DLP, see [9,16,18,23]) is, together with the Integer Factoring Problem (IFP, see [15,22]) and the Elliptic Curve DLP (ECDLP, see [3,7]), one of the main problems upon which public-key cryptosystems are built. Thus, efficiently computable groups where the DLP is hard to break (see [3,6,17]) are very important in cryptography.


The purpose of this proposal is the analysis and implementation of a key exchange scheme based on a special group of block upper triangular matrices. The main idea of this paper is to study the cryptographic behavior of products of the type $M_1^v M_2^w$, with $v, w$ integers and $M_1, M_2$ elements of the group of matrices previously mentioned.

In the first place we perform a study of the great cryptographic properties of this group of matrices. Secondly, we propose a key exchange scheme, perform a detailed security analysis and compare it with DH under MATLAB (see [11]).

2. Block upper triangular matrices

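Given $p$ a prime number and $r, s \in \mathbb{N}$, we denote by $\mathrm{Mat}_r(\mathbb{Z}_p)$, $\mathrm{Mat}_s(\mathbb{Z}_p)$, $\mathrm{Mat}_{r \times s}(\mathbb{Z}_p)$ the matrices of sizes $r \times r$, $s \times s$ and $r \times s$, respectively, with elements in $\mathbb{Z}_p$, and by $GL_r(\mathbb{Z}_p)$, $GL_s(\mathbb{Z}_p)$ the invertible matrices of sizes $r \times r$ and $s \times s$, also with elements in $\mathbb{Z}_p$. Let us consider

$$\Omega = \left\{ \begin{bmatrix} A & X \\ 0 & B \end{bmatrix},\; A \in \mathrm{Mat}_r(\mathbb{Z}_p),\; B \in \mathrm{Mat}_s(\mathbb{Z}_p),\; X \in \mathrm{Mat}_{r \times s}(\mathbb{Z}_p) \right\}$$

and the subset

$$\Theta = \left\{ \begin{bmatrix} A & X \\ O & B \end{bmatrix},\; A \in GL_r(\mathbb{Z}_p),\; B \in GL_s(\mathbb{Z}_p),\; X \in \mathrm{Mat}_{r \times s}(\mathbb{Z}_p) \right\}.$$

In order to obtain the cardinality of the subgroup generated by a matrix $M \in \Theta$ (order of $M$), we need to calculate powers of these block upper triangular matrices. So, we use the following theorem (see [4]).

Theorem 1. Let $M = \begin{bmatrix} A & X \\ O & B \end{bmatrix} \in \Theta$. Taking $h$ as a non-negative integer, then

$$M^h = \begin{bmatrix} A^h & X^{(h)} \\ O & B^h \end{bmatrix}, \quad \text{where } X^{(h)} = \begin{cases} O & \text{if } h = 0, \\ \sum_{i=1}^{h} A^{h-i} X B^{i-1} & \text{if } h \ge 1. \end{cases}$$

Also, if $0 \le t \le h$ then

$$X^{(h)} = A^{t} X^{(h-t)} + X^{(t)} B^{h-t}, \qquad X^{(h)} = A^{h-t} X^{(t)} + X^{(h-t)} B^{t}.$$

When $t = 1$, we have

$$X^{(h)} = A X^{(h-1)} + X B^{h-1} \quad \text{or} \quad X^{(h)} = A^{h-1} X + X^{(h-1)} B.$$

Taking $a$, $b$ integers such that $a + b \ge 0$, $X^{(a+b)} = A^{a} X^{(b)} + X^{(a)} B^{b}$.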

3. Order of the elements

In our scheme, the space of keys is bounded by the order of the group generated by the following matrix:

$$M = \begin{bmatrix} A & X \\ 0 & B \end{bmatrix} \in \Theta.$$

So, it is desirable to get orders as high as possible, and now, we describe the way to guarantee that this order is maximum (see [12,14]).

Let $f(x) = a_0 + a_1 x + \cdots + a_{n-1} x^{n-1} + x^n$ be a monic polynomial in $\mathbb{Z}_p[x]$, whose companion $n \times n$ matrix is

$$A = \begin{bmatrix}
0 & 1 & 0 & \cdots & 0 & 0 \\
0 & 0 & 1 & \cdots & 0 & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & 1 & 0 \\
0 & 0 & 0 & \cdots & 0 & 1 \\
-a_0 & -a_1 & -a_2 & \cdots & -a_{n-2} & -a_{n-1}
\end{bmatrix}.$$

If $f$ is an irreducible polynomial in $\mathbb{Z}_p[x]$, then the order of the matrix $A$ is equal to the order of any root of $f$ in $\mathbb{F}_{p^n}$ and the order of $A$ divides $p^n - 1$ (see [19]). Moreover, assuming that $f$ is a primitive polynomial in $\mathbb{Z}_p[x]$, the order of $A$ is exactly $p^n - 1$.


Odoni et al. [19] propose an extended scheme based on the construction of block matrices like this

$$A = \begin{bmatrix}
A_1 & 0 & \cdots & 0 \\
0 & A_2 & \cdots & 0 \\
\vdots & \vdots & \cdots & \vdots \\
0 & 0 & \cdots & A_k
\end{bmatrix},$$

where $A_i$ is the companion matrix of $f_i$, and $f_i$, for $i = 1, 2, \ldots, k$, are different primitive polynomials in $\mathbb{Z}_p[x]$ of degree $n_i$, for $i = 1, 2, \ldots, k$, respectively.

The order of each block $A_i$ is $p^{n_i} - 1$, for $i = 1, 2, \ldots, k$. Therefore, the order of $A$ is $\mathrm{lcm}(p^{n_1} - 1, p^{n_2} - 1, \ldots, p^{n_k} - 1)$.

In order to use this type of matrix in a public-key system, the aforementioned authors conjugate this matrix $A$ with an invertible matrix $P$ of size $n \times n$, with $n = n_1 + n_2 + \cdots + n_k$, obtaining a new matrix $A = PAP^{-1}$ that has the same order as $A$. If we construct the blocks $A$ and $B$ of $M \in \Theta$ using primitive polynomials, we can guarantee the order.

Let $f(x) = a_0 + a_1 x + \cdots + a_{r-1} x^{r-1} + x^r$, $g(x) = b_0 + b_1 x + \cdots + b_{s-1} x^{s-1} + x^s$ be two primitive polynomials in $\mathbb{Z}_p[x]$ and $A$, $B$ the corresponding associated or companion matrices. Let $P$ and $Q$ be two invertible matrices, such that $A = PAP^{-1}$ and $B = QBQ^{-1}$. With this construction, the order of $M$ is $\mathrm{lcm}(p^r - 1, p^s - 1)$.

Using cyclotomic fields theory and roots of unity, we know that the polynomial $x^n - 1$ is divisible by $x^d - 1$ if $d \mid n$; therefore, if we choose $r$ and $s$ such that they are relatively prime, the number of common divisors is diminished and $\mathrm{lcm}(p^r - 1, p^s - 1)$ will be maximum.

The order of $M$, as a function of $p$, $r$ and $s$, is shown in Tables 1 and 2, where $r$ and $s$ are the sizes of blocks $A$ and $B$, respectively. For big sizes of $p$ (Table 1), we obtain a very high order of $M$ with very small sizes for blocks $A$ and $B$. Furthermore, we can also obtain great orders of $M$ with very small values of $p$, $r$, and $s$ (Table 2).

Table 1. Order of $M$, for big $p$.

| $r$ | $s$ | $p \approx 2^{100}$ bits | $p \approx 2^{160}$ bits | $p \approx 2^{200}$ bits |
|---|---|---|---|---|
| 2 | 3 | $2^{400}$ | $2^{640}$ | $2^{800}$ |
| 3 | 4 | $2^{600}$ | $2^{960}$ | $2^{1200}$ |
| 3 | 5 | $2^{700}$ | $2^{1120}$ | $2^{1400}$ |
| 4 | 5 | $2^{800}$ | $2^{1280}$ | $2^{1600}$ |
| 5 | 6 | $2^{1000}$ | $2^{1600}$ | $2^{2000}$ |

Table 2. Order of $M$, for small $p$.

| $r$ | $s$ | $p = 5$ bits | $p = 13$ bits | $p = 29$ bits |
|---|---|---|---|---|
| 31 | 32 | $2^{145}$ | $2^{230}$ | $2^{302}$ |
| 47 | 48 | $2^{219}$ | $2^{348}$ | $2^{457}$ |
| 60 | 61 | $2^{279}$ | $2^{445}$ | $2^{584}$ |
| 130 | 131 | $2^{605}$ | $2^{963}$ | $2^{1264}$ |
| 216 | 217 | $2^{1004}$ | $2^{1599}$ | $2^{2099}$ |

The $p$, $r$ and $s$ parameters must be chosen to guarantee a certain security level. More precisely, the attacks based on square root algorithms [20] must be considered. These attacks basically establish the possibility of reducing the discrete logarithm problem on a finite group to several discrete logarithm problems of smaller size. This is determined by the factors that generate the order of the original group. In the proposed key exchange scheme, the order of $M$ is not prime, since it is the least common multiple of $p^r - 1$ and $p^s - 1$. Nevertheless, the greatest prime factor that we can achieve is $p^r - 1$ or $p^s - 1$ (see [21]). For this reason, we must optimize the selection of $p$, $r$ and $s$ so that one of the factors is maximal and the other (that does not necessarily have to be prime) is minimal. In this way, we reduce the number of bits required for a certain level of security (see [10]).

4. Key exchange scheme

Let $M_1 = \begin{bmatrix} A_1 & X_1 \\ 0 & B_1 \end{bmatrix}$ and $M_2 = \begin{bmatrix} A_2 & X_2 \\ 0 & B_2 \end{bmatrix}$ be two elements of the set $\Theta$ with orders $m_1$ and $m_2$ respectively.

We define the following notation for a pair of numbers $x, y \in \mathbb{N}$:

$$A_{xy} = A_1^{x} A_2^{y}, \qquad B_{xy} = B_1^{x} B_2^{y}$$

and

$$C_{xy} = A_1^{x} X_2^{(y)} + X_1^{(x)} B_2^{y}.$$

If two users $U$ and $V$ wish to exchange a key, they may execute the following steps:

(1) $U$ and $V$ agree on $p \in \mathbb{N}$ and $M_1, M_2 \in \Theta$, with $m_1, m_2$ the orders of $M_1$ and $M_2$, respectively.

(2) $U$ generates two random private keys $r, s \in \mathbb{N}$ such that $1 \le r \le m_1 - 1$, $1 \le s \le m_2 - 1$ and computes $A_{rs}, B_{rs}, C_{rs}$ constructing

$$C = \begin{bmatrix} A_{rs} & C_{rs} \\ 0 & B_{rs} \end{bmatrix}.$$

(3) $U$ sends $C$ to $V$.

(4) $V$ generates two random private keys $v, w \in \mathbb{N}$ such that $1 \le v \le m_1 - 1$, $1 \le w \le m_2 - 1$ and computes $A_{vw}, B_{vw}, C_{vw}$ constructing

$$D = \begin{bmatrix} A_{vw} & C_{vw} \\ 0 & B_{vw} \end{bmatrix}.$$

(5) $V$ sends $D$ to $U$.

(6) The public keys of $U$ and $V$ are respectively the matrices $C$ and $D$.

(7) $U$ computes

$$K_u = A_1^{r} A_{vw} X_2^{(s)} + A_1^{r} C_{vw} B_2^{s} + X_1^{(r)} B_{vw} B_2^{s}.$$

(8) $V$ computes

$$K_v = A_1^{v} A_{rs} X_2^{(w)} + A_1^{v} C_{rs} B_2^{w} + X_1^{(v)} B_{rs} B_2^{w}.$$

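The following theorem shows that $K_u = K_v$.

Theorem 2. If $K_u = A_1^{r} A_{vw} X_2^{(s)} + A_1^{r} C_{vw} B_2^{s} + X_1^{(r)} B_{vw} B_2^{s}$ and $K_v = A_1^{v} A_{rs} X_2^{(w)} + A_1^{v} C_{rs} B_2^{w} + X_1^{(v)} B_{rs} B_2^{w}$, then $K_u = K_v$.

Proof. We have

$$C = \begin{bmatrix} A_{rs} & C_{rs} \\ 0 & B_{rs} \end{bmatrix} = M_1^{r} M_2^{s}, \qquad D = \begin{bmatrix} A_{vw} & C_{vw} \\ 0 & B_{vw} \end{bmatrix} = M_1^{v} M_2^{w},$$

$$M_1^{r} = \begin{bmatrix} A_1^{r} & X_1^{(r)} \\ 0 & B_1^{r} \end{bmatrix}, \qquad M_1^{v} = \begin{bmatrix} A_1^{v} & X_1^{(v)} \\ 0 & B_1^{v} \end{bmatrix},$$

$$M_2^{s} = \begin{bmatrix} A_2^{s} & X_2^{(s)} \\ 0 & B_2^{s} \end{bmatrix} \quad \text{and} \quad M_2^{w} = \begin{bmatrix} A_2^{w} & X_2^{(w)} \\ 0 & B_2^{w} \end{bmatrix}.$$

Let

$$M_u = M_1^{r} D M_2^{s} = \begin{bmatrix} A_u & K_u \\ 0 & B_u \end{bmatrix}$$

and

$$M_v = M_1^{v} C M_2^{w} = \begin{bmatrix} A_v & K_v \\ 0 & B_v \end{bmatrix}.$$

Then

$$M_u = M_1^{r} D M_2^{s} = M_1^{r} M_1^{v} M_2^{w} M_2^{s} = M_1^{v} M_1^{r} M_2^{s} M_2^{w} = M_1^{v} C M_2^{w} = M_v$$

and, consequently, $K_u = K_v$. □

As we have demonstrated in this theorem, now both $U$ and $V$ share a common and secret key,

$$K_u = K_v = P.$$

The private keys are $r, s$ and $v, w$, respectively. These keys do not have to be prime numbers (we avoid primality tests) and with the appropriate quick exponentiation algorithm proposed in [2] the matrix powers can be computed efficiently.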
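Steps (1)–(8) and the block formula of Theorem 1, run end to end in pure Python as an added example that is not part of the original paper. The toy prime p = 7, the block sizes 2 and 3, the polynomial coefficients, the X blocks and all function names are constructed for illustration, and plain square-and-multiply stands in for the optimised exponentiation of [2].

```python
import secrets

P = 7        # toy prime modulus, constructed for this example (far too small for real use)
R_BLK = 2    # size r of the A blocks; the B blocks below have size s = 3

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % P for col in zip(*b)] for row in a]

def matadd(a, b):
    return [[(x + y) % P for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def matpow(m, e):
    # Plain square-and-multiply, standing in for the block-optimised algorithm of [2].
    result, base = identity(len(m)), m
    while e:
        if e & 1:
            result = matmul(result, base)
        base = matmul(base, base)
        e >>= 1
    return result

def companion(c):
    # Companion matrix of c[0] + c[1]*x + ... + x^n in the layout of Section 3.
    return [[int(j == i + 1) for j in range(len(c))] for i in range(len(c) - 1)] + [[-a % P for a in c]]

def block_upper(a, x, b):
    # Assemble [[A, X], [0, B]].
    return [ra + rx for ra, rx in zip(a, x)] + [[0] * len(a) + rb for rb in b]

def blocks(m, r):
    # Split a block upper triangular matrix into (A, X, B), with A of size r x r.
    return [row[:r] for row in m[:r]], [row[r:] for row in m[:r]], [row[r:] for row in m[r:]]

def order(m, limit=10**6):
    # Brute-force order of m in GL_n(Z_P); feasible only for toy parameters.
    acc, ident = m, identity(len(m))
    for k in range(1, limit + 1):
        if acc == ident:
            return k
        acc = matmul(acc, m)
    raise ValueError("order exceeds limit")

def x_power_sum(a, x, b, h):
    # Theorem 1: X^(h) = sum_{i=1..h} A^(h-i) X B^(i-1), and the zero block for h = 0.
    total = [[0] * len(x[0]) for _ in x]
    for i in range(1, h + 1):
        total = matadd(total, matmul(matmul(matpow(a, h - i), x), matpow(b, i - 1)))
    return total

def keygen(m1, m2, ord1, ord2):
    # Steps (2) and (4): private exponents in [1, m_i - 1], public matrix M1^e1 * M2^e2.
    e1, e2 = 1 + secrets.randbelow(ord1 - 1), 1 + secrets.randbelow(ord2 - 1)
    return (e1, e2), matmul(matpow(m1, e1), matpow(m2, e2))

def shared_key(m1, m2, priv, peer_pub, r=R_BLK):
    # Steps (7)/(8): K = A1^e1 A_peer X2^(e2) + A1^e1 C_peer B2^e2 + X1^(e1) B_peer B2^e2
    e1, e2 = priv
    a1, x1, _ = blocks(matpow(m1, e1), r)
    _, x2, b2 = blocks(matpow(m2, e2), r)
    a_peer, c_peer, b_peer = blocks(peer_pub, r)
    k = matmul(matmul(a1, a_peer), x2)
    k = matadd(k, matmul(matmul(a1, c_peer), b2))
    return matadd(k, matmul(matmul(x1, b_peer), b2))

# Constructed sample parameters: nonzero constant terms make every diagonal block invertible.
M1 = block_upper(companion([3, 1]), [[1, 2, 3], [4, 5, 6]], companion([2, 0, 1]))
M2 = block_upper(companion([5, 4]), [[6, 0, 1], [2, 2, 5]], companion([4, 1, 0]))

def run_exchange():
    ord1, ord2 = order(M1), order(M2)
    priv_u, pub_c = keygen(M1, M2, ord1, ord2)   # U publishes C
    priv_v, pub_d = keygen(M1, M2, ord1, ord2)   # V publishes D
    return shared_key(M1, M2, priv_u, pub_d), shared_key(M1, M2, priv_v, pub_c)

if __name__ == "__main__":
    print(run_exchange())
```

The sample polynomials are only required to have a nonzero constant term, so the orders found by `order` are not claimed to be the maximal ones discussed in Section 3.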


5. Security analysis

Brute force attacks cannot be used if we choose a big enough order for $M_1$ and $M_2$ as, for example, 1024 bits.

A widely used algorithm for the cryptanalysis of public-key schemes based on matrix powers is due to Menezes and Wu (see [18]). It basically establishes the possibility of reducing the full discrete logarithm problem to a series of smaller discrete logarithms over finite fields. This algorithm is not viable for the presented scheme since no matrix powers are published.

Another technique for effectively cryptanalyzing some schemes based on block upper triangular matrices has been developed by Climent et al. [5] and is based on the Cayley–Hamilton theorem.

Theorem 3 (Cayley–Hamilton theorem). Let $M \in GL_n(\mathbb{Z}_p)$ be a matrix with characteristic equation

$$q_M(\lambda) = \det(\lambda I_n - M) = a_0 + a_1 \lambda + a_2 \lambda^2 + \cdots + a_{n-1} \lambda^{n-1} + \lambda^n.$$

Then

$$q_M(M) = a_0 I_n + a_1 M + a_2 M^2 + \cdots + a_{n-1} M^{n-1} + M^n = 0_n,$$

where $I_n$ is the identity matrix of size $n$ and $0_n$ the null matrix of the same size.

This attack is not viable either, since two different matrices with different characteristic equations are employed. Let us analyze the inefficiency of this type of attack.

Let

$$M_1 = \begin{bmatrix} A_1 & X_1 \\ 0 & B_1 \end{bmatrix} \in \Theta, \qquad M_2 = \begin{bmatrix} A_2 & X_2 \\ 0 & B_2 \end{bmatrix} \in \Theta$$

be two matrices of size $n = r + s$, and assume that

$$\det(\lambda I - M_1) \ne 0 \quad \text{and} \quad \det(\lambda I - M_2) \ne 0;$$

then

$$q_{M_1}(\lambda) = \det \begin{bmatrix} \lambda I - A_1 & -X_1 \\ 0 & \lambda I - B_1 \end{bmatrix} = \det(\lambda I - A_1) \cdot \det(\lambda I - B_1) = q_{A_1}(\lambda) \cdot q_{B_1}(\lambda) = a_0 + a_1 \lambda + a_2 \lambda^2 + \cdots + a_{n-1} \lambda^{n-1} + \lambda^n,$$

$$q_{M_2}(\lambda) = \det \begin{bmatrix} \lambda I - A_2 & -X_2 \\ 0 & \lambda I - B_2 \end{bmatrix} = \det(\lambda I - A_2) \cdot \det(\lambda I - B_2) = q_{A_2}(\lambda) \cdot q_{B_2}(\lambda) = b_0 + b_1 \lambda + b_2 \lambda^2 + \cdots + b_{n-1} \lambda^{n-1} + \lambda^n$$

with $q_{M_1}(\lambda) \ne q_{M_2}(\lambda)$.

The Cayley–Hamilton theorem guarantees that $q_{M_1}(M_1) = q_{M_2}(M_2) = 0$, so

$$a_0 I + a_1 M_1 + a_2 M_1^2 + \cdots + a_{n-1} M_1^{n-1} + M_1^n = 0,$$

$$a_0 I + a_1 M_1 + a_2 M_1^2 + \cdots + a_{n-1} M_1^{n-1} = -M_1^n;$$

multiplying by $M_1$

$$a_0 M_1 + a_1 M_1^2 + a_2 M_1^3 + \cdots + a_{n-1} M_1^n = -M_1^{n+1}.$$

Replacing the value of $M_1^n$

$$a_0 M_1 + a_1 M_1^2 + a_2 M_1^3 + \cdots + a_{n-1} \left( -a_0 I - a_1 M_1 - a_2 M_1^2 - \cdots - a_{n-1} M_1^{n-1} \right) = -M_1^{n+1}$$

and grouping terms we obtain

$$M_1^{n+1} = b_0 I + b_1 M_1 + b_2 M_1^2 + \cdots + b_{n-1} M_1^{n-1}$$

with $b_0 = a_0 a_{n-1}$ and $b_i = a_{n-1} a_i - a_{i-1}$ for $i = 1, \ldots, n-1$.

Following this process for a certain $p \ge n$, we have

$$M_1^p = c_0 I + c_1 M_1 + c_2 M_1^2 + \cdots + c_{n-1} M_1^{n-1}, \qquad (1)$$

then

$$M_1^p = \begin{bmatrix} A_1^p & X_1^{(p)} \\ 0 & B_1^p \end{bmatrix} = c_0 \begin{bmatrix} I & 0 \\ 0 & I \end{bmatrix} + c_1 \begin{bmatrix} A_1 & X_1 \\ 0 & B_1 \end{bmatrix} + \cdots + c_{n-1} \begin{bmatrix} A_1^{n-1} & X_1^{(n-1)} \\ 0 & B_1^{n-1} \end{bmatrix}.$$

Consequently,

$$A_1^p = c_0 I + c_1 A_1 + c_2 A_1^2 + \cdots + c_{n-1} A_1^{n-1},$$

$$X_1^{(p)} = c_1 X_1 + c_2 X_1^{(2)} + \cdots + c_{n-1} X_1^{(n-1)},$$

$$B_1^p = c_0 I + c_1 B_1 + c_2 B_1^2 + \cdots + c_{n-1} B_1^{n-1}.$$

If we proceed like in expression (1), we obtain

$$M_2^p = d_0 I + d_1 M_2 + d_2 M_2^2 + \cdots + d_{n-1} M_2^{n-1}.$$

In the scheme that we are analyzing, we know $M_1$ and $M_2$ so we can set up the following linear system:

$$M_1^r = e_1 M_1 + e_2 M_1^2 + \cdots + e_{n-1} M_1^{n-1},$$

$$M_2^v = f_1 M_2 + f_2 M_2^2 + \cdots + f_{n-1} M_2^{n-1}.$$

Since $r$ and $s$ are private keys, coefficients $e_1, e_2, \ldots, e_{n-1}$ and $f_1, f_2, \ldots, f_{n-1}$, as well as the matrices $M_1^r$ and $M_2^v$ are unknown, rendering the system unsolvable. Therefore, the Climent et al. technique (see [5]), based on the Cayley–Hamilton theorem, cannot be used to obtain a system suitable for cryptanalysis.

In order to cryptanalyze this scheme we must apply square root algorithms to the calculation of discrete logarithms. We can choose the blocks $A_1, A_2, B_1$ and $B_2$ so that the inefficiency of this type of attack is guaranteed.

6. Optimized key exchange scheme

The exponents of the matrices appearing in our scheme do not have to be prime (we avoid primality tests), nor big numbers, since the fundamental piece of the key exchange scheme is the order of the matrix $M_1$ ($M_2$). In order to improve the efficiency of matrix power calculations, a fast exponentiation algorithm [2] optimized for block upper triangular matrices is used.

The fastest algorithm for calculating discrete logarithms is the square root algorithm, which can reach a complexity order of $\sqrt{\bar{q}}$, where $\bar{q}$ is the greatest prime factor of the order of the group.

In our scheme the order of the group is $\mathrm{lcm}(p^r - 1, p^s - 1)$, so we must make this number big enough to avoid attacks based on the previously mentioned algorithms, for example 1024 bits. Moreover, to prevent these attacks we need to avoid $p^r - 1$ and $p^s - 1$ having great common divisors. These two parameters (lcm and mcd, the greatest common divisor), together with the execution time, give different options for selecting an optimal size for matrix $M_1$. We must maximize the difference between lcm and mcd, while minimizing execution time.

In Fig. 1, we can observe that the difference (in bits) between lcm and mcd increases with the difference between the sizes of the blocks $A_1$ ($r$) and $B_1$ ($s$) of matrix $M_1$ (the same happens for matrix $M_2$). Therefore, a good size for block $A_1$ is $r = 2$.

In order to obtain the optimal size for block $B_1$, the execution time of our key exchange scheme must be analyzed for a value of $p$ that achieves a group order of approximately 1024 bits. The results shown in Fig. 2 are the arithmetic mean of the values of $r$ and $s$ after 100 tests. Therefore, the values of Table 3 are optimal for our scheme.

Fig. 1. Difference between lcm and mcd (bits) for different block sizes.

Fig. 2. Proposed scheme execution time (s) for different sizes.

Table 3. Optimal values for the proposed scheme.

| $r$ | $s$ | $p$ | Order of $M$ (bits) | Execution time (s) |
|---|---|---|---|---|
| 2 | 83 | 5167 | 1024 | 1.44820 |
| 2 | 89 | 2903 | 1024 | 1.65156 |
| 2 | 97 | 2437 | 1024 | 1.97230 |

7. Comparison with Diffie–Hellman

A comparison between the Diffie–Hellman key exchange and our proposal has been performed. The values $r = 2$, $s = 89$ and $p = 2903$ have been taken as optimal since great differences between lcm and mcd are achieved, together with manageable block sizes ($A_1$, $B_1$) and acceptable execution times. In the Matricial Scheme 10,000 tests have been performed obtaining the following parameters: value of $p$ necessary to obtain an order of about 1024 bits, maximum and minimum execution time and the arithmetic mean of the 10,000 tests times and finally the standard deviation.

Table 4. Performance comparison with Diffie–Hellman (s).

| | Maximum | Minimum | Arithmetic mean | Standard deviation |
|---|---|---|---|---|
| Diffie–Hellman | 12.8750 | 12.6406 | 12.7065 | 0.0959 |
| Matricial scheme | 1.7343 | 1.5843 | 1.6593 | 0.02589 |

Similarly, in the case of the Diffie–Hellman key exchange, 10,000 tests have been performed for key sizes of 1024 bits with a prime number size of 512 bits, obtaining the same parameters (maximum, minimum execution time, arithmetic mean of the 10,000 tests times and the standard deviation).

The test computer is an Intel Pentium 4 with a clock rate of 3.06 GHz, 512 KB of cache, 400 MHz of front-side-bus and 1024 MB of RAM; both schemes have been implemented under MATLAB (7.0.1.24704 R14) Service Pack 1, with the same initial conditions.

As shown in Table 4, the proposed key exchange scheme has better performance than Diffie–Hellman under the same initial conditions, with a similar level of security (key size of approximately 1024 bits) and employing equivalent fast exponentiation algorithms for both schemes. Therefore, we can conclude that there is a platform on which our scheme exceeds Diffie–Hellman easily.

8. Conclusions

We propose a key exchange scheme, based on the behavior of matrix products of the type $M_1^v M_2^w$, where $M_1, M_2$ are elements of a non-abelian group of block upper triangular matrices with a big enough order, $v, w$ being integers. One of the main advantages of this scheme is the absence of big prime numbers, avoiding the need for primality tests. Moreover, the proposed scheme is very efficient since it employs fast exponentiation algorithms for such type of matrices.

The proposed scheme has also been analyzed in terms of security and common techniques for computing discrete logarithms are not applicable if the underlying group of matrices is used. Also, the Menezes and Wu reduction algorithm is not viable since no matrix powers are published. Moreover, eigenvector and eigenvalue attacks will lead to large systems of polynomial equations with unknown exponents having infeasible solution for large $n$ with known techniques; and we cannot use techniques based on the Cayley–Hamilton theorem because two different matrices appear, $M_1$ and $M_2$, that have different characteristic equations.

Finally we have compared our proposal to the well known Diffie–Hellman key exchange achieving better performance for the same security level.

References

[1] R. Alvarez, Aplicaciones de las matrices por bloques a los criptosistemas de cifrado en flujo, Ph.D. Thesis Dissertation, University of Alicante, 2005.

[2] R. Alvarez, F. Ferrández, J.F. Vicent, A. Zamora, Applying quick exponentiation for block upper triangular matrices, Applied Mathematics and Computation 183 (2006) 729–737.

[3] I. Blake, G. Seroussi, N. Smart, Elliptic Curves in Cryptography, London Mathematical Society, Lecture Notes. Series, vol. 265, Cambridge University Press, 1999.

[4] J.J. Climent, Propiedades espectrales de matrices: el indice de matrices triangulares por bloques, La raiz Perron de matrices cociclicas no negativas, Thesis for Doctoral Degree, 1993.

[5] J.J. Climent, E. Gorla, J. Rosenthal, Cryptanalysis of the CFVZ cryptosystem, Advances in Mathematics of Communications (AMC) 1 (2006) 1–11.

[6] D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete logarithms in GF(p), Algorithmica (1986) 1–15.

[7] J.J. Climent, F. Ferrandiz, J.F. Vicent, A. Zamora, A non linear elliptic curve cryptosystem based on matrices, Applied Mathematics and Computation 74 (2005) 150–164.

[8] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976) 644–654.

[9] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (1985) 469–472.

[10] F. Ferrandez, Sistemas criptográficos de curva eléptica basados en matrices, Thesis for Doctoral Degree, 2004.

[11] Ye.A. Gayev, B.N. Nesterenko, MATLAB for Math and Programming, National Aviation University, Kyiv, 2006.

[12] K. Hoffman, R. Kunze, Linear Algebra, Prentice-Hall, New Jersey, 1971.

[13] Seok Ko, Choon Seong Leem, Yun Ji Na, Chui Young Yoon, Distribution of digital contents based on public key considering execution speed and security, Information Sciences 174 (3–4) (2005) 237–250.

[14] N. Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1987.

[15] I.C. Lin, C.C. Chang, Security enhancement for digital signature scheme with fault tolerance in RSA, Information Sciences 177 (19) (2007) 4031–4039.

[16] K. McCurley, The discrete logarithm problem, Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics 42 (1990) 49–74.

[17] A. Menezes, P. Van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, Florida, 2001.

[18] A. Menezes, Yi-Hong Wu, The discrete logarithm problem in GL(n, q), Ars Combinatoria 47 (1997) 22–32.

[19] R.W.K. Odoni, V. Varadharajan, P.W. Sanders, Public key distribution in matrix rings, Electronic Letters 20 (1984) 386–387.

[20] S.C. Pohlig, M.E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory 24 (1978) 106–110.

[21] H. Reisel, Mersenne numbers, MTAC 12 (1958) 207–213.

[22] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, ACM Communications 21 (1978) 120–126.

[23] W. Stallings, Cryptography and Network Security. Principles and Practice, third ed., Prentice Hall, New Jersey, 2003.