WO1998048539A1 - Apparatus and method for signing and authenticating digital signatures - Google Patents


Info

Publication number: WO1998048539A1
Authority: WO (WIPO, PCT)
Prior art keywords: matrix, message, document, sender, signature
Application number: PCT/IL1998/000194
Other languages: French (fr)
Inventor: Benjamin Carmeli
Original Assignee: State Of Israel, Atomic Energy Commission, Nuclear Research Center - Negev
Priority to: AU70760/98A


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: The same, involving digital signatures
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093: Public key schemes involving lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • the present invention relates to apparatus and methods for authenticating signatures on electronic documents.
  • the present invention seeks to provide improved apparatus and methods for authenticating signatures on electronic documents.
  • a method for receiving and authenticating a digital signature on an electronic document received from a sender including receiving a message including a sender ID portion, a first message portion and a second message portion m, characterized in that if the message is an authentic message, the first message portion of the message includes a product L x M x R where M is an integer matrix having eigenvalues characterized in that the second message portion m is a non-linear function f of at least some of the eigenvalues, applying a transformation to the first message portion, including multiplying the first message portion by a key corresponding to the sender ID portion, thereby to define a product matrix, wherein the key is proportional to a product R* x L*, wherein R* and L* are adjoints of integer matrices R and L respectively which are both secrets of the sender, computing eigenvalues of the product matrix, and applying the non-linear function f to the
  • the sender ID portion and first and second message portions are included in a single packet.
  • the sender ID and the first and second message portions are included in at least two different packets.
  • a method for sending a digital signature on a digital document represented by a document derived integer to a receiver which authenticates the digital signature including applying a secret transformation to the document derived integer, thereby to generate a transformed document, L x M x R, where L and R are integer matrices which are secrets known only to the sender and M is an integer matrix having eigenvalues characterized in that the document derived integer is a non-linear function f, known to the sender and to the receiver, of at least some of the eigenvalues, and sending a message including a sender ID portion, information pertaining to the plain document such as the matrix M, the transformed document L x M x R and the document derived integer m.
  • the document derived integer represents a compressed document.
  • the non-linear function f is computable in polynomial time from the eigenvalues.
  • the function f includes a public function.
  • the key includes a public key.
  • a method for receiving and authenticating a digital signature on an electronic document received from a sender including receiving a message including a sender ID portion, a first message portion and a second message portion, characterized in that if the message is an authentic message, the second message portion of the message includes a nonlinear function of the eigenvalues of the matrix representing the first message portion, applying a linear algebraic integer based transformation to the first message portion, thereby to generate a transformed first message portion, and authenticating the message by comparing the nonlinear function f of the eigenvalues of the transformed first message portion to the second message portion.
  • apparatus for transmitting, receiving and authenticating a digital signature on an electronic document received from a sender, the apparatus including a linear algebraic key constructing unit operative to construct and distribute at least one key, a linear algebraic document signing unit operative to perform a linear algebraic document signing procedure including generating a message including a digital document, sender ID and signature matrix, a linear algebraic matrix verifier operative to verify the signature matrix, and a linear algebraic document authenticator operative to authenticate the digital document.
  • Fig. 1 is a simplified flowchart of a preferred method for setting up and using a system for transmission of electronic documents;
  • Fig. 2 is a simplified flowchart illustration of a preferred method for performing key construction step 10 of Fig. 1;
  • Fig. 3 is a simplified flowchart illustration of a preferred method for performing document signing step 30 of Fig. 1;
  • Fig. 4 is a simplified flowchart illustration of a preferred method for performing signature verification step 50 of Fig. 1;
  • Fig. 5 is a simplified flowchart illustration of a preferred method for performing document authentication step 60 of Fig. 1; and Figs. 6 - 8 are simplified flowchart illustrations of a second embodiment of the present invention which is similar to the embodiment of Figs. 1 - 5 except that the methods of Figs. 2, 4 and 5 are replaced by the methods of Figs. 6 - 8 respectively.
  • Fig. 1 is a simplified flowchart of a preferred method for setting up and using a system for transmission of electronic documents.
  • the method includes set-up steps 10 and 20 and system utilization steps 30, 40, 50 and 60.
  • a particular feature of the preferred method of Fig. 1 is that construction of keys, signing of digital documents and authentication thereof are all based on linear algebraic methods, unlike conventional systems. Preferred linear algebra based methods for performing key construction step 10, document signing step 30, signature verification step 50 and document authentication step 60 are described in detail below with reference to Figs. 2 - 5 respectively.
  • Digital documents may be transmitted from senders to receivers by any conventional electronic communication means including ground and/or satellite aided radio communication, telephone network communication or computer network communication. Distribution of public keys also typically is carried out by means of either radio communication, telephone network communication or computer network communication.
  • In step 10, public and private keys are generated as described in detail below with reference to Fig. 2.
  • In step 20, public keys are distributed, which conventionally is implemented by maintaining a public file in which each sender deposits his public key in association with an ID.
  • each sender deposits some or all of the following information in the public file, and this information in combination forms that sender's public key: a. The order, N, of the matrices which are used by the sender to generate a signature; b. A non-linear function f; c. A matrix K; d. The determinant of a matrix L; e. The determinant of a matrix R; and f. The format of the document when signed, e.g. as is, compressed or hashed.
  • R and L form, in combination, the private key of the sender.
  • Fig. 2 is a simplified flowchart illustration of a preferred method for performing the public and private key generation step 10 of Fig. 1.
  • the method of Fig. 2 preferably comprises the following steps:
  • Step 70: A security parameter k is selected. k is the total number of bits which need to be correctly guessed by a forger in order to forge a signature. Selection of the size of k is a tradeoff between the strength of the signature's security, which is obtained if k is large, and the greater amount of transmission time and computation time required to process a signature based on a large k.
  • Step 80: N, the order of the matrices which are used by the sender to generate a signature, is selected.
  • As N grows, the security of the system increases; however, construction of a message matrix M, described below, increases in complexity.
  • Step 90: A non-linear function f of the eigenvalues of message matrix M is selected. This function is not computed at this stage; rather, as each message is transmitted, a message matrix M is generated for that message, and the value of f is computed from the eigenvalues of that matrix M.
  • Since f is non-linear, f cannot be the sum of the eigenvalues of M nor any other linear combination thereof. f can, for example, be the product of the eigenvalues, i.e. the determinant of M. f may alternatively be the sum of the squares of the eigenvalues. It is appreciated that f need not necessarily be a product or a sum of squares and may more generally be any suitable non-linear function of the eigenvalues of M.
  • Step 100: Entry values are selected for the two matrices L and R which, in combination, form the private key of the individual sender. These entry values may be freely selected, but preferably have b bits where b is k/(N ⁇ - 1).
  • Step 110: The matrix K is computed as the product of the adjoint matrices of R and L, with the adjoint of R on the left and the adjoint of L on the right, i.e. K = adj(R) x adj(L).
  • Step 120: Compute the determinants of matrices L and R.
  • Fig. 3 is a simplified flowchart illustration of a preferred method for performing the document signing step 30 of Fig. 1.
  • the method of Fig. 3 preferably comprises the following steps:
  • Step 130: The document to be signed is, optionally, hashed or compressed. Alternatively, this step may be omitted.
  • Step 140: An integer m is generated which represents the original, hashed or compressed document. Any suitable code or cipher may be used to generate a sequence of numbers representing each character and punctuation mark in the above document.
  • the integer m is typically a concatenation of the numbers in the sequence and more generally is a combination of the numbers in the sequence.
  • An example of a suitable code or cipher for generating a sequence of numbers as above is ASCII.
  • the code or cipher is known to both the receiver and the sender and may be public knowledge.
  • the choice of the document from which m is to be computed (original, hashed or compressed) is also known to both receiver and sender and may be public knowledge.
  • Step 150: A matrix M is generated which is characterized in that the result of applying the non-linear function f to the eigenvalues of matrix M is the integer m. Examples of methods for generating matrix M are now described.
  • M may be computed from the following product:
  • M Tr(M ).
  • M may be computed by computing the following product:
  • U^-1 x Q x U, where U is a 3 x 3 unimodular matrix whose entries are integers, and Q is the following matrix: t-x w wy - z(t-x) +d
  • t may be selected randomly, but m - t must be even.
  • the eigenvalues of M are irrational and/or complex, in which case the diagonalization transformation of M includes some irrational and/or complex entry values. This property protects the signature scheme against an attack which is described below.
  • a process for satisfying a requirement for irrational and/or complex eigenvalues is described in the example presented in Section VI below.
  • N = 2 and a 2 x 2 matrix is selected whose entries are integers but whose eigenvalues are both irrational and complex.
  • N² - N parameters of M may typically be freely selected.
  • Fig. 4 is a simplified flowchart illustration of a preferred method by which the receiver of a signed document performs the signature verification step 50 of Fig. 1.
  • Verification typically comprises subjecting the received message to two verification tests, as described hereinbelow. Preferably, both verification tests are passed before the signature is deemed verified. Alternatively, in some applications, the message may be deemed authentic even if only one of the verification tests is passed, for example even if only the first verification test is passed. For example, if passing, say, the second verification test implies, deterministically or statistically relative to the application, that the other (first) verification test will also be passed, then the other (first) verification test may be omitted.
  • the sender's public key is retrieved from the public file, using the sender ID to identify the appropriate record in the public file.
  • the sender's public key typically comprises some or all of the following information: N, f, K, Det(L), Det(R) and the format of the document when signed.
  • the first verification test is performed in step 180 and typically comprises two divisibility checks both of which are to be passed if the verification test is to be passed. If either or both of the divisibility checks fail, this indicates that the document is not authentic (step 184).
  • the first check of step 180 is whether or not the determinant of matrix L divides any of the entry values of signature matrix S.
  • the criterion for passing the first check is that the determinant of matrix L does not divide at least one of the entry values of signature matrix S.
  • all of the entry values of S may be checked for divisibility.
  • only a subset of the entry values of S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the non-divisibility of the remaining entry values in S.
  • EXAMPLE: The order N of signature matrix S is 2 and the four entry values of S are 16, 20, 400 and 8. If the determinant of matrix L is 4, the check fails because all the entries of the matrix S are divisible by 4. If the determinant of matrix L is 40, the check succeeds because, for example, the entry 20 is not divisible by 40.
  • the second check of step 180 is whether or not the determinant of matrix R divides any of the entry values of signature matrix S.
  • the criterion for passing the second check is that the determinant of matrix R does not divide at least one of the entry values of signature matrix S.
  • all of the entry values of S may be checked for divisibility.
  • only a subset of the entry values of S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the non-divisibility of the remaining entry values in S.
  • steps 180 and 200 are performed not only by the receiver but also, previously, by the sender. This is because occasionally, a "false alarm" can be generated since it is not impossible, although it is believed to be very rare, that a legal signature might fail the tests of steps 180 and/or 200.
  • If the sender finds that steps 180 and/or 200 result in failure, the sender preferably regenerates M by making another choice of the free parameters described above with reference to step 150. The sender then recomputes a new message matrix, regenerates the signature matrix S and verifies that steps 180 and 200 no longer fail. Once the signature has passed these tests it is ready to be transmitted to the receiver, and it is now the case that if the receiver encounters failure when performing the tests of steps 180 and 200, the failure is clearly indicative of non-authenticity of the document.
  • Step 190 is performed if the first verification test was passed.
  • In step 190, the products K x S and S x K of matrices K and S are computed, i.e. the signature matrix S is multiplied by K from the left and from the right.
  • the second verification test is performed.
  • the second verification test typically comprises four divisibility checks all of which are to be passed if the verification test is to be passed. If one, some or all of the divisibility checks fail, this indicates that the document is not authentic (step 204). If the signature is verified (step 206), the method continues to document authentication (step 210).
  • the first check of step 200 is whether or not the determinant of matrix L divides any of the entry values of the product matrix K x S.
  • the criterion for passing the first check is that the determinant of matrix L divides each of the entry values of product matrix K x S.
  • all of the entry values of K x S may be checked for divisibility.
  • only a subset of the entry values of K x S may be checked for divisibility if it is true that divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the divisibility of the remaining entry values in K x S.
  • the second check of step 200 is whether or not the determinant of matrix R divides any of the entry values of product matrix S x K.
  • the criterion for passing the second check is that the determinant of matrix R divides each of the entry values of product matrix S x K.
  • all of the entry values of S x K may be checked for divisibility.
  • only a subset of the entry values of S x K may be checked for divisibility if it is true that divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the divisibility of the remaining entry values in S x K.
  • the third check of step 200 is whether or not the determinant of matrix R divides any of the entry values of the product matrix K x S.
  • the criterion for passing the third check is that the determinant of matrix R does not divide at least one of the entry values of product matrix K x S.
  • all of the entry values of K x S may be checked for divisibility.
  • only a subset of the entry values of K x S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the non-divisibility of the remaining entry values in K x S.
  • the fourth check of step 200 is whether or not the determinant of matrix L divides any of the entry values of product matrix S x K.
  • the criterion for passing the fourth check is that the determinant of matrix L does not divide at least one of the entry values of product matrix S x K.
  • all of the entry values of S x K may be checked for divisibility.
  • only a subset of the entry values of S x K may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the non-divisibility of the remaining entry values in S x K.
  • Fig. 5 is a simplified flowchart illustration of a preferred method by which the receiver of a signed document performs the document authentication step 60 of Fig. 1.
  • In step 210, the eigenvalues of message matrix M are computed.
  • a preferred method for computing these eigenvalues is to compute the eigenvalues of product matrix K x S or of product matrix S x K, which are each proportional to the eigenvalues of message matrix M.
  • the eigenvalues so obtained are divided by the proportionality factor P, which is Det(L) x Det(R), to recover the eigenvalues of M.
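  • Why the factor is exactly P, worked through in the patent's own symbols (an added derivation, not text from the patent): writing K = adj(R) x adj(L), S = L x M x R and using adj(A) x A = A x adj(A) = Det(A) x I,

$$K \times S = \mathrm{adj}(R)\,\mathrm{adj}(L)\,L\,M\,R = \mathrm{Det}(L)\,\mathrm{adj}(R)\,M\,R = \mathrm{Det}(L)\,\mathrm{Det}(R)\,R^{-1} M R = P\,R^{-1} M R,$$

$$S \times K = L\,M\,R\,\mathrm{adj}(R)\,\mathrm{adj}(L) = \mathrm{Det}(R)\,L\,M\,\mathrm{adj}(L) = \mathrm{Det}(R)\,\mathrm{Det}(L)\,L\,M\,L^{-1} = P\,L\,M\,L^{-1}.$$

  Both are similarity transforms of M scaled by P, so every eigenvalue of K x S and of S x K is P times an eigenvalue of M. The same identities show why Det(L) divides every entry of K x S and Det(R) every entry of S x K (the first two checks of step 200), while the factors adj(R) x M x R and L x M x adj(L) carry no such guaranteed divisor (the third and fourth checks).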
  • In step 220, the non-linear function f is applied to the eigenvalues.
  • In step 230, m is computed from the original, hashed or compressed document, depending on the choice of document format used by the sender, which choice is known to the receiver as described above.
  • the computation of m is based on the cipher or code which was used by the sender and which is known to the receiver. The computation of m is described above with reference to step 140 of Fig. 3.
  • In step 240, the non-linear function f is applied to the eigenvalues of M and the result is compared to m.
  • Depending on the form of f, it may be preferable to compute f as a function of the eigenvalues of K x S (or S x K) and subsequently perform an appropriate division to eliminate the proportionality factor P.
  • This option may be computationally preferable relative to computing f as a function of the eigenvalues of M, which entails separate division of each eigenvalue by the proportionality factor P.
  • If the authentication test is passed, the document is deemed authentic (step 250) and a suitable output signal is provided to a human operator or automatic system which is responsible for processing the document once received. Alternatively, the output signal may be provided if the document is deemed not to be authentic. If the authentication test is not passed, the document is deemed not authentic (step 260).
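  • An added worked example (not code from the patent) that makes the flow of Figs. 2 - 5 concrete for N = 2: key construction, the sender's precheck of steps 180/200, both receiver verification tests and the authentication step, with f chosen as Det(M) so that no eigenvalue is ever computed numerically; the key matrices, the search bound in sign() and the integer m are constructed sample values.

```python
# Added worked example (not code from the patent): a toy implementation of the
# L x M x R flow above with f = Det(M), the product of the eigenvalues, so all
# arithmetic is exact integer arithmetic and no eigenvalue is computed
# numerically. Every number below is constructed for illustration only.

def minor(A, i, j):
    """Matrix A with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]

def det(A):
    """Exact determinant by Laplace expansion (fine for the small N used here)."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))

def adj(A):
    """Classical adjoint (adjugate): entry (i, j) is the cofactor of entry (j, i)."""
    n = len(A)
    return [[(-1) ** (i + j) * det(minor(A, j, i)) for j in range(n)] for i in range(n)]

def mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def all_divisible(A, d):
    return all(x % d == 0 for row in A for x in row)

def keygen(L, R):
    """Steps 110-120: public key = (N, K = adj(R) x adj(L), Det(L), Det(R));
    the matrices L and R themselves stay private."""
    return {"N": len(L), "K": mul(adj(R), adj(L)), "detL": det(L), "detR": det(R)}

def first_test(S, pub):
    """Step 180: neither Det(L) nor Det(R) may divide every entry of S."""
    return not all_divisible(S, pub["detL"]) and not all_divisible(S, pub["detR"])

def second_test(S, pub):
    """Step 200: the four ANDed divisibility checks on K x S and S x K."""
    KS, SK = mul(pub["K"], S), mul(S, pub["K"])
    return (all_divisible(KS, pub["detL"]) and all_divisible(SK, pub["detR"])
            and not all_divisible(KS, pub["detR"]) and not all_divisible(SK, pub["detL"]))

def authenticate(S, pub, m):
    """Steps 210-240 with f = Det: the eigenvalues of K x S are P = Det(L) x Det(R)
    times those of M, so Det(K x S) = P^N x Det(M) and the recovered m must match."""
    p_pow_n = (pub["detL"] * pub["detR"]) ** pub["N"]
    d = det(mul(pub["K"], S))
    return d % p_pow_n == 0 and d // p_pow_n == m

def message_matrix(m, b, c):
    """Step 150 for N = 2: an integer matrix M with Det(M) = m, where b and c
    are the N^2 - N freely chosen parameters."""
    return [[1, b], [c, m + b * c]]

def sign(m, L, R, pub):
    """Step 160 plus the sender-side precheck of steps 180/200: if a candidate
    S = L x M x R would raise a false alarm, regenerate M from other free
    parameters (the range bound is only an arbitrary search limit)."""
    for b in range(1, 64):
        for c in range(1, 64):
            S = mul(mul(L, message_matrix(m, b, c)), R)
            if first_test(S, pub) and second_test(S, pub):
                return S
    raise RuntimeError("no signature passed the precheck within the search range")

def receive(S, pub, m):
    """Receiver side in the order of Figs. 4 and 5: both verification tests, then f."""
    return first_test(S, pub) and second_test(S, pub) and authenticate(S, pub, m)

# Constructed demo key (Det(L) = 14, Det(R) = 17) and a stand-in for the
# document-derived integer m of step 140.
DEMO_L = [[5, 2], [3, 4]]
DEMO_R = [[4, 1], [3, 5]]
DEMO_M_INT = 12345

def demo():
    """Returns True when a genuine signature is accepted and a tampered one rejected."""
    pub = keygen(DEMO_L, DEMO_R)             # step 20: contents of the public file
    S = sign(DEMO_M_INT, DEMO_L, DEMO_R, pub)
    tampered = [row[:] for row in S]         # one entry altered in transit
    tampered[0][0] += 1
    return receive(S, pub, DEMO_M_INT) and not receive(tampered, pub, DEMO_M_INT)

if __name__ == "__main__":
    print("genuine accepted, tampered rejected:", demo())
```

  With f fixed as the determinant, the irrational-eigenvalue requirement of step 150 is not enforced here; it matters for the attack discussed in Sec. IV, not for the arithmetic shown.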
  • Figs. 6 - 8 illustrate a preferred embodiment of the present invention which is believed to be exponential in b, the number of bits of the entries of matrices L, R and W, as described in detail below.
  • the preferred embodiment of the present invention is similar to the embodiment of Figs. 1 - 5 except that the methods of Figs. 2, 4 and 5 are replaced by the methods of Figs. 6 - 8 respectively.
  • In the method of Fig. 6, step 100 is replaced by step 300, in which the private key of the individual sender is formed by a combination of at least three matrices, termed herein R, L and W, rather than a combination of two matrices as in step 100.
  • Preferred methods for selecting the entry values of the R, L and W matrices are described in detail below.
  • Each entry value preferably has b bits.
  • There are two public key matrices, termed herein KL and KR.
  • the matrix KL is computed by computing the product of W and the adjoint matrix of L, where W is on the left.
  • the matrix KR is computed by computing the product of the adjoint matrix of W and the adjoint matrix of R, where the adjoint of W is on the right.
  • In step 320, the determinants of all three private key matrices L, R and W are computed, whereas in step 120 the determinants of only matrices L and R need to be computed.
  • the method of Fig. 7 is similar to the method of Fig. 4 except that in step 390, a single product of the public key matrices and the signature matrix is computed whereas in step 190, two products were computed.
  • the second verification test includes two ANDed components whereas the second verification test in step 200 includes four ANDed components.
  • the method of Fig. 8 is similar to the method of Fig. 5 except that the eigenvalues in step 510 are computed from the single product matrix F instead of from the two product matrices F(R) and F(L).
  • Any suitable computational device may be employed to carry out the computations shown and described herein, such as a computerized communication server or such as a computer terminal which is connected to a computer network.
  • Preferred techniques useful in implementing the method of Figs. 1- 5 are now described in detail.
  • a new scheme for a digital signature is now presented. This scheme is based on the insensitivity of the eigenvalues of a square matrix to a similarity transformation.
  • the security of the scheme relies on the difficulty of factoring a product of matrices under nonlinear constraints.
  • the signing process and the authentication part need only a constant number of multiplications, which is independent of the security parameter.
  • the eigenvalues of M are irrational or complex or both irrational and complex.
  • the message matrix should not be transmitted. This requirement protects the scheme against an attack which is described below in Sec. IV. If the present scheme is used in a notary protocol, then M should be generated by the notary and never be revealed to the owner of the document. Otherwise a chosen message attack on this scheme may succeed.
  • the private key is a pair of matrices L and R, whose entries are integers. Note however that the values of the determinants Det(L) and Det(R) are typically not kept secret from the public since they are used in the verification process.
  • the main component of the public key is the matrix K, given by the following product
  • the matrix K can be found in the public file in association with the name of the signer, together with the function f({λi}), the determinants Det(L) and Det(R) and the order N of the matrix. Note that the "public key matrix" K is not a secret for the signer, since he may compute it from the private key matrices.
  • K is a similar factorization of K in case that all the entries of K are divisible by Det(L). This situation may be avoided in advance by the owner of the private key.
  • the signer may check whether or not K satisfies this security requirement. If this security requirement is not satisfied by the chosen pair R and L, then another pair should preferably be generated.
  • the private key matrices L and R are used to transform the message matrix M, to form the "signature matrix" S
  • Before sending the signature to the receiver, the signer should preferably check whether the signature matrix complies with several requirements. These precautions protect the signature against some attacks which are described in Sec. IV below. In addition, these precautions also protect the signature against an accidental false alarm of forgery in the verification stage, as described next.
  • the signer should preferably check that the determinants Det(L) and Det(R) do not divide at least some of the entries of S. That is, at least for some pairs of matrix indices (i, j) we have
  • the signer should further perform the following test. He computes the two matrices F(R) and F(L)
  • When the document is received, its signature (i.e. the matrix S) is preferably tested to prevent forgery.
  • the receiver may check whether S satisfies Eqs. ⁇ and 4. This test eliminates a trivial forgery which is described in Sec. IV. If the signature does not pass this test, then its authenticity is disproved. If it passes the first verification test, the receiver may move on to the second verification test as follows. The receiver multiplies the two matrices K and S and computes F(R) and F(L) as described in Eqs. 6 and 7. Then he checks whether S satisfies Eqs. 8 and 9. This test also eliminates a trivial forgery attempt which is described in Section IV. If the signature does not pass the second verification test, then its authenticity is disproved. If it passes this test, the receiver may move on to the third verification test as follows. Note that using Eq. 3 and Eq. 2 we get from Eq. 6
  • the receiver checks whether S satisfies Eqs. 12 and 13. This test eliminates a trivial forgery attempt which is described in Section IV. If the signature does not pass this verification test, then its authenticity is disproved. If it passes the test, the receiver may move on to the authentication test as described next.
  • a legal signature typically stands the first and the second tests because a legal signer is capable of ensuring that S does not fail these tests.
  • a legal signature typically stands the third test too because a signature generated with the legal private key must yield the structure of Eqs.10 and 11. If the signature does not stand one of these tests the receiver may safely reject it. However, once the signature has passed the three tests, the receiver is still not sure whether the signature is authentic and he should preferably perform the last test that is described below.
  • the receiver preferably computes from it the hash value as follows. First the receiver computes the eigenvalues of M from F(R) or F(L), since these matrices are just a similarity transform of M (except that these transforms are also multiplied by Det(L)Det(R); see Eqs. 10 and 11). Then the receiver feeds the eigenvalues to the function f({λi}) and obtains m. Next the receiver compares m with the hash function of the original message. The received document is considered authentic if the value computed from S and the hash function of the document are found substantially equal.
  • the purpose of the attacks described in this section is to forge the signature matrix S.
  • the forged signature matrix S' should then pass the verification tests and yield, through f({λi}), the desired forged m'.
  • These attacks may be divided into two classes, namely trivial attacks and nontrivial.
  • the trivial attacks are shown to be unsuccessful due to the measures taken by the preliminary signature verification procedure as described above in Sec II.
  • the defense against the nontrivial attacks which are also shown to be unsuccessful, is based on the assumed intractability of the solution to the problems described in Sec. III.
  • the forger tries to find the private key matrices L and R. He may try to do it in several ways based on the information he obtains from the public key matrix K and from a legal signature matrix S.
  • the forger may factor S either with a constraint in which the resulting message matrix M' should have the same eigenvalues that the original M matrix had (problem 2), or with a constraint in which the eigenvalues of the resulting M' matrix satisfy Eq. 39 (problem 3). Nevertheless, if these problems are indeed intractable, this attack fails.
  • any M' may yield F(R) and F(L) which stand the second and the third preliminary signature verification tests (Eqs. 8, 9, 12 and 13), since M', P^-1 M' P and P M' P^-1 are matrices of integer entries and have the same eigenvalues.
  • the message matrix M is never diagonal and
  • the eigenvalues of M, or at least some of them, are irrational and/or complex.
  • P is not the identity matrix and at least some of its entry values are irrational and/or complex. If the forger attempts to use PR and PL^-1 in order to generate a fraudulent signature matrix of the form L P^-1 M' P R, then he will find that some of the entries of S' calculated in this way are irrational and/or complex. When a signature matrix of this kind is received by the addressee, it cannot be correctly represented because the verification process assumes that all the entries are integers. Such a matrix cannot be correctly interpreted since the verification operations are made in full precision and only over the integers.
  • the second weak point in the scheme is described by the fourth nontrivial attack discussed in the last section. If one can guess the matrix M then he may compute its diagonalization matrix P and find the private key matrices from the diagonalization matrices PR and PL^-1 of F^(R) and F^(L) respectively. Let b denote the number of bits in each entry of M. Since the N eigenvalues of M are known from F^(R) and F^(L), the forger need not guess all N^2 entries of the message matrix: N entries may be computed from the others and from the knowledge of the N eigenvalues of M. Thus for a security of order k we have
  • the number of bits in M is given by ⁇ k. If the number of bits in each entry of M is given by b (Eq.18) then the range from which the forger should guess the message matrix is of the order O(2^k).
  • Eq.18 only provides a lower bound to the total number of bits in the message matrix.
  • the actual value of b ⁇ l and the total number of bits in M are determined also by the method by which the matrix M is generated and by the form of the nonlinear function f.
  • the relation between the message integer m and the eigenvalues of M also affects the number of bits in the entries of M. If m is the hash value of the document, we want to prevent a collision with the hash value of a forged document.
  • M contains 9 elements. Since the 3 eigenvalues are known, only 6 entries are free to be chosen at random. These six entries carry together k secret bits. Thus these parameters are integers of length However, at least one of the other entries of this message matrix is of length 2k and as a result we find that all the entries of S are approximately 3k bit integers. In other words, since m is a 2k bit integer, all the entries of the signature matrix are of length 3k, at least for a message matrix of the scheme presented in example 2 of Sec. II. This result has a serious consequence: the number of transmitted bits is as large as 3N^2 k.
  • the elements of the private key matrices L and R are chosen from a uniform distribution of b bit numbers
  • the public key matrix K may be generated from Eqs.20 and 21,
  • t is the chosen value of the trace of M
  • d is the value of M's determinant and the two integers x and y are free to be chosen at random.
  • the first verification step taken by the receiver is to check whether the received signature matrix S satisfies Eqs.4 and 5.
  • X and Y denote N x N matrices of integer entries and z an integer.
  • the receiver computes the remainder obtained by dividing each entry of S (or at least some of them) by Det(L) and Det(R) and finds ( -21 -18 ⁇
  • the signature has passed the three verification tests.
  • the receiver may compute the trace and determinant of F^(R) or F^(L) in order to get:
  • the new scheme invokes the fact that the eigenvalues of a square matrix are insensitive to a similarity transformation.
  • the security of this scheme is based on the fact that there is no known efficient algorithm for factoring a product of matrices under nonlinear constraints.
  • This signature scheme is very efficient since most of the computations involved in the signing, in the verification and in the authentication procedures are linear transformations of matrices ( i.e. the number of the involved multiplications depends on the size of the matrix and not on the security requirements ). It should be noted however, that while most of the required computations are linear in nature, some of them are not linear, so the system may be considered as a nonlinear one.
  • This scheme may be a solution to the long standing performance problem from which most of the other ( highly nonlinear in nature ) signature schemes suffer.
  • m represents the "message" sent by the signer. It may be the document itself, a compressed version of the document or a hashed version of it. For simplicity we refer to m throughout this work as a hash value of the plain document, although it is not a necessary requirement of the scheme.
  • £ denotes the set of N eigenvalues of an N x N random nondiagonal "message matrix" M (i.e. £ — ) and f is a nonlinear function of £.
  • the eigenvalues of M, or at least some of them, are irrational or complex or both irrational and complex.
  • Once the sender has an appropriate message matrix, he signs the document by transforming this matrix into a signature matrix using the secret private key and sends it, along with the plain document, to the addressee.
  • the private key is a pair of integer matrices L and R which are typically kept secret by the signer. Note however that the determinants Det(L) and Det(R) are not kept secret from the public since they are used in the verification process.
  • W is an integer matrix which is kept secret from the public but its determinant Det(W) is known to the public and where X denotes the adjoint matrix of X.
  • the matrices K_M and K_W can be found in the public file in association with the name of the signer, together with the function f(£), the determinants Det(L), Det(R) and Det(W) and the order N of the matrix.
  • the private key matrices L and R are used to transform the message matrix M, to form the "signature matrix" S
  • the matrix S does not have the same eigenvalues as M, and these eigenvalues cannot yield m when used as an input to Eq.39. Since the public typically does not know the matrices L and R, the eigenvalues of M cannot be revealed from S without using the public key. Moreover, it seems impossible to forge a matrix S such that the eigenvalues, computed after using the public key, will be the same as those of M.
  • When the document is received, its signature (i.e. the matrix S) is tested to prevent forgery.
  • the receiver may check whether S satisfies Eqs.43 and 44. This test eliminates a trivial forgery which is described in Sec. IV. If the signature does not pass this test, then its authenticity is disproved. If it passes the first verification test the receiver may move on to the second verification test as follows. The receiver computes from S the matrix F according to Eq.45. Then he checks whether F satisfies Eq.46. This test eliminates another trivial forgery attempt which is described in section IV. If the signature does not pass the second verification test, then its authenticity is disproved. If it passes this test the receiver may move on to the third verification test as follows. Note that using Eq.42 and Eqs.40
  • F should preferably satisfy the following property for all i and j
  • the receiver checks whether F satisfies Eq. 48. This test, like the previous two verification tests, eliminates another forgery attempt which is described in section IV. If the signature does not pass this verification test, then its authenticity is disproved. If it passes the test the receiver may move on to the authentication test as described below.
  • the receiver computes from it the hash value m as follows. First the receiver computes the eigenvalues of M from F, since this matrix is just a similarity transform of M (except that this transform is also multiplied by Det(L)Det(R), see Eq.47). Then the receiver feeds the eigenvalues to the function f(£) and obtains m. Next the receiver compares m with the hash function of the original message. The received document is considered authentic if the value computed from S and the hash function of the document are found equal.
  • U is an arbitrary unimodular integer matrix.
  • the upper left transformation matrix for j > i may also be devised for nullifying entries above the main diagonal. Its structure is exactly the same as the structure of the matrix given by Eq.59.
  • the upper and lower right transformation matrices have the following form
  • the result of this process is a triangular integer matrix where each diagonal entry is the greatest common divisor gcd({C}) where {C} includes all the nonzero row elements left of the main diagonal (including the diagonal element of that row) after the column above has been fixed (i.e. all its entries below the main diagonal have been nullified).
  • the upper right transformation matrix T_UPPER(i, j) for j > i may also be devised for nullifying entries above the main diagonal. Its structure is exactly the same as the structure of the lower right transformation matrix; both are given by Eq.65.
  • Let B be a lower triangular integer matrix. Then we may decompose B into two lower triangular matrices L' and R' where the diagonal elements of these matrices satisfy Eqs.53, 54 and the following relations
  • R' entries below the main diagonal and L' entries below the main diagonal are integers chosen such that for all i and j < i they satisfy the Diophantine equation
  • L' may be computed recursively from the entries of R' as follows
  • R' may be computed recursively from the entries of L' as follows
  • T (L) .4 where g — gcd(A 2 , _4 12
  • n is an arbitrary integer.
  • W has the following properties:
  • the matrices L and R are chosen such that it is impossible to simultaneously decompose WL and WR.
  • the public key matrices K_M and K_W may be generated from Eq.109,
  • t is the chosen value of the trace of M
  • d is the value of M's determinant and the two integers x and y are free to be chosen at random.
  • the message matrix is -231285038950244 -232105198771360
  • the first verification step taken by the receiver is to check whether the received signature matrix S satisfies Eqs.43 and 44.
  • X and Y denote N x N integer matrices and z an integer.
  • the receiver computes the remainder obtained by dividing each entry of S (or at least some of them) by Det(L) and Det(R) and finds
  • the receiver may compute the trace and determinant of F in order to get m:
  • the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form.
  • the software components may, generally, be implemented in hardware, if desired, using conventional techniques.

Abstract

The method includes the set-up steps of linear algebraic construction of public and private keys (10) and of distribution of those public keys (20). The sender does a linear algebraic signing of the digital document (30) before transmitting the digital document along with the sender id and the signature matrix (40). The receiver does a linear algebraic verification of the received signature matrix (50), and then the receiver does a linear algebraic authentication of the received digital document (60).

Description

APPARATUS & METHOD FOR SIGNING & AUTHENTICATING DIGITAL SIGNATURES
FIELD OF THE INVENTION
The present invention relates to apparatus and methods for authenticating signatures on electronic documents.
BACKGROUND OF THE INVENTION
The disclosures of all publications mentioned in the specification and of the publications cited therein are hereby incorporated by reference.
A state-of-the-art crypto-system based on algebraic coding theory is described in the article "Security-Related Comments Regarding McEliece's Public-Key Cryptosystem" which appears in Advances in Cryptology, Proc. Crypto '87, Vol. 293, and published by Springer Verlag.
SUMMARY OF THE INVENTION
The present invention seeks to provide improved apparatus and methods for authenticating signatures on electronic documents.
There is thus provided, in accordance with a preferred embodiment of the present invention, a method for receiving and authenticating a digital signature on an electronic document received from a sender, the method including receiving a message including a sender ID portion, a first message portion and a second message portion m, characterized in that if the message is an authentic message, the first message portion of the message includes a product L x M x R where M is an integer matrix having eigenvalues characterized in that the second message portion m is a non-linear function f of at least some of the eigenvalues, applying a transformation to the first message portion, including multiplying the first message portion by a key corresponding to the sender ID portion, thereby to define a product matrix, wherein the key is proportional to a product adj(R) x adj(L), wherein adj(R) and adj(L) are adjoints of integer matrices R and L respectively which are both secrets of the sender, computing eigenvalues of the product matrix, and applying the non-linear function f to the eigenvalues of the product matrix, thereby to generate a transformed first message portion, and authenticating the message by comparing the transformed first message portion to the second message portion.
Further in accordance with a preferred embodiment of the present invention, the sender ID portion and first and second message portions are included in a single packet.
Still further in accordance with a preferred embodiment of the present invention, the sender ID and the first and second message portions are included in at least two different packets.
Also provided, in accordance with another preferred embodiment of the present invention, is a method for sending a digital signature on a digital document represented by a document derived integer to a receiver which authenticates the digital signature, the method including applying a secret transformation to the document derived integer, thereby to generate a transformed document, L x M x R, where L and R are integer matrices which are secrets known only to the sender and M is an integer matrix having eigenvalues characterized in that the document derived integer is a non-linear function f, known to the sender and to the receiver, of at least some of the eigenvalues, and sending a message including a sender ID portion, information pertaining to the plain document such as the matrix M, the transformed document L x M x R and the document derived integer m.
Further in accordance with a preferred embodiment of the present invention, the document derived integer represents a compressed document.
Still further in accordance with a preferred embodiment of the present invention, the non-linear function f is computable in polynomial time from the eigenvalues.
Additionally in accordance with a preferred embodiment of the present invention, the function f includes a public function.
Still further in accordance with a preferred embodiment of the present invention, the key includes a public key.
Also provided, in accordance with another preferred embodiment of the present invention, is a method for receiving and authenticating a digital signature on an electronic document received from a sender, the method including receiving a message including a sender ID portion, a first message portion and a second message portion, characterized in that if the message is an authentic message, the second message portion of the message includes a nonlinear function of the eigenvalues of the matrix representing the first message portion, applying a linear algebraic integer based transformation to the first message portion, thereby to generate a transformed first message portion, and authenticating the message by comparing the nonlinear function f of the eigenvalues of the transformed first message portion to the second message portion.
Further provided, in accordance with still another preferred embodiment of the present invention, is apparatus for transmitting, receiving and authenticating a digital signature on an electronic document received from a sender, the apparatus including a linear algebraic key constructing unit operative to construct and distribute at least one key, a linear algebraic document signing unit operative to perform a linear algebraic document signing procedure including generating a message including a digital document, sender ID and signature matrix, a linear algebraic matrix verifier operative to verify the signature matrix, and a linear algebraic document authenticator operative to authenticate the digital document.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
Fig. 1 is a simplified flowchart of a preferred method for setting up and using a system for transmission of electronic documents;
Fig. 2 is a simplified flowchart illustration of a preferred method for performing key construction step 10 of Fig. 1;
Fig. 3 is a simplified flowchart illustration of a preferred method for performing document signing step 30 of Fig. 1;
Fig. 4 is a simplified flowchart illustration of a preferred method for performing signature verification step 50 of Fig. 1;
Fig. 5 is a simplified flowchart illustration of a preferred method for performing document authentication step 60 of Fig. 1; and
Figs. 6 - 8 are simplified flowchart illustrations of a second embodiment of the present invention which is similar to the embodiment of Figs. 1 - 5 except that the methods of Figs. 2, 4 and 5 are replaced by the methods of Figs. 6 - 8 respectively.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Reference is now made to Fig. 1 which is a simplified flowchart of a preferred method for setting up and using a system for transmission of electronic documents. The method includes set-up steps 10 and 20 and system utilization steps 30, 40, 50 and 60. A particular feature of the preferred method of Fig. 1 is that construction of keys, signing of digital documents and authentication thereof are all based on linear algebraic methods contrary to conventional systems. Preferred linear algebra based methods for performing key construction step 10, document signing step 30, signature verification step 50 and document authentication step 60 are described in detail below with reference of Figs. 2 - 5 respectively.
Digital documents may be transmitted from senders to receivers by any conventional electronic communication means including ground and/or satellite aided radio communication, telephone network communication or computer network communication. Distribution of public keys also typically is carried out by means of either radio communication, telephone network communication or computer network communication.
In step 10, public and private keys are generated as described in detail below with reference to Fig. 2.
In step 20, public keys are distributed, which conventionally is implemented by maintaining a public file in which each sender deposits his public key in association with an ID. In accordance with a preferred embodiment of the present invention, each sender deposits some or all of the following information in the public file, and this information in combination forms that sender's public key:
a. The order, N, of matrices which are used by the sender to generate a signature;
b. A non-linear function f;
c. A matrix K;
d. The determinant of a matrix L;
e. The determinant of a matrix R; and
f. The format (e.g. as is, compressed or hashed) of the document when signed, typically including an indication of one of the above three format options plus an indication of the compression or hashing method where relevant,
where R and L form, in combination, the private key of the sender.
Reference is now made to Fig. 2 which is a simplified flowchart illustration of a preferred method for performing the public and private key generation step 10 of Fig. 1.
The method of Fig. 2 preferably comprises the following steps:
Step 70 — A security parameter k is selected. k is the total number of bits which need to be correctly guessed by a forger in order to forge a signature. Selection of the size of k is a tradeoff between the strength of the signature's security, which is obtained if k is large, and the greater amount of transmission time and computation time required to process a signature based on a large k.
Step 80 — N, the order of the matrices which are used by the sender to generate a signature, is selected. As N grows, the security of the system increases; however, construction of a message matrix M, described below, increases in complexity.
Step 90 — A non-linear function f of the eigenvalues of message matrix M is selected. This function is not computed at this stage but rather, as each message is transmitted, a message matrix M is generated for that message, and the value of f is computed from the eigenvalues of that matrix M.
Since f is non-linear, f cannot be the sum of the eigenvalues of M nor any other linear combination thereof, f can, for example, be a product of the eigenvalues, i.e. the determinant of M. f may, alternatively be a sum of the squares of the eigenvalues. It is appreciated that f need not necessarily be a product or a sum of squares and may more generally be any suitable non-linear function of the eigenvalues of M.
It is believed that complexity of the form of f enhances the security of the signature but complicates the construction of the matrix M.
Step 100 — Entry values are selected for the two matrices L and R which, in combination, form the private key of the individual sender. These entry values may be freely selected, however preferably have b bits where b is k/(N^2 - 1).
Step 110 — The matrix K is computed by computing the product of the adjoint matrices of R and L, where the adjoint of R is on the left and the adjoint of L is on the right.
Step 120 — Compute the determinants of matrices L and R.
Reference is now made to Fig. 3 which is a simplified flowchart illustration of a preferred method for performing the document signing step 30 of Fig. 1.
The method of Fig. 3 preferably comprises the following steps:
Step 130 — The document to be signed is, optionally, hashed or compressed. Alternatively, this step may be omitted.
Step 140 — An integer m is generated which represents the original, hashed or compressed document. Any suitable cipher may be used to generate a sequence of numbers representing each character and punctuation mark in the above document. The integer m is typically a concatenation of the numbers in the sequence and more generally is a combination of the numbers in the sequence. An example of a suitable code or cipher for generating a sequence of numbers as above is ASCII. The code or cipher is known to both the receiver and the sender and may be public knowledge. The choice of the document from which m is to be computed (original, hashed or compressed) is also known to both receiver and sender and may be public knowledge.
Step 150 — A matrix M is generated which is characterized in that the result of operating non-linear function f on the eigenvalues of matrix M is integer m. Examples of methods for generating matrix M are now described.
It is appreciated that the structure of matrix M depends on the specific form chosen for function f and the matrix order N. There are many methods for generating message matrix M, for example:
EXAMPLE 1 :
When f is a product of all the eigenvalues, i.e. m is the determinant of M, then M may be computed from the following product:
U1 * Q * U2, where Q is a diagonal N x N matrix with Q_11 = m and
Q_ii = 1 for all 1 < i <= N, and where U1 and U2 are random N x N unimodular matrices of integer elements.
EXAMPLE 2:
When N = 3 and f is the sum of the squares of the three eigenvalues, then
m = Tr(M^2). In this case, M may be computed by computing the following product:
U^-1 * Q * U, where U is a 3 x 3 unimodular matrix whose entries are integers, and Q is the following matrix:
[ t-x    w      wy - z(t-x) + d ]
[ 1      x-y    y(x-y) - z      ]
[ 0      1      y               ]
where x, y, z and d are any integers, which may be selected at random, and w = z + xt - x^2 + (m - t^2)/2 (so that Tr(Q) = t, Det(Q) = d and Tr(Q^2) = m).
t may be selected randomly but m - t^2 must be even.
Typically at least some of the eigenvalues of M are irrational and/or complex, in which case the diagonalization transformation of M includes some irrational and/or complex entry values. This property protects the signature scheme against an attack which is described below. A process for satisfying a requirement for irrational and/or complex eigenvalues is described in the example presented in Section VI below.
As in Section VI below, N=2 and a 2 x 2 matrix is selected whose entries are integers but whose eigenvalues are both irrational and complex.
When M is generated, typically, an array of N^2 elements is produced under N constraints corresponding to the N eigenvalues. Therefore, N^2 - N parameters of M may typically be freely selected.
Step 160 — Compute the product S = L x M x R. S is termed herein the "signature matrix".
Referring back to step 40 of Fig. 1, the digital document is transmitted along with the sender's ID and the signature matrix S.
Reference is now made to Fig. 4 which is a simplified flowchart illustration of a preferred method by which the receiver of a signed document performs the signature verification step 50 of Fig. 1. As described above, the following information is received: the document itself, typically as clear text; the sender's ID and the signature matrix S. Verification typically comprises subjecting the received message to 2 verification tests, as described hereinbelow. Preferably, both of the verification tests are passed before the signature is deemed verified. Alternatively, in some applications, the message may be deemed authentic even if only one of the verification tests is passed, for example even if only the first verification test is passed. For example, if it is true that passing, say, the second verification test implies deterministically or statistically, relative to the application, that the other (first) verification test will also be passed, then the other (first) verification test may be omitted.
In step 170, the sender's public key is retrieved from the public file, using the sender ID to identify the appropriate record in the public file. As described above, the sender's public key typically comprises some or all of the following information: N, f, K, Det(L), Det(R) and the format of the document when signed.
The first verification test is performed in step 180 and typically comprises two divisibility checks both of which are to be passed if the verification test is to be passed. If either or both of the divisibility checks fail, this indicates that the document is not authentic (step 184).
The first check of step 180 is whether or not the determinant of matrix L divides any of the entry values of signature matrix S. The criterion for passing the first check is that the determinant of matrix L does not divide at least one of the entry values of signature matrix S. To perform the check, all of the entry values of S may be checked for divisibility. Alternatively, only a subset of the entry values of S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the non-divisibility of the remaining entry values in S.
EXAMPLE: The order N of signature matrix S is 2 and the four entry values of S are 16, 20, 400 and 8. If the determinant of matrix L is 4 the check fails because all the entries of the matrix S are divisible by 4. If the determinant of matrix L is 40, the check succeeds because, for example, the entry 20 is not divisible by 40.
The second check of step 180 is whether or not the determinant of matrix R divides any of the entry values of signature matrix S. The criterion for passing the second check is that the determinant of matrix R does not divide at least one of the entry values of signature matrix S. To perform the check, all of the entry values of S may be checked for divisibility. Alternatively, only a subset of the entry values of S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the non-divisibility of the remaining entry values in S.
Preferably, steps 180 and 200 are performed not only by the receiver but also, previously, by the sender. This is because occasionally, a "false alarm" can be generated since it is not impossible, although it is believed to be very rare, that a legal signature might fail the tests of steps 180 and/or 200. If the sender finds that steps 180 and/or 200 result in failure, the sender preferably regenerates M by making another choice of the free parameters described above with reference to step 150. The sender then recomputes a new message matrix, regenerates the signature matrix S and verifies that steps 180 and 200 no longer fail. Once the signature has passed these tests it is ready to be transmitted to the receiver and it is now the case that if the receiver encounters failure when performing the test of steps 180 and 200, the failure is clearly indicative of non-authenticity of the document.
Step 190 is performed if the first verification test was passed. In step 190, the products of matrices K and S are computed by multiplication from the left and from the right.
In step 200, the second verification test is performed. The second verification test typically comprises four divisibility checks all of which are to be passed if the verification test is to be passed. If one, some or all of the divisibility checks fail, this indicates that the document is not authentic (step 204). If the signature is verified (step 206), the method continues to document authentication (step 210).
The first check of step 200 is whether or not the determinant of matrix L divides any of the entry values of the product matrix K x S. The criterion for passing the first check is that the determinant of matrix L divides each of the entry values of product matrix K x S. To perform the check, all of the entry values of K x S may be checked for divisibility. Alternatively, only a subset of the entry values of K x S may be checked for divisibility if it is true that divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the divisibility of the remaining entry values in K x S.
The second check of step 200 is whether or not the determinant of matrix R divides any of the entry values of product matrix S x K. The criterion for passing the second check is that the determinant of matrix R divides each of the entry values of product matrix S x K. To perform the check, all of the entry values of S x K may be checked for divisibility. Alternatively, only a subset of the entry values of S x K may be checked for divisibility if it is true that divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the divisibility of the remaining entry values in S x K.
The third check of step 200 is whether or not the determinant of matrix R divides any of the entry values of the product matrix K x S. The criterion for passing the third check is that the determinant of matrix R does not divide at least one of the entry values of product matrix K x S. To perform the check, all of the entry values of K x S may be checked for divisibility. Alternatively, only a subset of the entry values of K x S may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, deterministically or statistically, relative to the application, the non- divisibility of the remaining entry values in K x S.
The fourth check of step 200 is whether or not the determinant of matrix L divides any of the entry values of product matrix S x K. The criterion for passing the fourth check is that the determinant of matrix L does not divide at least one of the entry values of product matrix S x K. To perform the check, all of the entry values of S x K may be checked for divisibility. Alternatively, only a subset of the entry values of S x K may be checked for divisibility if it is true that non-divisibility of the entry values in the subset implies, statistically or deterministically, relative to the application, the non-divisibility of the remaining entry values in S x K.
Reference is now made to Fig. 5 which is a simplified flowchart illustration of a preferred method by which the receiver of a signed document performs the document authentication step 60 of Fig. 1.
In step 210, the eigenvalues of message matrix M are computed. A preferred method for computing these eigenvalues is to compute the eigenvalues of product matrix K x S or of product matrix S x K which are each proportional to the eigenvalues of message matrix M. To obtain the eigenvalues of M, the eigenvalues of the product matrix are divided by the proportionality factor P which is Det(L) x Det(R).
In step 220, the non-linear function f is applied to the eigenvalues.
In step 230, m is computed from the original, hashed or compressed document, typically depending on the choice of document formatting used by the sender, which choice is known to the receiver as described above. The computation of m is based on the cipher or code which was used by the sender and which is known to the receiver. The computation of m is described above with reference to step 140 of Fig. 3.
In step 240, the non-linear function f is applied to the eigenvalues of M and the result is compared to m.
As is well known, depending on the form of the function f, it may be preferable to compute f as a function of the eigenvalues of K x S (or S x K) and subsequently perform appropriate division to eliminate the proportionality factor P. This option may be preferable computationally relative to computing f as a function of the eigenvalues of M which entails separate division of each eigenvalue by the proportionality factor P.
If the authentication test of step 240 is passed, the document is deemed authentic (step 250) and a suitable output signal is provided to a human operator or automatic system which is responsible for processing the document once received. Alternatively, the output signal may be provided if the document is deemed not to be authentic. If the authentication test is not passed, the document is deemed not authentic (step 260).
Reference is now made to Figs. 6 - 8 which illustrate a preferred embodiment of the present invention which is believed to be exponential in b, the number of bits of the entries of matrices L, R and W, as described in detail below. The preferred embodiment of the present invention is similar to the embodiment of Figs. 1 - 5 except that the methods of Figs. 2, 4 and 5 are replaced by the methods of Figs. 6 - 8 respectively.
The method of Fig. 6 is similar to the method of Fig. 2 except that step 100 is replaced by step 300 in which the private key of the individual sender is formed by a combination of at least three matrices, termed herein R, L and W, rather than a combination of two matrices as in step 100. Preferred methods for selecting the entry values of R, L and W are described in detail below. Each entry value preferably has b bits.
Another difference between the methods of Figs. 2 and 6 is that there are two public key matrices termed herein K_L and K_R. The matrix K_L is computed by computing the product of W and the adjoint matrix of L, where W is on the left. The matrix K_R is computed by computing the product of the adjoint matrix of W and the adjoint matrix of R, where the adjoint of W is on the right.
In step 320 the determinants of all 3 private key matrices L, R and W are computed whereas in step 120, the determinants of only matrices L and R need to be computed.
The method of Fig. 7 is similar to the method of Fig. 4 except that in step 390, a single product of the public key matrices and the signature matrix is computed whereas in step 190, two products were computed. In step 400, the second verification test includes two ANDed components whereas the second verification test in step 200 includes four ANDed components.
The method of Fig. 8 is similar to the method of Fig. 5 except that the eigenvalues in step 510 are computed from the single product matrix F instead of from F^(R) and F^(L).
Any suitable computational device may be employed to carry out the computations shown and described herein, such as a computerized communication server or such as a computer terminal which is connected to a computer network. Preferred techniques useful in implementing the method of Figs. 1-5 are now described in detail.
I. Introduction
A new scheme for a digital signature is now presented. This scheme is based on the insensitivity of the eigenvalues of a square matrix to a similarity transformation. The security of the scheme relies on the difficulty of factoring a product of matrices under nonlinear constraints. The signing process and the authentication part need only a constant number of multiplications, which is independent of the security parameter.
II. The Digital Signature Scheme
We assume that all the matrix entries used by the signature scheme are integers and the operations made on these parameters are done in full precision and over the integers.
Let m represent the "message" sent by the signer. It may be the document itself, a compressed version of the document or a hashed version of it. For simplicity we refer to m throughout this work as a hash value of the plain document, although it is not a necessary requirement of the scheme. Let f be a nonlinear function of the eigenvalues of an N x N random nondiagonal "message matrix" M. The message matrix M is chosen such that all its entries are integers and its eigenvalues satisfy
f({λ_i}) = m (1)
where f is known both to the signer and to the verifier. The structure of M depends on the specific form chosen for the function f and on the matrix order N. Next we describe some examples in order to demonstrate the tractability of the generation of M:
1. When f is a product of all the eigenvalues (i.e. m is the determinant of M), M may be computed from the product U_1 Q U_2 where Q is a diagonal N x N matrix with Q_11 = m and Q_ii = 1 for all 2 ≤ i ≤ N, and where U_1 and U_2 are random N x N unimodular matrices of integer elements.
2. When N = 3 and f({λ_i}) = λ_1² + λ_2² + λ_3² we have m = Tr(M²) and we may compute M from U^{-1} Q U where U is a 3 x 3 unimodular matrix whose entries are integers, and

Q = ( t−x   w     wy − x(t−x) + d )
    ( 1     x−y   y(x−y)          )
    ( 0     1     y               )

where x, y, z and d are integers and may be chosen at random and w = z + xt − x² + …, where we note that the integer t may also be chosen at random provided m − t² is even.
Note that infinitely many different message matrices M may be generated for a single message m. Also note that in the above description of the structure of M, no consideration has been made in regard to security and efficiency issues. Our aim here is to show that it is easy to generate the message matrix M. Issues of security and efficiency are discussed in Sec. V.
It is generally required that the eigenvalues of M, or at least some of them are irrational or complex or both irrational and complex. When this requirement is satisfied, the diagonalization transformation of M contains some irrational and/or complex entry values. This property protects the signature scheme against an attack which is described below. It is easy to satisfy the requirement of irrational and/or complex eigenvalues, as is shown in the example presented in Sec. VI. In this example N = 2 and one easily chooses a 2 x 2 matrix whose entries are integers but its eigenvalues are irrational and complex.
It is further generally required that the message matrix should not be transmitted. This requirement protects the scheme against an attack which is described below in Sec. IV. If the present scheme is used in a notary protocol, then M should be generated by the notary and never be revealed to the owner of the document. Otherwise a chosen message attack on this scheme may succeed.
Once the sender has an appropriate message matrix he signs the document by transforming this matrix into a signature matrix using the secret private key and sends it over along with the plain document to the addressee.

A. The private key
The private key is a pair of matrices L and R, whose entries are integers. Note however that the values of the determinants Det(L) and Det(R) are typically not kept secret from the public since they are used in the verification process.
B. The public key
The main component of the public key is the matrix K, given by the following product
K = R̃ L̃ (2)

where X̃ denotes the adjoint matrix of X.
The matrix K can be found in the public file in association with the name of the signer, together with the function f({λ_i}), the determinants Det(L) and Det(R) and the order N of the matrix. Note that the "public key matrix" K is not a secret for the signer, since he may compute it from the private key matrices.
It is preferable for the security of the present signature scheme that at least one of the entries of K is indivisible by Det(L̃) (= (Det(L))^{N−1}) and at least one entry is indivisible by Det(R̃) (= (Det(R))^{N−1}). If for example all the entries of K are divisible by Det(R), then it is very easy to factor K into some arbitrary R̃' and L̃'. This may be simply done by generating R̃' as a matrix whose entries are integers and whose determinant equals Det(R). Since Det(R) divides all the entries of K, the product of the inverse matrix of R̃' and K is a matrix whose entries are integers and whose determinant is Det(L). Therefore the last product is L̃'. A similar factorization of K is possible in case that all the entries of K are divisible by Det(L). This situation may be avoided in advance by the owner of the private key. When the matrices R and L are generated the signer may check whether or not K satisfies this security requirement. If this security requirement is not satisfied by the chosen pair R and L, then another pair should preferably be generated.
C. The signature
The private key matrices L and R are used to transform the message matrix M, to form the "signature matrix" S
S = LMR (3)
which is sent to the receiver together with the document. Before sending the signature to the receiver the signer should preferably check if the signature matrix complies with several requirements. These precautions protect the signature against some attacks which are described in Sec. IV below. In addition these precautions also protect the signature against an accidental false alarm of forgery in the verification stage, as described next.
First the signer should preferably check whether the determinants Det(L) and Det(R) do not divide at least some of the entries of S. That is, at least for some pairs of matrix indices (i,j) we have

Det(L) ∤ S_ij (4)

and similarly, at least for some pairs of matrix indices (k,l) we have

Det(R) ∤ S_kl (5)

This property of S is typically used in the first verification test, as is shown below. If this requirement is not satisfied, i.e. Det(L) or Det(R) divide all the entries of S, the signer may change M via the free random parameters (see examples above) until Eqs.4 and 5 are satisfied. Naturally the probability that Det(L) or Det(R) divide all the entries of S is small.
Preferably the signer should further perform the following test. He computes the two matrices F^(R) and F^(L)

F^(R) = KS (6)

F^(L) = SK (7)

and checks whether at least for some pairs of their indices i and j:

Det(R) ∤ F^(R)_ij (8)

Det(L) ∤ F^(L)_ij (9)

This property of S is used in the second verification test, as is shown below. If this condition is not satisfied, i.e. Det(R) divides all the entries of F^(R) or Det(L) divides all the entries of F^(L), then the signer may change M via the free random parameters (see examples above) until the two matrices F^(R) and F^(L) respectively satisfy Eqs.8 and 9. Naturally the probability that Eqs.8 and 9 are not satisfied is small.

Finally note that the matrix S does not have the same eigenvalues as M and that these eigenvalues cannot yield m when used as an input to Eq.1. Since the public does not know the matrices L and R, the eigenvalues of M cannot be revealed from S without using the public key. Moreover, it seems impossible to forge a matrix S such that the eigenvalues, computed after using the public key, will be the same as those of M.
D. Signature verification
When the document is received, its signature (i.e. the matrix S) is preferably tested to prevent forgery. In the first test, the receiver may check whether S satisfies Eqs.4 and 5. This test eliminates a trivial forgery which is described in Sec. IV. If the signature does not pass this test, then its authenticity is disproved. If it passes the first verification test the receiver may move on to the second verification test as follows. The receiver multiplies the two matrices K and S and computes F^(R) and F^(L) as described in Eqs.6 and 7. Then he checks whether S satisfies Eqs.8 and 9. This test also eliminates a trivial forgery attempt which is described in section IV. If the signature does not pass the second verification test, then its authenticity is disproved. If it passes this test the receiver may move on to the third verification test as follows. Note that using Eq.3 and Eq.2 we get from Eq.6

F^(R) = Det(L)Det(R) R^{-1} M R (10)

and similarly we obtain from Eq.7

F^(L) = Det(R)Det(L) L M L^{-1} (11)

In other words F^(R) and F^(L) satisfy the following properties for all i and j

Det(L) | F^(R)_ij (12)

Det(R) | F^(L)_ij (13)

In the third verification test the receiver checks whether S satisfies Eqs.12 and 13. This test eliminates a trivial forgery attempt which is described in section IV. If the signature does not pass this verification test, then its authenticity is disproved. If it passes the test the receiver may move on to the authentication test as described next.

Note that the tests described above cannot approve the signature. They may only serve for disproving a signature made with fraudulent keys. A legal signature typically stands the first and the second tests because a legal signer is capable of ensuring that S does not fail these tests. A legal signature typically stands the third test too because a signature generated with the legal private key must yield the structure of Eqs.10 and 11. If the signature does not stand one of these tests the receiver may safely reject it. However, once the signature has passed the three tests, the receiver is still not sure whether the signature is authentic and he should preferably perform the last test that is described below.
E. Document authentication
Once the matrix S has passed the tests described above, the receiver preferably computes from it the hash value as follows. First the receiver computes the eigenvalues of M from F^(R) or F^(L) since these matrices are just a similarity transform of M (except that these transforms are also multiplied by Det(L)Det(R), see Eqs.10 and 11). Then the receiver feeds the eigenvalues to the function f({λ_i}) and obtains m. Next the receiver compares m with the hash function of the original message. The received document is considered authentic if the value computed from S and the hash function of the document are found substantially equal.
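The whole protocol of Secs. II.A to II.E (key generation by Eq. 2, signing by Eq. 3 with the signer-side checks of Eqs. 4, 5, 8 and 9, the receiver's three verification tests and the authentication of Eq. 38), as an added Python example that is not the patent's own code; it also exercises the step-200 checks of Figs. 4 and 5 above. It uses N = 2 and the function f of Eq. 19, for which f equals Tr(M)² + Det(M), so the receiver never needs the eigenvalues themselves. The matrices L, R and M and the resulting m are constructed for this example and are not the patent's values (a real signer derives M from the hash m, as Sec. VI.B shows, not the other way round). All arithmetic is exact Python integer arithmetic, as the scheme requires.

```python
"""Matrix signature scheme of WO1998048539A1, N = 2 instance (constructed example).

Matrix entries are Python ints, so every operation is exact: the scheme demands
full precision over the integers.  With f(l1, l2) = l1^2 + 3 l1 l2 + l2^2 (Eq. 19)
we have f = (l1 + l2)^2 + l1 l2 = Tr(M)^2 + Det(M), which is what Eq. 38 evaluates.
"""


def mat_mul(A, B):
    """Exact integer matrix product."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def minor(A, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]


def det(A):
    """Determinant by Laplace expansion (N is small in this scheme)."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))


def adjugate(A):
    """Adjoint matrix of the patent: A * adj(A) = Det(A) * I, integer entries."""
    n = len(A)
    return [[(-1) ** (i + j) * det(minor(A, j, i)) for j in range(n)] for i in range(n)]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def divides_all(d, A):
    """True iff the integer d divides every entry of A (works for negative d)."""
    return all(x % d == 0 for row in A for x in row)


def f_from_trace_det(tr, dt):
    """f of Eq. 19 written through the symmetric functions of the eigenvalues."""
    return tr * tr + dt


def keygen(L, R):
    """K = adj(R) adj(L) (Eq. 2); reject pairs whose K is trivially factorable (Sec. II.B)."""
    K = mat_mul(adjugate(R), adjugate(L))
    dL, dR = det(L), det(R)
    if divides_all(dL, K) or divides_all(dR, K):
        raise ValueError("Det(L) or Det(R) divides every entry of K; choose another pair")
    return K, dL, dR


def sign(L, R, K, M):
    """S = L M R (Eq. 3) plus the signer-side checks of Eqs. 4, 5, 8 and 9."""
    S = mat_mul(mat_mul(L, M), R)
    dL, dR = det(L), det(R)
    FR, FL = mat_mul(K, S), mat_mul(S, K)            # Eqs. 6 and 7
    if divides_all(dL, S) or divides_all(dR, S):     # Eqs. 4 and 5 would fail
        raise ValueError("re-randomise M: S is divisible by a key determinant")
    if divides_all(dR, FR) or divides_all(dL, FL):   # Eqs. 8 and 9 would fail
        raise ValueError("re-randomise M: K S or S K divisible by the wrong determinant")
    return S


def verify(S, K, dL, dR, m):
    """Receiver side: the three verification tests, then authentication by Eq. 38.

    Returns (True, recovered_m) when the signature authenticates the hash m;
    otherwise (False, detail) where detail names the failed test or carries the
    recovered value when it does not match m.
    """
    if divides_all(dL, S) or divides_all(dR, S):             # test 1: Eqs. 4, 5
        return False, "test 1"
    FR, FL = mat_mul(K, S), mat_mul(S, K)                    # Eqs. 6, 7
    if divides_all(dR, FR) or divides_all(dL, FL):           # test 2: Eqs. 8, 9
        return False, "test 2"
    if not (divides_all(dL, FR) and divides_all(dR, FL)):    # test 3: Eqs. 12, 13
        return False, "test 3"
    P = dL * dR                                              # proportionality factor
    tr, dt = trace(FR), det(FR)           # eigenvalues of FR are P times those of M
    if tr % P or dt % (P * P):
        return False, "authentication"
    recovered = f_from_trace_det(tr // P, dt // (P * P))     # Eq. 38
    return recovered == m, recovered


# Constructed sample instance (not the patent's matrices).
L = [[3, 2], [1, 4]]     # Det(L) = 10
R = [[2, 5], [3, 1]]     # Det(R) = -13
M = [[2, 7], [-5, 3]]    # Tr = 5, Det = 41: eigenvalues complex (25 < 164) and
                         # irrational (164 - 25 = 139 is not a perfect square)


def demo():
    """Run key generation, signing and verification on the constructed instance."""
    K, dL, dR = keygen(L, R)
    m = f_from_trace_det(trace(M), det(M))   # the hash value this M encodes
    S = sign(L, R, K, M)
    return K, S, verify(S, K, dL, dR, m)


if __name__ == "__main__":
    print(demo())
```

With these matrices K = [[9, −17], [−14, 12]], S = [[73, 7], [21, −71]] and m = 66. Altering a single entry of S leaves tests 1 and 2 satisfied but breaks the divisibility of Eq. 12, so the third test rejects it; a signature that passes all three tests but encodes a different hash is caught only by the final comparison, which is the point of Sec. II.D's remark that the tests alone cannot approve a signature.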
III. Intractability Assumptions
The security of the scheme proposed here relies on the assumption that it is a difficult task to factor out a product of matrices, where the elements of each one of these matrices are constrained to satisfy some nonlinear constraints. These constraints are expressed in the present scheme by the function f of the eigenvalues of M and by the determinants of the private key matrices L and R. Judging from the methods currently known for factoring a product of integers, integer factoring appears to be easier than factoring matrices under such constraints.
We will assume that the following problems are intractable:
1. Given N x N matrices A and B whose entries are integers, and integers D_X and D_Y, solve for the matrices X and Y whose entries are integers such that:
XAY = B,
Det(X) = D_X,
Det(Y) = D_Y,
where D_X and D_Y do not divide at least one entry of both A and B.
2. Given N x N matrices A and B whose entries are integers, integers D_X, D_Y and irrationals μ_1 ... μ_N, solve for the matrices X, Y and W whose entries are integers such that:
XWY = B,
XY = A,
Det(X) = D_X,
Det(Y) = D_Y,
where D_X and D_Y do not divide at least one entry of both A and B and
λ_i(W) = μ_i for i = 1, ..., N
where the function λ_i(W) computes the i-th eigenvalue of W.
3. Given N x N matrices A and B whose entries are integers, integers D_X, D_Y, and n and a nonlinear function g({μ_i}), solve for the matrices X, Y and W whose entries are integers such that:
XWY = B,
XY = A,
Det(X) = D_X,
Det(Y) = D_Y,
where D_X and D_Y do not divide at least one entry of both A and B and
g({λ_i(W)}) = n
where the function λ_i(W) computes the i-th eigenvalue of W.
Note that in the last three problems we are factoring a product of matrices under nonlinear constraints. Also, note that the search for the factors of a product of matrices, in contrast to a product of integers, is not limited to a range which is bounded from above by the square root of the product. Finally, note that matrices, in contrast to integers, do not necessarily commute with each other. These facts prevent us from using the known methods for integer factoring and leave us for now only with a naive search method, which seemingly is computationally more difficult than factoring large integers.
IV. Some Unsuccessful Attacks
The purpose of the attacks described in this section is to forge the signature matrix S. The forged signature matrix S' should then pass the verification tests and yield through f({λ_i}) the desired forged m'. These attacks may be divided into two classes, namely trivial attacks and nontrivial. The trivial attacks are shown to be unsuccessful due to the measures taken by the preliminary signature verification procedure as described above in Sec. II.D. The defense against the nontrivial attacks, which are also shown to be unsuccessful, is based on the assumed intractability of the solution to the problems described in Sec. III.
A. Trivial Attacks
In the first trivial attack the forger might generate a matrix M' which has the appropriate eigenvalues (i.e., the desired m' is computed from f({λ_i'})), but since he does not know the secret private key, the matrices L and R, he produces the forged signature matrix S' by multiplying M' with the product matrix LR (= K̃/(Det(R)Det(L))^{N−2})

S' = LRM' (14)

or S' = M'LR (15)

When S' is received, the receiver multiplies it with K (= R̃L̃) and obtains either Det(L)Det(R)M', R̃L̃M'LR or LRM'R̃L̃. This S' does not pass the second and the third verification tests described in Sec. II.D and thus this attack fails.
In a second attack of this kind the forger might try to remedy the problems caused in the previous attack by the second signature verification test, by starting with a forged S' matrix of the form
S' = Det(L)Det(R)D (16)

where D is a matrix of the kind discussed in the previous attack or even of a more general type. However this forgery can be detected already in the first signature verification test, i.e. the test in which the receiver checks whether none of the elements of S (in the present case S'), or at least some of them, are proportional to Det(L)Det(R). The contradicting requirements made by the first test, where not all of the elements of S can be proportional to either Det(L) or Det(R), and by the third test, where all the entries of a product of S must be proportional to Det(L) or Det(R), successfully defeat both of these attacks.

B. Nontrivial Attacks
In the attacks described below, the forger tries to find the private key matrices L and R. He may try to do it in several ways based on the information he obtains from the public key matrix K and from a legal signature matrix S.
In the first attack of this kind, the forger tries to factor the public key matrix K (see Eq.2) into its components R̃ and L̃. Note that here the forger is actually trying to solve problem 1 of Sec. III, where X = R̃, A is the identity matrix I, Y = L̃, and B = K. However if the solution of this problem is indeed intractable, this attack does not succeed.

In a second attack the forger may try to analyze a legal signature matrix S and factor it into its components L, M and R. In doing so the forger is solving problem 2 or 3 of Sec. III, where X = L, W = M, Y = R, and B = S. The forger may factor S either with a constraint in which the resulting message matrix M' should have the same eigenvalues that the original M matrix had (problem 2), or with a constraint in which the eigenvalues of the resulting M matrix satisfy Eq.1 (problem 3). Nevertheless if these problems are indeed intractable, this attack fails.

In a third attack the forger might try to use Eq.6 and Eq.7 in order to find such an S' which results in a pair of forged matrices F'^(R) and F'^(L) whose eigenvalues give a forged m' through Eq.1. Again, the forger tries to solve problem 1 of Sec. III. Here there are two possibilities due respectively to Eq.6 and Eq.7. In the first one X = F'^(R), A = I, Y = (S')^{-1} and B = K while in the second, X = (S')^{-1} and Y = F'^(L). The difficulty the forger is facing here stems from the following points: 1) the requirement that S' should be indivisible by both Det(L) and Det(R) (Eqs.4 and 5), 2) the requirement that F'^(R) is indivisible by Det(R) but all its elements must be divisible by Det(L) (Eqs.8 and 12), and a similar requirement put on F'^(L) (Eqs.9 and 13) and, 3) the requirement that the eigenvalues of the forged F'^(R) and F'^(L) should satisfy the nonlinear relation m' = f({λ_i'}). Due to the assumed difficulty to solve problem 1 of Sec. III for S' and for F'^(R) (or F'^(L)) this attack fails too.

In a fourth attack the forger might analyze a legal signature in order to extract the diagonalization transformation of F^(R) and F^(L). Let P denote the diagonalization matrix of M (i.e. P^{-1}MP is a diagonal matrix), then the diagonalization matrix of F^(R) is PR and the diagonalization matrix of F^(L) is given by PL^{-1}. In Eqs.10 and 11 we see that in case that M is diagonal, then P is the unity matrix and the diagonalization transformation is simply the matrix R (for F^(R) in Eq.10) or the matrix L (for F^(L) in Eq.11). Therefore in that case the private key is immediately revealed. Also note that in case that P is a unimodular matrix and all its entry values are integers, then any M' may yield F^(R) and F^(L) which stand the second and the third preliminary signature verification tests (Eqs.8, 9, 12 and 13) since M', P^{-1}M'P and PM'P^{-1} are matrices of integer entries and have the same eigenvalues. However, once P is not unimodular and not all of its elements are integers, the similarity transformation of M', made with P does not necessarily yield a matrix of integer entries. Therefore two measures are taken against such an attack as described above in Sec. II:
1. The message matrix M is never diagonal and
2. The eigenvalues of M, or at least some of them, are irrational and/or complex.
When these requirements are satisfied, we are guaranteed that P is not the identity matrix and at least some of its entry values are irrational and/or complex. If the forger attempts to use PR and PL^{-1} in order to generate a fraudulent signature matrix of the form LP^{-1}M'PR then he must obtain that some of the entries of S' calculated in this way are irrational and/or complex. When a signature matrix of this kind is received by the addressee, it cannot be correctly represented because the verification process assumes that all the entries are integers. Such a matrix cannot be correctly interpreted since the verification operations are made in full precision and only over the integers. On the other hand, an attempt to solve for M' and S', such that S' = LP^{-1}M'PR is a matrix of integer entries, and the eigenvalues of M' satisfy the nonlinear relation of Eq.1, is equivalent to an iteration of the third attack described before. This attack has already been warded off on grounds of the assumed difficulty to solve problem 1 of Sec. III. Then the best the forger may do with these matrices is to factor the two products PR and PL^{-1}. Since none of the three matrices P, R and L are known to the forger, he is required again to solve problem 1 of Sec. III, which is assumed to be intractable.
V. Security and Efficiency Considerations
The analysis made in the last two sections enables us to generate the key matrices L and R and the message matrix M such that the signature system is both secure and efficient. According to this analysis there are two weak points in the present signature scheme. The first one is described by the first nontrivial attack discussed in the previous section. In order to find the private key matrices R and L from which K is constructed (see Eq.2), it is typically sufficient for the forger to guess all the bits of one of these matrices. Then by substitution of this guess into Eq.2 he may verify whether his guess indeed decomposes K into two matrices whose entries are integers and their determinants are given. Let b_R and b_L respectively denote the number of bits in each entry of R and L. Since the determinant of each one of these matrices is known, the forger should not guess all N² entries of F^(R) and F^(L). One of the entries may be computed from the others and from the knowledge of the determinant. Thus for a security of order k we have

k = (N² − 1) b_L = (N² − 1) b_R (17)

Now for a given k value, the number of bits in each one of the private key matrices follows from Eq.17. Note that the number of multiplications needed to compute K is independent of k, and is of order O(N³). Also note that the number of basic operations needed to compute K is 2N³ b_R b_L = 2N³ k²/(N² − 1)². If the number of bits in each entry of R and L is respectively given by b_R and b_L (Eq.17) then the range from which the forger should guess the private key is of the order O(2^k). It is easy to show that when the measures described above are taken, i.e. the matrices L and R are generated according to Eq.17, then the signature is also protected against the second and the third nontrivial attacks described in Sec. IV.
The second weak point in the scheme is described by the fourth nontrivial attack discussed in the last section. If one can guess the matrix M then he may compute its diagonalization matrix P and find the private key matrices from the diagonalization matrices PR and PL^{-1} of F^(R) and F^(L) respectively. Let b_M denote the number of bits in each entry of M. Since the N eigenvalues of M are known from F^(R) and F^(L), the forger should not guess all N² entries of the message matrix. N entries may be computed from the others and from the knowledge of the N eigenvalues of M. Thus for a security of order k we have

k = (N² − N) b_M (18)

Now the number of bits in M follows from Eq.18. If the number of bits in each entry of M is given by b_M (Eq.18) then the range from which the forger should guess the message matrix is of the order O(2^k).

As is shown next, Eq.18 only provides a lower bound to the total number of bits in the message matrix. The actual value of b_M and the total number of bits in M are determined also by the method by which the matrix M is generated and by the form of the nonlinear function f. The relation between the message integer m and the eigenvalues of M also affects the number of bits in the entries of M. If m is the hash value of the document we want to prevent a collision with the hash value of a forged document. A security parameter of order k implies that the length of the message integer m is given by b_m = 2k. In this case the probability for a collision between a legal document and a forged one is at most of the order of O(2^{−k}).
Consider now the second example given above in Sec. II for the generation of M. In this example M contains 9 elements. Since the 3 eigenvalues are known, only 6 entries are free to be chosen at random. These six entries carry together k secret bits. Thus these parameters are integers of length k/6. However, at least one of the other entries of this message matrix is of length 2k and as a result we find that all the entries of S are approximately 3k bit integers. In other words, since m is a 2k bit integer, all the entries of the signature matrix are of length 3k, at least for a message matrix of the scheme presented in example 2 of Sec. II. This result has a serious consequence: the number of transmitted bits is as large as 3N²k. Perhaps more work may reveal other schemes for generating M such that the number of transmitted bits is smaller; for now we advise to use the simple case N = 2. This case is demonstrated in the next section. The message matrix discussed in the example of Sec. VI contains 4 entries but only two parameters, from which these entries are computed, carry the secret bits, since the two eigenvalues are known. Therefore the length of each one of these parameters should be k. However, at least one of the entries of M is an integer of length 2k, and as a result the entries of the signature matrix are 3k bit integers each. Thus the number of transmitted bits is of the order of 12k. The number of multiplications needed to compute S is O(N³).
VI. A Simple Example
Here we describe an example which demonstrates the new signature. In this example some general parameters of the signature are described first. Next we describe the key generation part, which occurs only once as a preliminary step to signature usage. Then a model for generating M is described together with the signing process, and finally we describe the signature verification step and the document authentication process.
Consider a simple case in which the order of the matrices involved is N = 2 and the nonlinear function of the eigenvalues is given by
f(λ_1, λ_2) = λ_1² + 3λ_1λ_2 + λ_2² (19)

The security parameter taken in this example is k = 18.
A. Key generation
The elements of the private key matrices L and R are chosen from a uniform distribution of 6 bit numbers,
[Eqs. 20 and 21: the private key matrices L and R, given as an image in the original]
The determinants of these matrices are respectively Det(L) = −92 and Det(R) = 4811.
The public key matrix K may be generated from Eqs.20 and 21,
K = ( 633  3253 )
    ( 685  2821 )    (22)

where we note that both Det(L) and Det(R) do not divide any one of the elements of K. Also note that since each entry of L and R is a 6 bit integer the total number of bits in K is 48. A brute force attack to factor K requires 2^18 operations, the safety value chosen for this simple example.
B. The Signing Process
Here the sender starts from the hash value of the document, which is

m = 14748630620 (23)
From Eq.19 he finds that this number should be computed from a message matrix M whose trace and determinant satisfy
m = (Tr(M))² + Det(M) (24)
Since it is required that the eigenvalues of M are complex he chooses the value of the trace such that

[Eq. 25: the condition on the trace, given as an image in the original]

and then he computes the determinant of M using Eqs. 23 and 24. Also if he chooses the trace such that |4m − [remainder of the expression, given as an image in the original]| is not a square, then the eigenvalues are both irrational and complex.
Next the sender generates the message matrix using the following scheme
[Eq. 26: the generation scheme for M, given as an image in the original]

where t is the chosen value of the trace of M, d is the value of M's determinant and the two integers x and y are free to be chosen at random. In the present case the sender chooses t = 108622, from which he computes, using Eqs. 23 and 24, d = 2949891736, and chooses the two random integers x = 480 and y = 282. Now the message matrix is

M = ( -231285038950244  -232105198771360 )
    (  230467777328989   231285039058866 )    (27)

where we note that each entry of M is of length a bit longer than 2k. A brute force attack aimed to find the diagonalization transformation of M, in order to compute R and L, as described in Sec. IV, requires now much more than 2^k operations.
Finally the sender signs the document by computing the signature matrix using Eq.3
[Eq. 28: the signature matrix S, given as an image in the original]
and sends it over to the receiver along with the plain document. Note that the total number of bits in S is about 12k, as has been estimated in Sec. V.
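The sender-side construction of Sec. VI.B, as an added Python example rather than the patent's own code: starting from the hash value m of Eq. 23, pick a trace t, derive d = m − t² from Eq. 24, confirm that the eigenvalues are complex and irrational, and build an integer matrix with that trace and determinant. The matrix parameterisation used here (conjugating the companion matrix of λ² − tλ + d by a unimodular matrix built from the free integers x and y) is this example's own assumption and not the scheme of Eq. 26, so the M it produces differs from Eq. 27 even though t, d, x, y and m are the values quoted in the patent. The admissibility condition is written as 5t² < 4m with 4m − 5t² not a perfect square, which is what the characteristic polynomial of M gives for d = m − t²; its relation to the image-only Eq. 25 is likewise this example's reading.

```python
"""Choosing a 2 x 2 message matrix for a given hash value m (constructed example).

Given m, a trace t and the free integers x, y, build integer M with
Tr(M) = t and Det(M) = d = m - t^2, so that Tr(M)^2 + Det(M) = m (Eq. 24).
The parameterisation below is an assumption of this example, not Eq. 26.
"""
from math import isqrt


def is_square(n):
    return n >= 0 and isqrt(n) ** 2 == n


def trace_is_admissible(m, t):
    """True iff a matrix with trace t and determinant m - t^2 has complex,
    irrational eigenvalues.

    The characteristic polynomial is lambda^2 - t lambda + d with d = m - t^2.
    Complex roots need t^2 < 4 d, i.e. 5 t^2 < 4 m; they are irrational as
    well unless 4 d - t^2 = 4 m - 5 t^2 is a perfect square.
    """
    d = m - t * t
    disc = t * t - 4 * d
    return disc < 0 and not is_square(-disc)


def mul(A, B):
    """Exact 2 x 2 integer product."""
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def message_matrix(m, t, x, y):
    """Integer M with Tr(M) = t, Det(M) = m - t^2, randomised by x and y."""
    if not trace_is_admissible(m, t):
        raise ValueError("choose another trace: eigenvalues must be complex and irrational")
    d = m - t * t
    C = [[0, -d], [1, t]]              # companion matrix: trace t, determinant d
    U = [[1, x], [y, x * y + 1]]       # unimodular (det 1), so its inverse is integral
    Uinv = [[x * y + 1, -x], [-y, 1]]
    return mul(mul(U, C), Uinv)        # similarity transform preserves the eigenvalues


def trace2(A):
    return A[0][0] + A[1][1]


def det2(A):
    return A[0][0] * A[1][1] - A[0][1] * A[1][0]


def m_of(A):
    """Eq. 24: the message value a 2 x 2 message matrix encodes under f of Eq. 19."""
    return trace2(A) ** 2 + det2(A)


# Values quoted in Sec. VI.B of the patent (Eqs. 23 and 27): hash value, trace, free integers.
M_HASH, T, X, Y = 14748630620, 108622, 480, 282

if __name__ == "__main__":
    M = message_matrix(M_HASH, T, X, Y)
    print(M, trace2(M), det2(M), m_of(M) == M_HASH)
```

For the quoted values the check passes (5t² = 58993694420 < 4m = 58994522480, and 4m − 5t² = 828060 lies strictly between 909² and 910²), and the patent's d = 2949891736 is recovered as the determinant. A trace that is too large, such as t = 200000, is rejected because the eigenvalues would be real.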
C. Signature Verification
The first verification step taken by the receiver is to check whether the received signature matrix S satisfies Eqs.4 and 5. Let X and Y denote N x N matrices of integer entries and z an integer. Then by X = Y mod z we mean that X_ij = Y_ij mod z for all 1 ≤ i ≤ N and 1 ≤ j ≤ N. Using this definition the receiver computes the remainder obtained by dividing each entry of S (or at least some of them) by Det(L) and Det(R) and finds

S mod Det(L) = ( -21  -18 )
               (  -1   -6 )    (29)

and

[Eq. 30: S mod Det(R), given as an image in the original]
Since the entries of S are neither divisible by Det(L) nor by Det(R), the receiver does not reject the signature yet. Next he computes F^(R) and F^(L) using Eqs.6 and 7 in order to compute the eigenvalues of the message matrix once the second and the third verification tests are successful.
Figure imgf000038_0002
and
F^(L) = [ -724813662927047829115 -3885690201703619676551 ; 135202452758725693799 724813662878970428451 ] (32)
Indeed in the present case he finds using Eqs.8, 9, 12 and 13
Figure imgf000038_0003
and
F^(R) mod Det(L) = F^(L) mod Det(R) = [ 0 0 ; 0 0 ]. (35)
In other words, the signature has passed the three verification tests.
D. Document Authentication
Now the receiver may compute the trace and determinant of F^(R) or F^(L) in order to get:
Tr(F^(R)) = Tr(F^(L)) = -48077400664 (36)
and
Det(F^(R)) = Det(F^(L)) = 2949891736 (37)
from which he computes
$$\frac{(\mathrm{Tr}(F^{(R)}))^2 + \mathrm{Det}(F^{(R)})}{(\mathrm{Det}(L)\,\mathrm{Det}(R))^2} = \frac{(\mathrm{Tr}(F^{(L)}))^2 + \mathrm{Det}(F^{(L)})}{(\mathrm{Det}(L)\,\mathrm{Det}(R))^2} = m. \qquad (38)$$
Now the receiver compares this value to the hash function of the plain document, Eq.23. Since he finds that the two values are identical, he accepts the document and the signature as authentic.
VII. Conclusion
This work described a new signature scheme. The new scheme invokes the fact that the eigenvalues of a square matrix are insensitive to a similarity transformation. The security of this scheme is based on the fact that there is no known efficient algorithm for factoring a product of matrices under nonlinear constraints. This signature scheme is very efficient since most of the computations involved in the signing, in the verification and in the authentication procedures are linear transformations of matrices (i.e. the number of the involved multiplications depends on the size of the matrix and not on the security requirements). It should be noted however, that while most of the required computations are linear in nature, some of them are not linear, so the system may be considered as a nonlinear one.
This scheme may be a solution to the long standing performance problem from which most of the other ( highly nonlinear in nature ) signature schemes suffer.
It is desirable to think of using linear algebraic methods (in the right blend of nonlinearity) for constructing building blocks for an efficient cryptosystem. Key exchange and public key cryptography may become more efficient due to the ease of use of linear transformations.
The description of the preferred techniques useful in implementing the method of Figs. 1-5 ends here. Preferred techniques useful in implementing the method of Figs. 6- 8 are now described in detail.
VIII. The Generalized Digital Signature Scheme
We assume that all the matrix entries used by the signature scheme are integers and the operations made on these parameters are done in full precision and over the integers.
Let m represent the "message" sent by the signer. It may be the document itself, a compressed version of the document or a hashed version of it. For simplicity we refer to m throughout this work as a hash value of the plain document, although it is not a necessary requirement of the scheme. Let ℒ denote the set of N eigenvalues of an N x N random nondiagonal "message matrix" M (i.e. ℒ =
Figure imgf000041_0001
) and let f be a nonlinear function of ℒ. The message matrix M is chosen such that all its entries are integers and its eigenvalues satisfy
m = f(ℒ) (39)
where f is known both to the signer and to the verifier. The structure of M depends on the specific form chosen for the function f and on the matrix order N. Examples which demonstrate several easy ways to generate M are described in Sec.II.
It is generally required that the eigenvalues of M, or at least some of them, are irrational or complex or both irrational and complex. When this condition is satisfied, the diagonalization transformation of M contains some irrational and/or complex entry values. This property protects the signature scheme against an attack which is described in Sec. IV. It is easy to satisfy the requirement of irrational and/or complex eigenvalues, as is shown in the example presented in Sec. VI. In this example N = 2 and one easily chooses a 2 x 2 matrix whose entries are integers but whose eigenvalues are irrational and complex. It is further generally required that the message matrix should not be transmitted. This requirement protects the scheme against another attack which is described in Sec. IV.
Once the sender has an appropriate message matrix he signs the document by transforming this matrix into a signature matrix using the secret private key and sends it over along with the plain document to the addressee.
A. The private key
The private key is a pair of integer matrices L and R which are typically kept secret by the signer. Note however that the determinants Det(L) and Det(R) are not kept secret from the public since they are used in the verification process.
B. The public key
The main component of the public key comprises the matrices K^(L) and K^(R), given by the following products
K^(L) = W̃ L̃ (40)
and
K^(R) = R̃ W (41)
where W is an integer matrix which is kept secret from the public but whose determinant Det(W) is known to the public, and where X̃ denotes the adjoint matrix of X.
The matrices K^(L) and K^(R) can be found in the public file in association with the name of the signer, together with the function f(ℒ), the determinants Det(L), Det(R) and Det(W) and the order N of the matrix.
Note that Eqs.40 and 41 generalize Eq.2. These equations reduce to Eq.2 when W = R, where K^(L) becomes equal to K, or W = L, where K^(R) becomes equal to K. This generalization of the presented scheme is important in order to protect the private key against the matrix factorization attack described in Sec. X.
It is preferable for the security of the present signature scheme that at least one of the entries of K^(L) is indivisible by Det(L̃) (= (Det(L))^(N-1)) and at least one entry is indivisible by Det(W̃) (= (Det(W))^(N-1)), and similarly that at least one of the entries of K^(R) is indivisible by Det(R̃) (= (Det(R))^(N-1)) and at least one entry is indivisible by Det(W). If for example all the entries of K^(L) are divisible by Det(W̃), then the forger may factor K^(L) using the matrix factorization scheme described in Sec. IV to get W' and L'. Next he may multiply K^(R) by W' from the left and divide all the entries of this product by Det(W). The result of the last computation is the desired R'. Finally the forger computes some private key matrices L'' and R'' from L' and R' respectively, which satisfy the requirements that the original private key matrices L and R are generally required to satisfy. This situation may be avoided in advance by the generator of the public key (who is not necessarily the signer) by testing the matrices L, R and W. When the matrices L, R and W are generated, K^(L) and K^(R) should preferably be tested for compliance with the security requirement described above. If this security requirement is not satisfied by the chosen matrices L, R and W, then another set of matrices should preferably be generated.
C. The signature
The private key matrices L and R are used to transform the message matrix M to form the "signature matrix" S
S = LMR (42)
which is sent to the receiver together with the document. Before sending the signature to the receiver the signer should check if the signature matrix complies with several security requirements. These requirements protect the signature against some attacks which are described in Sec. IV. In addition these requirements also protect the signature against an accidental false alarm of forgery in the verification stage, as described next.
First the signer should check whether the determinants Det(L) and Det(R) do not divide at least some of the entries of S. That is, at least for some pairs of matrix indices (i, j) we have
Det(L) ∤ S_ij (43)
and similarly, at least for some pairs of matrix indices (k, l) we have
Det(R) ∤ S_kl. (44)
This property of S is used in the first verification test, as is shown below. If this requirement is not satisfied, i.e. Det(L) or Det(R) divides all the entries of S, the signer may change M via the free random parameters (see examples in Sec. II) until Eqs.43 and 44 are satisfied. Naturally the probability that Det(L) or Det(R) divides all the entries of S is small.
The signer should further perform the following test. He computes the matrix F
F = K^(L) S K^(R) (45)
and checks whether at least for some pairs of the indices i and j:
Det(W) ∤ F_ij. (46)
This property of F is used in the second verification test, as is shown below. If this requirement is not satisfied, i.e. Det(W) divides all the entries of F, then the signer may change M via the free random parameters (see examples in Sec. II) until the matrix F satisfies Eq.46. Naturally the probability that Eq.46 is not satisfied is small.
Finally note that the matrix S does not have the same eigenvalues as M and that these eigenvalues cannot yield m when used as an input to Eq.39. Since the public typically does not know the matrices L and R, the eigenvalues of M cannot be revealed from S without using the public key. Moreover, it seems impossible to forge a matrix S such that the eigenvalues, computed after using the public key, will be the same as those of M.
D. Signature verification
When the document is received, its signature (i.e. the matrix S) is tested to prevent forgery. In the first test, the receiver may check whether S satisfies Eqs.43 and 44. This test eliminates a trivial forgery which is described in Sec. IV. If the signature does not pass this test, then its authenticity is disproved. If it passes the first verification test the receiver may move on to the second verification test as follows. The receiver computes from S the matrix F according to Eq.45. Then he checks whether F satisfies Eq.46. This test eliminates another trivial forgery attempt which is described in section IV. If the signature does not pass the second verification test, then its authenticity is disproved. If it passes this test the receiver may move on to the third verification test as follows. Note that using Eq.42 and Eqs.40 and 41
Figure imgf000047_0001
F = Det(L)Det(R) W̃ M W = Det(L)Det(R)Det(W) W^(-1) M W. (47)
In other words, F should preferably satisfy the following property for all i and j
F_ij = 0 mod (Det(L)Det(R)). (48)
In the third verification test the receiver checks whether F satisfies Eq. 48. This test, like the previous two verification tests, eliminates another forgery attempt which is described in section IV. If the signature does not pass this verification test, then its authenticity is disproved. If it passes the test the receiver may move on to the authentication test as described below.
Note that the tests described above cannot approve the signature. They may only serve for disproving a signature made with fraudulent keys. A legal signature must stand the first and the second tests because a legal signer is capable of ensuring that S does not fail these tests. A legal signature must stand the third test too because a signature generated with the legal private key must yield the structure of Eq.47. If the signature does not stand one of these tests the receiver may safely reject it. However, once the signature has passed the three tests, the receiver is still not sure whether the signature is authentic and he should preferably perform the last test that is described below.
E. Document authentication
Once the matrix S has passed the tests described above, the receiver computes from it the hash value m as follows. First the receiver computes the eigenvalues of M from F, since this matrix is just a similarity transform of M (except that this transform is also multiplied by Det(L)Det(R), see Eq.47). Then the receiver feeds the eigenvalues to the function f(ℒ) and obtains m. Next the receiver compares m with the hash function of the original message. The received document is considered authentic if the value computed from S and the hash function of the document are found equal.
IX. An Intractable Problem
The security of the scheme proposed here relies on the assumption that given a carefully chosen pair of matrices, say A and B, it is a difficult task to simultaneously factor them over the integers such that one of the factor matrices of A equals one of the factor matrices of B, provided that these factor matrices are on the same side of the product.
We will assume that the following problem is intractable:
Given N x N integer matrices A and B and integers D_A^(L), D_A^(R), D_B^(L) and D_B^(R), where D_A^(L) and D_A^(R) do not divide at least one entry of A and D_B^(L) and D_B^(R) do not divide at least one entry of B, solve for the integer matrices L_A, R_A, L_B and R_B such that:
L_A R_A = A, L_B R_B = B, Det(L_A) = D_A^(L), Det(R_A) = D_A^(R), Det(L_B) = D_B^(L), Det(R_B) = D_B^(R) and either
L_A = L_B
or
R_A = R_B.
It is important to note here that this problem is not intractable at all for certain pairs of matrices A and B. However once these matrices are properly chosen, the simultaneous factorization problem described above becomes intractable. The conditions which make this problem intractable, i.e. the criteria for choosing an appropriate pair of matrices such that their simultaneous factorization is indeed intractable, are discussed in the next section.
X. The Matrix Decomposition Attack
In this attack the forger uses a factorization algorithm in order to break the private key. The security assumption of the method of Figs 1-5 is that such an algorithm is nonpolynomial and thus the scheme proposed in the method of Figs 1-5 is protected as long as this assumption is true. However a matrix factorization algorithm which is polynomial in the security parameter does exist and thus the private key is practically protected only when the security parameter is very large. The scheme presented in Sec. VII generalizes the scheme presented in Sec. II, where we assume that this generalized scheme is not vulnerable to the matrix decomposition attack and thus a small security parameter is sufficient to keep the private key secure. Next we discuss first matrix decomposition over the integers and then we describe the conditions which make simultaneous decomposition of two matrices an intractable problem as described in Sec. IX.
A. Matrix Decomposition Over The Integers
Problem: Given two integers l and r and an N x N integer matrix A such that
Det(A) = lr, (49)
factor matrix A into two integer matrices L and R such that
A = LR (50)
where
Det(L) = l (51)
and
Det(R) = r. (52)
Solution: We shall show that there exist unimodular integer matrices T_A^(L) and T_A^(R) which transform A into a triangular form, i.e. (T_A^(L) A)_ij = 0 for all j > i or for all i > j and similarly (A T_A^(R))_ij = 0 for all j > i or for all i > j. The product of the diagonal elements of either triangular form specified above equals the determinant of A. When the triangular form is obtained it may be easily factored into two triangular matrices L' and R' whose diagonal elements satisfy
∏_i L'_ii = l (53)
and
∏_i R'_ii = r. (54)
Since T_A^(L) and T_A^(R) are unimodular their inverses exist over the integers and thus the solution to the matrix factorization problem is readily obtained
Figure imgf000051_0002
and
Figure imgf000051_0003
where U is an arbitrary unimodular integer matrix. The matrices T_A^(L) and T_A^(R) are each a product of unimodular integer matrices which are in turn capable of nullifying one nondiagonal element of the product matrix. If, for example (for i > j), A_ij ≠ 0 and we want to transform A into a matrix whose (i,j) entry is null, then if A_jj = 0 we first have to multiply A by a unimodular matrix which adds row j to row i. That is
(T_ADD^(L)(i,j) A)_km =
Figure imgf000052_0001
Once A_jj ≠ 0 we generate a transformation matrix T^(L)(i,j) such that
(T^(L)(i,j) A)_ij = 0 (58)
where the structure of the transformation matrix is as follows:
Figure imgf000052_0002
where the subscript "LOWER" denotes the fact that T_LOWER^(L)(i,j) nullifies entries below the main diagonal, where
A'_i = A_ij / g_ij, (60)
A'_j = A_jj / g_ij, (61)
g_ij = gcd(A_ij, A_jj) (62)
and where x_i and x_j solve the Diophantine equation
x_i A'_i + x_j A'_j = 1. (63)
The result of this transformation is
$$(T^{(L)}(i,j)\,A)_{k,m} = \begin{cases} x_j A_{j,m} + x_i A_{i,m} & k = j \\ -A'_i A_{j,m} + A'_j A_{i,m} & k = i \\ A_{k,m} & \text{otherwise} \end{cases} \qquad (64)$$
Note that the (j,j) entry of the last result is x_j A_jj + x_i A_ij = g_ij and in particular note that the (i,j) entry is −A'_i A_jj + A'_j A_ij = 0. Also note that in the process of nullifying the elements below the main diagonal we should start from the first column and move to the right to the next column only after all the elements in the present column are nullified below the main diagonal. The result of this process is a triangular integer matrix where each diagonal entry is the greatest common divisor gcd({C_j}), where {C_j} includes all the nonzero column elements below the main diagonal (including the diagonal element of that column) after the column to the left has been fixed (i.e. all its entries below the main diagonal have been nullified). The upper left transformation matrix T_UPPER^(L)(i,j) for j > i may also be devised for nullifying entries above the main diagonal. Its structure is exactly as the structure of T_LOWER^(L)(i,j) given by Eq.59.
The upper and lower right transformation matrices have the following form
$$(T^{(R)}(i,j))_{k,m} = \begin{cases} 1 & k = m,\ k \neq i \text{ and } k \neq j \\ -A'_j & k = i \text{ and } m = j \\ x_i & k = i \text{ and } m = i \\ A'_i & k = j \text{ and } m = j \\ x_j & k = j \text{ and } m = i \\ 0 & \text{otherwise} \end{cases} \qquad (65)$$
where the subscripts "LOWER" (or "UPPER") have been omitted because both the "upper" and "lower" transformations have the same structure, their only difference is that they apply respectively for i < j or j < i. Similarly to Eqs.60 - 62 we have here
A'_i = A_ii / g_ij, (66)
A'_j = A_ij / g_ij, (67)
g_ij = gcd(A_ij, A_ii), (68)
where x_i and x_j solve the Diophantine equation
x_i A'_i + x_j A'_j = 1. (69)
The result of this transformation is
$$(A\,T^{(R)}(i,j))_{k,m} = \begin{cases} -A_{k,i} A'_j + A_{k,j} A'_i & m = j \\ A_{k,i} x_i + A_{k,j} x_j & m = i \\ A_{k,m} & \text{otherwise} \end{cases} \qquad (70)$$
Note that the (i,i) entry of the last result is A_ii x_i + A_ij x_j = g_ij and in particular note that the (i,j) entry is −A_ii A'_j + A_ij A'_i = 0. Also note that in the process of nullifying the elements below the main diagonal we should start from the last row and move up to the next row only after all the elements in the present row are nullified below the main diagonal. The result of this process is a triangular integer matrix where each diagonal entry is the greatest common divisor gcd({C_i}), where {C_i} includes all the nonzero row elements left of the main diagonal (including the diagonal element of that row) after the column above has been fixed (i.e. all its entries below the main diagonal have been nullified). The upper right transformation matrix T_UPPER^(R)(i,j) for j > i may also be devised for nullifying entries above the main diagonal. Its structure is exactly as the structure of T_LOWER^(R)(i,j); both are given by Eq.65.
Let now B be a lower triangular integer matrix. Then we may decompose B into two lower triangular matrices L' and R' where the diagonal elements of these matrices satisfy Eqs.53, 54 and the following relations
L'_ii R'_ii = B_ii. (71)
The entries of R' below the main diagonal and the entries of L' below the main diagonal are integers chosen such that for all i and j < i they satisfy the Diophantine equation
$$\sum_{k=j}^{i} L'_{i,k} R'_{k,j} = B_{i,j}. \qquad (72)$$
If the R' entries are known then the L' entries may be computed recursively from them as follows
Figure imgf000055_0002
Alternatively, if the L' entries are known then the R' entries may be computed recursively from them as follows
Figure imgf000056_0001
When B is an upper triangular integer matrix the entries above the main diagonal of R' and L' are integers chosen such that for all i and j > i they satisfy the Diophantine equation
$$\sum_{k=i}^{j} L'_{i,k} R'_{k,j} = B_{i,j} \qquad (75)$$
and we have again two alternative decomposition schemes. In the first scheme the entries of L' are computed from the R'_ij recursively as follows
$$L'_{i,j} = \frac{B_{i,j} - \sum_{k=i}^{j-1} L'_{i,k} R'_{k,j}}{R'_{j,j}} \qquad (76)$$
and in the second scheme the entries of R' above the main diagonal are computed from the L' entries recursively as follows
Figure imgf000056_0002
B. Decomposition Of A 2 x 2 Matrix Over The Integers
Here one transformation matrix is sufficient for triangulating A because we either need to nullify the (1,2) entry or the (2,1) entry. However the following cases are possible:
where x2ι2A' + x,xA' = 1
where xltlA[ + xlt2A'21 = 1
Figure imgf000057_0001
Figure imgf000057_0002
where A2 ,2 + xlt2A = 1
Figure imgf000057_0003
Then the obtained triangular matrices are respectively given by:
T^(L) A = (see below), where g = gcd(A_22, A_12)
Figure imgf000057_0004
T^(L) A =
Figure imgf000057_0005
A T^(R), where g = gcd(A_11, A_12)
A T^(R), where g = gcd(A_22, A_21)
Figure imgf000057_0006
The last matrices decompose into integer matrices as follows:
Figure imgf000058_0001
where the parameters g_r and g_l are computed from
g_r = gcd(g, r), g_l = g / g_r. (81)
The integers u_l and u_r are computed as follows
u_l = v_l (x_22 A_21 + x_21 A_11) − n g_l,
u_r = v_r (x_22 A_21 + x_21 A_11) + n r / g_r, (82)
where v_l and v_r solve the Diophantine equation
v_l (r / g_r) + v_r g_l = 1 (83)
and where n is an arbitrary integer.
T^(L) A = [ g_l u_l ; 0 l/g_l ] [ g_r u_r ; 0 r/g_r ] (84)
where the parameters g_r and g_l are computed from
g_r = gcd(g, r), g_l = g / g_r. (85)
The integers u_l and u_r are computed as follows
u_l = v_l (x_11 A_12 + x_12 A_22) − n g_l,
u_r = v_r (x_11 A_12 + x_12 A_22) + n r / g_r, (86)
where v_l and v_r solve the Diophantine equation
v_l (r / g_r) + v_r g_l = 1 (87)
and where n is an arbitrary integer.
Figure imgf000059_0001
where the parameters g_l and g_r are computed from
Figure imgf000059_0002
The integers u_l and u_r are computed as follows
u_l = v_l (A_21 x_11 + A_22 x_21) − n l / g_l,
u_r = v_r (A_21 x_11 + A_22 x_21) + n g_r, (90)
where v_l and v_r solve the Diophantine equation
v_r (l / g_l) + v_l g_r = 1 (91)
and where n is an arbitrary integer.
A T^(R) = [ l/g_l u_l ; 0 g_l ] [ r/g_r u_r ; 0 g_r ] (92)
where the parameters g_l and g_r are computed from
g_l = gcd(g, l), g_r = g / g_l. (93)
The integers u_l and u_r are computed as follows
u_l = v_l (A_12 x_22 + A_11 x_12) − n l / g_l,
u_r = v_r (A_12 x_22 + A_11 x_12) + n g_r, (94)
where v_l and v_r solve the Diophantine equation
v_r (l / g_l) + v_l g_r = 1 (95)
and where n is an arbitrary integer.
C. How To Prevent Simultaneous Decomposition
In the present section we describe how to choose 2 x 2 matrices L, R_1 and R_2 (where R_1 ≠ R_2) such that if we generate A = L R_1 and B = L R_2 the problem described in Sec. IX is indeed intractable if the only decomposition scheme used to solve that problem is the decomposition scheme described in the last section. Similarly, we describe here how to choose 2 x 2 matrices L_1, L_2 (where L_1 ≠ L_2) and R such that if we generate A = L_1 R and B = L_2 R the problem described in Sec. IX is indeed intractable if the only decomposition scheme used to solve that problem is the last decomposition scheme. Since the two problems (i.e., the problem where L is the common matrix factor of A and B and the problem where R is the common matrix factor of A and B) are related to each other, simply by simultaneously factoring A^T and B^T (where the superscript T means "Transpose"), we only have to deal with one of the problems. Consider the pair of public key matrices given in Eqs.40 and 41. If those matrices are of rank 2 then we may write
A = K^(L) = W L
and (96)
B = K^(R) = W R.
The motivation of the discussion of simultaneous decomposition stems from these equations.
It seems that the easiest route the forger may take in an attempt to decompose A and B (where the common matrix factor is on the left) is using T_LOWER^(R) or T_UPPER^(R) for triangulating these matrices. The reason not to use T_LOWER^(L) or T_UPPER^(L) is that the last transformations result in a complicated structure of the "left" common matrix factor of A and B. Using T_LOWER^(R) the forger obtains
Figure imgf000061_0001
where the superscripts (A) and (B) respectively denote the "left" common factor computed from A and from B. Similarly, if the forger uses T_UPPER^(R) he obtains
Figure imgf000061_0002
We observe from the last two equations that if we could choose W, L and R such that
gcd(A_11, A_12, l) ≠ gcd(B_11, B_12, l)
and (99)
gcd(A_22, A_21, l) ≠ gcd(B_22, B_21, l)
then the diagonal elements of W^(A) would be different from the corresponding diagonal elements of W^(B) and the simultaneous decomposition of A and B would be prevented with the present decomposition scheme. The desired properties of A and B, described by the inequalities 99, may be achieved as described next.
Suppose W has the following properties:
Det(W) = l_1 l_2 l_3 (100)
where
gcd(l_1, l_2, l_3) = gcd(W_11, W_12) = gcd(W_21, W_22) = 1. (101)
It is possible to generate a matrix which satisfies these requirements, using the methods described in Sec. II for example.
Using Eq.101 we may define four parameters a_11, a_12, a_21 and a_22 which solve the following equations
Figure imgf000062_0001
and (102)
Figure imgf000062_0002
Then we may define L and R (see Eq.96) as follows:
Figure imgf000063_0001
and (103)
Figure imgf000063_0002
where the parameters n_11^(L), n_12^(L), n_21^(L) and n_22^(L) and the parameters n_11^(R), n_12^(R), n_21^(R) and n_22^(R) are integers relatively prime to l_3 and chosen such that l_3 neither divides the determinant (n_11^(L) n_22^(L) − n_12^(L) n_21^(L)) nor the determinant (n_11^(R) n_22^(R) − n_12^(R) n_21^(R)), and where we note that using this form for L and R we find for A
Figure imgf000063_0003
and (104)
Figure imgf000063_0004
This choice for the public key matrices results in
gcd(A_11, A_12, l) = gcd(A_22, A_21, l) = l_1
and (105)
gcd(B_11, B_12, l) = gcd(B_22, B_21, l) = l_2
(given that the n's are properly chosen), which means that the inequalities 99 are satisfied and a proper simultaneous decomposition of A and B is prevented.
XI. A Simple Example
Here we describe an example which demonstrates the signature scheme. In this example some general parameters of the signature are described first. Next we describe the key generation part, which occurs only once as a preliminary step to signature usage. Then a model for generating M is described together with the signing process, and finally we describe the signature verification step and the document authentication process.
Consider the simple case in which the order of the matrices involved is N = 2 and the nonlinear function of the eigenvalues is given by
f(λ_1, λ_2) = λ_1^2 + 3 λ_1 λ_2 + λ_2^2. (106)
A. Key generation
As described in Sec. X we start with generating W:
W = [ 509 1881 ; 107 291 ]. (107)
The determinant of this matrix is Det(W) = −53148, i.e. l_1 = 43, l_2 = −103 and l_3 = 12. The matrices L and R are chosen such that it is impossible to simultaneously decompose WL and WR. Thus we use the method proposed in the last section (see Eqs.96 - 105 in Sec. X-C) and we generate L and R
Figure imgf000065_0001
and (108)
Figure imgf000065_0002
The determinants of these matrices are respectively Det(L) = 9116 and Det(R) = 159032. If one simultaneously decomposes WL and WR with the method described in the last section she or he finds
Figure imgf000065_0003
and
WR = [ 65796091 19556095 ; -5459 -1751 ] = [ 103 0 ; -395 -516 ] [ 638797 189865 ; -488991 -145339 ]. (109)
In other words, the signature scheme is protected against the factorization method described above in Sec. X. The public key matrices K^(L) and K^(R) may be generated from Eq.109,
Figure imgf000066_0001
and (110)
Figure imgf000066_0002
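To make the column transformation of Eq. 65 and the key-generation test of Eqs. 99 and 105 concrete, here is an added Python example (not the patent's own code) that builds T^(R)(i,j) with the extended Euclidean algorithm, triangularizes the product WR of Eq. 109, and computes the two gcds of Eq. 105 for it; the 3 x 3 matrix C is a constructed input.

```python
"""Right unimodular transformation T^(R)(i,j) of Sec. X.A (Eqs. 65-70) and the
key-generation gcd test of Sec. X.C (inequalities 99, Eq. 105). Added example,
not the patent's code; WR and Det(W) are the page's values (Eqs. 107 and 109),
the 3 x 3 matrix C is constructed here."""
from math import gcd

WR = [[65796091, 19556095], [-5459, -1751]]   # B = W R, Eq. 109
DET_W = -53148                                 # l = Det(W), Eq. 107
C = [[6, 4, 10], [3, 9, 7], [8, 2, 5]]         # constructed, Det(C) = -310


def ext_gcd(a, b):
    """Extended Euclid: (g, x, y) with x*a + y*b = g = gcd(a, b) >= 0, which
    solves the Diophantine equation of Eq. 69 once a and b are divided by g."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return (r0, s0, t0) if r0 >= 0 else (-r0, -s0, -t0)


def identity(n):
    return [[int(k == m) for m in range(n)] for k in range(n)]


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def t_right(a, i, j):
    """Eq. 65: T^(R)(i,j) has x_i at (i,i), x_j at (j,i), A'_i at (j,j), -A'_j at (i,j)
    and the identity elsewhere, with g = gcd(A_ij, A_ii), A'_i = A_ii/g, A'_j = A_ij/g
    and x_i A'_i + x_j A'_j = 1.  Then (A T)_ii = g and (A T)_ij = 0 (Eq. 70).
    ext_gcd also handles A_ii = 0, so the row-adding step of Eq. 57 is not needed."""
    n = len(a)
    t = identity(n)
    if a[i][j] == 0:
        return t
    g, x_i, x_j = ext_gcd(a[i][i], a[i][j])
    ap_i, ap_j = a[i][i] // g, a[i][j] // g
    t[i][i], t[j][i] = x_i, x_j
    t[j][j], t[i][j] = ap_i, -ap_j
    return t


def lower_triangularize(a):
    """Nullify every (i,j) with j > i, row by row, by right-multiplying with T^(R)(i,j).
    Each factor has determinant 1, so Det(A) is preserved and equals the product of
    the diagonal of the result; each diagonal entry is a gcd of entries of its row."""
    for i in range(len(a)):
        for j in range(i + 1, len(a)):
            a = matmul(a, t_right(a, i, j))
    return a


def is_lower_triangular(a):
    return all(a[i][j] == 0 for i in range(len(a)) for j in range(i + 1, len(a)))


def diagonal_product(a):
    p = 1
    for i in range(len(a)):
        p *= a[i][i]
    return p


def row_gcds(b, l):
    """The two gcds of Eq. 105 for a 2 x 2 public-key matrix and l = Det(W):
    gcd(B_11, B_12, l) and gcd(B_22, B_21, l); the page relates them to the
    diagonal of the left factor W^(A) or W^(B) of Eqs. 97-99."""
    return gcd(gcd(b[0][0], b[0][1]), l), gcd(gcd(b[1][1], b[1][0]), l)


def prevents_simultaneous_decomposition(a, b, l):
    """Inequalities 99: both gcds of A must differ from the corresponding gcds of B;
    the key generator should pick new L, R or W when this returns False."""
    ga, gb = row_gcds(a, l), row_gcds(b, l)
    return ga[0] != gb[0] and ga[1] != gb[1]


if __name__ == "__main__":
    print("WR triangularized:", lower_triangularize(WR))   # diagonal 103, -82060512
    print("gcds of Eq. 105 for WR:", row_gcds(WR, DET_W))  # (103, 103) = |l_2|
    print("C triangularized:", lower_triangularize(C))
```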
B. The Signing Process
Here the sender starts from the hash value of the document, which is
m = 14748630620 (111)
From Eq.106 he finds that this number should be computed from a message matrix M whose trace and determinant satisfy
m = (Tr(M))^2 + Det(M) (112)
Since it is generally required that the eigenvalues of M are complex he chooses the value of the trace such that
Figure imgf000066_0003
and then he computes the determinant of M using Eqs.111 and 112. Also if he chooses the trace such that |4m − 5(Tr(M))^2| is not a square, then the eigenvalues are both irrational and complex. Next the sender generates the message matrix using the following scheme
Figure imgf000067_0001
where t is the chosen value of the trace of M, d is the value of M's determinant and the two integers x and y are free to be chosen at random. In the present case the sender chooses t = 108622, from which he computes, using Eqs.111 and 112, d = 2949891736, and chooses the two random integers x = 480 and y = 282. Now the message matrix is
M = [ -231285038950244 -232105198771360 ; 230467777328989 231285039058866 ] (115)
and finally the sender signs the document by calculating the signature matrix using Eq.42
S = [ -11111772428992607226852821 -3302833328981543725604649 ; 81956618358650958652388835 24360564651170929771943023 ] (116)
and sends it over to the receiver along with the plain document.
C. Signature Verification
The first verification step taken by the receiver is to check whether the received signature matrix S satisfies Eqs.43 and 44. Let X and Y denote N x N integer matrices and z an integer. Then by X = (Y mod z) we mean that X_ij = (Y_ij mod z) for all 1 ≤ i ≤ N and 1 ≤ j ≤ N. Using this definition the receiver computes the remainder obtained by dividing each entry of S (or at least some of them) by Det(L) and Det(R) and finds
S mod Det(L) = [ 5259 8003 ; 8639 1219 ]
and (117)
S mod Det(R) = [ 20907 70447 ; 77979 82111 ].
Since the entries of S are neither divisible by Det(L) nor by Det(R), the receiver does not reject the signature yet. Next he computes F using Eq.45 in order to compute the eigenvalues of the message matrix once the second and the third verification tests are successful.
F = [ 84062589711013944386998693792 -627283450582392398376735198688 ; 11265272474612570455078241248 -84062589719383329622459797664 ] (118)
Indeed in the present case she or he finds using Eq.46
F mod Det(W) = -17716 [ 2 1 ; 2 1 ] (119)
and using Eq.48
F mod (Det(L)Det(R)) = [ 0 0 ; 0 0 ]. (120)
In other words, the signature has passed the three verification tests.
D. Document Authentication
Now the receiver may compute the trace and determinant of F in order to get m:
$$\frac{(\mathrm{Tr}(F))^2 + \mathrm{Det}(F)}{(\mathrm{Det}(L)\,\mathrm{Det}(R)\,\mathrm{Det}(W))^2} = 14748630620$$
Now the receiver compares this value to the hash function of the plain document, Eq.111. Since she (or he) finds that the two values are identical, he accepts the document and the signature as authentic.
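The signing checks of Sec. XI.B and the verification and authentication of Secs. XI.C and XI.D, as an added Python example (not the patent's own code) run on the numbers printed above: m, Det(W), Det(L), Det(R), M, S and F. Since L, R, K^(L) and K^(R) are only given as images, F is taken from Eq. 118 rather than recomputed, and message_matrix uses a constructed scheme of my own in place of the page's Eq. 114.

```python
"""Signer-side checks (Sec. XI.B) and the receiver's three verification tests and
authentication (Secs. XI.C-D) for the N = 2 example, using the values on the page.
Added example, not the patent's code. L, R, K^(L), K^(R) are images on the page,
so F (Eq. 118) is used as given instead of being recomputed from S."""
from math import isqrt

# Values printed in Sec. XI of the page
M_HASH = 14748630620                          # Eq. 111, hash value m of the document
DET_W, DET_L, DET_R = -53148, 9116, 159032    # Det(W) of Eq. 107; Det(L), Det(R) below Eq. 108
T = 108622                                    # trace chosen by the signer
M = [[-231285038950244, -232105198771360],
     [230467777328989, 231285039058866]]      # Eq. 115, message matrix
S = [[-11111772428992607226852821, -3302833328981543725604649],
     [81956618358650958652388835, 24360564651170929771943023]]  # Eq. 116, S = LMR
F = [[84062589711013944386998693792, -627283450582392398376735198688],
     [11265272474612570455078241248, -84062589719383329622459797664]]  # Eq. 118, F = K^(L) S K^(R)


def trace(a):
    return a[0][0] + a[1][1]


def det(a):
    return a[0][0] * a[1][1] - a[0][1] * a[1][0]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def f_of_eigenvalues(tr, d):
    """Eq. 106, f = l1^2 + 3 l1 l2 + l2^2, evaluated through Tr = l1 + l2 and
    Det = l1 l2, which gives Tr^2 + Det (Eq. 112); exact over the integers."""
    return tr * tr + d


def choose_determinant(m, t):
    """Signer: once the trace t is fixed, Eq. 112 forces Det(M) = m - t^2."""
    return m - t * t


def eigenvalues_complex_and_irrational(t, d):
    """The eigenvalues of M are the roots of x^2 - t x + d. They are complex when the
    discriminant t^2 - 4d (= 5t^2 - 4m) is negative, and then irrational when
    |4m - 5t^2| is not a perfect square: the two conditions of Sec. XI.B."""
    disc = t * t - 4 * d
    return disc < 0 and isqrt(-disc) ** 2 != -disc


def message_matrix(t, d, x, y):
    """Constructed scheme (my assumption; the page's Eq. 114 is an image): conjugate
    the companion matrix of x^2 - t x + d by the unimodular U = [[1, x], [y, 1 + xy]].
    Trace t and determinant d are preserved and every entry stays an integer."""
    companion = [[0, -d], [1, t]]
    u = [[1, x], [y, 1 + x * y]]
    u_inv = [[1 + x * y, -x], [-y, 1]]        # exact inverse because Det(U) = 1
    return matmul(matmul(u, companion), u_inv)


def divides_all(z, a):
    return all(e % z == 0 for row in a for e in row)


def verify_signature(s, f, det_l, det_r, det_w):
    """The three verification tests; returns the number of the first failed test or None.
    Test 1 (Eqs. 43-44): Det(L) and Det(R) must not divide every entry of S.
    Test 2 (Eq. 46):     Det(W) must not divide every entry of F.
    Test 3 (Eq. 48):     Det(L)Det(R) must divide every entry of F, by Eq. 47."""
    if divides_all(det_l, s) or divides_all(det_r, s):
        return 1
    if divides_all(det_w, f):
        return 2
    if not divides_all(det_l * det_r, f):
        return 3
    return None


def authenticate(f, det_l, det_r, det_w):
    """Recover m from F. By Eq. 47, F = Det(L)Det(R) W~ M W = c W^-1 M W with
    c = Det(L)Det(R)Det(W), so Tr(F) = c Tr(M), Det(F) = c^2 Det(M) and
    (Tr(F)^2 + Det(F)) / c^2 = m. Returns None if the division is not exact."""
    c2 = (det_l * det_r * det_w) ** 2
    total = f_of_eigenvalues(trace(f), det(f))
    return total // c2 if total % c2 == 0 else None


if __name__ == "__main__":
    d = choose_determinant(M_HASH, T)
    print("Det(M) =", d, "; complex and irrational eigenvalues:",
          eigenvalues_complex_and_irrational(T, d))
    print("page M: trace", trace(M), "det", det(M))
    print("first failed verification test:", verify_signature(S, F, DET_L, DET_R, DET_W))
    print("recovered m:", authenticate(F, DET_L, DET_R, DET_W), "expected:", M_HASH)
```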
It is appreciated that the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.
It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the claims that follow:

Claims

1. A method for receiving and authenticating a digital signature on an electronic document received from a sender, the method comprising: receiving a message comprising a sender ID portion, a first message portion and a second message portion m, characterized in that if said message is an authentic message, the first message portion of said message comprises a product L x M x R where M is an integer matrix having eigenvalues characterized in that the second message portion m is a non-linear function f of at least some of said eigenvalues; applying a transformation to the first message portion, including: multiplying the first message portion by a key corresponding to said sender ID portion, thereby to define a product matrix, wherein the key is proportional to a product R x L, wherein R and L are adjoints of integer matrices R and L respectively which are both secrets of the sender; computing eigenvalues of said product matrix; and applying the non-linear function f to the eigenvalues of said product matrix, thereby to generate a transformed first message portion; and authenticating the message by comparing the transformed first message portion to the second message portion.
2. A method according to claim 1 wherein said sender ID portion and first and second message portions are included in a single packet.
3. A method according to claim 1 wherein said sender ID and said first and second message portions are included in at least two different packets.
4. A method for signing and sending a digital signature on a digital document represented by a document derived integer m to a receiver which authenticates the digital signature, the method comprising: applying a secret transformation to the document derived integer m, thereby to generate a transformed document, L x M x R, where L and R are integer matrices which are secrets known only to said sender and M is an integer matrix having eigenvalues characterized in that the document derived integer m is a non-linear function f, known to the sender and to the receiver, of at least some of said eigenvalues; and sending a message comprising a sender ID portion, the transformed document L x M x R and the document derived integer m.
5. A method according to any of the preceding claims wherein said document derived integer represents a compressed document.
6. A method according to claim 4 and wherein said non-linear function f is computable in polynomial time from said eigenvalues.
7. A method according to any of the preceding claims wherein said function f comprises a public function.
8. A method according to any of the preceding claims wherein said key comprises a public key.
9. A method by which a receiver receives and authenticates a digital signature on an electronic document received from a sender, the method comprising: receiving a message comprising a sender ID portion, a first message portion and a second message portion, characterized in that if said message is an authentic message, the second message portion of said message comprises a nonlinear function, known to the sender and to the receiver, of eigenvalues of a matrix representing said first message portion; applying a linear algebraic integer based transformation to the first message portion, thereby to generate a transformed first message portion; and authenticating the message by comparing the transformed first message portion to the second message portion.
10. Apparatus for transmitting a digital signature on an electronic document received from a sender, the apparatus comprising: a linear algebraic key constructing unit operative to construct and distribute at least one key comprising at least one matrix; and a linear algebraic document signing unit operative to perform a linear algebraic document signing procedure including generating a message including a digital document, sender ID and signature matrix.
11. Apparatus according to claim 10 and also comprising a linear algebraic document authenticator operative to authenticate said digital document by applying at least one linear algebraic operation to said digital document.
12. Apparatus according to claim 10 or claim 11 and also comprising a linear algebraic matrix verifier operative to verify the signature matrix.
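The sender side of claim 4 and the receiver side of claim 1, worked through as an added example in exact integer arithmetic (this is not code from the patent or its applicant). Assumptions: the secret matrices L and R have determinant 1 so that their adjugates are exact integer inverses and the key adj(R) x adj(L) is exactly R^-1 L^-1; the eigenvalues of M are taken from bytes of the SHA-256 digest of the document; the public non-linear f is an arbitrary symmetric polynomial; the sender ID portion is omitted.

```python
import hashlib
from fractions import Fraction
def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
def faddeev_leverrier(A):
    """Exact charpoly coefficients c (det(xI - A) = sum c[k] x^(n-k)) and the adjugate adj(A)."""
    n = len(A)
    c, Mk = [1], [[0] * n for _ in range(n)]
    for k in range(1, n + 1):
        Mk = matmul(A, Mk)
        for i in range(n):
            Mk[i][i] += c[-1]                      # M_k = A M_{k-1} + c_{k-1} I
        AMk = matmul(A, Mk)
        c.append(-Fraction(sum(AMk[i][i] for i in range(n)), k))
    return [int(x) for x in c], [[int((-1) ** (n - 1) * x) for x in row] for row in Mk]
def integer_roots(c):
    """Integer roots, with multiplicity, of a monic integer polynomial (no floating point)."""
    roots = []
    while len(c) > 1:
        cands = [0] if c[-1] == 0 else [s * d for d in range(1, abs(c[-1]) + 1)
                                        if c[-1] % d == 0 for s in (1, -1)]
        r = next((x for x in cands if sum(ci * x ** (len(c) - 1 - i) for i, ci in enumerate(c)) == 0), None)
        if r is None:
            raise ValueError("non-integer eigenvalue")
        q = [c[0]]
        for ci in c[1:-1]:
            q.append(ci + r * q[-1])               # synthetic division by (x - r)
        roots, c = roots + [r], q
    return sorted(roots)

def f(eigs):                                       # assumed public non-linear f, symmetric in the eigenvalues
    return sum(x * x * x + x * x for x in eigs)
def sign(document, L, R, n=3):
    """Sender (claim 4): document-derived eigenvalues (assumed: SHA-256 bytes) on the diagonal of a triangular M."""
    h = hashlib.sha256(document).digest()
    eigs = [2 + h[i] % 7 for i in range(n)]
    M = [[eigs[i] if i == j else int(j > i) for j in range(n)] for i in range(n)]
    return matmul(matmul(L, M), R), f(eigs)        # message: S = L M R and m = f(eigenvalues)
def make_key(L, R):                                # public key (claim 1): adj(R) x adj(L)
    return matmul(faddeev_leverrier(R)[1], faddeev_leverrier(L)[1])
def verify(S, m, key):
    """Receiver (claim 1): S x key = det(L)det(R) L M L^-1; with det L = det R = 1 its eigenvalues are M's."""
    try:
        return f(integer_roots(faddeev_leverrier(matmul(S, key))[0])) == m
    except ValueError:                             # non-integer eigenvalues: S is not of the form L M R
        return False
# Constructed secret matrices, both of determinant 1 (so their adjugates are exact integer inverses)
L_SECRET = [[2, 3, 1], [1, 2, 1], [1, 1, 1]]
R_SECRET = [[1, 1, 0], [2, 3, 1], [0, 1, 2]]
```

A receiver that holds only the key never sees L, R or M; it recovers M's eigenvalues from the similarity S x key and checks f of them against the transmitted m.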
Priority Applications (1)

Application Number Priority Date Filing Date Title
AU70760/98A AU7076098A (en) 1997-04-24 1998-04-23 Apparatus and method for signing and authenticating digital signatures

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL12072097A IL120720A (en) 1997-04-24 1997-04-24 Apparatus and method for signing and authenticating digital signatures
IL120720 1997-04-24

Publications (1)

Publication Number Publication Date
WO1998048539A1 true WO1998048539A1 (en) 1998-10-29

Family

ID=11070068

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL1998/000194 WO1998048539A1 (en) 1997-04-24 1998-04-23 Apparatus and method for signing and authenticating digital signatures

Country Status (3)

Country Link
AU (1) AU7076098A (en)
IL (1) IL120720A (en)
WO (1) WO1998048539A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112929173A (en) * 2021-03-17 2021-06-08 讯翱(上海)科技有限公司 Digital certificate authentication method based on signature recognition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5295188A (en) * 1991-04-04 1994-03-15 Wilson William J Public key encryption and decryption circuitry and method
US5483597A (en) * 1992-12-30 1996-01-09 Stern; Jacques Authentication process for at least one identification device using a verification device and a device embodying the process
US5581615A (en) * 1993-12-30 1996-12-03 Stern; Jacques Scheme for authentication of at least one prover by a verifier

Also Published As

Publication number Publication date
IL120720A (en) 1999-10-28
IL120720A0 (en) 1997-08-14
AU7076098A (en) 1998-11-13

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AT AU AZ BA BB BG BR BY CA CH CN CU CZ CZ DE DE DK DK EE EE ES FI FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 1998545382

Format of ref document f/p: F

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA