Cayley-Purser Algorithm

The Cayley-Purser algorithm is a public-key cryptography algorithm that relies on the fact that matrix multiplication is not commutative. It was devised by Sarah Flannery (then age 16), inspired by ideas of Michael Purser, for a Young Scientist competition in 1998. Flannery named the algorithm after Purser and Arthur Cayley (the inventor of matrices).

The Cayley-Purser algorithm uses only modular matrix multiplication instead of modular exponentiation, and is much faster than other public-key algorithms for large moduli (e.g., about 20 times faster than RSA encryption for a 200-digit modulus). While the algorithm at first seemed to be as secure as RSA, it was subsequently shown that messages encrypted with this algorithm can be readily decrypted by knowledge of public data alone.

Setup for the Cayley-Purser algorithm proceeds as follows.

1. Choose two large primes p and q, and let n=pq. The primes p and q should both be of the form 2p_1+1, where p_1 is also prime.

2. Choose matrices C and A at random from GL_2(Z_n) (the general linear group of 2×2 invertible matrices whose entries are integers modulo n) so that CA!=AC.

3. Choose r in N and let G=C^r.

4. Let B=C^(-1)A^(-1)C.

5. Publish A, B, G, and n. Keep secret the matrix C, which is needed for decryption.

To encrypt, use the following procedure.

1. Represent the message as a 2×2 matrix mu with entries in Z_n.

2. Choose s in N at random.

3. Let E=G^(-s)AG^s.

4. Let K=G^(-s)BG^s.

5. Encrypt mu as gamma=KmuK.

6. Transmit the pair (gamma,E).

Decryption is performed as follows.

1. Let L=C^(-1)EC.

2. Then mu=LgammaL. Since G and C commute, we have


Because n is the product of two large, unknown primes, it is computationally difficult to determine the original matrix C via G=C^r. In addition, solving


for C is intractable since, as a result of the way p and q are chosen, the order of the center of A in GL(Z_n) will be at least (p-1)(q-1)/4 with probability 1-(p-1)/2-(q-1)/2+(p-1)(q-1)/4.

However, it is not necessary to know C to decrypt messages; knowledge of a multiple of C is sufficient, since if H=aC, it follows that


If the matrix G is derogatory, (that is, if G is reduced modulo p or modulo q, the result is a scalar multiple of the identity), then n can be factored as GCD(g_(11)-g_(22),g_(12),g_(21),n). With a factorization of n in hand, determining the solution to C=G^r in GL_2(Z_n) is not difficult.

If G is nonderogatory, then a multiple of H of C can be determined as follows. Since G=C^r, then by the Cayley-Hamilton theorem, there are integers u and v so that C=uI+vG. Consequently, there is a matrix H=v^(-1)C=hI+G for some as yet unknown value of h.

Also observe that






This allows h, and hence H, to be determined. The matrix H can be used in place of C in the decryption step.

See also

Public-Key Cryptography, RSA Encryption

This entry contributed by Scott Sutherland

Explore with Wolfram|Alpha


Flannery, S. and Flannery, D. In Code: A Mathematical Journey. London: Profile Books, 2000.

Referenced on Wolfram|Alpha

Cayley-Purser Algorithm

Cite this as:

Sutherland, Scott. "Cayley-Purser Algorithm." From MathWorld--A Wolfram Web Resource, created by Eric W. Weisstein.

Subject classifications