NEW RESULTS IN GROUP THEORETIC CRYPTOLOGY
by Michal Sramka
A Dissertation Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Florida Atlantic University, Boca Raton, Florida
UMI Number: 3239161
UMI Microform 3239161. Copyright 2007 by ProQuest Information and Learning Company. All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code.
ProQuest Information and Learning Company, 300 North Zeeb Road, P.O. Box 1346, Ann Arbor, MI 48106-1346
NEW RESULTS IN GROUP THEORETIC CRYPTOLOGY
by Michal Sramka
This dissertation was prepared under the direction of the candidate's dissertation advisor, Dr. Spyros S. Magliveras, Department of Mathematical Sciences, and has been approved by the members of his supervisory committee. It was submitted to the faculty of The Charles E. Schmidt College of Science and was accepted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.
My foremost thanks go to my advisor and committee chair, Spyros Magliveras, for his guidance, encouragement, and support. Without him, this dissertation would not have been possible. I thank him for his kindness and patience that helped during the difficult times, and for his insights and suggestions that shaped my academic and research skills.
I thank the members of my committee, Professors Frederick Hoffman, Lee C. Klingler, and Ronald C. Mullin, who have dedicated their time to read and improve my dissertation, and provided invaluable help.
It has been a great privilege to spend several years in the Department of Mathematical Sciences at Florida Atlantic University. It has been a great pleasure working with the faculty, staff, and fellow graduate students. Many of these people have inspired, guided, and helped me during the time I worked on this dissertation.
Finally, I would like to thank my family, my friends who are too numerous to mention, and all who trusted and supported me over the years. Thank you all; you will always remain dear to me.
Author: Michal Sramka
Title: New Results in Group Theoretic Cryptology
Institution: Florida Atlantic University
Dissertation Advisor: Dr Spyros S Magliveras
Degree: Doctor of Philosophy
Year: 2006
With the publication of Shor's quantum algorithm for solving discrete logarithms in finite cyclic groups, a need for new cryptographic primitives arose; namely, for more secure primitives that would prevail in the post-quantum era.
The aim of this dissertation is to exploit some hard problems arising from group theory for use in cryptography. Over the years, there have been many such proposals. We first look at two recently proposed schemes based on some form of a generalization of the discrete logarithm problem (DLP), identify their weaknesses, and cryptanalyze them.
By applying the expertise gained from the above cryptanalyses, we define our own generalization of the DLP to arbitrary finite groups. We show that such a definition leads to the design of signature schemes and pseudo-random number generators with provable security under a security assumption based on a group theoretic problem. In particular, our security assumption is based on the hardness of factorizing elements of the projective special linear group over a finite field in some representations. We construct a one-way function based on this group theoretic assumption and provide a security proof.
3 The Encryption Scheme of Kashyap et al.
4.3 Summary
5 The Public-Key Cryptosystem of Wagner and Magyarik
5.1 The word choice problem
5.2 The Wagner-Magyarik (WM) cryptosystem and its critique
5.3 Our PKC based on finitely presented transformation groups
5.3.2 Additional observations and proofs
6 A Generalization of the DLP and Construction of OWFs
6.2 The discrete logarithm problem for Sy(·)
6.3 A construction of one-way functions
6.4 The projective special linear group $\mathrm{PSL}_2(\mathbb{F}_p)$
6.4.1 A concrete instance of OWFs
6.5 Summary and open problems
Bibliography
1 Introduction
The word cryptology was formed from the Greek words kryptós (hidden) and lógos (word).
In today's information society, cryptology as the science of hidden, disguised information has become one of the main tools for secure communication, privacy, trust, access control, electronic payments, electronic voting, and for countless other applications.
Cryptology is concerned with three dominant areas: cryptography, the science of designing secure schemes; cryptanalysis, the science of breaking them; and steganography, the science of hiding information by concealing the communications channel.
In the past, the use of cryptography was a privilege reserved for armies, governments, and highly skilled specialists. This is no longer true. Cryptographic schemes have become available to everyone.
The main idea behind cryptanalysis is to find and exploit weaknesses or insecurity in cryptographic schemes. Cryptanalysis might be undertaken by a hostile attacker attempting to subvert a system, or simply by a system designer wishing to evaluate whether the proposed cryptographic scheme is secure. The results of cryptanalysis can be (and often are) used in cryptography to design more secure schemes.
As cryptography evolved over decades and centuries, so did cryptanalysis. One important result from cryptanalysis says that cryptographic schemes based on the integer factorization problem or the discrete logarithm problem can be efficiently broken on a quantum computer [29].
From this follows one of the motivations to design new cryptographic schemes. In particular, the result of P. Shor [29] and the possibility of the existence of quantum computers motivate the design of schemes that would withstand attacks by a quantum computer, so that these schemes would survive in the post-quantum era. There are two other commonly accepted motivations for proposing new cryptographic schemes. The first is to propose a scheme that is more efficient in some way compared to other known schemes. The second motivation is to propose a scheme that is provably secure.
1.1 Goals of the dissertation
This dissertation presents results from four research papers that in one way or another contribute to the area of group theoretic cryptology. Although the four papers do not necessarily explore cryptographic schemes based on the same underlying mathematical problem, the outcome of the research follows the goal of the dissertation: to study and cryptanalyze selected existing proposals in order to gain knowledge about group theoretic problems suitable for cryptographic purposes.
Two major goals of this dissertation are to propose a Wagner-Magyarik-like public-key cryptosystem based on combinatorial group theory, and to define a generalization of the traditional discrete logarithm problem (DLP) to non-cyclic, preferably non-abelian, groups. As a consequence, we use this definition to build one-way functions that lead to provably secure cryptographic schemes. Finally, a significant aim of this dissertation is to present selected cryptanalytic attacks which compromise recent cryptographic schemes based on group theory.
Our motivation follows from the belief that many of the known decision and computation problems coming from group theory cannot be efficiently solved on a quantum computer. This belief is supported by the fact that some group theoretic decision problems are in fact algorithmically unsolvable (e.g., the word problem, as defined by Max Dehn in 1911).
Our approach to the goals of this dissertation follows the path mentioned in the previous paragraphs. In essence, we first study similar proposals by other authors, learn the advantages and tricks, discover and criticize the drawbacks, and when possible, cryptanalyze these proposals. The knowledge from cryptanalysis provides us with ways to avoid many common and trivial problems.
In my first paper [31], I consider a proposed extension of the traditional DLP in a cyclic group to two generators of this group. A simple cryptanalysis of the proposal reveals the computational triviality of such an extension and an equivalence with a known cryptographic scheme. This paper was accepted for publication in a refereed journal, but has not yet appeared. The research of my cryptanalysis of this scheme was presented at the 2nd Annual Science Research Symposium & Expo at FAU on September 21, 2006 and at the Algebra-Crypto Seminar at FAU in Fall 2006.
My second paper [32] discusses a key exchange scheme based on a simple extension of the DLP to two non-commuting elements. We provide a cryptanalysis of the scheme by exhibiting a procedure for significantly reducing the computational effort required to solve such an extension of the DLP in general abstract groups and also in the proposed matrix groups. My research in this paper was presented at the 20th Midwest Conference on Combinatorics, Cryptography and Computing in Wichita, Kansas on October 5-7, 2006. The paper has been submitted to the Journal of Combinatorial Mathematics and Combinatorial Computing, which will publish the proceedings of the conference. Parts of the research from the paper were also presented at the Algebra-Crypto Seminar at FAU in Fall 2006.
In my third paper [3], the cryptanalysis of a cryptosystem based on the word problem in abstract groups leads to the design of another, more secure public-key cryptosystem. This is an example of a straightforward application of cryptanalytic results in cryptography. The research contained in this paper was presented at the WartaCrypt '04 conference in Bedlewo, Poland on July 1-3, 2004. Parts of the research were also presented at the Southeastern Weekend Algebra Meeting in Hammond, Louisiana on November 5-7, 2004; at the 69th Florida Academy of Sciences Annual Meeting in Tampa, Florida on March 18-19, 2005; and at the Algebra-Crypto Seminar at FAU in Fall 2004.
My fourth paper (not yet submitted for publication) included in this dissertation deals with the definition of a generalized DLP for finitely generated non-abelian groups, and the necessary theory to construct a provably secure pseudo-random number generator and a provably secure signature scheme. In particular, the projective special linear group over a finite field of prime order is used, for which the security assumption is believed to hold. This research was presented at the Southeastern Algebra Conference in Auburn, Alabama.
1.2 Outline of the dissertation
Today, there is a vast amount of cryptologic research and publications. For the purpose of making this dissertation more self-contained, we provide crucial definitions and known results in the "Preliminaries" section. This includes the definition of the traditional discrete logarithm problem in a cyclic group, its complexity, known attacks, and basic schemes based on the DLP. Some topics from combinatorial group theory and complexity theory related to cryptography are also presented there.
The four sections following the "Preliminaries" section closely follow the four papers mentioned in the previous paragraphs. Each research topic is summarized and concluded at the end of the particular section.
• Section 3 contains cryptanalysis of a recently proposed public-key cryptosystem. The encryption scheme is based on a DLP in a cyclic group with two distinct generators: given $\gamma := \alpha^a\beta^b$ in a cyclic group with $\alpha$ and $\beta$ two distinct generators, the problem is to determine the integers $a$ and $b$. We criticize the usefulness of such an extension of the DLP and show that the proposed encryption scheme is in fact equivalent to the ElGamal encryption scheme.
• Section 4 presents a way to obtain factorizations of some group elements. The idea for this research comes from a proposed key exchange scheme. Specifically, we provide algorithms to factorize elements of the form $\alpha^a\beta^b$, where $\alpha$ and $\beta$ are two non-commuting elements in a group $G$. We establish the complexity of our algorithms in the worst case, show how they can break the proposed key exchange scheme, and conclude that the complexity of our algorithms is significantly lower compared to the complexity of the best known attacks on the scheme.
• Section 5 deals with a critique and cryptanalysis of a public-key cryptosystem based on combinatorial group theory. The knowledge gained from researching the cryptosystem leads to a proposal of a new encryption scheme based on properties similar to those analyzed. In particular, our inspiration comes from the Wagner-Magyarik idea of exploiting the word problem in cryptography, but we also use finitely presented transformation groups, i.e., groups acting on words over some alphabet.
• Finally, Section 6 contains our definition and extension of the traditional DLP to finitely generated non-abelian groups. We explore properties of such a DLP, and its usage in a generic construction of provably secure pseudo-random number generators and provably secure signature schemes. We explore $\mathrm{PSL}_2(\mathbb{F}_p)$, the 2-dimensional projective special linear group over a finite field of prime order, for which our security assumption appears to hold. We conclude that such groups are suitable for the construction of cryptographically secure one-way functions and consequently for the construction of secure cryptographic tools.
Using the well-known notion of a deterministic Turing machine, we define the class P as the class of languages that can be recognized by a deterministic polynomial-time Turing machine. That is, each language in P can be recognized in deterministic polynomial time.
We denote by NP the class of languages for which there exist short proofs (succinct certificates) of membership that can be efficiently verified. By coNP we mean the class of languages that have succinct disqualifications; that is, coNP is the class of problems for which efficiently verifiable proofs of "no" instances exist. Finally, the class $\mathrm{NP} \cap \mathrm{coNP}$ is the class of languages where each language has either a succinct certificate, in which case it is a "yes" instance, or a succinct disqualification, in which case it is a "no" instance. No instance has both.
A crucial class of algorithms in cryptology is the class of randomized algorithms. Randomized algorithms are needed in cryptography in order to allow entities to generate random secret parameters, as well as in cryptanalysis, where we allow opponents to have the same capabilities as legitimate parties. A randomized machine can be modeled in two equivalent ways. We will model it as a machine that can make random moves, so-called "coin tosses." We view the outcome of the internal coin tosses of the machine as an auxiliary input. Namely, we consider a deterministic Turing machine with two inputs. The first input plays the role of the usual input, while the second input plays the role of a possible outcome of a sequence of internal coin tosses. We call it a probabilistic polynomial-time Turing machine. Such a machine always halts after a number of steps polynomial in the length of the input, independently of the outcome of its internal coin tosses. Hence a probabilistic polynomial-time Turing machine is a realistic model of computation and should not be confused with the unrealistic model of a non-deterministic Turing machine.
The class BPP (bounded-error probabilistic polynomial time) is the class of languages that can be recognized by a probabilistic polynomial-time Turing machine, i.e., by a randomized algorithm whose error probability is bounded away from 1/2. That is, each language in BPP can be recognized in probabilistic polynomial time, often shortened to ppt for brevity.
A language is NP-complete if it is in NP and every language in NP is polynomially reducible to it. Analogous definitions hold for coNP-completeness and $(\mathrm{NP} \cap \mathrm{coNP})$-completeness.
We will refer to a computational task (a method, algorithm, etc.) as efficient, easy, or feasible if it can be carried out by a probabilistic polynomial-time Turing machine. We will consider as intractable or hard those tasks which cannot be performed by probabilistic polynomial-time machines.
Unless otherwise noted, the complexity of the algorithms is assumed to be measured in terms of an obvious security parameter or of the size of the input $x$, that is, of $|x|$, which we understand as $\lceil \log_2(x) \rceil$.
Furthermore, we will be using the following fundamental definitions.
Definition. A function $\nu : \mathbb{N} \to \mathbb{R}$ is called negligible if for every positive polynomial $p$ there exists an integer $N$ such that for all $n > N$ we have $\nu(n) < 1/p(n)$.
Often we replace the phrase "there exists an $N$ such that for all $n > N$" with the less tedious one: "for all sufficiently large $n$".
Definition. A collection of functions $\{f_i : D_i \to \{0,1\}^*\}_{i \in I}$ is called (strongly) one-way if there exist three probabilistic polynomial-time algorithms, (i) the index selection algorithm $I$, (ii) the domain sampling algorithm $D$, and (iii) the evaluation algorithm $F$, such that the following two conditions hold:
1. Easy to sample and compute: On input $1^n$, the output of algorithm $I$ is distributed over the set $I \cap \{0,1\}^n$, to be used as an $n$-bit index $i$ of some function $f_i$. On input $i \in I$, the output of algorithm $D$ is distributed over the set $D_i$, i.e., over the domain of the function $f_i$. On input $i \in I$ and $x \in D_i$, algorithm $F$ always outputs $f_i(x)$.
2. Hard to invert: For every probabilistic polynomial-time algorithm $A$, every positive polynomial $p$, and all sufficiently large $n$ we have
$$\Pr\left[A(I_n, f_{I_n}(X_n)) \in f_{I_n}^{-1}(f_{I_n}(X_n))\right] < \frac{1}{p(n)},$$
where $I_n$ is a random variable describing the output of algorithm $I$ on input $1^n$, and $X_n$ is a random variable describing the output of algorithm $D$ on input $I_n$.
If all the functions $f_i$ in the previous definition are bijections, we say that $\{f_i\}_{i \in I}$ is a collection of one-way permutations. If in addition for each $f_i$ we have a "trapdoor" which enables us to invert the function, we talk about one-way trapdoor permutations.
The output of algorithm $I$ on input $1^n$ does not have to be distributed uniformly over $I \cap \{0,1\}^n$. In fact, it is allowed that $I(1^n)$ be concentrated on one single string. Likewise, the output of algorithm $D$ on input $i$ is not necessarily distributed uniformly over $D_i$. Yet the hardness-to-invert condition implies that $D(i)$ cannot be mainly concentrated on polynomially many (in $|i|$) strings. We stress that the collection is hard to invert with respect to the distribution induced by the algorithms $I$ and $D$.
There is no proof that a one-way function exists. In particular, if P = NP then no one-way functions exist. Also, proving the existence of one-way functions is not easier than proving that P ≠ NP; in fact, the former task seems significantly harder than the latter [13]. However, the existence of one-way functions is assumed and justified by several widely believed conjectures.
Over the last couple of decades, it has been shown how to use one-way functions and one-way trapdoor permutations to build cryptographic schemes. In particular, a one-way trapdoor permutation suffices to design a secure public-key encryption scheme. Similarly, a one-way function is necessary and sufficient to build a secure pseudo-random number generator [15] or to build a secure signature scheme [27]. Here, by a secure signature scheme we mean a scheme that is secure against existential forgery under a chosen message attack. By a secure pseudo-random number generator we mean a generator whose output sequence is computationally indistinguishable from a truly random sequence. In fact, secure pseudo-random number generators exist if and only if one-way functions exist.
2.2 Traditional DLP in cyclic groups
The following definitions [23] present the traditional discrete logarithm and related problems in a multiplicatively written finite cyclic group. In fact, all groups mentioned in this work will be written multiplicatively unless explicitly stated otherwise.
Definition. Let $G$ be a finite cyclic group of order $n$. Let $\alpha$ be a generator of $G$, and let $\beta \in G$. The discrete logarithm (DL) of $\beta$ to the base $\alpha$, denoted $\log_\alpha \beta$, is the unique integer $x$ with $0 \le x \le n-1$ such that $\beta = \alpha^x$.
The cyclic groups that are of interest in cryptography include the multiplicative group $\mathbb{F}_q^*$ of a finite field $\mathbb{F}_q$, its particular cases the multiplicative group $\mathbb{Z}_p^*$ of the integers modulo a prime $p$ and the multiplicative group $\mathbb{F}_{2^m}^*$ of the finite field $\mathbb{F}_{2^m}$ of characteristic two, and their subgroups. Also of interest are the group of units $\mathbb{Z}_n^*$, where $n$ is a composite integer, the group of points on an elliptic curve defined over a finite field, and the Jacobian of a hyperelliptic curve defined over a finite field.
A definition of the discrete logarithm problem in any cyclic group follows
Definition. The discrete logarithm problem (DLP) is the following: Given a finite cyclic group $G$ of order $n$, a generator $\alpha$ of $G$, and an element $\beta \in G$, find the integer $x$ with $0 \le x \le n-1$ such that $\alpha^x = \beta$.
Sometimes a generalized formulation of the DLP in a cyclic group is useful
Definition. The generalized discrete logarithm problem (GDLP) is the following: Given a not-necessarily finite group $G$ and elements $\alpha, \beta \in G$, determine an integer $x$ such that $\alpha^x = \beta$, provided that such an integer exists.
The discrete logarithm problem is thought to be an intractable problem, but we should note that the intractability is not a group theoretic property, but depends on the representation of the cyclic group. For example, all finite cyclic groups of order $n$ are isomorphic, yet if we consider the instance $\mathbb{Z}_n$, the cyclic group of integers modulo $n$ under addition modulo $n$, then the DLP is no longer intractable. The problem simply becomes the following: Let $\alpha$ be a generator of $(\mathbb{Z}_n, +)$ and $\beta \in \mathbb{Z}_n$; find $x \in \mathbb{Z}_n$ such that $\alpha x \equiv \beta \pmod n$. Since $\gcd(\alpha, n) = 1$, we can find $x = \alpha^{-1}\beta \bmod n$ by means of the extended Euclidean algorithm.
More about discrete logarithms and the discrete logarithm problem can be found in HAC [23], in the survey papers [24, 25] by A. Odlyzko, or in the survey [30] by M. Sramka.
2.2.1 Shanks' baby-step giant-step method
The baby-step giant-step method [23, 34] was proposed by D. Shanks to solve the DLP more efficiently than by simply applying brute force.
Let $G$ be a finite cyclic group of order $n$ with generator $\alpha$, and let $\beta \in G$. The task is to find $\log_\alpha \beta$. Shanks' idea is to write $x := \log_\alpha \beta$ as $x = \lceil\sqrt{n}\rceil s + t$ for some integers $0 \le s, t < \lceil\sqrt{n}\rceil$. Hence $\alpha^t = \beta\,(\alpha^{-\lceil\sqrt{n}\rceil})^s$. Now we can store the "baby steps" $\alpha^t$ for $0 \le t < \lceil\sqrt{n}\rceil$, and while computing the "giant steps" $\beta\,(\alpha^{-\lceil\sqrt{n}\rceil})^s$ for $0 \le s < \lceil\sqrt{n}\rceil$, we compare each result against the stored values to obtain the corresponding values of $s$ and $t$.
Algorithm 2.1 (baby-step giant-step)
1. Set $m := \lceil\sqrt{n}\rceil$.
2. Construct a table $T$ with entries $(t, \alpha^t)$ for $0 \le t < m$, indexed by the second component.
3. Compute $\rho := \alpha^{-m}$ and set $\sigma := \beta$.
4. For $s = 0, 1, \ldots, m-1$:
 (a) Search for $\sigma$ in the second column of the table $T$.
 (b) If an entry $(t, \sigma)$ is found for some $t$, output $x := ms + t$ and stop.
 (c) Compute $\sigma := \sigma\rho$.
The time complexity of Algorithm 2.1 is $O(\sqrt{n})$ group operations (assuming constant-time table lookup), and the memory requirement for the table is $O(\sqrt{n})$ group elements.
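The following Python implementation of Algorithm 2.1 is an added example, not code from the dissertation. It works in the group $\mathbb{Z}_p^*$, and the toy prime and generator used in the driver are assumptions chosen so that the run finishes instantly; the algorithm itself only depends on the group order $n$ and the group operation. The table is a hash map keyed by the group element, so the lookup in step 4(a) is constant time, and the helper `is_generator` (also added here) confirms that $\alpha$ has order $p-1$, so the logarithm returned is the unique $x$ in $[0, n)$.

```python
"""Shanks' baby-step giant-step (Algorithm 2.1) in Z_p^*.

Added example, not from the dissertation.  Z_p^* and the toy prime below
are assumptions; the algorithm is generic in the group order n.
"""
from math import isqrt
from typing import Optional


def bsgs(alpha: int, beta: int, p: int, n: int) -> Optional[int]:
    """Return x with alpha^x == beta (mod p) and 0 <= x < n, or None if none exists.

    n is the order of alpha (p - 1 when alpha generates Z_p^*).
    O(sqrt(n)) group operations and O(sqrt(n)) stored group elements.
    """
    m = isqrt(n)
    if m * m < n:
        m += 1                        # m := ceil(sqrt(n))
    # Baby steps: T = {alpha^t : t} for 0 <= t < m, keyed by the group element.
    table = {}
    g = 1
    for t in range(m):
        table.setdefault(g, t)        # keep the smallest t for each element
        g = g * alpha % p
    # Giant steps: rho := alpha^{-m}; sigma := beta, then sigma := sigma * rho.
    rho = pow(alpha, -m, p)           # modular inverse of alpha^m (Python >= 3.8)
    sigma = beta % p
    for s in range(m):
        t = table.get(sigma)
        if t is not None:
            return (m * s + t) % n    # x = m*s + t
        sigma = sigma * rho % p
    return None


def is_generator(alpha: int, p: int) -> bool:
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q dividing p-1."""
    n = p - 1
    primes, q, r = set(), 2, n
    while q * q <= r:                 # trial division of n, fine for toy sizes
        while r % q == 0:
            primes.add(q)
            r //= q
        q += 1
    if r > 1:
        primes.add(r)
    return all(pow(alpha, n // q, p) != 1 for q in primes)


if __name__ == "__main__":
    p = 1_000_003                     # assumed toy prime
    alpha = next(a for a in range(2, p) if is_generator(a, p))
    x = 123_456
    beta = pow(alpha, x, p)
    print(alpha, bsgs(alpha, beta, p, p - 1) == x)
```

When $\alpha$ is not a generator, `bsgs` must be called with the true order of $\alpha$ as `n`; with a larger `n` it still returns some valid exponent, but not necessarily the smallest one.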
2.2.2 Schemes of Diffie-Hellman and ElGamal
The first and simplest protocol based on the DLP was the Diffie-Hellman key exchange protocol [7]. Let $G$ be a finite cyclic group of order $n$ and $\alpha$ a generator of $G$. Then the protocol between Alice and Bob is described in the following steps:
Scheme 2.1 (Diffie-Hellman key exchange scheme)
1. Alice randomly chooses an integer $x$ (with $0 < x < n$), forms $\beta := \alpha^x$, and sends this value $\beta$ to Bob.
2. Similarly, Bob randomly chooses an integer $y$ (with $0 < y < n$), forms $\gamma := \alpha^y$, and sends this value $\gamma$ to Alice.
3. Alice computes the key $\kappa := \gamma^x$, and Bob computes the key $\kappa$ as $\beta^y$. Both obtain $\kappa = \alpha^{xy}$.
To grasp the exact complexity assumption of this scheme, consider the following definitions. For more rigorous definitions see [4].
Definition. Let $G$ be a finite cyclic group of order $n$, $\alpha$ a generator of $G$, and $x, y \in \mathbb{Z}_n$. The Diffie-Hellman function for $\alpha$ is defined as $\mathrm{DH}_\alpha(\alpha^x, \alpha^y) := \alpha^{xy}$. We say that the group $G$ satisfies the Computational Diffie-Hellman assumption (CDH) if there is no efficient algorithm for computing the function $\mathrm{DH}_\alpha(\alpha^x, \alpha^y)$ in $G$.
Unfortunately, the CDH by itself is not sufficient to prove that the Diffie-Hellman key exchange scheme is secure. A stronger assumption is needed. The Decision Diffie-Hellman assumption says that there is no efficient algorithm that can distinguish between the two 3-tuples $(\alpha^x, \alpha^y, \alpha^{xy})$ and $(\alpha^x, \alpha^y, \alpha^z)$ for random $x, y, z$.
Definition. Let $G$ be a finite cyclic group of order $n$ and $\alpha$ a generator of $G$. The group $G$ satisfies the Decision Diffie-Hellman assumption (DDH) if there is no probabilistic polynomial-time algorithm (in the size of $n$) that, given a triplet $(\alpha^x, \alpha^y, \alpha^z)$, outputs "true" if $z = xy$ and "false" otherwise with probability non-negligibly better than guessing.
The first public-key encryption scheme that takes advantage of the DLP (more precisely, of the CDH/DDH problems) was the ElGamal encryption scheme [9]. A brief description follows:
Scheme 2.2 (ElGamal encryption scheme)
Key generation: Let $G$ be a finite cyclic group of order $n$ and $\alpha$ a generator of $G$. Choose a random integer $a$ ($0 < a < n$) and set $\beta := \alpha^a$. The private key is $a$; the public key consists of $G$, $\alpha$, and $\beta$.
Encryption: To encrypt a message $x \in G$, one randomly chooses an integer $k$ ($0 < k < n$) and computes the ciphertext $(y_1, y_2)$, where $y_1 := \alpha^k$ and $y_2 := x\beta^k$.
Decryption: To decrypt a ciphertext $(y_1, y_2)$, one computes $y_1^{-a} y_2 = x\beta^k\alpha^{-ak} = x$ in order to obtain the plaintext.
2.3 Logarithmic signatures and covers
This section presents the notation, definitions, and some basic facts about logarithmic signatures and covers for finite groups. For more details see [19] and [20].
Let $G$ be an abstract finite group. Denote by $G^{[\,]}$ the collection of all finite sequences of elements of $G$, and view the elements of $G^{[\,]}$ as single-row matrices with entries in $G$. If $X := [x_1, x_2, \ldots, x_r] \in G^{[\,]}$, denote by $\bar{X}$ the element $\sum_{i=1}^{r} x_i$ in the group ring $\mathbb{Z}G$.
Suppose that $\Gamma := [A_1, A_2, \ldots, A_t]$ is a finite sequence, where each $A_i \in G^{[\,]}$, such that $\sum_{i=1}^{t} |A_i|$ is bounded by a polynomial in the degree of $G$. Here the degree of $G$ is the smallest degree among all faithful permutation representations of $G$. In the group ring $\mathbb{Z}G$, let
$$\bar{A}_1 \bar{A}_2 \cdots \bar{A}_t = \sum_{g \in G} a_g\, g$$
for some $a_g \in \mathbb{Z}$ depending on $g \in G$. Then we say that $\Gamma$ is a cover if $a_g > 0$ for all $g \in G$, and we say that $\Gamma$ is a logarithmic signature for $G$ if $a_g = 1$ for every $g \in G$. The $t$-tuple $(|A_1|, |A_2|, \ldots, |A_t|)$ is called the type of $\Gamma$.
Note that if $\Gamma$ is a logarithmic signature for $G$, then each element $g \in G$ can be uniquely expressed as a product of the form
$$g = h_1 h_2 \cdots h_t \qquad (1)$$
for some $h_i \in A_i$ ($i = 1, \ldots, t$). However, if $\Gamma$ is a cover, the factorization is not necessarily unique. Furthermore, the problem of finding such a factorization for a given $g \in G$ is in general intractable for both logarithmic signatures and covers. We call the cover $\Gamma$ tame if the factorization in equation (1) for any $g \in G$ can be achieved in polynomial time in the degree of $G$. If the cover $\Gamma$ is not tame, then we call it wild.
2.3.1 Traditional DLP and wild covers
There is a connection between the traditional DLP in a finite cyclic group and a cover for this group.
Let $G$ be a finite cyclic group of order $n$ with generator $\alpha$, and let $\beta \in G$. Choose $s$ to be the least positive integer such that $2^{s-1} < n \le 2^s$, and construct $\Gamma := [A_1, A_2, \ldots, A_s]$, where $A_i := [1, \alpha^{2^{i-1}}]$ ($i = 1, \ldots, s$). Then $\Gamma$ is a cover for $G$: every $g = \alpha^x$ with $0 \le x < n \le 2^s$ is the product of those $\alpha^{2^{i-1}}$ selected by the binary digits of $x$, and $\sum_i |A_i| = 2s$ is logarithmic in $n$. The factorization $\beta = h_1 h_2 \cdots h_s$ with respect to $\Gamma$, where each $h_i \in A_i$, is equivalent to finding the discrete logarithm $\log_\alpha \beta$: from $x$ one reads off the factorization as the binary expansion of $x$, and from a factorization one recovers $x$ as the sum of $2^{i-1}$ over those $i$ with $h_i \ne 1$. In particular, the DLP in $G$ is intractable if and only if the factorization is intractable in this particular cover $\Gamma$ for $G$ (i.e., $\Gamma$ is wild).
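The construction above, together with a direct test of the cover/logarithmic-signature condition via the group-ring coefficients $a_g$, as an added Python example that is not code from the dissertation. It works in $\mathbb{Z}_p^*$ with toy primes, which is an assumption; `classify` enumerates every product $h_1 \cdots h_t$ and is only feasible because the groups are tiny (the exponential enumeration is exactly what a tame cover lets one avoid). The two directions of the DLP equivalence are `factorization_from_log` and `log_from_factorization`.

```python
"""The DLP cover Gamma = [[1, alpha^(2^(i-1))]] of Section 2.3.1, and the
group-ring test that tells a cover from a logarithmic signature.

Added example, not from the dissertation.  Group: Z_p^* for a toy prime p
(assumption); elements are ints in [1, p).
"""
from collections import Counter
from itertools import product
from typing import List


def group_ring_coefficients(blocks: List[List[int]], p: int) -> Counter:
    """{g: a_g} with A_1 ... A_t = sum_g a_g g in the group ring Z[Z_p^*]."""
    coeffs = Counter()
    for choice in product(*blocks):         # one h_i from each block A_i
        g = 1
        for h in choice:
            g = g * h % p
        coeffs[g] += 1
    return coeffs


def classify(blocks: List[List[int]], p: int) -> str:
    """'logarithmic signature' if all a_g == 1, 'cover' if all a_g >= 1, else 'neither'."""
    coeffs = group_ring_coefficients(blocks, p)
    values = [coeffs[g] for g in range(1, p)]   # every element of Z_p^*
    if all(v == 1 for v in values):
        return "logarithmic signature"
    if all(v >= 1 for v in values):
        return "cover"
    return "neither"


def dlp_cover(alpha: int, p: int) -> List[List[int]]:
    """Gamma = [A_1, ..., A_s], A_i = [1, alpha^(2^(i-1))], least s with 2^(s-1) < n <= 2^s."""
    n = p - 1
    s = max(1, (n - 1).bit_length())
    return [[1, pow(alpha, 1 << (i - 1), p)] for i in range(1, s + 1)]


def factorization_from_log(x: int, alpha: int, p: int) -> List[int]:
    """DL -> factorization: h_i = alpha^(2^(i-1)) if bit i-1 of x is set, else 1."""
    blocks = dlp_cover(alpha, p)
    return [blk[(x >> (i - 1)) & 1] for i, blk in enumerate(blocks, start=1)]


def log_from_factorization(factors: List[int], alpha: int, p: int) -> int:
    """Factorization -> DL: x = sum of 2^(i-1) over the blocks where h_i != 1."""
    x, prod = 0, 1
    for i, h in enumerate(factors, start=1):
        if h != 1:
            x += 1 << (i - 1)
        prod = prod * h % p
    assert pow(alpha, x, p) == prod           # the factorization really is of alpha^x
    return x % (p - 1)


if __name__ == "__main__":
    p, alpha = 1019, 2                         # assumed toy prime; 2 generates Z_1019^*
    beta = pow(alpha, 777, p)
    f = factorization_from_log(777, alpha, p)
    print(classify(dlp_cover(alpha, p), p), log_from_factorization(f, alpha, p))
```

For $p = 17$ the order $n = 16$ is a power of two, every element has exactly one factorization and $\Gamma$ is a logarithmic signature; for $p = 1019$ the exponents $0, \ldots, 2^{10}-1$ wrap around modulo $1018$, so the six smallest powers of $\alpha$ have two factorizations and $\Gamma$ is a cover but not a logarithmic signature.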
2.4 Combinatorial group theory
We give some basic definitions from combinatorial group theory. More details and rigor can be found in books such as [18] or [21].
Let $G$ be a group defined by a presentation $(X, R)$, where $X = \{x_1, x_2, \ldots\}$ is a set of generators and $R = \{r_1, r_2, \ldots\}$ is a set of relators. If the set $X$ is finite we say that the group $G$ is finitely generated. When the sets $X$ and $R$ are both finite we say that the group $G$ is finitely presented. A word $w$ over $X$ is a finite sequence of elements of the set $X \cup X^{-1}$. A word which defines the identity element in the group $G$ is called a relator. The empty word is the empty sequence, of length 0, and also represents the identity of $G$. We say that two words $w$ and $w'$ are equivalent for the presentation $(X, R)$ if and only if the following operations, applied a finite number of times, transform $w$ into $w'$:
(T1) Insertion of one of the relators $r_1, r_1^{-1}, r_2, r_2^{-1}, \ldots \in R \cup R^{-1}$, or of a trivial relator (of the form $x_i x_i^{-1}$ or $x_i^{-1} x_i$ with $x_i \in X$), at the beginning of a word, at the end of a word, or between any two consecutive symbols of a word.
(T2) Deletion of one of the relators $r_1, r_1^{-1}, r_2, r_2^{-1}, \ldots$, or of a trivial relator, if it forms a block of consecutive symbols in a word.
An application of one transformation of the form (T1) or (T2) is called a rewrite step. Every element $g$ of $G = (X, R)$ can be described by a word over $X \cup X^{-1}$, usually in many ways; the length of the shortest word that describes $g$ is called the word length of $g$. For a word $w$ over some fixed alphabet we denote the length of $w$ by $|w|$; also, for $g \in G = (X, R)$ we denote the word length of $g$ by $|g|$.
Definition. The word problem of a group $G = (X, R)$, as introduced by Max Dehn in 1911, is the following decision problem: For an arbitrary word $w$ over $X \cup X^{-1}$, is $w$ equivalent to the empty word?
In the 1950's, Novikov and Boone independently showed that there are finitely presented groups with undecidable word problem. It is an important fact that the decidability and complexity of the word problem of a finitely generated group depend only on the group, and not on the generators or the presentation chosen, provided that one sticks to finite generating sets. In other words, if $G$ has a decidable word problem for some finite generating set $X$ then $G$ has a decidable word problem for every finite generating set. Concerning complexity, a change of the finite generating set changes the complexity only linearly, since each generator of one set is a word of bounded length in the other. Therefore, we are allowed to talk about "the word problem of a group $G$" without referring to a specific presentation.
It was proved recently that there are finitely presented groups whose word problem is NP-complete, or whose word problem is coNP-complete.
By a group with an easy word problem we will understand a group whose word problem is decidable in deterministic polynomial time. All other groups are said to have a hard word problem.
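The rewrite steps and the word problem for two groups with an easy word problem, as an added Python example (not code from the dissertation). The encoding is an assumption: a generator $x_i$ is a lower-case letter and its inverse the corresponding upper-case letter. With $R$ empty the group is the free group $F(X)$ and (T2) applied to trivial relators alone decides the word problem and yields $|g|$; with $R$ the set of commutators $x_i x_j x_i^{-1} x_j^{-1}$ the group is free abelian and the word problem is decided by exponent sums, which (T1) and (T2) leave unchanged.

```python
"""Words over X u X^-1, the rewrite steps (T1)/(T2), and the word problem
for the free group F(X) and the free abelian group Z^X (Section 2.4).

Added example, not from the dissertation.  Encoding (assumption): generator
x_i = lower-case letter, x_i^-1 = the same letter in upper case.
"""
from collections import Counter
from typing import Dict


def inverse_word(w: str) -> str:
    """w^-1: reverse the word and invert every letter."""
    return w[::-1].swapcase()


def insert_trivial_relator(w: str, pos: int, x: str) -> str:
    """One (T1) step with a trivial relator: insert x x^-1 at position pos."""
    if not 0 <= pos <= len(w):
        raise ValueError("position outside the word")
    return w[:pos] + x + x.swapcase() + w[pos:]


def free_reduce(w: str) -> str:
    """Apply (T2) with the trivial relators x x^-1, x^-1 x until none remain.

    In F(X) (R empty) the freely reduced word is unique, so it decides the
    word problem and its length is the word length |g|.
    """
    stack = []
    for c in w:
        if stack and stack[-1] == c.swapcase():
            stack.pop()                    # delete the block c^-1 c or c c^-1
        else:
            stack.append(c)
    return "".join(stack)


def is_identity_free(w: str) -> bool:
    """Word problem in F(X): is w equivalent to the empty word?"""
    return free_reduce(w) == ""


def are_equivalent_free(w1: str, w2: str) -> bool:
    """w1 ~ w2 in F(X) iff w1 * w2^-1 ~ empty word."""
    return is_identity_free(w1 + inverse_word(w2))


def word_length_free(w: str) -> int:
    """|g| for the element g of F(X) represented by w."""
    return len(free_reduce(w))


def exponent_sums(w: str) -> Dict[str, int]:
    """Net exponent of each generator; a (T1)/(T2) invariant when R consists of commutators."""
    sums = Counter()
    for c in w:
        sums[c.lower()] += 1 if c.islower() else -1
    return {x: e for x, e in sums.items() if e != 0}


def is_identity_free_abelian(w: str) -> bool:
    """Word problem in Z^X = (X, {x_i x_j x_i^-1 x_j^-1}): w ~ e iff all exponent sums vanish."""
    return exponent_sums(w) == {}


if __name__ == "__main__":
    w = "xyXY"                                 # the commutator [x, y]
    print(is_identity_free(w), is_identity_free_abelian(w), word_length_free("xxXy"))
```

The commutator `xyXY` shows the dependence on $R$: it is a non-trivial element of length 4 in the free group, but it is a relator, hence the identity, in the free abelian group.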
3 The Encryption Scheme of Kashyap et al.
In 2006, Sunil Kumar Kashyap, Birendra Kumar Sharma, and Amitabh Banerjee [16] proposed a discrete logarithm problem in cyclic groups based on two generators. The problem, referred to as 2DL, was then used by the authors in the design of a new public-key encryption scheme. In their proposal, the authors claim that to "break" 2DL it would be necessary to compute two traditional discrete logarithms.
In my paper [31], I show that the proposed asymmetric cryptosystem, an encryption scheme which is a modification of the ElGamal encryption scheme, can in fact be broken by computing a single traditional discrete logarithm. In addition, a careful analysis of the ciphertext allows for the selection and computation of particular values that render the proposed encryption scheme equivalent to the ElGamal encryption scheme.
A short description of the proposed problem and the encryption scheme is followed below by our main cryptanalytic results.
Clearly there is more to criticize here than grammar and syntax, but we intend to improve on this initial statement below. Based on this 2DL problem in a group $G := \mathbb{Z}_p^*$, where $p$ is a prime, Kashyap et al. propose the following public-key encryption scheme [16] which is a modification of the ElGamal encryption scheme (Scheme 2.2).
Scheme 3.1 (Kashyap et al. encryption scheme)
Key generation: Let $\alpha$ and $\beta$ be two distinct generators of $\mathbb{Z}_p^*$, the multiplicative group in the field of integers modulo prime $p$, and let $m$ be an integer such that $\alpha \equiv \beta^m \pmod p$. Further, select two random integers $a$ and $b$ such that $a \neq b$ and $0 < a, b < p-1$. Compute $\gamma := \alpha^a$ and $\delta := \beta^b$, all computations modulo $p$. The public key is $p$, $\alpha$, $\beta$, $\gamma$, and $\delta$. The private key is $a$ and $b$.
Encryption: To encrypt a message $x \in \mathbb{Z}_p^*$, one randomly chooses an integer $k$ with $0 < k < p-1$ and computes the ciphertext $(y_1, y_2, y_3)$, where $y_1 := \alpha^k$, $y_2 := \beta^k$, and $y_3 := x\gamma^k\delta^k$, again, all computations modulo $p$.
Decryption: To decrypt a ciphertext $(y_1, y_2, y_3)$, one obtains the corresponding plaintext by computing $y_1^{-a} y_2^{-b} y_3 \bmod p$.
at? = (aTM)2e° — gmat.
Although obtaining the integer $m$ requires a solution to the traditional DL $\log_\beta \alpha$, knowledge of $m$ is not required to see that the 2DL problem is not well-defined.
We now describe an attack against the proposed encryption scheme that needs only one solution of the traditional DL. The attack is described for an abstract finite cyclic group $G$, since it holds in a general setting, not just for the group $\mathbb{Z}_p^*$.
Suppose an attacker has a ciphertext $(y_1, y_2, y_3)$. Then from the definition of the encryption we have
$$y_1 y_2 = \alpha^k \beta^k = (\alpha\beta)^k,$$
therefore we can obtain the integer $k$ by computing a single traditional DL in one of the following three possibilities:
$$k = \log_\alpha y_1 = \log_\beta y_2 = \log_{\alpha\beta}(y_1 y_2).$$
Having $k$, we can then easily proceed to recover the plaintext message as $\gamma^{-k}\delta^{-k}y_3$ since $\gamma$ and $\delta$ are public.
Finally, we show that the proposed encryption scheme (Scheme 3.1) is in fact equivalent to the ElGamal encryption scheme (Scheme 2.2). We show this by reduction: Using the notation from above, we have $y_2 = \beta^k$ and
$$y_3 = x\gamma^k\delta^k = x(\alpha^a)^k(\beta^b)^k = x((\beta^m)^a)^k(\beta^b)^k = x\beta^{mak+bk} = x(\beta^t)^k$$
for some integer $t$. In reality, $t := ma + b$. In any case, $(y_2, y_3)$ is exactly the definition of ElGamal encryption of message $x$ using random integer $k$, private key $t$, and the public key $\beta$ and $\beta^t$.
Note that even without knowing $m$, we can obtain $t$ as a traditional single discrete logarithm of $\gamma\delta$ to the base $\beta$ since
$$\gamma\delta = \alpha^a\beta^b = (\beta^m)^a\beta^b = \beta^{ma+b} = \beta^t.$$
In addition, the obtained knowledge of $t$ leads to decryption of every other ciphertext encrypted using the mentioned public key.
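The two observations of this chapter, recovery of $x$ from the single logarithm $k$ and the reduction to ElGamal with private key $t = \log_\beta(\gamma\delta)$, worked through on toy parameters. This is an added example and not code from the dissertation or from [16] or [31]; the prime $p = 23$, the generators $\alpha = 5$ and $\beta = 7$, and the brute-force logarithm routine (standing in for a real discrete-logarithm solver) are constructed for illustration.

```python
"""Scheme 3.1 (Kashyap et al.) on toy parameters, with the two observations of
this chapter: decryption from one discrete logarithm, and the reduction to
ElGamal.  Added example; p, alpha, beta and the brute-force logarithm are
constructed for illustration, not taken from [16] or [31]."""
import random


def is_generator(g, p):
    """True iff g generates Z_p^* (p - 1 is tiny here, so walk the whole orbit)."""
    x, seen = 1, set()
    for _ in range(p - 1):
        x = x * g % p
        seen.add(x)
    return len(seen) == p - 1


def dlog(base, target, p):
    """Brute-force discrete logarithm in Z_p^*, the 'traditional DL' of the text."""
    x = 1
    for k in range(p - 1):
        if x == target:
            return k
        x = x * base % p
    raise ValueError("target not in <base>")


def keygen(p, alpha, beta, rng):
    """Scheme 3.1 key generation: gamma = alpha^a, delta = beta^b with a != b."""
    a = rng.randrange(1, p - 1)
    b = rng.randrange(1, p - 1)
    while b == a:
        b = rng.randrange(1, p - 1)
    return (p, alpha, beta, pow(alpha, a, p), pow(beta, b, p)), (a, b)


def encrypt(pub, x, rng):
    """(y1, y2, y3) = (alpha^k, beta^k, x gamma^k delta^k) for a random k."""
    p, alpha, beta, gamma, delta = pub
    k = rng.randrange(1, p - 1)
    return pow(alpha, k, p), pow(beta, k, p), x * pow(gamma, k, p) * pow(delta, k, p) % p


def decrypt(pub, priv, ct):
    """Legitimate decryption: y1^-a y2^-b y3 mod p."""
    p = pub[0]
    a, b = priv
    y1, y2, y3 = ct
    return pow(y1, -a, p) * pow(y2, -b, p) * y3 % p


def attack_single_dl(pub, ct):
    """One DL gives k = log_alpha y1; then x = gamma^-k delta^-k y3 (public values only)."""
    p, alpha, beta, gamma, delta = pub
    y1, y2, y3 = ct
    k = dlog(alpha, y1, p)
    # log_beta y2 is the same k.  log_{alpha beta}(y1 y2) determines k only modulo
    # the order of alpha*beta, which need not be a generator, so that case is
    # verified by exponentiation instead of by a second logarithm.
    assert dlog(beta, y2, p) == k and pow(alpha * beta % p, k, p) == y1 * y2 % p
    return pow(gamma, -k, p) * pow(delta, -k, p) * y3 % p


def elgamal_private_key(pub):
    """t = log_beta(gamma delta) = m a + b mod (p - 1): the equivalent ElGamal key."""
    p, _, beta, gamma, delta = pub
    return dlog(beta, gamma * delta % p, p)


def decrypt_as_elgamal(pub, t, ct):
    """(y2, y3) is an ElGamal ciphertext under public key (beta, beta^t)."""
    p = pub[0]
    _, y2, y3 = ct
    return pow(y2, -t, p) * y3 % p


def demo(seed=7):
    """Run the whole story on p = 23; returns the three recovered plaintexts and
    whether t really equals m a + b mod (p - 1)."""
    rng = random.Random(seed)
    p, alpha, beta = 23, 5, 7          # constructed toy parameters
    assert is_generator(alpha, p) and is_generator(beta, p)
    pub, priv = keygen(p, alpha, beta, rng)
    ct = encrypt(pub, 17, rng)
    t = elgamal_private_key(pub)
    return (decrypt(pub, priv, ct), attack_single_dl(pub, ct), decrypt_as_elgamal(pub, t, ct),
            t == (dlog(beta, alpha, p) * priv[0] + priv[1]) % (p - 1))
```

`demo()` returns `(17, 17, 17, True)`: the legitimate decryption, the single-logarithm decryption and the ElGamal-style decryption with the derived key $t$ all agree, and $t$ matches $ma + b$ computed from the private key. Once $t$ is known, `decrypt_as_elgamal` opens every further ciphertext under the same public key without any further logarithm.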
3.3 Summary
In other words, our argument shows that the proposed encryption scheme has the same security as the original ElGamal encryption scheme. Hence the known problems, vulnerabilities, and attacks that are valid for the ElGamal encryption scheme are valid for the new scheme, too. The proposed encryption scheme requires more computations than the ElGamal encryption scheme while providing the same security, and this effectively renders it useless.
4 The Key Exchange Scheme of Stickel
In a 2005 paper [33], Eberhard Stickel proposed a variation of the Diffie-Hellman key exchange scheme (Scheme 2.1) to non-abelian groups. In particular, he described a key exchange protocol that uses exponentiations of two non-commuting group elements. The proposal also contains an implementation detail for a specific subgroup of a general linear group of prime degree $n$. Although the proposal lacks a rigorous security analysis, the author claims that a brute-force attack of an instance would require searching through a space of size $(2^n - 1)^2$.
In paper [32], we show that, in fact, the proposed key exchange scheme can be successfully attacked with a considerably smaller complexity. In particular, we show that the scheme can be broken by searching through a space of cardinality $2^n - 1$. Also, for the general case with two non-commuting elements of order $n_1$ and $n_2$ ($n_1 \geq n_2$), we show that the worst-case time complexity of breaking the scheme is $O(n_1 \cdot \log n_1)$ group operations while requiring storage of $O(n_2)$ group elements.
In this chapter, we present a description of Stickel's key exchange scheme and its implementation details, followed by our main cryptanalytic results.
4.1 Proposal
We firstly provide a description of E. Stickel's general scheme [33] for exchanging a secret key between two parties (Scheme 4.1) and then describe some implementation details that lead to Scheme 4.2, a variation of the first scheme.
Let $G$ be a non-abelian finite group and $\alpha, \beta \in G$ be two non-commuting elements. Let $n_1$ denote the order of $\alpha$ and $n_2$ the order of $\beta$. Both elements $\alpha$ and $\beta$ are public information.
The key exchange protocol between Alice and Bob can be described in the following steps:
Scheme 4.1 (Stickel's key exchange scheme)
1. Bob randomly chooses integers $r$ and $s$ with $0 < r < n_1$, $0 < s < n_2$. The integers $r$ and $s$ are kept secret. Bob forms $\gamma := \alpha^r\beta^s$ and sends $\gamma$ to Alice.
2. In a similar way, Alice chooses integers $v$ and $w$ with $0 < v < n_1$ and $0 < w < n_2$, which she keeps secret. Alice forms $\delta := \alpha^v\beta^w$ and sends $\delta$ to Bob.
3. Alice computes the key $\kappa := \alpha^v\gamma\beta^w$, and similarly, Bob computes the key $\kappa$ as $\alpha^r\delta\beta^s$.
Note that an arbitrary element $\tau \in G$ known to both parties can be placed in the middle of the products $\gamma$ and $\delta$, resp., to obtain new $\gamma := \alpha^r\tau\beta^s$ and $\delta := \alpha^v\tau\beta^w$.
The correctness of the protocol is obvious in both cases.
Finally, let $F$ be an extension field of $GF(2)$, and let $T_1$ and $T_2$ be arbitrary invertible $n \times n$ matrices over $F$; i.e., $T_1, T_2 \in GL_n(F)$. The purpose of these matrices is to render eigenvalue/eigenvector attacks infeasible. See the original proposal [33] for details. For our purposes it suffices to know that the field $F$ is a finite extension of $GF(2)$ of degree at least 2.
Now, both matrices $C$ and $D$ have prime order $2^n - 1$, $CD \neq DC$ (as long as $p(x) \neq q(x)$), and so the cardinality of the set $\{C^i T_1 T_2 D^j \mid i, j \in \mathbb{Z}\}$ is $(2^n - 1)^2$.
An adaptation of Scheme 4.1 to these settings is straightforward: $C$ and $D$ play the role of $\alpha$ and $\beta$, resp. (with $n_1 = n_2 = 2^n - 1$), and $T_1T_2$ plays the role of $\tau$. However, a slightly different variant of Scheme 4.1 was proposed in [33] by E. Stickel. Namely, two additional secret scalars $a$ and $b$ were added:
Scheme 4.2 (Stickel's key exchange scheme (2))
1. Bob randomly chooses integers $r$ and $s$ with $0 < r, s < 2^n - 1$, and a scalar $b \in F$. The parameters $r$, $s$, and $b$ are kept secret. Bob computes $F := bC^rT_1T_2D^s$ and sends this matrix $F$ to Alice.
2. Similarly, Alice randomly chooses secret integers $v$ and $w$ with $0 < v, w < 2^n - 1$, and a secret scalar $a \in F$. Alice forms $H := aC^vT_1T_2D^w$ and sends $H$ to Bob.
3. Alice computes the key (matrix) $K := aC^vFD^w$, and similarly, Bob computes the key $K$ as $bC^rHD^s$.
4.2 Cryptanalysis
The security of Scheme 4.1, that is, the security of the final exchanged key $\kappa$, is based on the fact that an opponent is unable to factorize $\gamma$ or $\delta$ into $\alpha$'s and $\beta$'s. (Here we are using notation as in Section 4.1.)
However, a factorization of $\gamma$ or $\delta$ can be successfully obtained by knowing only one out of the four secret parameters $r$, $s$, $v$, or $w$: Without loss of generality, suppose an opponent learns the value of $r$. Then, the opponent can compute the key $\kappa$ from $r$ and the public values as $\alpha^r\delta\alpha^{-r}\gamma$. Similarly, knowledge of any one of the remaining three yields the key. Therefore, the security of the scheme depends on the knowledge of just one of the four secret parameters.
Let $Q := \langle\alpha\rangle \cap \langle\beta\rangle$ be a subgroup of $G$. Then, from elementary theory of cyclic groups [28], it follows that $t := n_1/|Q|$ is the smallest positive exponent such that $\alpha^t \in Q$, or equivalently $t$ is the smallest positive exponent such that $\alpha^t \in \langle\beta\rangle$. Now, consider the element $\rho := \alpha^{-i}\gamma = \alpha^{r-i}\beta^s$ for some integer $i$. It is easy to see that $\rho \in \langle\beta\rangle$ if and only if $r - i \equiv 0 \pmod t$. And so, $r$ is one of the $|Q|$ numbers $i + kt$, where $k = 0, 1, 2, \ldots, |Q| - 1$. The correct $r$ can be then obtained by constructing a key $\kappa'$ for each possibility $i + kt$ and verifying whether $\kappa'$ is the correct key.
The following algorithm implements these ideas:
Algorithm 4.1.
Input: $\alpha$, $\beta$, $\gamma$ and $n_1$
Output: $(i, t, m)$ such that $r = i + kt$ for some $k \in \{0, 1, \ldots, m - 1\}$
1. Set $m := |\langle\alpha\rangle \cap \langle\beta\rangle|$ and $t := n_1/m$.
2. For $i = 1, 2, \ldots$ do
(a) If $\alpha^{-i}\gamma \in \langle\beta\rangle$ then output $(i, t, m)$ and stop.
4.2.1 The worst-case complexity analysis
The worst case complexity of Algorithm 4.1 occurs when the subgroups generated by $\alpha$ and $\beta$ intersect trivially (i.e., $|\langle\alpha\rangle \cap \langle\beta\rangle| = 1$) or if it is too costly to compute the order of $\langle\alpha\rangle \cap \langle\beta\rangle$. In either case, the value of $t$ in Algorithm 4.1 becomes $n_1$.
On the other hand, group membership testing can be a hard problem. For the worst-case analysis, we will assume that the subgroup $\langle\beta\rangle$ must be stored as a list (possibly as a sorted list, so that we can test for membership using binary search).
Consider the following algorithm, equivalent to Algorithm 4.1, but rewritten for the purpose of complexity estimation.
Algorithm 4.2 (The worst-case complexity of Algorithm 4.1)
(a) Set $\sigma := \omega\sigma$ (i.e., $\sigma = \alpha^{-i}\gamma$).
(b) Using binary search, determine if $\sigma$ is in table $T$. If it is, set $r := i$ and stop.
Steps 1 and 4 are assignments and are negligible from the complexity point of view. The computation of the inverse of $\alpha$, in Step 3, is an exponentiation which can be performed using the square-and-multiply method by doing at most $2\lceil\log_2(n_1)\rceil$ group multiplications. Each iteration of Step 2 consists of a binary search which requires at most $2\lceil\log_2(n_2)\rceil$ group element comparisons, one group element multiplication, and two negligible insertions/assignments. In total, Step 2 performs at most $n_2(2\lceil\log_2(n_2)\rceil + 1)$ operations (from here on defined as group element comparisons or multiplications). Finally, each iteration of Step 5 consists of one group element multiplication, the binary search requiring at most $2\lceil\log_2(n_2)\rceil$ group element comparisons, and some negligible assignments. In total, Step 5 performs at most $n_1(2\lceil\log_2(n_2)\rceil + 1)$ operations.
Concerning the space complexity, table $T$ requires storage of $n_2$ group elements. The other steps require negligible (constant) storage.
Without loss of generality we can assume that $n_1 \geq n_2$. We then see that Algorithm 4.2 is dominated by Step 5, which requires at most $n_1(2\lceil\log_2(n_2)\rceil + 1) \leq n_1(2\lceil\log_2(n_1)\rceil + 1)$ operations. Therefore the worst-case time complexity of Algorithm 4.2, and hence also of Algorithm 4.1, is $O(n_1 \cdot \log n_1)$ operations and the space complexity is $O(n_2)$ group elements.
4.2.2 The case of Scheme 4.2
Of course, the generic attack described in the previous section applies to any implementation of Scheme 4.1. However, Scheme 4.2 is a slight variation of Scheme 4.1, and the structures used in the implementation allow for further reduction in the complexity of the attack. In particular, the need for storage space is minimal, because group membership testing is easy.
In terms of the notation of Section 4.1.1, an opponent needs to obtain one of the four pairs $(b, r)$, $(b, s)$, $(a, v)$, or $(a, w)$ to factor $F$ or $H$; that is, to obtain the key $K$. Again, without loss of generality, suppose the opponent has obtained the scalar $b \in F$ and the integer $r$. Then the opponent can obtain the key $K$ from $b$, $r$, and the public values as
$$K = bC^rHT_2^{-1}T_1^{-1}C^{-r}b^{-1}F.$$
Consider the matrix $M := T_2^{-1}T_1^{-1}C^{-i}F = T_2^{-1}T_1^{-1}C^{-i}\,bC^rT_1T_2D^s$ for any integer $0 < i < 2^n$. If $i = r$, then $M = bD^s$, and since $D \in GL_n(GF(2))$, the entries of $M$ will consist of elements $b$ and $0$ only. On the other hand, if $i \neq r$, and since $C$ and $D$ are non-commuting elements of prime order, from elementary group theory [28], it follows that $C^{r-i} \notin \langle D\rangle$, and so $M \neq bD^j$ for any $j$. Moreover, because of statistical reasons, for the vast majority of fixed matrices $T_1$ and $T_2$ over $F$, the entries of matrix $M$ would consist of more than two elements from $F$.
We have made some implicit assumptions here:
1. Although Scheme 4.2 did not specify it, the scalars $a, b \in F$ should be chosen as non-zero elements. We assumed that $b \neq 0$.
2. For practical implementations, the field $F$ is an extension over $GF(2)$ of degree more than 1. This follows from the fact that $T_1$ and $T_2$ are matrices that are supposed to make eigenvalue/eigenvector attacks infeasible [33]. We assumed that $|F| > 2$.
3. Finally, we have assumed that the matrices $T_1$ and $T_2$ are known to the opponent. It is not clear from the original specification [33] whether these matrices (or the element $\tau$ in the case of Scheme 4.1) are pre-shared secrets. The other reason we believe that $T_1$ and $T_2$ are public is that they are not chosen randomly in $GL_n(F)$, but are constructed in a specific way to help make eigenvalue/eigenvector attacks infeasible.
The following algorithm implements these ideas:
Algorithm 4.3
Input: $n$, $C$, $T_1T_2$, and $F$
Output: candidates for $b$ and $r$
1. For $i = 1, 2, \ldots, 2^n - 1$ do
(a) Compute $M := (T_1T_2)^{-1}C^{-i}F$.
(b) If $M$ consists of just two elements $0$ and $m$, output $b := m$ and $r := i$ (as cand­idates) and continue.
An alternative algorithm for the same task, but described by means of generic group membership testing is:
(b) If $m^{-1}M \in \langle D\rangle$ then output $b := m$, $r := i$, and stop.
For $n = 31$, which was considered a safe security parameter [33], an opponent had to search through the set $\{C^iT_1T_2D^j \mid i, j \in \mathbb{Z}\}$ that is known to have cardinality of $(2^n - 1)^2 \approx 2^{62}$ (infeasible with current technology). However, if an opponent uses Algorithm 4.3, he/she will need to perform only $2^n - 1 \approx 2^{31}$ operations to break the scheme, and this can be performed on present day personal computers in a reasonable time.
In addition, all algorithms mentioned are highly parallelizable (linear parallelization). This follows from the fact that each iteration can be run independently. In particular, if $n$ processors are used, then the speedup is by a factor of $n$.
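Algorithm 4.3 on a scaled-down instance of Scheme 4.2, as an added example; this is not the dissertation's C program from Section 4.2.3 and not code from [33]. It assumes $n = 3$ with $C$ and $D$ the companion matrices of $p(x) = x^3 + x + 1$ and $q(x) = x^3 + x^2 + 1$ over $GF(2)$ (both of prime order $2^3 - 1 = 7$, and non-commuting), the field $F = GF(2)[x]/(x^8 + x^4 + x^3 + x^2 + 1)$ that Section 4.2.3 uses, and constructed unitriangular $T_1$, $T_2$ and constant secrets in place of random choices. The candidate test is exactly the "only $0$ and one value $m$ among the entries" criterion of step (b), and the key is then recovered with the formula of this section.

```python
"""Algorithm 4.3 against Scheme 4.2 on a tiny instance: n = 3, C and D the companion
matrices of p(x) = x^3 + x + 1 and q(x) = x^3 + x^2 + 1 over GF(2) (prime order 7),
scalars and T1, T2 over F = GF(2)[x]/(x^8 + x^4 + x^3 + x^2 + 1).  Added example, not
the C program of Section 4.2.3; all matrices, scalars and exponents are constructed."""
from functools import reduce

MOD, N = 0x11D, 3            # modulus of F (elements are ints 0..255); matrix degree n
ORDER = 2 ** N - 1           # order of C and D

def fmul(a, b):
    """GF(2^8) multiplication: carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def finv(a):
    """Inverse of a non-zero field element, a^(2^8 - 2)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r

def mmul(A, B):
    return [[reduce(lambda x, y: x ^ y, (fmul(A[i][k], B[k][j]) for k in range(N)), 0)
             for j in range(N)] for i in range(N)]

def smul(c, A):
    return [[fmul(c, x) for x in row] for row in A]

def mpow(A, e):
    R = [[int(i == j) for j in range(N)] for i in range(N)]
    for _ in range(e):
        R = mmul(R, A)
    return R

def minv(A):
    """Gauss-Jordan inverse over F; None if A is singular."""
    M = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(A)]
    for c in range(N):
        piv = next((r for r in range(c, N) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [fmul(finv(M[c][c]), x) for x in M[c]]
        for r in range(N):
            if r != c and M[r][c]:
                M[r] = [x ^ fmul(M[r][c], y) for x, y in zip(M[r], M[c])]
    return [row[N:] for row in M]

def companion(c):
    """Companion matrix over GF(2) of x^N + c[N-1] x^(N-1) + ... + c[1] x + c[0]."""
    return [[c[i] if j == N - 1 else int(j == i - 1) for j in range(N)] for i in range(N)]

C, D = companion([1, 1, 0]), companion([1, 0, 1])   # p(x) = x^3+x+1, q(x) = x^3+x^2+1
# Constructed T1 (upper) and T2 (lower unitriangular): both invertible over F.
T1 = [[1, 0x57, 0x83], [0, 1, 0x1B], [0, 0, 1]]
T2 = [[1, 0, 0], [0x3A, 1, 0], [0xC5, 0x2E, 1]]

def message(scalar, e_c, T1T2, e_d):
    """Scheme 4.2: F = b C^r T1 T2 D^s (Bob) or H = a C^v T1 T2 D^w (Alice)."""
    return smul(scalar, mmul(mmul(mpow(C, e_c), T1T2), mpow(D, e_d)))

def shared_key(scalar, e_c, received, e_d):
    """K = a C^v F D^w (Alice) or b C^r H D^s (Bob)."""
    return smul(scalar, mmul(mmul(mpow(C, e_c), received), mpow(D, e_d)))

def algorithm_4_3(T1T2, F_mat):
    """Candidates (b, r): each i for which (T1 T2)^-1 C^-i F has entries in {0, m} only."""
    T_inv, C_inv, X, found = minv(T1T2), minv(C), F_mat, []
    for i in range(1, ORDER + 1):
        X = mmul(C_inv, X)                                   # X = C^-i F
        nonzero = {x for row in mmul(T_inv, X) for x in row if x}
        if len(nonzero) == 1:
            found.append((nonzero.pop(), i))
    return found

def recover_key(b, r, T1T2, H, F_mat):
    """K = b C^r H T2^-1 T1^-1 C^-r b^-1 F, Section 4.2.2."""
    C_r = mpow(C, r)
    D_s = smul(finv(b), mmul(mmul(minv(T1T2), minv(C_r)), F_mat))   # recovers D^s
    return smul(b, mmul(mmul(C_r, H), D_s))

def demo():
    """Returns (true (b, r) among the candidates?, key recovered from it equals K?)."""
    T1T2 = mmul(T1, T2)
    b, r, s, a, v, w = 0x53, 5, 3, 0xA7, 2, 6                  # constructed secrets
    F_mat, H = message(b, r, T1T2, s), message(a, v, T1T2, w)
    K = shared_key(a, v, F_mat, w)
    assert K == shared_key(b, r, H, s)
    return (b, r) in algorithm_4_3(T1T2, F_mat), recover_key(b, r, T1T2, H, F_mat) == K
```

`demo()` returns `(True, True)`: the search over the $2^3 - 1 = 7$ exponents flags $i = r$, because $(T_1T_2)^{-1}C^{-r}F = bD^s$ has only the entries $0$ and $b$, and the pair $(b, r)$ reproduces the key both parties computed. Scaling $n$ up to 31 changes only the loop bound and the matrix size, which is what makes the $2^n - 1$ work factor of the text visible here.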
4.2.3 Experimental results
Assume the following scenario: Alice and Bob will be using Scheme 4.2 with parameters as in Section 4.1.1. Let $n = 31$, $C$ the companion matrix for $p(x)$ = z*4+2+1 $\in GF(2)[x]$, $D$ the companion matrix for $q(x)$ = #3! + z3! +z2# + z3+ 1 $\in GF(2)[x]$, and $T_1, T_2 \in GL_{31}(F)$ chosen at random, where $F = GF(2)[x]/(x^8 + x^4 + x^3 + x^2 + 1)$. An attacker was able to obtain the value of $H$ sent over a public network from Alice to Bob, and the value of $F$ sent from Bob to Alice.
We implemented Algorithm 4.3 in the C-language. Each of the field operations was performed as a table lookup and ordinary "textbook" matrix multiplication was used. No further speedups or optimizations were used, as opposed to the proposition in [33]. Finally, we used the Intel C-compiler v9.0.
A single Intel Pentium-IV, 2.5 GHz computer running Linux OS could perform approximately 750 iterations of Algorithm 4.3 in 1 second. Forty-four such computers (the current BOCA4 beowulf supercomputer cluster) finished the search in less than 31 hours, while some of the nodes were running other scientific computations at the same time. The search resulted in a single possibility for $b$ and $r$ which was correct.
The computed values together with $H$ and $F$ can be used directly to obtain the key exchanged between Alice and Bob, as described in Section 4.2.2.
The program returned only one candidate for $b$ and $r$. Hence, this experiment also shows that even for a relatively small field $F$ consisting of 256 elements, it is unlikely that in the case $i \neq r$ the matrix $M$ would consist of only 2 distinct elements.
4.3 Summary
We have shown that there is a difference between obtaining the integers $r$ and $s$ from $\alpha^r\beta^s$ using a brute-force attack and the computational effort to obtain either $r$ or $s$, which is needed in order to break the scheme and obtain the exchanged key.
We argued why only one out of the four secret exponents is needed in order to completely break the key exchange scheme. We proposed algorithms to obtain one of the exponents $r$ or $s$ and estimated their complexity. The time and space complexities of such algorithms can be directly used for the estimation of security parameters in the case of Stickel's scheme as well as any other cryptographic scheme (not necessarily a key exchange scheme) based on similar security assumptions.
It should also be noted that once we have obtained one exponent using our proposed algorithms, we can use the known methods for solving traditional discrete logarithms in cyclic groups to obtain the other exponent if we wish to do so.
Finally, Algorithm 4.1 can be naturally extended to factorize a group element $\beta$ into more than two predefined "basis" elements $\alpha_1, \alpha_2, \ldots, \alpha_\ell$ such that
$$\beta = \alpha_1^{x_1}\alpha_2^{x_2}\cdots\alpha_\ell^{x_\ell},$$
for some integers $x_i$'s.
5 The Public-Key Cryptosystem of Wagner and Magyarik
A number of public-key cryptosystems based on combinatorial group theory have been proposed since the early 1980s, the first of which was probably the outline of Wagner and Magyarik [37].
In our paper [3], we have analyzed and provided a critique of the public-key cryptosystem, based on combinatorial group theory (CGT), that was proposed in 1984 by Wagner and Magyarik. Their idea is actually not based on the word problem but on another, generally easier, premise problem. Moreover, the idea of the Wagner-Magyarik system is vague, and it is difficult to find a secure realization of this idea. We have published a public-key cryptosystem inspired in part by the Wagner-Magyarik idea, but we also use group actions on words. In particular, our proposed public-key cryptosystem is based on finitely presented groups with hard word problem which are also transformation groups.
Here, we provide the details from the paper. Note that many references have been omitted and can be found in the original paper [3].
5.1 The word choice problem
The word problem, as defined by Max Dehn in 1911, was summarized in Section 2.4. Here, we define the "word choice problem," a variant of the word problem.
Definition. Consider a group $G$ with a finite generating set $X$, and fix two words $w_0$ and $w_1$ over $X \cup X^{-1}$. The word choice problem is the following decision problem.