Cryptographic Protocols Based on Nielsen Transformations

Transcription

1 Jornal of Coper and Concaons hp://wwwscrporg/ornal/cc ISSN Onlne: 7-57 ISSN Prn: 7-59 Crypographc Proocols Based on Nelsen Transforaons Benan Fne Ana I S Moldenhaer Gerhard Rosenberger Deparen of Maheacs Farfeld Unversy Farfeld CT USA Fachberech Maheak Unversä Habrg Habrg Gerany How o ce hs paper: Fne B Moldenhaer AIS and Rosenberger G (06) Crypographc Proocols Based on Nelsen Transforaons Jornal of Coper and Concaons hp://dxdoorg/046/cc Receved: Ags 4 06 Acceped: Ocober 8 06 Pblshed: Ocober 06 Copyrgh 06 by ahors and Scenfc Research Pblshng Inc Ths work s lcensed nder he Creave Coons Arbon Inernaonal Lcense (CC BY 40) hp://creavecoonsorg/lcenses/by/40/ Open Access Absrac We nrodce n hs paper crypographc proocols whch se cobnaoral grop heory Based on a cobnaoral dsrbon of shares we presen secre sharng schees and cryposyses sng Nelsen ransforaons Nelsen ransforaons are a lnear echnqe o sdy free grops and general nfne grops In addon he grop of all aoorphss of a free grop F denoed by A ( F ) s generaed by a reglar Nelsen ransforaon beween wo bass of F and each reglar Nelsen ransforaon beween wo bases of F defnes an aoorphs of F Keywords Nelsen Transforaon Marx Grop SL( ) Key Cryposyse Pblc Key Cryposyse Secre Sharng Proocol Prvae Inrodcon Ths paper s locaed n he area of grop based crypography A crypographc proocol consss of he collecon of rles forlas and ehods o handle a crypographc ask In crypology s coon o call he pares who wan o concae prvaely wh each oher Alce and Bob The radonal crypographc proocols boh syerc key and pblc key sch as he RSA algorh Dffe-Hellan and ellpc crve ehods are nber heory based Hence fro a heorecal pon of vew hey depend on he srcre of abelan grops Alhogh here have been no sccessfl aacks on he sandard proocols here s a feelng ha he srengh of copng achnery has ade he echnqes less secre As a resl of hs here has been an acve lne of research o develop and analyse new crypographc proocols as for exaple cryposyses and key exchange DOI: 046/cc Ocober 06

2 B Fne e al proocols based on non-coave crypographc plafors Up o hs pon he an sorces for non-coave plafors have been nonabelan grops For an overwev abo aheacal crypography see [] and especally for a book abo non-coave grop based crypography see [] Iporan along he lne of crypographc proocols are secre sharng proocols These conss of ehods o dsrbe a secre aong a grop of sers by gvng a share of he secre o each The secre can be recovered only f a sffcen nber of sers (b perhaps no all) cobne her peces There are any dfferen ovaons for he secre sharng proble One of he os poran s he proble of ananng sensve nforaon There are wo crcal sses here: avalably and secrecy If only one person keeps he enre secre hen here s a rsk ha he person gh lose he secre or he person gh no be avalable when he secre s needed Hence s ofen sefl o lze several people n order o access a secre On he oher hand he ore people who can access he secre he hgher he chance he secre wll be leaked By sharng a secre n a hreshold schee he avalably and relably sses can be addressed The paper by C Ch B Fne and X Zhang [] conans a wealh of nforaon on secre sharng schees n general and anagng an access conrol grop Ths paper s organzed as follows We frs descrbe secre sharng proocols and a cobnaoral dsrbons of shares whch are gven by D Panagopolos n [4] Afer nrodcory defnons we sar wh a secre sharng schee sng drecly he cobnaoral dsrbon of shares Based on hs we presen wo schees n whch we apply reglar Nelsen ransforaons n connecons wh fahfl represenaons of free grops and he Nelsen redcon heory We also odfy he secre sharng schees o a prvae key cryposyse and fnally Nelsen ransforaons are sed for a pblc key cryposyse whch s nspred by he ElGaal cryposyse The new crypographc proocols are n he dsseraon of A Moldenhaer [5] nder her spervsor G Rosenb-erger a he Unversy of Habrg Ths pars of hs paper are fro [5] Prelnares for he Newly Developed Crypographc Proocols A ( n ) -secre sharng proocol wh n and n s a ehod o dsrbe a secre aong a grop of n parcpans n sch a way ha can be recovered only f a leas of he cobne her shares Hence any grop of or fewer parcpans canno calclae he secre The nber s called hreshold The person who dsrbes he shares s called dealer One of he frs ( n ) -secre sharng schees s nrodced by A Shar n [6] I has becoe he sandard ehod for solvng he ( n ) -secre sharng proble A Shar ses polynoal nerpolaon for hs ( n ) -secre sharng schee Le be any feld and le ( x y )( x y ) ( x y ) be pons n wh parwse dsnc x We say a polynoal g x over nerpolaes hese pons f 64

3 B Fne e al g x = y A Shar s secre sharng schee s based on he followng heore Theore [7] Le be any feld and le x x x be parwse dsnc eleens of and le y y y be any eleens of Then here exss a nqe polynoal of degree less han or eqal o ha nerpolaes he pons ( x y ) n -secre sharng schee s roghly hs: The dealer chooses a feld A Shar s ( ) The secre S s an eleen n The dealer pcks a polynoal g( x ) of degree wh he secre S as consan er ha s g( x) = S+ ax + ax + + a x a and a 0 He chooses parwse dsnc eleens x x xn wh x 0 for all n and dsrbes o each of he n parcpans a pon ( x g( x ) ) as a share By Theore any parcpans can deerne he polynoal g( x ) (for exaple wh Lagrange nerpolaon see [7]) and hence recover he secre S If less han people cobne her shares any eleen n can be he consan er and hence he secre A Shar sggesed o se = p = p where p s a large pre nber D Panagopolos presens n hs paper [4] a ( n ) -secre sharng schee sng grop presenaons wh solvable word proble For he secre sharng schees n he followng secons we se a cobnaoral dsrbon of he shares whch s explaned n he paper of D Panagopolos Share dsrbon ehod explaned by D Panagopolos To dsrbe he shares n a ( n ) -secre sharng schee he dealer does he follo- wng seps: n ) Calclae = he nber of all eleens for exaple { a a a} he parcpans need o know for he reconsrcon of he secre ) Le A A A be an eneraon of he sbses of { n} wh eleens Defne n sbses R R Rn of he se { a a a} wh he propery a R / A for = and = n () ) The dealer dsrbes o each of he n parcpans one of he ses R R Rn In addon o hs share dsrbon ehod he new proocols n hs paper are based on cobnaoral grop heory and Nelsen ransforaons Therefore we revew soe basc defnons concernng reglar Nelsen ransforaons and Nelsen redced ses (see [8] or [9]) Cobnaoral grop heory s he branch of algebra whch sdes grops wh he help of grop presenaons A grop presenaon for a grop G consss of a se X of generaors and a se R of defnng relaors on X We wre G = X R The grop G s called fnely generaed f boh ses X and R are fne The newly developed crypographc proocols se fnely generaed free grops Le F be a fnely X = x x xq q hen he generaed free grop wh free generang se { } 65

4 B Fne e al grop F s he se of all redced words n { q q } X ± whch s defned as ± X x x x x = x x where a word s called redced f does no conan sbwords of he for x x or xx q The deny s consdered as he epy word whch s The se of relaors for a free grop consss only of rval relaors whch are of he for denoe F by ww F = or X w w wh w a word n X hs we The epy space on he rgh sybolzed ha here are only rval relaors For ore nforaon abo grop heory see for nsance [8] [9] or [0] Le F be a fnely generaed free grop on he free generang se X { x x xq} = q and le U = { } F wh redced words n X Defnon An eleenary Nelsen ransforaon on U = { } F s one of he followng ransforaons (T) replace soe by ; (T) replace soe by where ; (T) delee soe where = In all hree cases he k for k are no changed A (fne) prodc of eleenary Nelsen ransforaons s called a Nelsen ransforaon A Nelsen ransfor- aon s called reglar f s a fne prodc of he ransforaons (T) and (T) oherwse s called snglar The se U s called Nelsen-eqvalen o he se V f here s a reglar Nelsen ransforaon fro U o V Nelsen ransforaons are a lnear echnqe o sdy free grops and general nfne grops In addon he grop of all aoorphss of a free grop F denoed by A ( F ) s generaed by a reglar Nelsen ransforaon beween wo bass of F and each reglar Nelsen ransforaon beween wo bass of F defnes an aoo- rphs of F see ([8] Korollar 0) Defnon A fne se U n F s called Nelsen redced f for any hree eleens ± v v v fro { U = } he followng condons hold: (N0) v ; (N) vv ples vv v v; (N) vv and vv ples vvv > v v+ v Here v denoes he free lengh of v F Proposon 4 ([8] Theore ) or ([9] Proposon ) = n s fne hen U can be carred by a Nelsen ransforaon no soe V sch ha V s Nelsen redced If U { } For he secre sharng schees based on Nelsen ransforaons we wll only se reglar Nelsen ransforaons We agree on soe noaons We wre ( T ) f we replace by and we wre T f we replace If we wan o apply -es one afer he oher he sae Nelsen ransfo T we wre ( T ) and hence replace by In all cases he k are no changed by raon k for Corollary 5 ([8] Korollar 9) 66

5 B Fne e al Le F be a free grop wh bass X and le U be a sbse of X whch s Nelsen redced Then s ± ± ± X U = X U () ± ± Especally f U s also a bass for F hen X = U Theore 6 ([8] Saz 6) Le U be Nelsen redced hen U s free on U For he nex lea we need soe noaons Le w be a freely redced word n X The nal segen s of w whch s a lle ore han half of w (ha s w < s w + ) s called he aor nal segen of w The nor nal segen of w s ha nal segen s whch s a lle less han half of w (ha s w s < w ) Slarly aor and nor ernal segens are defned If he free lengh of he word w s even we call he nal segen s of w wh s = w he lef half of w Analogosly we call he ernal segen s of w wh s = w he rgh half of w Le { w w w } be a se of freely redced words n X whch are no he deny An nal segen of a w-sybol (ha s of eher w or w whch are dfferen w-sybols) s called solaed f does no occr as an nal segen of any oher w-sybol Slarly a ernal segen s solaed f s a ernal segen of a nqe w-sybol Lea 7 ([0] Lea ) Le M = { w w w } be a se of freely redced words n X wh w Then M s Nelsen redced f and only f he followng condons are sasfed: ) Boh he aor nal and aor ernal segens of each w M are solaed ) For each w M of even free lengh eher s lef half or s rgh half s solaed There are dfferen probles known n cobnaoral grop Theory for exaple: Theore 8 ([8] Saz 9) Isoorphs proble n free grops: Le X and Y be wo ses Le G = X and H = Y be wo free grops on X and Y respecvely The free grop G s soorphc o he free grop H f and only f X = Y Proble 9 Word proble: Le G = X R be a presenaon of a grop and g G a gven word n X Deerne algorhcally (n fnely any seps) f g represens he deny or no A frher proble whch s a ore general proble han he word proble and s needed for soe of he developed crypographc proocols based on cobnaoral grop heory s he ebershp proble or also called exended word proble Proble 0 Mebershp proble: Gven a recrsvely presened grop G a sbgrop H of G generaed by h h hk 67

6 B Fne e al and an eleen g G deerne wheher or no g H A relaed proble (o he ebershp proble) s he consrcve ebershp proble Proble Consrcve ebershp proble: Gven a recrsvely presened grop G a sbgrop H of G generaed by h h hk and an eleen h H fnd an expresson of h n ers of h h hk Theore ([8] Saz 9) Isoorphs proble n free grops: Le X and Y be wo ses Le G = X and H = Y be wo free grops on X and Y respecvely The free grop G s soorphc o he free grop H f and only f X = Y Frherore we nrodce a lnear congrence generaor becase s also sed for he cryposyses n hs paper For n le : = n be he rng of negers odlo n The correspondng resde class n Defnon [] n n for an neger β s denoed by β (see also []) Le n and βγ n A becve appng h : n n gven by x βx+ γ s called a lnear congrence generaor Theore 4 [] (Maxal perod lengh for n = ) Le n wh n = and le βγ sch ha h : n n wh x βx+ γ s a lnear congrence generaor Frher le α { 0 n } be gven and x = α x = h( x) x = h( x) Then he seqence x x x s perodc wh axal perodc lengh n = f and only f he followng holds: ) β s odd conseqenly β 0 ) If β od 4 hen ) γ s odd conseqenly γ 0 A Cobnaoral Secre Sharng Schee Now we presen a ( n ) -secre sharng schee whereby he secre s he s of he lplcave nverse of eleens n he naral nbers For he dsrbon of he shares he dealer ses he ehod by D Panagopolos descrbed n Secon The nbers n and are gven whereby n s he nber of parcpans and s he hreshold n ) The dealer frs calclaes he nber = ) He chooses eleens a a a Fro hese eleens he consrcs analogosly as n Secon 0 he ses R R Rn The secre S s he s S : = + a () = ) Each parcpan p ges one share R n If of he n parcpans coe ogeher hey can reconsrc he secre whle hey frs cobne her prvae ses R and ge by consrcon he se R = { a a a} 68

7 B Fne e al The secre s he s of he nverse eleens n he se R ha s S = a (4) = Ths crypographc proocol s sarzed n Table If he dealer needs a specal secre S he gves every parcpan one ore eleen x n each R wh S x : = (5) S The parcpans ge S by lplyng he reconsrced secre S wh x Secry 5 Each eleen a s exacly conaned n n( ) sbses Hence for each = he eleen a s no conaned n sbses fro { R R Rn} As a conseqence a s n each non of sbses Oherwse f s arbrary ses fro { R R Rn} are cobned here exs a sch ha he eleen a s no nclded n he non of hs ses Table Sary of he cobnaoral ( n ) -secre sharng schee ( n ) -secre sharng schee Dealer Parcpans p p p n n Calclae = Choose a a a Consrc ses R { a a a } wh share dsrbon ehod gven by D Panagopolos; n s R = for = n Dsrbe shares o he parcpans R p R p R n p n parcpans cobne her shares and hs ge a a a he se { } The secre s S = = a 69

8 B Fne e al If s one eleen a s absen he parcpans do no ge he correc s S and hence canno cope he correc secre Reark 6 We realze ha he share dsrbon ehod by D Panagopolos s also gven as a specal case by M Io A Sao and T Nshzek n [] In [5] s shown ha f he ehod n [] s sed o generae a ( n ) -secre sharng schee hen he sae share dsrbon ehod as by D Panagopolos s descrbed M Io A Sao and T Nshzek se a lple assgnen schee whch s a ehod o dsrbe o each parcpan ore han only one share ogeher wh a ( ) -secre sharng schee Ths he share dsrbon ehod by D Panagopolos s a specal case of paper [] In addon n [5] s shown n deal ha he prely cobnaoral secre sharng schee s very slar o a schee whch J Benaloh and J Lecher oban f hey realze a ( n ) -secre sharng schee sng nal CNF-forla descrbed n her paper [] Reark 7 I s poran n ers of praccably ha he dealer calclaes and dsrbes he shares for he parcpans long before he secre s needed by he parcpans Hence he dealer has enogh e o exece he share dsrbon ehod and hs copaonal cos shold be of no conseqence for he crypographc proocol If parcpans reconsrc he secre hey add p only eleens whch s feasble n lnear e Exaple 8 We perfor he seps for a ( 4 ) -secre sharng schee I s n = 4 and = The dealer follows he seps: n 4 ) He frs calclaes = = = 6 ) The dealer chooses he nbers a : = a : = a : = a 4 : = 8 a : = 4 and 5 a : 6 = The secre s S : = a = 8 = (a) The sx sbses wh sze of he se { 4 } are A = { } A = { } A = { } 4 { } { } { } A = A = 4 A = Wh help of he A he dealer ges he ses R R R and R 4 whch conan eleens fro { a a6} He ps he eleen a for whch s no conaned n he se A for = 4 and = 6 no he se R hs s: { } / A A A R = a a a { } / A A A R = a a a 6 6 { } / A A A R = a a a 5 5 { } 4 / A A A R = a a a

9 B Fne e al ) The dealer dsrbes he se R o he parcpan p for = 4 If hree of he for parcpans coe ogeher hey can calclae he secre S For exaple he parcpans p p and p hold he se R : = R R R = a a a a a a a a a = { 4 5 6} { 6} { 5} { a a a a a a } and hence ge he secre 6 S = = wh a R a 8 = 4 A Secre Sharng Schee Usng a Reglar Nelsen Transforaon In hs secon we descrbe a ( n ) -secre sharng schee exends he deas n Secon by sng Nelsen ransforaons We consder free grops as absrac grops b also as sbgrops of he specal lnear grop of all arces over ha s a b SL( ) = a b c d and ad bc = c d We se he specal lnear grop over he raonal nbers becase hese nbers can be sored and coped ore effcenly on a coper han rraonal nbers n Le F be a free grop n SL( ) of rank : = The dealer wans o dsrbe he shares for he parcpans as descrbed n Secon The shares wll be sbses of a free generang se of he grop F (n an absrac and an explc verson) The nbers n and are gven whereby n s he nber of parcpans and s he hreshold The dealer does he followng seps: ) He chooses an absrac free generang se X for he free grop F of rank n : = ha s { } = wh : = (6) F X X x x x He also needs an explc free generang se M ha s and SL( ) { } wh : F = M M = M M M (7) M ) Wh he known arces n he se M he copes he secre + S : = wh a : = r ( M ) (8) = a a b r ( M ) s he race for he arx M : = SL( ) ha s r ( M ) : = a + d c d If he dealer needs a specal secre he can ac as n Secon descrbed 7

10 B Fne e al ) The dealer consrcs he shares for he parcpans n he followng way: (a) He frs apples a reglar Nelsen ransforaon slaneosly for boh ses X and M o ge Nelsen-eqvalen ses U and N o X and M respecvely (see Fgre ) The eleens N SL are words n X and he eleens N are words n M Hence s (b) The dealer now ses he ehod of D Panagopolos o spl U and N and o ge he shares ( ) R S for he parcpans wh R 4) The dealer dsrbes he shares U and S N If of he n parcpans cobne her pars hey oban he ses U and N The secre can be recovered as follows: The parcpans apply reglar Nelsen ransforaons n a Nelsen redcon anner for U and sep by sep slaneosly for N By Proposon 4 hey ge Nelsen redced ses { } X = x x x and { } M = M δ M δ M δ wh δ + see Fgre { } ± Becase of Corollary 5 s X = X ± ± and M = M ± respecvely Hence ( x x x ) dffers o ( x x x ) s n he poson order and nverses Tha eans he se X s he se X p o nverses The sae s re for M and M Ths s { } X = x x x and also { } M = M δ M δ M δ wh δ { } The crypographc proocol s sarzed n Table (page 7) Less han parcpans can neher ge he whole se U whch s Nelsen-eqvalen o X nor he se N whch s Nelsen-eqvalen o M For he calclaon of he secre he parcpans need he se M becase he secre depends on he races of he arces M M The parcpans need boh ses U and N If hey s have one se U or N hey canno ge nforaon abo he se M If he se U s known s only known whch Nelsen ransforaon shold be done o ge he Nelsen-eqvalen se X b s nknown on whch arces hey shold be done slaneosly If only he se N s known hen he arces n SL( ) are known b nobody knows whch Nelsen ransforaon shold be done on N o ge he se M I s also nknown how any Nelsen ransforaons were sed In he book ([] page 47) of J Lehner a ehod s gven o explcly oban a free Fgre Slaneosly reglar Nelsen ransforaons for he dealer 7

11 B Fne e al Fgre Slaneosly reglar Nelsen ransforaons for he parcpans Table Sary of he secre sharng schee sng Nelsen ransforaons and SL( ) ( n ) -secre sharng schee Dealer Parcpans p p p n n Calclae = X : = x x x M : = M M M M SL (all or alos all M SL ( ) ) Apply slaneosly reglar Nelsen ransforaon (NT) on X and M: ( x x x ) ( M M M ) NT NT N N N Choose absrac free generang se { } and explc free generang se { } wh ( ) ( ) : = { } ; N : { N N N } U = Consrc ses R U and S N wh share dsrbon ehod gven by D Panagopolos; n s R = S = for = n Dsrbe shares o he parcpans ( R S ) ( R S ) p p ( Rn Sn) p n parcpans cobne her shares and hs ge he ses U and N Apply slaneosly reglar Nelsen ransforaon (NT) on U and N: ( ) ( N N N ) NT NT ( x x x ) ( M M M ) The secre s + S : = wh a : = r ( M ) = a generang se M for a free grop F on he absrac generang se X { x x x } : = : 7

12 B Fne e al Theore 9 [] Le F be a free grop wh conably any free generaors x x Correspondng o wh x defne he arx M r + r = r r sch ha he followng neqales hold: (9) r r + and r (0) The grop G generaed by { } We now presen an exaple for hs secre sharng schee Exaple 0 We perfor he seps for a M M s soorphc o F of he coper progra Maple 6 I s n = = and hence Frs he Dealer generaes he shares for he parcpans -secre sharng schee wh he help = = ) The dealer chooses an absrac presenaon for he free grop F of rank He akes an explc presenaon { } F = X wh X : = x x x { } F = M wh M : = M M M M SL as above We frs enon ha he neqales (0) hold for and hence he se of he arces M M 7 5 r = r = r = = = = = 5 5 M 0 = = + s a free generang se for a free grop of rank ) The dealer chooses and hence he secre s a : = r M = 7 a : = r M = 5 a : = r M = 589 S : = = = a 0 ) Consrcon of he shares for he parcpans: 74

13 B Fne e al (a) Frs he dealer apples reglar Nelsen ransforaons (NTs) slaneosly for boh ses X and M o ge Nelsen-eqvalen ses U and N o X and M respecvely These ransforaons are shown n Table (see page 75) and Table 4 (see page 76) The Dealer obans he ses and { } N = N N N { } { : } U = = x x x x x x x x x x x x x : = (b) He ges he shares ( ) follows: R S for he parcpans wh R U and S N as Table Nelsen ransforaons (NTs) of he dealer I NTs heorecal se X explc se M { x x x } ( T ) { x x x } ( T ) { x x x x } ( T ) { x x x x x } ( T ) { xx x xx xx } ( T ) { xx x xx xx } ( T ) { xx x xx x xx xx }

14 B Fne e al Table 4 Nelsen ransforaons (NTs) of he dealer II NTs heorecal se X explc se M ( T ) { x x x x x x x x x x } ( T ) { x x x x x x x x x x x x x } ) I s n = = = ) The dealer chooses he eleens a a a and ges he hree ses { } { } { } 4A = A = A = Wh he help of he A he dealer ges he ses R R and R whch conan eleens fro he se { a a a } He ps he eleen a by whch s no conaned n he se A for = and = no he se R { } / A A R = a a { } / A A R = a a { } / A A R = a a Now we apply hs o U and N o creae he share-ses for he parcpans respec- vely: { } { } R = S = N N { } { } R = S = N N { } { } R = S = N N 4) The Dealer dsrbes o each parcpan a ple ( ) ( ) R S p ges ( ) R S and p ges ( ) R S R S Parcpan p ges Asse he parcpans p and p coe ogeher o reconsrc he secre They U N = N N N The secre can be are able o generae he ses = { } and { } recovered as follows The parcpans apply reglar Nelsen ransforaons sep by sep slaneosly for boh ses U and N o ge X and M The seps are shown n he Table 5 (see page 77) and Table 6 (see page 78) Wh he knowledge of he se 4 M 4 = 7 5 parcpans can reconsrc he secre easly I s he 76

15 B Fne e al Table 5 Nelsen ransforaons (NTs) fro he parcpans I NTs heorecal se U explc se N { x x x x x x x x x x x x x } ( T ) { x x x x x x x x x x x x x } ( T ) { x x x x x x x x x x } ( T ) { x x x x x x x x x x } ( T ) { x x x x x x x x } ( T ) { x x x x x x } a : = r M = 7 a : = r M = 5 a : = r M = and hence s 589 S : = = + + = = a n In general we can se any free arx grop F of rank : = for a ( n ) - secre sharng schee as s descrbed n hs secon The shares can be generaed by he above ehod and are ples ( R S ) wh R U and S N Soe oher deas for he secre S are S : = r ( M ) or S : = r ( M ) or () = = = ( ) ( ) S : = r M or S : = r M or () = = ( ) ( ) S : = r M M f s even or S : = r M () = 77

16 B Fne e al Table 6 Nelsen ransforaons (NTs) fro he parcpans II NTs heorecal se U explc se N ( T ) { xx x x xx } ( T ) { xx x xx } ( T ) { xx x xx } ( T ) { } ( T ) { } x x xx x x xx ( T ) { x x x } Anoher Secre Sharng Schee Based on Nelsen Transforaons We explan anoher secre sharng schee whch arses of he proocol n Secon 4 As n he prevos secon le F be a fnely generaed free grop wh he absrac free = q \{ } generang se X : { x x xq} For a ( ) F = X ha s n -secre sharng schee he dealer chooses a Nelsen redced se n U = { } F wh = The are gven as words n X The secre s he s = S : = (4) wh he lengh of he word The dealer does a reglar Nelsen ransforaon on he se U o ge he Nelsen- eqvalen se V (see Fgre ) Each parcpan p n ges one se R V sharng schee above as n he prevos secre 78

17 B Fne e al Fgre Reglar Nelsen ransforaon If of he n parcpans coe ogeher o reconsrc he secre hey cobne her shares and ge he se V = { v v v} They have o fnd a Nelsen-redced se U : = { } o V They apply Nelsen ransforaons n a Nelsen redcng anner as descrbed n [8] and [9] and ge fro V a Nelsen-redced se U The secre s he s S = wh U (5) = becase for each s = X for soe (see he proof of Corollary n [0]) X Fro U we ge U by peraons and lengh preservng Nelsen ransforaons Ths ( n ) -secre sharng schee s sarzed n Table 7 (page 80) 6 A Syerc Key Cryposyse Usng Nelsen Transforaons In hs secon we nrodce a syerc key cryposyse sng Nelsen ransforaons Before Alce and Bob are able o concae wh each oher hey have o ake soe arrangeens We speak abo pblc paraeers also n prvae key cryposyses becase hese are paraeers whch each person also an eavesdropper Eve ges f she looks a he sen cpherex Pblc paraeers are also eleens whch Alce and Bob concae wh each oher pblcly I s also no a secre whch planex alphabe s sed for he concaon Pblc Paraeers They frs agree on he followng pblc paraeers ) A fnely generaed free grop F wh free generang se X = { x x xq} wh q ) A planex alphabe A= { a a an } wh N ) An absrac free grop H = U wh rank ( H ) = A = N and an absrac free generang se U = { N } wh N absrac leers 4) A sbse A : = { f f f 8 } A ( H ) of aoorphss of H I s 0 8 f : H H and he f = 0 parwse dfferen are generaed wh he help of 0--seqence (of dfferen lengh) and rando nbers see ([5] Secon 44) 79

18 B Fne e al Table 7 Sary of he ( n ) -secre sharng schee sng Nelsen ransforaons ogeher wh Nelsen redced ses and free lenghs of ceran words ( n ) n Calclae = Choose absrac free generang se { q} X x x x -secre sharng schee Dealer Parcpans = wh q \{ } and a Nelsen redced se U = { } F words n X Apply reglar Nelsen ransforaon (NT) on U: ( ) ( v v v ) NT V : { v v v } Consrc ses = R V wh share dsrbon ehod gven by D Panagopolos; n s R = for = n Dsrbe shares o he parcpans R R R n p p p n p p pn parcpans cobne her shares and hs ge he se V Apply reglar Nelsen ransforaon (NT) on V: ( v v v ) ( ) NT The secre s S = = X The se A s par of he key space 5) They agree on a lnear congrence generaor h : 8 8 wh a axal perod lengh Prvae Paraeers Now hey agree on he prvae paraeers ) Alce and Bob choose an explc Nelsen redced se U wh N eleens whch are words n X Sch syses U are easly o consrc (see Lea 7 and Theore 6 or also [8] and [9]) Now s FU = U a free sbgrop of F wh rank N I s Nred he se of all nal Nelsen redced ses wh N eleens n F whch s par of he key space 80

19 B Fne e al ) They se a one-o-one correspondence A U a for = N (6) ) Alce and Bob agree on an aoorphs f α A hence α s he coon 8 secre sarng pon α { 0 } wh = α 8 for he lnear congrence generaor Wh hs α hey are able o generae he seqence f f f (wh z he nber of he planex ns whch are leers fro A) of z aoorphss of he se A whch hey need for encrypon and decrypon respecvely Reark If he explc se U : = { N } word n X s sed hen F U s a free sbgrop of F and wh he aoorphs f A wh f : F U FU he se U f = { f f f N } s generaed whch s Nelsen eqvalen o he se U The key space: The se Nred of all nal (wh respec o a lexcographcal order) Nelsen redced se of F wh N eleens The se A of 8 randoly chosen aoorphs of F U Prvae Key Cryposyse Now we explan he prvae key cryposyse and look careflly a he seps for Alce and Bob Pblc knowledge: F = X X = { x x xq} wh q ; planex alphabe A= { a a an } wh N ; he se A ; a lnear congrence generaor h Encrypon and Decrypon Procedre: ) Alce and Bob agree prvaely on he prvae paraeers: a se U Nred and an aoorphs f α A They also know he one-o-one correspondence beween U and A ) Alce wans o rans he essage S= ss sz z (7) wh s A o Bob ) She generaes wh he lnear congrence generaor h and he knowledge of f α he z aoorphss f f f whch she needs for encrypon I s z = α = h z = h( z ) ) The encrypon s as follows f s = a hen s c : = f z N (8) Recall ha he one-o-one correspondence A U wh a for = N holds The cpherex C = f s f s f s wh s = ˆ s = a z z = cc c z (9) s sen o Bob The c are called he cpherex ns and we do no perfor cancellaons beween c and c + and he end of each c s arked z for exaple wh he sybol On he one hand he cpherex n c can be seen as a 8

20 B Fne e al { N } word n U becase he se U f ( ) f ( ) f ( ) = s Nelsen eqvalen f ˆ : = k = for s a k f s f c o U and = s an eleen n U f On he oher hand can be wren as a word n X becase he explc eleens n U are words n X and so are he eleens n he Nelsen eqvalen se ) Bob ges he cpherex U f o U C= cc c z (0) wh c z words n X He knows where each cpherex n c begns and ends Hence he ges he nforaon ha he has o se z aoorphss of F fro he se A for decrypon He has wo possbles for decrypon a) Wh he knowledge of f α he se U = { N } he lnear congrence generaor h and he nber z he copes for each aoorphs f = z he se wh ( ) { ( N) } U = f f f () f f wren as a redced word n X Hence wh he one-o-one correspondence beween U and A he ges a one-o-one correspondence beween he leers n he alphabe A and he words of he cpherex dependng on he aoorphss f Ths s shown n Table 8 (page 8) Wh he knowledge of he Table 8 (page 8) he decrypon s as follows wh f c = f hen c s = a z N () He generaes he planex essage s A fro Alce S= ss s z () b) Bob knows he Nelsen redced se U hence wh an algorh as for exaple explaned n he book ([8] page~) he s able o wre he eleens c as words n U Wh he knowledge of he aoorphs f α he se U = { N } he lnear congrence generaor h and he nber z he ges he aoorphss f whch Alce sed for encrypon of c Becase of he fac ha a one-o-one correspondence beween A and U s sed and he cpherex n c s an age of an eleen n U Bob knows wh he aoorphs f and he nder he aoorphs f cpherex n c wren as word n U he planex leer ponds o he cpherex n c Ths crypographc proocol s sarzed n Table 9 (page 8) Table 8 Planex alphabe A { a a a } dependng on he aoorphss a A whch corres- = N correspondng o cpherex alphabe f f U U f f U U f z a f ( ) f ( ) f ( ) z a f ( ) f ( ) f ( ) f a f ( N ) f ( N ) ( N ) N z z 8

21 B Fne e al Reark As soon as Alce and Bob agree on he sarng seed aoorphs and he Nelsen redced se U Bob s able o calclae he frs colns of Table 8 (page 8) for decrypon (he does no know how any colns he wll need becase he does no know ye how long he planex fro Alce wll be) If he ges he cpherex C fro Alce he only has o do a search n he able o ge he correspondng planex ns o Table 9 Sary of he prvae key cryposyse Pblc Knowledge F = X X = { x x x q} q ; planex alphabe A= { a a a N } N ; absrac free grop H = U U = { N } wh absrac leers; se A A ( H ) ; lnear congrence generaor h of axal perodc lengh Alce Bob Prvae keys Explc se U = { N } wh words n X U F Nelsen redced se U = N ; seed f α one-o-one correspondence A U a A Encrypon Choose essage S= ss s z z wh s A Calclae = α = h ( ) = h( z z) oban f f f z Encrypon procedre: f s = a hen s c : = f ( ) z N Cpherex: C= f ( s ) f ( s ) f ( s ) = cc c z z z wh c wren as words n X C= c c cz Decrypon Cope z aoorphs: = α = h ( ) = h( z z) oban f f f z Two possbles: For each f = z cope U = { f ( ) f ( ) f ( f )} N and ge a able lke Table 8 (page 8) (Decrypon: Search n hs able) f c = f ( ) hen c s = a z N Use Nelsen redced se U and an algorh o wre he cpherex ns c (gven as words n X) as words n U Togeher wh he sed aoorphs he cpherex s decryped correcly Reconsrc planex essage S= ss s z wh s A 8

22 B Fne e al he cpherex ns If colns are ssng o decryp he cpherex he calclaes he ssng colns Ths n Verson a nsead of Verson b for decrypon Bob s able o do calclaons for decrypon even before he knows he cpherex Reark The cryposyse s a polyalphabec syse ha eans a word U and hence a leer a A s encryped dfferenly a dfferen posons n he planex becase dfferen aoorphss are sed drng he encrypon procedre for each cpherex n Ths for he cpherex a sascal freqency aack (see for nsance []) over he freqency of words whch correspond o leers n he planex alphabe or grops of words s seless I follows an exaple n whch for decrypon a able (see Table 8 (page 8)) s sed whch sores he cpherex alphabe U f and s generaed wh he aoorphss Alce ses for encrypon see Exaple 4 Addonally n [5] an exaple s gven n whch Bob knows he Nelsen redced se U hence wh a known algorh he s able o wre he cpherex as a seqence of words n U Wh he aoorphss Alce ses for encrypon he s able o decryp he cpherex correcly Exaple 4 Ths exaple was execed n GAP All deals are gven n Appendx A Frsly Alce and Bob agree on pblc paraeers ) Le F be he free grop on he free generang se X= { xyz } ) Le A = { a a a8} = { LEIOUAVB } be he planex alphabe ) Le H be he absrac free grop of rank A = 8 wh free generang se U = { 8} 4) A se A A ( H ) s deerned In hs exaple we gve he aoorphss whch Alce and Bob se for encrypon and decrypon respecvely s a he oen when hey are needed 5) The lnear congrence generaor wh axal perodc lengh s h : The prvae paraeers for hs exaple are he followng: ) Le F U be he explc fnely generaed free grop whch s generaed wh he U = wh words n X for hs exaple s free generang se { } The sarng aoorphs 8 ha a = for : = xyz : = yzy : = x zx : = y x 4 : = z xyx : = z yx : = x y : = y z f s f hence s 44 = α = 44 I s known U and a A herefore L = ˆ = xyz E= ˆ = yzy I= ˆ = x zx O = ˆ = y x 4 U= ˆ = z xyx A = ˆ = z yx V = ˆ = x y B = ˆ = y z Grops Algorhs and Prograng [4] 84

23 B Fne e al We now look a he encrypon and decrypon procedre for Alce and Bob ) Wh he above agreeens Alce s able o encryp her essage S = LOVE Her essage s of lengh 4 She generaes he cpherex as follows: ) Frs she deernes wh he help of he lnear congrence generaor h : 8 8 wh + 5 and he sarng seed α = 44 he for aoorphss f A 4 whch she needs for encrypon I s = α = 44 = h = 787 h = h = and = = The aoorphss are descrbable wh he help of reglar Nelsen ransforaons s ( N) ( N) ( N) ( N) ( N) ( N) ( N ) f = ˆ N N N N N 4 N N N f : H H ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) f = ˆ N N N N N N N 4 N N f : H H ( N) ( N) ( N) ( N) ( N) ( N ) f = ˆ N N N N N N N N N f : H H

24 B Fne e al ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) ( N ) f = ˆ N N N N N 8 N N N N f : H H he Nelsen ransforaons are appled fro he lef o he rgh ) Secondly she encryps her essage The cpherex s C = f L f O f V f E 4 = f f f f = The cpherex C s wren as words n X s C= = xyzx y zy x yzy x yz yx z xyx x z y x zx yz y xzx ) Bob ges he cpherex C = xyzx y zy x yzy x yz yx z xyx x z y x zx yz y xzx 5 5 fro Alce Ths he knows ha he needs 4 aoorphss for decrypon ) Bob knows he se U he lnear congrence generaor h and he sarng seed aoorphs f For decrypon he ses ables lke Table 8 (page 8) 44 Now he s able o cope for each aoorphs f he se U f 4 and o generae Table 0 (page 86) and Table (page 87) Wh hese ables he s able o reconsrc he planex fro Alce He searches for he planex eleen s he cpherex n c n he coln U f 4 and hence ges he alphabe leer a = s for a { 8} Therefore he decryps he cpherex o he essage Table 0 Correspondence: Planex alphabe o cpherex alphabe I L U f U f xyzx y zy x E yzy xzx ( y x ) xz y x yzy x yz y z yx z xyx I x zx ( y x ) x zx z x ( yx ) O U y x z yx y x zxyzx y x y yzy x yz yx z xyx 5 x y x zxyzx y A z yx zx ( y x ) V B xy zx yx y z z xy z y z yx z xyx z yx z xy zy x x yz yx z xyx 4 y z xyzx y yz x yz y 86

25 B Fne e al Table Correspondence: Planex alphabe o cpherex alphabe II L E U f U f 4 xyzyz y x z xy z yz y x zx y y xzyz x zx yz y xzx I 4 ( x zx z y ) y xzx z xy zy xz x O ( y x z y ) U x y x yx zx A z yx ( z) 5 V B xy x yz xy zy xz x z xy zy xz x z yx yzy xzyz x z y x yx yx zx yz y y x z xy z y z yz y xz x y C = xyzx y zy x yzy x yz yx z xyx x z y x zx yz y xzx 5 5 S = LOVE Secry 5 The cryposyse s a polyalphabec syse ha eans a word U and hence a leer a A s encryped dfferenly a dfferen posons n he planex becase dfferen aoorphss are sed drng he encrypon procedre for each cpherex n Ths for he cpherex a sascal freqency aack (see for nsance []) over he freqency of words whch correspond o leers n he planex alphabe or grops of words s seless The secry depends on he fac ha he se U s prvae Noe ha he cpherex ns c are eleens n F U wh FU = U An eavesdropper Eve knows ha he eleens of he se U whch where sed for he encrypon can be fond n he ball B( F L ) of he Cayley graph fro F wh L = ax c = z (4) { } X and c cpherex ns of an nerceped cpherex C = c c c z (5) The sybol arks he end of each cpherex n c z Le C = { c c cz} (6) be he se of cpherex ns and le C Nred be a Nelsen redced se of C hence he grop FC generaed by C Nred Nred s a free sbgrop of F U and rank ( FC Nred ) z The an secry cerfcaon depends on he fac ha for a sngle sbse V of F U wh K eleens Eve fnds a Nelsen redced se n he rnnng e ( λ K ) wh λ he ax over he free lengh of he eleens n he sbse V wh K prve eleens b she has o es all possble sbses of K eleens for whch she needs exponenal rnnng e becase he nber of prve eleens grows exponenally wh he free lengh here wh L She searches n a ball B( F L ) wh L = ax { c c C } for hese prve eleens A sbse of V s also known s C Nred V b she has o p all oher prve eleens o hs se and proves f V whch s Nelsen redced o V s of order N and 87

26 B Fne e al hence a canddae for U Frherore he secry depends on he way how Alce and Bob choose he aoorphss of he se A To verfy wheher a canddae se V s very lkely he se U sed by Alce and Bob s lkely ha Eve wres he cpherex ns c wh leers of her canddae se V ± Ths s possble becase he consrcve ebershp proble (see Proble ) s solvable n absrac free grops and Nelsen redced ses Ths she cold ge hns for he aoorphss sed for encrypon and s no only a bre force search hrogh he se A A ore dealed crypographcal analyss can be fond n [5] and here are also hree odfcaons gven whch are sarzed as follows: ) We presen a odfcaon where he cpherex s only one redced word n X nsead of a seqence of words n hs case s possble ha addonal nforaon s needed for decrypon hs hese are sen wh he cpherex f reqred The cpherex can be nerpreed as words n X and as words n U hs he addonal nforaon cold be gven abo he cpherex wren as a word n U or as a word n X Secry: The secry cerfcaon s exended o he fac ha Eve s n general no able o denfy he begnnng and end of a cpherex n c = z There cold also be cancellaons whch she s no able o recognze Eve s neher able o deerne he nber L becase she does no know wha he cpherex ns c exacly look lke nor s she able o generae he se C Nred Ths worsens her aacks of he nodfed crypographc proocol above ) We presen a odfcaon whch ses a fahfl represenaon fro F no he specal lnear grop SL( ) sch ha he cpherex s a seqence of arces n SL( ) Frherore a varaon can be sed where he cpherex s no a seqence of arces b a seqence of enres of arces Ths redces he space for he cpherex and he eory space for he decrypon able Secry: The secry cerfcaon s exended o he fac ha here s no algorh known o solve he (consrcve) ebershp proble for (dscree) free sbgrops of SL( ) whch are of rank greaer han or eqal o and no sbgrops of SL( ) see [5] Therefore he aack whch ses a Cayley graph and aoorphss of A n he nodfed crypographc proocol s no realzable n hs odfcaon ) We presen a odfcaon whch lzes he negave solon of Hlber's Tenh Proble Insead of a presenaon of he cpherex as a seqence of arces n SL( ) he cpherex s represened as a seqence of arces n GL( R ) wh R: = [ y y yn ] he negral polynoal rng n n varables Here we ge wo sbcases he frs apples he odfcaon wh Hlber's Tenh Proble on a ex gven as a seqence of words n X and he second apples o a ex gven as a seqence of words n U Secry: The secry cerfcaon s exended o Hlber s Tenh Proble In addon he secry s proved by he fac ha for each encrypon Alce and Bob can ake prvaely epheeral arces n GL ( R ) R = [ y y yn ] wh he n propery ha he coon prvae pon D generaes he correc arces n 88

27 B Fne e al PSL( ) Ths gves randoness o cpherexs whch coplcaes aacks for Eve The aack whch ses a Cayley graph and aoorphss of A n he nodfed crypographc proocol s no realzable n hs odfcaon Reark 6 In [5] are wo ore prvae key cryposyses gven whch se fnely generaed free grops Nelsen ransforaons and aoorphss on fnely generaed free grop The frs one ses aoorphss on F nsead of a sbgrop of F as n he above descrbed prvae key cryposyse I also has hree odfcaons whch se he deas for he odfcaons above The second proocol ses aoo- rphss on planex ns and n addon randoly chosen epheeral keys (arces of ( ) ) whch gve randoness o he cpherexs 7 Cryposyse wh Nelsen Transforaon Inspred by he ElGaal Cryposyse Now we descrbe a pblc key cryposyse for Alce and Bob whch s nspred by he ElGaal cryposyse (see [6] or ([] Secon )) based on dscree logarhs ha s: ) Alce and Bob agree on a fne cyclc grop G and a generang eleen g G a ) Alce pcks a rando naral nber a and pblshes he eleen c: = g ) Bob who wans o send a essage G o Alce pcks a rando naral b b b ab nber b and sends he wo eleens c and g o Alce Noe ha c = g a b b 4) Alce recovers ( c ) ( g ) = = N N be he free generang se of he fnely generaed free grop F = X I s ± * * X = X X The essage s an eleen S S denoes he se of all freely redced words wh leers n X ± Pblc are he free grop F s free generang se X * and an eleen a S The aoorphs f gven as a Nelsen ransforaon or a Whehead-Aoorphs (see for nsance he book [7]) shold be chosen randoly an approach s gven n ([5] Secon 44) An ElGaal lke pblc key cryposyse wh pblc paraeers deerned by Alce s now as follows: Pblc paraeers: The fnely generaed free grop F = X a freely redced For he new pblc key cryposyse n hs secon le X { x x x } word a n he free grop F and an aoorphs f : F F of nfne order Encrypon and Decrypon Procedre: ) Alce chooses prvaely a naral nber n and pblshes he eleen n * f ( a) = : c S * ) Bob pcks prvaely a rando and hs essage S The nber s an epheeral key for hs essage he changes for each essage becase of Reark 7 He calclaes he freely redced eleens f c = : c S and f a = : c S (7) He sends he cpherex * * ) Alce calclaes * * c c S S o Alce 89

28 B Fne e al n n ( ) ( ) ( ) n ( ) c f c = f c f c = = n n f f a f f a = + n + f a f a (8) and ges he essage The ElGaal lke pblc key cryposyse s sarzed n Table (page 90) Reark 7 I s poran ha dfferen rando epheeral keys are sed o encryp dfferen essages As s for he sandard ElGaal cryposyse (see [8]) Sppose ha Bob ses he sae epheeral key o encryp wo essages and and asse ha s known The cpherex pars are ( c c ) and ( c c ) wh c = c c = f ( c) and c = f ( c) Eve only has o calclae c c o ge he essage Secry 8 A possble aacker Eve can see he eleens cc c no know he free lengh of and he cancellaons beween and cold be possble ha s copleely canceled by he frs leers of f she canno deerne fro he gven S * She does f c n c I c Hence n c Eve s sees words f ( a ) and f a Table Sary of he ElGaal lke pblc key cryposyse sng aoorphss on a fnely generaed free grop F Choose prvae key n Cope n * f a = : c S Free grop F Pblc Paraeers = X a freely redced word a n F and an aoorphs f : F F of nfne order Alce Key Creaon * ( S denoes he se of all freely redced words wh leers n X ± ) Pblsh c Cope n n c f c = f c f c ( ) ( ) n n = f ( f ( a) ) f ( f ( a) ) + n n+ = f ( a) ( f ( a) ) = whch s he essage fro Bob Encrypon Bob * Choose planex S Choose rando epheeral key Cope ( c c) Decrypon * * f c = : c S and f a = : c S Send cpherex * * c c S S o Alce 90

29 B Fne e al n he free generang se X fro whch s nlkely o realze he exponens n and ha s he prvae keys fro Alce and Bob respecvely The secry s based on he Dffe-Hellan proble and dscree logarh proble n cyclc sbgrops of aoorphss n free grops Varaon 9 We gve soe deas o enhance he secry hey can also be cobned: * ) The eleen a S cold be aken as a coon prvae secre beween Alce and Bob They cold se for exaple he Anshel-Anshel-Goldfeld key exchange proocol (see for nsance []) o agree on he eleen a ) Alce and Bob agree on a fahfl represenaon fro F no he specal lnear grop * of all g: F SL Now S and arces wh enres n ha s Bob sends he eleen g( ) g( f ( c) ) : c SL ( ) * f ( c) = : c S ; c and n c g f ( c) = g and hence he essage ( ) ( ) = nsead of c rean he sae Therefore Alce calclaes g g S * = Ths varaon n addon exends he secry cerfcaon o he consrcve ebershp proble n he arx grop SL( ) (see [5]) We now explan hs varaon n ore deals In addon o X = { x x xn } Alce chooses a second absrac se Y = { y y yn } wh X Y = whch generaes a free grop F = Y of rank N The aoorphs f fro Alce s an aoorphs on a free grop of rank X f we denfy x wh y for = N hen f s also an aoorphs of F becase X = Y and hence F s soorphc o F see Theore Alce needs a fahfl represenaon of X Y no SL( ) sch ha g: X Y SL x M wh = N and M SL (9) y W wh = N and W SL and W SL (0) Ths each W has a leas one enry whch s an eleen n \ n * (a) The pblc eleen fro Alce s as before c = f ( a) S wh prvae key n * (b) Bob chooses prvaely a essage S a rando and calclaes n + n c f a S f c = f f a = f a S * = as before Afer hs he copes * and wres as a word n Y whereby he sed he assgnen x = y for N We denoe f ( c ) as fy ( c ) when f ( c ) s wren as a word n Y The eleen fy ( c ) s a redced word n Y Bob s eleen c = fy ( c) s now a redced word n X Y He apples he fahfl represenaon g on hs eleen I s ( Y ) ( ) Y SL( ) SL( ) g f c = g g f c = : c SL () * * * Insead of ( c c) S S he sends ( c c ) S SL( ) o Alce n (c) Frsly Alce calclaes f ( c ) and hence ges he sae eleen f c as 9

30 B Fne e al Bob becase + + ( ) f c = f f a = f a = f a = f f a = f c () n n n n n n Secondly she wres f ( c ) as a word n Y hs she ges fy he fahfl represenaon g o calclae of g( fy c ) and ogeher wh ( ( )) ( )( ( )) Y Y Y c Thrdly she ses c she ges c g f c = g g f c g f c = g SL () She ges a arx n SL( ) and she knows ha hs arx s a word n he leers hence here s an algorh (see for nsance [8]) o wre g( ) as M N g X and herefore as a word n X Ths she s able o recon-src a word n An eavesdropper Eve ges a arx c SL and she s no able o wre as a word n he se X Y (becase here s no algorh known o solve he consrcve ebershp proble n a (dscree) free sbgrop of SL( ) of rank greaer han or eqal o (see [5]) whch s no n SL( ) ) Ths she canno ge he saon as n he cryposyse who he fahfl represenaon g no SL( ) There s no hn for he essage nsead of he syse above n whch s possble ha an nal segen of s vsble whereby Eve does no know how long hs nal segen s and f s relay vsble Ths hs varaon exends he secry cerfcaon o he consrcve ebershp proble n he arx grop SL( ) We now end hs secon wh an exaple Exaple 0 Ths exaple s a very sall one and s s gven for llsraon prposes The calclaons were done wh GAP see Appendx B Bob wans o send a essage o Alce The pblc paraeers are he free grop F of rank wh free generang se X= { xyz } he freely redced word a F wh a : = x yz y and he aoorphs f : F F whch s gven for hs exaple by he reglar Nelsen ransfor- aon: ( N) ( N) ( N) ( N) hs s: f : F F x xy y z z y z ) Alce s prvae key s n = 7 Ths she ges he aoorphs Her pblc key s f 7 : F F x xy z y ( yz) ( zyz y) zy ( ) ( ) y y z y z y z z y z z y z z y z y z y z z 9

31 and 7 c : = f a = xy z y yz zyz y zy z y zyz yz zyz yz ) Bob prvaely pcks he epheeral key = 5 and ges he aoorphs Hs essage for Alce s 5 c = f c f 5 : F F x xyz yz zy ( ) y y z y z z z y z z y z z y zx y x = He calclaes = z y zx yz z y z y z y z y z z y ( ) (( z y z y ) z y ) ( z y z ) z xy z y z ( ( z y z y ) z y ) ( z y z ) z y ( z y z ) z y z y z z y z y z z y z y z y z ( ) ( ) y z z y z y z y z y z y z z y z y z y z y z y z y 5 c : = f a = xy z y z zy z y zyz zyz The cpherex for Alce s he ple ( ) ) Alce frs copes and ges by 7 ( ( )) c c f c = y ( zy z) zyz zy ( zyz) zy (( zyz) yz) zyz ( ) zy zyz yz zyzyz zyz y z y ( ( z y) zy) z yzy z ( zyz y) zy z ( zyz y) z y ( ) zyz yz zyzyz zyz y z zy y x B Fne e al 9

32 B Fne e al ( ) = c f c = z y zx y x 7 8 Conclsons A Shar s secre sharng proocol (see [6]) has becoe he sandard ehod for solvng he ( n ) -secre sharng proble The nrodced secre sharng schees are of aheacal neres In conras o oher secre sharng schees he par for he parcpans a he cobnaoral secre sharng schee see Secon s very easy hey only have o add p eleens The (e) expensve par s he par of he dealer who has o generae he ses R for he parcpans In conras o Shar's schee where he par of he dealer s he easer one and he parcpans have o do polynoal nerpolaon o reconsrc he secre The secre sharng schee of Secon 4 ses cobnaoral grop heory especally Nelsen ransforaons and fnely generaed free grops I s aheacally a very neresng crypographc proocol whch serves very good as a bass o develop oher crypographc proocol In addon he secre sharng schee of Secon 5 s also a aheacally very neresng crypographc proocol Boh secre sharng schees are he bass for he newly developed cryposyses In coparson o he sandard cryposyses whch are osly based on nber heory we explaned wo cryposyses whch se cobnaoral grop heory The frs cryposyse n Secon 6 s a knd of a one-e pad whch choce of he rando seqence for encrypon s no nber-heorec Especally he odfcaons wh arces are of neres for crypography If he syerc key cryposyse s sed ogeher wh he second odfcaon whch ses a fahfl represenaon no SL( ) hen he syse s secre and he secry depends on he nknown solon of he (consrcve) ebershp proble n he sed arx grops If s sed ogeher wh he hrd odfcaon whch ses arces n GL( R ) R = [ y y y ] n hen he syse s secre and he secry depends n n addon on he negave solon of Hlber s Tenh Proble Moreover we ge also randoness o each cpherex by he epheeral arces whch he encryper sed for encrypon To generae hese epheeral arces he only needs he coon secre n pon D hs proves also he secry Alogeher we ge neresng new prvae key cryposyses whch se non-coave grops and are based on cobnaoral grop heory and no only on nber heory They provde oher opons for prvae key cryposyses whch are based on cobnaoral grop heory The second cryposyse n Secon 7 s slar o he ElGaal cryposyse (see [6]) whch s easer o handle The ElGaal cryposyse s based on he dscree logarh proble over a fne feld If hs proble shold evenally be solved we nrodced here an alernave syse whch s no based on nber heory For frher research one cold search for oher crypographc proocols whch can be based on Nelsen ransforaons for exaple a pblc key cryposyse whch s no ElGaal lke or a key exchange proocol There s no algorh known o solve he 94