Using semidirect product of (semi)groups in public key cryptography

Similar documents
Using semidirect product of (semi)groups in public key cryptography

Public key exchange using semidirect product of (semi)groups

A LINEAR ATTACK ON A KEY EXCHANGE PROTOCOL USING EXTENSIONS OF MATRIX SEMIGROUPS

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

arxiv: v1 [math.gr] 20 Feb 2018

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 1: Introduction to Public key cryptography

arxiv: v1 [cs.cr] 1 May 2012

ONE of the requirements of symmetric

CPSC 467b: Cryptography and Computer Security

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

Applications of Combinatorial Group Theory in Modern Cryptography

International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 9, No. 1 (2015)

Cryptanalysis of the Algebraic Eraser

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

AN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM

A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring

Exploring platform (semi)groups for noncommutative

Math 594. Solutions 5

Frank Moore Algebra 901 Notes Professor: Tom Marley Direct Products of Groups:

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture Notes, Week 6

arxiv: v3 [cs.cr] 15 Jun 2017

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

8 Elliptic Curve Cryptography

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

14 Diffie-Hellman Key Agreement

Chapter 8 Public-key Cryptography and Digital Signatures

Zero-knowledge authentication schemes from actions on graphs, groups, or rings

EXERCISES. a b = a + b l aq b = ab - (a + b) + 2. a b = a + b + 1 n0i) = oii + ii + fi. A. Examples of Rings. C. Ring of 2 x 2 Matrices

A PROOF OF BURNSIDE S p a q b THEOREM

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Exercises on chapter 1

Lecture 28: Public-key Cryptography. Public-key Cryptography

A REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP

Automorphism Groups Definition. An automorphism of a group G is an isomorphism G G. The set of automorphisms of G is denoted Aut G.

Lecture V : Public Key Cryptography

Introduction to Cryptography. Lecture 8

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 4.1: Homomorphisms and isomorphisms

MATH 158 FINAL EXAM 20 DECEMBER 2016

Johns Hopkins University, Department of Mathematics Abstract Algebra - Spring 2009 Midterm

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

ENTRY GROUP THEORY. [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Multiplicative Jordan Decomposition in Integral Group Rings

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Extra exercises for algebra

Sharing a Secret in Plain Sight. Gregory Quenell

Elliptic Curves: Theory and Application

1. Group Theory Permutations.

9 Knapsack Cryptography

MA441: Algebraic Structures I. Lecture 15

Cosets, factor groups, direct products, homomorphisms, isomorphisms

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

The Outer Automorphism of S 6

CRYPTOGRAPHY AND NUMBER THEORY

Elements of solution for Homework 5

Algebra homework 6 Homomorphisms, isomorphisms

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Modular Arithmetic (Read Sections 4.1 thro 4.4)

A gentle introduction to isogeny-based cryptography

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

KEY EXCHANGE IN ELLIPTIC CURVE CRYPTOGRAPHY BASED ON THE DECOMPOSITION PROBLEM

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Assigment 1. 1 a b. 0 1 c A B = (A B) (B A). 3. In each case, determine whether G is a group with the given operation.

Introduction to Modern Cryptography. Benny Chor

Note that a unit is unique: 1 = 11 = 1. Examples: Nonnegative integers under addition; all integers under multiplication.

ALGEBRA QUALIFYING EXAM PROBLEMS

ALGEBRA EXERCISES, PhD EXAMINATION LEVEL

Public Key Cryptography

Introduction to Elliptic Curve Cryptography. Anupam Datta

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Abstract Algebra: Supplementary Lecture Notes

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

1 Fields and vector spaces

Authentication schemes from actions on graphs, groups, or rings

MODEL ANSWERS TO HWK #7. 1. Suppose that F is a field and that a and b are in F. Suppose that. Thus a = 0. It follows that F is an integral domain.

Lecture 22: RSA Encryption. RSA Encryption

Algebra Exam Fall Alexander J. Wertheim Last Updated: October 26, Groups Problem Problem Problem 3...

HOMEWORK Graduate Abstract Algebra I May 2, 2004

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture 7 Cyclic groups and subgroups

THE CONJUGACY SEARCH PROBLEM IN PUBLIC KEY CRYPTOGRAPHY: UNNECESSARY AND INSUFFICIENT

Lecture 7: ElGamal and Discrete Logarithms

Thompson s group and public key cryptography

Cryptography and Security Final Exam

School of Mathematics and Statistics. MT5824 Topics in Groups. Problem Sheet I: Revision and Re-Activation

5 Group theory. 5.1 Binary operations

MODEL ANSWERS TO THE FIRST HOMEWORK

Abstract Algebra FINAL EXAM May 23, Name: R. Hammack Score:

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Transcription:

Using semidirect product of (semi)groups in public key cryptography Delaram Kahrobaei City University of New York Graduate Center: PhD Program in Computer Science NYCCT: Mathematics Department University of Wisconsin-Madison June 15, 2016

The Diffie-Hellman public key exchange (1976) 1. Alice and Bob agree on a public (finite) cyclic group G and a generating element g in G. We will write the group G multiplicatively. 2. Alice picks a random natural number a and sends g a to Bob. 3. Bob picks a random natural number b and sends g b to Alice. 4. Alice computes K A = (g b ) a = g ba. 5. Bob computes K B = (g a ) b = g ab. Since ab = ba (because Z is commutative), both Alice and Bob are now in possession of the same group element K = K A = K B which can serve as the shared secret key.

Security assumptions To recover g ab from (g, g a, g b ) is hard. To recover a from (g, g a ) (discrete log problem) is hard.

Variations on Diffie-Hellman: why not just multiply them? 1. Alice and Bob agree on a (finite) cyclic group G and a generating element g in G. We will write the group G multiplicatively. 2. Alice picks a random natural number a and sends g a to Bob. 3. Bob picks a random natural number b and sends g b to Alice. 4. Alice computes K A = (g b ) (g a ) = g b+a. 5. Bob computes K B = (g a ) (g b ) = g a+b. Obviously, K A = K B = K, which can serve as the shared secret key. Drawback: anybody can obtain K the same way!

Semidirect product Let G, H be two groups, let Aut(G) be the group of automorphisms of G, and let ρ : H Aut(G) be a homomorphism. Then the semidirect product of G and H is the set Γ = G ρ H = {(g, h) : g G, h H} with the group operation given by (g, h)(g, h ) = (g ρ(h ) g, h h ). Here g ρ(h ) denotes the image of g under the automorphism ρ(h ).

Extensions by automorphisms If H = Aut(G), then the corresponding semidirect product is called the holomorph of the group G. Thus, the holomorph of G, usually denoted by Hol(G), is the set of all pairs (g, φ), where g G, φ Aut(G), with the group operation given by (g, φ) (g, φ ) = (φ (g) g, φ φ ). It is often more practical to use a subgroup of Aut(G) in this construction. Also, if we want the result to be just a semigroup, not necessarily a group, we can consider the semigroup End(G) instead of the group Aut(G) in this construction.

Key exchange using extensions by automorphisms (Habeeb-Kahrobaei-Koupparis-Shpilrain) Let G be a group (or a semigroup). An element g G is chosen and made public as well as an arbitrary automorphism (or an endomorphism) φ of G. Bob chooses a private n N. While Alice chooses a private m N. Both Alice and Bob are going to work with elements of the form (g, φ k ), where g G, k N.

Using semidirect product (cont.) 1. Alice computes (g, φ) m = (φ m 1 (g) φ 2 (g) φ(g) g, φ m ) and sends only the first component of this pair to Bob. Thus, she sends to Bob only the element of the group G. 2. Bob computes a = φ m 1 (g) φ 2 (g) φ(g) g (g, φ) n = (φ n 1 (g) φ 2 (g) φ(g) g, φ n ) and sends only the first component of this pair to Alice: b = φ n 1 (g) φ 2 (g) φ(g) g.

Using semidirect product (cont.) 3. Alice computes Her key is now (b, x) (a, φ m ) = (φ m (b) a, x φ m ). K A = φ m (b) a. Note that she does not actually compute x φ m because she does not know the automorphism x; recall that it was not transmitted to her. But she does not need it to compute K A.

Using semidirect product (cont.) 4. Bob computes His key is now (a, y) (b, φ n ) = (φ n (a) b, y φ n ). K B = φ n (a) b. Again, Bob does not actually compute y φ n because he does not know the automorphism y. 5. Since (b, x) (a, φ m ) = (a, y) (b, φ n ) = (g, φ) m+n, we should have K A = K B = K, the shared secret key.

Special case: Diffie-Hellman G = Z p φ(g) = g k for all g G and a fixed k, 1 < k < p 1, where k is relatively prime to p 1. Then (g, φ) m = (φ m 1 (g) φ(g) φ 2 (g) g, φ m ). The first component is equal to g km 1 +...+k+1 = g km 1 k 1. The shared key K = g km+n 1 k 1.

Special case: Diffie-Hellman The Diffie-Hellman type problem would be to recover the shared key K = g km+n 1 k 1 from the triple (g, g km 1 k n 1 k 1, g k 1 ). Since g and k are public, this is equivalent to recovering g km+n from the triple (g, g km, g kn ), i.e., this is exactly the standard Diffie-Hellman problem.

Group ring Definition (Group ring) Let G be a group written multiplicatively and let R be any commutative ring with nonzero unity. The group ring R[G] is defined to be the set of all formal sums r i g i g i G where r i R, and all but a finite number of r i are zero.

We define the sum of two elements in RG by a i g i + b i g i = i + b i )g i. gi G gi G gi G(a Note that (a i + b i ) = 0 for all but a finite number of i, hence the above sum is in R[G]. Thus (R[G], +) is an abelian group. Multiplication of two elements of R[G] is defined by the use of the multiplications in G and R as follows: a i g i b i g i = a j b k g i. gi G gi G gi G g j g k =g i

Platform: matrices over group rings Our general protocol can be used with any non-commutative group G if φ is selected to be an inner automorphism. Furthermore, it can be used with any non-commutative semigroup G as well, as long as G has some invertible elements; these can be used to produce inner automorphisms. A typical example of such a semigroup would be a semigroup of matrices over some ring.

Platform: matrices over group rings We use the semigroup of 3 3 matrices over the group ring Z 7 [A 5 ], where A 5 is the alternating group on 5 elements. Then the public key consists of two matrices: the (invertible) conjugating matrix H and a (non-invertible) matrix M. The shared secret key then is: K = H (m+n) (HM) m+n.

Here we use an extension of the semigroup G by an inner automorphism ϕ H, which is conjugation by a matrix H GL 3 (Z 7 [A 5 ]). Thus, for any matrix M G and for any integer k 1, we have ϕ H (M) = H 1 MH; ϕ k H (M) = H k MH k.

1. Alice and Bob agree on public matrices M G and H GL 3 (Z 7 [A 5 ]). Alice selects a private positive integer m, and Bob selects a private positive integer n. 2. Alice computes (M, ϕ H ) m = (H m+1 MH m 1 H 2 MH 2 H 1 MH M, ϕ m H ) and sends only the first component of this pair to Bob. Thus, she sends to Bob only the matrix A = H m+1 MH m 1 H 2 MH 2 H 1 MH M = H m (HM) m.

3. Bob computes (M, ϕ H ) n = (H n+1 MH n 1 H 2 MH 2 H 1 MH M, ϕ n H ) and sends only the first component of this pair to Alice. Thus, he sends to Alice only the matrix B = H n+1 MH n 1 H 2 MH 2 H 1 MH M = H n (HM) n.

4. Alice computes (B, x) (A, ϕ m) = (ϕm(b) A, x ϕm ). Her H H H key is now K Alice = ϕ m(b) A = H (m+n) (HM) m+n. Note H that she does not actually compute x ϕ m because she does H not know the automorphism x = ϕ n ; recall that it was not H transmitted to her. But she does not need it to compute K Alice.

5. Bob computes (A, y) (B, ϕ n ) = (ϕn (A) B, y ϕn ). His key H H H is now K Bob = ϕ n (A) B. Again, Bob does not actually H compute y ϕ n because he does not know the H automorphism y = ϕ m. H 6. Since (B, x) (A, ϕ m H ) = (A, y) (B, ϕn H ) = (M, ϕ H )m+n, we should have K Alice = K Bob = K, the shared secret key.

Security assumptions To recover H (m+n) (HM) m+n from (M, H, H m (HM) m, H n (HM) n ) is hard. To recover m from H m (HM) m is hard.

Nilpotent groups and p-groups Definition First we recall that a free group F r on x 1,..., x r is the set of reduced words in the alphabet {x 1,..., x r, x1 1,..., x r 1 }. It is a fact that every group that can be generated by r elements is the factor group of F r by an appropriate normal subgroup. We are now going to define two special normal subgroups of F r. The normal subgroup Fr p is generated (as a group) by all elements of the form g p, g F r. In the factor group F r /Fr p every nontrivial element therefore has order p (if p is a prime).

Nilpotent groups and p-groups (cont.) The other normal subgroup that we need is somewhat less straightforward to define. Let [a, b] denote a 1 b 1 ab. Then, inductively, let [y 1,..., y c+1 ] denote [[y 1,..., y c ], y c+1 ]. For a group G, denote by γ c (G) the (normal) subgroup of G generated (as a group) by all elements of the form [y 1,..., y c ]. If γ c+1 (G) = {1}, we say that the group G is nilpotent of nilpotency class c. The factor group F r /γ c+1 (F r ) is called the free nilpotent group of nilpotency class c. This group is infinite.

Free nilpotent p-group The group G = F r /Fr p2 γ c+1 (F r ) is what we suggest to use as the platform for the key exchange protocol. This group, being a nilpotent p-group, is finite. Its order depends on p, c, and r. For efficiency reasons, it seems better to keep c and r fairly small (in particular, we suggest c = 2 or 3), while p should be large enough to make the dimension of linear representations of G so large that a linear algebra attack would be infeasible. The minimal faithful representation of a finite p-group as a group of matrices over a finite field of characteristic p is in this case of dimension 1 + p. Thus, if p is, say, a 100-bit number, a linear algebra attack is already infeasible.

Thanks Thank You!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback