A Closer Look at the Multilinear Cryptography using Nilpotent Groups
arXiv preprint [math.GR]
Delaram Kahrobaei, Antonio Tortora, Maria Tota
Abstract
In a previous paper we generalized the definition of a multilinear map to arbitrary groups and introduced two multiparty key-exchange protocols using nilpotent groups. In this paper we have a closer look at the protocols and address some incorrect cryptanalyses that have been proposed.
Keywords: multilinear map, nilpotent group, key-exchange protocol
1 Introduction

Let $n$ be a positive integer. In [4] we generalized the definition of a multilinear map for cyclic groups of the same prime order (see [1]) to arbitrary groups $G_1, \dots, G_n$ and $G_T$. Indeed, we defined a map $e : G_1 \times \cdots \times G_n \to G_T$ to be an $n$-linear map (or a multilinear map) if for any $a_1, \dots, a_n \in \mathbb{Z}$ and any $g_i \in G_i$ we have
$$e(g_1^{a_1}, \dots, g_n^{a_n}) = e(g_1, \dots, g_n)^{a_1 \cdots a_n}.$$
The map $e$ is symmetric when $G_1 = \cdots = G_n = G$, and non-degenerate if there exists $g \in G$ such that $e(g, \overset{n}{\dots}, g) \neq 1$. Notice also that $e$ is not necessarily linear in each component.

In this paper we have a closer look at two multiparty key-exchange protocols introduced in [4]. Also, we will address some incorrect cryptanalyses which have been proposed in [10].

The protocols are based on the use of nilpotent group identities. Recall that a group $G$ is nilpotent if it has a finite series of subgroups
$$G = H_0 > H_1 > \cdots > H_n = \{1\}$$
which is central, that is, each $H_i$ is normal in $G$ and $H_i/H_{i+1}$ is contained in the center of $G/H_{i+1}$. The length of a shortest central series is the nilpotency class of $G$. Hence, nilpotent groups of class at most 1 are abelian. A great source of nilpotent groups is the class of finite $p$-groups, i.e., finite groups whose orders are powers of a prime $p$.

Let $G$ be a nilpotent group of class $n > 1$ and let $g_1, \dots, g_{n+1}$ be elements of $G$. Then, by a characterization of nilpotent groups, we have
$$[g_1, \dots, g_{n+1}] = 1,$$
where $[g_1, \dots, g_{n+1}]$ is defined recursively by the rules $[g_1, g_2] = g_1^{-1} g_2^{-1} g_1 g_2$ and $[g_1, \dots, g_{n+1}] = [[g_1, \dots, g_n], g_{n+1}]$. According to Proposition 3 of [4], for any $i \in \{1, \dots, n\}$ and $a_i \in \mathbb{Z} \setminus \{0\}$, it follows that
$$[g_1, \dots, g_{i-1}, g_i^{a_i}, g_{i+1}, \dots, g_n] = [g_1, \dots, g_{i-1}, g_i, g_{i+1}, \dots, g_n]^{a_i}.$$
This allows us to construct the multilinear map $e : G^n \to G$ given by $e(g_1, \dots, g_n) = [g_1, \dots, g_n]$. Notice that, for $n = 2$, $e$ is the bilinear map which has been mentioned in [8].

A group $G$ is said to be $n$-Engel, with $n \ge 1$, if
$$[x, {}_n g] = [x, \underbrace{g, \dots, g}_{n}] = 1 \quad \text{for all } x, g \in G.$$
Of course any nilpotent group of class $n$ is $n$-Engel. Also, it is well known that there exist nilpotent groups of class $n+1$ which are not $n$-Engel (see, for instance, [6, Theorem 6.2]). Thus, if $G$ is such a group and $x, g$ are elements of $G$ such that $[x, {}_n g] \neq 1$, one can consider the non-degenerate multilinear map $e' : G^n \to G$ given by $e'(g_1, \dots, g_n) = [x, g_1, \dots, g_n]$.

2 The protocols

In [4] we proposed the following two key-exchange protocols based on the multilinear maps $e$ and $e'$, respectively. In both cases we have $n+1$ users $A_1, \dots, A_{n+1}$ with private nonzero integers $a_1, \dots, a_{n+1}$, respectively, who want to agree on a shared secret key.

Protocol I
Let $G$ be a public nilpotent group of class $n > 1$ and let $g_1, \dots, g_n \in G$ be such that $[g_1, \dots, g_n] \neq 1$.

• The users $A_1$ and $A_{n+1}$ transmit over a public channel $g_1^{a_1}$ and $g_n^{a_{n+1}}$, respectively; the user $A_j$ ($j = 2, \dots, n$) transmits $g_{j-1}^{a_j}$ and $g_j^{a_j}$.
• The user $A_1$ computes $[g_1^{a_2}, \dots, g_n^{a_{n+1}}]^{a_1}$.
• The user $A_j$ ($j = 2, \dots, n$) computes $[g_1^{a_1}, \dots, g_{j-1}^{a_{j-1}}, g_j^{a_{j+1}}, g_{j+1}^{a_{j+2}}, \dots, g_n^{a_{n+1}}]^{a_j}$.
• The user $A_{n+1}$ computes $[g_1^{a_1}, \dots, g_n^{a_n}]^{a_{n+1}}$.

Hence, each user obtains $[g_1, \dots, g_n]^{\prod_{j=1}^{n+1} a_j}$, which is the shared key.

Protocol II

Let $G$ be a public nilpotent group of class $n+1$ which is not $n$-Engel ($n \ge 1$) and let $x, g \in G$ be such that $[x, {}_n g] \neq 1$.

• Each user $A_j$ computes $g^{a_j}$ and sends it to the other users.
• The user $A_1$ computes $[x^{a_1}, g^{a_2}, \dots, g^{a_{n+1}}]$.
• The user $A_j$ ($j = 2, \dots, n$) computes $[x^{a_j}, g^{a_1}, \dots, g^{a_{j-1}}, g^{a_{j+1}}, \dots, g^{a_{n+1}}]$.
• The user $A_{n+1}$ computes $[x^{a_{n+1}}, g^{a_1}, \dots, g^{a_n}]$.

The common key is $[x, {}_n g]^{\prod_{j=1}^{n+1} a_j}$.

2.1 Platform groups

As a basis for the key-exchange methods described above, we suggest considering finitely generated nilpotent groups. These groups are polycyclic, and in particular supersoluble (see, for instance, [9, 5.4.6]). Recall that a group $G$ is said to be polycyclic if it has a finite cyclic series, that is, a sequence of subgroups
$$G = G_1 > G_2 > \cdots > G_{n+1} = \{1\} \quad (1)$$
such that, for $1 \le i \le n$, $G_{i+1}$ is normal in $G_i$ and $G_i/G_{i+1}$ is cyclic. The group $G$ is then supersoluble when the series is normal, i.e., each $G_{i+1}$ is normal in $G$.

Let $G$ be a polycyclic group with the cyclic series (1). Following [3], we say that a sequence $X = (x_1, \dots, x_n)$ of elements of $G$ such that $G_i/G_{i+1} = \langle x_i G_{i+1} \rangle$, for $1 \le i \le n$, is a polycyclic sequence for $G$; hence, each $G_i$ is generated by $x_i, \dots, x_n$. Defining $r_i = |G_i : G_{i+1}| \in \mathbb{N} \cup \{\infty\}$, the sequence $R(X) = (r_1, \dots, r_n)$ is called the sequence of relative orders for $X$. The set $\{ i \in \{1, \dots, n\} \mid r_i \text{ is finite} \}$ is usually denoted by $I(X)$. If $X$ is a polycyclic sequence for $G$ with the relative orders $R(X) = (r_1, \dots, r_n)$, then for any $g \in G$ there exists a unique sequence $(e_1, \dots, e_n)$ of integers, with $0 \le e_i < r_i$ if $i \in I(X)$, such that
$$g = x_1^{e_1} \cdots x_n^{e_n}$$
(see [3, Lemma 8.3]). This latter expression is the normal form of $g$ with respect to $X$, and $(e_1, \dots, e_n)$ is the exponent vector of $g$ with respect to $X$.

A group presentation $\langle x_1, \dots, x_n \mid R \rangle$ is called a nilpotent presentation if there exist a sequence $S = (s_1, \dots, s_n)$, with $s_i \in \mathbb{N} \cup \{\infty\}$, and integers $a_{i,k}, b_{i,j,k}, c_{i,j,k}$ such that $R$ consists of the following relations:
$$x_i^{s_i} = x_{i+1}^{a_{i,i+1}} \cdots x_n^{a_{i,n}} \quad \text{for } 1 \le i \le n \text{ with } s_i \in \mathbb{N},$$
$$x_j^{-1} x_i x_j = x_i x_{i+1}^{b_{i,j,i+1}} \cdots x_n^{b_{i,j,n}} \quad \text{for } 1 \le j < i \le n,$$
$$x_j x_i x_j^{-1} = x_i x_{i+1}^{c_{i,j,i+1}} \cdots x_n^{c_{i,j,n}} \quad \text{for } 1 \le j < i \le n.$$
Every finitely generated nilpotent group has a polycyclic sequence $X$ which induces a consistent nilpotent presentation, where consistent means that $R(X) = S$; conversely, every consistent nilpotent presentation defines a finitely generated nilpotent group (see [3, Lemma 8.23]). Furthermore, for a group $G$ given by a consistent nilpotent presentation $\langle x_1, \dots, x_n \mid R \rangle$, there exists a method that allows one to determine the normal form of any $g \in G$ with respect to $X = (x_1, \dots, x_n)$ (see [3, Subsection 8.1.3]). This is the so-called collection algorithm, which is implemented in GAP [12] and MAGMA [2], and it has proved to be practical for finite and infinite groups.

In the context of Protocol II (and similarly for Protocol I), assuming that $\langle x_1, \dots, x_n \mid R \rangle$ is a consistent nilpotent presentation of $G$ and that $x_1^{e_1} \cdots x_n^{e_n}$ is the normal form of $g$, we can make public the exponent vector $(e_1, \dots, e_n)$ and require the following: each user $A_j$ computes the normal form $x_1^{a_{j1}} \cdots x_n^{a_{jn}}$ of $g^{a_j}$ and sends the exponent vector $(a_{j1}, \dots, a_{jn})$ to the other users.

3 The Power Search Problem

The security of our protocols is based on the Power Search Problem (PSP): given a group $G$ and elements $g, h \in G$, find an integer $a$ such that $g^a = h$. This is actually equivalent to the Discrete Logarithm Problem (DLP) in the cyclic group generated by $g$.

Recently, for a finite nilpotent group, an algorithm to solve the PSP has been introduced in [10]. However, we point out that it is not practical.
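The following Python program is an added worked example and is not code from the paper or its authors. It instantiates both protocols in the unitriangular group $UT(4, \mathbb{Z}_p)$ (nilpotent class 3, so Protocol I runs with $n = 3$ and four users, Protocol II with $n = 2$ and three users), checks that every user derives the same key $[g_1, g_2, g_3]^{a_1 a_2 a_3 a_4}$, respectively $[x, g, g]^{a_1 a_2 a_3}$, and then plays the eavesdropper of Proposition 3.1 below: because the first nonzero off-diagonal entry of $g^a$ is $a$ times the corresponding entry of $g$, the PSP in $UT(n, \mathbb{Z}_p)$ is a single division in $\mathbb{Z}_p$, and all secrets and the key fall out of the public messages. The prime modulus, the generators $I + E_{12}, I + E_{23}, I + E_{34}$ and the secret exponents are constructed for the illustration.

```python
"""Protocols I and II over UT(4, Z_p), and the Proposition 3.1 eavesdropper.

Constructed example, not the paper's code. UT(4, Z_p) has nilpotent class 3,
so Protocol I runs with n = 3 generators and four users, and Protocol II with
n = 2 and three users (UT(4, Z_p) is not 2-Engel: [x, g, g] != 1 below)."""
from functools import reduce

P = 1_000_003  # constructed prime modulus; any prime p >= 4 works here

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]

def mat_inv(m):
    """Unitriangular inverse: N = M - I is nilpotent, so M^-1 = I - N + N^2 - ..."""
    n = len(m)
    nil = [[(m[i][j] - (i == j)) % P for j in range(n)] for i in range(n)]
    result, power, sign = identity(n), identity(n), -1
    for _ in range(n - 1):
        power = mat_mul(power, nil)
        result = [[(result[i][j] + sign * power[i][j]) % P for j in range(n)]
                  for i in range(n)]
        sign = -sign
    return result

def mat_pow(m, e):
    if e < 0:
        return mat_pow(mat_inv(m), -e)
    result, base = identity(len(m)), m
    while e:
        if e & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        e >>= 1
    return result

def commutator(*gs):
    """Left-normed [g1, ..., gk] = [[g1, g2], ..., gk], with [x, y] = x^-1 y^-1 x y."""
    return reduce(lambda x, y: reduce(mat_mul, (mat_inv(x), mat_inv(y), x, y)), gs)

def elem(i, j, n=4):
    """The unitriangular matrix I + E_ij (0-based indices)."""
    m = identity(n)
    m[i][j] = 1
    return m

# Public Protocol I data: g1 = I+E12, g2 = I+E23, g3 = I+E34, so [g1, g2, g3] = I+E14 != I.
GENS = [elem(0, 1), elem(1, 2), elem(2, 3)]

def protocol_one(secrets, gens=GENS):
    """Protocol I with n = len(gens) generators and n+1 users (0-based u).
    Returns (sent, keys): sent[u] maps generator index -> power published by
    user u; keys[u] is the key user u derives."""
    n = len(gens)
    assert len(secrets) == n + 1
    sent = []
    for u, a in enumerate(secrets):
        msg = {}
        if u >= 1:       # A_j with j >= 2 publishes g_{j-1}^{a_j}
            msg[u - 1] = mat_pow(gens[u - 1], a)
        if u <= n - 1:   # A_j with j <= n publishes g_j^{a_j}
            msg[u] = mat_pow(gens[u], a)
        sent.append(msg)
    keys = []
    for u, a in enumerate(secrets):
        # slot i holds g_i^{a_i} (from user i) if i < u, else g_i^{a_{i+1}} (from user i+1)
        args = [sent[i][i] if i < u else sent[i + 1][i] for i in range(n)]
        keys.append(mat_pow(commutator(*args), a))
    return sent, keys

def protocol_two(secrets, x, g):
    """Protocol II: each user publishes g^{a_j}; user j evaluates
    [x^{a_j}, g^{a_1}, ..., g^{a_{n+1}}] with its own g-share omitted."""
    shares = [mat_pow(g, a) for a in secrets]
    keys = []
    for j, a in enumerate(secrets):
        others = [s for i, s in enumerate(shares) if i != j]
        keys.append(commutator(mat_pow(x, a), *others))
    return shares, keys

def solve_psp_ut(g, h):
    """PSP in UT(n, Z_p) as in Proposition 3.1: for the first nonzero
    off-diagonal entry b_ij of some row of g, the same entry of h = g^a is
    a*b_ij, so a = c_ij / b_ij in Z_p. The result is a mod p, which is all
    the key depends on."""
    n = len(g)
    for i in range(n):
        for j in range(i + 1, n):
            if g[i][j] % P:
                return h[i][j] * pow(g[i][j], -1, P) % P
    raise ValueError("g is the identity matrix; no information about a")

def eavesdrop_protocol_one(sent, gens=GENS):
    """Recover every secret (mod p) from the public messages, then the key."""
    recovered = []
    for msg in sent:
        i = next(iter(msg))  # any generator this user exponentiated
        recovered.append(solve_psp_ut(gens[i], msg[i]))
    product = reduce(lambda s, t: s * t % P, recovered)
    return recovered, mat_pow(commutator(*gens), product)
```

Calling `protocol_one([a1, a2, a3, a4])` and then `eavesdrop_protocol_one` on the returned messages gives back every $a_j$ modulo $p$ and the agreed key, which is the concrete content of the remark after Proposition 3.1 that $UT(n, \mathbb{Z}_m)$ and $UT(n, \mathbb{Z})$ are unusable platforms; `solve_psp_ut` applied to the $g^{a_j}$ messages of `protocol_two` breaks Protocol II in the same way. The same `commutator` routine also verifies the multilinearity identity of Proposition 3 of [4] on any inputs in this group.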
To explain why, assume that $G$ is a finite $p$-group. Also, let $G_1 = G$ and for $i \ge 1$ define recursively $G_{i+1} = G_i^p G_i'$, where $G_i^p = \langle g_i^p \mid g_i \in G_i \rangle$ and $G_i' = \langle [g_i, g_i'] \mid g_i, g_i' \in G_i \rangle$. Since the order of $G$ is a power of $p$, one can consider in $G$ the normal series
$$G = G_1 > G_2 > \cdots > G_n = \{1\}. \quad (2)$$
Notice that each factor $G_i/G_{i+1}$ is an abelian group of exponent $p$. Therefore $g^{p^{k-1}} \in G_k$ for any $g \in G$ and any $k \in \{1, \dots, n\}$.

Now suppose $g^a = h$, for some $g, h \in G$, and write $a = a_0 + a_1 p + \cdots + a_{n-1} p^{n-1}$ where $0 \le a_i < p$. Then
$$(g G_2)^{a_0} = h G_2. \quad (3)$$
The first step of the algorithm in [10] consists in finding $a_0$. In particular, when $g, h \notin G_2$, the author affirms that the "exponent $a_0$ is uniquely computed by usual computation with vectors in $G/G_2$". After examining the case ($g \notin G_2$, $h \in G_2$), the process continues until all the integers $a_i$ are obtained.

Actually it could be very difficult to find $a_0$ when the prime is big enough. For example, let $p$ be a safe prime, i.e., $p = 2q + 1$ with $q$ prime, and let $G = \langle g \rangle$ be the subgroup of order $q$ of the multiplicative group of integers modulo $p$ (note that a generator of the whole multiplicative group has order $2q$, so it is the order-$q$ subgroup that is a $q$-group, and $q$ plays the role of the prime in (2)). Thus the series (2) becomes $G = G_1 > G_2 = \{1\}$. Hence, finding $a_0$ from (3) essentially means solving the DLP of $h$ with respect to $g$. However $G$ has order $q$ and, when $q$ is very large, it is well known that the DLP is hard in $G$ (without the use of a quantum algorithm [11]).

Let $R$ be a commutative ring with identity and denote by $UT(n, R)$, where $n > 1$, the group of all $n \times n$ (upper) unitriangular matrices over $R$, that is, (upper) triangular matrices with $1$ on the diagonal. Then $UT(n, R)$ is a nilpotent group of class $n - 1$, which is generated by finitely many elements when $R = \mathbb{Z}_m$ or $\mathbb{Z}$ (see, for instance, [9, Section 5.4]). Moreover every finite $p$-group can be embedded in $UT(n, \mathbb{F}_p)$, for a finite field $\mathbb{F}_p$ of characteristic $p$ (see [9, Exercise 5.1.11]), and every finitely generated torsion-free nilpotent group can be embedded in $UT(n, \mathbb{Z})$ (see [5, 3.3.4]).

In [10] the above mentioned algorithm has been applied to solve the PSP in $UT(n, \mathbb{F}_p)$. In addition, a "similar algorithm" (but without details) has been proposed for the same purpose in $UT(n, \mathbb{Z})$. On the other hand, in [7, Subsection 2.2], for a finite field $K$, it has been shown that the PSP for a matrix in $UT(4, K)$ (provided that the entries of the superdiagonal are not all zero!) can be reduced to the PSP in the additive group of $K$. This can be generalized as follows.

Proposition 3.1.
Let $R$ be a commutative ring with identity. Then solving the PSP in $UT(n, R)$ is equivalent to solving the PSP in the additive group of $R$.

Proof. Let $g \in UT(n, R)$ and suppose that $g = (b_{ij})$ is not the identity matrix. It is enough to prove that for any $a \ge 1$, if $g^a = (c_{ij})$, then there exist $i$ and $k \ge 1$ such that $b_{i(i+k)} \neq 0$ and $c_{i(i+k)} = a\, b_{i(i+k)}$. This follows by induction on $a$. In fact, if $b_{i(i+1)} \neq 0$ for some $i$, then $c_{i(i+1)} = a\, b_{i(i+1)}$; if $b_{i(i+k)} \neq 0$ for some $k \le n - i$ while $b_{i(i+l)} = 0$ for all $l$ with $1 \le l < k$, then $c_{i(i+k)} = a\, b_{i(i+k)}$, because the first $k-1$ superdiagonal entries of row $i$ vanish in every power of $g$ and the entry $(i, i+k)$ of $g^{a-1} g$ is then $c'_{i(i+k)} + b_{i(i+k)}$, where $c'_{i(i+k)}$ is the corresponding entry of $g^{a-1}$.

Since the DLP in the additive group of $\mathbb{Z}_m$ or $\mathbb{Z}$ is easy, Proposition 3.1 implies that the groups $UT(n, \mathbb{Z}_m)$ and $UT(n, \mathbb{Z})$ are not suitable for Protocols I and II.

Finally notice that, in contrast with [10], solving the PSP in finite $p$-groups does not guarantee that this is possible for a finite nilpotent group of order $n$, because such a group is the direct product of its Sylow subgroups and the decomposition of $n$ into prime factors could be unknown. A similar argument holds for the torsion subgroup of a finitely generated infinite nilpotent group.

Acknowledgments. The last two authors are members of the "National Group for Algebraic and Geometric Structures, and their Applications" (GNSAGA – INdAM) and they would like to thank the Department of Computer Science of the University of York for the excellent hospitality while part of this paper was being written. Their research is supported by a grant of the University of Campania "Luigi Vanvitelli", in the framework of Programma V:ALERE 2019.

References

[1] Boneh, D., Silverberg, A. (2003). Applications of multilinear forms to cryptography.
Contemporary Mathematics, 324, 71–90.
[2] Bosma, W., Cannon, J., Playoust, C. (1997). The Magma algebra system I: The user language. J. Symbolic Comput., 24, 235–265.
[3] Holt, D. F., Eick, B., O'Brien, E. A. (2005). Handbook of Computational Group Theory. Chapman & Hall/CRC Press.
[4] Kahrobaei, D., Tortora, A., Tota, M. (2018). Multilinear cryptography using nilpotent groups. In: Elementary Theory of Groups and Group Rings, and Related Topics (Proceedings of the conference held at Fairfield University and at the Graduate Center, CUNY, New York, NY, USA, November 1–2, 2018). De Gruyter, 127–133.
[5] Lennox, J. C., Robinson, D. J. S. (2004). The Theory of Infinite Soluble Groups. Oxford: Clarendon Press.
[6] Liebeck, H. (1962). Concerning nilpotent wreath products. Mathematical Proceedings of the Cambridge Philosophical Society, 58, 443–451.
[7] Mahalanobis, A. (2012). A simple generalization of the ElGamal cryptosystem to non-abelian groups. Comm. Algebra, 40(9), 3583–3596.
[8] Mahalanobis, A., Shinde, P. (2017). Bilinear cryptography using groups of nilpotency class 2. In: Cryptography and Coding, Proceedings of the 16th IMA International Conference (Oxford, UK, December 12–14, 2017), 127–134.
[9] Robinson, D. J. S. (1996). A Course in the Theory of Groups (2nd ed.). New York: Springer-Verlag.
[10] Roman'kov, V. A. (2019). Discrete logarithm for nilpotent groups and cryptanalysis of polylinear cryptographic system. Prikladnaya Diskretnaya Matematika Supplement, no. 12, 154–160.
[11] Shor, P. W. (1994). Algorithms for quantum computation: discrete logarithms and factoring. Proceedings of the 35th Annual Symposium on Foundations of Computer Science.