Cryptographic multilinear maps using pro-p groups
arXiv preprint, cs.CR, February 2021
DELARAM KAHROBAEI AND MIMA STANOJKOVSKI
Abstract.
In [KTT20], the authors show how, to any nilpotent group of class $n$, one can associate a non-interactive key exchange protocol between $n+1$ users. The multilinear commutator maps associated to nilpotent groups play a key role in this protocol. In the present paper, we analyze the security of this key exchange when applied to finite $p$-groups, both in the generic case and for explicit families of groups. We show, moreover, how infinite pro-$p$ groups can be employed as platforms for any number of users.

1. Introduction
In recent years and since the seminal paper by Boneh and Silverberg [BS03], multilinear maps have become very popular in cryptography. Their use enables computations on hidden data and generalizes the ideas behind the Diffie-Hellman key exchange protocol. Additionally, their applications are numerous: multiparty Diffie-Hellman key exchange, functional encryption, indistinguishability obfuscation. An excellent survey on the subject is [Tib16].

The concept of cryptographic multilinear maps generalizes that of bilinear pairings associated to elliptic curves: such multilinear maps are efficiently computable and provide secure cryptosystems. In particular, the first examples of multilinear maps in cryptography come from geometry, are defined on cyclic groups, and are bilinear. Constructing efficiently computable and cryptographically interesting maps is a hard task and, to the best of our knowledge, it is still unclear whether this can be done for every rank. There are three main constructions of cryptographic systems based on bilinear maps: the original one by Garg, Gentry and Halevi [GGH13], a variant due to Coron, Lepoint and Tibouchi [CLT13], and a "graph-induced" construction by Gentry, Gorbunov and Halevi [GGH15]. Moreover, in a series of papers, Huang has presented geometric constructions of trilinear maps with a view towards cryptographic applications [Hua18a, Hua18b, Hua19, Hua20]. The main difficulty, as many authors have already pointed out, is not to construct multilinear maps, but rather to check whether they can be efficiently employed for the production of secure cryptosystems.

In [KTT20], the authors construct a Non-Interactive Key Exchange protocol (NIKE) employing multilinear maps within the realm of group theory. In particular, they exploit commutator maps in nilpotent groups to construct key exchange protocols for a number of users equal to one more than the nilpotency class of the platform group. In the present paper, we show that, as for the classical Diffie-Hellman protocol (a special instance of NIKE), the security of the latter cryptosystem in the context of $p$-groups depends on the hardness of the discrete logarithm problem (DLP) in certain cyclic subgroups and quotients of the platform groups. We recall that, if $C=\langle x\rangle$ is a finite cyclic group and $y$ is an element of $C$, then solving the discrete logarithm problem for $y$ means finding an integer $a$ (equivalently, the class of $a$ mod $|C|$) such that $y=x^a$. In particular, the larger the order of the $p$-group $C$ is, the more work is required to solve the discrete logarithm problem in $C$.

Motivated by the wish to share the secret key between any number of users, we propose, moreover, the employment of infinite pro-$p$ groups in the key exchange system in the following way. If $G$ is an infinite nonnilpotent pro-$p$ group and $n\ge 2$, then $G$ has a finite quotient $\bar G$ of nilpotency class $n$ and so, over $\bar G$, we have a non-interactive key exchange protocol between $n+1$ users. In this sense, the group $G$ is a platform for an arbitrary number of users. We also show that groups like $G$ exist, with the additional property that they are "com­parably secure" for each number of users, in the sense that the discrete logarithms that have to be computed in an attack are associated to isomorphic groups. We will compare theoretical security, in terms of existing algorithms for solving the DLP, in the case of generic groups with the case of some explicitly chosen families.

Date: February 10, 2021.
Organization of the paper.
The article is organized in the following way. In Section 2, we give basic definitions and facts from finite and profinite group theory that will be used throughout the paper. Section 3 is devoted to the discussion of multilinearity in cryptography and algebra (Section 3.1) as well as the introduction of a key exchange protocol based on multilinear maps in groups (Section 3.2). In Section 4 we discuss the security of the key exchange protocol in the case of generic $p$-groups, while in Section 5 we discuss some concrete examples. Such examples link to the computational complexity of an attack (discussion in Section 4.2) and to the idea of using pro-$p$ groups as platform groups for the cryptosystem (Section 4.3).

Acknowledgements.
The authors are very thankful to Bernd Sturmfels for putting them in contact and to Pooya Farshim for his useful comments on an early version of this manuscript.

2. Preliminaries and notation
The current section includes definitions of, and intuition surrounding, the mathematical objects playing a role in this paper. Our exposition will be rather synthetic, but we refer the interested reader to [Isa08] or [Hup67] for more on finite groups and to [Wil98] or [RZ10] for more on profinite groups. Given two groups $G$ and $H$, we will denote by $\mathrm{Maps}(G,H)$ the collection of all functions $G\to H$, equipped with the group structure inherited from $H$.

2.1. Commutators and nilpotency.
Let $G$ be a finite group, $X$ a subset of $G$, and $g$ an element of $G$. We will use the standard notations $|G|$, $|g|$, $\langle X\rangle$, $C_G(H)$ to denote the order of $G$, the order of $g$, the subgroup of $G$ generated by $X$, and the centralizer of $H$ in $G$, respectively. For elements $x,y\in G$, the commutator of $x$ with $y$ is
$$[x,y]=xyx^{-1}y^{-1}, \quad\text{implying that}\quad xyx^{-1}=[x,y]\,y.$$
In particular, conjugation is a left action and, for $x_1,\dots,x_n\in G$, we group commutators in the following way:
$$[x_1,\dots,x_n]=[x_1,[x_2,[\dots,[x_{n-1},x_n]]\dots]]. \tag{1}$$
If $H$ and $K$ are subgroups of $G$, the commutator of $H$ and $K$ is the subgroup $[H,K]=\langle [h,k] \mid h\in H,\ k\in K\rangle$. We denote, moreover, by $(\gamma_i(G))_{i\ge 1}$ the lower central series of $G$, which is recursively defined by $\gamma_1(G)=G$ and $\gamma_{i+1}(G)=[G,\gamma_i(G)]$, and by $(\mathrm{Z}_i(G))_{i\ge 0}$ the upper central series of $G$, which is recursively defined by $\mathrm{Z}_0(G)=\{1\}$ and $\mathrm{Z}_{i+1}(G)/\mathrm{Z}_i(G)=\mathrm{Z}(G/\mathrm{Z}_i(G))$. The (nilpotency) class of $G$ is $c-1$, where $c$ is the smallest index for which $\gamma_c(G)=1$; equivalently, the class of $G$ is the smallest index $c$ for which $\mathrm{Z}_c(G)=G$ [Isa08, Ch. 4A]. In some sense, the class of a group measures "how far the group is from being abelian". If the class of $G$ is finite, then $G$ is said to be nilpotent; for a wide overview of nilpotent groups, we refer to [Hup67, Ch. III]. An important subclass of that of nilpotent groups is the class of prime power order groups. For a fixed prime $p$, we will call $G$ a $p$-group if the order of $G$ is equal to a power of $p$.

2.2. Profinite groups.
Let $(I,\le)$ be a directed partially ordered set, i.e. $\le$ is a partial order on the set $I$ such that the following additional condition is satisfied: for each $i,j\in I$ there exists $k\in I$ with $i,j\le k$. An inverse or projective system of finite groups over $I$ consists of the following data:
• a collection $\{G_i \mid i\in I\}$ of finite groups equipped with the discrete topology,
• for each $i,j\in I$ with $i\ge j$, a homomorphism $\varphi_{ij}\colon G_i\to G_j$ such that, whenever $i\ge j\ge k$ in $I$, the corresponding triangle commutes, i.e. $\varphi_{jk}\circ\varphi_{ij}=\varphi_{ik}$.
The inverse or projective limit of the inverse system $(G_i,\varphi_{ij})_I$ is the set
$$\varprojlim_{i\in I} G_i=\Big\{(g_i)_{i\in I}\in\prod_{i\in I}G_i \ \Big|\ \text{for each } i\ge j \text{ one has } \varphi_{ij}(g_i)=g_j\Big\} \tag{2}$$
endowed with the relative product topology. It is not difficult to show that the set in (2) is a group, and any such group is called a profinite group. An analogous construction for rings yields the definition of profinite rings. It is clear from their definition that profinite groups are topological groups and it is a standard fact that they are compact, Hausdorff, and totally disconnected [RZ10, Thm. 2.1.3]. If all the groups in the projective system are $p$-groups, then the associated profinite group is called a pro-$p$ group. All finite $p$-groups are pro-$p$ groups, while an example of an infinite pro-$p$ group is the underlying additive group of the profinite ring $\mathbb{Z}_p$ of $p$-adic integers. Indeed, one has that
$$\mathbb{Z}_p=\varprojlim_{n\ge 0}\mathbb{Z}/(p^n),$$
where the projective system is indexed by the nonnegative integers and the maps are, for $m\le n$, the natural projections $\mathbb{Z}/(p^n)\to\mathbb{Z}/(p^m)$. In general, if all groups in the projective system satisfy some property $\mathcal{P}$, then the resulting profinite group is called a pro-$\mathcal{P}$ group: examples are procyclic groups, proabelian groups, pronilpotent groups, ...

We close Section 2.2 with a synthetic collection of properties of profinite groups and their subgroups. To this end, for a subset $X$ of a profinite group $G$, we denote by $\mathrm{cl}(X)$ the closure of $X$ in the profinite topology of $G$ and we say that $G$ is topologically generated by $X$ if $G$ equals the closure of the abstract subgroup generated by $X$, i.e. $G=\mathrm{cl}(\langle X\rangle)$. It is not difficult to show that, if $X$ is a subgroup of a profinite group $G$, then $\mathrm{cl}(X)$ is itself a profinite subgroup of $G$ [RZ10, Prop. 2.2.1(a)]. For this reason, characteristic subgroups in finite groups are defined, in the profinite setting, by taking the closure of their finite (abstract) analogues. For example, the lower central series of a profinite group $G$ is defined recursively by $\gamma_1(G)=G$ and $\gamma_{i+1}(G)=\mathrm{cl}([G,\gamma_i(G)])$. In particular, pro-$p$ groups are necessarily pronilpotent (equivalently, all of their finite quotients are nilpotent) but not necessarily nilpotent: we refer the reader to Section 4.3 for an application of this observation.

3. Multilinearity and a key exchange
Since the seminal paper by Boneh and Silverberg [BS03], multilinear maps have become very popular in cryptography; see for instance [Tib16] for an overview. In this section, we define what multilinearity means in the context of this paper and present a key exchange protocol introduced in [KTT20].

3.1. Multilinearity in algebra and cryptography.
Let $n\ge 2$. A cryptographic $n$-multilinear map is a map
$$e\colon G^n\longrightarrow T,\quad (g_1,\dots,g_n)\mapsto e(g_1,\dots,g_n)$$
for which the following are satisfied:
(M1) $G$ and $T$ are cyclic groups in which the group action is efficiently computable,
(M2) $e$ is efficiently computable and $\mathbb{Z}$-linear in each component: for each tuple $(a_1,\dots,a_n)$ of integers and elements $g_1,\dots,g_n\in G$, one has $e(g_1^{a_1},\dots,g_n^{a_n})=e(g_1,\dots,g_n)^{a_1\cdots a_n}$,
(M3) there is no efficient algorithm to compute discrete logarithms in $G$,
(M4) $e$ is non-degenerate in the sense that, if $g$ is a generator of $G$, then $e(g,\dots,g)$ is a generator of $T$;
see for example [BS03]. Let $G_1,\dots,G_n,T$ be groups and, for each $i\in\{1,\dots,n\}$, define $G_{-i}=G_1\times\dots\times G_{i-1}\times G_{i+1}\times\dots\times G_n$. A map $e\colon G_1\times\dots\times G_n\to T$ is said to be $n$-multilinear (or simply multilinear) if, for each integer $i\in\{1,\dots,n\}$ and each tuple $x=(x_1,\dots,x_{i-1},x_{i+1},\dots,x_n)\in G_{-i}$, the map
$$e^{(i)}_x\colon G_i\longrightarrow T,\quad g\mapsto e(x_1,\dots,x_{i-1},g,x_{i+1},\dots,x_n),$$
is a group homomorphism. Equivalently, $e$ is multilinear if it is a homomorphism componentwise. We call a map bilinear or trilinear if it is 2-linear or 3-linear, respectively. Observe now that, for each $i\in\{1,\dots,n\}$, a multilinear map $e\colon G_1\times\dots\times G_n\to T$ has the property that
$$e_i\colon G_i\longrightarrow\mathrm{Maps}(G_{-i},T),\quad g\mapsto\Big(e_i(g)\colon x=(x_1,\dots,x_{i-1},x_{i+1},\dots,x_n)\mapsto e(x_1,\dots,x_{i-1},g,x_{i+1},\dots,x_n)\Big), \tag{3}$$
is a group homomorphism. A map $e\colon G_1\times\dots\times G_n\to T$ is called non-degenerate if it is multilinear and, for each $i\in\{1,\dots,n\}$, the homomorphism $e_i$ is injective; equivalently, for each $g\in G_i$, one has
$$e(G_1\times\dots\times G_{i-1}\times\{g\}\times G_{i+1}\times\dots\times G_n)=\{1\}\ \Longrightarrow\ g=1.$$
For example, if $n=2$ and $e$ is non-degenerate, then the induced injective homomorphisms $e_1$ and $e_2$ are actually injective homomorphisms $G_1\to\mathrm{Hom}(G_2,T)$ and $G_2\to\mathrm{Hom}(G_1,T)$, respectively. The following proposition collects a number of classical properties linking nilpotent groups to multilinear maps.

Proposition 3.1. Let $G$ be a nilpotent group of class $n\ge 2$. Then the following hold:
(1) the commutator map $G\times\gamma_{n-1}(G)\to\gamma_n(G)$ is bilinear;
(2) the commutator map $G^n\to\gamma_n(G)$ is multilinear;
(3) if $n=2$, then the map $G/\mathrm{Z}(G)\times G/\mathrm{Z}(G)\to\gamma_2(G)$ defined by $(g_1\mathrm{Z}(G),g_2\mathrm{Z}(G))\mapsto[g_1,g_2]$ is non-degenerate.

Proof. It is not difficult to show that, if $H$ and $K$ are subgroups of $G$, then the map $H\times K\to[H,K]$, $(h,k)\mapsto[h,k]$, is bilinear if and only if $[H,K]$ is central in the group $\langle H,K\rangle$ generated by $H$ and $K$.
(1) This clearly follows from the fact that $\gamma_{n+1}(G)=1$, equivalently that $\gamma_n(G)$ is central in $G$.
(2) We work by induction on $n$ and write $e_n$ for the commutator map $G^n\to\gamma_n(G)$, where commutators are grouped as in (1). The base of the induction corresponds to $n=2$ and is equivalent to (1). Assume now that $n>2$ and that $e_{n-1}$ is multilinear. Observing that, for each $(x,y)\in G\times G^{n-1}$, one has $e_n(x,y)=[x,e_{n-1}(y)]$ and combining this with (1) yields the claim.
(3) This is a combination of (1) and the fact that $\ker e_1=\ker e_2=\mathrm{Z}(G)$. □

3.2. Protocol I: a Diffie-Hellman like key exchange.
Let $n\ge 2$. For $n=2$, Mahalanobis and Shinde gave a way for 3 users to publicly share a secret key in the form of a commutator in a group of class 2 [MS17]. In [KTT20, Protocol I], the authors generalize the latter construction to allow $n+1$ users to share a key in the form of a commutator of weight $n$ in a group of class $n$ and, in [KTT21], they address the issues of efficiency and security for certain families of groups. We here briefly recall the main steps of Protocol I. To this end, let $G$ be a nilpotent group of class $n$.
• Public info: $g_1,\dots,g_n\in G$.
• Users: $A_1,\dots,A_{n+1}$, each of which has chosen an element $a_i\in\mathbb{Z}$.
• Private keys: $a_1,\dots,a_{n+1}$.
• Publicly shared data: $g_i^{a_j}$ where $i\in\{1,\dots,n\}$ and $j\in\{1,\dots,n+1\}$.
• Secret key: $[g_1,\dots,g_n]^{a_1\cdots a_{n+1}}$, which each user can compute from the shared data and its private key using the multilinearity of the commutator map.
For example, $A_1$ can recover the secret key by computing
$$[g_1^{a_{n+1}},g_2^{a_2},\dots,g_n^{a_n}]^{a_1}=[g_1,\dots,g_n]^{a_1a_2\cdots a_{n+1}}.$$
Call now $c=[g_1,\dots,g_n]$ and $a=a_1\cdots a_{n+1}$. The security of Protocol I relies on the difficulty of recovering, from the public information, any of the $a_j$'s or $a$. Indeed, for any $j\in\{1,\dots,n+1\}$, an eavesdropper can use the public information to compute
(1) $c=[g_1,\dots,g_n]$ from $g_1,\dots,g_n$,
(2) $c^{a/a_j}$, for example in the following way:
$$c^{a/a_j}=\begin{cases}[g_1^{a_{n+1}},g_2^{a_2},\dots,g_n^{a_n}] & \text{if } j=1,\\[2pt] [g_1^{a_1},\dots,g_{j-1}^{a_{j-1}},g_j^{a_{n+1}},g_{j+1}^{a_{j+1}},\dots,g_n^{a_n}] & \text{if } 1<j<n+1,\\[2pt] [g_1^{a_1},g_2^{a_2},\dots,g_n^{a_n}] & \text{if } j=n+1.\end{cases}$$
We will, in Section 4, make concrete what "recovering $a_j$" actually means in the context of Protocol I and show how, in some sense, the choice of $j$ is irrelevant (see Proposition 4.2). The next example shall serve as a first hint in this direction.

Example 3.2.
Assume $n=2$, equivalently $G$ is nilpotent of class 2 and $\gamma_2(G)$ is central. Then, by Proposition 3.1, the commutator map $G\times G\to\gamma_2(G)$ is bilinear and induces the non-degenerate map
$$e\colon G/\mathrm{Z}(G)\times G/\mathrm{Z}(G)\to\gamma_2(G),\quad (x\mathrm{Z}(G),y\mathrm{Z}(G))\mapsto[x,y].$$
In particular, if $\alpha\in\mathbb{Z}$ and $\bar g_i=g_i\mathrm{Z}(G)$, then we have
$$c^{\alpha\bmod|c|}=c^\alpha=[g_1,g_2]^\alpha=e(\bar g_1,\bar g_2)^\alpha=e\big(\bar g_1^{\,\alpha\bmod|\bar g_1|},\bar g_2\big)=e\big(\bar g_1,\bar g_2^{\,\alpha\bmod|\bar g_2|}\big).$$
A consequence of the last series of equalities is that, if $j\in\{1,2,3\}$ and an eavesdropper can establish $a_j\bmod\min\{|c|,|\bar g_1|,|\bar g_2|\}$, then they can also determine $c^a$.

We conclude the present section by extending Example 3.2 to the case of trilinear maps, cf. Example 3.4. The following lemma can be found in any standard text in group theory; see e.g. [Isa08, Cor. 4.10].

Lemma 3.3 (Three subgroups lemma). Let $G$ be a group and let $N$ be a normal subgroup of $G$. Let moreover $A,B,C$ be subgroups of $G$ such that $[A,B,C]$ and $[B,C,A]$ are contained in $N$. Then $[C,A,B]$ is contained in $N$.

Example 3.4.
Assume $n=3$, equivalently $G$ is nilpotent of class 3 and $\gamma_3(G)$ is central. Then the commutator map $G\times G\times G\to\gamma_3(G)$ is trilinear and we claim that it induces a non-degenerate map
$$e\colon G/C_G(\gamma_2(G))\times G/\mathrm{Z}_2(G)\times G/\mathrm{Z}_2(G)\to\gamma_3(G).$$
For our claim to hold true, we need to show that
$$[C_G(\gamma_2(G)),[G,G]]=[G,\mathrm{Z}_2(G),G]=[G,G,\mathrm{Z}_2(G)]=1$$
and that $C_G(\gamma_2(G))$ and $\mathrm{Z}_2(G)$ are maximal with the above properties. The claim is easily settled for $C_G(\gamma_2(G))$ as, by definition, $C_G(\gamma_2(G))$ is the largest subgroup of $G$ centralizing $\gamma_2(G)=[G,G]$. We look now at $\mathrm{Z}_2(G)$ and we call $K$ the second kernel of $e$, i.e. the largest subgroup of $G$ such that $[G,K,G]=1$. Note that $K=\ker e_2$, where $e_2$ is as in (3). Now, $[G,[K,G]]=1$ is equivalent to $[K,G]$ being central and so $K$ is maximal with the property that $[K,G]\subseteq\mathrm{Z}(G)$. It follows from the definition of the upper central series that $K=\mathrm{Z}_2(G)$. Since $[G,\mathrm{Z}_2(G)]=[\mathrm{Z}_2(G),G]$, a symmetric argument yields the claim. We next note that $\mathrm{Z}_2(G)$ is contained in $C_G(\gamma_2(G))$. Indeed, since
$$[G,[G,\mathrm{Z}_2(G)]]=[G,[\mathrm{Z}_2(G),G]]=1,$$
Lemma 3.3 yields that $[\mathrm{Z}_2(G),[G,G]]=1$. It follows, in particular and in analogy to Example 3.2, that, if $\bar G=G/C_G(\gamma_2(G))$, the determination of the shared key from the public information can be achieved via the determination of $a_j\bmod\min\{|c|,|\bar g_1|,|\bar g_2|,|\bar g_3|\}$.

We remark that, for any $n$, the multilinear maps that end up playing the real role in this context are multilinear maps on abelian groups, i.e. $\mathbb{Z}$-modules; in Example 3.2 the abelian group is $G/\mathrm{Z}(G)$ and in Example 3.4 it is $G/C_G(\gamma_2(G))$.

3.3. Degenerations and NIKE.
The key exchange protocol presented in Section 3.2 is non-interactive, i.e. it enables the users, each of which has a private key, to agree on a symmetric shared key without any interaction. Probably the best known Non-Interactive Key Exchange scheme, in short NIKE, is the one by Diffie and Hellman [DH76] over cyclic groups. For more on NIKE, we refer the reader to [FHKP13]. Within the context of non-interactive key exchange, we remark that, if $G$ is a finite nilpotent group of class $n\ge 2$, then degenerations of Protocol I yield symmetric key exchange schemes for any number of users between 2 and $n+1$. Indeed, in the notation of Section 3.2, if $\mathcal{B}$ is a subset of $\{A_1,\dots,A_{n+1}\}$ of cardinality at least 2, then a secret key for the users in $\mathcal{B}$ can be computed by each user by assuming
$$\{a_1,\dots,a_{n+1}\}\setminus\{a_i \mid A_i\in\mathcal{B}\}=\{1\}.$$
For example, if $n=5$ and $\mathcal{B}=\{A_1,A_2\}$, then a secret key for the users in $\mathcal{B}$ can be computed in the following way:
• $A_1$ computes $[g_1^{a_2},g_2,\dots,g_5]^{a_1}$, while
• $A_2$ computes $[g_1^{a_1},g_2,\dots,g_5]^{a_2}$.
We remark that the security analysis in these degenerate cases is analogous to the one made in Section 4 for Protocol I.

4. Security analysis in the generic case
The purpose of this section is to analyze the security of Protocol I from Section 3.2 for generic groups. We will show that, if $G$ is a finite $p$-group and the element $c=[g_1,\dots,g_n]$ has order $p^\alpha$, then recovering the secret key $c^a$ of Protocol I from the public data is as hard as solving the DLP in a cyclic group of order $p^\alpha$. In the second part of this section, we will show how infinite pro-$p$ groups can be used to produce multilinear maps of any rank, with security determined by the cost of solving the DLP in arbitrarily large cyclic $p$-groups.

4.1. Reduction to cyclic groups.
In the present section, we discuss the security of Protocol I in the case of generic $p$-groups, in the sense of [Sut11]; a more detailed reference is [Sut07, Ch. 1]. The main result of this section is Proposition 4.2 and the following example shall serve as a warm-up towards proving it.

Example 4.1.
Let $p$ be a prime number, $\alpha$ a positive integer, and $C$ a cyclic group of order $p^\alpha$ equipped with a non-degenerate alternating map $e\colon C\times C\to C$. Let $G$ be the group $C\times C\times C$ where the operation is given by
$$(x,y,z)(x',y',z')=(xx',\,yy',\,zz'\,e(x,y')).$$
Then $G$ is a group of class 2 satisfying $G/\mathrm{Z}(G)\cong C\times C$ and $\gamma_2(G)\cong C$. Let now $g_1,g_2\in G$ be such that $c=[g_1,g_2]$ generates $\gamma_2(G)$ and note that $|g_1|=|g_2|=|[g_1,g_2]|=p^\alpha$. Let $A_1,A_2,A_3$ be three users, each of which has chosen a secret element $a_i\in(\mathbb{Z}/(p^\alpha))^*$. The following information is shared publicly:
• $A_1$ shares $g_1^{a_1}$,
• $A_2$ shares $g_2^{a_2}$,
• $A_3$ shares $g_1^{a_3}$ and $g_2^{a_3}$.
Then each user can compute the secret key $[g_1,g_2]^{a_1a_2a_3}$. An eavesdropper can then compute
$$c=[g_1,g_2],\quad c^{a_1},\ c^{a_2},\ c^{a_3},\ c^{a_1a_2},\ c^{a_1a_3},\ c^{a_2a_3}$$
and compute the secret key $c^a=c^{a_1a_2a_3}$ via, for instance, solving the discrete logarithm for $c^{a_3}$ and $c^{a_1a_2}$ with respect to $c$.

The following result shows that Example 4.1 is a particular instance of a more general phenomenon. We invite the reader to compare Proposition 4.2 also with Examples 3.2 and 3.4.

Proposition 4.2.
Let $p$ be a prime number, $G$ a finite generic $p$-group of class $n$, and $g_1,\dots,g_n$ elements of $G$. Define $c=[g_1,\dots,g_n]$ and let $p^\alpha$ denote the order of $c$. Then recovering the key of Protocol I from the public data is as hard as solving the discrete logarithm problem in a cyclic group of order $p^\alpha$.

Proof. For each $i\in\{1,\dots,n\}$ denote $G_i=\langle g_i\rangle$ and, for $e\colon G_1\times\dots\times G_n\to\gamma_n(G)$ denoting the restriction of the commutator map from Proposition 3.1(2), let $K_i$ be the kernel of $e_i$ as defined in (3). In particular, $K_i\subseteq G_i$ is a subgroup, maximal with the property that $[G_1,\dots,G_{i-1},K_i,G_{i+1},\dots,G_n]=1$. Set, moreover, $C=\langle c\rangle$ and note that $|C|=p^\alpha$. Then $e$ induces a (non-degenerate) multilinear map
$$\tilde e\colon G_1/K_1\times G_2/K_2\times\dots\times G_n/K_n\longrightarrow C.$$
We now claim that, for each $i$, one has $|G_i:K_i|=|C|=p^\alpha$. For this, fix $i\in\{1,\dots,n\}$ and $m\in\mathbb{Z}$. From the multilinearity of $\tilde e$ it follows that
$$\tilde e(g_1K_1,\dots,g_{i-1}K_{i-1},g_i^mK_i,g_{i+1}K_{i+1},\dots,g_nK_n)=[g_1,\dots,g_n]^m=c^m.$$
Choosing $m=p^\alpha$, we derive that $g_i^m\in K_i$ and so that $|G_i:K_i|\le p^\alpha$ while, choosing $m=|G_i:K_i|$, we conclude that $c^{|G_i:K_i|}=1$ and thus $p^\alpha\le|G_i:K_i|$.
Let now $a_1,\dots,a_{n+1}$ be elements in $\mathbb{Z}/(p^\alpha)$. From the following (publicly shared) information
• $g_1,\dots,g_n$,
• $g_i^{a_j}$ for $i\in\{1,\dots,n\}$, $j\in\{1,\dots,n+1\}$,
one can, for instance, compute $c=[g_1,\dots,g_n]$ and $[g_1,\dots,g_n]^{a_1\cdots a_n}$. Solving the DLP in the isomorphic groups $G_1/K_1$ and $C$ yields $a_{n+1}$ and $a_1\cdots a_n$, respectively. From the last information, one can then compute
$$c^a=[g_1,\dots,g_n]^{a_1\cdots a_na_{n+1}}=\tilde e(g_1K_1,\dots,g_nK_n)^{a_1\cdots a_na_{n+1}},$$
equivalently recover the key. □

We remark that Proposition 4.2 shows that the key exchange from Protocol I is at least as safe as the classical Diffie-Hellman key exchange over a group of order $p^\alpha$. Moreover, thanks to the discussion in the proof of Proposition 4.2 and the fact that $p$-groups are polycyclic, one sees that Protocol I and its degenerations are graded encoding schemes [Tib16].

Example 4.3.
Let $p$ be a prime number and let $G$ be a $p$-group of maximal class, equivalently, if the class of $G$ is $n$, then the order of $G$ is $p^{n+1}$. It is then an easy exercise to show that $|\gamma_n(G)|=p$ and thus, thanks to Proposition 4.2, breaking Protocol I is as hard as solving the DLP in a cyclic group of order $p$. We note that, since for each pair $(p,n)$ there exists a $p$-group of maximal class $n$ (for example as a consequence of [Bla58, Thm. 4.3]), the class of $p$-groups of maximal class provides platforms for Protocol I for an arbitrary number of users in which the cost of recovering the key from the public information is comparable to solving the DLP in a cyclic group of order $p$.

4.2. Algorithms for the discrete logarithm problem.
In this section, we give a short overview of the existing algorithms for solving the discrete logarithm problem in generic (cyclic and) abelian $p$-groups and of their computational costs. To this end, let $p$ be a prime number, $\alpha$ a positive integer and $C$ a generic cyclic group of order $p^\alpha$. With the Pohlig-Hellman algorithm [PH78], the discrete logarithm problem in $C$ can be solved in $O(\alpha\sqrt p)$ group operations. Teske's algorithm [Tes99] for solving the DLP in abelian groups matches the Pohlig-Hellman algorithm in complexity in the case of cyclic groups. An improvement on Teske's algorithm is given in [Sut11] and, though the computational costs for the case of cyclic groups seem not to be lower than the ones computed in [PH78], discrete logarithms are computed in a faster way in practice with Sutherland's algorithm (see for example [Sut11]). In particular, if $C\cong\langle[g_1,\dots,g_n]\rangle$ with $g_1,\dots,g_n$ as in Protocol I, the theoretical cost of breaking Protocol I is $O(\alpha\sqrt p)$. Indeed, in generic groups, all multiplication costs in $C$ or $(\mathbb{Z}/(p^\alpha))^*$ are negligible compared to solving the DLP in $C$.

4.3. Multilinear maps from profinite groups.
We have seen, in Section 4.1, that there is a family of $p$-groups, namely the groups of maximal class, providing multilinear maps of any rank and thus allowing a Diffie-Hellman like key exchange between any number of users. We have, moreover, seen that, in a generic group of maximal class, the theoretical complexity of breaking Protocol I is $O(\sqrt p)$. We now observe that, if $G$ is a finite $p$-group of class $n$ and $1\le m\le n$ is an integer, then $\bar G=G/\gamma_m(G)$ is a finite $p$-group of class $m-1$ and so $\bar G$ can be used for a key exchange protocol between $m$ users. In this sense, a finite $p$-group of class $n$ can be used in Protocol I for any number of users not exceeding $n+1$. It would be convenient if we had, at our disposal, an infinite pro-$p$ group with finite quotients of any nilpotency class. Even better would be if we could realize such groups in such a way that quotients of consecutive elements of the lower central series can achieve arbitrary exponent (yielding increasing levels of security). Fortunately, such groups exist and, in the next and last section of this paper, we will look at some concrete examples. We remark that, in such examples, given the intrinsic linearity of the groups in question, Protocol I turns out to be much less secure than the expected theoretical complexity discussed in Section 4.2.

5. Non-generic examples
In this section we discuss two concrete families of groups giving rise to key exchange protocols for 3 and for any number of users, respectively. In the context of (M1)–(M4) from Section 3.1, we will see how, within these families, the linear nature of the groups contributes to the efficiency (M2), but penalizes security (M3).

5.1. Extraspecial groups.
As mentioned in Section 3.2, Protocol I is a generalization of the key exchange presented in [MS17] to any nilpotency class and, thus, to any number of users. In the latter paper, the authors discuss possibilities for "good platform groups" for their cryptosystem. The outcome of the investigation does not yield cryptographic bilinear maps in the sense of [BS03], mainly because of the incompatibility of (M2) and (M3) in the considered examples. In [MS17], a special emphasis is put on extraspecial groups of exponent $p^2$; in the next example we look at extraspecial groups of exponent $p$ (the only other possibility for the exponent of an extraspecial group). For more detail on extraspecial groups, we refer to [Hup67, Ch. III.13].

Example 5.1.
Let $p$ be an odd prime number and let $m$ be a positive integer. For elements $u,v\in\mathbb{F}_p^m$ we write $u\cdot v$ for their (scalar) product, i.e. $u\cdot v=uv^T$. Observe that the last product defines a bilinear map $\mathbb{F}_p^m\times\mathbb{F}_p^m\to\mathbb{F}_p$. Let $G=\mathrm{Heis}_{m+1}(\mathbb{F}_p)$ be the group with ground set $\mathbb{F}_p^m\times\mathbb{F}_p^m\times\mathbb{F}_p$ and multiplication defined by
$$(u,v,z)(u',v',z')=(u+u',\,v+v',\,z+z'+u\cdot v').$$
The group $G$ has order $p^{2m+1}$, class 2 with $\gamma_2(G)\cong\mathbb{F}_p$, and exponent $p$. Moreover, $G$ can also be seen as a group of upper unitriangular matrices in the following sense:
$$G=\left\{M(u,v,z)=\begin{pmatrix}1&u&z\\0&\mathrm{Id}_m&v^T\\0&0&1\end{pmatrix}\ \middle|\ u,v\in\mathbb{F}_p^m,\ z\in\mathbb{F}_p\right\}$$
and the multiplication is the naturally expected one. If $a$ is an integer, one can easily compute
$$M(u,v,z)^a=M\Big(au,\ av,\ \binom{a+1}{2}z\Big)$$
and so the secret key of Protocol I can here be computed by any eavesdropper with a cost of at most $O(\log(p))$ group operations, which is much less secure than $O(\sqrt p)$. This shows that, in this family of groups, similarly to the case of their siblings of exponent $p^2$, gaining in computational efficiency with a linear representation results in a loss of security.

5.2. Profinite examples.
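As an added illustration, not taken from the paper or from [KTT20]/[MS17], the following Python code runs Protocol I with three users on $\mathrm{Heis}_{m+1}(\mathbb{F}_p)$ exactly as defined in Example 5.1 and then shows the point made above: since $g^a=(au,av,\dots)$, the exponent $a$ can be read off the public value $g^a$ with one field division, so (M3) fails for this linear representation. The prime $p$, the dimension $m$, the seeded random elements and all function names are choices made here for the demonstration.

```python
# Added example, not from the paper: Protocol I (Section 3.2) with three users on the
# class-2 group G = Heis_{m+1}(F_p) of Example 5.1, followed by the exponent leak that
# Example 5.1 describes. The prime p and the dimension m below are choices made here.
import random
from typing import Dict, Tuple

P = 1_000_003                 # an odd prime (chosen for the demonstration)
M = 2                         # dimension m of the vectors u, v in F_p^m
Vec = Tuple[int, ...]
Elt = Tuple[Vec, Vec, int]    # (u, v, z) in F_p^m x F_p^m x F_p


def dot(u: Vec, v: Vec) -> int:
    """u . v = u v^T over F_p, the bilinear form of Example 5.1."""
    return sum(a * b for a, b in zip(u, v)) % P


def mul(x: Elt, y: Elt) -> Elt:
    """(u, v, z)(u', v', z') = (u + u', v + v', z + z' + u . v')."""
    (u, v, z), (u2, v2, z2) = x, y
    return (tuple((a + b) % P for a, b in zip(u, u2)),
            tuple((a + b) % P for a, b in zip(v, v2)),
            (z + z2 + dot(u, v2)) % P)


def inv(x: Elt) -> Elt:
    """(u, v, z)^{-1} = (-u, -v, u . v - z)."""
    u, v, z = x
    return (tuple(-a % P for a in u), tuple(-a % P for a in v), (dot(u, v) - z) % P)


def power(x: Elt, a: int) -> Elt:
    """x^a by square-and-multiply: O(log a) group operations."""
    if a < 0:
        x, a = inv(x), -a
    result: Elt = ((0,) * M, (0,) * M, 0)
    while a:
        if a & 1:
            result = mul(result, x)
        x, a = mul(x, x), a >> 1
    return result


def commutator(x: Elt, y: Elt) -> Elt:
    """[x, y] = x y x^{-1} y^{-1}; in G this is the central element (0, 0, u_x . v_y - u_y . v_x)."""
    return mul(mul(x, y), mul(inv(x), inv(y)))


def protocol_keys(g1: Elt, g2: Elt, a1: int, a2: int, a3: int) -> Tuple[Elt, Elt, Elt]:
    """Protocol I for n = 2: each user A_j applies its own exponent last, e.g. A_1
    computes [g_1^{a_3}, g_2^{a_2}]^{a_1}; all three obtain [g_1, g_2]^{a_1 a_2 a_3}."""
    k1 = power(commutator(power(g1, a3), power(g2, a2)), a1)
    k2 = power(commutator(power(g1, a1), power(g2, a3)), a2)
    k3 = power(commutator(power(g1, a1), power(g2, a2)), a3)
    return k1, k2, k3


def leaked_exponent(g: Elt, g_pow: Elt) -> int:
    """Read a mod p off g^a = (a u, a v, ...) with one field division instead of a DLP:
    this is the failure of (M3) that the linear representation causes."""
    u, v, _ = g
    ua, va, _ = g_pow
    for base, target in zip(u + v, ua + va):
        if base:
            return target * pow(base, -1, P) % P
    raise ValueError("g is central, so its powers do not depend on a modulo p")


def eavesdropper_key(g1: Elt, g2: Elt, public: Dict[Tuple[int, int], Elt]) -> Elt:
    """Recover the shared key from the public data g_i^{a_j} alone: a_3 leaks from g_1^{a_3},
    and [g_1^{a_1}, g_2^{a_2}] is the value c^{a / a_3} from Section 3.2."""
    a3 = leaked_exponent(g1, public[(1, 3)])
    return power(commutator(public[(1, 1)], public[(2, 2)]), a3)


def run_protocol(seed: int = 1) -> bool:
    """Run one exchange with seeded random data; True when all three users and the
    eavesdropper end up with the same key."""
    rng = random.Random(seed)

    def rand_elt() -> Elt:
        return (tuple(rng.randrange(P) for _ in range(M)),
                tuple(rng.randrange(P) for _ in range(M)), rng.randrange(P))

    g1, g2 = rand_elt(), rand_elt()
    a1, a2, a3 = (rng.randrange(1, P) for _ in range(3))
    keys = protocol_keys(g1, g2, a1, a2, a3)
    public = {(i, j): power(g, a) for i, g in ((1, g1), (2, g2))
              for j, a in ((1, a1), (2, a2), (3, a3))}
    return keys[0] == keys[1] == keys[2] == eavesdropper_key(g1, g2, public)
```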
Until the end of this section, let $p>2$ be a prime number and let $\alpha$ be a positive integer. Let, moreover, $\mathbb{Z}_p$ denote the ring of $p$-adic integers and let $t\in\mathbb{Z}_p$ be a quadratic nonresidue modulo $p$. Define $\Delta_p$ to be the quaternion algebra
$$\Delta_p=\mathbb{Z}_p\oplus\mathbb{Z}_p i\oplus\mathbb{Z}_p j\oplus\mathbb{Z}_p k,\quad\text{where } i^2=t,\ j^2=p,\ \text{and } k=ij=-ji.$$
The quaternion algebra $\Delta_p$ is equipped with a bar map, defined by
$$x=a+bi+cj+dk\ \mapsto\ \bar x=a-bi-cj-dk,$$
which is an anti-homomorphism of order 2, and has $\mathfrak{m}=\Delta_p j$ as its unique maximal ideal. It follows that an element $x=a+bi+cj+dk$ belongs to $\mathfrak{m}$ if and only if both $a$ and $b$ belong to $p\mathbb{Z}_p$. Moreover, for each $k\in\mathbb{Z}_{\ge 0}$, the ideal $\mathfrak{m}^k$ is principal, generated by $j^k$, and therefore, for each $s\in\mathbb{Z}_{\ge 0}$, one has
$$\mathfrak{m}^{2s}=p^s\Delta_p\quad\text{and}\quad\mathfrak{m}^{2s+1}=p^s\mathfrak{m}.$$
As a result, for each $k\in\mathbb{Z}_{\ge 0}$, the quotient $\mathfrak{m}^k/\mathfrak{m}^{k+1}$ is a vector space over $\mathbb{F}_p$ of dimension 2. Now, for each $k\in\mathbb{Z}_{\ge 1}$, the set $1+\mathfrak{m}^k$ is easily seen to be a subgroup of $\Delta_p^*$ and the natural map $(1+\mathfrak{m}^k)/(1+\mathfrak{m}^{k+1})\to\mathfrak{m}^k/\mathfrak{m}^{k+1}$ is an isomorphism of groups. It follows that $1+\mathfrak{m}$ is a pro-$p$ subgroup of $\Delta_p^*$. Define
$$\mathrm{S}(\Delta_p)=(1+\mathfrak{m})\cap\{x\in\Delta_p : \bar x=x^{-1}\}.$$
Then $\mathrm{S}(\Delta_p)$ is a closed subgroup of $1+\mathfrak{m}$ and thus a pro-$p$ group itself. We have here lightened the notation from [GSK09], where the group $\mathrm{S}(\Delta_p)$ is denoted by $\mathrm{SL}_1(\Delta_p)$. With the notation of this paper, the following structural results can be found for example in [Sta17].

Lemma 5.2.
Let $k$ and $\ell$ be positive integers. Then the following hold:
(1) one has $\gamma_k(\mathrm{S}(\Delta_p))=(1+\mathfrak{m}^k)\cap\mathrm{S}(\Delta_p)$ and $|\gamma_k(\mathrm{S}(\Delta_p)):\gamma_{k+1}(\mathrm{S}(\Delta_p))|\in\{p,p^2\}$;
(2) the map $x\mapsto x^p$ on $\mathrm{S}(\Delta_p)$ induces an isomorphism $\rho_k\colon\gamma_k(\mathrm{S}(\Delta_p))/\gamma_{k+1}(\mathrm{S}(\Delta_p))\to\gamma_{k+2}(\mathrm{S}(\Delta_p))/\gamma_{k+3}(\mathrm{S}(\Delta_p))$;
(3) if $k$ is odd, then $\mathrm{cl}([\gamma_k(\mathrm{S}(\Delta_p)),\gamma_\ell(\mathrm{S}(\Delta_p))])=\gamma_{k+\ell}(\mathrm{S}(\Delta_p))$.

Proof. (1) The first claim is [Sta17, Lem. 438] while the second follows from the fact that $|\mathfrak{m}^k:\mathfrak{m}^{k+1}|=p^2$. (2) This is [Sta17, Lem. 439]. (3) This follows from combining Lemmas 441 and 328(2) from [Sta17]. □

Proposition 5.3.
Denote $G=\mathrm{S}(\Delta_p)$. Let $i=2\alpha-1$ and set $H=\gamma_i(G)$. Then, for each positive integer $k$, the subgroup $\gamma_k(H)$ is open of finite index in $G$ and the exponent of $\gamma_k(H)/\gamma_{k+1}(H)$ is $p^\alpha$.

Proof. Let $k$ be a positive integer. As a consequence of Lemma 5.2(3), one has
$$\gamma_k(H)=\gamma_{ki}(G)\quad\text{and}\quad\gamma_{k+1}(H)=\gamma_{(k+1)i}(G)=\gamma_{ki+2\alpha-1}(G).$$
Now, it follows from Lemma 5.2(2) that the exponent of $\gamma_k(H)/\gamma_{k+1}(H)$ is equal to $p^\epsilon$, where
$$\epsilon=\frac{(ki+2\alpha-1)+1-ki}{2}=\alpha.$$
The fact that $\gamma_k(H)$ is open of finite index in $G$ follows from Lemma 5.2(1). □

Proposition 5.4.
Denote $G = \mathrm{S}(\Delta_p)$ and let $k, m$ be positive integers. Let $i = 2\alpha - 1$ and set $H = \gamma_i(G)$. Let $x = a + b\mathbf{i} + c\mathbf{j} + d\mathbf{k}$ be an element of $\gamma_k(H)$. Then one has
$$x^m \equiv a^m + mb\,\mathbf{i} + mc\,\mathbf{j} + md\,\mathbf{k} \pmod{\mathfrak{m}^{(k+1)i}}. \tag{4}$$

Proof.
Thanks to the combination of Lemma 3.3(1) and (3), we have $\gamma_k(H) = \gamma_{ki}(G) = (1 + \mathfrak{m}^{ki}) \cap G$, and so we have control on the $p$-adic valuations of the coefficients of $x$. More in detail, three cases can occur:
(1) $ki$ is odd, in which case $(k+1)i$ is even. In this case we have
$$(a, b, c, d) \equiv (1, 0, 0, 0) \bmod \bigl(p^{(ki+1)/2},\ p^{(ki+1)/2},\ p^{(ki-1)/2},\ p^{(ki-1)/2}\bigr)$$
and we work modulo $\bigl(p^{(ki+i)/2},\ p^{(ki+i)/2},\ p^{(ki+i)/2},\ p^{(ki+i)/2}\bigr)$;
(2) $ki$ and $(k+1)i$ are both even. In this case we have
$$(a, b, c, d) \equiv (1, 0, 0, 0) \bmod \bigl(p^{ki/2},\ p^{ki/2},\ p^{ki/2},\ p^{ki/2}\bigr)$$
and we work modulo $\bigl(p^{(ki+i)/2},\ p^{(ki+i)/2},\ p^{(ki+i)/2},\ p^{(ki+i)/2}\bigr)$;
(3) $ki$ is even and $(k+1)i$ is odd, implying that $k$ is even and $i$ is odd. In this case we have
$$(a, b, c, d) \equiv (1, 0, 0, 0) \bmod \bigl(p^{ki/2},\ p^{ki/2},\ p^{ki/2},\ p^{ki/2}\bigr)$$
and we work modulo $\bigl(p^{(ki+i+1)/2},\ p^{(ki+i+1)/2},\ p^{(ki+i-1)/2},\ p^{(ki+i-1)/2}\bigr)$.
The equivalences we will write in this proof all follow from the analysis of the different possibilities (1)-(2)-(3), so we will not explicitly write all computations. The equivalences we will use are
$$b^2 \equiv 0,\quad pc^2 \equiv 0,\quad pd^2 \equiv 0,\quad ab \equiv b,\quad ac \equiv c,\quad ad \equiv d \pmod{\mathfrak{m}^{(k+1)i}}.$$
We work by induction on $m$. If $m = 1$, the statement is clearly true, so we assume that $m > 1$ and that the statement holds for $m - 1$. Defining
$$y = a^{m-1} + (m-1)b\,\mathbf{i} + (m-1)c\,\mathbf{j} + (m-1)d\,\mathbf{k},$$
we have that $x^{m-1} \equiv y \pmod{\mathfrak{m}^{(k+1)i}}$. Write $xy = A + B\mathbf{i} + C\mathbf{j} + D\mathbf{k}$. Modulo $\mathfrak{m}^{(k+1)i}$, we then compute
$$\begin{aligned}
A &= a^m + t(m-1)b^2 + p(m-1)c^2 - pt(m-1)d^2 \equiv a^m,\\
B &= (m-1)ab + a^{m-1}b \equiv mb,\\
C &= (m-1)ac + a^{m-1}c \equiv mc,\\
D &= (m-1)ad + a^{m-1}d \equiv md.
\end{aligned}$$
We conclude by observing that $x^m = x\,x^{m-1} \equiv xy \equiv A + B\mathbf{i} + C\mathbf{j} + D\mathbf{k} \pmod{\mathfrak{m}^{(k+1)i}}$. $\square$

We close the article with a discussion of the implications of Proposition 5.4 on Protocol I. For this, set $i = 2\alpha - 1$ and $H = \gamma_i(\mathrm{S}(\Delta_p))$. Choose a number of users $n+1$. Then Proposition 5.3 ensures that $\bar{H} = H/\gamma_{n+1}(H)$ is a finite $p$-group of class $n$ satisfying $\exp(\gamma_n(\bar{H})) = p^\alpha$. In other words, $\bar{H}$ is a platform group for Protocol I on $n+1$ users. Note now that, thanks to Proposition 5.3 and Lemma 5.2(1), we have
$$\gamma_n(H) = (1 + \mathfrak{m}^{ni}) \cap \mathrm{S}(\Delta_p) \qquad \text{and} \qquad \gamma_{n+1}(H) = (1 + \mathfrak{m}^{(n+1)i}) \cap \mathrm{S}(\Delta_p),$$
so the powers of an element $x$ in $\gamma_n(H)$ are described exactly by the formula from Proposition 5.4. In particular, the cost an eavesdropper has to pay to recover the secret key is at most $O(\alpha (\log p)^{?})$ group operations, against the generic $O(\alpha \sqrt{p})$ group operations predicted by the Pohlig-Hellman algorithm.

References

[Bla58] N. Blackburn, On a special class of p-groups, Acta Math. (1958), 45–92.
[BS03] D. Boneh and A. Silverberg, Applications of multilinear forms to cryptography, Topics in algebraic and noncommutative geometry (Luminy/Annapolis, MD, 2001), Contemp. Math., vol. 324, Amer. Math. Soc., Providence, RI, 2003, pp. 71–90.
[CLT13] J.-S. Coron, T. Lepoint, and M. Tibouchi, Practical multilinear maps over the integers, Advances in cryptology—CRYPTO 2013. Part I, Lecture Notes in Comput. Sci., vol. 8042, Springer, Heidelberg, 2013, pp. 476–493.
[DH76] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (1976), no. 6, 644–654.
[FHKP13] E. S. V. Freire, D. Hofheinz, E. Kiltz, and K. G. Paterson, Non-interactive key exchange, Public-Key Cryptography – PKC 2013 (Berlin, Heidelberg) (K. Kurosawa and G. Hanaoka, eds.), Springer, Berlin, Heidelberg, 2013, pp. 254–271.
[GGH13] S. Garg, C. Gentry, and S. Halevi, Candidate multilinear maps from ideal lattices, Advances in cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci., vol. 7881, Springer, Heidelberg, 2013, pp. 1–17.
[GGH15] C. Gentry, S. Gorbunov, and S. Halevi, Graph-induced multilinear maps from lattices, Theory of cryptography. Part II, Lecture Notes in Comput. Sci., vol. 9015, Springer, Heidelberg, 2015, pp. 498–527.
[GSK09] J. González-Sánchez and B. Klopsch, Analytic pro-p groups of small dimensions, J. Group Theory (2009), no. 5, 711–734.
[Hua18a] M.-D. Huang, Trilinear maps for cryptography, arXiv e-prints (2018), arXiv:1803.10325.
[Hua18b] M.-D. Huang, Trilinear maps for cryptography II, arXiv e-prints (2018), arXiv:1810.03646.
[Hua19] M.-D. Huang, Weil descent and cryptographic trilinear maps, arXiv e-prints (2019), arXiv:1908.06891.
[Hua20] M.-D. A. Huang, Algebraic blinding and cryptographic trilinear maps, arXiv e-prints (2020), arXiv:2002.07923.
[Hup67] B. Huppert, Endliche Gruppen. I, Die Grundlehren der Mathematischen Wissenschaften, Band 134, Springer-Verlag, Berlin-New York, 1967.
[Isa08] I. M. Isaacs, Finite group theory, Graduate Studies in Mathematics, vol. 92, American Mathematical Society, Providence, RI, 2008.
[KTT20] D. Kahrobaei, A. Tortora, and M. Tota, Multilinear cryptography using nilpotent groups, Elementary theory of groups and group rings, and related topics. Proceedings of the conference held at Fairfield University and at the Graduate Center, CUNY, New York, NY, USA, November 1–2, 2018, De Gruyter, Berlin, 2020, pp. 127–134.
[KTT21] D. Kahrobaei, A. Tortora, and M. Tota, A closer look at multilinear cryptography using nilpotent groups, submitted, 2021.
[MS17] A. Mahalanobis and P. Shinde, Bilinear cryptography using groups of nilpotency class 2, Cryptography and Coding, Lecture Notes in Comput. Sci., vol. 10655, Springer, Cham, 2017, pp. 127–134.
[PH78] S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory IT-24 (1978), no. 1, 106–110.
[RZ10] L. Ribes and P. Zalesskii, Profinite groups, second ed., Ergebnisse der Mathematik und ihrer Grenzgebiete. 3. Folge. A Series of Modern Surveys in Mathematics, vol. 40, Springer-Verlag, Berlin, 2010.
[Sta17] M. Stanojkovski, Intense automorphisms of finite groups, arXiv:1710.08979, https://arxiv.org/abs/1710.08979, to appear in the Memoirs of the AMS.
[Sut07] A. Sutherland, Order computations in generic groups, Ph.D. thesis, Massachusetts Institute of Technology, 2007, retrieved from https://math.mit.edu/~drew/.
[Sut11] A. V. Sutherland, Structure computation and discrete logarithms in finite abelian p-groups, Math. Comp. (2011), no. 273, 477–500. MR 2728991
[Tes99] E. Teske, The Pohlig-Hellman method generalized for group structure computation, J. Symbolic Comput. (1999), no. 6, 521–534.
[Tib16] M. Tibouchi, Cryptographic multilinear maps: a status report, CRYPTREC Technical Report, vol. 2603, 2016, pp. 1–54.
[Wil98] John S. Wilson,
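The closing remark before the references, as an added example that is not code from the paper (Python 3.8+): the block models $\Delta_p$ with coefficients modulo $p^N$, constructs a norm-one element $x$ of $1 + \mathfrak{m}^{ni}$ by Hensel lifting, checks formula (4) of Proposition 5.4 numerically, and performs the single modular division by which an eavesdropper who sees $x$ and $x^m$ modulo $\mathfrak{m}^{(n+1)i}$ reads off $m$ modulo $p^\alpha$. It assumes $p = 7$, $t = 3$, $\alpha = 2$ (so $i = 2\alpha - 1 = 3$), $n = 2$, a working precision $N = 12$, and constructed sample coefficients for $x$; all function names are the example's own.

```python
# Added example (not the paper's code): Delta_p mod p^N, a check of Proposition 5.4, and the
# eavesdropper's division from the closing remark.  p, t, N and the sample x are assumptions.
def vp(x, p):
    """p-adic valuation of an integer; 0 is treated as infinitely divisible."""
    if x == 0: return 10**9
    return 0 if x % p else 1 + vp(x // p, p)

def qmul(x, y, p, t, N):
    """Product in Delta_p (i^2 = t, j^2 = p, k = ij = -ji) with coefficients reduced mod p^N."""
    (a1, b1, c1, d1), (a2, b2, c2, d2), M = x, y, p**N
    return ((a1*a2 + t*b1*b2 + p*c1*c2 - t*p*d1*d2) % M,
            (a1*b2 + b1*a2 - p*c1*d2 + p*d1*c2) % M,
            (a1*c2 + c1*a2 + t*b1*d2 - t*d1*b2) % M,
            (a1*d2 + d1*a2 + b1*c2 - c1*b2) % M)

def qpow(x, m, p, t, N):
    r = (1, 0, 0, 0)
    for _ in range(m): r = qmul(r, x, p, t, N)  # m is small here; repeated squaring gives the same
    return r

def in_ideal(y, n, p):
    """y in m^n, using m^{2s} = p^s Delta_p and m^{2s+1} = p^s m (a, b in p^{s+1}; c, d in p^s)."""
    s, r = divmod(n, 2)
    return all(vp(coef, p) >= e for coef, e in zip(y, (s + r, s + r, s, s)))

def elem_of_gamma(b, c, d, p, t, N):
    """Constructed x = a + b i + c j + d k with x * xbar = 1 mod p^N: a is the square root of
    1 + t b^2 + p c^2 - t p d^2 that is 1 mod p, found by Newton iteration (Hensel's lemma)."""
    M, a = p**N, 1
    rhs = (1 + t*b*b + p*c*c - t*p*d*d) % M
    for _ in range(N):  # each step at least doubles the p-adic precision of the root
        a = (a - (a*a - rhs) * pow(2*a, -1, M)) % M
    return (a, b % M, c % M, d % M)

def prop54_holds(x, m, k, i, p, t, N):
    """Does x^m == a^m + m b i + m c j + m d k (mod m^{(k+1)i}) for x in gamma_k(H) = (1 + m^{ki}) cap G?"""
    a, b, c, d = x
    M, lhs = p**N, qpow(x, m, p, t, N)
    rhs = (pow(a, m, M), m*b % M, m*c % M, m*d % M)
    return in_ideal(tuple((u - w) % M for u, w in zip(lhs, rhs)), (k + 1)*i, p)

def recover_exponent(x, y, n, i, p):
    """Eavesdropper's step: x in gamma_n(H) and y = x^m are known mod m^{(n+1)i}, where
    Proposition 5.4 makes y's i, j, k coefficients m*b, m*c, m*d. Returns (m mod p^e, e)."""
    s, r = divmod((n + 1)*i, 2)
    best = (0, 0)
    for idx, prec in ((1, s + r), (2, s), (3, s)):  # precision of each coefficient mod m^{(n+1)i}
        v = vp(x[idx], p)
        if prec - v > best[1]:
            e, unit = prec - v, (x[idx] // p**v) % p**(prec - v)  # coefficient of x is p^v * unit
            best = (((y[idx] % p**prec) // p**v) * pow(unit, -1, p**e) % p**e, e)
    return best
```

With $p = 7$, $\alpha = 2$, $n = 2$ and $x = $ `elem_of_gamma(2*7**3, 5*7**3, 7**3, 7, 3, 12)`, `recover_exponent(x, qpow(x, m, 7, 3, 12), 2, 3, 7)` returns `(m % 49, 2)`, i.e. $m$ modulo $p^\alpha = 49$, the exponent of $\gamma_n(H)/\gamma_{n+1}(H)$ given by Proposition 5.3.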