Public Key Encryption in Non-Abelian Groups
Haibo Hong, Jun Shao, Licheng Wang, Haseeb Ahmad, Yixian Yang
Haibo Hong ⋆, Jun Shao, Licheng Wang, Haseeb Ahmad and Yixian Yang

School of Computer Science and Information Engineering, Zhejiang Gongshang University, Hangzhou, 3100018 P.R. China

Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876 P.R. China
Abstract.
In this paper, we propose a brand new public key encryption scheme in a Lie group, which is a non-abelian group. In particular, we first investigate the intractability assumptions in the Lie group, including the non-abelian factoring assumption and the non-abelian inserting assumption. After that, by using the FO technique, a CCA secure public key encryption scheme in the Lie group is proposed. At last, we present the security proof in the random oracle model based on the non-abelian inserting assumption.
Key words.
Lie groups, exponential mapping, public key encryption, non-abelian factoring assumption, non-abelian inserting assumption
⋆ Corresponding Author: [email protected]

Currently, most asymmetric cryptographic primitives are based on perceived intractable problems in number theory, such as the integer factorization problem and the discrete logarithm problem. However, due to Shor's and other quantum algorithms [27, 25] for solving the integer factorization problem and the discrete logarithm problem, the known public key cryptosystems based on these two assumptions would be broken once quantum computers become practical. Recent advances in quantum computers show that the time is coming [24]. Therefore, it is an imminent task to search for more complex mathematical platforms and to design effective cryptographic schemes that can resist quantum attacks.

To deal with the crisis of cryptography in the quantum era, cryptographers have begun to pay more attention to non-commutative cryptography based on non-commutative algebraic structures. One of the outstanding properties of non-commutative cryptography is that it can take advantage of intractable problems in quantum computing, combinatorial group theory and computational complexity theory to construct cryptographic platforms. This extension has a profound background and rich connotation. First, from the viewpoint of the platforms, non-commutative cryptography extends the research territory of cryptography. A large number of non-commutative algebraic structures are now waiting to be explored for new public key cryptosystems. Second, due to its ability to resist quantum attacks, non-commutative cryptography is expected to achieve higher strength. It is well known that non-commutative algebraic structures can increase the hardness of some mathematical problems significantly.
For instance, we already know how to design efficient quantum algorithms for solving hidden subgroup problems in any abelian group, but we are still unable to construct efficient algorithms for the hidden subgroup problem in non-abelian groups [26].

Most cryptosystems in non-commutative cryptography are derived from combinatorial group theory, but they are mainly theoretical or have certain limitations in wider and general practice. This is perhaps due to the lack of an appropriate description of group elements and operations, or to the difficulty of implementing such cryptosystems in practical domains. The non-abelian group (a Lie group) used in this paper is quite simple, with a clear description of group elements and operations, and it is easy to implement.
Lie groups have important applications in many branches of physics and mathematics, such as mathematical analysis, differential geometry, topology and quantum mechanics. Lie theory originated from Lie's idea of extending Galois theory for algebraic equations to differential equations [6]. From its beginning, Lie theory was inextricably linked with developments in algebra, analysis and geometry. As the key measure of the algebraic properties of Lie groups, Lie algebras are an indispensable tool for studying matrix Lie groups. On the one hand, Lie algebras are simpler than Lie groups. On the other hand, the Lie algebra of a matrix Lie group contains much information about that group. In Lie theory, matrix Lie groups are important among the types of Lie groups and have classical matrix forms, together with their Lie algebras. After exploring cryptographic aspects of Lie theory, we extracted an interesting observation: the exponential mapping between Lie algebras and Lie groups can be viewed as a non-abelian analog of the exponent operation in finite fields. Unlike the exponent operation in finite fields, the exponential mapping is the usual power series on the Lie algebra, and its image set is indeed the Lie group. Besides, the intractability assumptions differ: the exponent operation in finite fields is based on the DLP in finite fields, whereas the exponential mapping is based on the root-finding problem for a high-degree polynomial equation in one variable, which can be viewed as a variant of that problem over matrices. Currently, there are no direct formulas for solving this problem other than reducing the degree of the equation step by step.
When the variable is a matrix, the complexity increases rapidly. Therefore, combining the cryptographic aspects of the exponential mapping, we probe some cryptographic applications based on Lie theory.

In this paper, we come up with a series of intractable assumptions based on the exponential mapping in Lie theory, including the non-abelian factoring assumption and the non-abelian inserting assumption. Subsequently, we propose a CCA secure public key encryption scheme by using the FO technique [5]. We also give the security proof in the random oracle model based on the new assumption.

1.2 Related Works
It is always the most important thing to study the underlying intractability hypotheses of mathematical problems for cryptographic primitives. Regarding non-commutative cryptography, this kind of study started in the 1980s, when difficult problems in group theory were applied to cryptography. In 1984, Wagner et al. [30] designed a public key cryptosystem based on the undecidable word problem in groups and semigroups. In 2000, Ko et al. [10] developed braid group cryptography based on the intractability assumption of the conjugacy search problem in braid groups. In 2004, Eick and Kahrobaei [4] devised a new cryptosystem based on polycyclic groups. In 2005, Shpilrain and Ushakov [29] put forward a new public key cryptosystem using Thompson's group. Since 2011, Kahrobaei et al. [12, 13, 11, 8, 23] have devised several new key exchange schemes and public key encryption schemes based on group ring matrices; the corresponding intractability assumptions are reported to be the DLP and FP in group ring matrices, respectively. Unfortunately, most of the above cryptographic schemes are not secure [23].

At the same time, a type of cryptosystem based on an intractability assumption in non-abelian groups, the group factorization problem (GFP), has gradually become a typical representative of non-commutative cryptography and has developed rapidly in the last thirty years. The first work of this type is the symmetric cryptosystem PGM, based on a special factorization basis in finite permutation groups, the logarithmic signature (LS), proposed by Magliveras in 1986 [16]. The algebraic properties of PGM were studied more deeply in [18–20, 3]. In 2002, Magliveras et al. [22] put forward a trapdoor permutation function and two public key cryptosystems, MST1 and MST2, by employing LSs in finite non-abelian groups. In 2009, Magliveras et al. [14] devised a new public key cryptosystem, MST3, based on random covers and LSs in finite non-abelian groups. Meanwhile, Magliveras et al. proposed a practical platform, the Suzuki 2-group, for the first time [7] and put the MST cryptosystems into practice. However, some weaknesses have been found in the MST series of cryptosystems [15, 1, 31, 28]. In 2008, Magliveras et al. [15] provided a comprehensive analysis of the MST3 cryptosystem and stated that transitive LSs are not suitable for MST3. In 2009, Blackburn et al. [1] pointed out that amalgamated LSs are also not a reasonable choice for MST cryptosystems. In 2010, Vasco et al. [31] presented a more profound analysis of MST3 and showed that the intractability assumption GFP does not always hold for a random cover of the group G. The authors also showed that the MST3 cryptosystem cannot achieve one-wayness in the chosen plaintext attack model, let alone indistinguishability against adaptive chosen ciphertext attacks. Therefore, in 2010, Svaba et al. [28] constructed a more secure cryptosystem, eMST3, by employing a secret homomorphic map. Moreover, the authors analyzed all of the published references on attacking MST cryptosystems and developed a weak key test tool for the eMST3 cryptosystem. It was claimed that bad LSs can be replaced by employing the presented tool. But until now, there is no valid evidence showing that this method is reasonable and effective.

Though many non-commutative cryptosystems have been proposed so far, none of them are proven secure against chosen ciphertext attacks.

The remaining paper is organized as follows. In Section 2, we review the related results in Lie groups and propose our new assumptions. In Section 3, we present our CCA secure public key encryption in Lie groups along with its security analysis and efficiency analysis. At last, we conclude the paper in Section 4.
In this section, we review the definitions related to Lie groups, and propose the non-abelian factoring (NAF) problem and the non-abelian inserting (NAI) problem, together with their hardness analysis. For clarity, we first introduce the notations used in this paper.
Table 1. Notations used in this paper.

  R          set of real numbers
  C          set of complex numbers
  Z          set of integers
  M_n(C)     set of n × n complex matrices
  GL_n(C)    set of all invertible n × n matrices with complex entries
  p          large prime number
  M_n(p)     set of n × n matrices with entries in Z_p
  GL_n(p)    set of all invertible n × n matrices with entries in Z_p
  exp        exponential mapping (matrix exponential)

In this subsection, we review several classical conclusions in Lie theory, including the matrix exponential and one-parameter subgroups. We directly copy the results from [6].
Definition 1 (Matrix Exponential). [6] Let $X \in M_n(\mathbb{C})$ be an $n \times n$ complex matrix. The matrix exponential of $X$ is defined as the usual power series $\exp X = \sum_{m=0}^{\infty} \frac{X^m}{m!}$. When $X$ is a nilpotent matrix, $\exp X = \sum_{m=0}^{\ell} \frac{X^m}{m!}$, where $\ell$ is the nilpotent index of $X$.

It is easy to see that $M_n(\mathbb{C})$ together with the multiplication operation forms a semigroup.

Proposition 1. [6] Let $X$ and $Y$ be arbitrary $n \times n$ matrices. Then we have the following:
1. $\exp 0 = I_n$.
2. $\exp X$ is invertible and $(\exp X)^{-1} = \exp(-X)$.
3. $\exp((\alpha + \beta)X) = \exp(\alpha X) \cdot \exp(\beta X)$ for all $\alpha$ and $\beta$ in $\mathbb{C}$.
4. If $XY = YX$, then $\exp(X + Y) = \exp X \cdot \exp Y = \exp Y \cdot \exp X$.

Item 3 shows that for an arbitrary matrix $X$, the power series $\exp X$ is an invertible matrix and belongs to $GL_n(\mathbb{C})$. Item 4 describes that the commutativity of $\exp X$ and $\exp Y$ depends on the matrices $X$ and $Y$.

Definition 2 (One-Parameter Subgroup). [6] A function $F: \mathbb{R} \to GL_n(\mathbb{C})$ is called a one-parameter subgroup of $GL_n(\mathbb{C})$ if
1. $F$ is continuous;
2. $F(0) = I_n$;
3. $F(t + s) = F(t)F(s)$ for all $t, s \in \mathbb{R}$.

Property 1. [6] If $F$ is a one-parameter subgroup of $GL_n(\mathbb{C})$, then there exists a unique $n \times n$ complex matrix $X \in M_n(\mathbb{C})$ such that $F(t) = \exp(tX)$.

In Lie theory, $\exp(tX)$ is the exponential mapping from the Lie algebra element $X$ to its Lie group. Meanwhile, when $X$ is given, $F(t) = \exp(tX) \in GL_n(\mathbb{C})$ is an injection and a one-way function. Specifically, the injection property is implied by Proposition 1 (items 1, 2, 3), and the one-wayness is due to the intractability assumption of solving the root problem of a high-degree polynomial equation in one variable [17, 21, 9]. By using the results reviewed above, we can propose two hard problems: the non-abelian factoring (NAF) problem and the non-abelian inserting (NAI) problem.
Definition 3 (Non-abelian Factoring (NAF) Problem). Let $M = M_n(p)$ be a semigroup with respect to the multiplication operation, and $G = GL_n(p)$ the general linear group with respect to the multiplication operation. Let $R, T \in M$ ($R \neq T$) be two random nilpotent matrices. The factoring problem with respect to $G, R, T$, denoted by $\mathrm{NAF}_G^{\exp R, \exp T}$, is to factor the given product $\exp(xR) \cdot \exp(yT) \in G$ into the pair $(\exp(xR), \exp(yT)) \in G \times G$.

Now, let us analyze the hardness of the NAF problem. Firstly, it is easy to see that there are many factorizations of $A = \exp(xR) \cdot \exp(yT)$; for instance, $A = BC = B'C'$. Secondly, from Proposition 1, the map $(x, y) \mapsto \exp(xR) \cdot \exp(yT)$ is an injection with respect to $R$ and $T$. Hence, the probability of finding the specific pair $(x, y)$ that satisfies the maps $x \mapsto \exp(xR)$, $y \mapsto \exp(yT)$ and $\exp(xR) \cdot \exp(yT)$ simultaneously is at most $1/|G| \approx 1/p^{n^2}$. Note that $|G| < |M| = p^{n^2}$ and $|G| \approx |M| = p^{n^2}$ when $p$ is large enough. As a result, we believe that the NAF problem is hard when $|G|$ is large.

Furthermore, if $R$ and $T$ are non-commutative, then by Proposition 1 (items 1, 2 and 3) we conclude that $\exp(xR)$ and $\exp(yT)$ are non-commutative. In this paper, we always assume that $R$ and $T$ are non-commutative, $n \geq 2$, and $p$ is large enough.

It is quite interesting that solving the problem "given $\exp(tX) \in G$ and $X \in M$, compute $t$" does not help to solve the NAF problem. This is because, once $R \neq T$, there is no operation relating $\exp(xR)$ to $\exp(yT)$, or $\exp R$ to $\exp T$.

Definition 4 (Non-abelian Inserting (NAI) Problem). Let $M = M_n(p)$ be a semigroup with respect to the multiplication operation, and $G = GL_n(p)$ the general linear group with respect to the multiplication operation. Let $R, T \in M$ ($R \neq T$) be two random nilpotent matrices. The non-abelian inserting (NAI) problem with respect to $G, R, T$, denoted by $\mathrm{NAI}_G^{\exp R, \exp T}$, is to recover $\exp((a + c)R) \cdot \exp((b + d)T)$ from the given random pair $(\exp(aR) \cdot \exp(bT),\ \exp(cR) \cdot \exp(dT)) \in G \times G$.

It is easy to see that if the NAF problem is easy, then the NAI problem can also be solved. In particular, the adversary can use the NAF solver to get $\exp(aR)$ and $\exp(bT)$ from the input $\exp(aR) \cdot \exp(bT)$. After that, the adversary can obtain the NAI solution $\exp(aR) \cdot \exp(cR) \cdot \exp(dT) \cdot \exp(bT)$.

Actually, due to non-commutativity, the best known approach to the NAI problem is to split one item of the NAI input into two parts and then combine all of them together. It looks as if one item of the NAI input is inserted into the other item; hence the name.

In this section, we propose a new public key encryption scheme in Lie groups by using the FO technique [5]. In particular, our proposal is proven secure against chosen ciphertext attacks in the random oracle model assuming the inserting problem is hard in the underlying Lie group.
There are three algorithms in our proposal: the key pair generation algorithm KeyGen, the encryption algorithm Enc, and the decryption algorithm Dec. The details are as follows.

KeyGen($\kappa_1, \kappa_2, \kappa_3$): It takes the security parameters $\kappa_1, \kappa_2, \kappa_3$ as input and outputs a public key $pk = (M, G, S, T, \Delta, H_1, H_2, H_3)$ and the corresponding private key $sk = (\exp(sS), \exp(tT))$. The key pair satisfies the following requirements.
– $M = M_n(p)$ is a semigroup with respect to the multiplication operation.
– $G = GL_n(p)$ is a non-abelian matrix Lie group of rank $n$ ($n \geq 2$); $p$ is a large prime number with $p = \Theta(2^{\kappa_1})$, and $|G| = \Theta(p^{n^2}) = \Theta(2^{n^2 \kappa_1})$.
– $S, T \in M$ are two random nilpotent matrices, and $\Delta = \exp(sS) \cdot \exp(tT)$, where $s \in \{0,1\}^{\kappa_1}$ and $t \in \{0,1\}^{\kappa_2}$ are random numbers.
– $H_1, H_2, H_3$ are three cryptographically secure hash functions: $H_1: \{0,1\}^{\kappa_3 + \ell} \to \{0,1\}^{\kappa_1 + \kappa_2}$, $H_2: G \to \{0,1\}^{\kappa_3}$, and $H_3: \{0,1\}^{\kappa_3} \to \{0,1\}^{\ell}$, where $\ell$ is the bit length of the message.
At last, $s$ and $t$ should be securely destroyed.

Enc($pk, m$): It takes a public key $pk = (M, G, S, T, \Delta, H_1, H_2, H_3)$ and a message $m \in \{0,1\}^{\ell}$ as input and outputs the corresponding ciphertext $C = (C_1, C_2, C_3)$ by the following steps.
– Choose a random number $\sigma$ from $\{0,1\}^{\kappa_3}$.
– Compute $r_s \| r_t = H_1(\sigma \| m)$.
– Compute $C_1 = H_2(\exp(r_s S) \cdot \Delta \cdot \exp(r_t T)) \oplus \sigma$.
– Compute $C_2 = \exp(r_s S) \cdot \exp(r_t T)$.
– Compute $C_3 = H_3(\sigma) \oplus m$.

Dec($sk, C$): It takes a private key $sk = (\exp(sS), \exp(tT))$ and a ciphertext $C = (C_1, C_2, C_3)$ as input and outputs the corresponding message as follows.
– Compute $\sigma' = C_1 \oplus H_2(\exp(sS) \cdot C_2 \cdot \exp(tT))$.
– Compute $m' = C_3 \oplus H_3(\sigma')$.
– Compute $r'_s \| r'_t = H_1(\sigma' \| m')$.
– Check whether both $C_1 = H_2(\exp(r'_s S) \cdot \Delta \cdot \exp(r'_t T)) \oplus \sigma'$ and $C_2 = \exp(r'_s S) \cdot \exp(r'_t T)$ hold. If both hold, set $m = m'$; otherwise, set $m = \bot$.
– Output $m$.

Correctness of the Proposal. The correctness of the proposal follows from the equalities
$$\exp(r_s S) \cdot \Delta \cdot \exp(r_t T) = \exp(r_s S) \cdot \exp(sS) \cdot \exp(tT) \cdot \exp(r_t T) = \exp(sS) \cdot \exp(r_s S) \cdot \exp(r_t T) \cdot \exp(tT) = \exp(sS) \cdot C_2 \cdot \exp(tT),$$
where the middle step uses Proposition 1 (item 3): $\exp(r_s S)$ and $\exp(sS)$ commute because both are exponentials of multiples of $S$, and likewise $\exp(tT)$ and $\exp(r_t T)$ commute.

By the techniques used in [5], we can prove that our proposal is secure against chosen ciphertext attacks in the random oracle model assuming that the inserting problem in the Lie group is hard.
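To make Definition 1, Proposition 1 and the scheme above concrete, the following Python program is an added worked example; it is not the authors' code and nothing in it comes from the paper beyond the definitions just given. It implements the truncated matrix exponential of a nilpotent matrix over $\mathbb{Z}_p$, checks items 1 to 3 of Proposition 1, and then runs KeyGen, Enc and Dec exactly as listed, including the FO re-encryption check that rejects a tampered ciphertext. Everything else is an assumption chosen for illustration: toy parameters $p = 1000003$, $n = 3$, $\kappa_1 = \kappa_2 = \kappa_3 = 16$ and $\ell = 32$; random strictly upper triangular matrices as the nilpotent $S, T$; and domain-separated, truncated SHA-256 standing in for the random oracles $H_1, H_2, H_3$.

```python
# Added worked example of the paper's Lie-group encryption scheme; not the authors' code.
# All parameters below are toy assumptions for illustration and give no real security.
import hashlib, random, secrets

P = 1000003   # assumed small prime; the paper wants p = Theta(2^kappa_1)
N = 3         # matrix dimension n (n >= 2, so GL_n(p) is non-abelian)
KAPPA = 16    # kappa_1 = kappa_2 = kappa_3 = 16 bits in this toy
ELL = 32      # message bit length ell

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def mat_add(A, B):
    return [[(A[i][j] + B[i][j]) % P for j in range(N)] for i in range(N)]

def mat_scale(c, A):
    return [[(c * A[i][j]) % P for j in range(N)] for i in range(N)]

def mat_mul(A, B):  # product in the semigroup M = M_n(p)
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % P for j in range(N)] for i in range(N)]

def mat_exp(X):
    """Definition 1 for nilpotent X over Z_p: exp X = sum_{m=0}^{l} X^m / m!.
    The sum stops once X^m = 0, and (m!)^{-1} mod p exists because m <= n < p."""
    result, power, fact = identity(), identity(), 1
    for m in range(1, N + 1):          # a nilpotent n x n matrix satisfies X^n = 0
        power = mat_mul(power, X)
        if not any(power[i][j] for i in range(N) for j in range(N)):
            break
        fact = (fact * m) % P
        result = mat_add(result, mat_scale(pow(fact, -1, P), power))
    return result

def check_proposition1(X, a, b):
    """Items 1-3 of Proposition 1, evaluated over Z_p for a nilpotent X."""
    return (mat_exp([[0] * N for _ in range(N)]) == identity()
            and mat_mul(mat_exp(X), mat_exp(mat_scale(-1, X))) == identity()
            and mat_mul(mat_exp(mat_scale(a, X)), mat_exp(mat_scale(b, X)))
            == mat_exp(mat_scale(a + b, X)))

def random_nilpotent(rng):  # assumed choice: random strictly upper triangular matrix
    return [[rng.randrange(P) if j > i else 0 for j in range(N)] for i in range(N)]

# Random-oracle placeholders (assumption): domain-separated SHA-256 truncated to nbits.
def _H(tag, data, nbits):
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") >> (256 - nbits)

def encode(A):  # canonical bytes of a matrix, so elements of G can be hashed
    return b"".join(A[i][j].to_bytes(4, "big") for i in range(N) for j in range(N))

def H1(sigma, m):  # {0,1}^{kappa_3+ell} -> {0,1}^{kappa_1+kappa_2}, split as (r_s, r_t)
    h = _H(b"H1", sigma.to_bytes(4, "big") + m.to_bytes(8, "big"), 2 * KAPPA)
    return h >> KAPPA, h & ((1 << KAPPA) - 1)

def H2(A):  # G -> {0,1}^{kappa_3}
    return _H(b"H2", encode(A), KAPPA)

def H3(sigma):  # {0,1}^{kappa_3} -> {0,1}^{ell}
    return _H(b"H3", sigma.to_bytes(4, "big"), ELL)

def keygen(rng=None):
    """KeyGen: pk = (S, T, Delta), sk = (exp(sS), exp(tT)); s and t are then discarded."""
    rng = rng or secrets.SystemRandom()
    S, T = random_nilpotent(rng), random_nilpotent(rng)
    while mat_mul(S, T) == mat_mul(T, S):   # the paper requires S and T not to commute
        S, T = random_nilpotent(rng), random_nilpotent(rng)
    s, t = rng.getrandbits(KAPPA), rng.getrandbits(KAPPA)
    exp_sS, exp_tT = mat_exp(mat_scale(s, S)), mat_exp(mat_scale(t, T))
    return (S, T, mat_mul(exp_sS, exp_tT)), (exp_sS, exp_tT)

def enc(pk, m, rng=None):
    """Enc: C = (C1, C2, C3) exactly as in the scheme description."""
    S, T, delta = pk
    sigma = (rng or secrets.SystemRandom()).getrandbits(KAPPA)
    r_s, r_t = H1(sigma, m)
    exp_rsS, exp_rtT = mat_exp(mat_scale(r_s, S)), mat_exp(mat_scale(r_t, T))
    C1 = H2(mat_mul(mat_mul(exp_rsS, delta), exp_rtT)) ^ sigma
    return C1, mat_mul(exp_rsS, exp_rtT), H3(sigma) ^ m

def dec(pk, sk, C):
    """Dec: recover sigma' through the inserting identity exp(sS) C2 exp(tT), then
    re-encrypt (the FO check). Returns None, the paper's bottom, if either check fails."""
    S, T, delta = pk
    exp_sS, exp_tT = sk
    C1, C2, C3 = C
    sigma = C1 ^ H2(mat_mul(mat_mul(exp_sS, C2), exp_tT))
    m = C3 ^ H3(sigma)
    r_s, r_t = H1(sigma, m)
    exp_rsS, exp_rtT = mat_exp(mat_scale(r_s, S)), mat_exp(mat_scale(r_t, T))
    if (C1 != H2(mat_mul(mat_mul(exp_rsS, delta), exp_rtT)) ^ sigma
            or C2 != mat_mul(exp_rsS, exp_rtT)):
        return None
    return m

def demo(seed=7):
    """One reproducible run: Proposition 1, non-commutativity, round trip, tampering."""
    rng = random.Random(seed)            # seeded only for reproducibility; use secrets in practice
    pk, sk = keygen(rng)
    m = 0xDEADBEEF                       # constructed 32-bit message
    C1, C2, C3 = enc(pk, m, rng)
    return {"prop1_holds": check_proposition1(pk[0], 5, 9),
            "S_T_noncommuting": mat_mul(pk[0], pk[1]) != mat_mul(pk[1], pk[0]),
            "roundtrip": dec(pk, sk, (C1, C2, C3)),
            "tampered_C3": dec(pk, sk, (C1, C2, C3 ^ 1)),   # flipped message bit -> rejected
            "tampered_C1": dec(pk, sk, (C1 ^ 1, C2, C3))}   # flipped sigma bit -> rejected
```

Two things the run makes visible that the description alone does not. First, decryption never needs $s$ or $t$ themselves, only $\exp(sS)$ and $\exp(tT)$: the private key is used purely through the inserting identity $\exp(sS) \cdot C_2 \cdot \exp(tT)$, which is why the reduction in the security proof can target the NAI problem. Second, because every entry is reduced modulo $p$, $\exp(rS)$ in this toy depends only on $r \bmod p$, so exponents longer than $|p|$ bits add nothing; this is the reason the efficiency analysis later ties $\kappa_1$ to $|p|$.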
Theorem 1. The proposal is secure against chosen ciphertext attacks in the random oracle model based on the NAI assumption in the Lie group.

Proof. If there exists an adversary $\mathcal{A}$ that can break the CCA security of the proposal, then we can build another algorithm $\mathcal{B}$ solving the non-abelian inserting problem in the Lie group. That is, given $\Delta_1 = \exp(s_1 S) \cdot \exp(t_1 T) \in G$, $\Delta_2 = \exp(s_2 S) \cdot \exp(t_2 T) \in G$ and $S, T \in M$, $\mathcal{B}$ aims to output $\Delta = \exp((s_1 + s_2)S) \cdot \exp((t_1 + t_2)T)$. The details are as follows.

Setup: $\mathcal{B}$ sets the public values $S, T, \Delta$ as $S, T, \Delta_1 = \exp(s_1 S) \cdot \exp(t_1 T)$, respectively. Clearly, $\mathcal{B}$ has no idea about the corresponding private key $sk = (\exp(s_1 S), \exp(t_1 T))$.

Phase 1: $\mathcal{B}$ builds the following oracles.
– Random Oracle $\mathcal{O}_{H_1}$: $\mathcal{A}$ sends $\sigma \| m \in \{0,1\}^{\kappa_3 + \ell}$ to this oracle. $\mathcal{B}$ first searches whether $(\sigma \| m, \alpha)$ exists in table $T_{H_1}$, which is empty at the beginning. If it exists, $\mathcal{B}$ returns $\alpha$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ chooses a random number $\alpha$ from $\{0,1\}^{\kappa_1 + \kappa_2}$, records $(\sigma \| m, \alpha)$ in table $T_{H_1}$, and sends $\alpha$ to $\mathcal{A}$.
– Random Oracle $\mathcal{O}_{H_2}$: $\mathcal{A}$ sends $R \in G$ to this oracle. $\mathcal{B}$ first searches whether $(R, \beta)$ exists in table $T_{H_2}$, which is empty at the beginning. If it exists, $\mathcal{B}$ returns $\beta$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ chooses a random number $\beta$ from $\{0,1\}^{\kappa_3}$, records $(R, \beta)$ in table $T_{H_2}$, and sends $\beta$ to $\mathcal{A}$.
– Random Oracle $\mathcal{O}_{H_3}$: $\mathcal{A}$ sends $\sigma \in \{0,1\}^{\kappa_3}$ to this oracle. $\mathcal{B}$ first searches whether $(\sigma, \gamma)$ exists in table $T_{H_3}$, which is empty at the beginning. If it exists, $\mathcal{B}$ returns $\gamma$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ chooses a random number $\gamma$ from $\{0,1\}^{\ell}$, records $(\sigma, \gamma)$ in table $T_{H_3}$, and sends $\gamma$ to $\mathcal{A}$.
– Decryption Oracle $\mathcal{O}_{dec}$: $\mathcal{A}$ sends a ciphertext $C = (C_1, C_2, C_3) \in \{0,1\}^{\kappa_3} \times G \times \{0,1\}^{\ell}$ to this oracle. $\mathcal{B}$ first searches for a tuple $(\sigma, m, \alpha, \beta, \gamma)$ in tables $T_{H_1}$, $T_{H_2}$ and $T_{H_3}$ such that $\alpha_s \| \alpha_t = \alpha = H_1(\sigma \| m)$, $C_1 = \beta \oplus \sigma$, $C_2 = \exp(\alpha_s S) \cdot \exp(\alpha_t T)$, and $C_3 = \gamma \oplus m$. If it exists, $\mathcal{B}$ sends $m$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ sends $\bot$ to $\mathcal{A}$.

Challenge: $\mathcal{A}$ sends $\mathcal{B}$ two messages $m_0, m_1 \in \{0,1\}^{\ell}$ of equal bit length. $\mathcal{B}$ computes $C^* = (C^*_1, C^*_2, C^*_3)$ as follows.
– Choose random $\sigma^*, \beta^*$ from $\{0,1\}^{\kappa_3}$, and compute $C^*_1 = \sigma^* \oplus \beta^*$.
– Set $C^*_2 = \Delta_2$.
– Compute $C^*_3 = H_3(\sigma^*) \oplus m_b$, where $b$ is a random bit from $\{0,1\}$.
At last, $\mathcal{B}$ sends $C^*$ to $\mathcal{A}$ as the challenge ciphertext.

Phase 2: It is almost the same as Phase 1, except that $\mathcal{A}$ cannot directly send $C^*$ to the decryption oracle $\mathcal{O}_{dec}$.

Guess: $\mathcal{A}$ outputs the guess $b'$ on $b$. $\mathcal{B}$ randomly chooses $R$ from table $T_{H_2}$ and outputs $R$ as $\Delta$. If $\mathcal{A}$ can output a correct guess, then $R$ is the right $\Delta$ with probability at least $1/q_{H_2}$, where $q_{H_2}$ is the maximum number of queries to the random oracle $\mathcal{O}_{H_2}$ by $\mathcal{A}$.

Similarly to the analysis in [5], we conclude that our proposal is secure against chosen ciphertext attacks based on the NAI assumption. ⊓⊔

Since the publication of Shor's quantum algorithm for solving the IFP and DLP [27], many mathematicians have devoted themselves to developing secure public key cryptosystems based on non-abelian algebra. It is unclear how to use Shor's quantum algorithm to break the intractability assumption of the
$\mathrm{NAI}_G^{\exp R, \exp T}$ problem. Recall that Shor's algorithm [27] consists of two parts: a quantum algorithm to solve the order-finding problem over $\mathbb{Z}_n^*$, and a classical reduction of factoring to the order-finding problem. Now, let us show that even if a quantum algorithm for solving the order-finding problem over a non-abelian group $G$ were at hand, at present we still have no reduction, either classical or quantum, for the underlying problem. In fact, the exponential mapping is completely different from the exponential operation in finite fields. Moreover, since $R$ and $T$ are both nilpotent matrices, and a nilpotent matrix has no multiplicative order, Shor's algorithm cannot work for this case.

On the other hand, in order to obtain the pair $(\exp(xR), \exp(yT))$, we have to factorize $\exp(xR) \cdot \exp(yT) \in G$. But until now, there is no efficient classical or quantum algorithm for factoring a general matrix into two specific matrices.

Consequently, our scheme is secure against known classical and quantum algorithms.

In this section, we analyze the efficiency of our proposal and how to choose the security parameters. In particular, we have the following.
1. The key generation algorithm requires two exponential mappings of the two nilpotent matrices $S$ and $T$, and the core parameters of the public key (pk) and the secret key (sk) are the triple $(S, T, \exp(sS) \cdot \exp(tT))$ and the pair $(\exp(sS), \exp(tT))$, respectively. They are $3|p^{n^2}|$ and $2|p^{n^2}|$ bits long, respectively. Here we ignore the part of the parameters that describes $M, G, H_1, H_2, H_3$.
2. The encryption algorithm requires two exponential mappings, to compute $\exp(r_s S)$ and $\exp(r_t T)$, and three additional multiplications to get the final ciphertext. Similarly, the cost of evaluating $H_1, H_2$ and $H_3$ is ignored without loss of generality. The bit length of one ciphertext is $\kappa_3 + |p^{n^2}| + \ell$.
3. The decryption algorithm does not need any exponential mappings, but only two multiplications, to get the message, while it needs two exponential mappings and three multiplications to check the validity of the ciphertext. The cost of evaluating the hash functions is still ignored.
4. According to the results in Section 2, the ranges of $s, r_s, t, r_t$ could be extended to $\mathbb{Z}$. For ease of implementation, we set the ranges as $\{0,1\}^{\kappa_1}$ and $\{0,1\}^{\kappa_2}$ in the description of our proposal. On the other hand, $\kappa_1$ and $\kappa_2$ should be large enough to resist brute force attacks. Recall from the analysis of the NAF problem that the hardness is related to $|G| \approx p^{n^2}$. Hence, $\kappa_1 = |p|$ and $n$ should be large enough to make $|G|$ large. At last, $\kappa_3$ could be set as in [5].

The invention of Shor's quantum algorithm for solving the integer factorization problem and the discrete logarithm problem casts distrust on many public key cryptosystems used today. This urges us to develop secure public key cryptosystems based on a variety of platforms, such as non-abelian algebra. In this paper, we first presented two new intractability assumptions by using the exponential mapping in Lie groups. Subsequently, we proposed a new public key encryption scheme based on Lie groups and Lie algebras. Our proposal is proved to be CCA secure in the random oracle model.
Acknowledgements
This work is partially supported by the National Natural Science Foundation of China (NSFC) (Nos. 61502048, 61370194) and the NSFC A3 Foresight Program (No. 61411146001).
References
1. Blackburn S R, Cid C, Mullan C. Cryptanalysis of the MST3