Public Key Exchange Using Matrices Over Group Rings
Delaram Kahrobaei, Charalambos Koupparis, Vladimir Shpilrain
Abstract.
We offer a public key exchange protocol in the spirit of Diffie-Hellman, but we use (small) matrices over a group ring of a (small) symmetric group as the platform. This "nested structure" of the platform makes computation very efficient for legitimate parties. We discuss security of this scheme by addressing the Decision Diffie-Hellman (DDH) and Computational Diffie-Hellman (CDH) problems for our platform.

1. Introduction
The beginning of public key cryptography can be traced back to the paper by Diffie and Hellman [2]. The simplest, and original, implementation of their key exchange protocol uses $\mathbb{Z}_p^*$, the multiplicative group of integers modulo a prime $p$, as the platform. There is also a public element $g \in \mathbb{Z}_p^*$, which is a primitive root mod $p$. The protocol itself is as follows:
(1) Alice chooses an integer $a$, computes $A = g^a \bmod p$ and publishes $A$.
(2) Bob picks an integer $b$, computes $B = g^b \bmod p$, and publishes $B$.
(3) Alice computes $K_A = B^a \bmod p$.
(4) Bob computes $K_B = A^b \bmod p$.
Both Alice and Bob are now in possession of a secret shared key $K$, as $g^{ab} \bmod p = g^{ba} \bmod p$ and hence $K := K_A = K_B$.
The protocol is considered secure provided the group and $g$ are chosen properly, see e.g. [5] for details. In order to recover the shared secret key, the eavesdropper Eve must be able to solve the Diffie-Hellman problem (recover $g^{ab}$ from $g$, $g^a$ and $g^b$). One could solve the Diffie-Hellman problem by solving the discrete logarithm problem, i.e., by recovering $a$ from $g$ and $g^a$. However, it is unknown whether the discrete logarithm problem is equivalent to the Diffie-Hellman problem.
We should note that there is still the "brute force" method of solving the discrete logarithm problem: the eavesdropper simply computes successively higher powers of $g$ until one of them matches $g^a$. This requires at most $|g|$ multiplications, where $|g|$ is the order of $g$ in the group. Since $g$ is a primitive root, $|g| = p - 1$, which for the sizes of $p$ in use is so large that this method is considered computationally infeasible.
Initially it may seem that the legitimate parties, Alice and Bob, will also have to perform a large number of multiplications, thus facing the same problem as the eavesdropper does. However, as the legitimate parties are in possession of $a$ and $b$, they can use the "square and multiply" algorithm, which requires only $O(\log a)$ multiplications: $g$ is squared repeatedly, and those powers $g^{2^i}$ that correspond to the binary digits of $a$ are multiplied together.
Research of the first author was partially supported by a PSC-CUNY grant from the CUNY research foundation, as well as the City Tech foundation. Research of the third author was partially supported by the NSF grants DMS-0914778 and CNS-1117675.
arXiv [cs.CR]
There is some disadvantage to working with $\mathbb{Z}_p$, where $p$, $a$, and $b$ are chosen to be fairly large. Computation with 300-digit numbers (or 1000-bit binary numbers) is not particularly efficient, and neither is reducing the result modulo $p$. This is one of the reasons why the Diffie-Hellman key agreement protocol with recommended parameters is not suitable for devices with limited computational resources. Hence, there is an ongoing search for other platforms where the Diffie-Hellman or a similar key exchange can be carried out more efficiently, in particular with public and/or private keys of smaller size.
The platform that we are proposing here is the semigroup of matrices (of a small size) over a group ring, with the usual matrix multiplication operation. More specifically, we are working with matrices over the group ring $\mathbb{Z}_n[S_m]$, where $\mathbb{Z}_n$ is the ring of integers modulo $n$ and $S_m$ is the symmetric group of degree $m$. To verify the security of using such a semigroup of matrices as the platform, we address the Computational Diffie-Hellman and Decision Diffie-Hellman problems (Section 3), along with questions about the structure of this semigroup.
Parameters that we suggest ($2 \times 2$ or $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$) provide for a large keyspace: since $|S_5| = 120$ and each matrix entry is a vector of 120 coefficients from $\mathbb{Z}_7$, there are $7^{480}$ matrices of size $2 \times 2$ and $7^{1080}$ of size $3 \times 3$. A single $2 \times 2$ matrix over $\mathbb{Z}_7[S_5]$ takes about 1440 bits (four entries of 120 three-bit coefficients each). These storage requirements can be reduced if we do not store polynomial terms which have a 0 as their coefficient, thus bringing the key size down to about 1230 bits for $2 \times 2$ matrices.
An advantage of our platform over the $\mathbb{Z}_p$ platform in the original Diffie-Hellman scheme is that the multiplication of matrices over $\mathbb{Z}_7[S_5]$ is very efficient. In particular, in our setup multiplying elements is faster than multiplying numbers in $\mathbb{Z}_p$ for a large $p$. This is due to the fact that one can pre-compute the multiplication table for the group $S_5$ (of order 120), so in order to multiply two elements of $\mathbb{Z}_7[S_5]$ there is no "actual" multiplication in $S_5$ involved, but just re-arranging a bit string and multiplying coefficients in $\mathbb{Z}_7$. Also, in our multiplication there is no reduction of the result modulo $p$ that slows down computation in $\mathbb{Z}_p$ for a large $p$. Informally speaking, the "nested structure" of our platform (small matrices over a group ring of a small group $S_5$ over a small ring $\mathbb{Z}_7$) provides for more efficient computation than just using $\mathbb{Z}_p$ with a very large $p$.
From a security standpoint, an advantage of our platform over the group $\mathbb{Z}_p$, or elliptic curves, is that the "standard" attacks (baby-step giant-step, Pohlig-Hellman, Pollard's rho) do not work with our platform in their usual form, as we argue in Section 6. Furthermore, we argue that our platform is not affected by Shor's quantum algorithm, which breaks the classical Diffie-Hellman protocol; see Section 6.3.

2. Group Rings
Definition 2.1. Let $G$ be a group written multiplicatively and let $R$ be any commutative ring with nonzero unity. The group ring $R[G]$ is defined to be the set of all formal sums
$$\sum_{g_i \in G} r_i g_i,$$
where $r_i \in R$, and all but a finite number of the $r_i$ are zero. We define the sum of two elements in $R[G]$ by
$$\sum_{g_i \in G} a_i g_i + \sum_{g_i \in G} b_i g_i = \sum_{g_i \in G} (a_i + b_i) g_i.$$
Note that $a_i + b_i = 0$ for all but a finite number of $i$, hence the above sum is in $R[G]$. Thus $(R[G], +)$ is an abelian group.
Multiplication of two elements of $R[G]$ is defined by the use of the multiplications in $G$ and $R$ as follows:
$$\Big(\sum_{g_i \in G} a_i g_i\Big)\Big(\sum_{g_i \in G} b_i g_i\Big) = \sum_{g_i \in G} \Big(\sum_{g_j g_k = g_i} a_j b_k\Big) g_i.$$
As an example of a group ring, we consider the symmetric group $S_5$ and the ring $\mathbb{Z}_7$ and form the group ring $\mathbb{Z}_7[S_5]$. We will write the identity element of $S_m$ as $e$, and we compose permutations right to left (so in $(123)(1453)$ the cycle $(1453)$ is applied first). Sample elements and operations, with coefficients reduced modulo 7, are
$a = 5(123) + 2(15)(24) + (153)$,
$b = 3(123) + 4(1453)$,
$a + b = (123) + 2(15)(24) + (153) + 4(1453)$,
$ab = (5(123) + 2(15)(24) + (153))(3(123) + 4(1453))$
$\quad = 15(132) + 20(145)(23) + 6(14235) + 8(124)(35) + 3(12)(35) + 4(1435)$
$\quad = (132) + 6(145)(23) + 6(14235) + (124)(35) + 3(12)(35) + 4(1435)$,
$ba = (3(123) + 4(1453))(5(123) + 2(15)(24) + (153))$
$\quad = 15(132) + 6(15243) + 3(15)(23) + 20(12)(345) + 8(13)(254) + 4(1345)$
$\quad = (132) + 6(15243) + 3(15)(23) + 6(12)(345) + (13)(254) + 4(1345)$.
Note that $ab \neq ba$: the group ring is not commutative, so the order of factors matters in the matrix products below.
Now that group rings have been defined, it is clear how to define $M_2(\mathbb{Z}_n[S_m])$, the ring of $2 \times 2$ matrices over $\mathbb{Z}_n[S_m]$. We are only going to be concerned with multiplication of matrices in this ring; as an example using the same $a$ and $b$ defined above, we can take
$$M_1 = \begin{pmatrix} a & e \\ e & b \end{pmatrix}$$
and a second matrix $M_2$ built from the elements $a$, $b$ and $e$; each entry of the product $M_1 M_2$ is then a sum of products such as $ab$, $ba$ and $e$ computed as above, reduced in $\mathbb{Z}_7[S_5]$.

3. Computational Diffie-Hellman and Decision Diffie-Hellman
Recall that in the Diffie-Hellman key exchange Alice and Bob want to establish a secret shared key. Alice chooses a finite group $G$ and an element $g$ of the group $G$. Alice then picks a random $a$ and publishes $(g, G, g^a)$. Bob also picks a random $b$ and publishes $g^b$. Alice's and Bob's secret key is now $g^{ab}$, which can be computed by both of them since $g^{ab} = (g^a)^b = (g^b)^a$. The security of the Diffie-Hellman key exchange relies on the assumption that it is computationally hard to recover $g^{ab}$ given $(g, G, g^a, g^b)$.
A passive eavesdropper, Eve, would try to recover $g^{ab}$ from $(g, G, g^a, g^b)$. One defines the Diffie-Hellman function by $F(g, G, g^a, g^b) = g^{ab}$. We say that a group $G$ satisfies the Computational Diffie-Hellman (CDH) assumption if no efficient algorithm exists to compute $F(g, G, g^a, g^b) = g^{ab}$. More precisely,

Definition 3.1.
A CDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and all sufficiently large $n$,
$$P\big[F(g, G, g^a, g^b) = g^{ab}\big] > \frac{1}{n^{\alpha}}.$$
The probability is over a uniformly random choice of $a$ and $b$. We say that the group $G$ satisfies the CDH assumption if there is no CDH algorithm for $G$.
Even though a group may satisfy the CDH assumption, CDH by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes. While Eve may not be able to recover the entire secret, she may still be able to recover valuable information about it. For example, even if CDH holds, Eve may still be able to predict 80% of the bits of $g^{ab}$ with reasonable confidence [1]. Hence if we are using $g^{ab}$ as the shared secret key, one must be able to bound the information Eve can extract about it given $g$, $g^a$ and $g^b$. This is formally expressed by the much stronger Decision Diffie-Hellman (DDH) assumption.

Definition 3.2.
A DDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and all sufficiently large $n$,
$$\Big| P\big[F(g, G, g^a, g^b, g^{ab}) = \text{"True"}\big] - P\big[F(g, G, g^a, g^b, g^c) = \text{"True"}\big] \Big| > \frac{1}{n^{\alpha}}.$$
The probability is over a uniformly random choice of $a$, $b$ and $c$. We say that the group $G$ satisfies the DDH assumption if there is no DDH algorithm for $G$.
Essentially, the DDH assumption says that there is no efficient algorithm which can distinguish between the two probability distributions $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$, where $a$, $b$ and $c$ are chosen at random.

4. Diffie-Hellman key exchange protocol using matrices over $\mathbb{Z}_n[S_m]$

While $S_m$ is a relatively small group for small $m$, the size of the group ring $\mathbb{Z}_n[S_m]$ grows reasonably fast, even for small values of $n$ and $m$. This is one reason we chose to look at the Diffie-Hellman key exchange protocol using these group rings. We propose to work with the group ring $\mathbb{Z}_7[S_5]$, which has size $7^{|S_5|} = 7^{120}$. The next step is to work with matrices over these group rings. Hence, say, the semigroup $M_3(\mathbb{Z}_7[S_5])$ of $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$ has size $(7^{120})^9 = 7^{1080}$. This semigroup of matrices can now serve as the platform for the Diffie-Hellman key exchange protocol. The procedure Alice and Bob carry out is essentially the same.
Alice chooses a public matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a private large positive integer $a$, computes $M^a$, and publishes $(M, M^a)$. Bob chooses another large integer $b$, and computes and publishes $M^b$.
Both Alice and Bob can now compute the same shared secret key $K = (M^a)^b = (M^b)^a$, because powers of one and the same matrix commute even though the platform is not commutative. As we have already mentioned in the Introduction, multiplication of matrices in the semigroup $M_3(\mathbb{Z}_7[S_5])$ is very efficient, and, of course, in this semigroup, as in any other semigroup, we can use the "square and multiply" algorithm for exponentiation.
To assess security of our proposal, we should address the two Diffie-Hellman assumptions, CDH and DDH. We investigate the (stronger) DDH assumption experimentally in Section 5. Finally, some of the algebraic properties of $M_3(\mathbb{Z}_7[S_5])$ will be investigated.

5. Experimental results
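Before turning to the experiments, here is a compact Python reference implementation of the arithmetic of Section 2 and of the exchange of Section 4. It is an added example and not the authors' C++ code. Permutations of $S_5$ are indexed and their products looked up in a pre-computed $120 \times 120$ table, which is exactly the mechanism the Introduction credits for the platform's speed; a group ring element is a vector of 120 coefficients in $\mathbb{Z}_7$; `mat_pow` is square-and-multiply. The right-to-left composition convention is an assumption, chosen because it reproduces the printed products of Section 2 (the constants `A_ELEM`, `B_ELEM`, `AB_EXPECTED`, `BA_EXPECTED` are those products). The seed, the $2 \times 2$ size and the exponents 37 and 53 in `demo_exchange` are constructed for illustration only; real exponents are large secrets.

```python
"""Arithmetic of Z_7[S_5], matrices over it, and the key exchange of Section 4.
Added example, not the authors' C++ code; the demo matrix, seed and exponents are constructed."""
from itertools import permutations
import random

N_MOD = 7     # coefficient ring Z_7
DEGREE = 5    # symmetric group S_5, of order 120

# Permutations of {0, ..., DEGREE-1} as tuples p with p[i] = image of i.
PERMS = list(permutations(range(DEGREE)))
INDEX = {p: i for i, p in enumerate(PERMS)}
ORDER = len(PERMS)                      # 120
E = INDEX[tuple(range(DEGREE))]         # index of the identity e

def compose(p, q):
    """p*q applies q first, then p (right to left): the convention under which the
    paper's printed products, e.g. (123)(1453) = (145)(23), come out as shown."""
    return tuple(p[q[i]] for i in range(len(p)))

# Pre-computed multiplication table of S_5: MUL[i][j] is the index of PERMS[i]*PERMS[j].
MUL = [[INDEX[compose(p, q)] for q in PERMS] for p in PERMS]

def cycle_perm(*cycs):
    """Index of the permutation given by 1-based disjoint cycles, e.g. cycle_perm((1, 5), (2, 4))."""
    p = list(range(DEGREE))
    for c in cycs:
        for k, v in enumerate(c):
            p[v - 1] = c[(k + 1) % len(c)] - 1
    return INDEX[tuple(p)]

# A group ring element is a list of ORDER coefficients in Z_7, indexed like PERMS.
def gr_elem(terms):
    """terms: iterable of (coefficient, list of cycles), e.g. [(5, [(1, 2, 3)]), (2, [(1, 5), (2, 4)])]."""
    x = [0] * ORDER
    for coef, cycs in terms:
        i = cycle_perm(*cycs)
        x[i] = (x[i] + coef) % N_MOD
    return x

def gr_zero():
    return [0] * ORDER

def gr_one():
    return [1 if i == E else 0 for i in range(ORDER)]

def gr_add(x, y):
    return [(a + b) % N_MOD for a, b in zip(x, y)]

def gr_mul(x, y):
    """Coefficient of g_i in xy is the sum of a_j*b_k over g_j*g_k = g_i; only table lookups
    and small-integer arithmetic are involved, no run-time permutation products."""
    out = [0] * ORDER
    for i, a in enumerate(x):
        if a:
            row = MUL[i]
            for j, b in enumerate(y):
                if b:
                    out[row[j]] += a * b
    return [c % N_MOD for c in out]

def mat_mul(A, B):
    k = len(A)
    C = [[gr_zero() for _ in range(k)] for _ in range(k)]
    for i in range(k):
        for j in range(k):
            for l in range(k):
                C[i][j] = gr_add(C[i][j], gr_mul(A[i][l], B[l][j]))
    return C

def mat_pow(M, exp):
    """Square-and-multiply in the matrix semigroup: O(log exp) matrix products."""
    k = len(M)
    result = [[gr_one() if i == j else gr_zero() for j in range(k)] for i in range(k)]
    base = M
    while exp > 0:
        if exp & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        exp >>= 1
    return result

def random_matrix(rng, k):
    """Random k x k matrix: every coefficient of every entry uniform in Z_7 (the paper's sampling)."""
    return [[[rng.randrange(N_MOD) for _ in range(ORDER)] for _ in range(k)] for _ in range(k)]

def dh_exchange(M, a, b):
    """Alice publishes M^a, Bob publishes M^b; returns (K_A, K_B) = ((M^b)^a, (M^a)^b)."""
    pub_a, pub_b = mat_pow(M, a), mat_pow(M, b)
    return mat_pow(pub_b, a), mat_pow(pub_a, b)

def demo_exchange(seed=2013, a=37, b=53, k=2):
    """Constructed demo: seeded 2 x 2 public matrix, small exponents (real a, b are large secrets)."""
    return dh_exchange(random_matrix(random.Random(seed), k), a, b)

# The worked example of Section 2.
A_ELEM = gr_elem([(5, [(1, 2, 3)]), (2, [(1, 5), (2, 4)]), (1, [(1, 5, 3)])])
B_ELEM = gr_elem([(3, [(1, 2, 3)]), (4, [(1, 4, 5, 3)])])
AB_EXPECTED = gr_elem([(1, [(1, 3, 2)]), (6, [(1, 4, 5), (2, 3)]), (6, [(1, 4, 2, 3, 5)]),
                       (1, [(1, 2, 4), (3, 5)]), (3, [(1, 2), (3, 5)]), (4, [(1, 4, 3, 5)])])
BA_EXPECTED = gr_elem([(1, [(1, 3, 2)]), (6, [(1, 5, 2, 4, 3)]), (3, [(1, 5), (2, 3)]),
                       (6, [(1, 2), (3, 4, 5)]), (1, [(1, 3), (2, 5, 4)]), (4, [(1, 3, 4, 5)])])

if __name__ == "__main__":
    print("ab and ba match Section 2:", gr_mul(A_ELEM, B_ELEM) == AB_EXPECTED,
          gr_mul(B_ELEM, A_ELEM) == BA_EXPECTED)
    k_a, k_b = demo_exchange()
    print("shared keys agree:", k_a == k_b)
```

Running the module checks the products $ab$ and $ba$ against Section 2 and confirms that both parties obtain the same $K$. The check that $ab \neq ba$ is the reason the exchange must be written as $(M^a)^b = (M^b)^a$ rather than as a product of two independently chosen matrices: only powers of the same $M$ are guaranteed to commute.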
The CDH assumption can only be addressed theoretically, but the DDH assumption can be investigated experimentally. To construct our matrix semigroups we implemented the necessary group ring procedures in C++. We have the choice of which symmetric group to use and which ring $\mathbb{Z}_n$ to use as well. Next we used a standard uniform distribution implementation to allow for a random selection of an element from our group ring. Finally, we constructed random $k \times k$ matrices over our group ring. Experiments were carried out with various matrix semigroups $M_k(\mathbb{Z}_n[S_m])$.
We propose the use of $S_5$ as the group for our experiments since its underlying structure is understood and simple. When constructing the group ring $\mathbb{Z}_n[S_5]$, one has the benefits of using the group $S_5$ as a building block. Namely, the group $S_5$ has the advantage of having only one non-trivial proper normal subgroup, $A_5$, which has index 2 in $S_5$. Hence, trying to get some information about $a$ from $M^a$ by applying a non-trivial group homomorphism is limited to the sign homomorphism $S_5 \to \mathbb{Z}_2$ of the symmetric group.
We naturally implemented a "square and multiply" routine to speed up computations for exponentiation. With this procedure we can compute high powers of random matrices from our matrix semigroups fairly quickly, see Table 1.
We note that the computations were carried out on an Intel Core2 Duo 2.26GHz machine, utilizing only one core, with 4GB of memory, and the times were computed as an average over 250 such exponentiations. No optimizations were in effect and only one processor was used. Thus computational time may be reduced significantly by using more than one core and by implementing any available optimizations for DH using our scheme.
As a comparison for computational times, we refer to recent results of [4] claiming new speed records for DH implementations. In that paper, an implementation of the DH key exchange protocol over the elliptic curve P-224 is presented.
Without any optimization they can carry out 1800 operations per second for the DH protocol, on a somewhat more powerful computer than ours. Recall that in P-224 you require approximately 340 operations for a single "exponentiation". Hence, they require about 0.2 seconds per DH exponentiation versus our 0.6 seconds in $M_3(\mathbb{Z}_7[S_5])$.
One additional thing we noticed was that the speed of computation is independent of the number of nonzero terms in the entries of our matrices $M$. One possible intuitive explanation is based on the fact that any symmetric group can be generated by a set of 2 particular elements. Since we selected 9 (or 4) random group ring elements for each $3 \times 3$ (or $2 \times 2$) matrix, there is a high probability that we have selected a pair of group elements that will generate all of our symmetric group. Once we have multiplied $M$ by itself a few times we get group ring elements of random length mixing throughout the matrix entries.
Random group ring elements from $\mathbb{Z}_2[S_5]$ have coefficients either 0 or 1 for each of the 120 elements of $S_5$. A simple binomial distribution calculation shows that with probability around 93% a random element of this group ring has a total number of nonzero terms between 50 and 70.

Table 1. Speed of Computation
(Columns: Matrix Size, $\mathbb{Z}_n$, Exponent, Avg. Time (s); the measured rows for the $2 \times 2$ and $3 \times 3$ cases over several $\mathbb{Z}_n$ are not reproduced here.)

5.1. Experimental results on the Decision Diffie-Hellman assumption.
We should note that experiments were carried out using both $2 \times 2$ and $3 \times 3$ matrices. The question is whether one can distinguish the distribution generated by triples $(M^a, M^b, M^{ab})$ from the one generated by $(M^a, M^b, M^c)$ for a random $c$. Ideally, we would like the two distributions to be indistinguishable.
To verify that, we have run the following 3 experiments. In the first experiment, we verify that, as common sense suggests, $M^{ab}$ has the same distribution as $M^c$. In the second experiment, we verify that $M^a$ is distributed "uniformly", i.e., like a randomly selected matrix $N$. A "randomly selected" matrix here means a matrix whose entries are random elements of the platform group ring. In turn, a random element of the group ring is selected by selecting each coefficient uniformly at random from the ring of coefficients (in our case, from $\mathbb{Z}_7$).
Combining the results of these two experiments, we see that each component in the triple $(M^a, M^b, M^{ab})$ is uniformly distributed (for random $a, b$) in the sense described above. Now our final experiment verifies that the whole triple $(M^a, M^b, M^{ab})$ is distributed like a triple of independently selected random matrices $(N_1, N_2, N_3)$, and therefore the distribution is indistinguishable from that of $(M^a, M^b, M^c)$ since the latter, too, is distributed like a triple of independently selected random matrices according to the previous experiments.
A more detailed description of the three experiments is below.
In the first experiment, we picked $a$ and $b$ randomly from a fixed interval of large integers, and $c$ randomly from an interval chosen so that $c$ had about the same size as the product $ab$. To get a clearer picture of how different or similar these final matrices were, we looked at each entry of the matrix. For each choice of a random matrix $M$ and random $a$, $b$, and $c$ we computed the matrices $M^{ab}$ and $M^c$. This was repeated 500 times and we created a table that was updated after each run with the distribution of elements of $S_5$ for each entry of the matrix. We were working with $M_2(\mathbb{Z}_7[S_5])$.
After 500 runs we created Q-Q plots of entries of $M^{ab}$ versus entries of $M^c$, where we use the notation $M = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}$. Q-Q plots (or quantile plots) are a graphical method of comparing the quantiles of a cumulative distribution function (cdf) $F$ versus the corresponding quantiles of a cdf $G$. The functions are parameterized by $p \in [0, 1]$: one axis represents $F^{-1}(p)$ and the other axis represents $G^{-1}(p)$. If the two cdf's are identical, then the Q-Q plot will be that of $y = x$.
It will also be a straight line if the distributions are of the same type, but have different mean and standard deviation, see [3] for more details.
As can be seen from Figure 1, it appears that the distributions of each of the matrices $M^{ab}$ and $M^c$ are indeed identical, which experimentally confirms what common sense suggests.
In the second experiment, we verify that $M^a$ is distributed "uniformly", i.e., like a randomly selected matrix $N$. We also verify thereby that no information is leaked about $a$ by publishing $M^a$, for a given $M$. The experimental setup was similar to the previous one, only here we chose two random matrices $M$ and $N$, and a random integer $a$ from the same interval as before. Again we produced a Q-Q plot for the two distributions, see Figure 2. From the plot, it is clear that $M^a$ is indistinguishable from a random matrix $N$.
Finally, we ran a third experiment to ensure the independence of matrix entries from one another in the triple $(M^a, M^b, M^{ab})$ by comparing its distribution to that of the triple of independently selected random matrices $(N_1, N_2, N_3)$. This is a valid and important question to ask as the information contained within the first two elements of the triple, which were shown to be random previously, may affect $M^{ab}$ in a predictable way. To this end, we ran 30,000 experiments four times, where for each element of $S_5$ we counted the frequency of coefficients of $\mathbb{Z}_7$ that occurred in the entries of each of the matrices in $(M^a, M^b, M^{ab})$. We used the same $M$ in each experiment, but varied $a$ and $b$.
More specifically, we formed triples (one for each entry of the triple of matrices) consisting of the concatenation of the coefficients in the respective entry of the matrices for the same element of $S_5$. For example, if the coefficient at the same element of $S_5$ in the upper left corner entry of the first matrix is 0, in the second matrix it is 5, and in the third matrix it is 1, then the concatenated coefficient is 051. Thus, there is a total of $7^3 = 343$ concatenated coefficients.
Figure 1. DDH results for $M^{ab}$ vs. $M^c$ (Q-Q plot; image not reproduced)

We counted the occurrence of such triples throughout the experiments for random choices of $a$ and $b$ in the same range as in the previous experiments. We hypothesized that these coefficient triples would be uniformly distributed over $\mathbb{Z}_7^3$, each occurring with probability $1/343$. Since we performed 30,000 such experiments (four times), we anticipated that each element of this distribution would show up approximately $30{,}000/343 \approx 87$ times.
We reproduced a section of these results in Table 2, where we only used a portion of the table for one entry of the matrices because of space constraints. Results for other entries are similar. The columns represent elements of $S_5$ (i.e., in the full table there would be 120 columns), the rows represent concatenated coefficients of the triples from $\mathbb{Z}_7^3$ (i.e., in the full table there would be $7^3 = 343$ rows), and the values in the table show the frequency of occurrence of the coefficients. All tables have the same "random" structure, and it can be seen that there appears to be no particular skew in the expected uniformity of the distribution of these coefficients, which allows us to conclude that the distribution of triples of all respective coefficients in $(M^a, M^b, M^{ab})$ is, indeed, uniform on $\mathbb{Z}_7^3$. Since each component in the triple is itself uniformly distributed (as evidenced by our first two experiments), it follows that $M^{ab}$ is distributed independently of $(M^a, M^b)$. Note that uniformity of the coefficient triple at each single coordinate is a necessary condition for independence of the three matrices, not a sufficient one: a dependence between different coordinates would not show up in such a table.
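The counting of the third experiment, as an added example with constructed data (it contains no group ring arithmetic and none of the paper's measurements): `triple_frequencies` builds the $343 \times 120$ table of concatenated coefficient triples per group element, and `chi_square_per_element` replaces visual inspection of Table 2 by a chi-square statistic against the uniform expectation $N/343$. The input format (one coefficient list of length 120 per matrix entry) and the biased sample, in which the third component copies the first half of the time, are assumptions made for the demonstration.

```python
"""Frequency table and chi-square check for the coefficient-triple experiment of Section 5.1.
Added example with constructed input: the tabulation the section describes, plus a numeric
uniformity test instead of visual inspection."""
import random

N_MOD = 7      # coefficients in Z_7
ORDER = 120    # elements of S_5

def triple_frequencies(triples, n=N_MOD, order=ORDER):
    """triples: iterable of (x, y, z), the coefficient lists (length `order`) of the same entry of
    M^a, M^b and M^ab. Returns counts[code][k]: how often the concatenated coefficient `code`
    (digits x[k] y[k] z[k] in base n, e.g. '051') occurred at group element number k."""
    counts = [[0] * order for _ in range(n ** 3)]
    for x, y, z in triples:
        for k in range(order):
            code = (x[k] * n + y[k]) * n + z[k]
            counts[code][k] += 1
    return counts

def chi_square_per_element(counts):
    """Chi-square statistic of each column against the uniform expectation N / n^3
    (N = number of triples); n^3 - 1 = 342 degrees of freedom for Z_7."""
    rows, order = len(counts), len(counts[0])
    stats = []
    for k in range(order):
        col = [counts[r][k] for r in range(rows)]
        expected = sum(col) / rows
        stats.append(sum((c - expected) ** 2 / expected for c in col))
    return stats

def constructed_triples(rng, count, biased=False, n=N_MOD, order=ORDER):
    """Constructed sample: independent uniform coefficients, or (biased=True) a third component
    that copies the first with probability 1/2, modelling a leak of M^a into M^ab."""
    out = []
    for _ in range(count):
        x = [rng.randrange(n) for _ in range(order)]
        y = [rng.randrange(n) for _ in range(order)]
        if biased:
            z = [xi if rng.random() < 0.5 else rng.randrange(n) for xi in x]
        else:
            z = [rng.randrange(n) for _ in range(order)]
        out.append((x, y, z))
    return out

def chi_square_range(seed, count, biased):
    """(min, max) of the per-element chi-square statistics for a constructed sample."""
    rng = random.Random(seed)
    stats = chi_square_per_element(triple_frequencies(constructed_triples(rng, count, biased)))
    return min(stats), max(stats)

if __name__ == "__main__":
    # 3430 triples give an expected 10 per cell: uniform data stays near the 342 degrees of
    # freedom, while the biased sample is flagged immediately (statistic in the thousands).
    print("uniform:", chi_square_range(1, 3430, False))
    print("biased :", chi_square_range(1, 3430, True))
```

With 30,000 triples, as in the paper, the expected count per cell is about 87 and the same statistic applies; a column whose statistic is far above 342 would indicate a skew that is hard to see by eye in a table of 343 rows.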
Figure 2. DDH results for $N$ vs. $M^a$ (Q-Q plot; image not reproduced)

Table 2: Distribution of coefficient triples
(Frequencies for one matrix entry. Each column is one of 18 displayed elements $s_1, \dots, s_{18}$ of $S_5$; each row is one concatenated coefficient triple from $\mathbb{Z}_7^3$, the row labels being omitted; the expected value is about 87 per cell.)

s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 s16 s17 s18
87 90 83 90 86 93 85 84 88 88 93 88 85 77 88 94 93 91
79 78 90 89 92 74 87 88 87 86 95 93 84 88 92 89 90 87
86 86 83 89 95 91 93 90 94 85 82 87 84 84 86 84 89 89
94 83 87 91 86 91 86 84 89 94 87 88 87 89 90 89 88 84
81 88 82 85 85 94 86 89 92 84 94 90 93 86 83 79 93 85
87 81 92 84 85 89 93 83 79 80 95 95 86 83 93 89 88 87
87 84 82 91 96 88 88 81 97 89 88 86 90 90 93 85 96 88
79 89 89 83 92 87 88 83 92 91 82 90 86 88 89 89 91 87
82 79 83 86 88 81 90 93 88 89 87 85 88 91 85 90 87 92
79 90 85 81 84 84 84 91 87 90 75 88 95 90 80 87 90 90
90 80 96 90 78 89 86 87 91 83 90 88 93 94 92 85 80 90
89 91 93 86 86 90 93 94 91 94 87 87 89 85 85 87 82 79
90 81 90 87 88 89 89 83 85 87 86 92 93 87 94 81 94 90
84 88 89 86 89 98 90 89 88 81 88 85 84 87 82 91 89 90
86 86 86 87 94 95 90 88 85 84 86 83 87 90 92 92 88 88
86 87 80 81 81 95 88 86 84 88 91 95 92 82 86 89 87 83
80 87 86 87 91 80 94 87 86 97 82 85 85 91 91 89 93 89
84 89 82 89 91 89 88 92 81 82 92 88 82 87 88 84 87 81
78 88 85 83 92 84 86 97 86 89 87 87 80 87 92 87 94 88
91 95 85 89 94 86 96 88 88 91 82 89 78 90 88 89 89 87
85 89 87 82 88 85 89 94 79 81 86 86 80 86 89 86 90 81
85 92 86 83 87 85 84 78 81 85 83 89 92 95 93 90 90 87
84 91 86 86 83 88 84 89 88 82 95 90 87 90 84 79 82 81
97 83 93 93 90 91 88 95 86 87 88 94 83 88 86 99 94 85
88 83 92 88 85 82 90 82 88 86 92 87 86 86 87 83 84 88
86 89 78 85 93 87 85 85 84 87 87 94 102 86 93 91 91 92
90 83 77 81 94 85 86 83 90 86 87 92 90 82 79 95 83 85
85 79 86 83 80 85 88 88 85 86 92 94 88 87 84 92 84 91
91 94 86 92 88 82 93 85 88 93 88 92 85 92 77 87 89 88
97 91 88 87 88 88 81 87 89 89 82 81 82 94 84 87 87 91
89 91 92 87 97 88 89 83 89 92 84 84 78 89 81 101 83 86
88 84 81 90 80 91 90 89 89 87 89 83 93 91 100 87 88 87
82 90 81 86 94 93 93 91 88 88 85 85 79 92 82 87 84 87
87 91 91 92 86 85 94 85 79 94 82 80 87 89 89 86 93 90
85 90 88 83 88 82 90 92 88 88 90 91 77 90 91 90 87 91
79 90 89 86 95 90 89 87 90 84 93 91 85 84 80 94 93 84
90 81 82 97 87 92 89 81 80 88 91 92 94 90 86 81 83 96
95 91 91 86 79 91 93 83 82 87 86 92 89 83 94 92 85 85
86 87 90 84 96 80 89 82 90 86 91 84 80 79 82 96 98 91
92 87 92 80 84 91 90 88 91 92 86 81 86 92 86 90 92 87
84 90 90 91 83 86 91 90 88 84 88 86 89 82 83 92 92 90
90 90 86 76 96 86 87 80 89 83 87 99 88 89 84 90 89 86
81 86 97 83 89 84 88 88 83 84 96 87 87 90 91 82 91 87
86 82 90 89 76 87 93 81 83 91 85 88 90 86 90 90 84 90
88 95 88 88 95 91 83 92 92 86 82 82 94 87 88 92 83 90
93 87 96 80 89 90 86 84 87 100 85 95 89 93 96 84 91 85
92 85 85 85 91 91 87 88 83 89 87 85 89 83 89 86 84 83
90 87 82 99 76 82 84 82 83 95 83 94 92 87 93 86 86 82
93 82 85 86 85 87 91 85 80 91 94 87 92 90 90 87 86 96
90 78 85 83 85 88 93 82 84 87 92 82 84 89 85 81 84 88
90 90 83 86 97 87 88 90 90 92 88 85 96 86 90 90 88 98
88 82 92 92 88 83 94 92 91 92 89 89 87 91 81 81 87 88
88 89 89 86 92 86 85 86 90 93 75 90 91 95 87 84 92 83
89 91 88 92 82 84 95 84 82 82 85 86 91 93 93 96 84 75
88 88 84 88 82 94 100 89 84 88 79 89 90 85 88 83 85 85
5.2. Experimental results on low orbits.
Here we address the following "low orbits" question: we want to make sure that powers of the public matrix $M$ in our semigroup do not end up in an orbit of low order. This means that if Alice chooses a random integer $a$, we cannot have $M^n = M^k$ for $n < k \ll a$ (similarly for $b$ chosen by Bob). If this were the case, then the eavesdropper Eve could first determine $n$ and $k$, then she could find the values of $c$ and $d$, where $1 \leq c, d \leq k$, such that $M^a = M^c$ and $M^b = M^d$. The shared secret key then could be computed as
$$M^{ab} = (M^a)^b = (M^c)^b = (M^b)^c = (M^d)^c = M^{cd}.$$
This is similar to the problem of finding a generator (i.e., an element of maximum order) in the multiplicative group of $\mathbb{Z}_p$, the original platform for the Diffie-Hellman protocol. Since we are dealing with a semigroup (of matrices) where most elements are not invertible and therefore do not have an "order" in the usual sense, we consider those orbits instead.
While it is conceivable that for a random matrix over $\mathbb{Z}_7[S_5]$ the length of such an orbit is going to be huge, we realize that when we are providing Alice and Bob with a matrix $M$, we have to at least have some solid lower bound for the length of an orbit for powers of $M$. Here is one possible approach.
The matrix $M$ will be a product of two matrices: $M = M_0 \cdot S$, where $M_0$ is a random invertible matrix over $\mathbb{Z}_7[S_5]$, and $S$ is a "scalar" matrix that has zeros off the diagonal and each element on the diagonal is
$$s = (3 + g_1)(3 + g_2)(3 + g_3)(3 + g_4)(3 + g_5)(3 + g_6)(5 + h).$$
Here $g_1, \dots, g_6$ are elements of $S_5$ that generate the six different subgroups of order 5, and $h$ is a product of a 2-cycle and a 3-cycle, so $h$ has order 6. The element $s$ is not invertible because it is a zero divisor. To see this, write $(5 + h)$ as $(h - 2)$, since $5 \equiv -2 \pmod 7$, and multiply it by $\sum_{i + j = 5} h^i 2^j$ to get
$$(h - 2) \sum_{i + j = 5} h^i 2^j = h^6 - 2^6 = 0,$$
since $h^6 = e$ and $2^6 = 64 \equiv 1 \pmod 7$ in our group ring. Therefore, the matrix $S$ is not invertible either. We have run a computer program trying to detect an orbit generated by powers of $S$. While our program has not terminated in the allotted time (several weeks), we know that there are no orbits among the powers of $s$ it has examined. Then, for a random invertible matrix $M_0$, we have computed powers of $M_0$ up to a large bound, and none of these powers was the identity matrix (or even a diagonal matrix). We note that looking for orbits going through powers of a non-invertible matrix $M$ would consume much more resources and was, in fact, infeasible beyond a much smaller bound given our computational resources. This is because once each power of $M$ is computed, it needs to be stored and eventually compared to all other powers of $M$. For an invertible matrix $M_0$, on the other hand, we do not need to store any powers to find its order: it suffices to compare each power with the identity.
Now we claim that with overwhelming probability, if we have a random invertible matrix $M_0$ with the property that the powers of $M_0$ up to the tested bound are not diagonal matrices, then the powers of $M_0 \cdot S$ up to that bound do not have any orbits. To see this, let us assume that the matrices $M_0$ and $S$ commute; if our claim is valid under this assumption then it is also valid without this assumption since adding a relation $M_0 S = S M_0$ is like considering a homomorphic image: equalities will be preserved.
Suppose now that we have $(M_0 S)^n = (M_0 S)^{n+k}$ for some positive integers $n, k$, with $k$ below the tested bound. If $M_0$ and $S$ commute, this yields $M_0^n S^n = M_0^{n+k} S^{n+k}$. Since $M_0$ is invertible, we can cancel $M_0^n$ and get $S^n = M_0^k S^{n+k}$, and then
$$(M_0^k S^k - I) \cdot S^n = O,$$
where $I$ is the identity matrix and $O$ is the zero matrix. While it is possible that the product of two nonzero matrices is the zero matrix, the probability of this happening is negligible, given that the matrix $M_0^k S^k - I$ is not even diagonal (with overwhelming probability) for $k$ below the tested bound, as our experiments suggest. The matrix $S^n$, on the other hand, is diagonal; therefore, for the displayed equality above to hold, every non-zero element $a_{ij}$ of the matrix $(M_0^k S^k - I)$ has to be a zero divisor such that $a_{ij} \cdot r = 0$, where $r$ is the element on the diagonal of the matrix $S^n$ (the latter is obviously a scalar matrix). This (somewhat informal) argument shows that $k$ exceeds the tested bound with overwhelming probability. We realize that this lower bound may not be very impressive, but more convincing lower bounds may be based on less convincing arguments. We believe that, in fact, $k$ is far larger with overwhelming probability, but at the time of this writing we do not have a convincing argument to support that belief.
To conclude this section, we say a few words about sampling invertible matrices. There are several techniques for doing this; here we give a brief exposition of one of them. We start with an already "somewhat random" matrix, for which it is easy to compute the inverse. An example of such a matrix is a lower/upper triangular matrix with invertible elements on the diagonal:
$$U = \begin{pmatrix} g_1 & u_1 & u_2 \\ 0 & g_2 & u_3 \\ 0 & 0 & g_3 \end{pmatrix}.$$
Here the $g_i$ are random elements of the group $S_5$ (invertible in the group ring, with inverse $g_i^{-1}$), and the $u_i$ are random elements of the group ring $\mathbb{Z}_7[S_5]$. We then take a random product, with 20 factors, of such random invertible upper and lower triangular matrices, to get our invertible matrix $M_0$.

6. "Standard" Attacks

In this section, we discuss why three "standard" attacks on the "classical" discrete logarithm problem do not work with our platform semigroup.

6.1.
Baby–step giant–step algorithm.
One known method of attacking the "classical" discrete logarithm problem, due to Shanks [8], is the baby-step giant-step algorithm. The algorithm computes discrete logarithms in a group of order $q$ in $O(\sqrt{q}\,\mathrm{polylog}(q))$ time, where $\mathrm{polylog}(q)$ is $O((\log q)^c)$ for some constant $c$. If adapted to our situation, this algorithm would look as follows.

Baby-step giant-step algorithm
Input: $M, A \in M_k(\mathbb{Z}_7[S_5])$, $n = |M_k(\mathbb{Z}_7[S_5])|$
Output: $x \in \mathbb{N}$ such that $M^x = A$
  Set $s := \lceil \sqrt{n} \rceil$
  Set $t := \lceil n/s \rceil$
  for $i = 0$ to $s$: compute and store $(i, A M^i)$
  for $j = 0$ to $t$: compute $M_j = M^{js}$; if $M_j = A M^i$ for some stored $i$, return $js - i$

(A match $A M^i = M^{js}$ yields $A = M^{js - i}$ by cancelling $M^i$, which is legitimate when $M$ is invertible; in a semigroup this cancellation is not available in general.)

There are a couple of points that have to be made about this algorithm. The first is that we need to produce a good method of storing the matrices. This could be possible with a hash function, in which case insertion and lookup is constant in time. However, our matrices are fairly complex objects, and we need to take into account the storage requirements of the algorithm.
Furthermore, we should note that the order of our chosen random matrix $M$ is much smaller than the size of the whole matrix ring. Hence, it may be possible to use a smaller value of $n$ as an input. However, this requires knowledge of the order of $M$. As little is known about the structure of this ring, we are not guaranteed that the order exists in the usual sense. We are basically back to looking for orbit collisions as in Section 5.2.
Each entry in the matrix can be represented by a sequence of 120 three-bit coefficients. We can use a 360-bit string where each three-bit block holds the value of the coefficient of the corresponding polynomial term in $\mathbb{Z}_7[S_5]$. Hence each $2 \times 2$ matrix will need $360 \times 4 = 1440$ bits, and the baby-step table holds $\sqrt{|M_2(\mathbb{Z}_7[S_5])|} = \sqrt{7^{480}} = 7^{240} \approx 10^{203}$ such matrices. In order to store all these matrices we would need $1440 \times 7^{240}$ bits, which works out to about $10^{193}$ TB of (memory or hard drive) space. Thus, it looks like this algorithm is infeasible already in terms of space. Of course, storing the arrays can be optimized, e.g. we do not need to store entries with zeroes. However, the amount of information that we need to store, on the order of $10^{203}$ matrices, is still too big even if we only store the number of non-zero terms in the polynomials.
One approach often suggested to decrease space requirements is to decrease $s$, hence increasing $t$. In this case the algorithm, instead of running in $O(\sqrt{n})$ time, will run in $O(n/s)$ time: every time we reduce the storage requirements by half, we end up doubling the running time of the algorithm. Regardless of what $s$ and $t$ are chosen to be, we still need to perform $s + t$ group operations in the two loops. Given our constraints, the number of group operations is minimized when $s = t = \sqrt{n}$. Hence, we need at least about $10^{203}$ group operations to run this algorithm, which is again computationally infeasible.

6.2. Other attacks.
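The baby-step giant-step algorithm of Section 6.1 and the Pohlig-Hellman reduction described next in this section, written against a pluggable monoid (a multiplication `mul` and an identity `one`, with hashable elements) so that the same code runs in $\mathbb{Z}_p^*$ or, given a hashable encoding of matrices, on the platform semigroup. This is an added example, not code from the paper. The primes, generators and exponents in the two demo functions are constructed, and `pohlig_hellman` covers only the square-free case the text describes (prime-power factors need the extra lifting step of the generalized algorithm). The dictionary `table` is the object whose size, $7^{240}$ entries for $2 \times 2$ matrices, makes the attack infeasible on the platform, and the giant-step loop's conclusion $A M^i = M^{js} \Rightarrow A = M^{js-i}$ assumes that $M$ is invertible.

```python
"""Baby-step giant-step (Section 6.1) and Pohlig-Hellman (Section 6.2) over a pluggable monoid.
Added example; the demonstrations run in Z_p^* with constructed p, g and exponents."""
import math

def power(mul, one, g, e):
    """Square-and-multiply."""
    r = one
    while e:
        if e & 1:
            r = mul(r, g)
        g = mul(g, g)
        e >>= 1
    return r

def bsgs(mul, one, M, A, n, s=None):
    """Find x with M^x == A for some 0 <= x <= n, following the pseudocode of Section 6.1:
    s baby steps A*M^i are stored, then giant steps M^(j*s) are looked up.
    Returns (x or None, baby-table size, giant steps performed). Halving s doubles t = ceil(n/s)."""
    if s is None:
        r = math.isqrt(n)
        s = r if r * r == n else r + 1           # ceil(sqrt(n))
    t = -(-n // s)                                # ceil(n/s)
    table = {}
    cur = A
    for i in range(s + 1):
        table.setdefault(cur, i)                  # store (i, A*M^i); keep the smallest i per element
        cur = mul(cur, M)
    giant = power(mul, one, M, s)
    cur = one                                     # M^(j*s) for j = 0, 1, ..., t
    for j in range(t + 1):
        i = table.get(cur)
        if i is not None and j * s - i >= 0:      # A*M^i == M^(js)  =>  A == M^(js - i) (M invertible)
            return j * s - i, len(table), j + 1
        cur = mul(cur, giant)
    return None, len(table), t + 1

def crt(residues, moduli):
    """x with x == r_i (mod q_i) for pairwise coprime q_i, built incrementally (Garner's form)."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        k = ((r - x) * pow(m, -1, q)) % q
        x, m = x + m * k, m * q
    return x % m

def pohlig_hellman(mul, one, g, y, q, factors):
    """Square-free case: q = prod(factors) with pairwise coprime factors and the order of g
    dividing q. Each (g^(q/q_i))^x_i = y^(q/q_i) is solved by bsgs in the subgroup of order q_i,
    and the residues x_i mod q_i are recombined with the Chinese remainder theorem."""
    residues = []
    for q_i in factors:
        g_i = power(mul, one, g, q // q_i)
        y_i = power(mul, one, y, q // q_i)
        x_i, _, _ = bsgs(mul, one, g_i, y_i, q_i)
        if x_i is None:
            raise ValueError("y is not a power of g")
        residues.append(x_i % q_i)
    return crt(residues, factors)

def modp(p):
    """The classical platform Z_p^*: multiplication mod p and the identity 1."""
    return (lambda a, b: a * b % p), 1

def demo_bsgs(p=10007, g=5, x=6789, s=None):
    """Constructed instance: recover x from g and g^x mod p; returns (x_found, table size, giant steps)."""
    mul, one = modp(p)
    return bsgs(mul, one, g, pow(g, x, p), p - 1, s)

def demo_pohlig_hellman(p=2311, g=3, x=1234):
    """Constructed instance with p - 1 = 2*3*5*7*11 (square-free), so every subgroup DLP is tiny."""
    mul, one = modp(p)
    return pohlig_hellman(mul, one, g, pow(g, x, p), p - 1, [2, 3, 5, 7, 11])

if __name__ == "__main__":
    x1, table, steps = demo_bsgs()
    print("bsgs:", x1, "table entries:", table, "giant steps:", steps)
    x2, table2, steps2 = demo_bsgs(s=50)
    print("bsgs with half the table:", x2, "table entries:", table2, "giant steps:", steps2)
    print("pohlig-hellman:", demo_pohlig_hellman())
```

The two demo functions illustrate the trade-off discussed above: with $s = \lceil\sqrt{p-1}\rceil$ the table has 102 entries, and passing `s=50` halves it while roughly doubling the giant-step loop. Pohlig-Hellman needs the factorization and the order of $g$ as inputs, which is the information the text notes is missing for a non-invertible matrix $M$.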
There are two other algorithms that have been suggested for solving the "classical" discrete logarithm problem. The first is the Pohlig-Hellman algorithm [6]. This algorithm relies on the order of a group element and the (generalized) Chinese remainder theorem to break the problem into smaller subproblems.

Specifically, suppose the order of the element $g \in G$ is $q$. In the Diffie-Hellman scheme we wish to find an $x$ such that $g^x = y$. Suppose we know a factorization $q = \prod_{i=1}^{n} q_i$, where the $q_i$ are pairwise relatively prime. Then we have
$$\left(g^{q/q_i}\right)^x = (g^x)^{q/q_i} = y^{q/q_i}, \qquad i = 1, \dots, n.$$
By the Chinese remainder theorem we can write $\mathbb{Z}_q \cong \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_n}$, and we are left to solve $n$ instances of the discrete logarithm problem in the smaller groups: defining $g_i = g^{q/q_i}$, an element of order $q_i$, we must find the solutions $\{x_i\}_{i=1}^{n}$ of $g_i^{x_i} = y^{q/q_i} = g_i^{x}$, i.e., $x_i \equiv x \pmod{q_i}$, and then recombine them into $x \bmod q$.

However, in our situation the order of a matrix in $M(\mathbb{Z}_7[S_5])$ does not relate to the size of the whole ring $M(\mathbb{Z}_7[S_5])$. Again, under multiplication this ring is a semigroup, not a group, and the proportion of invertible elements in this semigroup is very small. Additionally, the size of this ring is a power of 7, so the Chinese remainder theorem does not really help in breaking the problem into smaller parts. If, however, there were a way to break the problem into smaller subproblems, we would still need to solve the discrete logarithm problem in our setting, which, as far as we know, can only be done by brute force.

The second algorithm proposed for solving the "classical" discrete logarithm problem is Pollard's rho algorithm [7]. The inputs are group elements $M$ and $N$, and the output is an integer $n$ such that $M^n = N$. The algorithm first looks for a collision in a pseudo-random walk through products of $M$ and $N$, which has the general form $M^a N^b = M^c N^d$ for $a, b, c, d \in \mathbb{N}$. This is done using Floyd's cycle-finding algorithm. As long as $b \neq d$, one can take the logarithm with base $M$ to determine $n$:
$$M^a N^b = M^c N^d \;\Rightarrow\; a + b \log_M N = c + d \log_M N \;\Rightarrow\; \frac{a - c}{d - b} = \log_M N \;\Rightarrow\; M^{\frac{a - c}{d - b}} = N.$$
However, the division by $d - b$ in this step is carried out modulo the order of the cyclic group generated by $M$, so in applying Floyd's cycle-finding algorithm in Pollard's rho attack the knowledge of that order is essential. In our situation, not only is the order of $M$ unknown, but, more importantly, since a random $M$ is not invertible with overwhelming probability, order considerations are not applicable, and therefore neither is Pollard's rho attack, at least in its standard form.

6.3. Quantum Algorithm Attacks.
It is well known that many cryptographic protocols are vulnerable to quantum algorithm attacks [9]. In particular, the Diffie-Hellman protocol can be attacked using Shor's algorithm. This algorithm basically recasts the discrete logarithm problem as a hidden subgroup problem (HSP) and uses the quantum algorithms developed for the HSP to recover the exponent.

We believe that our protocol is secure against such attacks. The HSP relies on the existence of a function $f : G \to S$, for some set $S$, such that $f$ is constant on cosets of the unknown subgroup $H \le G$ and takes distinct values on distinct cosets. For the discrete logarithm one defines $f : \mathbb{Z}_N \times \mathbb{Z}_N \to G$ by $f(a, b) = g^a x^b$, where $a, b \in \mathbb{Z}_N$, $g, x \in G$, $g^\alpha = x$ and $|g| = N$. We can rewrite this as $f(a, b) = g^{a + b \log_g x}$, and hence $f$ is constant on the sets
$$L_c = \{(a, b) \mid a + b \log_g x = c\}.$$
In this setup the hidden subgroup we are seeking is
$$H = L_0 = \{(0, 0),\ (\log_g x, -1),\ (2 \log_g x, -2),\ \dots,\ (N \log_g x, -N)\}.$$
To be able to apply this algorithm one would need to know the order of a matrix. However, this is not known a priori, and it is also the case that invertible matrices are sparse in our setup, so for a random $M$ the negative powers appearing in $f$ do not even exist. Hence in our setup the function $f$ is ill-defined.

Furthermore, given a random non-invertible matrix it is unlikely that the function $f$ will be distinct on cosets of the subgroup $H$, or even constant on the different cosets. To see this, assume $M$ is a non-invertible matrix; then the powers of $M$ either eventually enter a cycle or eventually become the zero matrix. If we are in a cycle, assume for example that $M^{36} = M^{18}$ and the exponent we are seeking is $\alpha = 12$, i.e., $x = M^{12}$. The subgroup we are trying to identify is
$$H = \{(0, 0),\ (12, -1),\ (24, -2),\ (36, -3),\ \cdots\}.$$
From the setup we note that $(36, -3) \sim (18, -3)$, i.e., $f(36, -3) = f(18, -3)$, although $(18, -3) \notin H$: if it were, then $(36, -3) - (18, -3) = (18, 0) \in H$, which is a contradiction. On the other hand, assume some power of $M$ is the zero matrix, say $M^{24} = 0$, and again $\alpha = 12$. In this case $f$ is no longer constant on the subgroup $H$, as $0 = f(24, -2) \neq f(12, -1) = I$.

7. Conclusions
Our contribution here is proposing the semigroup of matrices of a small size ($2 \times 2$ or $3 \times 3$) over $\mathbb{Z}_7[S_5]$, with the usual matrix multiplication operation, as the platform for the Diffie-Hellman key exchange scheme. What we believe is the main advantage of our platform over the standard $\mathbb{Z}_p^*$ platform in the original Diffie-Hellman scheme is that multiplication of matrices over $\mathbb{Z}_7[S_5]$ is very efficient. In particular, in our setup multiplying elements is faster than multiplying numbers in $\mathbb{Z}_p$ for a large $p$. This is due to the fact that one can pre-compute the multiplication table for the group $S_5$ (of order 120), so in order to multiply two elements of $\mathbb{Z}_7[S_5]$ there is no "actual" multiplication of large numbers involved, just a table-driven re-arrangement of a bit string of length $3 \times 120 = 360$ (the only arithmetic is on three-bit coefficients modulo 7), whereas in $\mathbb{Z}_p$ a genuine multiplication of numbers of the size of $p$ is involved.

To verify the security of using such a semigroup of matrices as the platform, we have experimentally addressed the Decision Diffie-Hellman assumption (Section 5) and showed, by using Q-Q plots (or quantile plots), that after 500 runs of the experiment two distributions, one generated by $M^{ab}$ and the other generated by $M^c$ for a random $c$, are indistinguishable, thereby experimentally supporting the DDH assumption for our platform. (Such a test speaks only to the statistic being plotted; it does not rule out distinguishers that look at other features of the matrices.) Furthermore, no information is leaked from $M^a$ by comparing it to a random matrix $N$.

From the security point of view, the advantages of our platform over $\mathbb{Z}_p$ also include the fact that neither the "standard" attacks (baby-step giant-step, Pohlig-Hellman, Pollard's rho) nor quantum algorithm attacks work with our platform, at least in their standard form, as we showed in Section 6.

References

[1] D. Boneh,
The Decision Diffie-Hellman Problem, ANTS 1998, pp. 48–63.
[2] W. Diffie and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory IT-22.
[3] Nonparametric Statistical Inference, CRC Press, 1992.
[4] E. Kasper, Fast Elliptic Curve Cryptography in OpenSSL, Financial Cryptography and Data Security, 2011.
[5] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
[6] S. Pohlig and M. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance, IEEE Transactions on Information Theory IT-24, 1978, 106–110.
[7] J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, 1978, 331–334.
[8] D. Shanks, Class number, a theory of factorization and genera, Analytic Number Theory, Proceedings of Symposia in Pure Mathematics, American Mathematical Society, 1971, pp. 415–440.
[9] P. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, Proc. 35th Annual Symposium on Foundations of Computer Science (1994), IEEE Comput. Soc. Press, pp. 124–134.

Appendix: a challenge
Here we present a challenge relevant to our Diffie-Hellman-like scheme: given explicit $3 \times 3$ matrices $M$, $M^a$, and $M^b$ over a group ring of $S_5$, recover the matrix $M^{ab}$. Note that our recommended platform ring is actually $\mathbb{Z}_7[S_5]$, but we believe that breaking our challenge is currently infeasible even for the group ring used in the challenge.

Below are the entries for $M$ (nine elements $a_{11}, \dots, a_{33}$ of the group ring, each written as a sum of permutations of $S_5$ in cycle notation, with $\varepsilon$ the identity).

Below are the entries for $M^a$.

Below are the entries for $M^b$.
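The challenge above asks for $M^{ab}$ given $M$, $M^a$ and $M^b$. As an added worked example (this is not code from the paper or its authors), the following Python implements the platform on which the challenge and the attacks of Section 6 are stated: the group ring $\mathbb{Z}_7[S_n]$ with the multiplication table of $S_n$ precomputed, so that a ring product is table lookups plus arithmetic on three-bit coefficients (the efficiency argument of Section 7); square-and-multiply and the Diffie-Hellman exchange on $2 \times 2$ matrices over $\mathbb{Z}_7[S_5]$; and the baby-step giant-step search of Section 6.1. The matrix $M$, the exponents 173 and 257, and the toy instances in $\mathbb{Z}_7[S_3]$ are constructed for the demonstration, and all function names are this example's own. The toy instances make the point of Sections 6.1 and 6.2 concrete: on the unit $2\varepsilon + 3(0\,1)$ the search returns an exponent that reproduces the target, while on the zero divisor $\varepsilon + (0\,1)$, whose powers cycle through $\varepsilon + (0\,1)$, $2(\varepsilon + (0\,1))$, $4(\varepsilon + (0\,1))$, it returns an exponent that does not, because $M^{js} = AM^i$ only yields $A = M^{js-i}$ when $M^i$ can be cancelled.

```python
import functools
import itertools
import math
import random

P = 7  # coefficient ring Z_7, the paper's recommended choice


class GroupRing:
    """Z_P[S_n]; an element is a tuple of |S_n| coefficients mod P, indexed by the
    permutations of range(n) in itertools order (the identity comes first)."""
    def __init__(self, n):
        self.elems = list(itertools.permutations(range(n)))
        self.size = len(self.elems)
        index = {g: k for k, g in enumerate(self.elems)}
        # Precomputed Cayley table, table[i][j]: index of elems[i] o elems[j] (elems[j]
        # applied first).  This is the Section 7 point: the group part of a ring product
        # is table lookup only; the sole arithmetic is on 3-bit coefficients mod 7.
        self.table = [[index[tuple(g[h[x]] for x in range(n))] for h in self.elems]
                      for g in self.elems]
    def zero(self):
        return (0,) * self.size
    def one(self):
        return (1,) + (0,) * (self.size - 1)
    def element(self, coeffs):
        """Element from {permutation tuple: coefficient}."""
        v = [0] * self.size
        for g, c in coeffs.items():
            v[self.elems.index(g)] = c % P
        return tuple(v)
    def random_element(self, rng):
        return tuple(rng.randrange(P) for _ in range(self.size))
    def add(self, a, b):
        return tuple((x + y) % P for x, y in zip(a, b))
    def mul(self, a, b):
        """(sum a_g g)(sum b_h h) = sum a_g b_h (g o h); reduced mod P once at the end."""
        c = [0] * self.size
        for i, ai in enumerate(a):
            if ai:
                row = self.table[i]
                for j, bj in enumerate(b):
                    if bj:
                        c[row[j]] += ai * bj
        return tuple(x % P for x in c)


def mat_identity(R, k):
    return tuple(tuple(R.one() if i == j else R.zero() for j in range(k)) for i in range(k))


def mat_mul(R, A, B):
    """Usual matrix product over R; matrices are tuples of tuples of ring elements."""
    k = len(A)
    return tuple(tuple(functools.reduce(R.add, (R.mul(A[i][l], B[l][j]) for l in range(k)),
                                        R.zero()) for j in range(k)) for i in range(k))


def mat_pow(R, M, e):
    """Square-and-multiply, O(log e) matrix products: what the legitimate parties do."""
    result, base = mat_identity(R, len(M)), M
    while e:
        if e & 1:
            result = mat_mul(R, result, base)
        base, e = mat_mul(R, base, base), e >> 1
    return result


def baby_step_giant_step(R, M, A, n):
    """Section 6.1: find x with M^x = A; n bounds the orbit of M (the paper uses |ring|).
    M^{js} = A M^i gives A = M^{js-i} only if M^i can be cancelled, i.e. M is invertible;
    for a zero divisor the returned x can be wrong (see demo_bsgs).  None if no match."""
    s = math.isqrt(n - 1) + 1                 # ceil(sqrt(n))
    t = -(-n // s)                            # ceil(n / s)
    baby, cur = {}, A
    for i in range(s + 1):                    # baby steps: store (i, A M^i)
        baby.setdefault(cur, i)
        cur = mat_mul(R, cur, M)
    Ms, giant = mat_pow(R, M, s), mat_identity(R, len(M))
    for j in range(t + 1):                    # giant steps: M^{js}
        if giant in baby and j * s - baby[giant] >= 0:
            return j * s - baby[giant]
        giant = mat_mul(R, giant, Ms)


def demo_key_exchange():
    """Diffie-Hellman on 2x2 matrices over Z_7[S_5]; M and the exponents are constructed."""
    R, rng = GroupRing(5), random.Random(2024)
    M = tuple(tuple(R.random_element(rng) for _ in range(2)) for _ in range(2))
    a, b = 173, 257
    A, B = mat_pow(R, M, a), mat_pow(R, M, b)     # published by Alice and Bob
    K_A, K_B = mat_pow(R, B, a), mat_pow(R, A, b)  # each side's shared key
    return K_A, K_B, mat_pow(R, M, a * b)         # all three agree


def demo_bsgs():
    """Toy ring Z_7[S_3] (|ring| = 7^6), 1x1 matrices: a unit base, then a zero divisor."""
    R = GroupRing(3)
    e, g = (0, 1, 2), (1, 0, 2)                      # identity, transposition (0 1)
    n = P ** R.size
    unit = ((R.element({e: 2, g: 3}),),)            # (2e+3g)(e+2g) = e, so invertible
    target = mat_pow(R, unit, 5)
    x = baby_step_giant_step(R, unit, target, n)
    ok_unit = x is not None and mat_pow(R, unit, x) == target
    zd, target2 = ((R.element({e: 1, g: 1}),),), ((R.element({e: 2}),),)  # (e+g)^2 = 2(e+g)
    y = baby_step_giant_step(R, zd, target2, n)    # 2e is not a power of e+g
    ok_zd = y is not None and mat_pow(R, zd, y) == target2
    return x, ok_unit, y, ok_zd                     # ok_unit True, ok_zd False
```

`demo_key_exchange()` returns Alice's key, Bob's key and $M^{ab}$ computed directly, all equal; `demo_bsgs()` returns the two recovered exponents together with whether each reproduces its target, which is true for the unit and false for the zero divisor. The ring multiplication deliberately reduces modulo 7 only once per product, so the inner loop is the table lookup the paper describes; exponents of realistic size cost proportionally more squarings, and the small exponents here keep the run to a few seconds in pure Python.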
CUNY Graduate Center and City Tech, City University of New York
E-mail address: [email protected]
CUNY Graduate Center, City University of New York
E-mail address: [email protected]
The City College of New York and CUNY Graduate Center
E-mail address: