International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 278

A Study of Non-Abelian Public Key Cryptography

Tzu-Chun Lin Department of Applied Mathematics, Feng Chia University 100, Wenhwa Road, Taichung 40724, Taiwan, R.O.C. (Email: [email protected]) (Received Feb. 12, 2017; revised and accepted June 12, 2017)

Abstract P.W. Shor pointed out that there are polynomial-time algorithms for solving the factorization and discrete log- Nonabelian group-based public key cryptography is a rel- arithmic problems based on abelian groups during the atively new and exciting research field. Rapidly increas- functions of a quantum computer. Research in new cryp- ing computing power and the futurity quantum comput- tographic methods is also imperative, as research on non- ers [52] that have since led to, the security of public key abelian group-based cryptosystems will be one of new re- cryptosystems in use today, will be questioned. Research search priorities. In fact, the pioneering work for non- in new cryptographic methods is also imperative. Re- abelian group-based public key cryptosystem was pro- search on nonabelian group-based cryptosystems will be- posed by N. R. Wagner and M. R. Magyarik [61] in 1985. come one of contemporary research priorities. Many inno- Their idea just is not suitable for practical applications. vative ideas for them have been presented for the past two For nearly two decades, numerous nonabelian groups have decades, and many corresponding problems remain to be been discussed to design efficient cryptographic systems. resolved. The purpose of this paper, is to present a survey The most frequently discussed nonabelian settings include of the nonabelian group-based public key cryptosystems matrix groups, braid groups, semidirect products, loga- with the corresponding problems of security. We hope rithmic signatures and algebraic erasers. that readers can grasp the trend that is examined in this In this paper, we give an overview of known pub- study. lic key cryptography designed by the above mentioned Keywords: Conjugacy Search Problem; Nonabelian nonabelian groups. These proposed nonabelian group- Groups; Public Key Cryptography based public key cryptosystems rely on either encryption- decryption or on key exchange agreement. A standard model for a public key cryptographic scheme is phrased 1 Introduction as two parties, which are referred to as Alice and Bob. Suppose that Alice wants to send a message M to Bob. The development of public key cryptography was a revo- A general model of encryption scheme is the following. lutionary concept that emerged during the twentieth cen- Alice uses the encryption map fk1 to encrypt the mes- tury. The first published study on public key cryptogra- sage C = fk1 (M), where fk1 is a one-way function and is phy was a key agreement scheme that was described by public. After receiving the cipher C, Bob uses the corre-

W. Diffie and M.E. Hellman in 1976 [19]. The most com- sponding decryption map gk2 to decode gk2 (fk1 (M)) = M, mon public key cryptography presently in use, such as the where gk2 should be known only by Bob. Diffie-Hellman cryptosystem, the RSA cryptosystem, the Many non-abelian group-based key establishment pro- ElGamal cryptosystem and the elliptic curve cryptosys- tocols are related to the Diffie-Hellman (DH) protocol, tem are number theory based and hence depend on the and we therefore provide a brief description of the DH- structure of abelian groups. Their security depends on protocol. The Diffie-Hellman (DH) protocol functions as difficulties regarding resolving some hard problems of the follows: Let G be a cyclic group with a generator g. number theory. For instance, the RSA algorithm depends Suppose that Alice and Bob want to generate a shared on integer factorization problem. The Diffie-Hellman, El- secret key K. Alice then randomly selects an integer Gamal and ECC algorithms also depend on discrete log- 1 < a < o(g) and sends A := ga to Bob. Similarly, arithmic problems (DLP). Although there have not been Bob randomly selects an integer 1 < b < o(g) and sends any successful attacks on the above public key cryptosys- B := gb to Alice. Alice computes K = Ba, while Bob tems the security of public key cryptosystems in use today, computes K = Ab. The security of the DH-protocol relies will be questioned due to rapidly increasing computing on the Diffie-Hellman problem (or the Discrete Logarith- power and the futurity quantum computers. In 1997 [52], mic Problem). International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 279

Problem 1. (Diffie-Hellman Problem) Let G be a group. 3) Decryption: From the ciphertext C(X) and Bob’s x y xy If g, g , g ∈ G are known, find the value of g . private key (M, a) the message b1 ··· bn can be re- covered by means of a procedure described in [64]. Problem 2. (Discrete Logarithmic Problem) Let G be a group. If h, g ∈ G such that h = gx and h, g are known. 4) Security Analysis: Find the integer x. The protocol is based on conjugacy search problem Problem 3. (Conjugacy Search Problem) Let G be a and root problems. But, R. Steinwandt [55] in 1992) nonabelian group. Let g, h ∈ G be known such that h = gx pointed out that the Yamamura’s Encryption Scheme for some x ∈ G. Find x. Here gx stands for x−1gx. is insecure. Suppose that an adversary Eve inter- cepted to the cipher C(X). She can compute Nonabelian group-based public key cryptography is a n relative new research field. In contrast to abelian groups Y D(X) := W (X)−1C(X) = (W (X)bi+1W (X)). the conjugacy search problem and its variant versions are 2 1 2 hard problems on some nonabelian groups. The conju- i=1 gacy search problem and its variant versions play an im- The entries of the matrix portant role for the security on nonabelian group-based ((W (X)bi+1W (X))−1D(X) public key cryptography. 1 2 In this paper, we give a survey of the representative should be polynomials over C. Beginning with nonabelian group-based public key cryptosystems so far. the first bit b1, if at least one of the entries of 2 −1 Their algorithms are very different. D1 := ((W1(X) W2(X)) D(X) involves a non- constant denominator then we can conclude b1 = 0; otherwise b1 = 1. Similarly, if the matrix 2 Matrix Groups 2 −1 D2 := ((W1(X) W2(X)) D1(X) contains a non- polynomial entry then we can conclude b = 0; oth- 2.1 Yamamura’s Encryption Scheme 2 erwise b2 = 1. The process continues until all bits At PKC’98, A. Yamamura [64] proposed a public key en- bi, i = 1, ··· , n are recovered. This means that the n cryption scheme based on the modular group SL(2, ZZ). plaintext b1 ··· bn ∈ {0, 1} can be recovered effi- It is well known that SL(2, ZZ) is generated by two ma- ciently from ciphertext C(x) and the public data 0 −1 1 1 alone. trices S = and T = , where the orders 1 0 0 1 of both generators are o(S) = 4 and o(T ) = ∞ and the 2.2 Two Rososhek-Matrix Cryptosys- 0 −1 matrix ST = is of order 6. Also, SL(2, ZZ) is tems 1 1 generated by the matrices S and ST subject to the re- In 2013, S. K. Rososhek [49] proposed a ElGamal-like en- lations S4 = (ST )4 = I and (ST )3 = S2. For a matrix cryption scheme -called BMMC ((Basic Matrix Modular 0 −1 Cryptosystem) - by using matrices over ZZ . N ∈ SL(2, ZZ), the matrices A := N −1 N and n 1 1 1) BMMC: Let n be a large positive integer and let 0 −1 B := N −1 N satisfy the relations A6 = B4 = I G(α, β, γ) be a free subgroup of the general lin- 1 0 ear group GL(2, ZZ ) generated by three generators 3 2 n and A = B . Therefore, the matrices A and B generate A, B and C, where α, β, γ ∈ ZZ with | α |, | β | SL(2, ZZ). 1 0 1 β , | γ |≥ 3, A = , B = and C = 1) Key Generation: Bob α 0 0 1 1 − γ r  i . Let q be the order of the group a. chooses two matrices V1 := (BA) and V2 := −γ γ + 1 (BA2)j ∈ SL(2, ZZ) for some i, j ∈ IN. GL(2, ZZn). All the data above is public. b. chooses matrices M ∈ GL2(C) and a. Key Generation: Bob F1(X),F2(X) ∈ Mat2(C[X]) and a ∈ C such that F1(a) = V1 and F2(a) = V2. i. chooses two random matrices P1 and U in −1 G(α, β, γ) with P1U 6= UP1 and three inte- c. computes W1(X) := M F1(X)M and −1 gers k, s, l with −q ≤ k, s ≤ q and 2 ≤ q. W2(X) := M F2(X)M. −s k s l ii. computes P2 := U P1 U and P3 := U . d. Bob’s public key: W1(X),W2(X). Bob’s private key: M, a. iii. The public key: n, P1,P2,P3. The private key: U, k, s. n 2) Encryption: Let b1 ··· bn ∈ {0, 1} be the message. b. Encryption: Let the message m ∈ Mat(2, ZZ ) Alice computes the ciphertext n be a matrix. Alice chooses integers r, t ∈ ZZn n and then computes the ciphertext Y bi+1 C(X) := W2(X) (W1(X) W2(X)). −r t r r −t −r i=1 (C1,C2) := (P3 P1 P3 , mP3 P2 P3 ). International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 280

c. Decryption: Bob computes m by using his pri- c. Decryption: Bob decrypts the message using his vate key k, s: private key

−s k s −1 C2U C1 U = m. C2 · α β(C1) = m.

d. Security Analysis: d. Security Analysis: If Eve want to break the system, Eve has to The security of the scheme is based on the ”ran- solve the transformation and hybrid problems dom salt” conjugacy search problem. This is for that are more complicated than the discrete log- the given matrices A, B in Mat(2, ZZn) to find arithm problem in the group of the same cardi- an invertible matrix X ∈ GL(2, ZZn) and an in- −1 nality. The both hard problems are described teger 0 < γ < n such that X AX = γB. as follows. If the integer γ in the encryption algorithm is removed, then the system is insecure. This is Problem 4. (The Transformation Problem): because the usual conjugacy search problem on Find all solutions (Z, y) of the equation the general linear group GL(2, ZZ ) is not hard. ZP Z−1 = P y, where Z ∈ GL(2, ZZ ) and n 1 1 n The equation C = Y −1ψ(L−1)Y can be trans- | y |< q is an integer. 1 formed to a system of four linear equations with Problem 5. (The Hybrid Problem): Find all four unknowns. On the other hand, the au- x solutions (Y, x) of the equation Z0 = Y , where thor [50] claimed that the “salt” γ can be found Y ∈ GL(2, ZZn) and | x |< q is an integer. only under brute force attack and for large n this problem becomes intractable. 2) MMMC1: The BMMC requires three matrix mod- ular exponentiations for key generation. There are More about public key cryptosystems based on ma- three exponentiation under encryption and two ex- trices, see for example [9,21,24,27,32,49,50,55–57,64] ponentiations under decryption. In order to speed for an example. the algorithm, S. K. Rososhek [50] gave two modified schemes named MMMC1 (Modified Matrix Modular Cryptosystem one) and MMMC2. The both mod- 3 Braid Groups ified schemes are similar. We only introduced the MMMC1 here. The braid groups were first introduced explicitly by E. Artin in 1925 [4]. There are several ways to represent a. Key Generation: Bob braids, but the most common is through the use of Artin i. computes the integer n, where n may be generators and the fundamental braid [15]. The (Artin’s) either a power of a prime pr or a product braid groups, denoted as Bn, are groups of braids on n n = pq of two distince primes. strands defined by the following presentation

ii. determines two invertible matrices V,W ∈ Bn :=< σ1, ··· , σn−1 | σiσi+1 = σi+1σi, GL(2, ZZ ) in order to define two commut- n σ σ σ = σ σ σ , 1 ≤ i ≤ n − 1 > . ing inner automorphisms α, β of the ring i+1 i i+1 i i+1 i −1 Mat(2, ZZn): α(D) := V DV and β(D) := These are non-abelian torsion-free groups. The precise −1 W DW , for all D ∈ Mat(2, ZZn). description, in particular is the geometric interpretation iii. computes two automorphisms φ := α2β and of Artin braid groups, see e.g. [2,10,17,18,30,36]. Due to ψ := αβ2. their efficient computational quality, Artin’s braid groups

iv. chooses a matrix L ∈ GL(2, ZZn) such that seemed to be a good candidate as a platform group for L 6∈ G. cryptographic applications. v. The public key: n, φ(L), ψ(L−1). At the beginning of the twenty-first century, some The private key: V, W, α, β. braid group-based public key cryptosystems were pro- posed. The pioneering papers for braid group-based cryp- b. Encryption: Let the message m ∈ Mat(2, ZZn) tography include the Anshel-Anshel-Goldfeld scheme [2] be a matrix. Alice in 1999 and the Ko-Lee et al. scheme [36] in 2000. Since i. chooses Y ∈ G and define an inner au- then, braids group-based cryptography has attracted a tomorphism ζ of the ring Mat(2, ZZn) by great deal of attention. The security of the most pro- ζ(D) := Y −1DY . posed braid group cryptographic schemes is based on the ii. computes the matrices ζ(φ(L)), ζ(ψ(L−1)) conjugacy search problem or its variant versions, e.g. the and mζ(φ(L)). membership search problem. iii. chooses a unit γ ∈ ZZn. Problem 6. (Membership Search Problem (or, Mul- iv. computes the ciphertext tiple Conjugacy Search Problem)) Given elements x, a1, a2, ··· , an of a group G, find an expression of x as −1 −1 (C1,C2) = (γ ·ζ(ψ(L ), γ ·m·ζ(φ(L))). a word in a1, a2, ··· , an (if it exists). International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 281

Unfortunately, the conjugacy search problem on lin- Problem 7. (Diffie-Hellman Conjugacy Problem) ear groups is not hard, and braid groups are linear Let A and B be commuting subgroups of a group G groups [11,37]. Although the most proposed braid group- with [A, B] = 1, and let g ∈ G be given. Given a pair based cryptographic schemes are vulnerable to several an- (ga, gb) with a ∈ A and b ∈ B, find gab. nounced attack methods [28], the research of the braid groups for cryptography has not decreased. Apart from The Ko-Lee et al. key agreement scheme can be at- the conjugacy search problem, there are other hard prob- tacked by using the Lawrence-Krammer representa- lems in braid groups that have not been studied exten- tion sively. We therefore present the works of Ko-Lee et al. n(n − 1) ±1 1 and Anshel et al. and the corresponding attacks based K : Bn −→ GL( , ZZ[t , ]). on linear representations of the braid groups. The algo- 2 2 rithms can be applied not only to braid groups, but also The proposed algorithm to solve the braid DH prob- to any nonabelian groups. lem is described roughly as follows. Suppose that Eve can find a matrix A such that 3.1 Two Ko-Lee et al. Schemes K(y1)A = AK(y1), Let LBk and RBn−k be commuting subgroups of the K(σi)A = AK(σi), braid group Bn, where 0 < k < n, consisting of braids −1 made by braiding left k strands and by braiding right for all generators σi ∈ LBk. Then, AK(y2)A = −1 −1 −1 n − k strands among n strands, respectively. For any AK(b)K(x)K(b) A = K(b)K(y1)K(b) = K(K). a ∈ LBk and b ∈ RBn−k, the commutative rule holds: Note that the Lawrence-Krammer representation is ab = ba. faithful and one can effectively find the image K(g) for every g ∈ B . Moreover, one can effectively re- 1) The Key Agreement Scheme [36]: The algorithm is a n cover K ∈ B from its image K(K) by using the Diffie-Hellman like algorithm. n Cheon-Jun inversion algorithm [16, 59]. a. The public key: braids groups Bn, LBk,RBn−k and a braid x ∈ Bn. 3.2 Anshel-Anshel-Goldfeld Scheme b. Alice chooses a random secret braid a ∈ LB k In contrast to Ko-Lee et al. schemes the Anshel-Anshel- and sends y := axa−1 to Bob. 1 Goldfeld key agreement scheme [2] requires no commut- Bob chooses a random secret braid b ∈ RBn−k −1 ing subgroups. Let G be a public nonabelian group and and sends y2 := bxb to Alice. a1, ··· , ak, b1, ··· , bm ∈ G be public. c. Alice receives y2 and computes the shared key −1 K = ay2a . 1) The Algorithm. Bob receives y2 and computes the shared key −1 a. Alice chooses a random secret x = K = by1b . x(a1, ··· , ak) ∈ G as a word in a1, ··· , ak x x 2) The Encryption Scheme [36]: and sends b1 , ··· , bm to Bob. Bob chooses a random secret y = a. Bob’s public key: x, y, where x ∈ Bn, y := y(b1, ··· , bm) ∈ G as a word in b1, ··· , bk axa−1 and the hash function H : B → {0, 1}l. y y n and sends a1, ··· , ak to Alice. Bob’s private key: a ∈ LBk. y y y −1 b. Alice computes x(a1, ··· , ak) = x = y xy b. Encryption: Let m ∈ {0, 1}l be a plaintext. Al- and x−1(y−1xy) = K. ice x x x −1 c. Bob computes y(b1 , ··· , bm) = y = x yx and i. chooses a braid b ∈ RBn−k at random. (y−1(x−1yx))−1 = K. ii. computes the ciphertext (c, d), where 2) Security Analysis: c = bxb−1 , d = H(byb−1) ⊕ m. In the paper [2], braid groups are selected as plat- form groups for the scheme. The security of the AAG c. Decryption: Bob uses the prime key a to recover scheme is based on the multiple conjugacy search the message problem, which is otherwise called the membership search problem. However, for Eve to extract the −1 m = H(aca ) ⊕ d. shared key K out of the public information, it suf- fices to solve the Commutator KE Problem, which 3) Security Analysis: is otherwise called the Anshel-Anshel-Goldfeld Prob- The security of both of these schemes is based on lem, in polynomial time. the conjugacy search problem on braid groups. To break the both schemes, it suffices for Eve to solve Problem 8. (Commutator Key Exchange Problem) the Braid Diffie-Hellman Conjugacy Problem. Let G be a group. Let a1, ··· , ak, b1, ··· , bk ∈ G and International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 282

−1 y −1 b −1 −1 let a ∈< a1, ··· , ak > and b ∈< b1, ··· , bk >. Given g. Compute a a = a a = a b ab. b b a a a1, ··· , ak, b1, ··· , bk, a1, ··· , ak, b1, ··· , bk, compute h. Recover the shared key K from a−1b−1ab by −1 −1 a b ab. using the Cheon-Jun inversion algorithm.

Let S be a subset of Mat(n, IF). The centralizer of For more about braid groups and braid group-based pub- S is the set lic key cryptosystems, see for example [2, 4, 10, 11, 15–18, 23, 28, 30, 36, 37, 39, 44, 45, 47, 53, 59]. C(S) := {c ∈ Mat(n, IF) | cs = sc, ∀ s ∈ S}.

The centralizer C(S) is a subspace of the vector 4 Stickel’s Schemes space Mat(n, IF) over a field IF. The proposed al- gorithm [59] to solve the commutator key exchange In 2003, E. Stickel presented the algorithms based on the problem is described roughly as follows. See [59] for Diffie-Hellman type of nonabelian groups. The algorithms details. cover the key agreement, authentication and digital sig- nature purposes. Let G be a finite nonabelian group and a. Use the method of Cheon and Jun [16] to re- let a, b ∈ G with ab 6= ba and o(a) = N, o(b) = M > 1. duce the commutator key exchange problem in matrix groups over fields. 1) Stickel’s Key Agreement Scheme

K n(n − 1) 1 n(n − 1) a. Alice chooses two random natural number n < B ,→ GL( , ZZ[t±1, ]) GL( , IF), n m n 2 2  2 N, m < M and sends u := a b to Bob. Bob chooses two random natural number r < ±1 1 r s where IF = ZZ[t]/ < p, f(t) >= ZZ[t , 2 ]/ < N, s < M and sends v := a b to Alice. p, f(t) > is a finite field of the order pdeg f(t), p b. Alice computes the shared secret key K = is a prime and f(t) is an irreducible polynomial. anvbm. r s b. Compute a basis for C(C(b1, ··· , bk)). Bob computes the shared secret key K = a ub . c. Find a matrix x (and its inverse x−1) that satis- 2) Security Analysis: fies the following homogeneous system of linear Suppose that Eve wants to break the system and she equations has intercepted the values u and v. In order to get

a the secret shared key K, Eve does not have to find b1 · x = x · b1, a pair of integers (n, m) (or (r, s)), but to solve the . decomposition search problem [45, 54]. . a Problem 9. ( Decomposition Search Problem) bk · x = x · bk. Given a recursively presented (semi)group G, two re- x a −1 Thus, bi = bi and xa ∈ C(b1, ··· , bk). cursively generated sub(semi)groups A, B ∈ G, and −1 two elements u, w ∈ G. Find two elements x ∈ A d. If y ∈ C(C(b1, ··· , bk)), then (xa )y = y(xa−1) and (xa−1)y−1 = y−1(xa−1). and y ∈ B such that x · w · y = u, provided at least Therefore, one such pair of elements exists.

x−1y−1xy = x−1y−1(xa−1)ay Suppose that Eve can find a pair x, y ∈ G which satisfies the system = x−1(xa−1)y−1ay −1 y xa = ax = a a . n yb = by e. Find a matrix y ∈ C(C(b1, ··· , bk)) (and its in- u = xwy verse y−1) that satisfies the following homoge- neous system of linear equations then Eve can use Bob’s transmission v to compute r s r s r s b xvy = xa wb y = a xwyb = a ub = K. a1 · y = y · a1, . . 3) Suggested Platforms: In the paper [56], it was sug- a · y = y · ab . gested that the general linear group GLk(IF2l ) is used k k as the platform group G. Then the above system of f. Let a = a1 ··· am . Then, compute three equations including a nonlinear equation can i1 im be translated to a system of three linear equations ay = (a1 )y ··· (am )y = (ay )1 ··· (ay )m i1 im i1 im x−1a = ax−1 n = (ab )1 ··· (ab )m = (a1 )b ··· (am )b i1 im i1 im yb = by = ab. xu = wy. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 283

It makes also the protocol vulnerable to linear algebra If Eve wants to break the system, she has to find the attacks. However, the system is worth preserving. The private key a. Eve can try to find an element g0 such a a author of the paper [54] suggested semigroups with a great that Inn(g0) = Inn(g ). Then, it holds that g0 = g z deal of non-invertible elements, and then the linear alge- for some z ∈ Z(Γ). After that Eve has to check −1 bra attack would not work. Whether a semigroup (with a whether g0z ∈< g >. If that is the case, then it lot of non-invertible elements) as the platform makes the goes back to solve the discrete logarithmic problem protocol vulnerable to another attacks is unclear. in the cyclic group < g >. Indeed, if the subgroup Z(Γ) of Γ is large, then it is less efficient to determine whether g z−1 ∈< g >. 5 Semidirect Products 0 On the other hand, Eve considers directly solv- In [47] (2001), S.-H. Paeng et al. described a public ing the discrete logarithmic problem in the group key encryption protocol based on a semidirect product of < Inn(g) >. The most efficient known method- abelian groups connecting with the inner automorphism. the index calculus- cannot applied to the group < Inn(g) >. In general case, the expected run times for √ Definition 5.1. Let G and H be groups and ρ : H −→ solving he discrete logarithmic problem are O( p). Aut(G) be a group homomorphism. The semidirect prod- 5) Suggested Platforms: uct G oρ H is a nonabelian group The Author [47] employ a semi-direct product Γ of G oρ H := {(g, h) | g ∈ G, h ∈ H} groups as the platform group of the system. Let Γ = SL(2, ZZp) oρ ZZp an let ρ := Inn ◦ ρ1 : ZZp → under the group operation Aut(SL)(2, ZZp)) be the automorphism, which is a composition of an inner automorphism Inn with an (g1, h1) · (g2, h2) := (g1ρ(h1)(g2), h1h2). isomorphism ρ1. For the DLP to be a hard prob- lem in < Inn(g) >, we choose 160-bit prime p. Then Definition 5.2. Let G be a nonabelian group. Fix an the security of the system is comparable to 1024-bit element g ∈ G. An automorphism Inn(g): G −→ G RSA. defined by

Inn(g)(x) := gxg−1, ∀ x ∈ G 5.2 HKKS-Key Exchange Protocol is called the inner automorphism of G by g. In 2013, M. Habeeb et al. [29] proposed a new key agreement protocol (HKKS) by using semidirect prod- Problem 10. (Special Conjugacy Search Problem) Let ucts which is very different from the S.-H. Paeng et al. G be a nonabelian group. Given an element Inn(g) ∈ scheme. Let G be a (semi)group and let Γ = G o H be Inn(G). Find g0 ∈ G such that Inn(g0) = Inn(g). a semidirect product, where H ≤ Aut(G) is a subgroup. Let (g, φ) ∈ Γ be the public key for the protocol. 5.1 The Encryption Scheme 1) The HKKS-Key Exchange Portocol in [29]: Let Γ be a semidirect product of the groups SL(2, ZZp) and ZZ . Inn(Γ) := {Inn(g) | g ∈ Γ} be the inner auto- a. Alice chooses a private number m ∈ IN and com- p m m−1 2 m morphism group of Γ. The encryption scheme in [47]: putes (g, φ) = (φ (g) ··· φ (g)φ(g)g, φ ). Alice sends to Bob the first component 1) Bob’s public key: Inn(g), Inn(ga), g := (x, y) ∈ Γ r Z(Γ). a := φm−1(g) ··· φ2(g)φ(g)g. Bob’s private key: a ∈ ZZ|Γ|. Bob chooses a private number n ∈ IN and com- n n−1 2 n 2) Encryption: Let m := (m1, m2) ∈ Γ r Z(Γ) with putes (g, φ) = (φ (g) ··· φ (g)φ(g)g, φ ). mg 6= gm be a message. Alice Bob sends to Alice the first component

a b a. chooses b ∈ ZZ and computes Inn(g ) . b := φn−1(g) ··· φ2(g)φ(g)g. b. computes E = Inn(gab)(m). b. Alice chooses any x ∈ H and computes c. computes φ = Inn(g)b. (b, x)(a, φm) = (φm(b) · a, x · φm). Alice sends to Bob the cipher (E, φ). Bob chooses any y ∈ H and computes (a, y)(b, φn) = (φn(a) · b, y · φn). 3) Decryption: Bob computes m = φ−a(E). c. The shared secret key K of Alice and Bob 4) Security Analysis: is the first component of (b, x)(a, φm) = The security of the encryption scheme is based on the (a, y)(b, φn) = (g, φ)m+n difficulty of the special conjugacy search problem and n m the discrete logarithmic problem. K = φ (a) · b = φ (b) · a. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 284

2) Suggested Platforms: b. Suppose that Eve wants to break the protocol. In this paper [29], the authors consider the semigroup She finds two matrices X and Y satisfying the G of 3×3 matrices over the group ring ZZ7[A5], where system of two linear and one nonlinear equations A5 is the alternating group on 5 letters and an exten- Xh = hX, sion of G by an inner automorphism to get a platform n for the protocol. The public map φ is defined as an Y (hg) = (hg)Y, −m m inner automorphism by using a fixed invertible ma- XY = h (hg) . trix h ∈ G If the matrix X is invertible, the system can be

−1 k −k k translated to the system of three linear equa- φ(g) := h gh and φ (g) := h gh tions X−1h = hX−1, for any matrix g ∈ G and any integer k ≥ 1. n Y (hg) = (hg)Y, In order to reduce key size and to speed up compu- Y = X−1h−m(hg)m. tation of the algorithm, the authors of the paper [33] consider the semigroup G of 2 × 2 matrices over the It makes also the protocol vulnerable to a lin- binary field IF2127 and an extension of G by an endo- ear algebra attack, since Eve can thus compute morphism φ, which is a composition of a conjugation the shared secret key by applying the solution by a matrix h ∈ GL(2, IF2127 ) with the endomorphism (X,Y ) ψ as the platform semigroup. The public map φ is −n n −n n thus defined as follows X(h (hg) )Y = h (XY )(hg) = K.

φ(g) := h−1ψ(g)h, and The next key exchange protocol is a modified ver- sion in order to prevent the linear algebra and linear k−1 0 Y Y decomposition attacks. φk(g) := ( ψi(h−1)ψk(g)( ψi(h)), i=0 i=k−1 5.3 Modified HKKS-Key Exchange Pro- for any matrix g ∈ G and any integer k ≥ 1. The tocol [33] change of G reduces the bit complexity of a public matrix g from 1620-bits into 508-bits. All computa- Let the automorphism φ be the inner automorphism φh −1 tion are done by well known methods of fast com- by an invertible matrix h, i.e. φh(x) = hxh and let putation in finite binary fields. However, the choice Ann(hg) := {x | x · (hg) = O} be the annihilator of the of the both platforms makes the protocol unable to matrix hg, where O is denoted as the zero matrix. Alice resist a linear algebra attack and a linear decompo- and Bob agree on public matrices g and h, where h is sition attack. invertible and g is not. 1) The modified version: 3) Security Analysis: We give the linear algebra attack in the original ver- a. Alice chooses a secret number m ∈ IN and a sion. Other attacks referred to [20, 29, 33, 34, 48]. If secret nonzero matrix R ∈ Ann(hg), and then the inner automorphism φh by a matrix h over a field, computes −1 i.e. φh(x) = hxh , is selected as the automorphism m m−1 2 m φ, then the HKKS-key exchange protocol is vulner- (g, φ) = (φ (g) ··· φ (g)φ(g)g, φ ) able to the linear algebra attack. The reason is de- = (h−m(hg)m, φm) = (a, φm). scribed as follows: Alice sends to Bob the matrix a + R. a. Recall that Alice sends the matrix a to Bob Bob chooses a secret number n ∈ IN and a secret nonzero matrix S ∈ Ann(hg), and then com- 1 putes Y a = ( h−ighi) · g = h−m(hg)m, n n−1 2 n i=m−1 (g, φ) = (φ (g) ··· φ (g)φ(g)g, φ ) = (h−n(hg)n, φm) = (b, φn). and Bob sends the matrix b to Alice Bob sends to Alice the matrix b + S. 1 Y b = ( h−ighi) · g = h−n(hg)n. b. Alice chooses any x ∈ H and computes i=n−1 (b + S, x)(a + R, φm) = (φm(b) · a, x · φm).

The shared secret key K is Bob chooses any y ∈ H and computes

K = φm(b) · a = φn(a) · b = h−(m+n)(gh)m+n. (a + R, y)(b + S, φn) = (φn(a) · b, y · φn). International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 285

c. The shared secret key K of Alice and Bob is al. [38,41] proposed three public key encryption schemes, then called MTS1, MTS2 and MTS3, based on logarithmic sig- K = φm(b) · a = φn(a) · b. natures for finite groups. Their security relies on the fol- lowing hard factorization problem (Problem 11). 2) Security Analysis: Let G be a finite (nonabelian) group and let Ai := The protocol uses R and S to hide a and b, respec- [ai1, ai2, ··· , air ] be a finite sequence of elements of G, tively. Here, Eve would be looking for matrices X,Y i where ri is called the length of Ai and Ai denotes the and Z of the system of four equations Pri element j=1 aij in the group ring ZZG. An ordered se- quence α := [A ,A , ··· ,A ] of A can be viewed as an Xh = hX, 1 2 s i s × r matrix α = (aij), where r = max{ri} and aij = 0 Y (hg) = (hg)Y, for j > r . Let A ·A ··· A = P a g, where a ∈ ZZ. i 1 2 s ag ∈G g g Z · (hg) = O, Definition 6.1. A sequence α = [A ,A , ··· ,A ] de- XY + Z = h−m(hg)m + R. 1 2 s scribed as above is said to be The last equation is not linear. The linear algebra at- 1) a cover for G if ag > 0 for all g ∈ G. tack does not work against this protocol. However, it is vulnerable against the linear decomposition attack 2) a logarithmic signature for G if ag = 1 for all g ∈ G. which is described as follows [20, 48]. 3)a[ s, r]-mesh cover if α is a cover for G, all Ai have a. First, construct a linear space W generated the same length r and the distribution of the set {ag | by all elements of the form h−k(hg)k, k ∈ g ∈ G} is approximately uniform. IN ∪ {0}, with a basis {e1, ··· , el}, where Note that if α = [A1,A2, ··· ,As] is a logarithmic sig- e = h−ki (hg)ki , k ∈ IN. Choose a basis i i nature for G then for each element y of G there is a unique {f1, ··· , ft} of the linear space Ann(hg) such factorization with qi ∈ Ai, 1 ≤ i ≤ s that {e1, ··· , el, f1, ··· , ft}. This consists of a

basis of the space W + Ann(hg). y = q1 · q2 ··· qs. (1) b. For public data a+R and b+S in W +Ann(hg), In general, it is not the case for covers. we can effectively find one matrix S1 ∈ Ann(hg) and the coefficients η , ν ∈ IF such that A logarithmic signature α is called tame if the com- i j plexity of the factorization of y in (1) is in polynomial b + S = h−n(hg)n + S time. Otherwise, α is called wild. l t Let α = [A1,A2, ··· ,As] be a cover of type Qs X −ki ki X (r , r , ··· , r ) for G and let m = r . Then the cover = ηih (hg) + νjfj, 1 2 s i=1 i i=1 j=1 α induces an efficiently computable surjective mapping

Pt α˘ : ZZm −→ G. (2) where S1 := j=1 νjfj may bot be S. c. Compute the shared secret key If α is a logarithmic signature, then the induced mapping α˘ is bijective. Moreover, if a logarithmic signature α is l tame, then the inverseα ˘−1 is efficiently computable. X −ki ki ηih (a + R)(hg) i=1 Proposition 6.2. If α is a wild logarithmic signature l and β is a tame logarithmic signature for a finite group X −ki+m ki+m ki ki ˘−1 = ηi[h (hg) + h · R · (hg) ] G, then the mappingα ˘β : ZZ|G| −→ ZZ|G| is a one-way i=1 permutation. l m X −ki ki m Let γ : {e} = G < G < ··· < G < G be = h ( ηih (hg) )(hg) 0 1 s−1 s i=1 a sequence of subgroups of G and let Ai be an ordered, −m −n n m complete set of right coset representatives of Gi−1 in Gi. = h (h (hg) + S1)(hg) −(m+n) m+n Then the sequence [A1,A2, ··· ,As] forms a logarithmic = h (hg) = K. signature α for G, and is called exact-transversal with respect to γ. If we set B := g−1 A g , i = 1, ··· , s, where More about public key cryptosystems based on semidirect i i−1 i i g , g , ··· , g ∈ G, then the sequence β :[B ,B , ··· ,B ] products, see [20, 21, 29, 32–35, 42, 48] for an example. 0 1 s 1 2 s is again a logarithmic signature for G. When g0 = gs = 1, then β is said to be a sandwich of α. 6 Logarithmic Signatures Definition 6.3. A logarithmic signature α for a finite group G is called The logarithmic signatures were first used in the cryptog- raphy in order to construct a symmetric key cryptosystem 1) transversal, if α is the sandwich of an exact- PGM [40]. Nearly twenty years later, S.S. Magliveras et transversal logarithmic signature for G. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 286

2) non-transversal, if it is not transversal. 2) Encryption: Let m ∈ H be a message. Alice

3) totally non-transversal, if none of its blocks is a coset a. chooses R ∈ ZZrs . of a non-trivial subgroup of G. ˘ b. computes y1 =α ˘(R), y2 = β(R), y3 = my2. Problem 11. (Factorization Problem for Logarith- c. Alice transmits the cipher (y1, y3) to Bob. mic Signatures/Covers) Given g ∈ G and α =

[A1,A2, ··· ,As] = (aij). Find aiji ∈ Ai, i = 1, ··· , s, 3) Decryption: Bob such that g = a1j1 a2j2 ··· asjs . a. computes f(y1) = y2, and b. computes m = y y−1. 6.1 MST1- Cryptosystem 3 2 Let G be a finite permutation group with a sequence γ of 4) Security Analysis: subgroups of G. If Eve wants to break the system, she has to find the value y2. There are also two theoretical methods to 1) Key Generation: Bob generates ∗ recover y2. One is to find a value R ∈ ZZrs such that ∗ a. a totally non-transversal logarithmic signature α˘(R ) = y1. If it is the case, then we can compute ˘ ∗ ∗ α, a transversal logarithmic signature β for G β(R ) = y2. In order to effectively compute R such ∗ and . that y1 =α ˘(R ), Eve has to factorize the public data y with respect to α. This means that Eve has to b. a short sequence of exact-transversal logarith- 1 solve the Factorization Problem 11. This problem is mic signatures θ , θ , ··· , θ such that σ := 1 2 k in general an intractable problem for large groups. α˘β˘−1 = θ˘ · θ˘ ··· θ˘ , where k is a small inte- 1 2 k Second, Eve can try to find a homomorphism f ∗ : ger > 1. G → H such that β = f ∗(α). S.S. Magliveras et c. The public key: α, β, G. al. [41] claimed that if the symmetric group Sn is used The private key: θ1, ··· , θk. as the platform group of the scheme MST2 and the private key f : G → G is conjugation by an element 2) Encryption: Let m ∈ ZZ be a message. Alice com- |G| g in S , then the scheme MST is vulnerable to the putes the cipher n 2 second attack. C = σ(m) = (˘αβ˘−1)(m). 6.3 MST3- Cryptosystem 3) Decryption: Bob recovers the message m by comput- ing Let G be a nonabelian group with nontrivial center Z(G). ˘−1 ˘−1 ˘−1 θk (θk−1(··· (θ1 (C) ··· ))) = m. 1) Key Generation: Bob

4) Security Analysis: a. generates a tame logarithmic signature The security of MST1 relies on the hardness of the β = [B1,B2, ··· ,Bs] := (bij) of type factorization problem with respect to wild logarith- (r1, r2, ··· , rs) for Z(G) and a random mic signatures. In [41] the authors assume that to- cover α = [A1,A2, ··· ,As] := (aij) of the same tally non-transversal logarithmic signatures are ”wild type as β for a certain subset F of G such that like”. Unfortunately, J.M. Bohli et al. [14] have A1,A2, ··· ,As ⊆ G r Z(G). proved that totally non-transversal logarithmic sig- natures can be tame. This means that not any totally b. chooses t0, t1, ··· , ts ∈ G r Z(G). non-transversal logarithmic signature is suitable for c. computesα ˘ := [A˜1, A˜2, ··· , A˜s], where A˜i = −1 being used as a key in MST1. In addition to that ti−1Aiti. there are still no practical implementations of MST 1 d. computesγ ˘ = (h ), where h := b a˜ . in sight. ij ij ij ij e. The public key:α, ˘ γ˘. The private key: β, t0, t1, ··· , ts. 6.2 MST2- Cryptosystem

Let G and H be large groups. 2) Encryption: Let m ∈ ZZ|Z(G)| be a message. Alice

1) Key Generation: Bob a. computes y1 :=α ˘(m) and y2 :=γ ˘(m). b. Alice transmits the cipher (y , y ) to Bob. a. generates an epimorphism f : G → H and a 1 2 random [s, r]-mesh cover α = (aij) for G 3) Decryption: Bob b. computes β = (bij) = f(α) = (f(aij)). a. computes y t−1y−1t = β˘(m). c. The public key: α, β. 2 s 1 0 ˘−1 −1 −1 The private key: f. b. computes m = β (y2ts y1 t0). International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 287

4) Security Analysis: termed the E-structure. where Π : M −→ N is a monoid If Eve tries to obtain the private logarithmic signa- homomorphism, E is the function ture β and the pair (t0, ts) of elements of G from the public information (˘α, γ˘), it is sufficient for Eve E :(N × S) × (M o S) −→ N × S to determine a sandwich transform β‘ of β which is given by E((n, s), (m , s )) := (nΠ(sm ), ss ), and A, B equivalent to β, i.e., β˘‘ = β˘. Thus, it is sufficient 1 1 1 1 are submonoids of M S satisfying E-Commuting, i.e., to assume that the first element b of each block o 1j they satisfy the equation Bj, except for the last block Bs of B, is the iden- −1 tity 1 ∈ G. From the equation h11 = t a11t1, Eve 0 E(Π(a), sa, (b, sb)) = E(Π(b), sb, (a, sa)), chooses an element of G \Z(G) as the value of t0. On the other hand, due to the elements ti and tiz for for all (a.sa) ∈ A,(b, sb) ∈ B. For simplicity, the symbol z ∈ Z(G) lie in the same coset tiZ(G). It is then suf- ? will be used to replace the symbol E as follows: ficient to choose one t0 only from each distinct coset of G modulo Z(G). E((n, s), (m1, s1)) = (n, s) ? (m1, s1).

5) Suggested Platforms: The authors [38] of MTS3 em- The operation ? satisfies the associated property as fol- 2 ploy the Suzuki-2-group of the order q as the plat- lows: Given (n, s) ∈ N ×S and (m1, s1), (m2, s2) ∈ M S, m o form group of MTS3, where q = 2 is the order of the center Z(G) and the integer m is not a power ((n, s) ? (m1, s1)) ? (m2, s2) = (n, s) ? ((m1, s1) · (m2, s2)). of 2. Thus, if the Suzuki-2-group is implemented as the platform group of MTS3, then there are (q − 1)q 7.1 The Key Agreement Scheme based on possible choices for the pair (t0, bs1). If q is large, the the Algebraic Eraser type of the attack is in not feasible. The Algebraic Eraser key agreement scheme designed by More about public key cryptosystems based on logarith- Anshel, Anshel, Goldfeld and Lemieaux in [3] is a type of mic signatures see [14, 38, 40, 41, 58, 60] for an example. Diffie-Hellman protocol: Let NA and NB be submonoids of N so that they commute elementwise. 7 Algebraic Eraser 1) Alice selects her private key: na ∈ NA and (ai, sai ) ∈ The Algebraic Eraser is a binary operation consists of A. Bob selects his private key: n ∈ N and (b , s ) ∈ a semidirect product and a homomorphism of monoids b B j bj and an action of a nonabelian group on a monoid. The B. main purpose of building the Algebraic Eraser is to de- 2) Alice computes PA sign lightweight public key cryptosystems. The Algebraic

Eraser key agreement scheme was introduced by Anshel, PA = (na, id) ? (ai, sai ), Anshel, Goldfeld and Lemieaux in 2004; the correspond- ing paper [1] appeared in 2006. The Algebraic Eraser and transmits PA to Bob. and the Algebraic Eraser-based protocol are specially de- Bob computes PB signed for commercial purposes. The company SecureRF P = (n , id) ? (b , s ), owns the trademark of them. It claims a security level B b 1 b1 of 2128 for their preferred parameter sizes. The authors and transmits P to Alice. in the paper [1] gave a concrete realization of the Alge- B braic Eraser key agreement protocol using infinite braid 3) The shared secret key K of Alice and Bob is groups named the colored Burau key agreement proto- col (CBKAP). This Diffie-Hellman-like protocol has been ((na, id) · PB) ? (ai, sai ) = ((nb, id) · PA) ? (bj, sbj ). proposed as a standard in ISO JTC-1/SC-31 (29167-20) to protect various communication protocols like RFID, 7.2 The CBKAP NFC, or Bluetooth for devices associated with ISO-18000 and the Internet of Things [3, 8]. The braid groups is used in order to implement the Let M,N be monoids and let S be a nonabelian group CBKAP. E-multiplication is an action of the braid group which acts on M on the left, and does not act on N. The on pairs of matrices over a field and permutations. Recall that there is a surjective homomorphism from the Artin semidirect product M o S of M and S is then a monoid whose internal binary operation is given by braid group Bn onto the symmetric group Sn. With help of the colored Burau representation of Bn, that is an ex- s1 (m1, s1) · (m2, s2) := (m1 m2, s1s2). tended version of the reduced Burau representation [3,10, 17], the semi-direct product M S is defined as a group The Algebraic Eraser (AE) E is the binary operation spec- o n generated by the set {(x (t), s ), ··· , (x (t), s )}, ified within the 6-tuple 1 1 n−1 n−1 where xi(t) is a colored Burau matrix of Bn and si = (M o S, N, Π, E, A, B) (i i + 1) is a transposition of Sn, for all i = 1, ··· , n − 1. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 288

−1 The nonabelian group M o Sn is also called the colored matrix m0: Qm0Q = (λ1, ··· , λn), where Q ∈ N. Burau group. The authors of the paper [3] then give an Then, example to concretely realize the above algorithm by us- α −1 α α m0 = Q (λ1 , ··· , λn)Q. ing the colored Burau matrices. The protocol is also called the colored Burau key agreement protocol (CBKAP). On the other hand, by the condition that the Fix an integer n ≥ 7 and a prime p > n. Let M ≤ subgroups NA and NB of N commute, it applies Π(sz A)Π(sz B) = Π(sz B)Π(sz A). Thus, the matri- GL(n, IFp(t)), where t = (t1, ··· , tn), be a subgroup, and X 0 let S = Sn be the symmetric group on n symbols and ces Π(sz A) and Π(sz B) take the forms and 0 I N = GL(n, IFp). Fix n elements τ1, ··· , τn ∈ IFp, and I 0  the homomorphism Π : M −→ N is defined by setting , respectively. τi = ti, i = 1, ··· , n. Let z ∈ M o Sn be a fixed element 0 Y −1 and let A = z ·{(xl1 (t), sl1 ), ··· , (xlµ (t), slµ )}· z and Suppose that z were known. Then, Eve can ob- −1 B = z ·{(xr (t), sr ), ··· , (xr (t), sr )}· z , where | li − α sz 1 1 ν ν tain m0 and recover the matrices Π( A) and rj |≥ 2 for 1 ≥ i, j ≤ n, be two E-commuting subgroups Π(sz sBsA z−1) in polynomial time. Therefore, it re- of M o Sn. mains to ask how to determine the element z. The security of the CBKAP depends on the simultaneous 1) The public key: (M S, N, Π, E, A, B) and a matrix o conjugacy search problem. There are not any suc- m ∈ GL(n, IF ) of order pn − 1 such that two sub- 0 p cessful attacks to solve the simultaneous conjugacy groups N ,N of N consist of linear combinations A B search problem. of powers of m0 over IFp.

The private key: z and (xl1 (t), sl1 ), ··· , (xlµ (t), slµ ), Problem 12. (Simultaneous Conjugacy Search (x (t), s ), ··· , (x (t), s ). −1 −1 r1 r1 rν rν Problem) Let w1 = z a1z, ··· , wk = z akz. If only w , ··· , w are public, find the conjugating ele- 2) Alice selects her secret key: n ∈ N , k ∈ IN and 1 k a A ment z. some (xai (t), sai ) ∈ A, i = 1, ··· , k.

Bob selects his secret key: nb ∈ NB , l ∈ IN and some For more about Algebraic Eraser key agreement scheme, (xb (t), sb ) ∈ B, j = 1, ··· , l. j j see [1, 3, 5–8, 13]. 3) Alice computes PA

PA = (··· ((na, id) ? z ? (xa1 (t), sa1 ) ? (xa2 (t), sa2 )) ? 8 Conclusion −1 ··· ) ? (xak (t), sak ) ? z sz sz sA −1 There are innovative ideas to propose nonabelian group = (n · Π(z) · Π( A) · Π( z ), s s s −1 ), a z A z based-public key cryptography, although, most crypto-

sz sz sz sa1 graphic systems seem to be vulnerable to security. For where Π( A) = Π( xa1 (t))Π( xa2 (t)) ··· sz sa1 ···sak−1 example, the conjugacy search problem on linear groups · Π( xa (t)) and sA = sa ··· sa . k 1 k used in the mentioned protocols, e.g., matrix groups and Alice transmits PA to Bob. Bob computes braid groups, seems to be not be hard. Nevertheless, they still have the value of reference. Some of these systems have some modifications that still have a sufficient secu- PB = (··· ((nb, id) ? z ? (xb1 (t), sb1 ) ? (xb2 (t), sb2 )) ? rity level. On the other hand, the efficiency and security ··· ) ? (x (t), s ) ? z−1 bl bl of a cryptographic system does not only depend on the sz sz sB −1 = (nb · Π(z) · Π( B) · Π( z ), sz sBsz−1 ), design of the algorithm, but also on the choice of platform.

and transmits PB to Alice. 4) The secret shared key K of Alice and Bob is References [1] I. Anshel, M. Anshel, D. Goldfeld, S. Lemieux, “Key K = (··· ((na, id) · PB ? z ? (xa (t), sa ) 1 1 agreement, the algebraic eraserTM , and lightweight ?(x (t), s )) ? ··· ) ? (x (t), s ) ? z−1 a2 a2 ak ak cryptography,” Contemporary Mathematics, vol. 418, = (··· ((n , id) · P ? z ? (x (t), s ) b A b1 b1 pp. 1-34, 2006. −1 ?(xb2 (t), sb2 )) ? ··· ) ? (xbl (t), sbl ) ? z . [2] I. Anshel, M. Anshel, D. Goldfeld, “An algebraic method for public-key cryptography,” Mathematics 5) Security Analysis: Research Letter, vol. 6, pp. 287-291, 1999. α For simplicity, we assume that the matrix na = m0 [3] I. Anshel, D. Atkins, D. Goldfeld, P. Gunnells, “De- for a secret α ∈ ZZ+. If Eve intercepts the public feating the Ben-Zvi, Blackburn, and Tsaban Attack data PA and PB and tries to break the shared key on the Algebraic Eraser,” IACR ePrint 2016/044. α K, it is sufficient to merely solve the matrix m0 and [4] E. Artin, “Theory of braids,” Annal of Mathematics, the element z ∈ M o Sn. First, Eve diagonalizes the vol. 48, pp. 101-126, 1947. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 289

[5] D. Atkins, Algebraic Eraser: A Lightweight, Effi- [22] B. Fine, M. Habeeb, D. Kahrobaei, G. Rosenberger, cient Asymmetric Key Agreement Protocol for use Aspects of Nonabelian Group Based Cryptography: A in No-Power, Low-Power, and IoT Devices, 2015. Survey and Open Problems, 2011. (https://arXiv: (csrc.nist.gov/groups/ST/lwc-workshop2015/ 1103.4093v2) papers/session8-atkins-paper.pdf) [23] N. Franco, J. Gonz´alez-Meneses,“Conjugacy prob- [6] D. Atkins, D. Goldfeld, Addressing the Algebraic lem for braid groups and garside groups,” Journal of Eraser Diffie-Hellman Over-the Air Protocol, 2015. Algebra, vol. 266, pp. 112-132, 2003. (http://eprint.iacr.org/2016/205.pdf) [24] D. Freeman, The Discrete Logarithm Problem in Ma- [7] D. Atkins, P. E. Gunnells, Algebraic Eraser: trix Groups, 2004. A Lightweight, Efficient Asymmetric Key [25] D. Grigoriev, “Public-key cryptography and in- Agreement Protocol for use in No-Power, variant theory,” Journal of Mathematical Sciences, Low-Power, and IoT Devices, 2015. (http: vol. 126, no. 3, pp. 1152-1157, 2005. //csrc.nist.gov/groups/ST/lwc-workshop2015/ [26] D. Grigoriev, A. Kojevniko, S. Nikolenko, Invariant- presentations/session8-atkins-gunnell.pdf) based Cryptosystem and Their Security Against Prov- [8] A. Ben-Zvi, S. R. Blackburn, B. Tsaban, “A Practical able Worst-Case Break, Technical Report 158, Max- Cryptanalysis of the Algebraic Eraser,” 2016. (https: Planck-Inst, Preprints, 2007. //arXiv:1511.03870v2) [27] D. Grigoriev, I. Ponomarenke, “Constructions in [9] G. Baumslag, B. Fine, X. Xu, “Cryptosystems us- public-key cryptography over matrix groups,” Con- ing Linear Groups,” Applicable Algebra in Engineer- temporary Mathematics: Algebraic Methods in Cryp- ing, Communication and Computing, vol. 17, no. 3-4, tography, vol. 418, pp. 103-120, 2007. pp. 205-217, 2006. [28] S. D. Hasapis, D. Panagopoulos, “A survey of group- [10] G. Baumslag, B. Fine, M. Kreuzer, G. Rosenberger, based cryptogrsphy,” Journal of Applied Mathematics A Course in Mathematical Cryptography, De Gruyter, & Bioinformatics, vol. 5, no. 3, pp. 73-96, 2015. 2015. [29] M. Habeeb, D. Kahrobaei, C. Koupparis, V. Shpil- [11] S. Bigelow, “Braid groups are linear,” Journal of the rain, “Public key exchange using semidirect product American Mathematical, vol. 14, pp. 471-486, 2001. of (semi)groups,” Lecture Notes in Computer Science, [12] S. R. Blackburn, C. Cid, C. Mullan, Group The- vol. 7954, pp. 475-486, 2013. ory in Cryptography, 2010. (https://arxiv.org/ [30] U. Isik, Computational Problems in the Braid Group pdf/0906.5545) with Applications to Cryptography, 2005. [13] S. R. Blackburn, M. J. B. Robshaw, “On the security [31] D. Kahrobaei, M. Anshel, “Decision and search in of the algebraic eraser tag authentication protocol,” in non-abelian Cramer-Shoup public key cryptosystem,” 14th International Conference on Applied Cryptogra- Group Complexity Cryptology, vol. 1, no. 2, pp. 97- phy and Network Security (ACNS’16), Lecture Notes 115, 2009. in Computer Science, vol. 9696, pp. 3-17, 2016. [32] D. Kahrobaei, C. Koupparis, V. Shpilrain, “Public [14] J. M. Bohli, M. I. Gonza´lez Vasco, C. Mart´ınez,R. key exchange using matrices over group rings,” Group Steinwandt, ”Weak keys in MST1,” Design, Code and Complexity Cryptology, vol. 5, pp. 217-225, 2013. Cryptography, vol. 37, pp. 509-524, 2005. [33] D. Kahrobaei, H. T. Lam, V. Shpilrain, Public Key [15] Z. Busser, Braid Group Cryptography, 2009. Exchange using Extensions by Endomorphisms and [16] J. Cheon, B. Jun, “A polynomial time algorithm for Matrices over a Galois Field, Preprint, 2014. the braid Diffie-Hellman conjugacy problem,” in Ad- [34] D. Kahrobaei, V. Shpilrain, Using Semidirect Prod- vances in Cryptography (CRYPTO’03), Lecture Notes uct of (Semi)groups in Public Key Cryptography, 2016. in Computer Science, vol. 2729, pp. 212-224, 2003. (https://arXiv:1604.05542v1) [17] P. Dehornog, “Braid-based cryptography,” American [35] K. H. Ko, D. H. Choi, M. S. Cho, J. W. Lee, New Mathematical Society, vol. 360, pp. 5-33, 2004. Signature Scheme using Conjugacy Problem, 2002. [18] P. Dehornog, “Using shifted conjugacy in braid- (http://eprint.iacr.org/2002/168) based cryptography,” Contemporary Mathematics, [36] K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, vol. 418, pp. 65-94, 2006. J. S. Kang, C. Park, ”New public key cryptosys- [19] W. Diffie, M. E. Hellman, “New directions in cryp- tem using braid groups,” in Advances in Cryptology tography,” IEEE Transactions on Information Theory (CRYPTO’00), pp. 166-184, 2000. IT, vol. 22, pp. 644-654, 1976. [37] D. Krammer, “Braid groups are linear,” Annals of [20] J. Ding, A. Miasnikov, A. Ushakov, A Linear At- Mathematics, vol. 155, pp. 131-156, 2002. tack on a Key Exchange Protocol Using Extensions [38] W. Lempken, T. van Trung, S. S. Magliveras, W. of Matrix Semigroups, 2015. (http;//eprint.iacr. Wei, “A public key cryptosystem based on non-abelian org/2015/018) finite groups,” Journal of Cryptology, vol. 22, pp. 62- [21] M. Eftekhari, Cryptanalysis of Some Protocols using 74, 2009. Matrices over Group Rings, 2015. (http://arxiv. [39] K. Mahlburg, An Overview of Braid Group Cryptog- org) raphy, Preprint, 2004. International Journal of Network Security, Vol.20, No.2, PP.278-290, Mar. 2018 (DOI: 10.6633/IJNS.201803.20(2).09) 290

[40] S. S. Magliveras, “A cryptosystem from logarithmic [55] R. Steinwandt, “Loopholes in two public key cryp- signatures of finite groups,” in Proceeding of the 29th tosystems using the modular group,” Lecture Notes Midwest Symposium on Circuils and Systems, Elsevier in Computer Science, vol. 1992, pp. 180-189, 2002. Publishing Company, pp. 972-975, 1986. [56] E. Stickel, A New Public-Key Cryptosys- [41] S. S. Magliveras, D. R. Stinson, T. van Trung, “New tem in Non-Abelian Groups, 2003. (https: approaches to designing public key cryptosystems us- //www.semanticscholar.org) ing one-way functions and trapdoors in finite groups,” [57] E. Stickel, “A new method for exchanging secret Journal of Cryptology, vol. 15, pp. 285-297, 2002. keys,” in Proceedings of the Third International Con- [42] C. Monico, M. Neusel, “Cryptanalysis of a system ference on Information Technology and Applications using matrices over group rings,” Group Complexity (ICITA’05), pp. 426-430, 2005. Cryptology, vol. 7, no. 2, pp. 175-182, 2015. [58] P. Svaba, Covers and Logarithmic Signatures of finite [43] A. Myasnikov, V. Shpilrain, “A linear decomposition Groups in Cryptography, Dissertation, 2011. attack,” Group Complexity Cryptology, vol. 7, pp. 81- [59] B. Tsaban, “Polynomial-time solutions of computa- 94, 2015. tional problems in noncommutative-algebraic cryptog- [44] A. Myasnikov, V. Shpilrain, A. Ushakov, “A prac- raphy,” Journal of Cryptology, vol. 28, pp. 601-622, tical attack on a braid group based cryptographic 2015. protocol,” in Advances in Cryptology (CRYPTO’05), [60] M. I. G. Vasco, D. Hofheinz, C. Martinez, R. Stein- pp. 86-96, 2005. wandt, “On the security of two public key cryptosys- [45] A. Myasnikov, V. Shpilrain, A. Ushakov, Group- tems using non-abelian groups,” Designs, codes and based Cryptography, Birkh¨auserVerlag, 2008. Cryptography, vol. 32, pp. 207-216, 2004. [46] A. D. Myasnikov, A. Ushakov, “Quantum algorithm [61] N. R. Wagner, M. R. Magyarik, “A public key cryp- for the discrete logarithm problem for matrices over tosystem based on the word problem,” in Advances finite group rings,” Group Complexity Cryptology, in Cryptology (CRYPTO’84), Lecture Notes in Com- vol. 6, pp. 31-36, 2014. puter Science, vol. 196, pp. 19-36, 1985. [47] S. H. Paeng, K. C. Ha, J. H. Kim, S. Chee, [62] L. Wang, L. Wang, Z. Cao, E. Okamoto, J. Shao, C. Park, “New public key cryptosystem using fi- “New constructions of public-key encryption schemes nite non-abelian groups,” in Advance in Cryptology from conjugacy search problems,” in Information Se- (CRYPTO’01), Lecture Notes in Computer Science, curity and Cryptology, Lecture Notes in Computer Sci- vol. 2139, pp. 470-485, 2001. ence, vol. 6584, pp. 1-17, 2010. [48] V. Roman’kov, Linear Decomposition Attack on Pub- [63] X. Wang, C. Xu, G. Li, H. Lin, W. Wang, “Double lic Key Exchange Protocols using Semidirect Prod- shielded public key cryptosystems,” Cryptology ePrint ucts of (Semi)Groups, 2015. (https://arXiv:1501. Archive Report 2014/588, pp. 1-14, 2014. 01152v1) [64] A. Yamamura, “Public-key cryptosystems using [49] S. K. Rososhek, “New practical algebraic public-key the modular group,” in 1st Internationa Workshop cryptosystem and Some related algebraic and compu- on Practice and Theory in Public Key Cryptogra- tational aspects,” Applied Mathematics, vol. 4, no, 7, phy (PKC’98), Lecture Notes in Computer Science, pp. 1043-1049, 2013. vol. 1431, pp. 203-216, 1998. [50] S. K. Rososhek, “Modified matrix modular cryp- tosystems,” Britsh Journal of Mathematics & Com- puter Science, vol. 5, no. 5, pp. 613-636, 2015. Biography [51] P. Svaba, Covers and Logarithmic Signatures of Fi- nite Groups in Cryptography, Dissertation, 2011. Tzu-Chun Lin received the PhD in Mathematics from [52] P. Shor, “Polynomial-time algorithms for prime fac- the Faculties for Mathematics and Science of the Georg- torization and discrete logarithm problems,” SIAM August-University at G¨ottingen in Germany. She is an Journal on Computing, vol. 26, pp. 1484-1509, 1997. associate professor in the Department of Applied Math- [53] V. Shpilrain, A. Ushakov, The Conjugacy Search ematics of Feng Chia University in Taiwan, R.O.C.. Her Problem in Public Key Cryptography: Unneces- current research interests include commutative algebras, sary and Insufficient, 2004. (https://arXiv:math/ invariant theory of finite groups and public-key cryptog- 0411644v1) raphy. [54] V. Shpilrain, “Cryptanalysis of stickel’s key ex- change scheme,” Lecture Notes in Computer Science, vol. 5010, pp. 283-288, 2008.