arXiv:cs.CR/0501017 v2 28 Jan 2005 eiru cin,sml semirings. simple actions, semigroup Keywords: yaflosi rmteCne fApidMteaisa the at Mathematics Applied of Center the from fellowship a by ulcKyCytgah ae nSmgopActions Semigroup on based Public ∗ h uhr eespotdi atb S rn DMS-00-72383 grant NSF by part in supported were authors The rtcl,so o ti eae otegnrlDiffie-Hellma general W the set. to finite related examples. a is some on it exten (G-action) how we action show paper, semigroup protocols, this a a In of such curve. setting that elliptic the suggested an over [10] group Koblitz the and with [21] Miller when depth eeaiaino h rgnlDffi-ela e exchange key Diffie-Hellman original the of generalization A ulckycytgah,Dffi-ela rtcl n-a t one-way protocol, Diffie-Hellman cryptography, key Public itrhrrt 9,C-07Zrc,Switzerland Zurich, CH-8057 190, Winterthurerstr itrhrrt 9,C-07Zrc,Switzerland Zurich, CH-8057 190, Winterthurerstr eateto ahmtc n Statistics and Mathematics of Department ubc,T 90-02 USA 79409-1042, TX Lubbock, e-mail: e-mail: e-mail: oci Rosenthal Joachim ea ehUniversity Tech Texas ahmtc Institute Mathematics ahmtc Institute Mathematics aur 9 2005 19, January nvriyo Zurich of University nvriyo Zurich of University hi Monico Chris G´erard Maze [email protected] [email protected] Abstract [email protected] nvriyo or Dame. Notre of University h eodato a losupported also was author second The . uhagnrlzto to generalization a such d e xhneadgive and exchange key n en hs extended these define e n( in rtclcudb used be could protocol Z /p Z ) ado functions, rapdoor ∗ on new a found ∗ 1 Introduction

The problem is the basic ingredient of many cryptographic protocols. It asks the following question:

Problem 1.1 Let G be a fixed group and let g, h G be arbitrary elements. Find an integer ∈ n N such that gn = h. ∈ Problem 1.1 has a solution if and only if h g , the cyclic group generated by g. If h g ∈h i ∈h i then there is a unique integer n satisfying 1 n ord(g) such that gn = h. We call this ≤ ≤ unique integer the discrete logarithm of h with base g and we denote it by logg h. Protocols where the discrete logarithm problem plays a significant role are the Diffie- Hellman key agreement [4], the ElGamal public key cryptosystem [5], the algorithm (DSA) and ElGamal’s signature scheme [20]. In the sequel we outline two of these protocols and we refer the interested reader to [20] for further details. The Diffie-Hellman protocol [4] allows two parties, say Alice and Bob, to exchange a secret key over some insecure channel. In order to achieve this goal Alice and Bob agree on a group G and a common base g G. Alice chooses a random integer a N and Bob ∈ ∈ chooses a random integer b N. Alice transmits to Bob ga and Bob transmits to Alice gb. ∈ Their common secret key is k := gab. It is one of the open questions in public key cryptography if breaking the Diffie-Hellman protocol is computationally equivalent to solving the underlying discrete logarithm problem. It has been shown by Maurer [17] that such an equivalence exists under additional assump- tions. In either case it is sufficient for breaking the Diffie-Hellman protocol to solve the discrete logarithm problem. The ElGamal public key cryptosystem [5] works in the following way: Alice chooses n N, h, g G, where h = gn. The private key of Alice consists of (g, h, n), the public ∈ ∈ key consists of (g, h). Bob chooses a random integer r N and with this he applies the ∈ function

ε : G G G −→ × m (c ,c ):=(gr, mhr) −→ 1 2

Alice, who knows n = logg h readily computes m from the (c1,c2):

n −1 m = c2(c1 ) .

In order for the protocol to work it is required that multiplication and inversion inside the group G can be efficiently done and it should be computationally infeasible to compute a discrete logarithm with base g G. As in the case of the Diffie-Hellman protocol it is an ∈ open question if the in-feasibility of computing the discrete logarithm n = logg h implies the security of the protocol. In the literature many groups have been proposed as candidates for studying the discrete logarithm problem. Groups which have been implemented in practice are the multiplicative group (Z/nZ)∗ of integers modulo n, the multiplicative group F∗ = F 0 of nonzero \ { } elements inside a finite field F and subgroups [12, 25] of these groups. In recent time there

2 has been intense study of the discrete logarithm problem in the group over an elliptic curve [2, 10, 21, 20] or more generally the group over an abelian variety [6]. In this paper, we show how the discrete logarithm problem over a group can be seen as a special instance of an action by a semigroup. The idea of using (semi)group actions for the purpose of building one-way trapdoor functions is not a new one. Indeed Yamamura [28] has been considering a group action of Sl2(Z) and Blackburn and Galbraith [1] have been investigating the system of [28]. It seems however that the key exchange protocols given in these papers differ from the setting we are presenting in this paper. The interesting thing is that every semigroup action by an abelian semigroup gives rise to a Diffie-Hellman key exchange. With an additional assumption it is also possible to extend the ElGamal protocol. In the next section we explain this in detail.

2 The generalized Diffie-Hellman and ElGamal proto- cols in the context of semigroup actions

Consider a semigroup G, i.e., a set that comes with an associative multiplication ‘ ’. In · particular we do not require that G has either an identity element or that each element has an inverse. However, without loss of generality, we will always assume that the semigroup has an identity. We say that the semigroup is abelian if the multiplication is commutative. · Let S be a finite set and consider the (left) action of G on S:

ϕ : G S S × −→ (g,s) gs 7−→ We will refer to this action as a G-action on the set S. By the definition of a semigroup action we require that (g h)s = g(hs) for all g, h G and s S. A right action is similarly · ∈ ∈ defined. We now the protocols one can define based on semigroup actions:

Protocol 2.1 (Extended Diffie-Hellman Key Exchange) Let S be a finite set, G an abelian semigroup and an action of G on S as defined above. The Extended Diffie-Hellman key exchange, abelian case, is the following protocol:

1. Alice and Bob agree on an element s S. ∈ 2. Alice chooses a G and computes as. Alice’s private key is a, her public key is as. ∈ 3. Bob chooses b G and computes bs. Bob’s private key is b, his public key is bs. ∈ 4. Their common secret key is then

a(bs)=(a b)s =(b a)s = b(as) · ·

3 As in the situation of the discrete logarithm problem it is possible to construct ElGamal one-way trapdoor functions which are based on group actions: assume that the set S has in addition some group structure with respect to some binary operation . We would like to ◦ stress that the group structure of S is unrelated with the binary operation on the semigroups. Protocol 2.2 (Extended ElGamal Public Key Cryptosystem) Let S be a finite set, G an abelian semigroup and an action of G on S as defined above. If S is a group with respect to some operation , then the extended ElGamal public key system, abelian case, is ◦ the following protocol: 1. Alice chooses elements s in S and a G. Alice’s public key is (s,as). ∈ 2. Bob chooses a random element b G and encrypts a message m using the encryption ∈ function (m, b) (bs, (b(as)) m)=(c ,c ). 7−→ ◦ 1 2 3. Alice can decrypt the message using m =(b(as))−1 (b(as)) m =(ac )−1 c . ◦ ◦ 1 ◦ 2 One would build a cryptosystem on such a G-action only if the following problem is hard: Problem 2.3 (Semigroup Action Problem (SAP)): Let G be a semigroup acting on a set S. Given elements x S and y Gx, find g G such that gx = y. ∈ ∈ ∈ If an attacker, Eve, can find an α G such that αs = as, then Eve may find the shared ∈ secret by computing α(bs)=(α b)s = b(αs)= b(as). · Although the semigroup G need not be finite, the finiteness of S is sufficient in order to provide a bound for the size of the data during the communication. Nevertheless, if the action preserves the “size” of s with respect to some fixed representation, finiteness of S is not necessary. Remark 2.4 The traditional Diffie-Hellman key exchange and ElGamal protocol are special instances of Protocol 2.1 and Protocol 2.2. For this let: G be the semigroup (Z, ) of integers. • · S be a cyclic group H where the discrete logarithm problem is believed to be difficult. • s is a generator of the group H and the action is defined by • ϕ : Z H H × −→ (n, s) sn. 7−→ The identity sab =(sa)b simply says that ϕ is a commutative G-action and the reader readily verifies that Protocols 2.1 and 2.2 reduce to the traditional protocols in this case. Of course, there is an analogue version of the Diffie-Hellman Problem stated in terms of semigroup. Problem 2.5 (The Diffie-Hellman Semigroup Problem) Let G be a finite abelian semigroup, S a finite set and a semigroup action of G on S. Given x, y, z S with · ∈ y = g x and z = h x for some g, h G, find (gh) x S. · · ∈ · ∈

4 2.1 Generic attacks on the SAP First, we should examine the brute force attack. Suppose Eve intercepts as and bs through an insecure channel and wants to decode the ciphertext a(bs)= b(as). She may want to try the brute force attack to solve Problem 2.3: she computes gs for all possible g G until she ∈ finds some α with αs = as. She is then able to break the system as explained above. To avoid this attack, Bob and Alice must choose G and S sufficiently large and select a good candidate for s. Namely, if G = α G αs = as Eve { ∈ | } then the different parameters G, S, s must be chosen such that the size of GEve is small with respect to the size of G. If G has the structure of a group (and not just a semigroup) then GEve is simply a left coset of the stabilizer group Stab(s)= g G gs = s { ∈ | } and in this case we are requiring that the quotient group G/Stab(s) is large. For a general abelian semigroups G we observe that Stab(s) is still a sub-semigroup of G and every element α a Stab(s) has the property that α G , i.e., a Stab(s) G . ∈ ∈ Eve ⊂ Eve Again in this case we require that Stab(s) is small in comparison to G. Note also that every sub-semigroup H of G gives rise to an equivalence relation on S. If one has the ability to efficiently compute canonical representatives for the equivalence classes (among other things), this could potentially be used to an attacker’s advantage. But as we will see in Section 4, this is not always an easy task. The known generic algorithms for DLP such as Pollard’s rho, Pollard’s lambda or Shank’s baby-step-giant-step all need at some point the existence of inverses in the group where the DLP takes place. In the context of index search, the situation is not different. U. Maurer and S. Wolf [18] considering a Generic Index Search Problem in an indexed set S with S = N | | allow the indices to be added modulo N, which is equivalent to consider the action of the additive group Z/NZ over S and once again the complexity lower bound is O(√N). In [22], the author was able to extend a version of Pollard’s rho to the context of semigroup action if the semigroup is a group. Let us consider the main idea of the algorithm. We want to solve the SAP with a group G, a set S and parameters x and y with y = g x for some · g G. The idea is to find a collision in a random sequence of type a1 x, b1 y, a2 x, b2 y, ... . ∈ { · · −· · } With probability 1/2 the collision will take the form a x = b y and since b 1 exists, the i · j · j collision can be turn into the solution y = (b−1a ) x. Invoking the Birthday paradox [20], j i · the overall average complexity of the algorithm is O( G x ). | · | If the semigroup is not a group, the previous algorithm doesn’t apply; indeed Pollard’s p root attack described in [22] will provide with high probability a collision a x = b y i · j · where bj is non-invertible. However, if the semigroup possesses a “large” sub-group, then a decent upper bound can still be reached. Let G = g G g−1 exists and G = G G . 1 { ∈ | } 0 \ 1 In any case one may try to find a solution of the equation y = g x in G by exhaustive · 0 search. If no solution has been found, then one can restrict the SAP instance in G to the SAP instance in G1, which is a group. We can therefore apply the Pollard’s square root attack described earlier. Clearly this algorithm has an expected running time bounded by G + O( G x ). This gives the next proposition. | 0| | 1 · | p 5 Proposition 2.6 Let G be a semigroup acting on S and consider the SAP instance with parameters x and y = g x. Let G = G G be the partition described above. If G = · 0 ⊔ 1 | 0| O( G x ) then there exists an algorithm to solve the SAP instance in expected running | · | time bounded by O( G x ). p | · | In other words,p if G is not “far” from being a group and the orbit of x is, as expected, relatively large, then there is still a square root attack to the SAP. We believe however that the previous algorithm reaches the lower bound for generic algorithms.

Conjecture 2.7 Let G be a semigroup acting on a set S and consider the semigroup action problem (SAP) where G acts on S. Let G be the largest sub-group of G and G = G G . 1 0 \ 1 Then any generic algorithm that solve the SAP needs in average at least O( G + G ) | 0| | 1| semigroup operations. p 3 Linear abelian semigroup actions over fields

This section is about linearity in the sense that there is a way to see the semigroup action as a matrix action on some vector space. We show that if the correspondence between the two approaches is computationally feasible, then the Diffie-Hellman semigroup problem and the semigroup action problem may be solved easily. Let us describe the situation more specifically. Let F = Fq be the field with elements. Suppose we are given an action G S S, with G a finite abelian semigroup and S a finite set, a semigroup homomorphism × −→ ρ : G Mat (F) (with multiplication as operation) and an embedding ψ : S Fn such −→ n −→ that for all g G,s S one has ∈ ∈ ψ(g s)= ρ(g)ψ(s). ·

So ρ(G) is a commutative sub-semigroup of Matn(F). Let F[G] be the commutative subal- gebra of Matn(F) generated by the elements of ρ(G). Suppose there exists polynomial time algorithms that compute the values of these maps and polynomial time algorithms that compute ρ−1(M) for each M ρ(G) and ψ−1(v) ∈ for each v ψ(S). The next theorem does not take in consideration the speed of these ∈ algorithms. It only describes what can be done at the level of the linear algebra without taking consideration of the reduction itself.

Theorem 3.1 Let G, S, ρ and ψ be as above and let k = dimF F[G]. Then:

1. There exists a polynomial time reduction of the Diffie-Hellman semigroup problem to a linear algebra problem over F that can be solved in O(k2n + n3) field operations.

2. Let N = F[G] / G . There exists a polynomial time reduction of the SAP to a linear | | | | algebra problem over F that can be solved in O(N(k2n + n3)) field operations.

Proof: Let x, y = g x and z = h x be three elements of S with u,v and w their images in · · Fn. We consider the semigroup action problem instance with parameters x and y and the Diffie-Hellman semigroup problem instance with additional parameter z.

6 1. Suppose we have chosen randomly k different elements M , ..., M in F[G] Mat (F). 1 k ⊂ n This can be done easily via the map ρ. The probability that this family is in fact a basis of the vector space F[G] over F is equal to the probability P that a random matrix chosen in Matk(F) is invertible, which satisfies

P = Prob(M1, ..., Mk is a basis of F[G]) GL (F) = | k | Mat (F) | k | (qk 1)(qk q)...(qk qk−1) = − − 2 − qk 1 1 1 = 1 1 ... 1 − q − q2 − qk       1 > 1 > 0.28 > 1/4. (3.1) − 2n n>1 Y  

See [13] for the cardinality of GLk(F). Suppose for the moment that = M1, ..., Mk F B { } is a basis of [G]. If k > n we extract a sub-family of cardinality n say Mi1 , ..., Min of M1, ..., Mk such that

SpanFn M 1 u, ..., M u = SpanFn M u, ..., M u . { i in } { 1 k } Note that this is always possible and can be done in O(k2n) field operations (see [3]). If k < n then we may simply complete with enough zero matrices to have a family B of cardinality n. Let us consider the following equations with unknown a , ..., a F 1 n ∈ and b , ..., b F: 1 n ∈

(a1Mi1 + ... + anMin ) u = v

and (b1Mi1 + ... + bnMin ) u = w. (3.2)

If is a basis, then both possess at least one solution because of the property of B t t the family Mi1 , ...M1n . If a = [a1, ..., an] and b = [b1, ..., bn] then Equations 3.2 are equivalent to the following :

[M 1 u ... M u] a = v i | | in and [M 1 u ... M u] b = w, i | | in and therefore both possess a solution that can be found by solving an n n system × of linear equations in F. If the previous systems do not each have a solution, then we choose another family M1, ..., Mk and restart the process; the number of trials is expected to be less than 4 by Inequality 3.1. Therefore we can find the vectors a and b in O(n3) field operations. The matrices

Mg = (a1Mi1 + ... + anMin )

and Mh = (b1Mi1 + ... + bnMin )

7 satisfy MgMh = MhMg , Mgu = v and Mhu = w.

Let σ = MgMhu = MhMgu. Since Mgu = ρ(g)u and Mhu = ρ(h)u, we have

σ = M M u = ρ(g)ρ(h)u = ψ((gh) x)= ψ−1(σ)=(gh) x g h · ⇒ · which shows that the Diffie-Hellman semigroup problem instance can be solved after a resolution of a family of problems that take O(k2n + n3) operations over F.

2. The matrix Mg above belongs to ρ(G) with probability 1/N. Therefore the number of trials before reaching this state is O(N). If M ρ(G), theng ˜ = ρ−1(M ) is a solution g ∈ g to the semigroup action problem since ψ(y)= M ψ(x)= ψ(˜g x). g ·

Here are some examples where the previous theorem holds or can be used:

Example 3.2 Let M be a n n matrix with entries in F = F and G = F[M] acting on × q Fn. If the minimal polynomial of M is m(x) then Cayley-Hamilton Theorem shows that F F 6 [M] ∼= [x]/(m(x)) and the latter is a vector space of dimension k = deg m n. In such a situation, both the semigroup action problem and Diffie-Hellman semigroup problem are trivial.

Example 3.3 This example comes from invariant theory (see e.g. [27] for an introduction to this classical subject). We will consider a contragradient matrix action on the ring of polynomials. Fix a finite field F = Fq, an integer d and an abelian sub-semigroup G of Matn(F). Let Vd be the vector space over F of polynomials in F[x1, ..., xn] of total degree less or equal to d. The action we are considering is

G V V × d −→ d (A, f(x)) A f = f((Ax)t) 7−→ · t where x = [x1, ...xn] and Ax is the usual matrix multiplication. This action is linear since N A (f + g)= A f + A g. If N = dimF Vd then we can naturally embed Vd in F after having · · · e1 chosen the basis = x ...xen e 6 d of V . This makes the map ψ easy to compute B { 1 n | i } d and to invert. For sake of clarity, we suppose that = v = x , ..., v = x , v , ..., v . B { 1 1 n n n+1 N } We define the map ρ : G MatP(F) as follows: −→ N N n ek

ρ(A)ij =(A vj)i = aklxl · ! ! Yk=1 Xl=1 i e1 en where vj = x1 ...xn . So ρ gives the matrix representation of the linear map induced by th th the action since the j column of ρ(A) is the image of the j basis vector vj. Since all the polynomials have degree less or equal to d, the right-hand-side can be computed in O(Nnd log d) field operations (see [26, Chapter 1]). Note that if M ρ(G), then we can ∈

8 easily find A such that ρ(A)= M since the ith row of A is contained in the n first components of the ith column of M. Indeed, if 1 6 i 6 n then

n n ith column of M = A v = a x = a v . · i ij j ij j j=1 j=1 X X Once again the previous theorem holds and makes the Diffie-Hellman semigroup problem as hard as the linear algebra problem in FN . However note that in that case the semigroup action problem problem may still be difficult since the ratio G / F[G] may take very small | | | | values because of the big dimension expansion from n to N.

4 Linear actions of abelian semirings on semi-modules

In this section we show a way on how to construct abelian semigroup actions on finite sets in a practical algebraic way. The trapdoor function we obtain will rely on a finite version of a difficult control problem, namely the problem of steering the state of some dynamical system from an initial vector to some final location. The setup is general enough that it includes the Diffie-Hellman protocol over a general finite group as a special case. It provides on the other hand the flexibility to construct new protocols where some of the known attacks against the discrete logarithm problem in a finite group do not work anymore. Let R be a semiring, not necessarily finite. This means that R is a semigroup with respect to both addition and multiplication and the distributive laws hold. It is understood that the semiring is commutative with respect to addition. Some authors assume that a semiring has a neutral element with respect to addition. We will not assume that R has either a zero or a one. Let M be a finite semimodule over R. With this we mean that M has the structure of a finite semigroup and there is an action:

R M M × −→ such that r(sm)=(rs)m, (r + s)m = rm + sm and r(m + n)= rm + rn for all r, s R and m, n M. ∈ ∈ Let Mat(R) be the set of all n n matrices with entries in R. The semiring structure on × R induces a semiring structure on Mat(R). Moreover the semimodule structure on M lifts to a semimodule structure on M n via the matrix multiplication:

Mat(R) M n M n (4.1) × −→ (A, x) Ax. 7−→ The action (4.1) forms a group-action of the multiplicative group of Mat(R) on the set M n. In general Mat(R) is not commutative with respect to matrix multiplication. However we can easily define a commutative subgroup as follows:

9 Let C R be the center of R i.e., the subset of R consisting of elements that commute ⊂ with any other elements. Let C[t] be the polynomial ring in the indeterminant t and let A Mat(R) be a fixed matrix. If ∈ p(t)= r + r t + + r tk C[t] 0 1 ··· k ∈ then we define in the usual way p(A) = r I + r A + + r Ak, where r I is the n n 0 n 1 ··· k 0 n × diagonal matrix with entry r0 in each diagonal element. Consider the semigroup

G := C[A] := p(A) p(t) C[t] . { | ∈ } Clearly C[A] has the structure of an abelian semigroup. Protocol 2.1 then simply requires that Alice and Bob agree on a vector s M n. Then Alice chooses a matrix X C[A] and ∈ ∈ sends to Bob the vector Xs, an element of the module M n. Bob chooses a matrix Y C[A] ∈ and sends to Alice the vector Ys. The common key is then the vector XYs which both can compute since X and Y commute. It is possible to give the key exchange a systems theoretic interpretation. For this note that in order to choose X C[A] Alice has to choose r ,...,r R and with this she can ∈ 0 k ∈ compute Xs =(r I + r A + + r Ak)s = r s + r As + + r Aks. 0 n 1 ··· k 0 1 ··· k Consider now the linear time invariant system:

x = Ax + u s, s,x M n,u R. (4.2) t+1 t t t ∈ t ∈

Assume further that x0 = 0. (If M has no zero we can simply assume that the system is initialized through x = u s, x = Ax +u s for t 1.) If Alice chooses the input sequence 1 0 t+1 t t ≥ u0 = rk, u1 = rk−1 ...,uk = r0 then xk+1, the state vector at time k + 1 is exactly Xs, the public vector to be computed by Alice. Once Alice receives from Bob his public key Ys, then she defines b := Ys and by choosing her input sequence u0,...,uk in the system

xt+1 = Axt + utb, (4.3)

she will be able to compute the common secret key XYs. Eve who wants to find an element X˜ C[A] such that Xs˜ = Xs faces the task of finding ∈ a control sequence u0,...,uk which steers the initial state vector x0 into the state vector Xs. This problem is in general very hard and we will see that it contains some of the hardest known discrete logarithm problems as a special case. In the special case when R = M = F, a finite field then the problem is however simply solved by Theorem 3.1 In the following subsection we show that this simple linear algebra procedure breaks down if we with more general rings and modules:

10 4.1 A matrix action on abelian groups In this subsection take as a ring R = Z, the integers and as module any finite abelian group M = H. The group H is a Z module and Mat(Z) operates on S := Hn = H . . . H via × × the formal multiplication:

g1 a11 ... a1n g1 ...... (4.4)   7−→     gn an1 ... ann gn             If l = lcm g ,..., g , and C Mat(Z) is a matrix with all entries congruent to zero {| 1| | n|} ∈ modulo l, then (A + C)g = Ag for all A Mat(Z). Whence, we may simply consider the ∈ action of Mat(Z/lZ) on S.

Remark 4.1 If one writes the group operation in a multiplicative way then the jth com- n ponent in Hn is given as (A g) = gaji . If n = 1 then the action reduces to the action · j i i=1 g ga, i.e. we deal with the usualY discrete logarithm problem in the cyclic subgroup of 7−→ H generated by the element g = g1. In particular when n = 1 Protocols 2.1 and 2.2 reduce to the usual Diffie-Hellman and ElGamal protocol. If n > 1 we do not know however if a reduction of the general case to a small number of discrete logarithm problems can be achieved in polynomial time.

As before, since Mat(Z/lZ) is not commutative and based on the Cayley Hamilton theo- rem we will restrict ourselves to the abelian sub-semigroup (Z/lZ)[A] consisting of all sums n−1 i of the form i=0 aiA . The question now arises of how one can attack this system. E.g. one could imagine that H is the abelianP group over an elliptic curve or the abelian group over a more general abelian variety. As mentioned before if n = 1 we have to deal with the discrete logarithm problem over this group. We therefore believe that the best one can hope for is some polynomial time reduction to a collection of discrete logarithm problems over some cyclic group(s). Such a reduction, while not necessarily fatal to security, would probably make the system less efficient (with respect to /security ratio) than a system based on the corresponding DLP. i.e., it would certainly be less efficient given the equivalence of DHP and DLP. The problem: Given g,Ag Hn, find X˜ (Z/lZ)[A] with Xg˜ = Xg is the instance of ∈ ∈ Problem 2.3 that this system presents. We therefore could try to see if there is once more a linear system of equation which can solve similar to the situation when R = M = F a finite field. n−1 i For this assume once more that X = i=0 aiA . Again we have a system of linear equations, as in equation (1): P

h1 a0 . n−1 .  .  := Xg = g,Ag,...,A g  .  . (4.5) hn an−1          

11 In this system of equations the unknowns are a0,...,an−1 Z/lZ The coefficient matrix n−1 ∈ [g,Ag,...,A g] as well as the entries hi of the vector Xg are elements of the abelian group. The question now arises if there is a chance to reduce this system of equation to solve a regular discrete logarithm problem in a finite group. There are two special case attacks that must be avoided:

Lemma 4.2 Let A Mat(Z/lZ) and g, h Hn and suppose that X (Z/lZ)[A] is un- ∈ ∈ ∈ known. If one can construct, in polynomial time, an invertible matrix S Mat(Z/lZ) such ∈ that SAS−1 is diagonal then solving the equation Xg = h polynomial time reduces to solving n discrete logarithm problems in H.

Proof: By assumption, all arithmetic in H can be done in polynomial time as well as finding n i Z Z an S satisfying the hypothesis. Let X = p(A) with p(t) = i=0 ait ( /l )[t]. Let −1 ′ ′ ∈ S GLn(Z/lZ) with SAS = diag(d1, ..., dn)= D. Set h = Sh and g = Sg, and one has: ∈ P h′ = Sh = SXg = Sp(A)g = p(SAS−1)g′ = p(D)g′

Thus, Xg = h p(d ) g′ = h′ ⇐⇒ i · i i ′ m ′ ′ Solving the n discrete logarithm problems, (g ) = h gives n linear equations p(d ) = log ′ h i i i i gi i with the n unknowns ai, the coefficients of the polynomial p(t).

We would like to stress that a diagonalization of A over some extension ring (Z/lZ)[ζ] ⊃ Z/lZ will help little. Indeed it is not clear how one should interpret the multiplication of an element in H with an element in (Z/lZ)[ζ] in general. The above reduction is therefore easily avoided if one chooses a matrix A whose characteristic polynomial does not factor over Z/lZ. There is another situation where one can show that the problem reduces to a discrete logarithm problem in a cyclic group. This can happen when all elements gi are elements of a cyclic group:

Lemma 4.3 If there exists γ H with g γ for all i then solving the equation Xg = h ∈ i ∈ h i polynomial time reduces to solving 2n discrete logarithm problems in γ . h i Proof: There are n discrete logarithm problems of the form l γ = g . Let l = (l , ..., l ), i · i 1 n then n−1 n−1 h = Xg = a Ai g a Ail = log h i · ⇐⇒ i γ j i=0 ! i=0 ! X X j which gives another n discrete logarithm problems and a system of n linear equations with at most n unknowns as before.

Having described the special cases to be avoided, we present the best known attack and reduction of this system. We will first give a that depends only on l and n. We will then show that a reduction of this system to the case where l = pk, for p prime.

12 Algorithm 4.4 (Birthday Attack) Input: h ,...,h H, D =(g ) Mat(H), l = lcm g . 1 n ∈ ij ∈ {| ij|} Output: r ,...,r Z/lZ such that 1 n ∈

h1 r1 . .  .  = D  .  hn rn         1. Choose random functions ρ : (Z/lZ)n (Z/lZ)n and γ : Z/lZ Z/lZ Choose −→ −→ random starting points: (0) r1 .  .  r(0)  n    and c0 Z/lZ. Set ∈ (i+1) (i) r1 r1 . .  .  = ρ  .  r(i+1) r(i)  n   n      and ci+1 = γ(ci). 2. Use Floyd’s cycle-finding algorithm to find i = j such that c c is invertible modulo 6 i − j l and (i) (j) h1 r1 h1 r1 . . . . ci  .  + D  .  = cj  .  + D  .  (i) (j) hn r hn r    n     n          3. Set

r = (c c )−1(r(j) r(i)) 1 i − j 1 − 1 . . r = (c c )−1(r(j) r(i)) n i − j n − n

And output r1,...,rn.

Note that if the algorithm terminates, the output is clearly correct. If ρ or γ are chosen poorly, the algorithm may not terminate. Some authors insist that an algorithm always terminate, but we can easily add steps to detect this condition and restart with different choices in step 1 or terminate with a failure message. Analysis of Algorithm 1: First we show that for any fixed d Z/lZ and ∈

s1 .  .  sn     13 there exists c Z/lZ and ∈ r1 .  .  r  n  satisfying the termination conditions: d c is invertible and −

h1 s1 h1 r1 . . . . d  .  + D  .  = c  .  + D  .  hn sn hn rn                 For this, note that a solution exists by assumption. Thus, assume t Z/lZ with i ∈

h1 t1 . .  .  = D  .  h t  n   n      Let c be any element of Z/lZ such that d c is invertible. Set −

r1 = s1 +(d c)t1 . − . r = s +(d c)t n n − n and notice that:

h r h s +(d c)t 1 1 1 1 − 1 . . . . c  .  + D  .  = c  .  + D  .  hn rn hn sn +(d c)tn        −          s1 + dt1 h1 s1 . . . = D  .  = d  .  + D  .  s + dt h s  n n   n   n        Note that since there exist exactly φ(l) choices for c, we have actually shown that for any fixed d Z/lZ and ∈ s1 .  .  sn     there exist at least φ(l) distinct (c,r1,...,rn) satisfying the termination condition. In par- ticular, the probability that two randomly chosen points in the sequences terminate the algorithm is at least φ(l)/ln+1. This is greater than the uniform 1/ln+1, so that a lower bound on the asymptotic expected run time is O(l(n+1)/2).

14 Algorithm 4.5 (Pohlig-Hellman Type Reduction) Input: h ,...,h G, D =(g ) Mat(G). Assume that l = lcm g = pks, p prime and 1 n ∈ ij ∈ {| ij|} and gcd(p,s)=1. Output: r ,...,r Z/lZ such that 1 n ∈

h1 r1 . .  .  = D  .  hn rn         1. Use Algorithm 4.4 to find 0 u ,...,u

sh1 u1 . .  .  =(sD)  .  shn un         2. Use Algorithm 4.4 to find 0 v ,...,v

k r1 = u1ys + v1xp . . k rn = unys + vnxp

and output the ri.

Proof: Proof of correctness:

k r1 u1ys + v1xp u1 v1 . . . k . D  .  = D  .  = y(sD)  .  + x(p D)  .  k rn unys + vnxp un vn            k     sh1 p h1 h1 h1 . . k . . = y  .  + x  .  =(ys + xp )  .  =  .  k shn p hn hn hn                

15 Thus, to maximize the difficulty of the problem to be solved relative to the input size and these algorithms, one should choose the g so that l = lcm g ,..., g = pk for some i {| 1| | n|} prime p. The reader may wonder why we have given an algorithm so closely related to Pohlig- Hellman, yet we have no reduction from the pk case to the p case. The difficulty lies in the fact that there is not a unique solution (as long as the gi don’t all lie in one cyclic subgroup, which must be avoided by previous remarks anyway). Pohlig-Hellman reduces the pk case to the p case by essentially finding one digit at a time in the base-p expansion of the solution. However, in this case, there is no obvious way to insure that all digits found come from the same solution. That is, if one tries to apply the Pohlig-Hellman pk reduction in a straightforward way, the output will be, in general, incorrect.

4.2 Summary An implementation of this system should at least satisfy the following: 1. l = lcm g ,..., g = pk for some prime p and k> 1, with pk ‘large’. {| 1| | n|} 2. M is not diagonalizable over Z/lZ. Since diagonalization over extension rings doesn’t seem to help, an easy way to insure this is to require χM (t) to be irreducible over Z/lZ.

3. g1,...,gn do not lie in a common cyclic subgroup of G.

5 A two-sided abelian action based on simple semirings

Let us fix a finite semiring R, not embeddable in a field and not necessarily commutative. Given such a semiring, consider C, the center of R. Let us fix an integer n and denote by Rn the matrix semiring Matn(R). For a fixed element M in Rn, let us denote by C[M] the abelian sub-semiring generated by M, i.e., the semirings of polynomials in M with coefficient in C. Let M , M R and consider the following action: 1 2 ∈ n (C[M ] C[M ]) R R 1 × 2 × n −→ n ((p(M ), q(M )), A) p(M ) A q(M ). 1 2 7−→ 1 · · 2 This action is linear since

p(M ) (A + B) q(M )= p(M ) A q(M )+ p(M ) B q(M ). 1 · · 2 1 · · 2 1 · · 2 Because of this linearity, we avoid the case when R is a finite field (see Theorem 3.1) even if the initial SAP instance related to this semigroup action looks difficult.

Definition 5.1 A congruence relation on a semiring R is an equivalence relation such ∼ that ac bc ∼ ca cb a b =  ∼ ∼ ⇒ a + c b + c  ∼  c + a c + b ∼  16 for all possible choice of a, b and c. A semiring R is congruence-free, or simple, if the only congruence relations are R R and (a, a) a R . × { | ∈ } Any congruence relation gives the set R/ a natural structure of semiring and the ∼ quotient map R R/ becomes a semiring homomorphism. It is also clear that a −→ ∼ congruence relation on R induces a congruence relation on R for any n N. n ∈ For cryptographic purposes it is most important that the involved semirings are simple. This phenomenon leads to a situation that is close to the Pohlig-Hellman reduction for DLP in groups. Indeed any congruence relation on R yields a reduction of the SAP instance in a quotient semiring. As we would prefer to work in groups of prime orders to avoid a Pohlig-Hellman attack, we would like to work in simple semirings to avoid such a reduction. Monico [23] recently provided a partial classification of finite simple semirings. The following theorem gives a basis to build simple semirings. For this we first define:

Definition 5.2 A zero of a semiring R is an element ‘0’ such that a +0=0+ a = a and a 0=0 a = 0 for all a R. A one of a semiring R is an element ‘1’ such that a 1=1 a = a · · ∈ · · for all a R. ∈ Theorem 5.3 Let R be an additively commutative semiring with 1 and 0 and let n N. ∈ Then R is simple if and only if Rn is simple.

The previous theorem is a consequence of the following lemma.

Lemma 5.4 Let R be an additively commutative semiring with 1 and 0 and let be a ∼ congruence relation on Mat (R). Then there exists a congruence relation on R such that n ∼0 A B Mat R a b , 0 6 i, j 6 n. ∼ ∈ n ⇐⇒ ij ∼0 ij ∀ Proof: First, given such a semiring R, and M Mat (R), if M ′ is obtained from M by ∈ n a permutation of rows and columns, we prove there exist two invertible matrices S,P ′ ∈ Matn(R) such that M = SMP . Indeed, the statement is true if one consider matrices with entries in Z and the usual multiplication, i.e., there exist two permutation matrices (therefore with entries in 0, 1 ) such that M ′ = S M P with being the usual matrix multiplication. { } · · · It is then straightforward to verify that the same is true with the operation in R because of the properties of 0 and 1. Let us now prove the stated result. Let f : R Mat (R) −→ n be the map that sends a R to the diagonal matrix with first diagonal element a and ∈ zeros everywhere else. The map f is a semiring homomorphism. Let be the relation ∼0 on R defined by a b in R if and only if f(a) f(b) in Mat (R). Observe that is a ∼0 ∼ n ∼0 congruence relation on R. We prove now that the statement of the lemma is true for . ∼0 Let A, B Mat (R) and J = f(1). Let 0 6 i, j 6 n and S ,P Mat (R) be permutation ∈ n ij ij ∈ n matrices such that (SijAPij)11 = aij and (SijBPij)11 = bij.

Note that the matrices Sij and Pij exists in Matn(R) by the previous remark. Therefore JSijAPijJ = f(aij) and JSijBPijJ = f(bij).

17 Proof of : If A B then JS AP J JS BP J and therefore a b . ⇒ ∼ ij ij ∼ ij ij ij ∼0 ij Proof of : Clearly ⇐ −1 −1 −1 −1 A = Sij f(aij)Pij and B = Sij f(bij)Pij i,j i,j X X and since f(a ) f(b ), A B. ij ∼ ij ∼

The following provides two examples of finite simple semirings which are not rings.

Example 5.5 Consider the set S = 0, 1 with the operation max and min for addition and { } multiplication. One readily verifies that S has the structure of a finite simple semiring.

Note that polynomial time problems over Z, such as polynomial factorization, have been found to be NP-hard when considered over this semiring S [9]. The following example was found by computer search.

Example 5.6 Consider the set S = 0, 1, 2, 3, 4, 5 satisfying the following addition and 6,1 { } multiplication rules. + 0 1 2 3 4 5 0 1 2 3 4 5 · 0 0 1 2 3 4 5 0 0 0 0 0 0 0 1 1 1 1 1 1 5 1 0 1 2 3 4 5 2 2 1 2 1 2 5 2 0 2 2 0 0 5 3 3 1 1 3 3 5 3 0 3 4 3 4 3 4 4 1 2 3 4 5 4 0 4 4 0 0 3 5 5 5 5 5 5 5 5 0 5 2 5 2 5

S6,1 is a finite simple semiring with 6 elements.

In order that the two-sided semigroup action in the beginning of this section is difficult we would like that the sets C[M1] and C[M2] are large with regard to the matrix size n. The orders of the matrices M1 and M2 chosen to act on the matrix A on the left and on the right are of prime importance. Indeed the cardinality of the commutative semiring C[M] directly depends on the order of M. We study the “sizes” of the orbit of powers of elements in S where S = 0, 1 , max, min . We will see that these orders gives lower bounds for n {{ } } the maximum orders of elements in any semiring with 0 and 1. Note that since the semiring k Rn is finite any sequence M k∈N will eventually repeat, i.e., create a collision of the form ′ { } ′ M k = M k such that M k+t = M k +t for all t N. ∈ Definition 5.7 Let a be a sequence in a finite set such that a = a = a = a . The n m ⇒ n+1 m+1 order ord(a) of a is the least positive integer m such that there exists k 6 m with ak = am. The preperiod pr(a) of a is the largest non-negative integer m such that for all k > m we have a = a . The period p(a) of a is the least positive integer m such that there exists an k 6 m integer N with am+k = ak for all k > N. If g is an element of a semi-group, then we set n n n ord(g) = ord( g ∈N), p(g)= p( g ∈N) and p (g)= p ( g ∈N). { }n { }n r r { }n 18 Clearly ord(a)= p(a)+ pr(a). Returning to the situation of the multiplicative semigroup of S , we study the question “How large can the order of M S be?”. There already exist n ∈ n some results in this direction. To describe them, we recall that for a given oriented graph G, a strongly connected component (written SCC) of G is a sub-graph H of G inside which any two vertices i and j belong to a same oriented cycle and H is a maximal sub-graph with this property. Such a SCC is written H G. The period of a strongly connected component ⊆SCC is the maximum between the gcd of the length of its cycles and 1. We refer the reader to [14] for the details.

Proposition 5.8 Let M S and G be the directed graph whose adjacency matrix is M. ∈ n Then

1. p(M) = lcm period of H H is a SCC of G , { | } 3 2. The numbers p(M),pr(M) and ord(M) can be computed in O(n ) time.

This proposition is essentially in [7]. The algorithm given there computes p(M) in O(n3) time and an easy modification of it allows to computes pr(M) and therefore ord(M). We introduce now a function that play a crucial role: Landau’s function g. It is defined by

g(n) = max ordσ σ S { | ∈ n} = max lcm a , ..., a a > 0, a + ... + a = n . { { 1 m}| i 1 m } It was first studied by Landau [11] in 1903 who proved that

ln(g(n)) n ln(n) as n . (5.1) ∼ −→ ∞ In 1984, Massias [15] showed that for sufficientlyp large n,

ln ln(n) n ln(n) 6 ln(g(n)) 6 n ln(n) 1+ , (5.2) 2 ln(n)   p p the second inequality in 5.2 being true for all n. Clearly, the function g is increasing. In any case, we have

max lcm a , .., a , a + ... + a = n = exp (1 + o(1))√n ln n . { { 1 m} | 1| | m| }   On the other hand, the period of any SCC H G is less or equal to H and ⊂ | | H 6 n. | | H⊆ G XSCC Since the function g is increasing, Proposition 5.8 and Equation (5.1) give

p(M) 6 g H 6 g(n) = exp (1 + o(1))n1/2 ln1/2 n . | | H⊆ G ! XSCC   19 Further, it is not difficult to see that there always exists an oriented graph G with period g(n). Indeed if g(n) is reached by a partition a1 + ... + am = n, then a graph G built out of cyclic SCCs of order a satisfies p(M) = g(n). Such a matrix M S that reaches this i ∈ n bound is in fact a permutation matrix, and as such, it can be seen as an element of any semirings with 0 and 1. In other words, in any such semiring, the previous bound is reached:

Proposition 5.9 Let n N and R be a semiring with 0 and 1. Then ∈ max p(M) M R g(n) = exp (1 + o(1))n1/2 ln1/2 n . { | ∈ n} ≥   If R = S = 0, 1 , max, min , then the above inequality is an equality. {{ } }

The exact computation of g(n), or more precisely, of the partition a1 + ... + am = n that yield the maximum g(n), is necessary in order to build explicitly a matrix M S such ∈ n that p(M) = g(n). Indeed, the integer g(n) is always a product of primes less or equal to 2.86 n ln(n), c.f. [16]. Therefore the factorization of g(n) can be found in polynomial time in n. It is also known that the partition of n that gives the maximum lcm has parts that are p all prime powers, c.f. [8], and therefore the factorization of g(n) gives the expected partition directly. The algorithm given in [24] allows one to compute g(n) for large integers n, up to n = 32, 000, so the exact determination of the matrix M is not a problem. See Table 5.1 for a list of values of g(n) with the associated partition.

Table 1: Some values of Landau’s function g

n g(n) Associated partition 256 4243057729190280 8, 9, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 43 512 70373028815644182 1, 1, 1, 4, 9, 5, 7, 11, 13, 17, \ 5899620 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61 1024 855674708268439827 1, 1, 1, 16, 27, 25, 7, 11, 13, \ 7434193536488991600 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89

k For a given matrix M S , since S[M] M ∈N, we have ∈ n ⊃{ }k S[M] > ord(M) > p(M), | | and the last inequality can give S[M] > g(n) for a wisely chosen M. | | The following corollary shows that the size of the sets C[M] grows exponentially in n for suitable matrices M as soon as the center C contains the elements 0, 1 of a semiring. Such matrices can even be constructed in an efficient way.

20 Corollary 5.10 Let n N and R be a semiring with 0 and 1 and center C. Then there ∈ is an n n matrix M with entries in R such that the order of M is larger than g(n) in × particular the size of C[M] is larger than g(n) as well.

Example 5.11 Consider the semiring R = S as defined above. The elements 0, 1 are 6,1 { } in the center C of R. We will consider the matrix ring Rn with n = 20. In this situation the key size is 400 lg 6 = 1033 bits and the value of Laudau’s g function is g(20) = 1 4 3 5 7. · ∼ · · · · The matrices M1 and M2 below are based on the construction previously described, and the sparse matrix A has been chosen randomly. The matrix K corresponds to the equation K = p(M ) A q(M ) 1 · · 2 with unknown p and q in C[x].

10000000000000000000 00000000000000000010 00100000000000000000 00000000000100000000 00010000000000000000 00000010000000000000 00001000000000000000 00100000000000000000 01000000000000000000 00000000000000000004 00000010000000000000 00000000000000010000 00000002000000000010 01000000000000000000     00000100000000000000 00000000000000000100 00000000010000000000 00010000100000000000 00000000001000000000 00000000000310000000 M1 = 00000000000200000000 M2 = 00000000000000200000     00000000000010000000 00010000000000000100 00000000100000000000 00000000001000000000 00000000000000100000 00000100000000000000 00000000000000010000 00000000010000000000     00000000000000001000 00000001000000000000 00000000000000000100 10000000000000000000 00000000000000000010 00001000000000000000 00000000000000000001 00000000000000001000     00000000000001000000 00000000000001000000     00200000000000000100 02020000000204000200 01000000010001000000 00111411002100241114 00000001000000000030 30111011002000240134 20020000000010000000 12000020020200202034 00000010000000001000 22111424020100201110 00000005000100000001 12222020022220222212 00000000200010000001 11111014222124211122     01000000030000000003 21111014222124222124 00000002000000010001 00222020022022200200 01000100000010000000 00002000022020220000 A = 00000000000050100000 K = 00222020020000200200     00000000000004000000 00000000022022200000 00000000000000100500 00002000000000020200 00300000002000100000 03333404021324040300 00001000000200001000 02202420020020001010     00000002000000000100 01111014000104040104 00002000001000000000 32000020020220000034 00100000000100000000 11111014020104211104 00020001000000000030 31333424021124040334     10000001000010000001 12202420020000211014     We have chosen the parameters for illustration purposes. Although the task of finding the polynomials p, q could be formidable a brute force search is in the range of a modern PC.

21 References

[1] S.R. Blackburn and S.D. Galbraith. of two cryptosystems based on group actions. In Advances in Cryptology – ASIACRYPT ’99, volume 1716 of Lecture Notes in Computer Science, pages 52–61. Springer Verlag, Berlin, 1999.

[2] I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Lecture Note Series 265. London Mathematical Society, 1999.

[3] H. Cohen. A course in computational algebraic number theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, Berlin, 1993.

[4] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22(6):644–654, 1976.

[5] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31(4):469–472, 1985.

[6] G. Frey and M. M¨uller. Arithmetic of modular curves and applications. In Algorithmic algebra and number theory (Heidelberg, 1997), pages 11–48. Springer, Berlin, 1999.

[7] M. Gavalec. Computing matrix period in max-min algebra. Discrete Appl. Math., 75(1):63–70, 1997.

[8] J. Grantham. The largest prime dividing the maximal order of an element of Sn. Math. Comp., 64(209):407–410, 1995.

[9] K.H. Kim and F.W. Roush. Factorization of polynomials in one variable over the tropical semiring. Preprint available at arXiv:math.CO/0501167 v1 11 Jan 2005.

[10] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.

[11] E. Landau. Uber¨ die Maximalordnung der Permutationen gegebenen Grades. Archiv der Math. und Phys., pages 92–103, 1903.

[12] A. K. Lenstra and E. R. Verheul. The XTR public key system. In Advances in cryptology—CRYPTO 2000 (Santa Barbara, CA), volume 1880 of Lecture Notes in Comput. Sci., pages 1–19. Springer, Berlin, 2000.

[13] R. Lidl and H. Niederreiter. Introduction to Finite Fields and their Applications. Cam- bridge University Press, Cambridge, London, 1986.

[14] D. Lind and B. Marcus. An Introduction to Symbolic Dynamics and Coding. Cambridge University Press, 1995.

[15] J.-P. Massias. Majoration explicite de l’ordre maximum d’un ´el´ement du groupe sym´etrique. Ann. Fac. Sci. Toulouse Math. (5), 6(3-4):269–281 (1985), 1984.

[16] J.-P. Massias, J.-L. Nicolas, and G. Robin. Effective bounds for the maximal order of an element in the symmetric group. Math. Comp., 53(188):665–678, 1989.

22 [17] U.M. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and com- puting discrete logarithms. In Advances in cryptology—CRYPTO ’94 (Santa Barbara, CA, 1994), pages 271–281. Springer, Berlin, 1994.

[18] U.M. Maurer and S. Wolf. The relationship between Breaking the Diffie-Hellman pro- tocol and computing discrete logarithms. SIAM J. Comput., 5(28):1689–1721, 1999.

[19] G. Maze. Algebraic Methods for Constructing One-Way Trapdoor Functions. PhD thesis, University of Notre Dame, May 2003.

[20] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryp- tography. CRC Press Series on Discrete Mathematics and its Applications. CRC Press, Boca Raton, FL, 1997. With a foreword by Ronald L. Rivest.

[21] V. S. Miller. Use of elliptic curves in cryptography. In Advances in cryptology—CRYPTO ’85 (Santa Barbara, Calif., 1985), pages 417–426. Springer, Berlin, 1986.

[22] C. Monico. Semirings and Semigroup Actions in Public-Key Cryptography. PhD thesis, University of Notre Dame, May 2002.

[23] C. Monico. On finite congruence-simple semirings. J. Algebra, 271(2):846–854, 2004.

[24] J.-L. Nicolas. Calcul de l’ordre maximum d’un ´el´ement du groupe sym´etrique Sn. Rev. Francaise Informat. Recherche Op´erationnelle, 3(Ser. R-2):43–50, 1969.

[25] K. Rubin and A. Silverberg. Using primitive subgroups to do more with fewer bits. In Algorithmic Number Theory (ANTS VI), volume 3076 of Lecture Notes in Comput. Sci., pages 18–41. Springer, Berlin, 2004.

[26] I. E. Shparlinski. Computational and algorithmic problems in finite fields, volume 88 of Mathematics and its Applications (Soviet Series). Kluwer Academic Publishers Group, Dordrecht, 1992.

[27] B. Sturmfels. Algorithms in Invariant Theory. Texts and Monographs in Symbolic Computation. Springer-Verlag, Vienna, 1993.

[28] A. Yamamura. Public-key cryptosystems using the modular group. In Public Key Cryp- tography, volume 1431 of Lecture Notes in Computer Science, pages 203–216. Springer, Berlin, 1998.

23