Post-Quantum Cryptography Online Seminar

Post-Quantum Cryptography Online Seminar

Post-Quantum Cryptography online seminar Vladimir Shpilrain The City College of New York Public key exchange using semidirect product of (semi)groups November 15, 2012 Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 1 / 17 The Di±e-Hellman public key exchange (1976) 1. Alice and Bob agree on a public (¯nite) cyclic group G and a generating element g in G. We will write the group G multiplicatively. 2. Alice picks a random natural number a and sends g a to Bob. 3. Bob picks a random natural number b and sends g b to Alice. b a ba 4. Alice computes KA = (g ) = g . a b ab 5. Bob computes KB = (g ) = g . Since ab = ba (because Z is commutative), both Alice and Bob are now in possession of the same group element K = KA = KB which can serve as the shared secret key. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 2 / 17 E±ciency for legitimate parties Exponentiation by \square-and-multiply": g 22 = (((g 2)2)2)2 ¢ (g 2)2 ¢ g 2 Complexity of computing g n is therefore O(log n), times complexity of reducing mod p (more generally, reducing to a \normal form"). Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 3 / 17 E±ciency for legitimate parties Exponentiation by \square-and-multiply": g 22 = (((g 2)2)2)2 ¢ (g 2)2 ¢ g 2 Complexity of computing g n is therefore O(log n), times complexity of reducing mod p (more generally, reducing to a \normal form"). Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 3 / 17 E±ciency for legitimate parties Exponentiation by \square-and-multiply": g 22 = (((g 2)2)2)2 ¢ (g 2)2 ¢ g 2 Complexity of computing g n is therefore O(log n), times complexity of reducing mod p (more generally, reducing to a \normal form"). Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 3 / 17 Security assumptions To recover g ab from (g; g a; g b) is hard. To recover a from (g; g a) (discrete log problem) is hard. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 4 / 17 Security assumptions To recover g ab from (g; g a; g b) is hard. To recover a from (g; g a) (discrete log problem) is hard. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 4 / 17 Variations on Di±e-Hellman: why not just multiply them? 1. Alice and Bob agree on a (¯nite) cyclic group G and a generating element g in G. We will write the group G multiplicatively. 2. Alice picks a random natural number a and sends g a to Bob. 3. Bob picks a random natural number b and sends g b to Alice. b a b+a 4. Alice computes KA = (g ) ¢ (g ) = g . a b a+b 5. Bob computes KB = (g ) ¢ (g ) = g . Obviously, KA = KB = K, which can serve as the shared secret key. Drawback: anybody can obtain K the same way! Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 5 / 17 Variations on Di±e-Hellman: why not just multiply them? 1. Alice and Bob agree on a (¯nite) cyclic group G and a generating element g in G. We will write the group G multiplicatively. 2. Alice picks a random natural number a and sends g a to Bob. 3. Bob picks a random natural number b and sends g b to Alice. b a b+a 4. Alice computes KA = (g ) ¢ (g ) = g . a b a+b 5. Bob computes KB = (g ) ¢ (g ) = g . Obviously, KA = KB = K, which can serve as the shared secret key. Drawback: anybody can obtain K the same way! Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 5 / 17 Using matrices Stickel 2005, Maze-Monico-Rosenthal 2007 There is a public ring (or a semiring) R and public n £ n matrices S, M1, and M2 over R. The ring R should have a non-trivial commutative subring C. One way to guarantee that would be for R to be an algebra over a ¯eld K; then, of course, C = K will be a commutative subring of R. 1. Alice chooses polynomials pA (x); qA (x) 2 C[x] and sends the matrix U = pA (M1) ¢ S ¢ qA (M2) to Bob. 2. Bob chooses polynomials pB (x); qB (x) 2 C[x] and sends the matrix V = pB (M1) ¢ S ¢ qB (M2) to Alice. 3. Alice computes KA = pA (M1) ¢ V ¢ qA (M2) = pA (M1) ¢ pB (M1) ¢ S ¢ qB (M2) ¢ qA (M2). 4. Bob computes KB = pB (M1) ¢ U ¢ qB (M2) = pB (M1) ¢ pA (M1) ¢ S ¢ qA (M2) ¢ qB (M2). Since any two polynomials in the same matrix commute, one has K = KA = KB , the shared secret key. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 6 / 17 Using matrices Stickel 2005, Maze-Monico-Rosenthal 2007 There is a public ring (or a semiring) R and public n £ n matrices S, M1, and M2 over R. The ring R should have a non-trivial commutative subring C. One way to guarantee that would be for R to be an algebra over a ¯eld K; then, of course, C = K will be a commutative subring of R. 1. Alice chooses polynomials pA (x); qA (x) 2 C[x] and sends the matrix U = pA (M1) ¢ S ¢ qA (M2) to Bob. 2. Bob chooses polynomials pB (x); qB (x) 2 C[x] and sends the matrix V = pB (M1) ¢ S ¢ qB (M2) to Alice. 3. Alice computes KA = pA (M1) ¢ V ¢ qA (M2) = pA (M1) ¢ pB (M1) ¢ S ¢ qB (M2) ¢ qA (M2). 4. Bob computes KB = pB (M1) ¢ U ¢ qB (M2) = pB (M1) ¢ pA (M1) ¢ S ¢ qA (M2) ¢ qB (M2). Since any two polynomials in the same matrix commute, one has K = KA = KB , the shared secret key. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 6 / 17 Cayley-Hamilton Note: The whole ring R should not be commutative because otherwise, the Cayley-Hamilton theorem kills large powers of a matrix. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 7 / 17 Semidirect product Let G; H be two groups, let Aut(G) be the group of automorphisms of G, and let ½ : H ! Aut(G) be a homomorphism. Then the semidirect product of G and H is the set ¡ = G o½ H = f(g; h): g 2 G; h 2 Hg with the group operation given by (g; h)(g 0; h0) = (g ½(h) ¢ g 0; h ¢ h0): Here g ½(h) denotes the image of g under the automorphism ½(h). Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 8 / 17 Extensions by automorphisms If H = Aut(G), then the corresponding semidirect product is called the holomorph of the group G. Thus, the holomorph of G, usually denoted by Hol(G), is the set of all pairs (g;Á), where g 2 G;Á 2 Aut(G), with the group operation given by (g;Á) ¢ (g 0;Á0) = (Á0(g) ¢ g 0;Á ¢ Á0): It is often more practical to use a subgroup of Aut(G) in this construction. Also, if we want the result to be just a semigroup, not necessarily a group, we can consider the semigroup End(G) instead of the group Aut(G) in this construction. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 9 / 17 Extensions by automorphisms If H = Aut(G), then the corresponding semidirect product is called the holomorph of the group G. Thus, the holomorph of G, usually denoted by Hol(G), is the set of all pairs (g;Á), where g 2 G;Á 2 Aut(G), with the group operation given by (g;Á) ¢ (g 0;Á0) = (Á0(g) ¢ g 0;Á ¢ Á0): It is often more practical to use a subgroup of Aut(G) in this construction. Also, if we want the result to be just a semigroup, not necessarily a group, we can consider the semigroup End(G) instead of the group Aut(G) in this construction. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 9 / 17 Extensions by automorphisms If H = Aut(G), then the corresponding semidirect product is called the holomorph of the group G. Thus, the holomorph of G, usually denoted by Hol(G), is the set of all pairs (g;Á), where g 2 G;Á 2 Aut(G), with the group operation given by (g;Á) ¢ (g 0;Á0) = (Á0(g) ¢ g 0;Á ¢ Á0): It is often more practical to use a subgroup of Aut(G) in this construction. Also, if we want the result to be just a semigroup, not necessarily a group, we can consider the semigroup End(G) instead of the group Aut(G) in this construction. Vladimir Shpilrain () Post-Quantum Cryptography online seminar November 15, 2012 9 / 17 Key exchange using extensions by automorphisms (Habeeb-Kahrobaei-Koupparis-Shpilrain) Let G be a group (or a semigroup). An element g 2 G is chosen and made public as well as an arbitrary automorphism (or an endomorphism) Á of G. Bob chooses a private n 2 N, while Alice chooses a private m 2 N. Both Alice and Bob are going to work with elements of the form (g;Ák ), where g 2 G; k 2 N. 1. Alice computes (g;Á)m = (Ám¡1(g) ¢ ¢ ¢ Á2(g) ¢ Á(g) ¢ g;Ám) and sends only the ¯rst component of this pair to Bob. Thus, she sends to Bob only the element a = Ám¡1(g) ¢ ¢ ¢ Á2(g) ¢ Á(g) ¢ g of the group G.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    32 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us