Two general schemes of algebraic cryptography
Article in Groups Complexity Cryptology, October 2018
DOI: 10.1515/gcc-2018-0009

All content following this page was uploaded by Vitaly Roman'kov on 25 November 2018.



Groups Complex. Cryptol. 2018; aop

Research Article

Vitaly Roman’kov*

Two general schemes of algebraic cryptography
https://doi.org/10.1515/gcc-2018-0009
Received March 20, 2018

Abstract: In this paper, we introduce two general schemes of algebraic cryptography. We show that many
of the systems and protocols considered in the literature that use two-sided multiplications are specific
cases of the first general scheme. In a similar way, we introduce the second general scheme, which joins
systems and protocols based on automorphisms or endomorphisms of algebraic systems. We also discuss
possible applications of the membership search problem in algebraic cryptanalysis. We show how efficient
decidability of the underlying membership search problem for the algebraic system chosen as the platform
can be used to exhibit a vulnerability of both schemes. Our attacks are based on the linear or on the
nonlinear decomposition method, which complement each other. We give a couple of examples of systems
and protocols known in the literature that use one of the two introduced schemes, together with their
cryptanalysis. Mostly, these protocols simulate classical cryptographic schemes, such as Diffie–Hellman,
Massey–Omura and ElGamal, in an algebraic setting. Furthermore, we show that, in many cases, one can
break the schemes without solving the algorithmic problems on which their security assumptions are based.

Keywords: Algebraic cryptanalysis, linear decomposition method, nonlinear decomposition method

MSC 2010: 20F10, 94A60

1 Introduction
The importance of different algorithmic and corresponding search problems, in particular the membership
(search) problem, and algebraic properties of groups associated with the public data was emphasized in
monographs [32, 33] and many papers (see for instance [25, 31, 35, 36, 48, 49, 52]). In many cases, these
problems can be formulated as questions about solvability of equations in groups (see for instance the
survey [38]).
Most public-key cryptosystems are based on certain intractability assumptions. We first review
the so-called nonabelian factorization problem and the computational Diffie–Hellman problem, which play
a central role in many algebraic cryptographic systems. See for instance [2, 3, 17, 18, 23, 32, 33, 52, 57].

Problem (Factorization problem). Let $G$ be a nonabelian group, and let $g, h \in G$ be two random elements
such that $\mathrm{gp}(g) \cap \mathrm{gp}(h) = 1$. The factorization problem is to split the given product
$g^i h^j$ into the pair $(g^i, h^j)$, where $i$ and $j$ are arbitrary integers picked at random.

Problem (Computational Diffie–Hellman problem). Let $G$ be a nonabelian group, and let $g, h \in G$ be two
random elements such that $\mathrm{gp}(g) \cap \mathrm{gp}(h) = 1$. The computational Diffie–Hellman problem
is to recover $g^{i+k} h^{j+l}$ from the given pair $(g^i h^j, g^k h^l)$, where $i, j, k, l$ are arbitrary
integers picked at random.

*Corresponding author: Vitaly Roman’kov, Institute of Mathematics and Information Technologies, Dostoevsky Omsk State
University, Omsk, Russia, e-mail: romankov48@mail.ru. http://orcid.org/0000-0001-8713-7170

Authenticated | romankov48@mail.ru author's copy


Download Date | 10/12/18 11:44 AM
2 | V. Roman’kov, Two general schemes of algebraic cryptography

In [40] (see also [30]), we have shown that in many systems where $G$ is a subset of a linear space we can
efficiently solve the computational Diffie–Hellman problem and hence compromise the corresponding
cryptographic systems. We elaborated a method called the linear decomposition method. Notice that we do
not solve the factorization problem to find $g^{i+k} h^{j+l}$. This method has been applied to many other
problems and cryptosystems too; see for example [30, 40, 41]. A somewhat similar approach was applied by
Blackburn et al. [8]. A probabilistic approach, similar in some points and working in the case of a matrix
group over a finite field, was established by Tsaban et al. [5, 6, 55, 56]. See also [50], where the Stickel
protocol was analyzed.
Recall that the membership search problem is:

Problem (Membership search problem). Given an algebraic system (in particular, a group) $G$ and a subsystem
(subgroup) $H$ generated by $h_1, \ldots, h_r$, and an element $g \in H$, find an expression (group word)
$u(x_1, \ldots, x_r)$ such that $g = u(h_1, \ldots, h_r)$.

In this paper, we deal with two kinds of algebraic systems, linear spaces and groups. Hence we consider two
versions of the membership search problem.

Problem (Membership search problem, first version). Given a linear space $V$ over a field $\mathbb{F}$ and a
subspace $W$, given by a basis $w_1, \ldots, w_r$, and an element $u \in W$, find the linear representation
$u = \sum_{i=1}^{r} \alpha_i w_i$, $\alpha_i \in \mathbb{F}$.

In our applications, we usually need to efficiently construct the basis $w_1, \ldots, w_r$ too. We assume
that all main operations over $\mathbb{F}$ can be done efficiently. These assumptions allow us to apply the
linear decomposition method to exhibit a vulnerability of the considered protocol. Some examples were given
in [30, 40]; see also [14, 41, 43–46]. Below we introduce the general scheme that uses two-sided
multiplications. This scheme joins several other schemes. We will show that, when this scheme is realized
on a platform that is a part of a linear space, it is vulnerable under some natural assumptions. Hence every
specific scheme of this type is vulnerable too.

Problem (Membership search problem, second version). Given a group $G$ and a subgroup $H$, given by a
generating set $h_1, \ldots, h_r$, and an element $g \in H$, find a group word $u(x_1, \ldots, x_r)$ such
that $g = u(h_1, \ldots, h_r)$.

In our applications, we usually need to efficiently construct the generating set $h_1, \ldots, h_r$ too.
We assume that the membership problem for $G$ with respect to $H$ can be solved efficiently. Under these
assumptions, the nonlinear decomposition attack can be efficiently applied to any key agreement protocol
that uses the group $G$ as the platform.
In particular, the proposed attack works in the case when a finitely generated nilpotent (more gener-
ally, polycyclic) group G is used as platform for the protocol. In [42], we described corresponding algorithms
for protocols based on extensions of (semi)groups by endomorphisms by Kahrobaei et al. [22], or for the
noncommutative Diffie–Hellman protocol by Ko et al. [23].
Note that in [22] polycyclic groups have been proposed as platforms for the protocol based on extensions
of (semi)groups by endomorphisms. Several authors [9, 11, 12] propose polycyclic groups as good platforms
for different cryptographic protocols. Many proposals use finitely generated nilpotent groups, a subclass
of polycyclic groups, as platforms.
We note that many algorithmic search problems are efficiently solvable in the class of finitely generated
nilpotent groups. In the paper [26], Myasnikov et al. showed that the basic algorithmic problems (normal
forms, conjugacy of elements, subgroup membership, centralizers, presentation of subgroups, etc.) can be
solved by algorithms running in logarithmic space and quasilinear time. Further, if the problems are consid-
ered in “compressed” form with each input word provided as a straight-line program, they showed that the
problems are solvable in polynomial time. In [34], Myasnikov et al. pushed the complexity of these problems
lower, showing that they may be solved by TC0 circuits. In [13], Myasnikov et al. expanded the list of algo-
rithmic problems for nilpotent groups, which may be solved in these low complexity conditions, to include
several fundamental problems concerning subgroups.
In [42], the author showed that the membership search problem is efficiently decidable in any polycyclic
group.


Each of the protocols considered in these papers produces a secret shared key. We show that one can
solve the membership search problem for the subgroup of the platform group associated with the particular
protocol to recover the shared key.

2 General Scheme 1 with two-sided multiplication


We show that many known public-key exchange protocols in algebraic cryptography that use two-sided
multiplication are specific cases of the general Scheme 1 of this type. In most cases, such schemes are
built on platforms that are subsets of linear spaces; then they can be compromised by the linear
decomposition method introduced by the author. See for instance the monograph [40] and the papers [14, 30,
41, 43, 45, 46]. This method allows one to compute the exchanged keys without computing the private data
and therefore without solving the algorithmic problems on which the security assumptions are based. We
demonstrate that this method can be successfully applied to Scheme 1. Thus it is in some sense universal.
Some of the schemes under investigation were proposed by Andrecut [1], Gu et al. [17, 18], B. and
T. Hurley [19, 20], Shpilrain and Ushakov [51], Stickel [54] and Wang et al. [58]. Some other schemes were
described in [32, 33]. The schemes that use conjugation, for example the well-known scheme by Ko et al. [23],
which is a noncommutative version of the classical Diffie–Hellman scheme [39], can be treated as schemes
of the investigated type too.

2.1 Description of the general Scheme 1

Scheme 1 proceeds as follows. Let $G$ be an algebraic system with associative multiplication (for example,
a group) chosen as the platform. Further in this subsection, $G$ is a group. We assume that $G$ is a subset of
a finite-dimensional linear space $V$. Firstly, a set of public elements $g_1, \ldots, g_k \in G$ is
established. Then the correspondents, Alice and Bob, sequentially publish elements of the form
$\phi_{c,c'}(f) = cfc'$, $c, c' \in G$, where $f \in G$ is a given or previously built element. The
parameters $c, c'$ are private. The exchanged key has the form

$$K = \phi_{c_l,c'_l}\bigl(\phi_{c_{l-1},c'_{l-1}}(\ldots(\phi_{c_1,c'_1}(g)))\bigr) = c_l c_{l-1} \ldots c_1 \, g \, c'_1 \ldots c'_{l-1} c'_l, \qquad (2.1)$$

where $g$ is a given element of $G$.


We suppose that Alice chooses parameters $(c, c') = (a, a')$ in a given, finitely generated subgroup $A$ of
$G$, and Bob picks parameters $(c, c') = (b, b')$ in a finitely generated subgroup $B$ of $G$ to construct
their transformations of the form $\phi_{c,c'}$. Then, under some natural assumptions about $G$, $A$ and $B$,
we show that an intruder can efficiently calculate the exchanged key $K$ without calculating the
transformations used in the scheme. Note that Alice and Bob calculate the exchanged key $K$ from the public
data and one of the two parts of the private data. We claim that $K$, under some natural assumptions, can be
efficiently calculated using only the public data.
Foundations of the linear decomposition method can be found in [40] (see also [30, 41]). It can only be
applied when the platform group $G$ is a part of a finite-dimensional linear space $V$. For example,
$G \le \mathrm{GL}_n(\mathbb{F})$ is a linear group that is a multiplicative subgroup of the full matrix
algebra $\mathrm{M}_n(\mathbb{F})$ of $n \times n$-matrices over a field $\mathbb{F}$. In many other cases,
when the platform group $G$ is not linear, or $G$ is linear but the dimension of $V$ is too large, the linear
decomposition method can be replaced by the nonlinear decomposition method [42]. It works when the platform
group $G$ is a finitely generated nilpotent group or, more generally, a polycyclic group. The class of
polycyclic groups has often been proposed as a source of good platforms for cryptographic schemes and
protocols [9, 11, 16].
The transformations under discussion satisfy the equalities $\phi_{c,c'} \circ \phi_{d,d'} = \phi_{cd,\,d'c'}$
and include the identity $\epsilon = \phi_{1,1}$. The inverse of $\phi_{c,c'}$ is $\phi_{c^{-1},(c')^{-1}}$.
Usually, in the schemes considered, there are two finitely generated subgroups $A, B \le G$ from which the
correspondents pick their parameters. Alice randomly chooses elements in $A$, and Bob randomly picks


parameters in $B$. In many schemes, all elements of the subgroups $A$ and $B$ are assumed to be pairwise
commuting, i.e., for every $a \in A$ and every $b \in B$, we have $ab = ba$. Then we have the subgroup
$S(G, A, B)$ of $G \times G$ generated by all transformations of the form $\phi_{a,a'}$, where $a, a' \in A$,
or $\phi_{b,b'}$, where $b, b' \in B$. Note that the parameters of every transformation
$\phi_{c,c'} \in S(G, A, B)$ can be written as $c = ba$, $c' = a'b'$, where $a, a' \in A$ and $b, b' \in B$.
To get the exchanged key $K$ in (2.1), we need to apply the transformation $\phi_{c,c'} \in S(G, A, B)$ to
the given or previously built (and so public) element $g$, where $c = c_l c_{l-1} \ldots c_1$ and
$c' = c'_1 \ldots c'_{l-1} c'_l$. We assume that all the transformations $\phi_{c_j,c'_j}$ have been used in
the public data. In other words, for every pair $c_j, c'_j$, the list of public data contains $u$ and $v$
such that $v = \phi_{c_j,c'_j}(u)$. Then also $u = \phi^{-1}_{c_j,c'_j}(v)$, and thus $\phi^{-1}_{c_j,c'_j}$
can be considered as a used transformation too. Alice and Bob compute $K$ using their private data. Alice
knows a part of all transformations $\phi_{c_j,c'_j}$, and Bob knows the complement of this part. In the
following subsections, we will show how we can efficiently compute $K$ under some natural assumptions on
$G$, $A$ and $B$ without knowing any of the private data. Note that we do not compute any pair of elements
$c_j, c'_j$. It turns out that it does not matter which of the correspondents chooses the concrete private
elements $c_j, c'_j$ that are the parameters of the transformation $\phi_{c_j,c'_j}$. Sometimes, schemes use
sums of elements $\phi_{c,c'}(f)$ (see [19, 20]). A variation of the linear decomposition method allows one
to compute the exchanged key in these cases too (Example 2.3).

2.2 Cryptanalysis of the general Scheme 1

Let $G$ be a platform group in a key exchange scheme. Suppose that $G$ is a subset of a finite-dimensional
linear space $V$. Two correspondents, Alice and Bob, agree on an element $h \in G$ and two finitely
generated subgroups $A$ and $B$ of $G$ given by their finite generating sets. Suppose that each element
$a \in A$ commutes with every element $b \in B$. All these data are public.
Then the correspondents, beginning with $h$, repeatedly publish the elements $\phi_{a,a'}(u) = aua'$, where
$a, a' \in A$ (Alice), and $\phi_{b,b'}(u) = bub'$, where $b, b' \in B$ (Bob), where $u$ is one of the given
or previously constructed elements. Alice can publish a number of such elements in a row, and so can Bob.
The exchanged key has the form (2.1), where every pair $(c_t, c'_t)$ coincides either with a pair of the
form $(a, a')$, $a, a' \in A$, or with a pair of the form $(b, b')$, $b, b' \in B$.
The following lemma shows how we can efficiently construct a basis of the linear subspaces of $V$ that are
generated by elements of $G$ of a certain form. Different versions of this lemma have been proved in
[30, 40, 41, 44, 46].

Lemma 2.1. Let $A = \mathrm{gp}(a_1, \ldots, a_k)$ be a finitely generated subgroup of a group $G$ that is a
subset of a finite-dimensional linear space $V$ over a field $\mathbb{F}$, and let $h$ be a fixed element of
$G$. Suppose that all main computations over $V$, i.e., addition and scalar multiplication, can be done
efficiently. Then each finite system of linear equations over $\mathbb{F}$ can be solved efficiently, and we
can efficiently construct a basis $E = \{e_1, \ldots, e_s\}$ of the linear subspace $\mathrm{Lin}(AhA)$
generated by all elements of the form $aha'$, where $a, a' \in A$.

Proof. Consider the arbitrarily ordered set, beginning with $h$, of all elements of the form
$c^{\epsilon} h d^{\eta}$, where $\epsilon, \eta \in \{\pm 1\}$ and $c, d$ are elements of the form $a_i$ or
$1$. This set is called the first list and is denoted by $L_1$. The following operations give a part
$\{e_1, e_2, \ldots\}$ of the constructed basis $E$. This part is a basis of the linear subspace
$\mathrm{Lin}(L_1)$:
(1) Let $e_1 = h$.
(2) Let the elements $\{e_1, \ldots, e_t\}$ of the basis $E$ be constructed. We take the next element
$c^{\epsilon} h d^{\eta}$ in $L_1$. If it is linearly dependent on the already constructed elements, we
discard it. Otherwise, we add it to the set of constructed elements, i.e., it is included in $E$.
When $L_1$ is exhausted, we form a new arbitrarily ordered list $L_2$ consisting of all elements of the form
$c^{\epsilon} e_j d^{\eta}$, where $e_j$ runs over the part of $E$ constructed while processing $L_1$ (with
the exception of $e_1$).
Further, we consecutively consider the elements of $L_2$ and operate as in (2). After $L_2$ is exhausted,
and we have the part of $E$ that is a basis of the linear subspace of $V$ generated by $L_1$ and $L_2$, we
construct the third list, and so on.


(3) The process ends when the operation with a list $L_i$ does not add any new element to $E$.
To justify assertion (3), we note that every new list consists of the elements of the previous list
multiplied on both sides by the generating elements of $A$ or by their inverses (one of these factors can
be $1$). Let $X = \{a_1^{\pm 1}, \ldots, a_k^{\pm 1}, 1\}$. Then $L_1 \subseteq XhX$,
$L_2 \subseteq X^2 h X^2$, and so on. If, after the operations with $L_{i+1} \subseteq X^{i+1} h X^{i+1}$, no
element was added to $E$, then $L_{i+1}$ lies in the subspace generated by all previously constructed
elements of $E$, i.e., $X^{i+1} h X^{i+1} \subseteq \mathrm{Lin}\bigl(\bigcup_{j=1}^{i} X^j h X^j\bigr)$. Then

$$X^{i+2} h X^{i+2} \subseteq X \Bigl(\mathrm{Lin}\Bigl(\bigcup_{j=1}^{i} X^j h X^j\Bigr)\Bigr) X \subseteq \mathrm{Lin}\Bigl(\bigcup_{j=1}^{i+1} X^j h X^j\Bigr) \subseteq \mathrm{Lin}\Bigl(\bigcup_{j=1}^{i} X^j h X^j\Bigr).$$

Hence the operations with $L_{i+2}$ do not add new elements to $E$. It is clear that the subspace under
consideration coincides with the subspace generated by all the lists. It follows that the number of lists
that add new elements to $E$ does not exceed the dimension of $V$.

The following lemma is a key statement for the forthcoming cryptanalysis. We suppose that all conditions
given above are satisfied.

Lemma 2.2. Let $G$ be a group that is a subset of a finite-dimensional linear space $V$ over a field
$\mathbb{F}$. Assume that all assumptions about the main operations over $V$ made in Lemma 2.1 are satisfied.
Let $v = \phi_{a,a'}(u)$, where $a, a' \in A$ are Alice's private parameters.
Then, for every element of the form $w = \phi_{b,b'}(u)$, where $b, b' \in B$ (in other words, $w \in BuB$),
we can efficiently construct $z = \phi_{a,a'}(w)$ using only the structure of $V$.

Proof. Obviously, $v \in AuA$. Let $E = \{a_1 u a'_1, \ldots, a_r u a'_r\}$, $a_i, a'_i \in A$, be a basis of
$\mathrm{Lin}(AuA)$, efficiently obtained by Lemma 2.1. Note that the elements $a_i, a'_i$ are known
explicitly, since the basis is built from products of the public generators of $A$. By Gaussian
elimination, we efficiently obtain the unique expression

$$v = \sum_{i=1}^{r} \alpha_i \, a_i u a'_i, \qquad \alpha_i \in \mathbb{F}. \qquad (2.2)$$

All the values on the right-hand side of (2.2) are now known. We substitute $w$ for $u$ on the right-hand
side of (2.2). Since the elements of $A$ and $B$ pairwise commute, we obtain

$$\sum_{i=1}^{r} \alpha_i a_i w a'_i = \sum_{i=1}^{r} \alpha_i a_i b u b' a'_i = b\Bigl(\sum_{i=1}^{r} \alpha_i a_i u a'_i\Bigr) b' = b v b' = b a u a' b' = a (b u b') a' = a w a' = z.$$

Now we formulate a mnemonic rule for efficiently constructing a specific element according to Lemmas 2.1
and 2.2:

$$v = \phi_{a,a'}(u) \ (a, a' \in A) \text{ and } w \in BuB \implies \phi_{a,a'}(w),$$
$$v = \phi_{b,b'}(u) \ (b, b' \in B) \text{ and } w \in AuA \implies \phi_{b,b'}(w).$$

This means that if we find a basis of the underlying linear subspace by Lemma 2.1, then, from the elements
$u$ and $v$ on the left-hand side of the corresponding part of the rule, we can efficiently construct the
image of $w$ on the right-hand side of the rule. In other words, we efficiently solve the computational
Diffie–Hellman problem.

Cryptanalysis (Scheme 1). We assume that $K$ can be obtained in the form (2.1) in such a way that, at each
step, the transformation of

$$K_j = \phi_{c_j,c'_j}\bigl(\phi_{c_{j-1},c'_{j-1}}(\ldots(\phi_{c_1,c'_1}(g)))\bigr) = c_j c_{j-1} \ldots c_1 \, g \, c'_1 \ldots c'_{j-1} c'_j$$

by $\phi_{c_{j+1},c'_{j+1}}$, where $j = 1, \ldots, l-1$, can be carried out by Lemma 2.2 (by the mnemonic
rule). It follows that $K$ can be efficiently computed by any intruder.

Remark 1. The following examples show how this cryptanalysis can be done in some specific cases. Our
experience in this area shows that a lot of the schemes proposed in literature that use two-sided multiplica-
tion can be treated in such a way. There are specific circumstances in which we need to slightly change our
approach to show a vulnerability of the scheme. But in general our approach works.


2.3 Examples

Example 2.1. Now we describe the protocol by Wang et al. [58]. In this protocol, the correspondents choose
an Artin braid group as the platform.
Let $B_n$ denote the Artin braid group on $n$ strands, $n \in \mathbb{N}$. In 1990, R. Lawrence described a
family of so-called Lawrence representations of $B_n$. Around 2001, S. Bigelow [7] and D. Krammer [24]
independently proved that all braid groups $B_n$ are linear. Their work used the Lawrence–Krammer
representation $\rho_n : B_n \to \mathrm{GL}_{n(n-1)/2}(\mathbb{Z}[t^{\pm 1}, s^{\pm 1}])$, which has been
proved faithful for every $n \in \mathbb{N}$. One can effectively find the image $\rho_n(g)$ of every element
$g \in B_n$. Moreover, there exists an efficient procedure to recover a braid $g \in B_n$ from its image
$\rho_n(g)$. It was shown in [10] that this can be done in $O(2m^3 \log d_t)$ multiplications of entries of
$\rho_n(g)$. Here $m = n(n-1)/2$, and $d_t$ is a parameter that can be effectively computed from $\rho_n(g)$.
See [10] for details. Thus we can assume that the platform $G$ is a part of a finite-dimensional linear
space $V$.
Alice and Bob agree on a group $G$ and a random element $h \in G$, as well as on two finitely generated
subgroups $A$ and $B$ such that $ab = ba$ for every pair $a \in A$ and $b \in B$. These data are public.
The algorithm works as follows:
(1) Alice chooses four elements $c_1, c_2, d_1, d_2 \in A$, then computes and publishes $x = d_1 c_1 h c_2 d_2$
for Bob.
(2) Bob chooses six elements $f_1, f_2, g_1, g_2, g_3, g_4 \in B$, then computes and publishes
$y = g_1 f_1 h f_2 g_2$ and $w = g_3 f_1 x f_2 g_4$ for Alice.
(3) Alice picks two elements $d_3, d_4 \in A$, then computes and publishes $z = d_3 c_1 y c_2 d_4$ and
$u = d_1^{-1} w d_2^{-1}$ for Bob.
(4) Bob computes and publishes $v = g_1^{-1} z g_2^{-1}$ for Alice.
(5) Alice computes the key $K_A = d_3^{-1} v d_4^{-1} = c_1 f_1 h f_2 c_2$.
(6) Bob computes the key $K_B = g_3^{-1} u g_4^{-1} = c_1 f_1 h f_2 c_2$, which is equal to $K_A$.
(7) Now Alice and Bob have the common secret key $K = K_A = K_B$.

Cryptanalysis. The following transformations were used in the protocol:

$$\phi_{d_1 c_1,\, c_2 d_2}, \quad \phi_{g_1 f_1,\, f_2 g_2}, \quad \phi_{g_3 f_1,\, f_2 g_4}, \quad \phi_{d_3 c_1,\, c_2 d_4}, \quad \phi^{-1}_{d_1, d_2}, \quad \phi^{-1}_{g_1, g_2}.$$

By direct computation, we get an expression for $K$:

$$K = \phi_{c_1 f_1,\, f_2 c_2}(h) = \phi^{-1}_{d_1,d_2}\Bigl(\phi_{d_1 c_1,\, c_2 d_2}\Bigl(\phi^{-1}_{g_1,g_2}\bigl(\phi_{g_1 f_1,\, f_2 g_2}(h)\bigr)\Bigr)\Bigr).$$

We are going to show that the key $K$ can be efficiently obtained by Lemmas 2.1 and 2.2.
(i) The output of the first transformation, $y = \phi_{g_1 f_1,\, f_2 g_2}(h)$, is public.
(ii) The output of the second transformation, $\phi^{-1}_{g_1,g_2}(y)$, can be efficiently obtained by the
mnemonic rule:

$$v = \phi^{-1}_{g_1,g_2}(z) \text{ and } y \in AzA \implies \phi^{-1}_{g_1,g_2}(y) = f_1 h f_2.$$

(iii) The output of the third transformation can be efficiently obtained by the mnemonic rule:

$$x = \phi_{d_1 c_1,\, c_2 d_2}(h) \text{ and } f_1 h f_2 \in BhB \implies \phi_{d_1 c_1,\, c_2 d_2}(f_1 h f_2) = d_1 c_1 f_1 h f_2 c_2 d_2.$$

(iv) The output of the fourth transformation can be efficiently obtained by the mnemonic rule:

$$u = \phi^{-1}_{d_1,d_2}(w) \text{ and } d_1 c_1 f_1 h f_2 c_2 d_2 \in BwB \implies \phi^{-1}_{d_1,d_2}(d_1 c_1 f_1 h f_2 c_2 d_2) = c_1 f_1 h f_2 c_2 = K.$$

Thus we have $K$.

Example 2.2. The well-known protocol by Ko et al. [23] is usually called noncommutative analogue of the
Diffie–Hellman protocol. The authors of [23] proposed one of the Artin braid groups B n , n ∈ ℕ, as a platform.
On the matrix representation of B n , see the previous example. The agreements about G = B n , h ∈ G, and A
and B are the same as in the previous example.


Now the algorithm works as follows:

(1) Alice randomly chooses $a \in A$, computes and publishes $h_a = a h a^{-1}$ for Bob.
(2) Bob randomly picks $b \in B$, computes and publishes $h_b = b h b^{-1}$ for Alice.
(3) Alice computes the key $K_A = (h_b)^a = h^{ab}$, where $x^c$ denotes $c x c^{-1}$.
(4) Bob computes the key $K_B = (h_a)^b = h^{ba}$.
(5) Since $ab = ba$, they get the exchanged secret key $K = K_A = K_B$.

Cryptanalysis. We see that

$$K = a b h a^{-1} b^{-1} = \phi_{a,a^{-1}}\bigl(\phi_{b,b^{-1}}(h)\bigr).$$

(i) The output of the first transformation, $h_b = \phi_{b,b^{-1}}(h)$, is public.
(ii) The output of the second transformation can be efficiently obtained by the mnemonic rule:

$$h_a = \phi_{a,a^{-1}}(h) \text{ and } h_b \in BhB \implies \phi_{a,a^{-1}}(h_b) = K.$$

Thus we have $K$.
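The attack of Lemmas 2.1 and 2.2 carried out in running form against the conjugation exchange of
Example 2.2, as an added example that is not code from the paper. The platform is
$G = \mathrm{GL}_4(\mathrm{GF}(P))$ viewed inside $V = \mathrm{M}_4(\mathrm{GF}(P))$ with $P = 10007$; the
subgroups $A$ and $B$ are generated by elementary matrices acting on disjoint pairs of coordinates, so that
$ab = ba$ holds by construction. The prime, the choice of generators, and the word lengths are assumptions
made for the illustration. `span_basis` is Lemma 2.1 (lists $L_1, L_2, \ldots$, stopping when a list adds
nothing), `solve_coeffs` is the first version of the membership search problem by Gaussian elimination, and
`apply_hidden` is Lemma 2.2: it writes $h_a$ in the form (2.2) and substitutes $h_b$ for $h$. The attacker
never learns $a$ or $b$.

```python
# Added example (not code from the paper): Lemmas 2.1/2.2 run against the
# conjugation exchange of Example 2.2.  Platform G = GL_4(GF(P)) inside
# V = M_4(GF(P)); A, B are generated by elementary matrices on disjoint
# coordinate pairs, so ab = ba holds.  Pure Python, no dependencies.
import random

P = 10007   # prime for GF(P); assumption made for the illustration
N = 4       # matrix size, so dim V = 16

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]

def flatten(M):
    return [v for row in M for v in row]           # coordinates of M in V

def solve_coeffs(vectors, target):
    """Membership search problem, first version: alpha with
    sum(alpha_i * vectors[i]) == target over GF(P), else None."""
    m, r = len(target), len(vectors)
    rows = [[vectors[i][j] for i in range(r)] + [target[j]] for j in range(m)]
    pivots, rank = [], 0
    for col in range(r):                            # Gaussian elimination
        piv = next((k for k in range(rank, m) if rows[k][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], P - 2, P)
        rows[rank] = [v * inv % P for v in rows[rank]]
        for k in range(m):
            if k != rank and rows[k][col]:
                f = rows[k][col]
                rows[k] = [(x - f * y) % P for x, y in zip(rows[k], rows[rank])]
        pivots.append(col)
        rank += 1
    if any(rows[k][r] for k in range(rank, m)):
        return None                                 # target outside the span
    alpha = [0] * r
    for i, col in enumerate(pivots):
        alpha[col] = rows[i][r]
    return alpha

def span_basis(gens_A, h):
    """Lemma 2.1: basis of Lin(A h A) built list by list.  Each basis element
    c*h*d is kept as the pair (c, d) so that c*w*d can be formed later."""
    X = [identity()] + [g for pair in gens_A for g in pair]   # a_i^{+-1} and 1
    basis, vecs = [(identity(), identity())], [flatten(h)]
    frontier = basis[:]
    while frontier:                      # step (3): stop when a list adds nothing
        new = []
        for (l, r) in frontier:
            for c in X:
                for d in X:
                    L, R = mat_mul(c, l), mat_mul(r, d)
                    cand = flatten(mat_mul(mat_mul(L, h), R))
                    if solve_coeffs(vecs, cand) is None:        # independent
                        basis.append((L, R)); vecs.append(cand); new.append((L, R))
        frontier = new
    return basis, vecs

def apply_hidden(basis, vecs, v, w):
    """Lemma 2.2: from v = a u a' (a, a' in A unknown) and w in B u B, return
    a w a'.  basis/vecs must come from span_basis(gens_A, u)."""
    alpha = solve_coeffs(vecs, flatten(v))          # expression (2.2)
    assert alpha is not None, "v not in Lin(A u A)"
    z = [[0] * N for _ in range(N)]
    for coef, (l, r) in zip(alpha, basis):
        t = mat_mul(mat_mul(l, w), r)               # substitute w for u in (2.2)
        z = [[(z[i][j] + coef * t[i][j]) % P for j in range(N)] for i in range(N)]
    return z

def elem(i, j, lam):
    """Elementary matrix I + lam*E_ij; its inverse is elem(i, j, -lam)."""
    M = identity()
    M[i][j] = lam % P
    return M

def random_word(gens, rng, length=6):
    """Random product of (generator, inverse) pairs; returns (w, w^-1)."""
    pairs = gens + [(gi, g) for (g, gi) in gens]
    w, w_inv = identity(), identity()
    for _ in range(length):
        g, gi = rng.choice(pairs)
        w, w_inv = mat_mul(w, g), mat_mul(gi, w_inv)
    return w, w_inv

def run_attack(seed=1):
    """Run the exchange and the attack; returns (key_recovered, dim Lin(AhA))."""
    rng = random.Random(seed)
    gen = lambda i, j, lam: (elem(i, j, lam), elem(i, j, -lam))
    gens_A = [gen(0, 1, rng.randrange(1, P)), gen(1, 0, rng.randrange(1, P))]  # coords 0,1
    gens_B = [gen(2, 3, rng.randrange(1, P)), gen(3, 2, rng.randrange(1, P))]  # coords 2,3
    all_gens = [gen(i, j, rng.randrange(1, P)) for i in range(N) for j in range(N) if i != j]
    h = random_word(all_gens, rng, 10)[0]             # public h in SL_4(GF(P))
    a, a_inv = random_word(gens_A, rng)               # Alice's private a in A
    b, b_inv = random_word(gens_B, rng)               # Bob's private b in B
    h_a = mat_mul(mat_mul(a, h), a_inv)               # published by Alice
    h_b = mat_mul(mat_mul(b, h), b_inv)               # published by Bob
    K = mat_mul(mat_mul(a, h_b), a_inv)               # shared key a b h b^-1 a^-1
    basis, vecs = span_basis(gens_A, h)               # Eve: Lemma 2.1 on public data
    K_eve = apply_hidden(basis, vecs, h_a, h_b)       # Eve: Lemma 2.2, no a or b
    return K_eve == K, len(basis)
```

The point worth checking is that `span_basis` records, for each basis element $c h d$, the group elements
$c$ and $d$ as products of the public generators of $A$; without them the substitution of $h_b$ for $h$ in
(2.2) could not be formed. `run_attack(seed)` returns whether the recovered key equals Alice's key together
with the dimension of $\mathrm{Lin}(AhA)$, which is at most 16 here.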

Example 2.3. We describe the protocol proposed by B. and T. Hurley [19, 20]. Let $G$ be a finitely generated
commutative subgroup of the general linear group $\mathrm{GL}_n(\mathbb{F})$ over a field $\mathbb{F}$,
acting on row vectors of $\mathbb{F}^n$ by right multiplication. These data are public.
The algorithm works as follows:
(1) Bob randomly chooses $y \in \mathbb{F}^n$ and $b \in G$, computes and publishes $yb$.
(2) Alice wants to send a message $x \in \mathbb{F}^n$ to Bob. She randomly chooses $a_1, a \in G$, then
computes and publishes $(xa, yba_1)$ for Bob.
(3) Bob randomly chooses $b_1, b_2 \in G$, then computes and publishes $(xab_1, ya_1b_2)$ for Alice.
(4) Alice computes $(xb_1, yb_2)$ and then publishes $xb_1 - yb_2$ for Bob.
(5) Bob computes $x - yb_2 b_1^{-1}$ and then recovers $x$.
(6) Bob can use $yb$ in forthcoming sessions.

Cryptanalysis. Since $G$ is commutative, we can assume that the correspondents use arbitrary right
multiplications $\rho_c = \phi_{1,c}$, $c \in G$, and that $A = B = G$. The arguments of Lemma 2.1 allow us
to construct bases of subspaces of the form $\mathrm{Lin}(gG)$, $g \in G$. The assumption $w \in BuB$ of
Lemma 2.2 is then automatically satisfied. Now the mnemonic rule is simpler. The group $G$ generates a
finite-dimensional subspace $\mathrm{Lin}(G)$ of the matrix algebra $\mathrm{M}_n(\mathbb{F})$. Every
$\rho_c$ extends uniquely to a linear map of $\mathrm{Lin}(G)$. It follows that the secret element in the
protocol can be efficiently computed as in the previous examples.
In the protocol, the public elements $yb$, $xa$ and $xb_1 - yb_2$ are given, and the transformations
$\rho_{b_1}$, $\rho_{a_1}$ and $\rho_{a_1 b_2 b^{-1}}$ have been used. The first transformation corresponds
to the pair $(xa, xab_1)$; the second to $(yb, yba_1)$; and the third to $(yb, ya_1b_2)$. Then we have

$$x = \rho^{-1}_{b_1}(xb_1 - yb_2) + \rho^{-1}_{b_1}\bigl(\rho^{-1}_{a_1}(ya_1 b_2)\bigr).$$

Both terms are efficiently computed by the mnemonic rule.

2.4 Complexity of the proposed algorithms

The algorithm described in Lemma 2.1 gives a basis of the subspace of the given finite-dimensional linear
space. It can be done by the Gauss elimination process. In every case, we need to only determine the exis-
tence of a solution. Note that the Gauss algorithm runs for a matrix of size (t × s) in O(t2 s) steps. Let r be
the dimension of V. Then r is a number of equations in each of the considered systems of linear equations.
The number of variables does not exceed r because it is equal to the number of previously included basic
elements. Hence, every time we use no more than O(r3 ) operations. The total number of considered lists does
not exceed r because every such list adds at least one new basic elements to the constructed basis. Every list
contains no more than 4k2 r elements. The total number of such elements does not exceed 2k2 r2 . Hence we
have an upper bound (very crude) O(k2 r5 ) of such operations.


In some cases, we also need to estimate the number of operations needed to obtain a representation of the
platform group $G$ by matrices, as well as the number of operations needed to compute the inverse map. For
example, in [10], it was shown that the standard form of any element $g$ of $B_n$ can be recovered from its
linear image in no more than $O(n^3 \log^2 d_t)$ operations. Here $d_t$ is some efficiently computed
parameter depending on $g$. Note that the linear image of $g$ is computed in time linear in the length of $g$.
In the algorithm of Lemma 2.2, we again use Gaussian elimination. In this case, the process finds a unique
solution. Since the total number of such constructions is not higher than the total number of computations
in building the basis, the estimate keeps its form $O(k^2 r^5)$.

3 General Scheme 2 with endo- or automorphisms


Now we show that some public-key exchange protocols in algebraic cryptography that use automorphisms are
specific cases of a general scheme of this type. In most cases, such schemes are also built on platforms
that are subsets of linear spaces, and then they can be compromised by the linear decomposition method as
above. We give corresponding examples below. To avoid the linear decomposition attack, some authors propose
platform groups that are not subsets of linear spaces, or at least groups whose faithful matrix
representations have too large a dimension for the linear decomposition attack to be applied efficiently.
For example, Janusz [21] showed that a faithful representation of a finite $p$-group with at least one
element of order $p^n$, as a group of matrices over a finite field of characteristic $p$, has dimension at
least $1 + p^{n-1}$. This can be too large to launch the linear decomposition attack, provided $p$ itself is
large enough. The authors of some papers believed that this choice of platform would make the protocol
invulnerable to linear decomposition attacks.
The nonlinear decomposition attack can be efficiently applied to a key-agreement protocol that uses as a
platform a group $G$ for which the membership search problem is efficiently solvable and for which one can
efficiently construct finite generating sets for some subgroups associated with the protocol.
Recall that the membership search problem is: Given a group $G$ and a subgroup $H$ generated by
$h_1, \ldots, h_r$ and an element $g \in H$, find a group word $u(x_1, \ldots, x_r)$ such that
$g = u(h_1, \ldots, h_r)$.
In particular, the proposed attack works in the case when a finitely generated nilpotent (more generally,
polycyclic) group is used as the platform for the protocol.

3.1 Description of the general Scheme 2


This subsection gives a description of the general scheme based on endo- or automorphisms. This scheme is
similar to Scheme 1 based on two-sided multiplication, described above. Note that in most cases a two-sided
multiplication is not an automorphism.
The general scheme proceeds as follows. Let $G$ be an algebraic system with associative multiplication, for
example a group, chosen as the platform. Further in this section, $G$ is a group. Firstly, a set of public
elements $g_1, \ldots, g_k \in G$ is established. Then the correspondents, Alice and Bob, sequentially
publish elements of the form $\phi(f)$, where $f \in G$ is a given or previously built element and
$\phi \in \mathrm{Aut}(G)$ is a private automorphism. The exchanged key has the form

$$K = \phi_l\bigl(\phi_{l-1}(\ldots(\phi_1(g)))\bigr), \qquad (3.1)$$

where $g$ is one of the given elements.
We suppose that Alice chooses her automorphisms $\phi_i$ in a given, finitely generated subgroup $A$ of
$\mathrm{Aut}(G)$, and Bob picks his automorphisms $\phi_j$ in a finitely generated subgroup $B$ of
$\mathrm{Aut}(G)$. Then, under some natural assumptions about $G$, $A$ and $B$, we show that an intruder can
efficiently calculate the exchanged key $K$ without calculating the automorphisms used in the scheme. Note
that Alice and Bob calculate the exchanged key $K$ from the public data and one of the parts of the private
data. We claim that $K$, under some natural assumptions, can be efficiently calculated using only the public
data.
We propose two different approaches to calculate $K$.


3.2 Cryptanalysis of the general Scheme 2 by the linear decomposition method

Let $G$ be a platform group in the general key-exchange Scheme 2. In this approach, we suppose that $G$ is a subset of a finite-dimensional linear space $V$. Two correspondents, Alice and Bob, agree on an element $h \in G$ and two finitely generated subgroups $A$ and $B$ of $\mathrm{Aut}(G)$ given by their finite generating sets. Suppose that each element $\varphi \in A$ commutes with every element $\psi \in B$. All these data are public.
Then the correspondents, beginning with $h$, repeatedly publish elements $\phi_i(u)$, where $\phi_i \in A$ (Alice), and $\phi_j(u)$, where $\phi_j \in B$ (Bob), and $u$ is one of the given or previously constructed elements. The exchanged key $K$ has the form (3.1), where every automorphism $\phi_i$ lies in $A$ or in $B$.
The following lemma shows how we can efficiently construct a basis of the linear subspace of $V$ that is generated by elements of $G$ of a certain form.

Lemma 3.1. Let $A = \mathrm{gp}(\phi_1, \dots, \phi_k)$ be a finitely generated subgroup of $\mathrm{Aut}(G)$, where $G$ is a subset of a finite-dimensional linear space $V$ over a field $\mathbb{F}$, and let $h$ be a fixed element of $G$. Suppose that all main computations over $V$, i.e., addition and scalar multiplication, can be efficiently done; then each finite system of linear equations over $\mathbb{F}$ can be efficiently solved. Then we can efficiently construct a basis $E = \{e_1, \dots, e_s\}$ of the linear subspace $\mathrm{Lin}(A(h))$ generated by all elements of the form $\phi(h)$, where $\phi \in A$.

Proof. Consider the set of all elements of the form $\phi_i^{\pm 1}(h)$, $i \in \{1, \dots, k\}$, arbitrarily ordered but beginning with $h = \mathrm{id}(h)$. This set is called the first list and is denoted by $L_1$. The following operations give a part $\{e_1, e_2, \dots\}$ of the constructed basis $E$. This part is a basis of the linear subspace $\mathrm{Lin}(L_1)$.
(1) Let $e_1 = h$.
(2) Let the elements $\{e_1, \dots, e_t\}$ of the basis $E$ be constructed. We take the next element $\phi_i^{\pm 1}(h)$ in $L_1$. If it is linearly dependent on the already constructed elements, we delete it. Otherwise, we add it to the set of constructed elements, i.e., it is included in $E$.
When $L_1$ is exhausted, we form a new arbitrarily ordered list $L_2$ consisting of all elements of the form $\phi_i^{\pm 1}(e_j)$, where $e_j$ is an element of the part of $E$ that was constructed while processing $L_1$ (with the exception of $e_1$).
Further, we successively consider the elements of $L_2$ and operate as in (2). After $L_2$ is exhausted and we have the part of $E$ that is a basis of the linear subspace of $V$ generated by $L_1$ and $L_2$, we construct the third list, and so on.
(3) The process ends when the operation with a list $L_i$ does not add any new element to $E$.
The correctness of this procedure can be explained in the same way as in the proof of Lemma 2.1 above.

The following lemma is a key statement for the forthcoming cryptanalysis. We suppose that all conditions
given above are satisfied.

Lemma 3.2. Let $G$ be a group that is a subset of a finite-dimensional linear space $V$ over a field $\mathbb{F}$. Assume that all assumptions about the main operations over $V$ given in Lemma 3.1 are satisfied. Let $v = \phi(u)$, where $\phi \in A$ is Alice's private parameter. Also suppose that every automorphism $\psi \in B$ can be lifted to an automorphism of $\mathrm{Lin}(A(u))$.
Then, for every element of the form $w = \psi(u)$, where $\psi \in B$, we can efficiently construct $z = \phi(w)$ based on the structure of $V$.

Proof. Obviously, $v \in A(u) \subseteq \mathrm{Lin}(A(u))$. Let $E = \{\phi_1(u), \dots, \phi_r(u)\}$, $\phi_i \in A$, be a basis of $\mathrm{Lin}(A(u))$, which is efficiently obtained by Lemma 3.1. By Gaussian elimination, we efficiently obtain the unique expression of the form
$$v = \sum_{i=1}^{r} \alpha_i\, \phi_i(u), \quad \alpha_i \in \mathbb{F}. \tag{3.2}$$
All values on the right-hand side of (3.2) are known now. We replace $u$ by $w$ on the right-hand side of (3.2). Since the elements of $A$ and $B$ pairwise commute, we obtain
$$\sum_{i=1}^{r} \alpha_i\, \phi_i(w) = \sum_{i=1}^{r} \alpha_i\, \phi_i(\psi(u)) = \psi\Bigl(\sum_{i=1}^{r} \alpha_i\, \phi_i(u)\Bigr) = \psi(\phi(u)) = \phi(w).$$


Now we formulate a mnemonic rule for efficiently constructing a specific element according to Lemmas 3.1 and 3.2:
$$v = \phi(u),\ \phi \in A \ \text{ and } \ w \in B(u) \ \Longrightarrow\ \phi(w).$$
This means that if we find a basis of the underlying linear subspace by Lemma 3.1, then, from the elements $u$ and $v$ on the left-hand side of the rule, we can efficiently construct the image $\phi(w)$ of $w$ on the right-hand side of the rule.

Cryptanalysis (Scheme 2, linear case). We assume that $K$ can be obtained in the form (3.1) in such a way that every transformation of $K_j = \phi_j(\phi_{j-1}(\dots(\phi_1(g))\dots))$ by $\phi_{j+1}$, where $j = 1, \dots, l-1$, can be done by Lemma 3.2 (by the mnemonic rule). It follows that $K$ can be efficiently computed by any intruder.

Remark 2. The following examples show how the proposed approach can be realized in some specific cases. We cannot predict all details of other schemes that can also be treated in a similar way. In our experience, this approach, in other versions, can be applied to a wide set of cryptographic schemes using endo- or automorphisms.

3.3 Examples

Example 3.1. Now we describe the protocol by Rososhek [47]. In this protocol, the correspondents choose a finite associative ring $K$ with identity such that $\mathrm{Aut}(K)$ is noncommutative. Let $G$ be a finite abelian group such that $\mathrm{Aut}(G)$ is also noncommutative. By $KG$, we denote the corresponding group ring of $G$ with coefficients in $K$.
The algorithm works as follows:
(1) Alice randomly chooses an automorphism $\sigma \in \mathrm{Aut}(K)$ of sufficiently big order and a random automorphism $\nu \in \mathrm{Aut}(G)$ of sufficiently big order too. By $C(\sigma)$, we denote the centralizer of $\sigma$ in $\mathrm{Aut}(K)$, and, similarly, $C(\nu)$ denotes the centralizer of $\nu$ in $\mathrm{Aut}(G)$. We assume that both these centralizers are strictly larger than the cyclic subgroups $\mathrm{gp}(\sigma)$ and $\mathrm{gp}(\nu)$, respectively. Then Alice randomly chooses $\tau \in C(\sigma) \setminus \mathrm{gp}(\sigma)$ and $\omega \in C(\nu) \setminus \mathrm{gp}(\nu)$. She determines $\varphi \in \mathrm{Aut}(KG)$ as follows: For each $h \in KG$ in the canonical form $h = \sum_{i=1}^{n} a_{g_i} g_i$, where $G = \{g_1, \dots, g_n\}$, $a_{g_i} \in K$, $i = 1, \dots, n$, Alice puts
$$\varphi(h) = \mu\Bigl(\sum_{i=1}^{n} \tau(a_{g_i})\,\omega(g_i)\Bigr),$$
where $\mu$ is a random permutation of the indices of the summands. This permutation does not change $h$, but only the form of its expression. The automorphism $\varphi$ is a private parameter of Alice. Then Alice chooses an invertible element $x \in KG$ and computes $\varphi(x) \in KG$. The tuple $(\sigma, \nu, x, \varphi(x))$ is the public key.
(2) Bob wants to encrypt a message $m$ represented by an element of $KG$. He randomly picks a pair of positive integers $(l, j)$ and determines $\psi \in \mathrm{Aut}(KG)$ as follows: For each element $h = \sum_{i=1}^{n} a_{g_i} g_i$, where $a_{g_i} \in K$, he puts
$$\psi(h) = \xi\Bigl(\sum_{i=1}^{n} \sigma^{l}(a_{g_i})\,\nu^{j}(g_i)\Bigr), \tag{3.3}$$
where $\xi$ is a random permutation of the indices of the summands. Then Bob calculates $\psi(x^{-1})$ using the public key of Alice and $\psi$. The tuple $(l, j, \psi)$ is the private session key. The encrypted message $m$ has the form
$$c = \bigl(\psi(x^{-1}),\ m \cdot \psi(\varphi(x))\bigr). \tag{3.4}$$
(3) To decrypt the message, Alice computes $\varphi(\psi(x^{-1})) = \psi(\varphi(x^{-1})) = \psi(\varphi(x))^{-1}$ from the first component of (3.4) and the commutativity of $\varphi$ and $\psi$. Then she obtains $m$ by multiplying the second component of the tuple $c$ on the right by this element.

Cryptanalysis. Suppose that $K$ is a finite-dimensional algebra of dimension $l$ over a finite field $\mathbb{F}$. Let us denote by $\sigma^i \wedge \nu^j$, $i, j \ge 0$, the automorphisms of $KG$ of the form determined in (3.3). Also we assume that every automorphism of $K$ is an automorphism of $K$ as an algebra over $\mathbb{F}$. The last assumption is valid in the case when $\mathbb{F}$ is a prime finite field.
In this case, $KG$ is an algebra over $\mathbb{F}$ of dimension $m = l \cdot |G|$. Every automorphism of the form $\eta = \lambda \wedge \mu$, $\lambda \in \mathrm{Aut}(K)$, $\mu \in \mathrm{Aut}(G)$, is also an automorphism of the algebra $KG$ over $\mathbb{F}$.
Let $x \in KG$ be Alice's invertible element. As above, $\Phi(x)$ denotes the set of all elements of $KG$ of the form $\eta(x)$, $\eta \in \Phi$; in other words, it is the $\Phi$-orbit generated by $x$. By $V = \mathrm{Lin}_{\mathbb{F}}(\Phi(x))$, we denote the linear subspace of $KG$ over $\mathbb{F}$ generated by $\Phi(x)$.
By Lemma 3.1 we efficiently construct a basis of $V$. The elements $\sigma^l \wedge \nu^j(x)$ are taken in lexicographic order with respect to the sums $l + j$.
Let $B = \{\sigma^{q_i} \wedge \nu^{t_i}(x) \mid i = 1, \dots, s\}$ be the constructed basis. Then we compute
$$\psi(x) = \sum_{i=1}^{s} \alpha_i\, \sigma^{q_i} \wedge \nu^{t_i}(x), \quad \alpha_i \in \mathbb{F},\ i = 1, \dots, s. \tag{3.5}$$
Then we put $\varphi(x)$ instead of $x$ on the right-hand side of (3.5). Since $\varphi$ is an automorphism of the linear algebra $KG$ over $\mathbb{F}$ and it commutes with every automorphism in $\Phi$, we obtain that
$$\sum_{i=1}^{s} \alpha_i\, \sigma^{q_i} \wedge \nu^{t_i}(\varphi(x)) = \varphi\Bigl(\sum_{i=1}^{s} \alpha_i\, \sigma^{q_i} \wedge \nu^{t_i}(x)\Bigr) = \varphi(\psi(x)) = \psi(\varphi(x)).$$
By $\psi(\varphi(x))$, we efficiently obtain $m$.

In a similar way, we can analyze the protocol over a loop algebra by Gribov et al. [15] (see also [40]).

Example 3.2. Now we present the protocol over a loop ring by Markov et al. [28].
Recall some definitions that can be found in [4, 37] or [53].
A groupoid $G$ is an algebraic structure on a nonempty set with a binary operation. A quasigroup $Q$ is a groupoid such that, for all $a, b \in Q$, there exist unique $x, y \in Q$ such that $ax = b$ and $ya = b$. A loop $L$ is a quasigroup with an identity element $e$ such that $xe = x$ and $ex = x$ for any $x \in L$. A Moufang loop $M$ is a loop that satisfies the following four identities for all $x, y, z \in M$:
$$z(x(zy)) = ((zx)z)y, \quad x(z(yz)) = ((xz)y)z, \quad (zx)(yz) = (z(xy))z, \quad (zx)(yz) = z((xy)z).$$
These identities are known as the Moufang identities.


We list some properties of a Moufang loop $M$ (see [4, 37, 53]):
(i) Every two elements of $M$ generate a subgroup of $M$. In particular, $M$ has associative powers.
(ii) If $a(bc) = (ab)c$ for elements $a, b, c \in M$, then $a, b, c$ generate a subgroup of $M$.
Let $M$ be a Moufang loop and $a, b, c \in M$. These data are public.
The algorithm proceeds as follows:
(1) Alice randomly chooses a tuple of positive integers $(m, k, n)$, then calculates and publishes a message of the form $(u_1, u_2) = (a^m b^k, b^k c^n)$ for Bob.
(2) Then Bob picks a tuple of random positive integers $(r, l, s)$, calculates and publishes a message of the form $(v_1, v_2) = (a^r b^l, b^l c^s)$ for Alice.
(3) Then Alice calculates $(a^m v_1) b^k$ and $(b^k v_2) c^n$.
(4) In a similar way, Bob obtains the elements $(a^r u_1) b^l$ and $(b^l u_2) c^s$.
(5) The common key for Alice and Bob is
$$K = (a^{m+r} b^{k+l}) \cdot (b^{k+l} c^{n+s}).$$
To explain the details of this protocol we need some statements.

Proposition 3.3 ([28]). If $M$ is a Moufang loop and $a, b \in M$, then, for all integers $k, l, m, n, r, s \ge 0$, the following equalities are valid:
$$(a^m (a^r b^s)) b^n = a^m ((a^r b^s) b^n) = (a^r (a^m b^n)) b^s = a^r ((a^m b^n) b^s) = a^{m+r} b^{n+s}.$$

Alice obtains $K$ by the following calculations:
$$(a^m v_1) b^k = a^{m+r} b^{k+l}, \quad (b^k v_2) c^n = b^{k+l} c^{n+s}, \quad K = (a^{m+r} b^{k+l}) \cdot (b^{k+l} c^{n+s}).$$
Bob obtains $K$ in a similar way.

Cryptanalysis. Suppose that $M$ is a subset of an algebra over $\mathbb{F}$ of dimension $m$. In particular, [28] proposes to choose a platform in the subclass of finite and prime Paige loops that are subsets of Zorn algebras of dimension 8 over a finite field.
Let $a, b, c$ be the elements from the discussed algorithm. Let $m, k, n, r, l, s$ be the corresponding parameters. It is sufficient to calculate $a^{m+r} b^{k+l}$ and $b^{k+l} c^{n+s}$ from the public elements
$$u_1 = a^m b^k, \quad u_2 = b^k c^n, \quad v_1 = a^r b^l, \quad v_2 = b^l c^s.$$
Firstly, we obtain bases of the linear subspaces $V_1 = \mathrm{Lin}(a^i b^j \mid i, j \ge 0)$ and $V_2 = \mathrm{Lin}(b^p c^q \mid p, q \ge 0)$, respectively.
We describe the construction of a basis $B_1$ of $V_1$. A basis $B_2$ of $V_2$ can be constructed in a similar way.
We consider, for each $r \ge 0$, on the set $\{a^i b^j\}$, a sphere of radius $r$ by setting $\mathbb{S}_r = \{a^i b^j \mid i + j = r\}$ and the corresponding ball $\mathbb{B}_r = \bigcup_{t=0}^{r} \mathbb{S}_t$. By definition, $\mathbb{S}_0 = \mathbb{B}_0 = \{1\}$. Then we construct a basis as in Lemma 3.1, where the spheres $\mathbb{S}_0, \mathbb{S}_1, \dots$ play the role of the lists $L_0, L_1, \dots$. Let $L_0 = \{1\}$, and let
$$B = \{a^{p_i} b^{q_i} \mid i = 1, \dots, t\}$$
be the constructed basis. We calculate a decomposition
$$a^m b^k = \sum_{i=1}^{t} \alpha_i\, a^{p_i} b^{q_i}, \quad \alpha_i \in \mathbb{F},\ i = 1, \dots, t. \tag{3.6}$$
By the right-hand side of (3.6) and $a^r b^l$, we obtain that
$$\sum_{i=1}^{t} \alpha_i\, (a^{p_i}(a^r b^l)) b^{q_i} = \Bigl(a^r \Bigl(\sum_{i=1}^{t} \alpha_i\, a^{p_i} b^{q_i}\Bigr)\Bigr) b^l = (a^r (a^m b^k)) b^l = a^{m+r} b^{k+l}.$$
Similarly, we calculate $b^{k+l} c^{n+s}$. At last, we calculate
$$K = (a^{m+r} b^{k+l}) \cdot (b^{k+l} c^{n+s}).$$

3.4 Cryptanalysis of the general Scheme 2 by the nonlinear decomposition method

Let $G$ be a platform in the general key-exchange Scheme 2. Now we suppose that the membership search problem for $G$ is efficiently solvable. Two correspondents, Alice and Bob, agree on an element $h \in G$ and two finitely generated subgroups $A$ and $B$ of $\mathrm{Aut}(G)$ given by their finite generating sets. Suppose that each element $a \in A$ commutes with every element $b \in B$. All these data are public.
Then the correspondents, beginning with $h$, repeatedly publish elements $\phi_i(u)$, where $\phi_i \in A$ (Alice), and $\phi_j(u)$, where $\phi_j \in B$ (Bob), and $u$ is one of the given or previously constructed elements. The exchanged key $K$ has the form (3.1), where every automorphism $\phi_i$ lies in $A$ or in $B$.
The following lemma shows how we can efficiently construct a minimal generating set of a specific subgroup of $G$.

Lemma 3.4. Let $G$ be a group. Let $A = \mathrm{gp}(\phi_1, \dots, \phi_k)$ be a finitely generated subgroup of $\mathrm{Aut}(G)$, and let $h$ be a fixed element of $G$. Suppose that all main computations over $G$, i.e., multiplication, taking inverses and solving the word problem, can be efficiently done. Then we can efficiently construct a generating set $E$ of the subgroup $\mathrm{gp}(A(h))$ generated by all elements of the form $\phi(h)$, where $\phi \in A$.

Proof. Consider the set of all elements of the form $\phi_i^{\pm 1}(h)$, $i \in \{1, \dots, k\}$, arbitrarily ordered but beginning with $h = \mathrm{id}(h)$. This set is called the first list and is denoted by $L_1$. The following operations give a part $\{e_1, e_2, \dots\}$ of the constructed generating set $E$. This part generates the subgroup $\mathrm{gp}(L_1)$.
(1) Let $e_1 = h$.
(2) Let the elements $\{e_1, \dots, e_t\}$ of $E$ be constructed. We take the next element $\phi_i^{\pm 1}(h)$ in $L_1$. If it lies in the subgroup generated by the already constructed elements, we delete it. Otherwise, we add it to the set of generating elements, i.e., it is included in $E$.
When $L_1$ is exhausted, we form a new arbitrarily ordered list $L_2$ consisting of all elements of the form $\phi_i^{\pm 1}(e_j)$, where $e_j$ is an element of the part of $E$ that was constructed while processing $L_1$ (with the exception of $e_1$).
Further, we successively consider the elements of $L_2$ and operate as in (2). After $L_2$ is exhausted and we have the part of $E$ that generates $\mathrm{gp}(L_1, L_2)$, we construct the third list, and so on.
(3) The process ends when the operation with a list $L_i$ does not add any new element to $E$.
The correctness of this procedure can be explained in the same way as in the proof of Lemma 2.1 above.

The following lemma is a key statement for the forthcoming cryptanalysis.

Lemma 3.5. Let $G$ be a group. Assume that all assumptions about the main operations over $G$ given in Lemma 3.4 are satisfied. Let $v = \phi(u)$, where $\phi \in A$ is Alice's private parameter.
Then, for every element of the form $w = \psi(u)$, where $\psi \in B$, we can efficiently construct $z = \phi(w)$.

Proof. Obviously, $v \in A(u)$. Let $E = \{\phi_1(u), \dots, \phi_r(u)\}$, $\phi_i \in A$, be a generating set of $\mathrm{gp}(A(u))$, which is efficiently obtained by Lemma 3.4. By our assumptions, we can efficiently find an expression of the form
$$v = V(\phi_1(u), \dots, \phi_r(u)), \tag{3.7}$$
where $V$ is a group word. All the automorphisms on the right-hand side of (3.7) are known now. We replace $u$ by $w$ in $V$. Since the elements of $A$ and $B$ pairwise commute, we obtain
$$V(\phi_1(w), \dots, \phi_r(w)) = V(\phi_1(\psi(u)), \dots, \phi_r(\psi(u))) = \psi\bigl(V(\phi_1(u), \dots, \phi_r(u))\bigr) = \psi(\phi(u)) = \phi(w).$$
Now we formulate a mnemonic rule for an efficient construction of a specific element according to Lemmas 3.4 and 3.5:
$$v = \phi(u),\ \phi \in A \ \text{ and } \ w \in B(u) \ \Longrightarrow\ \phi(w).$$
This means that if we find a generating set of $\mathrm{gp}(A(u))$ by Lemma 3.4, then, from the elements $u$ and $v$ on the left-hand side of the rule, we can efficiently construct the image $\phi(w)$ of $w$ on the right-hand side of the rule.

Cryptanalysis (Scheme 2, nonlinear case). We assume that $K$ can be obtained in the form (3.1) in such a way that every transformation of $K_j = \phi_j(\phi_{j-1}(\dots(\phi_1(g))\dots))$ by $\phi_{j+1}$, where $j = 1, \dots, l-1$, can be done by Lemma 3.5 (by the mnemonic rule). It follows that $K$ can be efficiently computed by any intruder.

Remark 3. Now we just repeat Remark 2: This approach works in many other cases where schemes use
endo- or automorphisms, and the membership problem can be efficiently solved for the group chosen as
the platform.

3.5 Examples

Example 3.3. We describe the protocol by Mahalanobis [27] simulating the classical Massey–Omura protocol (see for instance [39]). Alice and Bob agree on a group $G$ and two finitely generated subgroups $A$ and $B$ of $\mathrm{Aut}(G)$ such that $ab = ba$ for each pair of elements $a \in A$ and $b \in B$ (in the original protocol, Alice chooses a random abelian subgroup $S$ of $\mathrm{Aut}(G)$ and sets $A = B = S$). Then Alice chooses a random element $h \in G$ that is private.
Suppose that all assumptions of Lemma 3.4 about the main operations over $G$ are satisfied.
The algorithm works as follows:
(1) Alice randomly chooses an automorphism $\alpha \in A$. Then she computes and publishes the element $\alpha(h)$ for Bob.
(2) Bob randomly picks $\beta \in B$. Then he computes and publishes the element $\beta(\alpha(h))$ for Alice.
(3) Alice computes $\alpha^{-1}(\beta(\alpha(h))) = \beta(h)$. Alice randomly chooses $\gamma \in A$. Then she computes and publishes the element $\gamma(\beta(h))$ for Bob.
(4) Bob obtains the exchanged key $K = \beta^{-1}(\gamma(\beta(h))) = \gamma(h)$.


Cryptanalysis. Obviously, this protocol is a specific version of the general scheme using automorphisms. Firstly, we find a generating set of $\mathrm{gp}(B(u))$, where $u = \beta(\alpha(h)) = \alpha(\beta(h))$. Then we have
$$v = \alpha(h) = \beta^{-1}(u) \quad \text{and} \quad w = \gamma(\beta(h)) = \gamma(\alpha^{-1}(u)).$$
By Lemma 3.5 (see also the mnemonic rule, here with the roles of $A$ and $B$ interchanged, since $\beta^{-1} \in B$ and $\gamma\alpha^{-1} \in A$), we can efficiently obtain $K = \gamma(h) = \beta^{-1}(w)$.

Example 3.4. In [29], G. Maze et al. proposed a generalization of the original Diffie–Hellman key-exchange protocol to the setting of a semigroup action on a finite set. Namely, let $H$ be a finite set and $G$ an abelian semigroup acting on $H$. The extended Diffie–Hellman key-exchange protocol works as follows:
(1) Alice and Bob agree on an element $h \in H$.
(2) Alice chooses $g \in G$ and computes $gh$. Alice's private key is $g$, her public key is $gh$.
(3) Bob chooses $f \in G$ and computes $fh$. Bob's private key is $f$, his public key is $fh$.
(4) Their common secret key is then $g(fh) = (g \circ f)h = (f \circ g)h = f(gh)$.
Two specific examples were discussed. In the first example, $A$ is an abelian group. The group $H = \sum_{i=1}^{n} A_i$, $A_i \simeq A$, is a $\mathbb{Z}$-module, and the matrix semigroup $M_n(\mathbb{Z}, \cdot)$ acts on $H$ via formal multiplication. Let $h = (h_1, \dots, h_n) \in H$ and $g = (g_{ij}) \in M_n(\mathbb{Z})$. Then
$$hg = ((hg)_1, \dots, (hg)_n), \quad \text{where } (hg)_j = \sum_{i=1}^{n} h_i g_{ij}.$$
The semigroup operation in $M_n(\mathbb{Z})$ is not commutative, so in [29] a commutative subsemigroup $G$ is proposed as follows: Fix a matrix $a \in M_n(\mathbb{Z})$ and define $G := \mathbb{Z}[a] := \{p(a) : p(t) \in \mathbb{Z}[t]\}$. With respect to matrix multiplication, $G$ has the structure of an abelian semigroup. The protocol then simply requires that Alice and Bob agree on a vector $h \in H$. Then Alice chooses a matrix $g \in \mathbb{Z}[a]$ and sends the vector $hg$ to Bob. Bob chooses a matrix $f \in \mathbb{Z}[a]$ and sends the vector $hf$ to Alice. The common key $K$ is then the element $hgf$ that both can compute since $g$ and $f$ commute.
In the second example, $H$ is an abelian group, and $\mathrm{End}(H)$ is the ring of endomorphisms of $H$. Consider the natural action of $\mathrm{End}(H)$ on $H$. For a given $\phi \in \mathrm{End}(H)$, the subring $\mathbb{Z}[\phi]$ is commutative and yields a Diffie–Hellman protocol.

Cryptanalysis. In the first example, the subgroup $hG$ lies in $\mathrm{gp}(h_1, \dots, h_n)$, and thus is an abelian group with at most $n$ generators. These generators can be efficiently computed by Lemma 3.4. Every element of $hG$ can be efficiently presented as a word in these generators. Lemma 3.5 shows how $K$ can be efficiently obtained by any intruder. If $A$ is torsion-free, then we can reduce our discussion to the completion $\mathbb{Q}H$, which is a linear space over the rationals $\mathbb{Q}$. Then the linear decomposition method can be efficiently applied to compute $K$ (see Subsection 3.2).
The second example can be treated in a similar way. If $A$ (and thus $H$) is finitely generated, then all the operations described in Lemma 3.5 can be efficiently done. Hence $K$ can be efficiently recovered by any intruder.
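As an added example (our own code, not from the paper or from [29]), the following Python script carries out the linear decomposition attack of Subsection 3.2 on the first protocol of Example 3.4 with $A = \mathbb{Z}$: it builds a basis of $\mathrm{Lin}(h\mathbb{Z}[a])$ by the list procedure of Lemma 3.1 (with the single generator $a$), decomposes Alice's public key $hg$ as in (3.2), and applies the mnemonic rule of Lemma 3.2 to Bob's public key $hf$ to recover $K = hgf$ from public data only. The matrix $a$, the vector $h$ and the private polynomials are constructed toy values, and arithmetic is exact over $\mathbb{Q}$.

```python
from fractions import Fraction

# Added example: linear decomposition attack on the Z[a]-protocol of Example 3.4
# with A = Z, so H = Z^n acted on by the commutative semigroup Z[a] (a public
# matrix a). All concrete values below are constructed for this example.

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def vec_mat(h, g):
    """The action of Example 3.4: (hg)_j = sum_i h_i g_ij."""
    n = len(h)
    return [sum(h[i] * g[i][j] for i in range(n)) for j in range(n)]

def poly_at(coeffs, a):
    """p(a) = sum_i coeffs[i] a^i, an element of the commutative semigroup Z[a]."""
    n = len(a)
    result = [[0] * n for _ in range(n)]
    power = [[int(i == j) for j in range(n)] for i in range(n)]  # a^0 = identity
    for c in coeffs:
        result = [[result[r][s] + c * power[r][s] for s in range(n)] for r in range(n)]
        power = mat_mul(power, a)
    return result

def express(basis, v):
    """Gaussian elimination over Q: return alphas with v = sum_i alpha_i basis[i],
    or None if v is not in Lin(basis). This is both the dependence test of
    Lemma 3.1 and the decomposition (3.2) of Lemma 3.2."""
    n, s = len(v), len(basis)
    # augmented matrix; row i holds coordinate i of every basis vector, then v_i
    M = [[Fraction(basis[j][i]) for j in range(s)] + [Fraction(v[i])] for i in range(n)]
    pivots, row = [], 0
    for col in range(s):
        piv = next((r for r in range(row, n) if M[r][col] != 0), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        p = M[row][col]
        M[row] = [x / p for x in M[row]]
        for r in range(n):
            if r != row and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(M[r][s] != 0 for r in range(row, n)):  # inconsistent: v not in the span
        return None
    alpha = [Fraction(0)] * s
    for r, col in enumerate(pivots):
        alpha[col] = M[r][s]
    return alpha

def orbit_basis(h, a):
    """Lemma 3.1 for the single generator a of Z[a]: e_1 = h; each next list is
    the set of images e*a of the vectors the previous list added; an image is
    kept only if it is independent of the vectors collected so far; the process
    stops when a list adds nothing. Returns pairs (k, h a^k)."""
    basis = [(0, [Fraction(x) for x in h])]
    fresh = list(basis)
    while fresh:
        nxt = []
        for k, e in fresh:
            img = vec_mat(e, a)
            if express([vec for _, vec in basis], img) is None:
                basis.append((k + 1, img))
                nxt.append((k + 1, img))
        fresh = nxt
    return basis

def recover_key(h, a, hg, hf):
    """Intruder's computation from public data only (mnemonic rule with v = hg,
    w = hf): hg = sum_k alpha_k h a^k by (3.2), hence
    K = hgf = sum_k alpha_k h a^k f = sum_k alpha_k (hf) a^k, since f commutes with a."""
    basis = orbit_basis(h, a)
    alpha = express([vec for _, vec in basis], hg)
    if alpha is None:
        raise ValueError("hg is not in Lin(h Z[a]); g is not an element of Z[a]")
    n = len(h)
    key = [Fraction(0)] * n
    for coeff, (k, _) in zip(alpha, basis):
        image = list(hf)
        for _ in range(k):          # (hf) a^k, computed from Bob's public key
            image = vec_mat(image, a)
        key = [key[j] + coeff * image[j] for j in range(n)]
    return key

def run_protocol():
    """Constructed toy instance of the protocol with n = 3."""
    a = [[0, 1, 0], [0, 0, 1], [1, 1, 0]]       # public matrix a in M_3(Z)
    h = [1, 2, 3]                               # public vector h in Z^3
    g = poly_at([2, 1, 3], a)                   # Alice's private g = 2 + a + 3a^2
    f = poly_at([1, 0, 2, 1], a)                # Bob's private f = 1 + 2a^2 + a^3
    hg, hf = vec_mat(h, g), vec_mat(h, f)       # the two public keys
    key = vec_mat(hg, f)                        # K = hgf (Bob); Alice computes hfg
    assert key == vec_mat(hf, g)
    return a, h, hg, hf, key

if __name__ == "__main__":
    a, h, hg, hf, key = run_protocol()
    print("dim Lin(h Z[a]) =", len(orbit_basis(h, a)),
          "; key recovered:", recover_key(h, a, hg, hf) == key)
```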

Acknowledgment: The author is indebted to the reviewer for useful comments.

Funding: This research was supported by Russian Science Foundation, project 16-11-10002.

References
[1] M. Andrecut, A matrix public key cryptosystem, preprint (2015), https://arxiv.org/abs/1506.00277v1.
[2] S. Baba, S. Kotyada and R. Teja, A non-abelian factorization problem and an associated cryptosystem, Cryptology EPrint
Archive Report 2011/048 (2011), https://eprint.iacr.org/2011/048.pdf.
[3] G. Baumslag, T. Camps, B. Fine, G. Rosenberger and X. Xu, Designing key transport protocols using combinatorial group
theory, in: Algebraic Methods in Cryptography, Contemp. Math. 418, American Mathematical Society, Providence (2006),
35–43.


[4] V. D. Belousov, Foundations of the Quasigroups and Loops Theory (in Russian), Nauka, Moscow, 1967.
[5] A. Ben-Zvi, A. Kalka and B. Tsaban, Cryptanalysis via algebraic spans, Cryptology ePrint Archive Report 2014/041 (2014),
https://eprint.iacr.org/2014/041.pdf.
[6] A. Ben-Zvi, A. Kalka and B. Tsaban, Cryptanalysis via algebraic spans, in: Advances in Cryptology—CRYPTO 2018, Lecture
Notes in Comput. Sci. 10991, Springer, Berlin (2018), 1–20.
[7] S. J. Bigelow, Braid groups are linear, J. Amer. Math. Soc. 14 (2001), no. 2, 471–486.
[8] S. R. Blackburn, C. Cid and C. Mullan, Cryptanalysis of three matrix-based key establishment protocols, J. Math. Cryptol. 5
(2011), no. 2, 159–168.
[9] B. Cavallo and D. Kahrobaei, A family of polycyclic groups over which the uniform conjugacy problem is NP-complete,
Internat. J. Algebra Comput. 24 (2014), no. 4, 515–530.
[10] J. H. Cheon and B. Jun, A polynomial time algorithm for the braid Diffie–Hellman conjugacy problem, in: Advances in
Cryptology—CRYPTO 2003, Lecture Notes in Comput. Sci. 2729, Springer, Berlin (2003), 212–225.
[11] B. Eick and D. Kahrobaei, Polycyclic groups: A new platform for cryptology?, preprint (2004),
https://arxiv.org/abs/math/0411077v1.
[12] D. Garber, D. Kahrobaei and H. T. Lam, Length-based attacks in polycyclic groups, J. Math. Cryptol. 9 (2015), no. 1, 33–43.
[13] A. Garreta, A. Miasnikov and D. Ovchinnikov, Random nilpotent groups, polycyclic presentations, and Diophantine
problems, Groups Complex. Cryptol. 9 (2017), no. 2, 99–115.
[14] M. N. Gornova, E. G. Kukina and V. A. Roman’kov, Cryptanalysis of Ushakov–Shpilrain’s authentication protocol based on
the twisted conjugacy problem (in Russian), Prikl. Diskr. Mat. (2015), no. 2(28), 46–53.
[15] A. B. Gribov, P. A. Zolotykh and A. V. Mikhalev, A construction of algebraic cryptosystem over the quasigroup ring
(in Russian), Mat. Vopr. Kriptogr. 1 (2010), no. 4, 23–32.
[16] J. Gryak and D. Kahrobaei, The status of polycyclic group-based cryptography: A survey and open problems, Groups
Complex. Cryptol. 8 (2016), no. 2, 171–186.
[17] L. Gu, L. Wang, K. Ota, M. Dong, Z. Cao and Y. Yang, New public key cryptosystems based on non-abelian factorization
problems, Secur. Commun. Netw. 6 (2013), no. 7, 912–922.
[18] L. Gu and S. Zheng, Conjugacy systems based on nonabelian factorization problems and their applications in
cryptography, J. Appl. Math. 2014 (2014), Article ID 630607.
[19] B. Hurley and T. Hurley, Group ring cryptography, Int. J. Pure Appl. Math. 69 (2011), no. 1, 67–86.
[20] T. Hurley, Cryptographic schemes, key exchange, public key, preprint (2013), https://arxiv.org/abs/1305.4063v1.
[21] G. J. Janusz, Faithful representations of p groups at characteristic p. I, J. Algebra 15 (1970), 335–351.
[22] D. Kahrobaei and V. Shpilrain, Using semidirect product of (semi)groups in public key cryptography, in: Pursuit of the
Universal, Lecture Notes in Comput. Sci. 9709, Springer, Cham (2016), 132–141.
[23] K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J.-S. Kang and C. Park, New public-key cryptosystem using braid groups, in:
Advances in Cryptology—CRYPTO 2000 (Santa Barbara 2000), Lecture Notes in Comput. Sci. 1880, Springer, Berlin (2000),
166–183.
[24] D. Krammer, Braid groups are linear, Ann. of Math. (2) 155 (2002), no. 1, 131–156.
[25] M. Kreuzer, A. D. Myasnikov and A. Ushakov, A linear algebra attack to group-ring-based key exchange protocols, in:
Applied Cryptography and Network Security, Lecture Notes in Comput. Sci. 8479, Springer, Cham (2014), 37–43.
[26] J. Macdonald, A. Miasnikov, A. Nikolaev and S. Vassileva, Logspace and compressed-word computations in nilpotent
groups, preprint (2015), https://arxiv.org/abs/1503.03888.
[27] A. Mahalanobis, The Diffie–Hellman key exchange protocol and non-abelian nilpotent groups, Israel J. Math. 165 (2008),
161–187.
[28] V. T. Markov, A. V. Mikhalev, A. V. Gribov, P. A. Zolotykh and S. S. Skazhenik, Quasigroups and rings in coding theory and
cryptography (in Russian), Appl. Discrete Math. (2012), no. 4(18), 31–52.
[29] G. Maze, C. Monico and J. Rosenthal, Diffie–Hellman a public key cryptosystem based on actions by semigroups, in:
IEEE International Symposium on Information Theory (Lausanne 2002), IEEE Press, Piscataway (2012), DOI
10.1109/ISIT.2002.1023538.
[30] A. Myasnikov and V. Roman’kov, A linear decomposition attack, Groups Complex. Cryptol. 7 (2015), no. 1, 81–94.
[31] A. Myasnikov, V. Shpilrain and A. Ushakov, Random subgroups of braid groups: An approach to cryptanalysis of a braid
group based cryptographic protocol, in: Public Key Cryptography—PKC 2006, Lecture Notes in Comput. Sci. 3958,
Springer, Berlin (2006), 302–314.
[32] A. Myasnikov, V. Shpilrain and A. Ushakov, Group-based Cryptography, Adv. Courses Math. CRM Barcelona, Birkhäuser,
Basel, 2008.
[33] A. Myasnikov, V. Shpilrain and A. Ushakov, Non-commutative Cryptography and Complexity of Group-theoretic Problems,
Math. Surveys Monogr. 177, American Mathematical Society, Providence, 2011.
[34] A. Myasnikov and A. Weiß, TC0 circuits for algorithmic problems in nilpotent groups, in: 42nd International Symposium on
Mathematical Foundations of Computer Science, LIPIcs. Leibniz Int. Proc. Inform. 83, Leibniz-Zentrum für Informatik,
Wadern (2017), Article ID 23.


[35] A. D. Myasnikov and A. Ushakov, Length based attack and braid groups: Cryptanalysis of Anshel–Anshel–Goldfeld key
exchange protocol, in: Public Key Cryptography—PKC 2007, Lecture Notes in Comput. Sci. 4450, Springer, Berlin (2007),
76–88.
[36] A. G. Myasnikov and A. Ushakov, Random subgroups and analysis of the length-based and quotient attacks, J. Math.
Cryptol. 2 (2008), no. 1, 29–61.
[37] H. O. Pflugfelder, Quasigroups and Loops: Introduction, Sigma Ser. Pure Math. 7, Heldermann, Berlin, 1990.
[38] V. Roman’kov, Equations over groups, Groups Complex. Cryptol. 4 (2012), no. 2, 191–239.
[39] V. Roman’kov, Introduction to Cryptography (in Russian), Moscow, Forum, 2012.
[40] V. Roman’kov, Algebraic cryptography (in Russian), Omsk, Omsk State University, 2013.
[41] V. A. Roman’kov, Cryptanalysis of some schemes applying automorphisms (in Russian), Prikl. Diskr. Mat. (2013), no. 3(21),
35–51.
[42] V. Roman’kov, A nonlinear decomposition attack, Groups Complex. Cryptol. 8 (2016), no. 2, 197–207.
[43] V. Roman’kov, A polynomial time algorithm for the braid double shielded public key cryptosystems, Bull. Karaganda Univ.
Math. Ser. 84 (2016), no. 4, 110–115.
[44] V. A. Roman’kov, A general encryption scheme using two-sided multiplications with its cryptanalysis, preprint (2017),
https://arxiv.org/abs/1709.06282v1.
[45] V. Roman’kov, Cryptanalysis of a combinatorial public key cryptosystem, Groups Complex. Cryptol. 9 (2017), no. 2,
125–135.
[46] V. A. Roman’kov and A. A. Obzor, A general algebraic cryptographic key exchange scheme and its cryptanalysis, Prikl.
Diskr. Mat. (2017), no. 37, 52–61.
[47] S. K. Rososhek, Cryptosystems in automorphism groups of group rings of Abelian groups, J. Math. Sci. (N.Y.) 154 (2008),
no. 3, 386–391.
[48] V. Shpilrain, Cryptanalysis of Stickel’s key exchange scheme, in: Computer Science – Theory and Applications—CSR 2008,
Lecture Notes in Comput. Sci. 4296, Springer, Berlin (2008), 283–288.
[49] V. Shpilrain, Search and witness problems in group theory, Groups Complex. Cryptol. 2 (2010), no. 2, 231–246.
[50] V. Shpilrain, Problems in group theory motivated by cryptography, preprint (2018), https://arxiv.org/abs/1802.07300.
[51] V. Shpilrain and A. Ushakov, A new key exchange protocol based on the decomposition problem, in: Algebraic Methods in
Cryptography, Contemp. Math. 418, American Mathematical Society, Providence (2006), 161–167.
[52] V. Shpilrain and G. Zapata, Using the subgroup membership search problem in public key cryptography, in: Algebraic
Methods in Cryptography, Contemp. Math. 418, American Mathematical Society, Providence (2006), 169–178.
[53] J. D. H. Smith, An Introduction to Quasigroups and Their Representations, Stud. Adv. Math., Chapman & Hall/CRC, Boca
Raton, 2007.
[54] E. Stickel, A new method for exchanging secret keys, in: Third International Conference on Information Technology and
Applications—ICITA’05, IEEE Press, Piscataway (2005), 426–430.
[55] B. Tsaban, Practical polynomial time solutions of several major problems in noncommutative-algebraic cryptography
(preliminary announcement), IACR eprint (2014).
[56] B. Tsaban, Polynomial-time solutions of computational problems in noncommutative-algebraic cryptography, J. Cryptology
28 (2015), no. 3, 601–622.
[57] L. Wang, L. Wang, Z. Cao, E. Okamoto and J. Shao, New constructions of public-key encryption schemes from conjugacy
search problems, in: Information Security and Cryptology, Lecture Notes in Comput. Sci. 6584, Springer, Heidelberg
(2011), 1–17.
[58] X. Wang, C. Xu, G. Li, H. Lin and W. Wang, Double shielded public key cryptosystems, Cryptology ePrint Archive Report
2014/558 (2014), https://eprint.iacr.org/2014/558.
