Professional Documents
Culture Documents
Rnoti p733
Rnoti p733
Rnoti p733
Cryptographers
Christophe Petit and Jean-Jacques Quisquater
P
resumably hard mathematical problems problems are of course easy for the Rubik’s Cube.
stand at the core of modern cryptog- They are also easy in a few other particular cases,
raphy. A typical security proof for a but they may still be hard in general. In fact,
cryptographic protocol relates its resis- they are strongly connected to famous problems
tance against a particular attack to the in group theory and can be seen as algorithmic
hardness of some mathematical problem. Very few versions of a twenty-year-old conjecture of Babai
problems have survived thorough cryptanalysis, on the diameters of Cayley graphs. Although the
the most established ones being the integer fac- conjecture is now proved for all parameters of
torization problem and the discrete logarithm interest in cryptography, many of the proofs are
problems on finite fields and elliptic curves. nonconstructive, hence useless, to “break” the
Other problems have been suggested, related, functions.
for example, to hyperelliptic curves, lattices [42], In the last twenty years, the cryptography
error-correcting codes [31], or multivariate poly- community (for Cayley hash functions) and the
nomial equations [35] (the so-called postquantum
mathematics community (for Babai’s conjecture)
cryptographic algorithms). They are currently less
have been working independently on very similar
trusted than the three previous ones, but they
problems. The goal of this paper is to bridge the
might join or replace them in the future.
results obtained by the two communities, with the
In this paper we discuss three alternative
cryptographic application in mind. In particular, we
computational problems: namely the balance, rep-
review known results coming from both sides, we
resentation, and factorization problems in finite
non-Abelian groups. Interestingly, these problems provide some general attacks and design principles
can be seen as generalizations of the Rubik’s Cube. for the Cayley hash function construction, and
The famous 3D puzzle is notoriously “hard” [12], finally we propose some parameters that can be
but of course not in a cryptographic sense. Com- considered as “safe” from our current knowledge
puter programs solve it instantaneously, and of these problems.
even human champions need less than ten sec- Notation. In this paper, p will always be a prime
onds. Nevertheless, the “extensions” considered
and n a positive integer. We write Fq for the finite
in this paper were proposed as the core computa-
field with q elements. We identify the finite field
tional problems underlying the security of Cayley
Fpn with Fp [X]/(q(X)), where q is an irreducible
hash functions, an elegant construction of a very
polynomial over Fp . If K is a finite field and m is a
important cryptographic primitive.
positive integer, we write SL(m, K) for the special
For the cryptographic applications to be secure,
linear group of degree m over K, in other words,
the balance, representation, and factorization
problems must be computationally hard. These the group of m-by-m matrices over K with deter-
minant 1. We write P SL(m, K) for the projective
Christophe Petit is a research fellow of the Belgian Fund for special linear group of degree m over K, which is
Scientific Research (F.R.S.-FNRS) at Université catholique de the quotient of SL(m, K) by the set {λI, λ ∈ K}.
Louvain (UCL). His email address is christophe.petit@ Finally, we write Sn for the group of permutations
uclouvain.be.
on n elements.
Jean-Jacques Quisquater is with the UCL Crypto Group. His
email address is jjq@uclouvain.be. Outline. The remainder of this paper is organized
DOI: http://dx.doi.org/10.1090/noti1001 as follows. In the first section we recall the Cayley