Non-commutative cryptography

Last updated December 29, 2022

Non-commutative cryptography is the area of cryptology where the cryptographic primitives, methods and systems are based on algebraic structures like semigroups, groups and rings which are non-commutative. One of the earliest applications of a non-commutative algebraic structure for cryptographic purposes was the use of braid groups to develop cryptographic protocols. Later several other non-commutative structures like Thompson groups, polycyclic groups, Grigorchuk groups, and matrix groups have been identified as potential candidates for cryptographic applications. In contrast to non-commutative cryptography, the currently widely used public-key cryptosystems like RSA cryptosystem, Diffie–Hellman key exchange and elliptic curve cryptography are based on number theory and hence depend on commutative algebraic structures.

Some non-commutative cryptographic protocols
Protocols for key exchange
Protocols for encryption and decryption
Protocols for authentication
Security basis of the protocols
Platform groups
Examples of platform groups
Braid groups
Thompson's group
Grigorchuk's group
Artin group
Matrix groups
Semidirect products
See also
References
Further reading

Non-commutative cryptographic protocols have been developed for solving various cryptographic problems like key exchange, encryption-decryption, and authentication. These protocols are very similar to the corresponding protocols in the commutative case.

Some non-commutative cryptographic protocols

In these protocols it would be assumed that G is a non-abelian group. If w and a are elements of G the notation w^a would indicate the element a⁻¹wa.

Protocols for key exchange

Protocol due to Ko, Lee, et al.

The following protocol due to Ko, Lee, et al., establishes a common secret key K for Alice and Bob.

An element w of G is published.
Two subgroups A and B of G such that ab = ba for all a in A and b in B are published.
Alice chooses an element a from A and sends w^a to Bob. Alice keeps a private.
Bob chooses an element b from B and sends w^b to Alice. Bob keeps b private.
Alice computes K = (w^b)^a = w^ba.
Bob computes K' = (w^a)^b=w^ab.
Since ab = ba, K = K'. Alice and Bob share the common secret key K.

Anshel-Anshel-Goldfeld protocol

This a key exchange protocol using a non-abelian group G. It is significant because it does not require two commuting subgroups A and B of G as in the case of the protocol due to Ko, Lee, et al.

Elements a₁, a₂, . . . , a_k, b₁, b₂, . . . , b_m from G are selected and published.
Alice picks a private x in G as a word in a₁, a₂, . . . , a_k; that is, x = x( a₁, a₂, . . . , a_k ).
Alice sends b₁^x, b₂^x, . . . , b_m^x to Bob.
Bob picks a private y in G as a word in b₁, b₂, . . . , b_m; that is y = y ( b₁, b₂, . . . , b_m ).
Bob sends a₁^y, a₂^y, . . . , a_k^y to Alice.
Alice and Bob share the common secret key K = x⁻¹y⁻¹xy.
Alice computes x ( a₁^y, a₂^y, . . . , a_k^y ) = y⁻¹xy. Pre-multiplying it with x⁻¹, Alice gets K.
Bob computes y ( b₁^x, b₂^x, . . . , b_m^x) = x⁻¹yx. Pre-multiplying it with y⁻¹ and then taking the inverse, Bob gets K.

Stickel's key exchange protocol

In the original formulation of this protocol the group used was the group of invertible matrices over a finite field.

Let G be a public non-abelian finite group.
Let a, b be public elements of G such that ab ≠ ba. Let the orders of a and b be N and M respectively.
Alice chooses two random numbers n < N and m < M and sends u = a^mbⁿ to Bob.
Bob picks two random numbers r < N and s < M and sends v = a^rb^s to Alice.
The common key shared by Alice and Bob is K = a^{m + r}b^{n + s}.
Alice computes the key by K = a^mvbⁿ.
Bob computes the key by K = a^rub^s.

Protocols for encryption and decryption

This protocol describes how to encrypt a secret message and then decrypt using a non-commutative group. Let Alice want to send a secret message m to Bob.

Let G be a non-commutative group. Let A and B be public subgroups of G such that ab = ba for all a in A and b in B.
An element x from G is chosen and published.
Bob chooses a secret key b from A and publishes z = x^b as his public key.
Alice chooses a random r from B and computes t = z^r.
The encrypted message is C = (x^r, H(t) $\oplus$ m), where H is some hash function and $\oplus$ denotes the XOR operation. Alice sends C to Bob.
To decrypt C, Bob recovers t as follows: (x^r)^b = x^rb = x^br = (x^b)^r = z^r = t. The plain text message send by Alice is P = ( H(t) $\oplus$ m ) $\oplus$ H(t) = m.

Protocols for authentication

Let Bob want to check whether the sender of a message is really Alice.

Let G be a non-commutative group and let A and B be subgroups of G such that ab = ba for all a in A and b in B.
An element w from G is selected and published.
Alice chooses a private s from A and publishes the pair ( w, t ) where t = w^s.
Bob chooses an r from B and sends a challenge w ' = w^r to Alice.
Alice sends the response w ' ' = (w ')^s to Bob.
Bob checks if w ' ' = t^r. If this true, then the identity of Alice is established.

Security basis of the protocols

The basis for the security and strength of the various protocols presented above is the difficulty of the following two problems:

The conjugacy decision problem (also called the conjugacy problem): Given two elements u and v in a group G determine whether there exists an element x in G such that v = u^x, that is, such that v = x⁻¹ux.
The conjugacy search problem: Given two elements u and v in a group G find an element x in G such that v = u^x, that is, such that v = x⁻¹ux.

If no algorithm is known to solve the conjugacy search problem, then the function x → u^x can be considered as a one-way function.

Platform groups

A non-commutative group that is used in a particular cryptographic protocol is called the platform group of that protocol. Only groups having certain properties can be used as the platform groups for the implementation of non-commutative cryptographic protocols. Let G be a group suggested as a platform group for a certain non-commutative cryptographic system. The following is a list of the properties expected of G.

The group G must be well-known and well-studied.
The word problem in G should have a fast solution by a deterministic algorithm. There should be an efficiently computable "normal form" for elements of G.
It should be impossible to recover the factors x and y from the product xy in G.
The number of elements of length n in G should grow faster than any polynomial in n. (Here "length n" is the length of a word representing a group element.)

Examples of platform groups

Braid groups

Let n be a positive integer. The braid group B_n is a group generated by x₁, x₂, . . . , x_n-1 having the following presentation:

B_{n}=\left\langle x_{1},x_{2},\ldots ,x_{n-1}{\big |}x_{i}x_{j}=x_{j}x_{i}{\text{ if }}|i-j|>1{\text{ and }}x_{i}x_{j}x_{i}=x_{j}x_{i}x_{j}{\text{ if }}|i-j|=1\right\rangle

Thompson's group

Thompson's group is an infinite group F having the following infinite presentation:

F=\left\langle x_{0},x_{1},x_{2},\ldots {\big |}x_{k}^{-1}x_{n}x_{k}=x_{n+1}{\text{ for }}k<n\right\rangle

Grigorchuk's group

Let T denote the infinite rooted binary tree. The set V of vertices is the set of all finite binary sequences. Let A(T) denote the set of all automorphisms of T. (An automorphism of T permutes vertices preserving connectedness.) The Grigorchuk's group Γ is the subgroup of A(T) generated by the automorphisms a, b, c, d defined as follows:

$a(b_{1},b_{2},\ldots ,b_{n})=(1-b_{1},b_{2},\ldots ,b_{n})$
$b(b_{1},b_{2},\ldots ,b_{n})={\begin{cases}(b_{1},1-b_{2},\ldots ,b_{n})&{\text{ if }}b_{1}=0\\(b_{1},c(b_{2},\ldots ,b_{n}))&{\text{ if }}b_{1}=1\end{cases}}$
$c(b_{1},b_{2},\ldots ,b_{n})={\begin{cases}(b_{1},1-b_{2},\ldots ,b_{n})&{\text{ if }}b_{1}=0\\(b_{1},d(b_{2},\ldots ,b_{n}))&{\text{ if }}b_{1}=1\end{cases}}$
$d(b_{1},b_{2},\ldots ,b_{n})={\begin{cases}(b_{1},b_{2},\ldots ,b_{n})&{\text{ if }}b_{1}=0\\(b_{1},b(b_{2},\ldots ,b_{n}))&{\text{ if }}b_{1}=1\end{cases}}$

Artin group

An Artin group A(Γ) is a group with the following presentation:

A(\Gamma )=\left\langle a_{1},a_{2},\ldots ,a_{n}|\mu _{ij}=\mu _{ji}{\text{ for }}1\leq i<j\leq n\right\rangle

where $\mu _{ij}=a_{i}a_{j}a_{i}\ldots$ ( $m_{ij}$ factors) and $m_{ij}=m_{ji}$ .

Matrix groups

Let F be a finite field. Groups of matrices over F have been used as the platform groups of certain non-commutative cryptographic protocols.

Semidirect products

^[1]

Related Research Articles

Diffie–Hellman key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

In abstract algebra, a branch of mathematics, a monoid is a set equipped with an associative binary operation and an identity element. For example, the nonnegative integers with addition form a monoid, the identity element being 0.

In mathematics, the tensor product $of two vector spaces V and W is a vector space to which is associated a bilinear map that maps a pair to an element of denoted$

In theoretical computer science, communication complexity studies the amount of communication required to solve a problem when the input to the problem is distributed among two or more parties. The study of communication complexity was first introduced by Andrew Yao in 1979, while studying the problem of computation distributed among several machines. The problem is usually stated as follows: two parties each receive a $-bit string and . The goal is for Alice to compute the value of a certain function,, that depends on both and, with the least amount of communication between them.$

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece has been transferred.

The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography.

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem.
Two variants of IES are specified: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

In cryptography, XTR is an algorithm for public-key encryption. XTR stands for 'ECSTR', which is an abbreviation for Efficient and Compact Subgroup Trace Representation. It is a method to represent elements of a subgroup of a multiplicative group of a finite field. To do so, it uses the trace over $to represent elements of a subgroup of .$

The Password Authenticated Key Exchange by Juggling is a password-authenticated key agreement protocol, proposed by Feng Hao and Peter Ryan. This protocol allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie–Hellman key exchange protocol.

Learning with errors (LWE) is the computational problem of inferring a linear $-ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus to be useful in cryptography.$

Anshel–Anshel–Goldfeld protocol, also known as a commutator key exchange, is a key-exchange protocol using nonabelian groups. It was invented by Drs. Michael Anshel, Iris Anshel, and Dorian Goldfeld. Unlike other group-based protocols, it does not employ any commuting or commutative subgroups of a given platform group and can use any nonabelian group with efficiently computable normal forms. It is often discussed specifically in application of braid groups, which notably are infinite. The computed shared secret is an element of the group, so in practice this scheme must be accompanied with a sufficiently secure compressive hash function to normalize the group element to a usable bitstring.

Yao's Millionaires' problem is a secure multi-party computation problem introduced in 1982 by computer scientist and computational theorist Andrew Yao. The problem discusses two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth.

The YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is claimed to be the simplest authenticated key exchange protocol among the related schemes, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The security of YAK is disputed.

Algebraic Eraser (AE) is an anonymous key agreement protocol that allows two parties, each having an AE public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key that can then be used to encrypt subsequent communications using a symmetric key cipher. Algebraic Eraser was developed by Iris Anshel, Michael Anshel, Dorian Goldfeld and Stephane Lemieux. SecureRF owns patents covering the protocol and unsuccessfully attempted to standardize the protocol as part of ISO/IEC 29167-20, a standard for securing radio-frequency identification devices and wireless sensor networks.

Consider two remote players, connected by a channel, that don't trust each other. The problem of them agreeing on a random bit by exchanging messages over this channel, without relying on any trusted third party, is called the coin flipping problem in cryptography. Quantum coin flipping uses the principles of quantum mechanics to encrypt messages for secure communication. It is a cryptographic primitive which can be used to construct more complex and useful cryptographic protocols, e.g. Quantum Byzantine agreement.

References

↑ Habeeb, M.; Kahrobaei, D.; Koupparis, C.; Shpilrain, V. (2013). "Public Key Exchange Using Semidirect Product of (Semi)Groups". Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science. Vol. 7954. Springer. pp. 475–486. arXiv: 1304.6572 . CiteSeerX 10.1.1.769.1289 . doi:10.1007/978-3-642-38980-1_30. ISBN 978-3-642-38980-1.