
Discrete logarithm problem for matrices over finite group rings - PowerPoint PPT Presentation



  1. Discrete logarithm problem for matrices over finite group rings
  Alex Myasnikov, Stevens Institute of Technology

  2. Discrete logarithm problem.
  • The discrete logarithm problem (DLP) in a finite cyclic group $G$: for any pair $g, h \in G$ find a number $n \in \mathbb{N}$ satisfying $g^n = h$.
  • The Diffie-Hellman (1976) key-exchange protocol is based on the assumption that the DLP is hard in certain groups.
  • Shor (1997) showed that the DLP can be solved by a quantum algorithm in polynomial time in any finite field $\mathbb{F}_{p^s}$.

  3. Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.
  • D. Kahrobaei, C. Koupparis, and V. Shpilrain considered another variation of the DH key exchange using the ring of $3 \times 3$ matrices over the group ring $\mathbb{F}_7[S_5]$.
  • The authors claim that the new scheme can withstand quantum algorithm attacks.

  4. Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.
  • $G = \{g_1, \ldots, g_k\}$ is a finite group and $R$ is a commutative ring. The group ring $R[G]$ is the set of formal linear combinations of the $g_i$'s:
  $$\sum_{i=1}^{k} a_i g_i, \qquad a_i \in R.$$
  • Addition:
  $$\left(\sum_{i=1}^{k} a_i g_i\right) + \left(\sum_{i=1}^{k} b_i g_i\right) = \sum_{i=1}^{k} (a_i + b_i)\, g_i.$$
  • Multiplication:
  $$\left(\sum_{i=1}^{k} a_i g_i\right) \cdot \left(\sum_{i=1}^{k} b_i g_i\right) = \sum_{i=1}^{k} \left(\sum_{g_j g_k = g_i} a_j b_k\right) g_i.$$
  Multiplication is not commutative unless $G$ is commutative.

  5. Protocol by Kahrobaei et al.
  • $S_n$ is the group of permutations on $n$ elements.
  • $M_m(\mathbb{F}_p[S_n])$ is the ring of $m \times m$ matrices over the ring $\mathbb{F}_p[S_n]$.
  1. Choose a matrix $M \in M_3(\mathbb{F}_7[S_5])$.
  2. Alice chooses a random secret $a$ and sends $M^a$ to Bob.
  3. Bob chooses a random secret $b$ and sends $M^b$ to Alice.
  4. Alice receives $M^b$ and computes the shared key as $K = (M^b)^a$.
  5. Bob receives $M^a$ and computes the shared key as $K = (M^a)^b$.

  6. Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.
  Theorem. Let $G$ be a finite group and $p$ a prime number. The discrete logarithm problem in the ring $M_n(\mathbb{F}_{p^s}[G])$ can be solved using a quantum algorithm in (expected) polynomial time in $n$, $\log_2(p)$, $s$, $|G|$.
  Corollary. Let $G$ be a finite group and $p$ a prime number. The discrete logarithm problem in the group ring $\mathbb{F}_{p^s}[G]$ can be solved using a quantum algorithm in (expected) polynomial time in $\log_2(p)$, $s$, $|G|$.

  7. Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.
  Sketch of the proof:
  1. Reduce the DLP in $M_n(\mathbb{F}_q[G])$ to the DLP in $M_m(\mathbb{F}_q)$.
  2. Reduce the DLP in $M_m(\mathbb{F}_q)$ to the DLP in some small extension fields of $\mathbb{F}_q$.
  3. Apply Shor's quantum algorithm.

  8. Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.
  • $G = \{g_1, \ldots, g_k\}$ and a commutative ring $R$.
  • $a \in R[G]$ and $a = \sum_{g \in G} a_g \cdot g$.
  • Define a map $\mu : R[G] \to M_k(R)$ by $\mu(a) = M_a$ where
  $$M_a = \begin{pmatrix} a_{g_1 g_1^{-1}} & \cdots & a_{g_1 g_k^{-1}} \\ \vdots & \ddots & \vdots \\ a_{g_k g_1^{-1}} & \cdots & a_{g_k g_k^{-1}} \end{pmatrix},$$
  i.e. $(M_a)_{ij} = a_{g_i g_j^{-1}}$.

  9. Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.
  Proposition. The map $\mu : a \mapsto M_a$ is a ring monomorphism.
  • $M_{a+b} = M_a + M_b$.
  • Show $M_{a \cdot b} = M_a \cdot M_b$:
  $$(M_{a \cdot b})_{ij} = (a \cdot b)_{g_i g_j^{-1}} = \sum_{gh = g_i g_j^{-1}} a_g b_h = \sum_{m=1}^{k} a_{g_i g_m^{-1}}\, b_{g_m g_j^{-1}} = (M_a \cdot M_b)_{ij}.$$
  • The map $a \mapsto M_a$ is a ring homomorphism.
  • $a$ can be recovered from $M_a$ $\Rightarrow$ $a \mapsto M_a$ is injective.

  10. Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.
  Define a map $\varphi : M_n(R[G]) \to M_{kn}(R)$:
  $$A = \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & \ddots & \vdots \\ a_{n1} & \cdots & a_{nn} \end{pmatrix} \;\mapsto\; A^* = \begin{pmatrix} M_{a_{11}} & \cdots & M_{a_{1n}} \\ \vdots & \ddots & \vdots \\ M_{a_{n1}} & \cdots & M_{a_{nn}} \end{pmatrix}.$$

  11. Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.
  Proposition. The map $\varphi : M_n(R[G]) \to M_{nk}(R)$ given by $A \mapsto A^*$ is a ring monomorphism.
  • Let $A, B \in M_n(R[G])$.
  • $(A + B)^* = A^* + B^*$.
  • Using the previous Proposition, $A^* \cdot B^* = (AB)^*$:
  $$\varphi(AB)_{ij} = \mu\left(\sum_k a_{ik} b_{kj}\right) = \sum_k \mu(a_{ik})\, \mu(b_{kj}) = (\varphi(A)\varphi(B))_{ij}.$$
  • $\varphi$ is a homomorphism.
  • It is easy to recover $A$ from $A^*$ $\Rightarrow$ $\varphi$ is injective.
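The following script is an added worked example, not code from the slides or from Kahrobaei, Koupparis and Shpilrain. It implements the group-ring arithmetic of slide 4, the key exchange of slide 5, and the two embeddings $\mu$ (slide 8) and $\varphi$ (slide 10), then checks numerically that both maps respect multiplication as the Propositions on slides 9 and 11 state. To keep it small it uses $\mathbb{F}_5[S_3]$ and $2 \times 2$ matrices instead of the $\mathbb{F}_7[S_5]$, $3 \times 3$ setting of the protocol; the field, group, matrix size and all sample values are constructed choices.

```python
from itertools import permutations
import random

p = 5                                   # coefficient field F_5 (constructed choice)
G = sorted(permutations(range(3)))      # S_3 as tuples; fixed enumeration g_1, ..., g_k
k = len(G)
index = {g: i for i, g in enumerate(G)}
e_G = tuple(range(3))                   # identity permutation

def compose(g, h):
    """(g h)(x) = g(h(x)); S_3 is non-commutative."""
    return tuple(g[h[x]] for x in range(len(h)))

def inverse(g):
    inv = [0] * len(g)
    for x, y in enumerate(g):
        inv[y] = x
    return tuple(inv)

# An element of F_p[G] is its coefficient vector (a_1, ..., a_k) over the enumeration of G.
def gr_add(a, b):
    return [(x + y) % p for x, y in zip(a, b)]

def gr_mul(a, b):
    """Slide 4 multiplication: the coefficient of g_i is the sum of a_j b_l over g_j g_l = g_i."""
    c = [0] * k
    for j, g in enumerate(G):
        for l, h in enumerate(G):
            i = index[compose(g, h)]
            c[i] = (c[i] + a[j] * b[l]) % p
    return c

gr_one = [1 if g == e_G else 0 for g in G]   # multiplicative identity of F_p[G]

def gr_mat_mul(A, B):
    """Product in M_n(F_p[G])."""
    n = len(A)
    C = [[[0] * k for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for t in range(n):
                C[i][j] = gr_add(C[i][j], gr_mul(A[i][t], B[t][j]))
    return C

def gr_mat_pow(M, e):
    n = len(M)
    R = [[gr_one if i == j else [0] * k for j in range(n)] for i in range(n)]
    for _ in range(e):
        R = gr_mat_mul(R, M)
    return R

def protocol_keys(M, a, b):
    """Slide 5 exchange: Alice sends M^a, Bob sends M^b; returns Alice's and Bob's keys."""
    M_a, M_b = gr_mat_pow(M, a), gr_mat_pow(M, b)
    return gr_mat_pow(M_b, a), gr_mat_pow(M_a, b)      # (M^b)^a and (M^a)^b

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % p for j in range(n)] for i in range(n)]

def mu(a):
    """Slide 8: mu(a) = M_a with (M_a)_{ij} = a_{g_i g_j^{-1}}."""
    return [[a[index[compose(gi, inverse(gj))]] for gj in G] for gi in G]

def phi(A):
    """Slide 10: replace every entry a_{ij} of A by the k x k block M_{a_ij}."""
    n = len(A)
    blocks = [[mu(A[i][j]) for j in range(n)] for i in range(n)]
    return [[blocks[i // k][j // k][i % k][j % k] for j in range(n * k)] for i in range(n * k)]

def mu_is_multiplicative(a, b):
    return mu(gr_mul(a, b)) == mat_mul(mu(a), mu(b))

def phi_is_multiplicative(A, B):
    return phi(gr_mat_mul(A, B)) == mat_mul(phi(A), phi(B))

def random_gr(rng):
    return [rng.randrange(p) for _ in range(k)]

def random_gr_matrix(n, rng):
    return [[random_gr(rng) for _ in range(n)] for _ in range(n)]

def sample_matrix(n=2, seed=7):
    """Deterministic sample M in M_n(F_p[G]) (constructed input)."""
    return random_gr_matrix(n, random.Random(seed))

def check(seed=1, trials=5):
    """Random check of both Propositions on 2x2 matrices over F_5[S_3]."""
    rng = random.Random(seed)
    return all(mu_is_multiplicative(random_gr(rng), random_gr(rng)) and
               phi_is_multiplicative(random_gr_matrix(2, rng), random_gr_matrix(2, rng))
               for _ in range(trials))

if __name__ == "__main__":
    ka, kb = protocol_keys(sample_matrix(), 5, 9)
    print("shared keys agree:", ka == kb, "| propositions hold:", check())
```

Because $\varphi$ is multiplicative, $\varphi(M^a) = \varphi(M)^a$, which is exactly why an instance $(M, M^a)$ over the group ring becomes an instance $(\varphi(M), \varphi(M)^a)$ over $\mathbb{F}_p$ on slide 17.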

  12. DLP reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.
  • Menezes-Wu (1997) reduced the DLP in $GL_n(\mathbb{F}_q)$ to the DLP in some small extension of $\mathbb{F}_q$.
  • We need a reduction for $M_n(\mathbb{F}_q)$ (i.e. one that includes singular matrices).
  • There is a gap in the proposed reduction: it neglects the computation of the order of certain elements in a finite field, for which there is no deterministic polynomial-time solution.

  13. DLP reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.
  Goal: given $A \in GL_n(\mathbb{F}_q)$ and $B = A^k$, find $l \in \mathbb{N}$ such that $A^l = B$.
  • Let $\lambda_1, \ldots, \lambda_s$ be the eigenvalues of $A$.
  • $Q^{-1} A Q = J_A = J(\lambda_1) \oplus \cdots \oplus J(\lambda_s)$ (Jordan form).
  • Menezes-Wu: $\mathrm{ord}(A) = \mathrm{lcm}(\mathrm{ord}(\lambda_1), \ldots, \mathrm{ord}(\lambda_s)) \cdot p^{\{t\}}$, where $t$ is the size of the largest Jordan block $J(\lambda_i)$.
  • $A^l = Q J_A^l Q^{-1} = Q \left( J^l(\lambda_1) \oplus \cdots \oplus J^l(\lambda_s) \right) Q^{-1}$.
  • Note that the first diagonal element of $J^l(\lambda_i)$ is $\lambda_i^l$.
  • If we know $\lambda_i$ and $J^l(\lambda_i)$, then we can use the DLP in $\mathbb{F}_q(\lambda_i)$ to find $l_i \equiv l \bmod \mathrm{ord}(\lambda_i)$.
  • We compute $l \bmod \mathrm{ord}(A)$ (which uniquely defines $l$) using the generalized Chinese remainder theorem.
  Need to know $\mathrm{ord}(\lambda_i)$!

  14. DLP reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.
  1. Compute $p_A(x) = f_1^{e_1}(x) \cdots f_s^{e_s}(x)$.
  2. Use small extensions $\mathbb{F}_q(\lambda_i)$ to find the $\lambda_i$ separately.
  3. Describe the structure of the Jordan form for $A$.
  4. Use a quantum computer to factor the numbers $|\mathbb{F}_q(\lambda_i)^*| = q^{\deg(f_{\lambda_i})} - 1$. Given the factorization of $q^{\deg(f_{\lambda_i})} - 1$, compute $\mathrm{ord}(\lambda_i)$.
  5. Use a quantum computer to solve the DLP in $\mathbb{F}_q(\lambda_i)$ for $(\lambda_i^l, \lambda_i)$. This gives $l_i \equiv l \bmod \mathrm{ord}(\lambda_i)$.
  6. Compute $j = l \bmod p^{\{t\}}$ as described by Menezes and Wu.
  7. Compute $l \bmod \mathrm{ord}(A)$ by solving:
  $$\begin{cases} l \equiv l_1 \bmod \mathrm{ord}(\lambda_1), \\ \quad\vdots \\ l \equiv l_s \bmod \mathrm{ord}(\lambda_s), \\ l \equiv j \bmod p^{\{t\}}. \end{cases}$$
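As an added worked example (not from the slides or from Menezes-Wu), the script below carries the procedure of slides 13 and 14 through for a non-singular $3 \times 3$ matrix over $\mathbb{F}_7$ whose Jordan form $J_A = J_2(\lambda_1) \oplus J_1(\lambda_2)$ and basis change $Q$ are constructed up front, so steps 1 to 3 are taken as done. Steps 4 and 5 (factoring and the field DLPs, which the slides hand to a quantum computer) are replaced by brute force in the tiny field; the Jordan block of size 2 supplies $l \bmod p$ for step 6, and a generalized Chinese remainder routine performs step 7 with the non-coprime moduli $\mathrm{ord}(\lambda_1) = 6$ and $\mathrm{ord}(\lambda_2) = 3$. That the size-2 block contributes exactly a factor $p$ to $\mathrm{ord}(A)$ is my reading of the Menezes-Wu order formula for $t = 2 \le p$; the slides only write the factor as $p^{\{t\}}$.

```python
from math import gcd

p = 7                       # the field F_7 (constructed choice)
lam1, lam2 = 3, 2           # eigenvalues: ord(3) = 6 and ord(2) = 3 in F_7^*
J = [[lam1, 1, 0],          # J_A = J_2(lam1) (+) J_1(lam2); largest block has size t = 2
     [0, lam1, 0],
     [0, 0, lam2]]
Q     = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]     # change of basis (constructed)
Q_inv = [[1, -1, 1], [0, 1, -1], [0, 0, 1]]   # Q^{-1}; entries are reduced mod p below

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % p for j in range(n)] for i in range(n)]

def mat_pow(X, e):
    R = [[int(i == j) for j in range(len(X))] for i in range(len(X))]
    for _ in range(e):
        R = mat_mul(R, X)
    return R

A = mat_mul(mat_mul(Q, J), Q_inv)          # A = Q J_A Q^{-1}, so Q^{-1} A^l Q = J_A^l

def mult_order(x):
    """ord(x) in F_p^*; brute force stands in for factoring p - 1 (slide 14, step 4)."""
    e, y = 1, x % p
    while y != 1:
        y, e = y * x % p, e + 1
    return e

def dlog_fp(base, target):
    """Smallest l with base^l = target in F_p; brute force stands in for Shor (step 5)."""
    y = 1
    for l in range(p):
        if y == target % p:
            return l
        y = y * base % p
    raise ValueError("no discrete logarithm")

def crt_general(congruences):
    """Generalized CRT (step 7): moduli need not be coprime; returns (l mod L, L = lcm)."""
    a, m = 0, 1
    for ai, mi in congruences:
        g = gcd(m, mi)
        if (ai - a) % g:
            raise ValueError("inconsistent congruences")
        mi_g = mi // g                      # gcd(m // g, mi_g) = 1, so the inverse exists
        t = ((ai - a) // g) * pow(m // g, -1, mi_g) % mi_g if mi_g > 1 else 0
        a, m = (a + m * t) % (m * mi_g), m * mi_g
    return a, m

def solve_dlp(B):
    """Given B = A^l, recover l mod ord(A) = lcm(ord(lam1), ord(lam2)) * p."""
    C = mat_mul(mat_mul(Q_inv, B), Q)      # C = J_A^l = J_2(lam1)^l (+) lam2^l
    # first diagonal entries of the blocks are lam_i^l: two DLPs in F_p
    l1 = dlog_fp(lam1, C[0][0])
    l2 = dlog_fp(lam2, C[2][2])
    # (J_2(lam)^l)_{12} = l * lam^(l-1), so l mod p = C[0][1] * lam * (lam^l)^{-1}.
    # A block of size t = 2 <= p has unipotent part of order p, so the p^{{t}} factor
    # of slide 13 is p here (my reading of Menezes-Wu; the slides do not spell it out).
    j = C[0][1] * lam1 * pow(C[0][0], -1, p) % p
    return crt_general([(l1, mult_order(lam1)), (l2, mult_order(lam2)), (j, p)])

if __name__ == "__main__":
    l, L = solve_dlp(mat_pow(A, 25))
    print(f"recovered l = {l} mod {L}")     # 25 mod 42
```

The point of the slides' "Need to know $\mathrm{ord}(\lambda_i)$!" is visible in `crt_general`: the moduli 6, 3 and 7 are what make the combination well defined, and without $\mathrm{ord}(\lambda_i)$ the residues $l_i$ alone do not pin down $l \bmod \mathrm{ord}(A)$.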

  15. DLP reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.
  If $A$ is singular then $J_A = N \oplus Z$, where $N$ is the non-singular block and $Z$ is the singular block. It is easy to see that $Z^r = 0$, where $r$ is the size of the largest singular Jordan block in $Z$. Then
  $$A^r = S^{-1} (N \oplus Z)^r S = S^{-1} (N^r \oplus 0) S = S^{-1} (N^{r + \mathrm{ord}(N)} \oplus 0) S.$$
  • $\mathrm{ord}(N)$ can be computed as in Menezes-Wu.
  • $r$ is the size of the largest singular Jordan block.

  16. DLP reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.
  To solve an instance $(A, B)$ of the DLP in $M_n(\mathbb{F}_q)$:
  1. Describe the Jordan normal forms of $A$ and $B$.
  2. $N_A, N_B$ are the non-singular blocks and $Z_A, Z_B$ are the singular blocks, all described as direct sums of their Jordan blocks.
  3. Solve the DLP for $(N_A, N_B)$ and obtain the number $l'$ such that $N_B = N_A^{l'}$ and $l' \le \mathrm{ord}(N_A)$.
  4. If $l' \ge r$, then $l'$ is the solution because $Z_A^{l'} = Z_B^{l'} = 0$:
  $$B = S^{-1}(N_B \oplus Z_B) S = S^{-1}(N_A^{l'} \oplus 0) S = S^{-1}(N_A^{l'} \oplus Z_A^{l'}) S = A^{l'}.$$
  5. If $l' < r$, then the solution must belong to the set
  $$\{\, l' + c \cdot \mathrm{ord}(N_A) \mid c \in \mathbb{N} \cup \{0\},\ l' + (c-1) \cdot \mathrm{ord}(N_A) \le r \,\},$$
  which contains no more than $n$ numbers.
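The script below is an added worked example of the singular-matrix procedure on slides 15 and 16; it is not code from the slides. A $4 \times 4$ matrix over $\mathbb{F}_7$ is built as $A = S^{-1}(N_A \oplus Z_A) S$ from a constructed non-singular block $N_A$, a nilpotent Jordan block $Z_A$ of size $r = 2$ and a constructed basis change $S$, so steps 1 and 2 (the Jordan data) are taken as known. Step 3, the DLP on the non-singular block, is done by brute force in place of the Menezes-Wu reduction, and $\mathrm{ord}(N_A)$ is likewise found by brute force; the interesting part is steps 4 and 5, where $l' < r$ forces a walk through the candidate set $\{l' + c \cdot \mathrm{ord}(N_A)\}$.

```python
p = 7                                   # the field F_7 (constructed choice)

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % p for j in range(n)] for i in range(n)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_pow(X, e):
    R = identity(len(X))
    for _ in range(e):
        R = mat_mul(R, X)
    return R

def direct_sum(X, Y):
    n, m = len(X), len(Y)
    return [[X[i][j] if i < n and j < n else (Y[i - n][j - n] if i >= n and j >= n else 0)
             for j in range(n + m)] for i in range(n + m)]

def mat_order(N):
    """ord(N) of a non-singular block by brute force (the slides use Menezes-Wu)."""
    e, P = 1, N
    while P != identity(len(N)):
        P, e = mat_mul(P, N), e + 1
    return e

def nilpotency_index(Z):
    """Smallest r with Z^r = 0, i.e. the size of the largest singular Jordan block."""
    n = len(Z)
    zero = [[0] * n for _ in range(n)]
    r, P = 1, Z
    while P != zero:
        if r > n:
            raise ValueError("Z is not nilpotent")
        P, r = mat_mul(P, Z), r + 1
    return r

# Jordan data of A, assumed known (slide 16, steps 1-2): A = S^{-1} (N_A (+) Z_A) S
N_A = [[3, 0], [0, 2]]                  # non-singular block, ord(N_A) = lcm(6, 3) = 6
Z_A = [[0, 1], [0, 0]]                  # singular Jordan block of size r = 2
S     = [[1, 0, 1, 0], [0, 1, 0, 1], [0, 0, 1, 0], [0, 0, 0, 1]]    # constructed, invertible
S_inv = [[1, 0, -1, 0], [0, 1, 0, -1], [0, 0, 1, 0], [0, 0, 0, 1]]
A = mat_mul(mat_mul(S_inv, direct_sum(N_A, Z_A)), S)

def solve_singular_dlp(B):
    """Return some l with A^l = B, following slide 16 for an instance B = A^k."""
    n = len(N_A)
    D = mat_mul(mat_mul(S, B), S_inv)   # = N_B (+) Z_B in the same basis
    N_B = [row[:n] for row in D[:n]]
    ord_N = mat_order(N_A)
    # step 3: DLP on the non-singular blocks, 1 <= l' <= ord(N_A)
    l = next(e for e in range(1, ord_N + 1) if mat_pow(N_A, e) == N_B)
    r = nilpotency_index(Z_A)
    if l >= r:                          # step 4: the singular parts have already vanished
        return l
    # step 5: try l' + c*ord(N_A) while l' + (c-1)*ord(N_A) <= r (at most n candidates)
    c = 0
    while l + (c - 1) * ord_N <= r:
        candidate = l + c * ord_N
        if mat_pow(A, candidate) == B:
            return candidate
        c += 1
    raise ValueError("no solution found")

if __name__ == "__main__":
    for k in (1, 4, 7, 13):
        print(k, "->", solve_singular_dlp(mat_pow(A, k)))
```

For $k = 7$ the non-singular block gives $l' = 1 < r = 2$, and $A^1 \ne A^7$ because $Z_A \ne Z_A^7 = 0$, so the candidate $l' + \mathrm{ord}(N_A) = 7$ is the one that matches; for $k = 13$ the same candidate $7$ is returned, which is a valid answer since $A^7 = A^{13}$.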

  17. Protocol by Kahrobaei et al.
  • Let $M \in M_3(\mathbb{F}_7[S_5])$ and let $a$ be secret.
  • To solve the DLP instance $(M, M^a)$:
  1. Reduce the DLP in $M_3(\mathbb{F}_7[S_5])$ to the DLP in $M_{360}(\mathbb{F}_7)$: $(M, M^a) \to (\varphi(M), \varphi(M^a))$.
  2. Further reduce the DLP $(\varphi(M), \varphi(M^a))$ to a problem in some extension of $\mathbb{F}_7$.
  3. Apply the quantum algorithm.

  18. Protocol by Kahrobaei et al.
  • 30% of uniformly randomly generated matrices $M \in M_3(\mathbb{F}_7[S_5])$ have $M^* \in GL_{360}(\mathbb{F}_7)$.
  • This means that 30% of the instances of the DLP in $M_3(\mathbb{F}_7[S_5])$ reduce to an invertible matrix over $\mathbb{F}_7$, and the fixed Menezes-Wu reduction works for them.
  • 70% of the instances require the generalized technique.
