Search Problems in Groups Pavel Morar Stevens Institute of - PowerPoint PPT Presentation

Search Problems in Groups Pavel Morar Stevens Institute of Technology Geometric and Asymptotic Group Theory with Applications, May 30, 2013 Joint work with Sasha Ushakov

Wagner-Magyarik Public Key Cryptosystem (1984) Private key: A finite group presentation G ′ = � X | R ∪ S � that has a polynomial time algorithm A to solve the Word Problem for it. Public key: A finite group presentation G = � X | R � with the hard Word Problem, two words w 0 , w 1 not equivalent in G ′ . Encryption of a bit i ∈ { 0 , 1 } : Rewrite w i randomly applying a number of elementary transformations corresponding to G. Decryption of w: Run algorithm A to decide which of ww − 1 0 and ww − 1 is the identity in G. 1

Elementary Transformations of a word w for G ∽ � X | R � (T1) Insertion of r ∈ R (or r − 1 ) or a word of the form x i x − 1 (or x − 1 x i ) for x i ∈ X in any position of w . i i (T2) Deletion of a subword of w of the form r ∈ R (or r − 1 ) or x i x − 1 (or x − 1 x i ) for x i ∈ X from w . i i

Word Problems Word problem : Decide if a word w ∈ ( X ± ) ∗ represents the identity of G . Word Choice problem : Given two words w 0 , w 1 ∈ ( X ± ) ∗ and a word w ∈ ( X ± ) ∗ equivalent to either w 0 or w 1 , decide if w is equivalent to w 0 in G . Wagner-Magyarik PKC is based on the Word Choice problem rather than on the Word Problem. [Birget, Magliveras, Sramka] Word Search problem : Given a word w ∈ ( X ± ) ∗ such that w = G 1 find a witness that it is really the identity in G . Example of a witness for the Word Search Problem is the decomposition w = Π n i = 1 u − 1 r ε i i u i , where r i ∈ R , u i ∈ F ( X ) , and ε i ∈ {− 1 , 1 } . i

Analysis of Wagner-Magyarik PKC González Vasco, M. I. and Steinwandt R., A Reaction Attack on a Public Key Cryptosystem Based on the Word Problem , Applicable Algebra Engineering, Communication and Computing, 14(5): 335-340, 2004 Birget, J.-C., Magliveras, S. and Sramka, M., On public-key cryptosystems based on combinatorial group theory , Tatra Mountains Mathematical Publications, 33, 2006 Levy-dit-Vehel, F ., Perret L., On the Wagner-Magyarik Cryptosystem , Coding and Cryptography, Lecture Notes in Computer Science, 3969: 316-329, 2006 Levy-dit-Vehel, F ., Perret L., Security analysis of word problem-based cryptosystems, Designs, Codes and Cryptography, 54(1): 29-41, 2010

Our Motivation Question Given a finite group presentation, how to sample words equivalent to a given one such that it would be hard to check their equivalence?

Generation of Random Identities Fix a finite G = � X | R � and define x i | x i ∈ X } ∪ { r , r − 1 | r ∈ R } I ( G ) = { x i x − 1 , x − 1 i i Algorithm Input: an integer N > 0 . Output: an identity w . 1: Start with w 0 = ε 2: for n = 1 to N do Insert a uniformly random element of I ( G ) into a uniformly 3: random position of w n − 1 to get w n 4: end for 5: return w N .

Example � a , b | a 5 , b 3 , b 2 a � G = , N = 5. w 0 = ε

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 1 = aa − 1

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 2 = aa − 1 bbb

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 3 = aa − 1 aaaaabbb

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 4 = aa − 1 aaa − 1 b − 1 b − 1 aaabbb

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 5 = aa − 1 aaa − 1 b − 1 b − 1 aab − 1 babbb

Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w = w 5 = ab − 1 b − 1 a 3 b 3

� Example � a , b | a 5 , b 3 , b 2 a � G = , N = 5. w 0 = ε van Kampen Diagram •

� � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 1 = aa − 1 van Kampen Diagram a •

� � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 2 = aa − 1 bbb van Kampen Diagram a b • b b

� � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 3 = aa − 1 aaaaabbb van Kampen Diagram a b a • a b a b a a

� � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 4 = aa − 1 aaa − 1 b − 1 b − 1 aaabbb van Kampen Diagram a b a • a a b a b b a b a

� � � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 5 = aa − 1 aaa − 1 b − 1 b − 1 aab − 1 babbb van Kampen Diagram a b a • a a b a b b a b a b

� � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w = w 5 = ab − 1 b − 1 a 3 b 3 van Kampen Diagram b a b • a b a b b a a

� � � � � � � � � � � � � � � � � � � � � � � � � � � Measure of Complexity - Depth a , b | aba − 1 b − 1 � � G = . Depth = 3. a � a � a � a � a � a � Definition (Depth of van Kampen diagram) b b b b b b b a � a � a � a � a � a � The maximum of the b b b b b b b a � a � a � a � a � a � • vertex distances from its b � b b b b b b vertices to its boundary. a � a � a � a � a � a � b b b b b b b a � a � a � a � a � a � • It follows from [1] that if w has a diagram with O ( log N ) depth, then there is a Poly ( N ) algorithm to check that it is the identity, which also provides a witness (a solution to the Word Search Problem). A. Myasnikov, A. Ushakov, Random van Kampen diagrams and algorithmic problems in groups , Groups - Complexity - Cryptology, Volume 3, Issue 1, 2011

� Example � a , b | a 5 , b 3 , b 2 a � G = , N = 5. w 0 = ε van Kampen Diagram Tree • •

� � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 1 = aa − 1 van Kampen Diagram Tree a • •

� � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 2 = aa − 1 bbb van Kampen Diagram Tree a b • • b b

� � � � � � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 3 = aa − 1 aaaaabbb van Kampen Diagram Tree a b a • • a b a b a a

� � � � � � � � � � � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 4 = aa − 1 aaa − 1 b − 1 b − 1 aaabbb van Kampen Diagram Tree a b a • • a a b a b b a b a

� � � � � � � � � � � � � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w 5 = aa − 1 aaa − 1 b − 1 b − 1 aab − 1 babbb van Kampen Diagram Tree a b a • • a a b a b b a b a b

� � � � � � � � � � � � � � � � � � � � � Example a , b | a 5 , b 3 , b 2 a � � G = , N = 5. w = w 5 = ab − 1 b − 1 a 3 b 3 van Kampen Diagram D Tree T b a b • • a b a b b a a

Bound on Diagram Depth Suppose w is the word produced by the algorithm after N steps, D the corresponding diagram, T the corresponding tree. Lemma depth ( D ) ≤ 2 height ( T )

Random Tree Height We use the theory of Crump-Mode-Jagers branching processes and random trees (Crump, Mode, Jagers, Kingman, Biggins, Pittel, Grey, etc) to show that the height of the tree T is O ( log N ) with probability 1 as N → ∞ . Theorem We have depth ( D ) ≤ C < ∞ log N with probability 1 as N → ∞ , where C = C ( G ) .

Result Theorem There is an algorithm that checks that the words generated by the algorithm are identities in G for almost all such words in polynomial in N time as N → ∞ .

Generation of Random Equal Words Just start with a word w ′ instead of the identity. Algorithm Input: an integer N > 0 , a word w ′ . Output: a word w equivalent to w ′ in G . 1: Start with w 0 = w ′ . 2: for n = 1 to N do Insert a uniformly random element of I ( G ) into a uniformly 3: random position of w n − 1 to get w n . 4: end for 5: return w N . Theorem There is an algorithm that checks that the words produced by the equal words generator are equal to w ′ in G for almost all such words in polynomial in N time as N → ∞ .

Other Dehn Problems Conjugacy problem : Decide if given words u , v ∈ ( X ± ) ∗ represent conjugate elements of G , i.e., if there exists x ∈ G such that u = G v x . Uniform Subgroup Membership problem : Given a tuple of words h 1 , . . . , h k , h decide if h represents an element of � h 1 , . . . , h k � , i.e., if h = h ε 1 i 1 . . . h ε m i m for some 1 ≤ i j ≤ k and ε j = ± 1. It is possible to define a conjugacy or membership-based versions of Wagner-Magyarik PKC.

Generation of Random Conjugate Fix a finite group presentaiton G = � X | R � . Algorithm Input: N > 0 , a word w ′ . Output: a word w conjugate to w ′ . 1: Generate u equal to w ′ using the algorithm for equal words. 2: return The cyclic reduction of a random cyclic permutation of u .