Introduction Platform Group DH using semigroups Cramer-Shoup cryptosystem Using matrices over group rings
A CCA-2 SECURE CRYPTOSYSTEM USING MATRICES
OVER GROUP RINGS
Second Exam of Severin Ngnosse, CUNY Graduate Center, CS
Committee members: D. Kahrobaei (Mentor), B. Khan, V. Shpilrain, X. Zhang
D. Kahrobaei, C. Koupparis, and V. Shpilrain, A CCA secure cryptosystem using matrices over group rings, Contemporary Mathematics, American Mathematical Society, 9 pages, to appear in 2015, http://arxiv.org/abs/1403.3660.
D. Kahrobaei, C. Koupparis, and V. Shpilrain, Public key exchange using matrices over group rings, Groups, Complexity, and Cryptology 5 (2013), 97–115.
V. Shoup, Why chosen ciphertext security matters, IBM Research Report RZ3076, November, 1998.
R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Proc. Crypto ’98.
September 5th, 2014
1 Introduction
2 Platform Group
   Group Rings
   Benefits
3 DH using semigroups
   Computational Diffie-Hellman & Decision Diffie-Hellman
   Experimental results
4 Cramer-Shoup cryptosystem
   Cramer-Shoup Cryptosystem
   Classical
5 Using matrices over group rings
   Security
   Experimental Results
   Other Parameters
MOTIVATION
Current cryptographic protocols rely heavily on commutative groups, usually the integers mod n.
Many existing attacks (or proposed new ones) use commutativity of the platform as a point of weakness for the encryption scheme.
Therefore, proposed new protocols need to be ever more sophisticated/lengthy/clever to survive known attacks.
Group Ring
Definition
Let $G$ be a multiplicative group and let $R$ be a commutative ring with nonzero unity. The set $R[G]$ of all formal sums
$$\sum_{g_i \in G} r_i g_i$$
(where $r_i \in R$ are almost all equal to zero) is called the group ring.
Operations on a Group Ring
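We define the sum of two elements in $R[G]$ by
$$\left(\sum_{g_i \in G} a_i g_i\right) + \left(\sum_{g_i \in G} b_i g_i\right) = \sum_{g_i \in G} (a_i + b_i) g_i.$$
Note that $a_i$ and $b_i$ are almost all equal to zero, hence the above sum is in $R[G]$. Thus $(R[G], +)$ is an abelian group.
Multiplication of two elements of $R[G]$ is defined as follows:
$$\left(\sum_{g_i \in G} a_i g_i\right)\left(\sum_{g_i \in G} b_i g_i\right) = \sum_{g_i \in G} \left(\sum_{g_j g_k = g_i} a_j b_k\right) g_i.$$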
Choice of Platform
The platforms chosen here are sets of matrices (of a small size) over a group ring, with the usual matrix multiplication operation.
Specifically, focus will be given to matrices over the group ring $\mathbb{Z}_n[S_m]$, where $\mathbb{Z}_n$ is the ring of integers modulo $n$ and $S_m$ is the symmetric group of degree $m$.
Choice of $\{k, n, m\}$ for $M_k(\mathbb{Z}_n[S_m])$
$2 \times 2$ or $3 \times 3$ matrices over $\mathbb{Z}_n[S_5]$ (where $n = 3$, $5$ or $7$).
$\mathbb{Z}_7[S_5]$ is preferred, as this provides for a large key space ($7^{480}$ for $2 \times 2$ matrices and $7^{1080}$ for $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$).
Storing a single $2 \times 2$ matrix over $\mathbb{Z}_7[S_5]$ requires about 1350 bits, and a single $3 \times 3$ matrix about 3030 bits. Keys are roughly the same size as in the classical schemes.
Benefits I
The groups are simple to compute with and store, while their size increases the security of any scheme.
Multiplication of matrices over $\mathbb{Z}_7[S_5]$ is simpler and possibly faster than multiplication in $\mathbb{Z}_p$ for large $p$. We can store the small multiplication table for $S_5$. Hence, there is no actual multiplication involved, just re-arranging a bit string of length 120.
Benefits II
$S_5$ only admits one non-trivial automorphism, so group theoretic attacks don’t reveal much (we can replace $S_5$ with $A_5$).
Our platform proves too large or complicated for standard attacks (baby-step giant-step, Pohlig-Hellman, Pollard’s rho algorithm).
Diffie-Hellman
Diffie-Hellman using matrices over a group ring
Alice and Bob want to share a secret key. They both agree on a platform set. (Here it will be a set of matrices over a group ring.)
Alice chooses a public matrix $M \in M_3(\mathbb{Z}_7[S_5])$, and a private large positive integer $a$.
Alice computes $M^a$, and publishes $(M, M^a)$.
Bob chooses another large integer $b$, and computes and publishes $(M^b)$.
Both Alice and Bob can now compute the same shared secret key $K = (M^a)^b = (M^b)^a$.
As noted, computations in $M_3(\mathbb{Z}_7[S_5])$ are efficient, and, of course, we can use the “square and multiply algorithm” for exponentiation.
Computational Diffie-Hellman
The security of the Diffie-Hellman key exchange relies on the assumption that it is computationally hard to recover $M^{ab}$ from the public information $(M, M^a, M^b)$.
For a given group $G$, one can define a Diffie-Hellman algorithm $F$, where upon input of $(g, g^a, g^b)$ the algorithm outputs $g^{ab}$, i.e. $F(g, g^a, g^b) = g^{ab}$. We say that a group $G$ satisfies the CDH assumption if no such efficient algorithm $F$ exists for $G$.
Computational Diffie-Hellman
Definition (Boneh)
A CDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and sufficiently large $n \in \mathbb{N}$,
$$P[F(g, g^a, g^b) = g^{ab}] > \frac{1}{n^{\alpha}}.$$
The probability is over a uniformly random choice of $a$ and $b$.
We say that the group $G$ satisfies the CDH assumption if there is no CDH function for $G$.
Computational Diffie-Hellman
CDH by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes.
For example, even if CDH is true, one may be able to predict 80% of the bits of $g^{ab}$ with reasonable confidence.
One must be able to bound the information one can extract about secret keys from $g$, $g^a$ and $g^b$. This is formally expressed by the much stronger Decision Diffie-Hellman (DDH) assumption.
Decision Diffie-Hellman
Definition (Boneh)
A DDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and sufficiently large $n$,
$$\left| P[F(g, g^a, g^b, g^{ab}) = \text{“True”}] - P[F(g, g^a, g^b, g^c) = \text{“True”}] \right| > \frac{1}{n^{\alpha}}.$$
The probability is over a uniformly random choice of $a$, $b$ and $c$.
We say the group $G$ satisfies the DDH assumption if there is no DDH algorithm for $G$. Essentially, the DDH assumption implies that there is no efficient algorithm which can distinguish between the two probability distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$, where $a, b, c$ are chosen at random.
Experimental Results
Some experimental results have been obtained using sets of matrices over group rings as platform. Specifically, these results
show the time it takes to compute powers of a given random matrix in $M_{2\times 2}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_3[S_5])$.
show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and random integers $a, b, c$ in $\mathbb{N}$, it is not possible to distinguish between the distributions generated by $(M^a, M^b, M^{ab})$ and $(M^a, M^b, M^c)$.
show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a random integer $a$, it is not possible to extract information about $a$ from $M$ and $M^a$. In other words, the distributions generated by $(M^a)$ and a random matrix $(N)$ are indistinguishable.
Computational Time
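Group Ring                  Exponent       Time (s)
$M_2(\mathbb{Z}_2[S_5])$    $10^{10}$      0.17
$M_2(\mathbb{Z}_2[S_5])$    $10^{100}$     1.90
$M_2(\mathbb{Z}_2[S_5])$    $10^{1000}$    16.83
$M_2(\mathbb{Z}_3[S_5])$    $10^{10}$      0.15
$M_2(\mathbb{Z}_3[S_5])$    $10^{100}$     1.63
$M_2(\mathbb{Z}_3[S_5])$    $10^{1000}$    16.60
$M_3(\mathbb{Z}_2[S_5])$    $10^{10}$      0.53
$M_3(\mathbb{Z}_2[S_5])$    $10^{100}$     5.34
$M_3(\mathbb{Z}_3[S_5])$    $10^{10}$      0.55
$M_3(\mathbb{Z}_3[S_5])$    $10^{100}$     5.49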
Experimental DDH Verification
In order to test the DDH assumption two distributions are considered: one generated by the tuple $M^{ab}$ and the other generated by $M^c$. $a$ and $b$ are chosen randomly from the interval $[10^{25}, 10^{26}]$, and $c$ is randomly chosen from $[10^{50}, 10^{52}]$.
To get a clear picture of how elements are distributed in the matrices, we created a table with the distribution of elements of $S_5$ for each entry of the matrices.
We produced Q-Q plots of entries of $M^{ab}$ versus entries of $M^c$. (A Q-Q plot, or Quantile-Quantile plot, is a graphical method for comparing 2 probability distributions by plotting their quantiles against each other.)
If these distributions are indistinguishable, then the final Q-Q plots should be straight lines.
Experimental Results
Figure: DDH results
Experimental Results
Figure: DDH results
Experimental Results
Figure: Randomness of $M^a$
Cramer Shoup Cryptosystem
Cramer-Shoup cryptosystem is a generalization of ElGamal
Key exchange problems.
It is provably secure against adaptive chosen ciphertext attack.
The proof of security relies on a standard intractability
assumption, namely the hardness of the Diffie-Hellman
decision problem in the underlying group.
Provable security against adaptive chosen ciphertext attack
A formal definition of security against active attacks evolved
in a sequence of papers by Naor and Yung, Rackoff and
Simon, Dolev, Dwork and Naor. The notion is called chosen
ciphertext security or, equivalently, non-malleability.
The intuitive idea behind this definition is that even if
an adversary can get arbitrary ciphertexts of his choice
decrypted, he still gets no partial information about
other encrypted messages.
Provable security against adaptive chosen ciphertext attack
We define the following game, which is played by the adversary.
First, we run the encryption scheme’s key generation
algorithm, with the necessary input parameters.
In particular, one can input a binary string in $\{0, 1\}^n$, which
describes the group $G$ on which the algorithm is based.
The adversary is then allowed to make arbitrary queries to the
decryption oracle, decrypting ciphertexts of his choice, except
the target one.
Provable security against adaptive chosen ciphertext attack
The adversary then chooses two messages, $m_0$ and
$m_1$, and submits them to the encryption oracle. The oracle chooses
a random bit $b \in \{0, 1\}$, encrypts $m_b$ and submits the
encrypted message to the adversary.
Upon receipt of the ciphertext, the adversary is allowed to
continue querying the decryption oracle.
At the end of the game, the adversary must output
b′ ∈ {0, 1}, which is the adversary’s best guess as to the value
of b.
Provable security against adaptive chosen ciphertext attack
The probability of success for the adversary is defined by
$$P(b' = b) = 1/2 + \varepsilon(n).$$
$\varepsilon(n)$ is called the adversary’s advantage, and $n \sim |G|$.
We say the cryptosystem is CCA-2 secure if the advantage of
the adversary is negligible.
Note that a negligible function is a function that grows slower
than any inverse polynomial, $n^{-c}$, for any particular constant
$c$ and large enough $n$.
Cramer-Shoup Basic Scheme
Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_q$
Public Key:
$g_1, g_2$ in $G$ (but not 1)
$c = g_1^{x_1} g_2^{x_2}$
$d = g_1^{y_1} g_2^{y_2}$
$h = g_1^{z}$
$H$ = hash function chosen from a one-way universal family.
Cramer-Shoup Basic Scheme
Encryption of $m \in G$: $(u_1, u_2, e, v)$, where
$u_1 = g_1^{r}$
$u_2 = g_2^{r}$
$e = h^{r} m$
$v = c^{r} d^{r\alpha}$
$r \in \mathbb{Z}_q$ is random
$\alpha = H(u_1, u_2, e)$.
Cramer-Shoup Basic Scheme
Decryption of $(u_1, u_2, e, v)$:
If $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$,
where $\alpha = H(u_1, u_2, e)$,
then $m = e / u_1^{z}$,
else “reject”.
Cramer-Shoup Basic Scheme
Theorem
The Cramer-Shoup cryptosystem is secure against adaptive chosen
ciphertext attack assuming that
1 The hash function H is chosen from a universal one-way
family.
2 The Diffie-Hellman decision problem is hard in the group G .
A CCA-2 secure cryptosystem using matrices over group
rings
In a paper by Kahrobaei-Koupparis and Shpilrain, the authors proposed a public key exchange using matrices over group rings. They offer a public key exchange protocol in the spirit of Diffie-Hellman, but they use matrices over a group ring of a (rather small) symmetric group as the platform and discuss security of this scheme by addressing the Decision Diffie-Hellman (DDH) and Computational Diffie-Hellman (CDH) problems for that platform.
A CCA-2 secure cryptosystem using matrices over group
rings
Under the proposed platform, they show that an encryption scheme similar to the Cramer-Shoup scheme is CCA-2 secure. The protocol is as follows:
Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_n$
Public Key:
$3 \times 3$ non-identity matrices $M_1, M_2 \in M_{3\times 3}(\mathbb{Z}_7[S_5])$ such that $M_1$ is invertible and $M_1 M_2 = M_2 M_1$
$c = M_1^{x_1} M_2^{x_2}$, $d = M_1^{y_1} M_2^{y_2}$
$h = M_1^{z}$.
A CCA-2 secure cryptosystem using matrices over group
rings
Encryption of a message $N \in M_{3\times 3}(\mathbb{Z}_7[S_5])$: $E(N) = (u_1, u_2, e, v)$, where
$u_1 = M_1^{r}$, $u_2 = M_2^{r}$, $e = h^{r} N$, $v = c^{r} d^{r\alpha}$, $r \in \mathbb{Z}_n$ is random, and $\alpha = H(u_1, u_2, e)$.
A CCA-2 secure cryptosystem using matrices over group
rings
Decryption of $(u_1, u_2, e, v)$:
If $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, where $\alpha = H(u_1, u_2, e)$,
then $N = (u_1^{z})^{-1} e$ (note that $u_1$ is invertible since $M_1$ is chosen to be invertible),
else “reject”.
A CCA-2 secure cryptosystem using matrices over group
rings
Remarks:
$M_1$ must always be chosen to be an invertible matrix, whereas
$M_2$ is just any matrix such that $M_1 M_2 = M_2 M_1$.
One must also decide what group $\mathbb{Z}_n$ to use, i.e., $n$ must be
specified.
A CCA-2 secure cryptosystem using matrices over group
rings
As in the theorem proved by Cramer-Shoup mentioned above, the goal is to show that for random invertible matrices over $M_{3\times 3}(\mathbb{Z}_7[S_5])$, if the DDH problem is hard, then the previously mentioned cryptosystem is secure against adaptive chosen ciphertext attack. More formally, the following result is obtained:
A CCA-2 secure cryptosystem using matrices over group
rings
Theorem
The Cramer-Shoup cryptosystem using the semigroup
$G = M_{3\times 3}(\mathbb{Z}_7[S_5])$ is secure against adaptive chosen ciphertext
attack assuming that
1 the hash function H is chosen from a universal one-way
family, and
2 the Diffie-Hellman decision problem is hard in the group G .
Adaptive Chosen Ciphertext Attacks (CCA-2)
CCA-2 Security
Run the encryption scheme’s key generation algorithm.
Make any number of random queries to the decryption oracle.
At some point, submit two messages to the encryption oracle.
The oracle will choose one message and will return its
ciphertext.
Eventually, continue with random queries.
Finally, decide which of the two messages has been encrypted.
We say a cryptosystem is CCA-2 secure if the adversary’s advantage is negligible.
CCA-2 Security
As a reminder, the original Cramer-Shoup scheme is CCA-2 secure
provided
The hash function is suitably chosen
The Decision Diffie-Hellman problem is hard in the platform
group
Proof of CCA-2 Security
The proof that the DDH problem is hard in this scheme under the
chosen platform employs the same analysis as in the
Diffie-Hellman scheme. The results are similar, i.e. it appears
that this group satisfies the DDH assumption.
The proof that follows is similar to the original one: it
constructs a Decision Diffie-Hellman algorithm for our
platform, which is in direct contradiction with our initial
assumption that DDH is computationally hard in our
semigroup!
Description of a DDH Algorithm
1 Assume that there is an adversary A that can break the
cryptosystem and that our hash function is still chosen from a
universal family of one-way hash functions.
2 Consider an algorithm $D$, which is made of
the adversary’s view of the cryptosystem,
a random bit generator $b \in \{0, 1\}$ unknown to the adversary $A$.
Description of a DDH Algorithm
Our algorithm $D$ receives as input a tuple $(M_1, M_2, M_3, M_4)$.
$D$ will have to determine whether this tuple comes from DH
or it is just a random tuple R.
Description of a DDH Algorithm
Pick random $x_1, x_2, y_1, y_2, z$ in $\mathbb{Z}_n$ and a universal one-way
hash function $H$ as mentioned above.
The adversary $A$ receives the public key PK, which is:
$(M_1, M_2, c = M_1^{x_1} M_2^{x_2}, d = M_1^{y_1} M_2^{y_2}, h = M_1^{z})$.
Description of a DDH Algorithm
$A$ chooses 2 messages $m_0$ and $m_1$ and passes them to $D$.
$D$ picks $b \in \{0, 1\}$ and passes to $A$ the tuple
$$(M_3, M_4, M_3^{z} m_b, M_3^{x_1 + \alpha y_1} M_4^{x_2 + \alpha y_2}),$$
where $\alpha = H(M_3, M_4, M_3^{z} m_b)$.
With this information, the adversary tries to determine $b$ and
returns its guess $b'$.
Description of a DDH Algorithm
If the adversary’s guess $b' = b$ then $D$ returns “DH”,
otherwise $D$ returns “R”.
As a reminder, inputs that $D$ receives come either from “DH” or from “R”.
Claims
We will argue around 2 main points:
1 If the input for $D$ comes from Diffie-Hellman DH, then the
simulation is nearly perfect, i.e. the adversary will have a
non-negligible advantage in guessing the hidden bit $b$ generated by
the oracle.
2 If the input for $D$ comes from a random distribution R, then
the adversary’s view is independent of $b$, and therefore the
adversary’s advantage is negligible.
Claim
By doing so, we have mounted a DDH algorithm capable of
distinguishing a DH distribution from R
We need to verify 3 claims
General Outline-Claim
$|P(D = \mathrm{DH} \mid \mathrm{DH}) - P(D = \mathrm{DH} \mid \mathrm{R})| < \varepsilon$. This claim is trivial
since $D$ is a PPT algorithm and the DDH assumption holds as
verified previously.
$P(D = \mathrm{DH} \mid \mathrm{DH}) = P_A(\text{Success})$. If we are given a DDH
tuple, then all decryption queries succeed for $A$. Hence the
output of $A$ will match the choice of $b$ with $P_A(\text{Success})$.
General Outline - Claims
$|P(D = \mathrm{DH} \mid \mathrm{R}) - \frac{1}{2}| < \varepsilon$. Since $P(D = \mathrm{DH}) = P(A = b)$, the
proof of this claim relies on the proof of two pieces.
First, we need to show that for all decryption queries where
$u_1 = M_1^{r_1}$ and $u_2 = M_2^{r_2}$ with $r_1 \neq r_2$, the decryption verification
fails with non-negligible probability.
Secondly, we must also show that assuming all invalid
decryptions fail, the adversary $A$ does not learn any additional
information about $z$.
General Outline - Claims
1 The first part of the claim is proved by walking through all
possible cases of invalid decryption queries and showing that
each fails.
2 The second part is proved by appealing to the fact that the
distributions of a random matrix $N$ and of the matrices of the
form $M^a$ that $A$ receives are indistinguishable.
Experimental Results
Figure: DDH results
Experimental Results
Figure: Randomness of $M^a$
Parameters for the Cramer-Shoup-like scheme using
matrices over group rings
Two problems relevant to key generation in the scheme are
addressed
1 How to sample invertible matrices
2 How to sample commuting matrices.
Invertible matrices
Sampling invertible matrices can be done using various techniques. The first method is to construct a matrix which is a product of elementary matrices,
$$M = \prod_{i=1}^{n} E_i,$$
where $E_i$ is any elementary matrix from $M_{3\times 3}(\mathbb{Z}_7[S_5])$. Elementary matrices can be of one of the three types below. In the matrix $T_i(u)$, the element $u$ should be invertible in $\mathbb{Z}_7[S_5]$.
Invertible matrices
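$$T_{i,j} = \begin{pmatrix} 1 & & & & & & \\ & \ddots & & & & & \\ & & 0 & & 1 & & \\ & & & \ddots & & & \\ & & 1 & & 0 & & \\ & & & & & \ddots & \\ & & & & & & 1 \end{pmatrix}$$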
Invertible matrices
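$$T_i(u) = \begin{pmatrix} 1 & & & & & & \\ & \ddots & & & & & \\ & & 1 & & & & \\ & & & u & & & \\ & & & & 1 & & \\ & & & & & \ddots & \\ & & & & & & 1 \end{pmatrix}$$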
Invertible matrices
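$$T_{i,j}(v) = \begin{pmatrix} 1 & & & & & & \\ & \ddots & & & & & \\ & & 1 & & & & \\ & & & \ddots & & & \\ & & v & & 1 & & \\ & & & & & \ddots & \\ & & & & & & 1 \end{pmatrix}$$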
Invertible matrices
With such a choice, it is easy to compute $M^{-1}$ as
$$M^{-1} = \prod_{i=1}^{n} E_{n-i+1}^{-1}.$$
The drawback of generating an invertible matrix this
way is that we do not have a good grasp of the randomness
embedded in this process.
In particular, how large must n be to generate a truly random
matrix?
Invertible matrices
Instead of the previously mentioned method of sampling
random matrices, an alternative solution has been proposed.
Start with an already “somewhat random” matrix, for which it
is easy to compute the inverse.
An example of such a matrix is a lower/upper triangular matrix, with invertible elements on the diagonal:
$$M = \begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix}.$$
Invertible matrices
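Constructing the inverse of this matrix involves solving a matrix equation,
$$M \cdot M^{-1} = I \;\Rightarrow\; \begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix} \cdot \begin{pmatrix} u_1^{-1} & g_4 & g_5 \\ 0 & u_2^{-1} & g_6 \\ 0 & 0 & u_3^{-1} \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
$$\Rightarrow\; g_4 = -u_1^{-1} g_1 u_2^{-1}, \qquad g_5 = u_1^{-1} g_1 u_2^{-1} g_3 u_3^{-1} - u_1^{-1} g_2 u_3^{-1}, \qquad g_6 = -u_2^{-1} g_3 u_3^{-1}.$$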
Invertible matrices
One can therefore consider random products of such invertible
upper and lower triangular matrices.
Since these matrices are more complex than elementary
matrices, it seems reasonable to assume that we arrive at a
more uniform distribution sooner than by simply using
elementary matrices.
In experiments, products of 20 random matrices were used, and
each term of the product was chosen randomly as either a
random invertible upper or lower triangular matrix.
Invertible matrices
As mentioned previously, the benefits of this method are that
inverses are easy to compute and that the chosen matrix
already has a large degree of randomness built in.
In particular, any element of $\mathbb{Z}_7[S_5]$ can be used off the
diagonal, and any invertible elements of the group ring can be
used on the diagonal. These of course include elements such
as $\lambda u \in \mathbb{Z}_7[S_5]$, where $u \in S_5$ and $\lambda \in \mathbb{Z}_7$.
Invertible matrices
Finally, it is important to notice that the order of the group
$GL_3(\mathbb{Z}_7[S_5])$ of invertible $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$ is at least
$10^{313}$.
Indeed, if we only count invertible upper and lower triangular
matrices that we described above, then we already have
$(7 \cdot 120)^3 (7^{120})^3 \sim 10^{313}$ matrices.
Commuting matrices
Now that invertible matrices can be sampled ($M_1$ in
our notation), to sample an arbitrary (i.e., not necessarily
invertible) matrix $M_2$ that commutes with $M_1$ it suffices
to proceed as follows:
Given a matrix $M_1 \in G$, define $M_2 = \sum_{i=1}^{k} a_i M_1^{i}$, where
$a_i \in \mathbb{Z}_7$ are selected randomly.
Clearly $M_1 M_2 = M_2 M_1$.
Commuting matrices
A reasonable choice for $k$ is about 100 as this would yield
$7^{100} \sim 10^{85}$ choices for $M_2$, which is a sufficiently large key
space.
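The platform arithmetic behind the Diffie-Hellman exchange and the two sampling procedures above (invertible $M_1$ from triangular factors, commuting $M_2$ as a polynomial in $M_1$), as an added Python example that is not code from the slides or the cited papers. All function names are hypothetical, and lower triangular factors are obtained by reversing the rows and columns of an upper triangular pair, an assumption the slides do not spell out.

```python
from itertools import permutations
from operator import itemgetter

P, DEG, K = 7, 5, 3                       # platform M_3(Z_7[S_5]); rand_upper assumes K = 3
PERMS = list(permutations(range(DEG)))    # the 120 elements of S_5; PERMS[0] is the identity
IDX = {g: i for i, g in enumerate(PERMS)}
N = len(PERMS)

def g_inv(g):
    return tuple(sorted(range(DEG), key=g.__getitem__))

# Stored multiplication table of S_5: SHIFT[j](b)[i] is the coefficient b_k with g_j g_k = g_i.
SHIFT = [itemgetter(*[IDX[tuple(g_inv(g)[h[x]] for x in range(DEG))] for h in PERMS])
         for g in PERMS]
ZERO, ONE = (0,) * N, (1,) + (0,) * (N - 1)
IDENT = tuple(tuple(ONE if i == j else ZERO for j in range(K)) for i in range(K))

def r_sum(*terms, sign=1):
    return tuple(sign * sum(col) % P for col in zip(*terms))

def r_mul(a, b):
    """Group ring product: the coefficient of g_i is the sum of a_j b_k over g_j g_k = g_i."""
    scaled = [tuple(s * x % P for x in b) for s in range(P)]
    rows = [SHIFT[j](scaled[aj]) for j, aj in enumerate(a) if aj]
    return r_sum(*rows) if rows else ZERO

def m_mul(A, B):
    def entry(i, j):
        return r_sum(*[r_mul(A[i][k], B[k][j]) for k in range(K)])
    return tuple(tuple(entry(i, j) for j in range(K)) for i in range(K))

def m_pow(M, e):
    """Square-and-multiply exponentiation."""
    result = IDENT
    while e:
        if e & 1:
            result = m_mul(result, M)
        M, e = m_mul(M, M), e >> 1
    return result

def rand_unit(rng):
    """A unit lam*u (lam in Z_7 nonzero, u in S_5) and its inverse lam^-1 * u^-1."""
    lam, j = rng.randrange(1, P), rng.randrange(N)
    k = IDX[g_inv(PERMS[j])]
    return (tuple(lam if i == j else 0 for i in range(N)),
            tuple(pow(lam, P - 2, P) if i == k else 0 for i in range(N)))

def rand_upper(rng):
    """Upper triangular M with units on the diagonal, and M^-1 from the page's g4, g5, g6."""
    (u1, i1), (u2, i2), (u3, i3) = [rand_unit(rng) for _ in range(3)]
    g1, g2, g3 = [tuple(rng.randrange(P) for _ in range(N)) for _ in range(3)]
    g4 = r_sum(r_mul(r_mul(i1, g1), i2), sign=-1)
    g6 = r_sum(r_mul(r_mul(i2, g3), i3), sign=-1)
    # g5 = u1^-1 g1 u2^-1 g3 u3^-1 - u1^-1 g2 u3^-1, written with u1^-1 g1 u2^-1 = -g4
    g5 = r_sum(r_mul(r_mul(g4, g3), i3), r_mul(r_mul(i1, g2), i3), sign=-1)
    return (((u1, g1, g2), (ZERO, u2, g3), (ZERO, ZERO, u3)),
            ((i1, g4, g5), (ZERO, i2, g6), (ZERO, ZERO, i3)))

def flip(M):   # reverse rows and columns: upper triangular <-> lower triangular
    return tuple(tuple(reversed(row)) for row in reversed(M))

def rand_invertible(rng, factors=20):
    """Product of random upper/lower triangular factors; returns (M, M^-1)."""
    M, Minv = IDENT, IDENT
    for _ in range(factors):
        T, Tinv = rand_upper(rng)
        if rng.randrange(2):
            T, Tinv = flip(T), flip(Tinv)
        M, Minv = m_mul(M, T), m_mul(Tinv, Minv)   # inverses multiply in reverse order
    return M, Minv

def rand_commuting(M1, rng, k=100):
    """M2 = sum_{i=1..k} a_i M1^i with random a_i in Z_7, evaluated by Horner's rule."""
    acc = tuple((ZERO,) * K for _ in range(K))
    for _ in range(k):
        a = (rng.randrange(P),) + (0,) * (N - 1)     # a_i times the identity
        acc = m_mul(M1, tuple(tuple(r_sum(acc[i][j], a) if i == j else acc[i][j]
                                    for j in range(K)) for i in range(K)))
    return acc

def dh_exchange(M, rng, bits=84):
    """Return Alice's and Bob's keys (M^b)^a and (M^a)^b for random private exponents a, b."""
    a, b = rng.randrange(1, 1 << bits), rng.randrange(1, 1 << bits)
    Ma, Mb = m_pow(M, a), m_pow(M, b)      # the two published matrices
    return m_pow(Mb, a), m_pow(Ma, b)
```

Pass `random.SystemRandom()` as `rng` for real sampling; a seeded `random.Random` makes a run reproducible.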
Other parameters
As mentioned in the introduction of the Cramer-Shoup
algorithm adapted to the chosen platform (i.e. group rings), it
is important to specify the value of $n$ for $\mathbb{Z}_n$.
Based on experiments it has been suggested that $n \sim 10^{100}$.
Other parameters
This seemed a reasonable choice of exponent since it both
allowed quick computations and ensured that the power a
matrix was raised to could not be figured out by brute force
methods alone.
The End! Thank you!