Università degli Studi dell'Aquila Dipartimento di Ingegneria e Scienze dell'Informazione e Matematica
Cryptographic Hierarchies - An Approach
Ankan Pal
work done under the supervision of Prof N Gavioli
BunnyTN 7 Trento, November 16, 2016
Flow
• Lattice Based Cryptography
• Group Based Cryptography
• p-Group Based Cryptography
"Fully Secure Systems do not exist today and they would not Exist in the Future..." - Adi Shamir
Idea [1]
We take one encryption technique and ask whether different security levels can be achieved by varying the underlying algebraic structure while keeping the encryption technique the same.
• Algebraic Structure 1: Security Level - High; Solve Problem X
• Algebraic Structure 2: Security Level - Medium; Solve Problem X
• Algebraic Structure 3: Security Level - Low; Solve Problem X
A V-Shaped Hierarchy
Along with the varying complexity across the created hierarchy, there is also a difference in the type of attack and in encryption-decryption speed. Hence, we propose a V-shaped hierarchy.
• Algebraic Structure 4: Security Level - High; Speed - Low; Solve Problem X
• Algebraic Structure 3: Security Level - Medium; Linear Attack is ineffective; Solve Problem X
• Algebraic Structure 1: Security Level - Low; Solve Problem X
• Algebraic Structure 2: Security Level - Medium; Type of Attack - Linear; Solve Problem X
• Algebraic Structure 5: Security Level - High; Speed - Medium; Solve Problem X
Lattice Based Cryptography
NTRU
Key Generation
Objective: Alice wants to send a message to Bob, so Bob needs to set up his public key
1) He chooses three integers N,p,q with the requirements that gcd(p, q) = 1 and that p << q.
2) Bob then chooses two secret polynomials f and g.
3) f should be invertible mod p and mod q, which means that ∃ polynomials Fp and Fq of degree less than N such that:
Fp * f = e (mod p)
Fq * f = e (mod q)
4) Bob calculates h = Fq * g (mod q)
5) Bob’s public key is (N,p,q,h)
6) Bob’s private key is f
NTRU
Encryption
Alice represents the message, by some prearranged procedure, as a polynomial m of degree less than N. Alice then chooses a polynomial φ and computes:
c ≡ p φ * h + m (mod q)
Decryption
Bob decrypts by first computing a ≡ f * c (mod q), then (usually) recovering the message as
m ≡ Fp * a (mod p)
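The key generation, encryption and decryption steps above, carried through end to end as an added example (not code from the slides): a toy NTRU over Z[x]/(x^N - 1) with constructed parameters N = 11, p = 3, q = 128 and constructed ternary sample polynomials f, g, φ, m. Fp is found by Gaussian elimination on the circulant matrix of f and Fq by Hensel lifting from the inverse mod 2, which is why q is taken as a power of two; with these small ternary polynomials the coefficients of p·φ*g + f*m stay below q/2, so the centred lift in decryption recovers m exactly.

```python
N, P, Q = 11, 3, 128   # constructed toy parameters; q = 2^7 so Hensel lifting applies
def conv(a, b, mod):   # product in Z_mod[x]/(x^N - 1), i.e. cyclic convolution
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def center(a, mod):   # lift coefficients into the centred range [-mod/2, mod/2)
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def inverse_mod_prime(f, p):
    """Invert f mod prime p: Gaussian elimination on the circulant matrix of
    'multiply by f' (column j holds x^j * f), i.e. solve C_f * v = 1 over Z_p."""
    rows = [[f[(i - j) % N] % p for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next(r for r in range(col, N) if rows[r][col])  # StopIteration: f not invertible
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [x * inv % p for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                rows[r] = [(x - rows[r][col] * y) % p for x, y in zip(rows[r], rows[col])]
    return [rows[i][N] for i in range(N)]

def inverse_mod_2k(f, q):   # invert mod 2, then Hensel-lift F <- F * (2 - f*F) up to q = 2^k
    F, m = inverse_mod_prime(f, 2), 2
    while m < q:
        m = min(m * m, q)
        t = [-x % m for x in conv(f, F, m)]   # -(f*F) mod m
        t[0] = (t[0] + 2) % m                 # 2 - f*F
        F = conv(F, t, m)
    return F

def keygen(f, g):   # steps 3-6: Fp, Fq, h = Fq * g (mod q); public (N, p, q, h), private f (with Fp)
    Fp, Fq = inverse_mod_prime(f, P), inverse_mod_2k(f, Q)
    return (N, P, Q, conv(Fq, g, Q)), (f, Fp)

def encrypt(h, m, phi):   # c = p * phi * h + m (mod q)
    return [(P * x + y) % Q for x, y in zip(conv(phi, h, Q), m)]

def decrypt(f, Fp, c):   # a = f * c (mod q) centred, so a = p*phi*g + f*m over Z; m = Fp * a (mod p)
    a = center(conv(f, c, Q), Q)
    return center(conv(Fp, a, P), P)
# Constructed ternary sample polynomials, coefficient lists from degree 0 upward.
F_PRIV = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]
G_PRIV = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]
PHI = [-1, 0, 1, 1, 1, -1, 0, -1, 0, 0, 0]
MSG = [-1, 0, 0, 1, -1, 0, 0, 0, -1, 1, 1]
```

`keygen(F_PRIV, G_PRIV)` followed by `decrypt(f, Fp, encrypt(h, MSG, PHI))` returns MSG; raising the weight of φ or g until p·φ*g + f*m reaches q/2 is the quickest way to see a decryption failure.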
A Short Detour to Algebra using Quaternions and Octonions
Quaternion multiplication table:
 *  |  e   i   j   k
----+----------------
 e  |  e   i   j   k
 i  |  i  −e   k  −j
 j  |  j  −k  −e   i
 k  |  k   j  −i  −e
Octonion multiplication table:
 *  |  e0   e1   e2   e3   e4   e5   e6   e7
----+----------------------------------------
 e0 |  e0   e1   e2   e3   e4   e5   e6   e7
 e1 |  e1  −e0   e3  −e2   e5  −e4  −e7   e6
 e2 |  e2  −e3  −e0   e1   e6   e7  −e4  −e5
 e3 |  e3   e2  −e1  −e0   e7  −e6   e5  −e4
 e4 |  e4  −e5  −e6  −e7  −e0   e1   e2   e3
 e5 |  e5   e4  −e7   e6  −e1  −e0  −e3   e2
 e6 |  e6   e7   e4  −e5  −e2   e3  −e0  −e1
 e7 |  e7  −e6   e5   e4  −e3  −e2   e1  −e0
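The two tables regenerated by the Cayley-Dickson doubling construction, as an added example (not from the slides) that also checks the algebraic properties the lattice hierarchy below rests on: quaternions (QTRU) are non-commutative but associative, octonions (OTRU) are not even associative. The function names and the product convention (a,b)(c,d) = (ac − d*b, da + bc*) are choices made here; with e_i as the i-th basis vector that convention reproduces the slide's tables.

```python
def cd_conj(x):   # conjugate: negate every imaginary coordinate
    return [x[0]] + [-v for v in x[1:]]

def cd_mul(x, y):
    """Cayley-Dickson product (a,b)(c,d) = (ac - d*b, da + bc*), recursing down to the reals:
    length 2 = complex numbers, 4 = quaternions, 8 = octonions."""
    n = len(x)
    if n == 1:
        return [x[0] * y[0]]
    a, b, c, d = x[:n // 2], x[n // 2:], y[:n // 2], y[n // 2:]
    left = [u - v for u, v in zip(cd_mul(a, c), cd_mul(cd_conj(d), b))]
    right = [u + v for u, v in zip(cd_mul(d, a), cd_mul(b, cd_conj(c)))]
    return left + right

def basis(dim, i):   # the unit e_i of the dim-dimensional algebra
    e = [0] * dim
    e[i] = 1
    return e

def basis_product(dim, i, j):
    """e_i * e_j as a signed label such as '-e6' (a basis product is always +-e_k)."""
    prod = cd_mul(basis(dim, i), basis(dim, j))
    k = next(idx for idx, v in enumerate(prod) if v)
    return ('-' if prod[k] < 0 else '') + 'e%d' % k

def mult_table(dim):   # row i, column j, laid out like the tables on the slide
    return [[basis_product(dim, i, j) for j in range(dim)] for i in range(dim)]

def is_commutative(dim):
    es = [basis(dim, i) for i in range(dim)]
    return all(cd_mul(x, y) == cd_mul(y, x) for x in es for y in es)

def is_associative(dim):   # (xy)z == x(yz) on every basis triple; bilinearity gives the rest
    es = [basis(dim, i) for i in range(dim)]
    return all(cd_mul(cd_mul(x, y), z) == cd_mul(x, cd_mul(y, z))
               for x in es for y in es for z in es)

def first_nonassociative_triple(dim):
    """Indices (i, j, k) of the first basis triple with (e_i e_j) e_k != e_i (e_j e_k), else None."""
    for i in range(1, dim):
        for j in range(1, dim):
            for k in range(1, dim):
                x, y, z = basis(dim, i), basis(dim, j), basis(dim, k)
                if cd_mul(cd_mul(x, y), z) != cd_mul(x, cd_mul(y, z)):
                    return (i, j, k)
    return None
```

`mult_table(8)` reproduces the octonion table above, including e2·e4 = e6, and `first_nonassociative_triple(8)` returns (1, 2, 4): (e1e2)e4 = e7 while e1(e2e4) = −e7.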
Lattice Methods*
Quantum resistant, but the encryption-decryption time can be varied.
If the dimension of the lattice is kept constant, the speed varies significantly while the security level stays the same.
* [3] , [5]
• OTRU: Non-Associative; Fast; SVP
• QTRU: Non-Commutative; Medium Speed; SVP
• NTRU: Slowest; SVP
Proposed Hierarchy for Multivariate Variants of Lattice based Cryptography*
• OTWO: Non-Associative; Fast; SVP
• QTWO^: Non-Commutative; Medium Speed; SVP
• NTWO: Slowest; SVP
* [6]
^ The possibility of such a hierarchy is asserted but is subject to ongoing research.
Trade-Off: Speed vs Security
Group Based Cryptography
WSP Hierarchy*
Word Search Problem (WSP): for a word W given in terms of generators of G, find in a finite number of steps whether W = e or not.
Word Search Problem applied to various groups:
* [8], [9], [10], [13]
• Burnside Group: solvable in specific cases; WSP
• Coxeter Group: solvable in specific cases; WSP
• Braid Groups: various stratifications can be created if the index n of the group satisfies n ≥ 5 (vulnerable for index < 5); Linear Attacks are effective; WSP
p-Group Based Cryptography
MOR Cryptosystem
Let G = <g1, g2, . . . , gτ> ; τ ∈ ℕ be a finite group and φ a non-trivial automorphism of G. Alice’s keys are as follows:
Private Key: m ∈ ℕ.
Public Key:
Encryption
a: To send a message (plaintext) a ∈ G, Bob computes φ^r and φ^(mr) for a random r ∈ ℕ
b: The ciphertext is
Decryption
Some Findings*
We will prove that a secure MOR Cryptosystem (secure here means more secure than the discrete logarithm problem (DLP)) can't be built using p-automorphisms of p-Groups.
Proposition: G is a group with p-Automorphism φ ( = e), e being the identity element of the group. We take a φ-invariant Chief Central Series (e = G0 ⊲ G1 ⊲ ... ⊲ Gn-1 ⊲ Gn = G) (every quotient has order p and the terms are normal in G), and there is only one maximal subgroup which is fixed by φ. = e but ≠ e (for the case of 2 maximal subgroups of a p-Group). Why? (If we require that φ has to be the identity on every fixed subgroup; otherwise φ would be the identity on the whole of G.)
We show that the MOR Cryptosystem is equivalent to solving a discrete logarithm problem in the usual sense under these assumptions.
* The result was communicated to the author A Mahalanobis, Assistant Professor, IISER Pune, India
Some Findings
Proof: Since e = G0 ⊲ G1 ⊲ ... ⊲ Gn-1 ⊲ Gn = G is the Chief Central Series, φ is the identity on Gn/Gn-1 and φ fixes Gn-1 pointwise ( = e ).
Now let x ∈ Gn \ Gn-1 and φ(x) = x·l with l ∈ Gn-1.
∴ φ^2(x) = φ(φ(x)) = φ(x·l) = φ(x)·φ(l) = x·l·l = x·l^2
Continuing for n steps we see that φ^n(x) = x·l^n.
Let us consider y ∈ G such that y = x^k·m, where m ∈ Gn-1.
∴ φ(y) = φ(x^k·m) = φ(x^k)·φ(m) = (φ(x))^k·m = (x·l)^k·m = x^k·m·( )·m = y·( )·m = y·g
So g ∈ Gn-1 and φ^s(y) = y·g^s.
Some Findings
So finding the exponent s is equivalent to solving the DLP in the maximal subgroup. Hence, we can see that the MOR Cryptosystem on favorable p-groups* for p-automorphisms provides the same security as solving the DLP in the classical sense (in terms of elements of a proper subgroup).
* A p-group G is called a favorable p-group if there is a non-identity p′-automorphism of the group such that, if the automorphism fixes a proper subgroup H of G, it is the identity on H.
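The reduction in the proof above, instantiated as an added example (not from the slides) on a constructed smallest case: G = Z/p² with p = 7 (written additively), chief central series 0 ⊲ pZ/p² ⊲ G, and the p-automorphism φ(x) = (1+p)·x, which is the identity on G/G_{n-1} and fixes G_{n-1} = pZ/p² pointwise. The public key is assumed to be φ^m given by its image of the generator 1; recovering m then reduces to a discrete log in the subgroup pZ/p², exactly as φ^s(y) = y·g^s states, and since φ has order p only m mod p is defined.

```python
P = 7                    # constructed toy prime; G = Z/p^2 written additively
ORDER = P * P

def phi(x):              # the p-automorphism phi(x) = (1+p)*x (mod p^2); it has order p
    return (1 + P) * x % ORDER

def phi_power(s, x):     # phi^s(x) = (1+p)^s * x (mod p^2)
    return pow(1 + P, s, ORDER) * x % ORDER

def hypotheses_hold():
    """Check the proposition's assumptions on this instance: phi is the identity on
    G/G_{n-1} (x and phi(x) agree mod p) and fixes G_{n-1} = pZ/p^2 pointwise."""
    trivial_on_quotient = all(phi(x) % P == x % P for x in range(ORDER))
    fixes_subgroup = all(phi(P * t) == P * t % ORDER for t in range(P))
    return trivial_on_quotient and fixes_subgroup

def mor_public_key(m):
    """MOR public key phi^m, published (assumed here) as the image of the generator y = 1."""
    return phi_power(m, 1)

def subgroup_dlp(g, target):
    """Discrete log in G_{n-1} (cyclic of order p): the s with s*g == target. Brute force
    suffices for a toy p; this is the 'DLP in the maximal subgroup' of the finding."""
    return next((s for s in range(P) if s * g % ORDER == target), None)

def recover_exponent(pub):
    """phi^s(y) = y.g^s reads y + s*g additively with g = p*y, so pub - y is g^s in G_{n-1}."""
    y = 1
    g = (phi(y) - y) % ORDER   # the l of the proof for x = 1: phi(1) = 1 + p, so g = p
    return subgroup_dlp(g, (pub - y) % ORDER)
```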
Proposed Hierarchy
• p′-Automorphism in the extra-special p-Groups: MOR
• p-Automorphism: MOR
Application Scenarios^
Message Prioritization: We assert that this increases the complexity of the problem, as different parts of a message are encrypted over different groups. Hence it would be more difficult to break: each part needs to be decrypted, and various decryption techniques are needed.
Hierarchies: Different security levels can be maintained for general purposes. At the lower levels we assert that encryption-decryption is not so secure but is pretty fast. So there is a trade-off between security and computational speed/power/memory consumption (more generally, resources).
Noise: The actual message might be hidden in any arbitrary stratum of the hierarchy with a high level of security. The lower security levels, with breakable encryption, might encapsulate only noise or useless/misleading messages.
Random Allocation of Protocols
^ Assertions
Further Research Questions
Lattice Based Cryptography: Can Non-Associativity provide us with more secure Protocols? But will the Encryption be possible?
Group Based Cryptography: What exponent of Burnside Group would give us a totally secure system?
MOR Cryptosystem: Is it better than the El-Gamal Cryptosystem or the same?
References: Research Papers
[1] Constructions in Public Key Cryptography over Matrix Groups by D Grigoriev and I Ponomarenko, June 2005
[2] Anonymity and Rapid Mixing in Cryptographic Protocols by Mirosław Kutyłowski, WARTACRYPT (4th Central European Conference on Cryptology), 2004
[3] NNRU - A non-commutative analogue of NTRU by N Vats, IISc Bangalore, India
[4] Gröbner Bases for Public Key Cryptography by M Caboara, F Caruso and C Traverso; University of Pisa
[5] QTRU: Quaternionic Version of the NTRU Public-Key Cryptosystems by E Malekian, A Zakerolhosseini and A Mashatan; ISeCure (International Journal of Information Security), January 2011
[6] A New Non-Associative Cryptosystem Based on NTWO Public Key Cryptosystem and Octonions Algebra by K Bagheri and MR Sadeghi; Amirkabir University of Technology, Iran, 2012
[7] The Conjugacy Search Problem in Public Key Cryptography - Unnecessary and Insufficient by V Shpilrain and A Ushakov, The City College of New York
[8] Hardness of Learning Problems over Burnside Groups of Exponent 3 by N Fazio, K Igay, A Nicolosi, L Perret and WE Skeith III, Design Codes and Cryptography, April 2015
[9] The Generalized Word Problem for Braid Groups by E Feder, Kingsborough Community College
[10] On the Complexity of Braids by Ivan Dynnikov and Bert Wiest, Moscow State University
[11] MOR Cryptosystem and Extra Special p Groups by A Mahalanobis, IISER Pune, India, November 2011
[12] MOR Cryptosystem and Finite p Groups by A Mahalanobis, IISER Pune, India, September 2013
[13] Solving the enumeration and word problems on Coxeter groups by SLP Perez, GBL Morales and FDS Troncoso; 8th International Conference on Electrical Engineering, Computing Science and Automatic Control, Merida, Mexico, October 2011
References: Books
1. Algebraic Aspects of Cryptography by Neal Koblitz, Algorithms and Computation in Mathematics, First Edition, Springer
2. Introduction to Cryptography with Coding Theory by W Trappe and LC Washington, Second Edition, Prentice Education International
3. Linear Algebra by KM Hoffman and R Kunze, Second Edition, Prentice Hall
4. Topics in Theoretical Computer Science: An Algorithmist's Toolkit by Jonathan Kelner (MIT - OCW)
5. Group based Cryptography by A Myasnikov, V Shpilrain and A Ushakov, First Edition, CRM Barcelona, 2008
6. p-automorphisms of finite p-groups by EI Khukhro, First Edition, Cambridge University Press
7. Reflection groups and Coxeter Groups by JE Humphreys, First Edition, Cambridge University Press
8. Braid Groups by C Kassel and V Turaev, First Edition, Springer
9. Abstract Algebra by IN Herstein, Third Edition, Prentice Hall
10. Combinatorial Group Theory by RC Lyndon and PE Schupp, First Edition, Springer Verlag
Thank You
"Quis Custodiet Ipsos Custodes" ("Who will watch the watchmen") - Juvenal (128 AD)
Questions