Discrete logarithm problem for matrices over finite group rings - PowerPoint PPT Presentation



SLIDE 1

Discrete logarithm problem for matrices over finite group rings

Alex Myasnikov

Stevens Institute of Technology

SLIDE 2

Discrete logarithm problem.

  • The discrete logarithm problem (DLP) in a finite cyclic group $G$: for any pair $g, h \in G$ find a number $n \in \mathbb{N}$ satisfying $g^n = h$.
  • Diffie-Hellman (1976) key-exchange protocol is based on the assumption that DLP is hard in certain groups
  • Shor (1997) showed that DLP can be solved by a quantum algorithm in polynomial time in any finite field $\mathbb{F}_{p^s}$

SLIDE 3

Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.

  • D. Kahrobaei, C. Koupparis, and V. Shpilrain considered another variation of the DH key-exchange using the ring of $3 \times 3$ matrices over a group-ring $\mathbb{F}_7[S_5]$
  • Authors claim that the new scheme can withstand quantum algorithm attacks

SLIDE 4

Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.

  • $G = \{g_1, \ldots, g_k\}$ is a finite group and $R$ is a commutative ring. The group-ring $R[G]$ is the set of formal linear combinations of the $g_i$'s:

$$\sum_{i=1}^{k} a_i g_i, \qquad a_i \in R$$

  • Addition:

$$\sum_{i=1}^{k} a_i g_i + \sum_{i=1}^{k} b_i g_i = \sum_{i=1}^{k} (a_i + b_i)\, g_i$$

  • Multiplication:

$$\sum_{i=1}^{k} a_i g_i \cdot \sum_{i=1}^{k} b_i g_i = \sum_{i=1}^{k} \Big( \sum_{g_j g_k = g_i} a_j b_k \Big) g_i$$

Multiplication is not commutative unless $G$ is commutative.

SLIDE 5

Protocol by Kahrobaei et al.

  • $S_n$ - the group of permutations on $n$ elements.
  • $M_m(\mathbb{F}_p[S_n])$ is the ring of $m \times m$ matrices over the ring $\mathbb{F}_p[S_n]$.
  • 1. Choose a matrix $M \in M_3(\mathbb{F}_7[S_5])$.
  • 2. Alice chooses a random secret $a$ and sends $M^a$ to Bob.
  • 3. Bob chooses a random secret $b$ and sends $M^b$ to Alice.
  • 4. Alice receives $M^b$ and computes the shared key as $K = (M^b)^a$.
  • 5. Bob receives $M^a$ and computes the shared key as $K = (M^a)^b$.
SLIDE 6

Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.

  • Theorem. Let $G$ be a finite group and $p$ a prime number. The discrete logarithm problem in the ring $M_n(\mathbb{F}_{p^s}[G])$ can be solved using a quantum algorithm in (expected) polynomial time in $n$, $\log_2(p)$, $s$, $|G|$.
  • Corollary. Let $G$ be a finite group and $p$ a prime number. The discrete logarithm problem in the group-ring $\mathbb{F}_{p^s}[G]$ can be solved using a quantum algorithm in (expected) polynomial time in $\log_2(p)$, $s$, $|G|$.

SLIDE 7

Discrete logarithm problem in $M_n(\mathbb{F}_q[G])$.

Sketch of the proof:

  • 1. Reduce DLP in $M_n(\mathbb{F}_q[G])$ to DLP in $M_m(\mathbb{F}_q)$
  • 2. Reduce DLP in $M_m(\mathbb{F}_q)$ to DLP in some small extension fields of $\mathbb{F}_q$
  • 3. Apply Shor's quantum algorithm.
SLIDE 8

Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.

  • $G = \{g_1, \ldots, g_k\}$ and a commutative ring $R$.
  • $a \in R[G]$ and $a = \sum_{g \in G} a_g \cdot g$
  • Define a map $\mu : R[G] \to M_k(R)$ by $\mu(a) = M_a$ where:

$$M_a = \begin{pmatrix} a_{g_1 g_1^{-1}} & \ldots & a_{g_1 g_k^{-1}} \\ \vdots & \ddots & \vdots \\ a_{g_k g_1^{-1}} & \ldots & a_{g_k g_k^{-1}} \end{pmatrix}$$

SLIDE 9

Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.

  • Proposition. Map $\mu : a \mapsto M_a$ is a ring monomorphism.
  • $M_{a+b} = M_a + M_b$.
  • Show $M_{a \cdot b} = M_a \cdot M_b$:

$$(M_{a \cdot b})_{ij} = (a \cdot b)_{g_i g_j^{-1}} = \sum_{gh = g_i g_j^{-1}} a_g b_h = \sum_{m=1}^{k} a_{g_i g_m^{-1}}\, b_{g_m g_j^{-1}} = (M_a \cdot M_b)_{ij}$$

  • Map $a \mapsto M_a$ is a ring homomorphism.
  • $a$ can be recovered from $M_a$ $\Rightarrow$ $a \mapsto M_a$ is injective.
SLIDE 10

Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.

Define a map $\varphi : M_n(R[G]) \to M_{kn}(R)$:

$$A = \begin{pmatrix} a_{11} & \ldots & a_{1n} \\ \vdots & \ddots & \vdots \\ a_{n1} & \ldots & a_{nn} \end{pmatrix} \mapsto \begin{pmatrix} M_{a_{11}} & \ldots & M_{a_{1n}} \\ \vdots & \ddots & \vdots \\ M_{a_{n1}} & \ldots & M_{a_{nn}} \end{pmatrix} = A^*$$

SLIDE 11

Reduction $M_n(\mathbb{F}_q[G]) \to M_m(\mathbb{F}_q)$.

  • Proposition. Map $\varphi : M_n(R[G]) \to M_{nk}(R)$ given by $A \mapsto A^*$ is a ring monomorphism.
  • Let $A, B \in M_n(R[G])$.
  • $(A + B)^* = A^* + B^*$.
  • Using previous Proposition $A^* \cdot B^* = (AB)^*$:

$$\varphi(AB)_{ij} = \mu\Big(\sum_k a_{ik} b_{kj}\Big) = \sum_k \mu(a_{ik})\,\mu(b_{kj}) = (\varphi(A)\varphi(B))_{ij}$$

  • $\varphi$ is a homomorphism.
  • Easy to recover $A$ from $A^*$ $\Rightarrow$ $\varphi$ is injective.
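The two embeddings $\mu$ (slide 8) and $\varphi$ (slide 10), together with the group-ring arithmetic of slide 4 and the exchange of slide 5, worked through in code. This is an added example, not code from the slides or from the paper by Kahrobaei, Koupparis and Shpilrain; it uses $\mathbb{F}_7[S_3]$ (so $k = 6$ and $\varphi$ lands in $M_{6n}(\mathbb{F}_7)$) instead of the slides' $\mathbb{F}_7[S_5]$ so that everything runs in pure Python, and every function name is the example's own. `mu_is_multiplicative` checks $M_{a \cdot b} = M_a M_b$ (slide 9), `phi_is_multiplicative` checks $(AB)^* = A^* B^*$ (slide 11), and `key_exchange` runs the protocol of slide 5 and confirms that $\varphi$ carries the instance $(M, M^a)$ to $(M^*, (M^*)^a)$ with the same exponent, which is exactly why solving the DLP in $M_{kn}(\mathbb{F}_q)$ answers the original DLP.

```python
from itertools import permutations
import random

P = 7                                 # coefficient field F_7 (as on the slides)
DEG = 3                               # constructed: S_3 (k = 6); the slides use S_5 (k = 120)
G = sorted(permutations(range(DEG)))  # the group elements g_1, ..., g_k as tuples
K = len(G)
IDX = {g: i for i, g in enumerate(G)}
ONE = IDX[tuple(range(DEG))]          # index of the identity permutation

def pmul(g, h):                       # composition (g h)(i) = g(h(i))
    return tuple(g[h[i]] for i in range(DEG))

def pinv(g):
    inv = [0] * DEG
    for i, gi in enumerate(g):
        inv[gi] = i
    return tuple(inv)

# A group-ring element sum_i a_i g_i is a list of K coefficients mod P (slide 4).
def gr_rand(rng):
    return [rng.randrange(P) for _ in range(K)]

def gr_add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]

def gr_mul(a, b):
    # the coefficient of g_i in a*b is the sum of a_j b_k over all pairs with g_j g_k = g_i
    c = [0] * K
    for j, aj in enumerate(a):
        for k, bk in enumerate(b):
            i = IDX[pmul(G[j], G[k])]
            c[i] = (c[i] + aj * bk) % P
    return c

# Plain matrices over F_P, as lists of rows.
def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]

def mat_pow(A, e):
    R = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    while e:
        if e & 1: R = mat_mul(R, A)
        A, e = mat_mul(A, A), e >> 1
    return R

def mu(a):
    # M_a[i][j] = a_{g_i g_j^{-1}}, the matrix of slide 8
    return [[a[IDX[pmul(G[i], pinv(G[j]))]] for j in range(K)] for i in range(K)]

# Matrices over the group ring: n x n lists whose entries are coefficient lists.
def grmat_mul(A, B):
    n = len(A)
    out = [[[0] * K for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for t in range(n):
                out[i][j] = gr_add(out[i][j], gr_mul(A[i][t], B[t][j]))
    return out

def grmat_pow(A, e):
    n = len(A)
    R = [[[int(i == j and g == ONE) for g in range(K)] for j in range(n)] for i in range(n)]
    while e:
        if e & 1: R = grmat_mul(R, A)
        A, e = grmat_mul(A, A), e >> 1
    return R

def phi(A):
    # A^*: replace every entry a_ij by its K x K block M_{a_ij} (slide 10)
    n = len(A)
    out = [[0] * (n * K) for _ in range(n * K)]
    for bi in range(n):
        for bj in range(n):
            blk = mu(A[bi][bj])
            for i in range(K):
                out[bi * K + i][bj * K:(bj + 1) * K] = blk[i]
    return out

def mu_is_multiplicative(seed=1):
    # slide 9: M_{a.b} = M_a . M_b for random a, b in F_7[S_3]
    rng = random.Random(seed)
    a, b = gr_rand(rng), gr_rand(rng)
    return mu(gr_mul(a, b)) == mat_mul(mu(a), mu(b))

def phi_is_multiplicative(n=2, seed=2):
    # slide 11: (AB)^* = A^* B^* for random A, B in M_n(F_7[S_3])
    rng = random.Random(seed)
    A = [[gr_rand(rng) for _ in range(n)] for _ in range(n)]
    B = [[gr_rand(rng) for _ in range(n)] for _ in range(n)]
    return phi(grmat_mul(A, B)) == mat_mul(phi(A), phi(B))

def key_exchange(n=2, seed=3):
    # slide 5 with M in M_n(F_7[S_3]); also checks that phi maps (M, M^a) to (M^*, (M^*)^a)
    rng = random.Random(seed)
    M = [[gr_rand(rng) for _ in range(n)] for _ in range(n)]
    a, b = rng.randrange(2, 50), rng.randrange(2, 50)
    Ma, Mb = grmat_pow(M, a), grmat_pow(M, b)
    return grmat_pow(Mb, a) == grmat_pow(Ma, b), phi(Ma) == mat_pow(phi(M), a)
```

Setting `DEG = 5` reproduces the slides' $S_5$ with $k = 120$, so that for $n = 3$ the image $M^*$ is the $360 \times 360$ matrix over $\mathbb{F}_7$ of slide 17; the pure-Python products become slow, but nothing else in the code changes.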
SLIDE 12

DLP Reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.

  • Menezes-Wu (1997) reduced DLP in $GL_n(\mathbb{F}_q)$ to DLP in some small extension of $\mathbb{F}_q$
  • We need reduction for $M_n(\mathbb{F}_q)$ (i.e. include singular matrices)
  • There is a gap in the proposed reduction. It neglects computation of the order of certain elements in a finite field for which there is no deterministic polynomial time solution.

SLIDE 13

DLP Reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.

Goal: given $A \in GL_n(\mathbb{F}_q)$ and $B = A^k$ find $l \in \mathbb{N}$ such that $A^l = B$

  • Let $\lambda_1, \ldots, \lambda_s$ be eigenvalues of $A$
  • $Q^{-1} A Q = J_A = J(\lambda_1) \oplus \cdots \oplus J(\lambda_s)$ - Jordan form

Menezes-Wu: $\mathrm{ord}(A) = \mathrm{lcm}(\mathrm{ord}(\lambda_1), \ldots, \mathrm{ord}(\lambda_s)) \cdot p\{t\}$, where $t$ is the size of the largest Jordan block $J(\lambda_i)$

  • $A^l = Q J_A^l Q^{-1} = Q\big(J^l(\lambda_1) \oplus \cdots \oplus J^l(\lambda_s)\big) Q^{-1}$
  • Note that the first diagonal element of $J^l(\lambda_i)$ is $\lambda_i^l$
  • If we know $\lambda_i$ and $J^l(\lambda_i)$ then we can use DLP in $\mathbb{F}_q(\lambda_i)$ to find $l_i \equiv l \bmod \mathrm{ord}(\lambda_i)$
  • We compute $l \bmod \mathrm{ord}(A)$ (which uniquely defines $l$) using the generalized Chinese remainder theorem. Need to know $\mathrm{ord}(\lambda_i)$!

SLIDE 14

DLP Reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.

  • 1. Compute $p_A(x) = f_1^{e_1}(x) \cdots f_s^{e_s}(x)$
  • 2. Use small extensions $\mathbb{F}_q(\lambda_i)$ to find $\lambda_i$ separately.
  • 3. Describe the structure of the Jordan form for $A$.
  • 4. Use quantum computer to factor numbers $|\mathbb{F}_q(\lambda_i)^*| = q^{\deg(f_{\lambda_i})} - 1$. Given the factorization of $q^{\deg(f_{\lambda_i})} - 1$ compute $\mathrm{ord}(\lambda_i)$.
  • 5. Use quantum computer to solve the DLP in $\mathbb{F}_q(\lambda_i)$ for $(\lambda_i^l, \lambda_i)$. This gives $l_i \equiv l \bmod \mathrm{ord}(\lambda_i)$.
  • 6. Compute $j = l \bmod p\{t\}$ as described by Menezes and Wu
  • 7. Compute $l \bmod \mathrm{ord}(A)$ by solving:

$$l \equiv l_1 \bmod \mathrm{ord}(\lambda_1), \ \ldots, \ l \equiv l_s \bmod \mathrm{ord}(\lambda_s), \ l \equiv j \bmod p\{t\}$$

SLIDE 15

DLP Reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.

If $A$ is singular then $J_A = N \oplus Z$, where $N$ is a non-singular block and $Z$ is a singular block. Easy to see that $Z^r = 0$, where $r$ is the size of a largest singular Jordan block in $Z$. Then

$$A^r = S^{-1}(N \oplus Z)^r S = S^{-1}(N^r \oplus 0) S = S^{-1}(N^{r + \mathrm{ord}(N)} \oplus 0) S$$

  • $\mathrm{ord}(N)$ can be computed as in Menezes-Wu
  • $r$ is the size of a largest singular Jordan block.

SLIDE 16

DLP Reduction $M_n(\mathbb{F}_q) \to \mathbb{F}_q(\lambda)$.

To solve an instance $(A, B)$ of DLP in $M_n(\mathbb{F}_q)$:

  • 1. Describe the Jordan normal forms for $A$ and $B$.
  • 2. $N_A, N_B$ are non-singular blocks and $Z_A, Z_B$ are singular blocks. All described as direct sums of their Jordan blocks.
  • 3. Solve the DLP for $(N_A, N_B)$ and obtain the number $l'$ s.t. $N_B = N_A^{l'}$ and $l' \le \mathrm{ord}(N_A)$.
  • 4. If $l' \ge r$, then $l'$ is the solution because $Z_A^{l'} = Z_B^{l'} = 0$:

$$B = S^{-1}(N_B \oplus Z_B) S = S^{-1}(N_A^{l'} \oplus 0) S = S^{-1}(N_A^{l'} \oplus Z_A^{l'}) S = A^{l'}$$

  • 5. If $l' < r$, then the solution must belong to the set $\{\, l' + c \cdot \mathrm{ord}(N_A) \mid c \in \mathbb{N} \cup \{0\},\ l' + (c - 1) \cdot \mathrm{ord}(N_A) \le r \,\}$, which contains no more than $n$ numbers.
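Steps 2 to 5 of the singular case, as an added example that is not part of the slides. It works over $\mathbb{F}_5$ with the Jordan data of $A$ taken as given (the non-singular block $N$, the nilpotent block $Z$, and $S$ with $A = S^{-1}(N \oplus Z) S$), so step 1 is assumed already done, and the DLP in the non-singular part is solved by brute force in place of the Menezes-Wu reduction and the quantum step; `order`, `nilpotency_index`, `solve_singular_dlp` and the instance `N0, Z0, S0` are all constructed here. The chosen $N$ has the single eigenvalue $3$ in one Jordan block of size $t = 2$, so the Menezes-Wu formula of slide 13 gives $\mathrm{ord}(N) = \mathrm{ord}(3) \cdot 5 = 4 \cdot 5 = 20$ (reading the slides' $p\{t\}$ as the least power of $p$ that is at least $t$, which is $5$ here; that reading is ours), and the brute-force `order` agrees. With $k = 22$ the exponent found in the non-singular part is $l' = 2 < r = 3$, so step 5 has to try the candidate set $\{2, 22\}$.

```python
P = 5                                  # constructed example over F_5

def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_pow(A, e):
    R = identity(len(A))
    while e:
        if e & 1: R = mat_mul(R, A)
        A, e = mat_mul(A, A), e >> 1
    return R

def mat_inv(M):
    # Gauss-Jordan elimination over F_P; raises StopIteration if M is singular
    n, I = len(M), identity(len(M))
    aug = [row[:] + I[i] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, P)
        aug[c] = [x * inv % P for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def block_diag(N, Z):                  # N (+) Z
    n, m = len(N), len(Z)
    J = [[0] * (n + m) for _ in range(n + m)]
    for i in range(n): J[i][:n] = N[i]
    for i in range(m): J[n + i][n:] = Z[i]
    return J

def field_order(x):
    # multiplicative order of x in F_P^*, the per-eigenvalue quantity Menezes-Wu need
    y, e = x % P, 1
    while y != 1:
        y, e = y * x % P, e + 1
    return e

def order(N):
    # ord(N) by brute force; stands in for the Menezes-Wu formula of slide 13
    I, X, e = identity(len(N)), N, 1
    while X != I:
        X, e = mat_mul(X, N), e + 1
    return e

def nilpotency_index(Z):
    # smallest r with Z^r = 0, i.e. the size of the largest singular Jordan block
    X, r = Z, 1
    while any(any(row) for row in X):
        X, r = mat_mul(X, Z), r + 1
    return r

def make_instance(N, Z, S, k):
    A = mat_mul(mat_mul(mat_inv(S), block_diag(N, Z)), S)
    return A, mat_pow(A, k)

def solve_singular_dlp(N, Z, S, B):
    n = len(N)
    A = mat_mul(mat_mul(mat_inv(S), block_diag(N, Z)), S)
    JB = mat_mul(mat_mul(S, B), mat_inv(S))     # step 2: S B S^{-1} = N_B (+) Z_B
    NB = [row[:n] for row in JB[:n]]
    o = order(N)                                 # step 3: 1 <= l' <= ord(N_A), brute force
    lp = next(e for e in range(1, o + 1) if mat_pow(N, e) == NB)
    r = nilpotency_index(Z)
    if lp >= r:                                  # step 4: Z_A^{l'} already vanishes
        return lp
    c = 0                                        # step 5: at most n candidates to test
    while lp + (c - 1) * o <= r:
        if mat_pow(A, lp + c * o) == B:
            return lp + c * o
        c += 1
    return None

# Constructed instance: N has eigenvalue 3 in a Jordan block of size 2 (ord(N) = 20),
# Z is the 3 x 3 nilpotent Jordan block (r = 3), S is unit upper triangular.
N0 = [[0, 1], [1, 1]]
Z0 = [[0, 1, 0], [0, 0, 1], [0, 0, 0]]
S0 = [[1, 2, 0, 0, 1], [0, 1, 3, 0, 0], [0, 0, 1, 1, 0], [0, 0, 0, 1, 4], [0, 0, 0, 0, 1]]

def demo(k=22):
    A, B = make_instance(N0, Z0, S0, k)
    l = solve_singular_dlp(N0, Z0, S0, B)
    return l, mat_pow(A, l) == B
```

`demo(22)` returns `(22, True)`: the first candidate $2$ is rejected because $Z^2 \neq 0$ while $Z_B = Z^{22} = 0$, and $22$ is accepted. For `demo(7)` the non-singular part already gives $l' = 7 \ge r$ and step 4 returns at once. Any exponent the solver returns is a valid solution even when it differs from the $k$ used to build the instance, since $A^{k}$ only depends on $k \bmod \mathrm{ord}(N)$ once $k \ge r$.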

SLIDE 17

Protocol by Kahrobaei et al.

  • Let $M \in M_3(\mathbb{F}_7[S_5])$ and $a$ is secret
  • To solve DLP instance $(M, M^a)$:
  • 1. Reduce DLP in $M_3(\mathbb{F}_7[S_5])$ to DLP in $M_{360}(\mathbb{F}_7)$: $(M, M^a) \to (\varphi(M), \varphi(M^a))$
  • 2. Further reduce DLP $(\varphi(M), \varphi(M^a))$ to a problem in some extension of $\mathbb{F}_7$
  • 3. Apply quantum algorithm

SLIDE 18

Protocol by Kahrobaei et al.

  • 30% of randomly uniformly generated matrices $M \in M_3(\mathbb{F}_7[S_5])$ have $M^* \in GL_{360}(\mathbb{F}_7)$.
  • This means that 30% of instances of DLP in $M_3(\mathbb{F}_7[S_5])$ reduce to an invertible matrix over $\mathbb{F}_7$ and the fixed Menezes-Wu reduction works for them.
  • 70% of the instances require the generalized technique