Search Problems in Groups (PowerPoint presentation)


slide-1
SLIDE 1

Search Problems in Groups

Pavel Morar

Stevens Institute of Technology

Geometric and Asymptotic Group Theory with Applications, May 30, 2013 Joint work with Sasha Ushakov

slide-2
SLIDE 2

Wagner-Magyarik Public Key Cryptosystem (1984)

Private key: a finite group presentation $G' = \langle X \mid R \cup S \rangle$ that has a polynomial time algorithm A to solve the Word Problem for it.

Public key: a finite group presentation $G = \langle X \mid R \rangle$ with a hard Word Problem, and two words $w_0, w_1$ not equivalent in $G'$.

Encryption of a bit $i \in \{0, 1\}$: rewrite $w_i$ randomly, applying a number of elementary transformations corresponding to G.

Decryption of w: run algorithm A to decide which of $w w_0^{-1}$ and $w w_1^{-1}$ is the identity in $G'$ (A decides equality in $G'$; the word rewritten from $w_i$ stays equal to $w_i$ in G and hence in $G'$, while $w_0 \neq w_1$ in $G'$ rules out the other candidate).

slide-3
SLIDE 3

Elementary Transformations of a word w for $G = \langle X \mid R \rangle$

(T1) Insertion of $r \in R$ (or $r^{-1}$), or of a word of the form $x_i x_i^{-1}$ (or $x_i^{-1} x_i$) for $x_i \in X$, at any position of w.

(T2) Deletion from w of a subword of the form $r \in R$ (or $r^{-1}$), or $x_i x_i^{-1}$ (or $x_i^{-1} x_i$) for $x_i \in X$.

slide-4
SLIDE 4

Word Problems

Word problem: decide if a word $w \in (X^{\pm})^*$ represents the identity of G.

Word Choice problem: given two words $w_0, w_1 \in (X^{\pm})^*$ and a word $w \in (X^{\pm})^*$ equivalent to either $w_0$ or $w_1$, decide if w is equivalent to $w_0$ in G. The Wagner-Magyarik PKC is based on the Word Choice problem rather than on the Word Problem [Birget, Magliveras, Sramka].

Word Search problem: given a word $w \in (X^{\pm})^*$ such that $w =_G 1$, find a witness that it is really the identity in G. An example of a witness for the Word Search problem is a decomposition

$$w = \prod_{i=1}^{n} u_i^{-1} r_i^{\varepsilon_i} u_i, \qquad r_i \in R,\ u_i \in F(X),\ \varepsilon_i \in \{-1, 1\},$$

the equality holding in the free group $F(X)$.

slide-5
SLIDE 5

Analysis of Wagner-Magyarik PKC

González Vasco, M. I. and Steinwandt, R., A Reaction Attack on a Public Key Cryptosystem Based on the Word Problem, Applicable Algebra in Engineering, Communication and Computing, 14(5): 335-340, 2004.

Birget, J.-C., Magliveras, S. and Sramka, M., On public-key cryptosystems based on combinatorial group theory, Tatra Mountains Mathematical Publications, 33, 2006.

Levy-dit-Vehel, F. and Perret, L., On the Wagner-Magyarik Cryptosystem, Coding and Cryptography, Lecture Notes in Computer Science, 3969: 316-329, 2006.

Levy-dit-Vehel, F. and Perret, L., Security analysis of word problem-based cryptosystems, Designs, Codes and Cryptography, 54(1): 29-41, 2010.

slide-6
SLIDE 6

Our Motivation

Question

Given a finite group presentation, how can one sample words equivalent to a given one so that checking their equivalence is hard?

slide-7
SLIDE 7

Generation of Random Identities

Fix a finite presentation $G = \langle X \mid R \rangle$ and define

$$I(G) = \{\, x_i x_i^{-1},\ x_i^{-1} x_i \mid x_i \in X \,\} \cup \{\, r,\ r^{-1} \mid r \in R \,\}.$$

Algorithm

Input: an integer N > 0. Output: an identity w.

1: Start with $w_0 = \varepsilon$
2: for n = 1 to N do
3:   Insert a uniformly random element of I(G) into a uniformly random position of $w_{n-1}$ to get $w_n$
4: end for
5: return $w_N$.
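The scheme of slides 2-3, the generator of this slide (and of slide 33, which only changes the starting word) and the witness of slide 4, as one added Python example that is not the authors' code. Words over X = {a, b} are lists of signed integers. The generator records, for every relator insertion after a prefix u, the conjugate $u\,r\,u^{-1}$ (the slide's $u_i^{-1} r_i^{\varepsilon_i} u_i$ with $u_i = u^{-1}$), so the party that ran the generator already holds a Word Search witness, and `verify_witness` checks such a witness by free reduction. `replay_slides` re-runs the N = 5 example of slides 8-14 with the insertion positions read off the slides. The Wagner-Magyarik instance at the end is a constructed toy: $G = \langle a, b \mid aba^{-1}b^{-1} \rangle$ has an easy word problem, so it illustrates the mechanics of encryption and decryption, not a secure parameter choice; the function names, the seeds and the free reduction of the ciphertext are assumptions of this example.

```python
"""Toy Wagner-Magyarik encryption/decryption (slides 2-3), the random
identity / equal-words generator (slides 7 and 33) and a Word Search witness
check (slide 4).  Added example, not the authors' code.  Words over
X = {a, b} are lists of nonzero ints: 1 = a, -1 = a^-1, 2 = b, -2 = b^-1."""
import random

A, B = 1, 2

def inverse(w):
    return [-x for x in reversed(w)]

def free_reduce(w):
    """Delete adjacent x x^-1 pairs until none remain (T2 on trivial subwords)."""
    out = []
    for x in w:
        if out and out[-1] == -x:
            out.pop()
        else:
            out.append(x)
    return out

def identity_set(gens, relators):
    """I(G) = { x x^-1, x^-1 x | x in X } u { r, r^-1 | r in R }."""
    items = [[x, -x] for x in gens] + [[-x, x] for x in gens]
    return items + [list(r) for r in relators] + [inverse(r) for r in relators]

def insert_piece(w, conjugates, piece, pos):
    """One T1 step: w = u v  ->  u piece v.  In F(X), u piece v = (u piece u^-1) u v,
    so the conjugate u piece u^-1 is recorded as one factor of the witness;
    freely trivial pieces x x^-1 contribute nothing and are skipped."""
    u = w[:pos]
    if free_reduce(piece):
        conjugates.append(u + piece + inverse(u))
    return u + piece + w[pos:]

def random_rewrite(start, gens, relators, n_steps, rng):
    """Generator of slides 7/33: N times insert a uniformly random element of
    I(G) at a uniformly random position.  Returns (w_N, [c_1, ..., c_m]) with
    w_N = c_m ... c_1 start in F(X) (latest insertion leftmost)."""
    w, conjugates = list(start), []
    items = identity_set(gens, relators)
    for _ in range(n_steps):
        w = insert_piece(w, conjugates, rng.choice(items), rng.randint(0, len(w)))
    return w, conjugates

def verify_witness(w, start, conjugates):
    """Word Search check: a witness is verified by free reduction in linear
    time; producing one from w alone is the hard direction."""
    product = []
    for c in reversed(conjugates):
        product += c
    return free_reduce(product + list(start)) == free_reduce(w)

def replay_slides():
    """The run shown on slides 8-14 for G = <a, b | a^5, b^3, b^2 a>, N = 5,
    with the five insertion positions read off the slides."""
    w, conjugates = [], []
    steps = [([A, -A], 0), ([B, B, B], 2), ([A] * 5, 2), ([-A, -B, -B], 4), ([-B, B], 9)]
    for piece, pos in steps:
        w = insert_piece(w, conjugates, piece, pos)
    return w, conjugates

# Toy Wagner-Magyarik instance, constructed for this example.  G = Z^2 has an
# EASY word problem, so this shows the mechanics only, not a secure instance.
PUBLIC_R = [[A, B, -A, -B]]       # R = {a b a^-1 b^-1}: G = <a, b | R> = Z^2
PRIVATE_S = [[A, A], [B, B]]      # S = {a^2, b^2}: G' = <a, b | R u S> = Z/2 x Z/2
W0, W1 = [A], [B]                 # a and b are different elements of G'

def private_word_problem(w):
    """Algorithm A for G' = Z/2 x Z/2: trivial iff both exponent sums are even
    (the rule that the relators R u S, with PRIVATE_S, impose in this toy)."""
    ea = sum((x > 0) - (x < 0) for x in w if abs(x) == A)
    eb = sum((x > 0) - (x < 0) for x in w if abs(x) == B)
    return ea % 2 == 0 and eb % 2 == 0

def wm_encrypt(bit, n_steps, rng):
    """Rewrite w_bit by N random T1 insertions for G, then freely reduce."""
    w, _ = random_rewrite((W0, W1)[bit], (A, B), PUBLIC_R, n_steps, rng)
    return free_reduce(w)

def wm_decrypt(cipher):
    """Run A on cipher w0^-1 and cipher w1^-1; exactly one is trivial in G'."""
    is0 = private_word_problem(cipher + inverse(W0))
    is1 = private_word_problem(cipher + inverse(W1))
    if is0 == is1:
        raise ValueError("ciphertext matches neither or both plaintext words")
    return 0 if is0 else 1

def roundtrip(bit, seed, n_steps=30):
    """Encrypt then decrypt one bit with a seeded generator."""
    return wm_decrypt(wm_encrypt(bit, n_steps, random.Random(seed)))

if __name__ == "__main__":
    w, conj = replay_slides()
    print("w =", free_reduce(w), "witness ok:", verify_witness(w, [], conj))
    print([roundtrip(b, 2013) for b in (0, 1)])
```

Decryption needs only algorithm A for $G'$ (here: exponent sums mod 2), never the insertion history; an attacker without A faces the Word Choice problem in G, which this toy G does not make hard. Note the asymmetry the talk is about: `verify_witness` confirms a given witness in linear time, while the generator's list of conjugates is exactly what the Word Search problem asks to recover from w alone.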

slide-8
SLIDE 8

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_0 = \varepsilon$

slide-9
SLIDE 9

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_1 = a a^{-1}$

slide-10
SLIDE 10

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_2 = a a^{-1} b b b$

slide-11
SLIDE 11

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_3 = a a^{-1} a a a a a b b b$

slide-12
SLIDE 12

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_4 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a a b b b$

slide-13
SLIDE 13

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_5 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a b^{-1} b a b b b$

slide-14
SLIDE 14

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w = w_5 = a b^{-1} b^{-1} a^3 b^3$ (after free reduction)

slide-15
SLIDE 15

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_0 = \varepsilon$. van Kampen diagram (figure).

slide-16
SLIDE 16

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_1 = a a^{-1}$. van Kampen diagram (figure).
slide-17
SLIDE 17

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_2 = a a^{-1} b b b$. van Kampen diagram (figure).
slide-18
SLIDE 18

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_3 = a a^{-1} a a a a a b b b$. van Kampen diagram (figure).
slide-19
SLIDE 19

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_4 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a a b b b$. van Kampen diagram (figure).
slide-20
SLIDE 20

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_5 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a b^{-1} b a b b b$. van Kampen diagram (figure).
slide-21
SLIDE 21

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w = w_5 = a b^{-1} b^{-1} a^3 b^3$. van Kampen diagram (figure).
slide-22
SLIDE 22

Measure of Complexity - Depth

Definition (Depth of a van Kampen diagram)

The maximum, over all vertices of the diagram, of the distance from the vertex to the boundary.

Example: $G = \langle a, b \mid a b a^{-1} b^{-1} \rangle$, a diagram of depth 3 (figure).

  • It follows from [1] that if w has a diagram with O(log N) depth, then there is a Poly(N) algorithm to check that it is the identity, which also provides a witness (a solution to the Word Search Problem).

  • [1] A. Myasnikov, A. Ushakov, Random van Kampen diagrams and algorithmic problems in groups, Groups - Complexity - Cryptology, Volume 3, Issue 1, 2011.

slide-23
SLIDE 23

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_0 = \varepsilon$. van Kampen diagram and its tree (figure).
slide-24
SLIDE 24

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_1 = a a^{-1}$. van Kampen diagram and its tree (figure).
slide-25
SLIDE 25

Example

G =

  • a, b | a5, b3, b2a
  • , N = 5.

w2 = aa−1bbb van Kampen Diagram

  • a
  • b
  • b
  • b
  • Tree
slide-26
SLIDE 26

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_3 = a a^{-1} a a a a a b b b$. van Kampen diagram and its tree (figure).
slide-27
SLIDE 27

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_4 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a a b b b$. van Kampen diagram and its tree (figure).
slide-28
SLIDE 28

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w_5 = a a^{-1} a a a^{-1} b^{-1} b^{-1} a a b^{-1} b a b b b$. van Kampen diagram and its tree (figure).
slide-29
SLIDE 29

Example

$G = \langle a, b \mid a^5, b^3, b^2 a \rangle$, N = 5.

$w = w_5 = a b^{-1} b^{-1} a^3 b^3$. van Kampen diagram D and its tree T (figure).
slide-30
SLIDE 30

Bound on Diagram Depth

Suppose w is the word produced by the algorithm after N steps, D the corresponding diagram, T the corresponding tree.

Lemma

depth(D) ≤ 2 height(T)

slide-31
SLIDE 31

Random Tree Height

We use the theory of Crump-Mode-Jagers branching processes and random trees (Crump, Mode, Jagers, Kingman, Biggins, Pittel, Grey, etc) to show that the height of the tree T is O(log N) with probability 1 as N → ∞.

Theorem

We have $\operatorname{depth}(D) / \log N \le C < \infty$ with probability 1 as $N \to \infty$, where C = C(G).

slide-32
SLIDE 32

Result

Theorem

There is an algorithm that, for almost all words produced by the generator as N → ∞, checks in time polynomial in N that the word is an identity in G.

slide-33
SLIDE 33

Generation of Random Equal Words

Just start with a word w′ instead of the identity.

Algorithm

Input: an integer N > 0, a word w′. Output: a word w equivalent to w′ in G.

1: Start with $w_0 = w'$.
2: for n = 1 to N do
3:   Insert a uniformly random element of I(G) into a uniformly random position of $w_{n-1}$ to get $w_n$.
4: end for
5: return $w_N$.

Theorem

There is an algorithm that, for almost all words produced by the equal-words generator as N → ∞, checks in time polynomial in N that the word is equal to w′ in G.

slide-34
SLIDE 34

Other Dehn Problems

Conjugacy problem: decide if given words $u, v \in (X^{\pm})^*$ represent conjugate elements of G, i.e., if there exists $x \in G$ such that $u =_G v^x$.

Uniform Subgroup Membership problem: given a tuple of words $h_1, \dots, h_k, h$, decide if h represents an element of $\langle h_1, \dots, h_k \rangle$, i.e., if $h =_G h_{i_1}^{\varepsilon_1} \cdots h_{i_m}^{\varepsilon_m}$ for some $1 \le i_j \le k$ and $\varepsilon_j = \pm 1$.

It is possible to define conjugacy-based or membership-based versions of the Wagner-Magyarik PKC.

slide-35
SLIDE 35

Generation of Random Conjugate

Fix a finite group presentation $G = \langle X \mid R \rangle$.

Algorithm

Input: N > 0, a word w′. Output: a word w conjugate to w′.

1: Generate u equal to w′ using the algorithm for equal words.
2: return the cyclic reduction of a random cyclic permutation of u.

slide-36
SLIDE 36

Generation of Random Subgroup Word

Fix a finite generating set $H = \{h_1, \dots, h_k\}$ of a subgroup H of a finite group presentation $\langle X \mid R \rangle$.

Algorithm

Input: N > 0, a probability p. Output: a word w ∈ F(X) representing an element of H.

1: Start with $w_0 = \varepsilon$.
2: for n = 1 to N do
3:   With probability p concatenate a random element of $H^{\pm}$ to the end of $w_{n-1}$; otherwise insert a uniformly random element of I(G) into a uniformly random position of $w_{n-1}$. The result is $w_n$.
4: end for
5: return $w_N$.
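The two generators of slides 35 and 36 as an added Python example that is not the authors' code, written so that each generator also returns the witness it learns on the way: for the conjugate generator the conjugator x with $v = x^{-1} u x$ in F(X) (hence $v =_G x^{-1} w' x$), obtained from the cyclic permutation and the letters peeled off by cyclic reduction; for the subgroup-word generator the list of $h_i^{\pm 1}$ that were appended, i.e. the expression $h_{i_1}^{\varepsilon_1} \cdots h_{i_m}^{\varepsilon_m}$. The group $G = \langle a, b \mid aba^{-1}b^{-1} \rangle$ (the free abelian group Z²), the subgroup $H = \langle a^2, b^3 \rangle$, the seeds and all function names are constructed choices for this example; in Z² exponent sums decide equality, conjugacy and membership, which is what makes the outputs checkable here.

```python
"""Random conjugates (slide 35) and random subgroup words (slide 36), each
returned with the witness the generator learns for free: the conjugator x,
and the expression in h_1..h_k.  Added example, not the authors' code; the
group, subgroup and seeds are constructed toy choices.
Words: 1 = a, -1 = a^-1, 2 = b, -2 = b^-1."""
import random

A, B = 1, 2
GENS = (A, B)
# Toy G = <a, b | a b a^-1 b^-1> = Z^2: exponent sums decide the word,
# conjugacy and membership problems, so the results can be checked.
RELATORS = [[A, B, -A, -B]]
H = ([A, A], [B, B, B])            # subgroup H = <a^2, b^3>

def inverse(w):
    return [-x for x in reversed(w)]

def free_reduce(w):
    out = []
    for x in w:
        if out and out[-1] == -x:
            out.pop()
        else:
            out.append(x)
    return out

def identity_set(gens, relators):
    """I(G) = { x x^-1, x^-1 x | x in X } u { r, r^-1 | r in R }."""
    items = [[x, -x] for x in gens] + [[-x, x] for x in gens]
    return items + [list(r) for r in relators] + [inverse(r) for r in relators]

def random_insert(w, items, rng):
    """One step of the equal-words generator: insert a random element of I(G)."""
    pos = rng.randint(0, len(w))
    return w[:pos] + rng.choice(items) + w[pos:]

def cyclic_reduce(w):
    """Freely reduce, then peel matching x ... x^-1 off the ends.
    Returns (v, c) with w = c v c^-1 in F(X)."""
    v, c = free_reduce(w), []
    while len(v) >= 2 and v[0] == -v[-1]:
        c.append(v[0])
        v = v[1:-1]
    return v, c

def random_conjugate(w0, relators, n_steps, rng):
    """Slide 35: cyclic reduction of a random cyclic permutation of a word u
    equal to w0.  Returns (v, x, u) with v = x^-1 u x in F(X), so that
    v = x^-1 w0 x in G: x is a Conjugacy Search witness."""
    items = identity_set(GENS, relators)
    u = list(w0)
    for _ in range(n_steps):
        u = random_insert(u, items, rng)
    k = rng.randint(0, len(u))
    p = u[:k]                           # u = p q, and q p = p^-1 u p
    v, c = cyclic_reduce(u[k:] + p)     # q p = c v c^-1, so v = c^-1 (q p) c
    return v, free_reduce(p + c), u     # x = p c

def random_subgroup_word(hgens, relators, p, n_steps, rng):
    """Slide 36: with probability p append a random h in H^{+-1}, otherwise
    insert a random element of I(G).  Returns (w, expr), expr being the list
    of (index, sign) appended, so w = h_{i_1}^{e_1} ... h_{i_m}^{e_m} in G."""
    items = identity_set(GENS, relators)
    w, expr = [], []
    for _ in range(n_steps):
        if rng.random() < p:
            i, e = rng.randrange(len(hgens)), rng.choice((1, -1))
            w = w + (list(hgens[i]) if e == 1 else inverse(hgens[i]))
            expr.append((i, e))
        else:
            w = random_insert(w, items, rng)
    return w, expr

def expand(hgens, expr):
    """The word h_{i_1}^{e_1} ... h_{i_m}^{e_m} named by a recorded expression."""
    out = []
    for i, e in expr:
        out += list(hgens[i]) if e == 1 else inverse(hgens[i])
    return out

def exponent_sums(w):
    """Abelianisation (a-exponent, b-exponent): equality in the toy G = Z^2."""
    return (sum((x > 0) - (x < 0) for x in w if abs(x) == A),
            sum((x > 0) - (x < 0) for x in w if abs(x) == B))

def conjugate_sample(seed, w0=(A, B, B), n_steps=20):
    return random_conjugate(list(w0), RELATORS, n_steps, random.Random(seed))

def subgroup_sample(seed, p=0.5, n_steps=30):
    return random_subgroup_word(H, RELATORS, p, n_steps, random.Random(seed))

if __name__ == "__main__":
    v, x, u = conjugate_sample(7)
    print("conjugate:", v, "conjugator:", x,
          "free check:", free_reduce(inverse(x) + u + x) == v)
    w, expr = subgroup_sample(7)
    print("exponents of w:", exponent_sums(w), "of expression:", exponent_sums(expand(H, expr)))
```

Both witnesses come from bookkeeping the generator does anyway, which is the point the theorems on the next slide make from the other side: for almost all outputs the witness can also be recovered from the output alone in polynomial time. The conjugator check $x^{-1} u x = v$ holds in the free group and so is independent of the toy choice of G; only the exponent-sum checks rely on G being abelian.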

slide-37
SLIDE 37

Random Conjugates and Random Subgroup Words

Theorem

There is an algorithm that, for almost all words produced by the conjugates generator as N → ∞, checks in time polynomial in N that the word is conjugate to w′ in G.

Theorem

There is an algorithm that, for almost all words produced by the subgroup elements generator as N → ∞, checks in time polynomial in N that the word represents an element of H.

slide-38
SLIDE 38

Thank you!