Università degli Studi dell'Aquila Dipartimento di Ingegneria e Scienze dell'Informazione e Matematica Cryptographic Hierarchies - An Approach Ankan Pal work done under the supervision of Prof N Gavioli BunnyTN 7 Trento, November 16, 2016

Page 1: BunnyTN 7 - UniTrentosala/events2016/AnkanPal-BunnyTN7.pdf · 1. Algebraic Aspects of Cryptography by Neal Koblitz, Algorithms and Computation in Mathematics, First Edition, Springer

Università degli Studi dell'Aquila Dipartimento di Ingegneria e Scienze dell'Informazione e Matematica

Cryptographic Hierarchies - An Approach

Ankan Pal

work done under the supervision of Prof N Gavioli

BunnyTN 7 Trento, November 16, 2016

Page 2:

Flow

Lattice Based Cryptography

Group Based Cryptography

p-Group Based Cryptography

"Fully Secure Systems do not exist today and they would not Exist in the Future..." - Adi Shamir

Page 3:

Idea[1]

We take a single encryption technique and ask whether different security levels can be achieved by varying the underlying algebraic structure while the encryption technique itself stays the same. In each case the attacker's task is to solve the same Problem X, but its hardness depends on the structure:

• Algebraic Structure 1: Security Level - High (Solve Problem X)

• Algebraic Structure 2: Security Level - Medium (Solve Problem X)

• Algebraic Structure 3: Security Level - Low (Solve Problem X)

Page 4:

A V-Shaped Hierarchy

Along with the varying complexities of the created hierarchy, there is also a difference in the type of attack and in encryption-decryption speed. Hence, we propose a V-shaped hierarchy (in every case the attacker must solve Problem X):

• Algebraic Structure 4: Security Level – High; Speed - Low (Solve Problem X)

• Algebraic Structure 3: Security Level – Medium; Linear Attack is ineffective (Solve Problem X)

• Algebraic Structure 1: Security Level – Low (Solve Problem X)

• Algebraic Structure 2: Security Level – Medium; Type of Attack – Linear (Solve Problem X)

• Algebraic Structure 5: Security Level – High; Speed - Medium (Solve Problem X)

Page 5:

Lattice Based Cryptography

Page 6:

NTRU

Key Generation

Objective: Alice wants to send a message to Bob, so Bob needs to set up his public key

1) He chooses three integers N,p,q with the requirements that gcd(p, q) = 1 and that p << q.

2) Bob then chooses two secret polynomials f and g.

3) f should be invertible mod p and mod q, which means that there exist polynomials Fp and Fq of degree less than N such that:

Fp * f ≡ e (mod p)

Fq * f ≡ e (mod q)

4) Bob calculates h = Fq * g (mod q)

5) Bob’s public key is (N,p,q,h)

6) Bob’s private key is f

Page 7:

NTRU

Encryption

Alice represents the message, by some prearranged procedure, as a polynomial m of degree less than N. Alice then chooses a polynomial Ф and computes:

c ≡ p Ф * h + m (mod q)

Decryption

Bob decrypts by first computing a ≡ f * c (mod q), then (usually) recovering the message as

m ≡ Fp * a (mod p)
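The six key-generation steps and the encryption and decryption formulas above, as an added toy implementation over Z[x]/(x^N - 1); this is not code from the slides or from any NTRU library. It assumes constructed parameters N = 11, p = 3, q = 53 (q prime here so one inversion routine serves for both Fp and Fq, whereas the slide only requires gcd(p, q) = 1 and p << q), and all function names are mine; the centre-lift in decrypt is the step behind the slide's "(usually)".

```python
import random

N, p, q = 11, 3, 53   # constructed toy parameters: gcd(p, q) = 1 and p << q; both prime here

def mul(a, b, r):
    """Cyclic convolution a*b in Z_r[x]/(x^N - 1); coefficient lists, low degree first."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % r
    return c

def invert(f, r):
    """F with F*f = e in Z_r[x]/(x^N - 1), by Gauss-Jordan on the circulant system (r prime)."""
    A = [[f[(k - i) % N] % r for i in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((i for i in range(col, N) if A[i][col]), None)
        if piv is None: return None               # f is not a unit mod r; step 3 fails
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, r)
        A[col] = [x * inv % r for x in A[col]]
        for i in range(N):
            if i != col and A[i][col]:
                A[i] = [(x - A[i][col] * y) % r for x, y in zip(A[i], A[col])]
    return [row[N] for row in A]

def small_poly(ones, neg_ones):
    """Random ternary polynomial with the given numbers of +1 and -1 coefficients."""
    return random.sample([1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones), N)
def centre(a, r):
    """Lift coefficients from Z_r to the symmetric range [-r//2, r//2]."""
    return [((x + r // 2) % r) - r // 2 for x in a]

def keygen(d=3):
    """Steps 2-6: small f, g with f invertible mod p and mod q; h = Fq*g (mod q)."""
    while True:
        f, g = small_poly(d + 1, d), small_poly(d, d)   # f(1) != 0, else f is never a unit
        Fp, Fq = invert(f, p), invert(f, q)
        if Fp is not None and Fq is not None:
            return (N, p, q, mul(Fq, g, q)), (f, Fp)

def encrypt(pub, m):
    """c = p*phi*h + m (mod q) for a fresh random small phi."""
    _, p_, q_, h = pub
    return [(x + y) % q_ for x, y in zip(mul([p_ * t for t in small_poly(2, 2)], h, q_), m)]

def decrypt(priv, c):
    """a = f*c (mod q) centre-lifted, then m = Fp*a (mod p); exact while |p*phi*g + f*m| < q/2."""
    f, Fp = priv
    a = centre(mul(f, c, q), q)
    return centre(mul(Fp, a, p), p)
```

With these sizes every coefficient of p*phi*g + f*m is at most 19 < q/2, which is why the lift in decrypt recovers m exactly.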

Page 8:

A Short Detour to Algebra using Quaternions and Octonions

Quaternion multiplication table (row = left factor, column = right factor):

  *  |  e   i   j   k
-----+----------------
  e  |  e   i   j   k
  i  |  i  −e   k  −j
  j  |  j  −k  −e   i
  k  |  k   j  −i  −e

Octonion multiplication table (row = left factor, column = right factor):

  *  |  e0   e1   e2   e3   e4   e5   e6   e7
-----+----------------------------------------
 e0  |  e0   e1   e2   e3   e4   e5   e6   e7
 e1  |  e1  −e0   e3  −e2   e5  −e4  −e7   e6
 e2  |  e2  −e3  −e0   e1   e6   e7  −e4  −e5
 e3  |  e3   e2  −e1  −e0   e7  −e6   e5  −e4
 e4  |  e4  −e5  −e6  −e7  −e0   e1   e2   e3
 e5  |  e5   e4  −e7   e6  −e1  −e0  −e3   e2
 e6  |  e6   e7   e4  −e5  −e2   e3  −e0  −e1
 e7  |  e7  −e6   e5   e4  −e3  −e2   e1  −e0

Page 9:

Lattice Methods*

Lattice methods are quantum resistant, and the encryption-decryption time can be varied: if the lattice dimension is kept constant, the speed differs significantly between the variants while the security level stays the same.

* [3] , [5]

• OTRU: Non-Associative, Fast (SVP)

• QTRU: Non-Commutative, Medium Speed (SVP)

• NTRU: Slowest (SVP)
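As an added check (not code from the slides or from the QTRU/OTRU papers), the following encodes the octonion Cayley table from the "Short Detour" slide, with the quaternions as the e0..e3 sub-block, and tests the two properties this slide attaches to the variants: QTRU's algebra is non-commutative but associative, OTRU's is non-associative. The table literal, the transcription sanity check and all function names are my own.

```python
from itertools import product

# Octonion Cayley table from the slide: OCT[i][j] = (sign, k) means e_i * e_j = sign * e_k
OCT = [
    [(1, 0), (1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6), (1, 7)],
    [(1, 1), (-1, 0), (1, 3), (-1, 2), (1, 5), (-1, 4), (-1, 7), (1, 6)],
    [(1, 2), (-1, 3), (-1, 0), (1, 1), (1, 6), (1, 7), (-1, 4), (-1, 5)],
    [(1, 3), (1, 2), (-1, 1), (-1, 0), (1, 7), (-1, 6), (1, 5), (-1, 4)],
    [(1, 4), (-1, 5), (-1, 6), (-1, 7), (-1, 0), (1, 1), (1, 2), (1, 3)],
    [(1, 5), (1, 4), (-1, 7), (1, 6), (-1, 1), (-1, 0), (-1, 3), (1, 2)],
    [(1, 6), (1, 7), (1, 4), (-1, 5), (-1, 2), (1, 3), (-1, 0), (-1, 1)],
    [(1, 7), (-1, 6), (1, 5), (1, 4), (-1, 3), (-1, 2), (1, 1), (-1, 0)],
]

def basis(k):
    """Basis element e_k as an 8-coefficient vector."""
    return [int(i == k) for i in range(8)]

def omul(a, b):
    """Octonion product of two 8-coefficient vectors, bilinear extension of the table."""
    c = [0] * 8
    for i, j in product(range(8), repeat=2):
        if a[i] and b[j]:
            s, k = OCT[i][j]
            c[k] += s * a[i] * b[j]
    return c

def commutator(a, b):
    """ab - ba; vanishes for all a, b only in a commutative algebra."""
    return [x - y for x, y in zip(omul(a, b), omul(b, a))]

def associator(a, b, c):
    """(ab)c - a(bc); vanishes for all a, b, c only in an associative algebra."""
    return [x - y for x, y in zip(omul(omul(a, b), c), omul(a, omul(b, c)))]

def is_associative(dim):
    """True if the subalgebra spanned by e_0..e_{dim-1} is associative (checked on its basis)."""
    return all(not any(associator(basis(i), basis(j), basis(k)))
               for i, j, k in product(range(dim), repeat=3))

def table_consistent():
    """Transcription check: e_0 is the identity, e_i^2 = -e_0 and e_i e_j = -e_j e_i for i != j > 0."""
    return (all(OCT[0][j] == (1, j) and OCT[j][0] == (1, j) for j in range(8))
            and all(OCT[i][i] == (-1, 0) for i in range(1, 8))
            and all(OCT[i][j][1] == OCT[j][i][1] and OCT[i][j][0] == -OCT[j][i][0]
                    for i, j in product(range(1, 8), repeat=2) if i != j))
```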

Page 10:

Proposed Hierarchy for Multivariate Variants of Lattice based Cryptography*

• OTWO: Non-Associative, Fast (SVP)

• QTWO^: Non-Commutative, Medium Speed (SVP)

• NTWO: Slowest (SVP)

* [6]

^ The possibility of such a hierarchy is asserted but is subject to ongoing research.

Page 11:

Trade-Off

[Figure: trade-off plotted between Speed and Security]

Page 12:

Group Based Cryptography

Page 13:

WSP Hierarchy*

For a word W given in terms of the generators of G, decide in a finite number of steps whether W = e or not.

Word Search Problem applied to various groups:

• Burnside Group: solvable in specific cases (WSP)

• Coxeter Group: solvable in specific cases (WSP)

• Braid Groups: various stratifications can be created if the index n of the group satisfies n ≥ 5 (vulnerable for index < 5); linear attacks are effective (WSP)

* [8], [9], [10], [13]

Page 14:

p-Group Based Cryptography

Page 15:

MOR Cryptosystem

Let G = ⟨g1, g2, ..., gτ⟩, τ ∈ ℕ, be a finite group and φ a non-trivial automorphism of G. Alice's keys are as follows:

Private Key: m ∈ ℕ.

Public Key:

Encryption

a: To send a message (plaintext) a ∈ G, Bob computes φ^r and φ^(mr) for a random r ∈ ℕ

b: The ciphertext is

Decryption

Page 16:

Some Findings*

We will prove that a secure MOR cryptosystem (secure here meaning more secure than the discrete logarithm problem, DLP) can't be built using p-automorphisms of p-groups.

Proposition: Let G be a group with a p-automorphism φ ( = e), where e is the identity element of the group. We take a φ-invariant chief central series e = G0 ⊲ G1 ⊲ ... ⊲ Gn-1 ⊲ Gn = G (every quotient has order p and all terms are normal in G), and there is only one maximal subgroup which is fixed by φ. = e but ≠ e (for the case of 2 maximal subgroups of a p-group). Why? If we require that φ has to be the identity on every fixed subgroup, since otherwise φ would be the identity on the whole of G.

We show that the MOR cryptosystem is equivalent to solving a discrete logarithm problem in the usual sense under these assumptions.

* The result was communicated to the author A Mahalanobis, Assistant Professor, IISER Pune, India

Page 17:

Some Findings

Proof: Since e = G0 ⊲ G1 ⊲ ... ⊲ Gn-1 ⊲ Gn = G is the chief central series, φ is the identity on Gn/Gn-1 and φ fixes Gn-1 pointwise ( = e ).

Now let x ∈ Gn \ Gn-1 with φ(x) = x·l for some l ∈ Gn-1. Then

φ^2(x) = φ(φ(x)) = φ(xl) = φ(x)·φ(l) = xl·l = x·l^2

and continuing for n steps we see that:

φ^n(x) = x·l^n

Now consider y ∈ G with y = x^k·m, where m ∈ Gn-1. Then

φ(y) = φ(x^k·m) = φ(x^k)·φ(m) = (φ(x))^k·m = (xl)^k·m = x^k·m·( )·m = y·( )·m = y·g

So g ∈ Gn-1 and φ^s(y) = y·g^s.

Page 18:

Some Findings

So finding the exponent s is equivalent to solving the DLP in the maximal subgroup. Hence the MOR cryptosystem on favorable p-groups* with p-automorphisms provides the same security as solving the DLP in the classical sense (in terms of elements of a proper subgroup).

* A p-group G is called a favorable p-group if there is a non-identity p′-automorphism of the group such that, if the automorphism fixes a proper subgroup H of G, it is the identity on H.

Page 19:

Proposed Hierarchy

• p’-Automorphism in the extra-special p-Groups MOR

• p-Automorphism MOR

Page 20:

Application Scenarios^

Message Prioritization: We assert that this increases the complexity of the problem, since different parts of a message are encrypted over different groups. Hence breaking it is more difficult: several different decryption techniques are needed to recover the whole message.

Hierarchies: Different Security Levels can be maintained for general purposes. At lower levels we assert that the encryption-decryption is not so secure but it is pretty fast. So, there is a trade-off between security and computational speed/power/memory consumption (more generally resources).

Noise: The actual message might be hidden in any arbitrary strata of hierarchies with high level of security. The lower levels of security with breakable encryptions might encapsulate only noise or useless/misleading messages.

Random Allocation of Protocols

^ Assertions

Page 21:

Further Research Questions

Lattice Based Cryptography: Can Non-Associativity provide us with more secure Protocols? But will the Encryption be possible?

Group Based Cryptography: What exponent of Burnside Group would give us a totally secure system?

MOR Cryptosystem: Is it better than the ElGamal Cryptosystem or the same?

Page 22:

References* Research Papers

[1] Constructions in Public Key Cryptography over Matrix Groups by D Grigoriev and I Ponomarenko, June 2005

[2] Anonymity and Rapid Mixing in Cryptographic Protocols by Mirosław Kutyłowski, WARTACRYPT (4th Central European Conference on Cryptology), 2004

[3] NNRU - A non-commutative analogue of NTRU by N Vats, IISc Bangalore, India

[4] Gröbner Bases for Public Key Cryptography by M Caboara, F Caruso and C Traverso; University of Pisa

[5] QTRU: Quaternionic Version of the NTRU Public-Key Cryptosystems by E Malekian, A Zakerolhosseini and A Mashatan; ISeCure (International Journal of Information Security), January 2011

[6] A New Non-Associative Cryptosystem Based on NTWO Public Key Cryptosystem and Octonions Algebra by K Bagheri and MR Sadeghi; Amirkabir University of Technology, Iran, 2012

[7] The Conjugacy Search Problem in Public Key Cryptography - Unnecessary and Insufficient by V Shpilrain and A Ushakov, The City College of New York

[8] Hardness of Learning Problems over Burnside Groups of Exponent 3 by N Fazio, K Igay, A Nicolosi, L Perret and WE Skeith III, Design Codes and Cryptography, April 2015

[9] The Generalized Word Problem for Braid Groups by E Feder, Kingsborough Community College

[10] On the Complexity of Braids by Ivan Dynnikov and Bert Wiest, Moscow State University

[11] MOR Cryptosystem and Extra Special p Groups by A Mahalanobis, IISER Pune, India, November 2011

[12] MOR Cryptosystem and Finite p Groups by A Mahalanobis, IISER Pune, India, September 2013

[13] Solving the enumeration and word problems on Coxeter groups by SLP Perez, GBL Morales and FDS Troncoso; 8th International Conference on Electrical Engineering, Computing Science and Automatic Control, Merida, Mexico, October 2011

Page 23:

References* Books

1. Algebraic Aspects of Cryptography by Neal Koblitz, Algorithms and Computation in Mathematics, First Edition, Springer

2. Introduction to Cryptography with Coding Theory by W Trappe and LC Washington, Second Edition, Prentice Education International

3. Linear Algebra by KM Hoffman and R Kunze, Second Edition, Prentice Hall

4. Topics in Theoretical Computer Science: An Algorithmist's Toolkit by Jonathan Kelner (MIT - OCW)

5. Group based Cryptography by A Myasnikov, V Shpilrain and A Ushakov, First Edition, CRM Barcelona, 2008

6. p-automorphisms of finite p-groups by EI Khukhro, First Edition, Cambridge University Press

7. Reflection groups and Coxeter Groups by JE Humphreys, First Edition, Cambridge University Press

8. Braid Groups by C Kassel and V Turaev, First Edition, Springer

9. Abstract Algebra by IN Herstein, Third Edition, Prentice Hall

10. Combinatorial Group Theory by RC Lyndon and PE Schupp, First Edition, Springer Verlag

Page 24:

Thank You

"Quis Custodiet Ipsos Custodes" ("Who will watch the watchmen") - Juvenal (128 AD)

Page 25:

Questions