Abstract

To resist known quantum algorithm attacks, several nonabelian algebraic structures have entered the stage of modern cryptography. Recently, Baba et al. proposed an important analogy from the integer factorization problem to the factorization problem over nonabelian groups. In this paper, we propose several conjugated problems related to the factorization problem over nonabelian groups and then present three constructions of cryptographic primitives based on these newly introduced conjugacy systems: encryption, signature, and signcryption. Sample implementations of our proposal as well as the related performance analysis are also presented.

1. Introduction

Background and Motivation. Although the idea of encryption has been around for thousands of years, the concept of public key cryptography (PKC) has been with us for no more than half a century. To secure communications over insecure channels, the core idea of PKC is to impose a heavy burden, that is, computational cost in general, on eavesdroppers while keeping the additional workload of legitimate users as light as possible [1]. This idea is always instantiated by certain challenging problems for which the legitimate users know at least one feasible solution, while it is infeasible for attackers to find a solution even if they exhaust all available resources. Along this roadmap, the well-known Diffie-Hellman key exchange protocol [2] as well as many public key cryptosystems, such as RSA [3], ElGamal [4], and ECC [5, 6], have shown great success during the past four decades. However, considering that the famous problem has remained open up to now, all these cryptographic protocols/schemes rely for their security on assumptions of the intractability of certain problems, say the integer factorization problem (IFP), the discrete logarithm problem over finite fields (DLP), or over elliptic curves (ECDLP).

Intractability assumptions about certain cryptographic problems do not by themselves guarantee the security of real systems. Instead, they must be embedded in implementations of cryptographic primitives. In fact, security is a composite concept and it can be divided into several different properties. Among them, confidentiality, authenticity, and integrity attract a lot of attention in the PKC community. Although the primitive of encryption is mainly intended to keep confidentiality, when an encryption scheme achieves indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2), the integrity of the ciphertexts is also granted. Similarly, the primitive of signature maintains authenticity and integrity simultaneously. Another cryptographic primitive, signcryption, is a data security technology by which confidentiality is protected and authenticity is achieved seamlessly at the same time [7–9]. The primitive of signcryption, invented in 1996 but first disclosed to the public at CRYPTO 1997 [7, 8], is now an international standard for data protection (ISO/IEC 29150, Dec 2011). To date, many constructions of signcryption have been proposed, based on the intractability assumptions of IFP [10, 11] or DLP/ECDLP [12, 13]. Some constructions further utilize the bilinear pairing to enhance the functionalities and performance [14, 15], but the security of these constructions is also rooted in the intractability assumption of ECDLP. Unfortunately, IFP and DLP as well as ECDLP could be efficiently solved by Shor’s quantum algorithms [16, 17] and their extensions [18]. Thus, there is an urgent requirement to develop new signcryption schemes that have the potential capability to resist Shor-like quantum attacks. Although two lattice-based signcryption schemes were claimed recently [19, 20] to have advantages in resisting known quantum algorithm attacks, the parameter size of these constructions is considerably large. Therefore, more efficient designs are expected.

Contribution. In this paper, we make contributions in two respects. First, we define several conjugated problems related to the factorization problem over nonabelian groups and we name these problems conjugacy systems. Next, we explore the usefulness of these conjugacy systems by presenting three constructions of cryptographic primitives: encryption, signature, and signcryption. In addition, sample implementations of our proposal as well as related performance analysis are presented.

Related Work. Our work belongs to the line of the so-called noncommutative cryptography that has become noticeable recently [21]. Considering that Shor’s quantum algorithm and its extension work well over some commutative groups, such as the multiplication group , the multiplication group , and the addition group over elliptic curves on finite field , and that efficient quantum algorithms are already known for hidden subgroup problems (HSP) over all commutative groups, a lot of attempts at developing cryptosystems are based on noncommutative algebraic structures. During the past decade, braid groups [9, 22, 23], inner automorphism groups [24, 25], Thompson’s groups [26], linear groups and classical modular groups [27, 28], random covers and logarithmic signatures [29], and so forth have already entered the stage of modern cryptography. However, this area is considerably immature and at present there are no noncommutative cryptosystems that are practical in both efficiency and security [9]. In particular, finding a secure nonabelian analogy of cryptosystems based on IFP remained open [21] until recently. In 2011, Baba et al. proposed a nonabelian factorization problem and presented associated cryptosystems [30]. Although BKT’s constructions failed to achieve semantic security, the insight embedded in the nonabelian factorization problem opens a new avenue for developing practical nonabelian cryptography [31]. In 2012, Gu et al. [31] proposed an IND-CCA2 secure encryption scheme based on BKT’s idea. Moreover, they gave the first arguments on resisting Shor’s quantum algorithm attacks based on noncommutativity (see Remark 11).

Roadmap. The remaining content is organized as follows. In Section 2, we first recall the definition of the nonabelian factorization problem and related extensions, then define some new cryptographic problems (referred to as conjugacy systems), and finally present an analysis of the hardness of these problems; in Section 3, we present new constructions of encryption, signature, and signcryption based on the newly introduced conjugacy systems; in Section 4, we discuss the possible implementation platforms and related performance; finally, concluding remarks are given in Section 5.

2. Conjugacy Systems Based on Nonabelian Factorization Problems

Most public key cryptosystems are based on certain intractability assumptions and thus finding new intractability assumptions is an interesting cryptographic practice. In this section, we will first review the so-called nonabelian factorization problem that was first formulated in [30] and then introduce some new cryptographic problems by coupling related problems with conjugate operations. This idea is in fact inspired by braid cryptosystems [23] and the CSP-based constructions [32] where conjugacy related problems play central roles. For brevity, we refer to these problems as conjugacy systems.

2.1. Nonabelian Factorization Problem and New Cryptographic Problems

Definition 1 (factorization problem, FP [30, 31]). Let be any nonabelian finite group with identity . Let be two random elements so that . The factorization problem with respect to , denoted by , is to split the given product into a pair , where and are arbitrary integers picked at random.

Definition 2 (computational Diffie-Hellman problem, CDH [30, 31]). Let be any nonabelian finite group with identity . Let be two random elements so that . The computational Diffie-Hellman (CDH) problem with respect to , denoted by , is to recover from the given pair , where are arbitrary integers picked at random.

Definition 3 (decisional Diffie-Hellman problem, DDH [31]). Let be any nonabelian finite group with identity . Let be two random elements so that . The decisional Diffie-Hellman (DDH) problem with respect to , denoted by , is to distinguish the distribution and the distribution

Definition 4 (gap computational Diffie-Hellman problem, Gap-CDH [31]). Let be any nonabelian finite group with identity . Let be two random elements so that . The gap computational Diffie-Hellman (Gap-CDH) problem (In [31], this problem is called gap Diffie-Hellman (Gap-DH) problem) with respect to , denoted by , is to solve the problem given access to an oracle that solves the problem.

Definition 5 (subgroup conjugator searching problem, SCSP). Let be any nonabelian finite group with identity . Let be two random elements so that . The subgroup conjugator searching problem (SCSP) with respect to , denoted by , is to recover from the given pair , where are arbitrary integers picked at random.

Definition 6 (subgroup conjugacy deciding problem, SCDP). Let be any nonabelian finite group with identity . Let be two random elements so that . The subgroup conjugacy deciding problem (SCDP) with respect to , denoted by , is to distinguish the distribution and the distribution

Definition 7 (conjugated computational Diffie-Hellman problem, CCDH). Let be any nonabelian finite group with identity . Let be two random elements so that . The conjugated computational Diffie-Hellman (CCDH) problem with respect to , denoted by , is to recover from the given triple where are arbitrary integers picked at random.

Definition 8 (conjugated decisional Diffie-Hellman problem, CDDH). Let be any nonabelian finite group with identity . Let be two random elements so that . The conjugated decisional Diffie-Hellman (CDDH) problem with respect to , denoted by , is to distinguish the distribution (where are drawn at random) and the distribution (where are drawn at random).

Definition 9 (gap conjugated computational Diffie-Hellman problem, Gap-CCDH). Let be any nonabelian finite group with identity . Let be two random elements so that . The gap conjugated computational Diffie-Hellman (Gap-CCDH) problem with respect to , denoted by , is to solve the problem, given access to an oracle that solves the problem.

2.2. Hardness Assumptions

Firstly, we should notice that the condition implies that the FP problem is well-defined in the sense that the solution is unique for any given FP instance. In addition, if is abelian and the orders of and are coprime and known, then the FP problem can be reduced to the discrete logarithm problem in according to [30]. However, if the orders of and have common factors or are kept unrevealed or is nonabelian, then the FP problem seems much harder. In this case, the naive method of trying all different pairs is apparently infeasible if the orders of and are large enough. Therefore, we would like to introduce the meta-assumptions as follows:
(i) is a nonabelian finite group, where is the identity;
(ii) the orders of and are large enough;
(iii) and .
And then, based on this meta-assumption, our first hardness assumption states that the FP problem is intractable.

Secondly, both the problem and the problem are no harder than the problem. But as far as we know, there is no better solution for the problem and problem other than solving the problem. (Note that if and commute (i.e., ), although the problem is still meaningful, the problem, the problem, and the problem become trivial; thus, the meta-assumption of noncommutativity of and is one of the crucial factors.) Therefore, our 2nd, 3rd, and 4th hardness assumptions state the intractabilities of the problem, the problem, and the problem, respectively.

Thirdly, the SCDP problem might be tractable for certain nonabelian groups, say matrix groups, considering that the trace of the matrix is the same as the trace of . However, even for matrix groups, it seems that both the CCDH problem and the CDDH problem are still intractable, since we have not found an easier way of solving them than using the naive method of enumerating all possible entries. Intuitively, it is hard to solve the CDDH problem without solving the SCSP problem when is modeled as a generic semigroup model. In 2005, Maurer [33] proved that the discrete logarithm problem (DLP) and the corresponding decisional Diffie-Hellman (DDH) problem are polynomially equivalent in a generic cyclic group. By analogy, we speculate that the SCSP problem and the CDDH problem in a generic noncommutative semigroup are polynomially equivalent. Furthermore, we do not know a better solution for the problem and problem other than solving the problem. Therefore, our 5th, 6th, 7th, and 8th hardness assumptions state the intractabilities of the problem, the problem, the , and the problem, respectively. Note that in this paper, we do not assume that problem is hard. At present, we have no idea whether the (gap) conjugated computational (resp., decisional) Diffie-Hellman problem is harder than the (gap) computational (resp., decisional) Diffie-Hellman problem or vice versa.
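The trace observation above can be checked directly. The following is an added example, not code from the paper: it builds a trace-based distinguisher over 3x3 invertible matrices modulo a small prime and measures how often it tells a conjugate of `h` by a power of `g` from a random invertible matrix. The prime, the dimension, all function names, and the modeling of the decision task as "conjugate g^x h g^(-x) versus random group element" are assumptions made here, since the exact distributions of Definition 6 are not reproduced on this page.

```python
import random

P = 1000003  # constructed small prime modulus (assumption; far below real sizes)
N = 3        # matrix dimension (assumption)

def mat_identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_mul(a, b, p=P):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % p
             for j in range(n)] for i in range(n)]

def mat_pow(a, e, p=P):
    """Square-and-multiply exponentiation of a matrix over F_p."""
    result, base = mat_identity(len(a)), a
    while e > 0:
        if e & 1:
            result = mat_mul(result, base, p)
        base = mat_mul(base, base, p)
        e >>= 1
    return result

def mat_inv(a, p=P):
    """Gauss-Jordan inverse over F_p; returns None if the matrix is singular."""
    n = len(a)
    aug = [list(row) + ident for row, ident in zip(a, mat_identity(n))]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % p), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [v * inv % p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(vr - f * vc) % p for vr, vc in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_invertible(rng, n=N, p=P):
    """Rejection-sample an element of GL_n(F_p)."""
    while True:
        m = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        if mat_inv(m, p) is not None:
            return m

def trace(a, p=P):
    return sum(a[i][i] for i in range(len(a))) % p

def conjugate(g, x, h, p=P):
    """Return g^x * h * g^(-x) over F_p."""
    gx = mat_pow(g, x, p)
    return mat_mul(mat_mul(gx, h, p), mat_inv(gx, p), p)

def looks_conjugate(h, candidate, p=P):
    """Trace test: conjugation never changes the trace."""
    return trace(h, p) == trace(candidate, p)

def distinguisher_accuracy(trials=200, seed=1):
    """Fraction of trials in which the trace test labels the sample correctly."""
    rng = random.Random(seed)
    g, h = random_invertible(rng), random_invertible(rng)
    correct = 0
    for _ in range(trials):
        is_conj = rng.random() < 0.5
        if is_conj:
            cand = conjugate(g, rng.randrange(1, 2**64), h)
        else:
            cand = random_invertible(rng)
        correct += (looks_conjugate(h, cand) == is_conj)
    return correct / trials

if __name__ == "__main__":
    print("trace distinguisher accuracy:", distinguisher_accuracy())
```

A random matrix shares the trace of `h` with probability about 1/P, so the test is wrong only on that sliver of the non-conjugate samples; this is why the section does not list the SCDP problem among its hardness assumptions for matrix platforms.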

Finally, a solution to the problem would imply a solution to all above problems [30]. In addition, is not required to be invertible in all above definitions; thus it is possible to instantiate these problems over nonabelian semigroups (see Figure 1).

Remark 10 (SCSP versus CSP). Note that the subgroup conjugator searching problem (SCSP) and the subgroup conjugacy deciding problem (SCDP) introduced in this paper are in general at least as hard as the conjugator searching problem (CSP) and the conjugacy deciding problem (CDP) given in [21] in the sense that SCSP and SCDP further require the potential conjugator coming from a specified subgroup .

Remark 11 (quantum attack resistant). Note that in [31], we give detailed analysis of the core role of noncommutativity on resisting Shor's quantum algorithm attacks. To make this paper self-contained, we briefly recall some points. We know that the main part of Shor’s quantum algorithm is a quantum algorithm to solve the order-finding problem over the abelian group [16, 17]. Now, suppose that a quantum algorithm to solve the order-finding problem over the underlying group is at hand and we have already worked out ’s order and ’s order . However, the following lifting reductions are blocked by noncommutativity: The above two inequalities are very important in our arguments. Without them, one can reduce the problem to the DLP problems over the cyclic groups and , which are quantumly tractable by using Shor’s algorithm [31]. In this sense, we can see that BKT’s method pins down the true meaning of noncommutativity for resisting Shor’s quantum algorithm attacks (see Section 7.1 of [31] for more details).

3. Cryptographic Applications

Let us proceed to demonstrate the usefulness of the conjugacy systems defined above. Suppose that is a nonabelian group. First, the common setting of the public parameters of the proposed schemes is given by a quintuple , where
(i) is a description of . Without loss of generality, we assume the length of is bounded by for finite . When is infinite but admits a finite presentation, say , then the description of is given by the description of and .
(ii) are two fixed elements that are picked at random so that
  (a) and do not commute; that is, ;
  (b);
  (c) the order of is large enough. Typically, we assume that the order of is no less than the system security parameter that will be specified later.
(iii) and are two cryptographic hash functions that are modeled as random oracles.

3.1. Encryption with IND-CPA Security

Now, as a warm-up, an ElGamal-like encryption scheme, denoted by , is described as follows.
(i): this is the key generation algorithm that takes, as input, the system security parameter , picks an integer at random and calculates , and finally outputs as the private/public key pair.
(ii): this is the encryption algorithm that takes as inputs the public key and the message and performs the following steps:
  (a) pick at random,
  (b) compute and ,
  (c) output .
(iii): this is the decryption algorithm that takes as inputs the private key and the ciphertext pair and then outputs the intended message .

Correctness. The correctness of the scheme is granted by the following calculation:

Security. The security of the above encryption scheme is essentially similar to the security of the well-known Elgamal encryption scheme [4]. That is, it is indistinguishable against chosen plaintext attack (IND-CPA) under the assumption of the intractability of the problem. One can also find similar proofs from either [9] or [32]. In addition, since neither nor are used in this scheme, it is secure in the standard model. By using two random oracles and , one can easily convert it into an IND-CCA2 secure encryption scheme according to the well-known FO transformation theorem [34] (see the proof of Theorem 14).

3.2. Signature with the Lowest Security

Next, let us describe a signature scheme, denoted by , that can be viewed as a simplified variant of the noncommutative signature scheme given in [35].
(i): it is the same as in Section 3.1.
(ii): this is the signing algorithm that takes as inputs the private key and the message and performs the following steps:
  (a) pick at random,
  (b) compute , , and ,
  (c) output the signature .
(iii): this is the verifying algorithm that takes as inputs the public key and the message-signature pair and then performs the following steps:
  (a) parse into ,
  (b) compute and verify whether the following equality holds
  (c) if so, accept this signature; otherwise, reject it.

Correctness. The correctness of the scheme is granted by the following calculation:

Security. On one hand, under the assumptions of the intractability of the problem and being a random oracle, this signature scheme merely achieves unforgeability against no message attacks (UF-NMA)—this is the lowest security level for a signature scheme where adversaries are merely given the public key and asked to output a successful forgery. The arguments are similar to the security analysis given in [35]. On the other hand, taking this scheme as a building block, we can design a signcryption scheme that achieves existential unforgeability against external adaptively chosen message attack (see the next subsection).

3.3. Signcryption with IND-CCA2 Security

Based on the encryption scheme and the signature scheme , let us proceed to present a signcryption scheme, denoted by .
(i): it is the same as in Section 3.1.
(ii): this is the signcryption algorithm that takes as inputs the sender’s private key , the receiver’s public key , and the message and performs the following steps:
  (a) pick at random,
  (b) compute where operator “” should be viewed as XOR operation over bit-strings that are encoding results of a pair in ,
  (c) output .
(iii): this is the unsigncryption algorithm that takes as inputs the receiver’s private key , the sender’s public key , and the ciphertext pair and performs the following steps:
  (a) compute ,
  (b) let ,
  (c) output if and otherwise.

Remark 12. The above signcryption scheme inherits the same framework from [9]. However, the construction given here is distinguished by the following differences.
(i) Different platforms with different security bases. In [9], the platform is the braid group and the underlying intractability assumption is the conjugator searching problem (CSP), while in this paper, the platform could be any nonabelian group and the underlying intractability assumption is the subgroup conjugator searching problem (SCSP) that is based on the intractability assumption of the nonabelian factorization problem. In general, we think the SCSP problem is at least as hard as the CSP problem (see Remark 10). In particular, based on nonabelian factorization related problems, noncommutativity plays a core role in resisting Shor’s quantum algorithm attacks.
(ii) Different settings with different trade-offs in computational/storage cost. As suggested in [9], with the braid group , we need about 4 Kbits to represent a braid with canonical length . This is a bit inefficient in storage. Therefore, instead of keeping a braid as the private key, we merely use a positive integer to indicate the private key. Considering that the braid exponentiation can be finished very efficiently, the real private key can be reconstructed whenever it is required. However, in this paper, our proposal could be instantiated over arbitrary nonabelian groups only if the related intractability assumptions remain reasonable. Thus, we directly use as the private key. To deploy our proposal in real systems, the engineers are responsible for making a proper trade-off between the storage cost and the computational cost.

Correctness. The correctness of the above scheme is given by the following theorem.

Theorem 13. The proposed signcryption is consistent.

Proof. Suppose the sender and the receiver perform honestly and their inputs are well formed. That is, and . Then, since we have that Then, will be output correctly.

Security. As for a signcryption scheme, the security includes two aspects: indistinguishability and unforgeability.

Theorem 14. Suppose that and are random oracles. The proposed signcryption is indistinguishable against adaptive chosen ciphertext attack (IND-CCA2) assuming that the problem is intractable.

Proof (sketch of the proof). The proof threads are similar to what is given in [9]. At first, we can apply the well-known Fujisaki-Okamoto transformation theorem [34] to conclude the IND-CCA2 security of the following encryption scheme, denoted by .
(i): it is the same as in Section 3.1.
(ii): this is the encryption algorithm that takes as inputs the receiver’s public key and a message and then performs the following steps:
  (a) pick at random,
  (b) let , where is the encryption algorithm in Section 3.1,
  (c) let and ,
  (d) output .
(iii): this is the decryption algorithm that takes as inputs the receiver’s private key and the ciphertext quadruple and then performs the following steps:
  (a) let , where is the decryption algorithm in Section 3.1,
  (b) let ,
  (c) output if and otherwise.
Apparently, is an FO-like variant of and its security is enhanced to IND-CCA2 assuming that both and are random oracles [34].
Now, let us show that, with the same random oracles, if there exists a probabilistic polynomial time adversary that can break the IND-CCA2 security of the proposed signcryption scheme , then there also exists another probabilistic polynomial time adversary that can break the IND-CCA2 security of .
In fact, since controls the response of the random oracles and , it can break the IND-CCA2 security of easily: whenever seeing a ciphertext , it can retrieve the message and random salt by looking up the response list of under the reasonable assumption that the probability for different pair with same hash value with the pair is negligible. What remains is to show how , without knowing the receiver's private key , can perfectly simulate the response to decryption queries for .
Whenever invokes an unsigncryption query by submitting a signcryption pair , responds as follows.
(1) Look up in -list, where indicates a wildcard that can be matched with arbitrary inputs. If there is no matched triple, sends to as the response.
(2) For each matched triple , performs the following steps:
  (a) for each in list, do the following steps:
    (i) extract a possible according to the following formula:
    (ii) test whether the equality holds. If so, reply with and end the response; otherwise, continue.
(3) If up to now has no output response to yet, then sends to as the response and then ends the response.
Finally, without accessing hash queries on random oracles and , ’s probability for submitting a valid signcryption pair is negligible. Thus, whenever invokes hash queries on and for forming a valid signcryption pair, related materials are recorded, and can retrieve them and finally send a perfect response.

Theorem 15. Suppose that and are random oracles. The proposed signcryption scheme is existential unforgeable against external adaptive chosen message attacks (EUF-ext-CMA) assuming that the problem is intractable.

Proof. Here, the term “external” means that the forger is neither the signer nor the intended receiver. Let us show that whenever an external attacker outputs a successful forgery, then this must contradict the UF-NMA security of the signature scheme given in Section 3.2. At first, without invoking any query, ’s successful forgery itself means an attack against the UF-NMA security. Next, suppose that invokes polynomially many signcryption queries or unsigncryption queries. Let us show that the responses for these queries have no help to for making a forged signcryption.
Suppose invokes a signcryption query on some message and receives a pair as the response. After that, invokes a random oracle query on with inputs and and then he/she obtains . Now, still has no means to obtain a valid signature from since both and remain unknown. Suppose can get via invoking a random oracle query on with input . Then, its query input gives a solution to the SCSP instance . This contradicts the assumption of the intractability of the SCSP problem.
Now, suppose invokes an unsigncryption query on some signcryption pair . Similar to the response of given in the proof of Theorem 14, gets either a symbol or a message . In the former case, ’s query is invalid and rejected. In the latter case, ’s query is valid and there exists a matched entry in list. This in turn implies that there exists a matched entry in list. However, this is impossible since it again means a solution to the SCSP instance .
This concludes the theorem.

Remark 16. To prove the unforgeability of a signature scheme, it is reasonable to exclude the signer from forgeries. But just as was done in [9], the so-called external attacker model enables us to further exclude the intended receiver from the forgeries. Unlike the primitive authenticated encryption, the authenticity embedded in the primitive of signcryption is unidirectional to some extent. That is, it seems that there is no reason for an intended receiver to forge a signature on behalf of some signer and then encrypt the signature for himself/herself, except for planting false evidence against some senders. Otherwise, an existentially unforgeable signature scheme, such as the noncommutative signature scheme in [36], should be embedded therein.

4. Sample Implementations and Performance Evaluation

In [30], the authors suggested to consider the intractability assumption of the problem over three kinds of platforms:
(1), that is, the general linear group over finite field,
(2), that is, the nonabelian subgroup of consisting of unitriangular matrices,
(3) braids set , that is, the set of braids in the braid group with canonical factors.

At first, a braid can be represented by a bit string of size [23] and the complexities of the braid operations such as multiplication, inversion, and canonical form computation are bounded by in the sense of bit operations [9]. Thus, if we follow Maffre’s suggestions by setting and [37], then the number of bit operations for implementing these braid operations is proportional to and the sizes of the system parameters, the private key, the public key, and the ciphertexts are 5650 bits, 80 bits, 2822 bits, and 8466 bits, respectively. More detailed evaluation on the performance of braid-based cryptosystems can be found either in [36] or in [9].

Next, let us pay attention to and . In particular, we mainly focus on two aspects: the time complexity of exponentiation and the related parameter sizes. Since the classical techniques for matrix multiplication/inversion in (resp., ) take about (resp., ) -operations, while each -operation needs bit operations [38], by employing the idea of “square-multiply,” the time complexity of calculating an exponentiation with in both and is in sense of bit operations. To represent a matrix in (resp., ), we need (resp., ) -elements, while each -element occupies exactly bits. In practice, need not be too large. Typically, we set and then collect our analysis in Table 1. From this table, we can see that the computational/storage cost of cryptosystems over is about merely times of those over when . (Note that since both the encryption scheme and the signature scheme are embedded into the signcryption scheme , we merely present performance analysis on .)

5. Conclusion

The rapid progress of quantum algorithms casts doubt on many public key cryptosystems based on the integer factorization problem, the discrete logarithm problem, and other assumed intractable problems over certain abelian groups. Some breakthroughs in developing new public key cryptography based on nonabelian algebraic structures have been made during the past decade. In particular, Baba et al. made the first step toward constructing cryptographic schemes based on nonabelian factorization problems. In this paper, we first present several conjugacy systems based on the factorization problem over nonabelian groups and then present new constructions of encryption, signature, and signcryption based on the newly introduced cryptographic intractability assumptions. Some possible implementation platforms and the related performance analysis are also given. Two possible future perspectives are to investigate more efficient platforms for implementing our proposal and to investigate possible reductions from the hardness of the related conjugated problems to the hardness of the underlying problems.

Appendix

Existential Forgery on the Noncommutative Signature Scheme in [35]

In 2012, Kahrobaei and Koupparis [35] introduced a noncommutative digital signature scheme, denoted by KK12 for short. In KK12, a highly smooth composite number was introduced and the authors claimed it is necessary to use the exponent for resisting existential forgery. The KK12 signature scheme can be summarized as follows.
(i): the private key is a pair with and (where are prime and ) while the public key is set to . (For arbitrary and , and represent and , resp. In addition, although neither nor is well-defined, we have that holds without any ambiguity.)
(ii): to sign a given message , the signer with private key performs the following steps:
  (a) pick at random and a random factorization of ,
  (b) compute
  (c) output the signature .
(iii): where .

Unfortunately, we find that this is not true and the newly introduced exponent has no bearing on existential forgery. In fact, the authors [35] had already realized this problem and suggested to let the signer keep a public list that contains all s, that is, random factors of , he/she has used thus far. But we think this solution is impractical; this would make the signature verification process very inefficient, since one has to check the freshness of This needs to go through all existing s from the list.

Now, let us proceed to describe our cryptanalysis on KK12. Upon obtaining a valid signature triple on message , by reusing the exponent , our existential forgery on arbitrary message is formed as follows: where is picked at random and . What remains is to show that this forgery can pass the verification. In fact, we have Thus, That is, the above existential forgery attack is successful.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (NSFC) (no. 61121061, 61370194) and the Fundamental Research Funds for the Central Universities (no. BUPT2012RC0219). Finally, the authors would like to thank the anonymous referees for their very careful and instructive comments.