6. Conclusion

This section is similar to ([6], Section 8). A useful public-key cryptosystem is a delicate dance between speed and security, so one must talk about speed along with security.

The implementation of the MOR cryptosystem that we have in mind uses the row-column operations. Let $g_1, g_2, \ldots, g_s$ be a set of generators for the orthogonal or symplectic group as described before. As is the custom with a MOR cryptosystem, the automorphisms $\phi$ and $\phi^m$ are presented as action on generators, i.e., we have $\phi(g_i)$ and $\phi^m(g_i)$ as matrices for $i = 1, 2, \ldots, s$.

To encrypt a message in this MOR cryptosystem, we compute $\phi^r$. We do that by the square-and-multiply algorithm. For this implementation, squaring and multiplying are almost the same, so we will refer to both squaring and multiplication as multiplication. Note that multiplication here is composition of automorphisms.

The implementation that we describe in this chapter can work in parallel. Each instance computes $\phi^r(g_i)$ for $i = 1, 2, \ldots, s$. The first thing that we do is write the matrix of $\phi(g_i)$ as a word in generators. So essentially the map $\phi$ becomes a map $g_i \mapsto w_i$, where $w_i$ is a word in generators of some fixed length. Then multiplication becomes essentially a replacement: replace all instances of $g_i$ by $w_i$. This can be done very fast. However, the length of the replaced word can become very large. The obvious question is how soon we are going to write this word as a matrix. This is a difficult question to answer at this stage and depends on available computational resources.

Once we decide how often we change back to matrices, how are we going to change back to matrices? There can be a fairly easy time-memory trade-off: write all words up to a fixed length and the corresponding matrices as a pre-computed table, and use this table to compute the matrices. Once we have matrices, we can multiply them together to generate the final output. There are also many obvious relations among the generators of these groups. One can just store and use them. The best strategy for an efficient implementation is yet to be determined. It is clear now that there are many interesting and novel choices.
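The word-replacement arithmetic described above, as an added example (not the authors' implementation): a toy instance in SL(2, 101) = Sp(2, 101) with two elementary-matrix generators, where ϕ is assumed to be conjugation by g1·g2. All names (`compose`, `power`, `free_reduce`, `to_matrix`) and parameters are hypothetical, and free reduction stands in for the stored relations among generators.

```python
from functools import reduce
from itertools import chain

P = 101  # toy prime (constructed); real parameters are far larger
# g1, g2: elementary matrices generating SL(2, P) = Sp(2, P); -i is g_i^-1
GEN = {1: ((1, 1), (0, 1)), 2: ((1, 0), (1, 1)),
       -1: ((1, P - 1), (0, 1)), -2: ((1, 0), (P - 1, 1))}

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def to_matrix(word):
    """Change a word (tuple of signed generator indices) back to a matrix."""
    return reduce(mul, (GEN[x] for x in word), ((1, 0), (0, 1)))

def inverse(word):
    return tuple(-x for x in reversed(word))

def free_reduce(word):
    """Use the obvious relation g * g^-1 = 1 to keep words short."""
    out = []
    for letter in word:
        if out and out[-1] == -letter:
            out.pop()
        else:
            out.append(letter)
    return tuple(out)

def compose(phi, psi):
    """phi after psi: replace each letter in psi's words by phi's word for it."""
    return {i: free_reduce(chain.from_iterable(phi[x] for x in w))
            for i, w in psi.items()}

def power(phi, r):
    """Square-and-multiply; squaring and multiplying are both compose()."""
    acc, base = {i: (i,) for i in phi}, phi  # acc starts as the identity map
    while r:
        if r & 1:
            acc = compose(base, acc)
        base, r = compose(base, base), r >> 1
    return acc

A = (1, 2)  # assumed phi: conjugation by A = g1*g2, stored as letter -> word
PHI = {i: free_reduce(A + (i,) + inverse(A)) for i in GEN}

def conjugate_directly(r, i):
    """Reference value A^r g_i A^-r computed purely with matrices."""
    return mul(mul(to_matrix(A * r), GEN[i]), to_matrix(inverse(A) * r))
```

With free reduction the word for ϕ^25(g1) has 101 letters; unreduced replacement with the five-letter words A·g_i·A^-1 would give 5^25 letters, which is why the point at which words are changed back to matrices matters.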

The benefits of this MOR cryptosystem are:

This can be implemented in parallel easily.

This implementation does not depend on the size of the characteristic of the field. This is an important property in light of Joux's recent improvement of the index-calculus attacks [11].

For parameters and complexity analysis of this cryptosystem, we refer to ([6], Section 8). Assume that we take a prime of size $2^{160}$ and we are using a two-generator presentation of $\phi$ for the even-orthogonal group. Then the security is the discrete logarithm problem in $\mathbb{F}_{p^{d^2}}$. Now if we take $d = 4$, then the security is better than $\mathbb{F}_{2^{2560}}$. Our key-size is about 8000 bits. Comparing with Monico ([10], Section 7), where he says an ElGamal will have about 6080 bits, our system is quite comparable. Moreover, the MOR cryptosystem is better suited to handle large primes and can be easily parallelized.

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663

Remark 5.2 Let $d(\zeta) = \mathrm{diag}(1, 1, 1, \ldots, \zeta, 1, \ldots, \zeta^{-1})$, where $\zeta$ is non-square in $\mathbb{F}_p^{\times}$. Then as a consequence of our Gaussian elimination algorithm in Appendix A, we can see that x, x0, x1(t, s), x2, w and wl along with $d(\zeta)$ generate the twisted orthogonal group.

Modern Cryptography – Current Challenges and Solutions

#### Acknowledgements

We are thankful to the editor and referees for their valuable comments, which have improved the paper substantially. This work was supported by a SERB research grant. This chapter contains part of the PhD thesis of the first and the third author, directed by the second and the fourth author at IISER Pune.
