The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm…

Modern Cryptography – Current Challenges and Solutions
DOI: http://dx.doi.org/10.5772/intechopen.84663

Abstract

In this chapter, we study the MOR cryptosystem with symplectic and orthogonal groups over finite fields of odd characteristic. There are four infinite families of finite classical Chevalley groups: the special linear groups SL(d, q), the orthogonal groups O(d, q), and the symplectic groups Sp(d, q), where the family O(d, q) splits into two different families of Chevalley groups depending on the parity of d. The MOR cryptosystem over SL(d, q) was studied by the second author; in that case the hardness of the MOR cryptosystem was found to be equivalent to the discrete logarithm problem in $\mathbb{F}_{q^d}$. In this chapter, we show that the MOR cryptosystem over Sp(d, q) has the security of the discrete logarithm problem in $\mathbb{F}_{q^d}$. However, it seems likely that the security of the MOR cryptosystem for the family of orthogonal groups is that of the discrete logarithm problem in $\mathbb{F}_{q^{d^2}}$. We also develop an analog of row-column operations in symplectic and orthogonal groups, which is of independent interest, in an appendix.

Keywords: public-key cryptography, MOR cryptosystem, Chevalley groups, Gaussian elimination
2010 Mathematics Subject Classification: 94A60, 20H30

#### 1. Introduction

Public-key cryptography is the backbone of modern society. However, with recent advances in quantum computers and their possible implications for factoring integers and solving discrete logarithm problems, it seems that we may be left with no secure public-key primitive. So it seems prudent to set out in search of new cryptographic primitives and, subsequently, new cryptosystems. The obvious question is: how to search and where to look? One can look into several well-known hard problems in mathematics and hope to create a trap-door function, or one can try to generalize the known, trusted cryptosystems.

This chapter is in the direction of generalizing a known cryptosystem, with the hope that something practical and useful will come out of this generalization. A new but arbitrary cryptosystem might not be considered secure by the community for decades, so our approach is conservative but practical. Several such approaches were made earlier by eminent mathematicians. To name a few, Maze et al. [1, 2] developed SAP and Shpilrain and Zapata developed CAKE, both of which work in non-abelian structures. There is an interesting cryptosystem in the work of Climent et al. [3]. We further recommend the work of Grigoriev et al. [4] and Roman'kov [5].


The cryptosystem that we have in mind is the MOR cryptosystem [6–9]. In Section 2, we describe the MOR cryptosystem in detail. It is a simple but powerful generalization of the well-known and classic ElGamal cryptosystem. In this cryptosystem, the discrete logarithm problem works in the automorphism group of a group instead of in the group itself. As a matter of fact, it can work in the automorphism group of most algebraic structures; however, we limit ourselves to finite groups. One way to look at the MOR cryptosystem is that it generalizes the discrete logarithm problem from a cyclic (sub)group to an arbitrary group.
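To make the generalization concrete, here is an added example of the MOR cryptosystem over SL(2, p) with inner automorphisms, in the shape proposed by Paeng et al. [9] and used for SL(d, q) in [6]. It is our own illustration, not code from the chapter and not the authors' implementation for symplectic or orthogonal groups. An automorphism is published only through its images on the generators x12(1) and x21(1); applying it to an arbitrary matrix first writes that matrix as a word in the generators by a 2×2 Gaussian elimination and then substitutes the images, which is exactly the "Gaussian elimination and substitution" the chapter relies on. All names, the toy prime P = 101, the random key, and the use of |PSL(2, p)| as an exponent that kills every inner automorphism (for inverting one) are our assumptions.

```python
import random

# Added example, not the chapter's code: MOR over SL(2, p) with inner automorphisms.
P = 101                      # toy prime (assumption); far too small for any real security
I2 = ((1, 0), (0, 1))

def mat_mul(A, B, p=P):
    (a, b), (c, d) = A
    (e, f), (g, h) = B
    return (((a*e + b*g) % p, (a*f + b*h) % p),
            ((c*e + d*g) % p, (c*f + d*h) % p))

def mat_inv(A, p=P):
    (a, b), (c, d) = A
    di = pow((a*d - b*c) % p, -1, p)
    return ((d*di % p, -b*di % p), (-c*di % p, a*di % p))

def mat_pow(A, e, p=P):
    R = I2
    while e:
        if e & 1: R = mat_mul(R, A, p)
        A, e = mat_mul(A, A, p), e >> 1
    return R

# Elementary matrices x12(t), x21(t); since x_r(t) = x_r(1)^t, the two x_r(1) suffice.
def x12(t, p=P): return ((1, t % p), (0, 1))
def x21(t, p=P): return ((1, 0), (t % p, 1))
ID_AUT = {'12': x12(1), '21': x21(1)}   # the identity automorphism, given on generators

def to_word(M, p=P):
    """Gaussian elimination in SL(2,p): return [(r, t), ...] with M = prod x_r(t)."""
    (a, b), (c, d) = M
    assert (a*d - b*c) % p == 1, "M must lie in SL(2,p)"
    if c == 0:                           # make the (2,1) entry nonzero first
        return [('21', p - 1)] + to_word(mat_mul(x21(1), M, p), p)
    ci = pow(c, -1, p)                   # M = x12((a-1)/c) x21(c) x12((d-1)/c)
    return [('12', (a - 1) * ci % p), ('21', c), ('12', (d - 1) * ci % p)]

def apply_aut(phi, M, p=P):
    """Substitution: phi(M) = prod phi(x_r(1))^t over the word of M."""
    R = I2
    for r, t in to_word(M, p):
        R = mat_mul(R, mat_pow(phi[r], t, p), p)
    return R

def compose(psi, phi, p=P):
    """(psi o phi) on generators: needs the word problem for each phi(x_r(1))."""
    return {r: apply_aut(psi, phi[r], p) for r in phi}

def aut_pow(phi, e, p=P):
    R = ID_AUT
    while e:
        if e & 1: R = compose(R, phi, p)
        phi, e = compose(phi, phi, p), e >> 1
    return R

def inner(A, p=P):
    """The inner automorphism X -> A X A^{-1}, as a MOR public key presents it."""
    Ai = mat_inv(A, p)
    return {r: mat_mul(mat_mul(A, g, p), Ai, p) for r, g in ID_AUT.items()}

ORDER = P * (P * P - 1) // 2   # |Inn(SL(2,p))| = |PSL(2,p)| for odd p, so phi^ORDER = id

def random_sl2(rng, p=P):
    while True:
        a, b, c, d = (rng.randrange(p) for _ in range(4))
        det = (a*d - b*c) % p
        if det:
            di = pow(det, -1, p)
            return ((a*di % p, b*di % p), (c, d))

def keygen(rng):
    A, m = random_sl2(rng), rng.randrange(2, ORDER)
    phi = inner(A)
    return m, (phi, aut_pow(phi, m))          # private m; public (phi, phi^m)

def encrypt(pub, M, rng):
    """ElGamal in Aut(G): (phi^r, phi^{mr}(M)) for a message M in SL(2,p)."""
    phi, phi_m = pub
    r = rng.randrange(2, ORDER)
    return aut_pow(phi, r), apply_aut(aut_pow(phi_m, r), M)

def decrypt(m, ct):
    phi_r, C = ct
    return apply_aut(aut_pow(phi_r, (-m) % ORDER), C)   # (phi^r)^{-m} applied to C

def roundtrip(seed=7):
    rng = random.Random(seed)
    m, pub = keygen(rng)
    M = random_sl2(rng)
    return decrypt(m, encrypt(pub, M, rng)) == M
```

Every power of an automorphism here is computed on the generators alone; no conjugating matrix is ever handled after key generation, which is what makes the word problem (to_word) and substitution (apply_aut) the whole cost of the scheme.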

The MOR cryptosystem over SL(d, q) was studied earlier [6] and cryptanalyzed by Monico [10]. It became clear that, working with matrix groups of size d over $\mathbb{F}_q$ and with automorphisms that act by conjugation, like the inner automorphisms, there are two possible reductions of the security to finite fields: the security of the discrete logarithm problem in $\mathbb{F}_{q^d}$ or in $\mathbb{F}_{q^{d^2}}$ ([6], Section 7). This reduction is similar to the embedding of the discrete logarithm problem in the group of rational points of an elliptic curve into a finite field; the degree of the extension of that field over the field of definition of the elliptic curve is called the embedding degree. In the case of SL(d, q), the security became that of $\mathbb{F}_{q^d}$. The reason we undertook this study is to see whether the security in the other classical Chevalley groups is that of $\mathbb{F}_{q^d}$ or of $\mathbb{F}_{q^{d^2}}$.
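The reduction described above, as an added example that is not part of the chapter: for SL(2, p) with inner automorphisms, the published images of the two generators determine the conjugating matrix up to a scalar by plain linear algebra (the solution space of X·x_r(1) = φ(x_r(1))·X for both generators is one-dimensional, because x12(1) and x21(1) generate SL(2, p), which acts irreducibly), so the discrete logarithm in Inn(SL(2, p)) becomes a projective discrete logarithm in ⟨A⟩ ⊂ GL(2, p). The eigenvalues of A lie in $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$, i.e. $\mathbb{F}_{q^d}$ with d = 2. The toy prime, the constructed key and all names are our assumptions; the brute-force logarithm stands in for baby-step giant-step or index calculus at real sizes.

```python
# Added example, not the chapter's code: recover the conjugator behind a MOR public key
# over SL(2, p) up to a scalar, then solve the projective DLP on that matrix.
P = 101                                   # toy prime (assumption)
I2 = ((1, 0), (0, 1))

def mat_mul(A, B, p=P):
    (a, b), (c, d) = A
    (e, f), (g, h) = B
    return (((a*e + b*g) % p, (a*f + b*h) % p),
            ((c*e + d*g) % p, (c*f + d*h) % p))

def mat_inv(A, p=P):
    (a, b), (c, d) = A
    di = pow((a*d - b*c) % p, -1, p)
    return ((d*di % p, -b*di % p), (-c*di % p, a*di % p))

def mat_pow(A, e, p=P):
    R = I2
    while e:
        if e & 1: R = mat_mul(R, A, p)
        A, e = mat_mul(A, A, p), e >> 1
    return R

GENS = {'12': ((1, 1), (0, 1)), '21': ((1, 0), (1, 1))}   # x12(1), x21(1) generate SL(2,p)

def inner(A, p=P):
    """How a MOR public key presents X -> A X A^{-1}: images of the two generators."""
    Ai = mat_inv(A, p)
    return {r: mat_mul(mat_mul(A, g, p), Ai, p) for r, g in GENS.items()}

def nullspace_mod_p(rows, ncols, p):
    """Basis of {x : M x = 0} over F_p by Gauss-Jordan elimination on the rows of M."""
    M, pivots = [r[:] for r in rows], []
    for col in range(ncols):
        rank = len(pivots)
        piv = next((i for i in range(rank, len(M)) if M[i][col] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, p)
        M[rank] = [v * inv % p for v in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][col] % p:
                M[i] = [(vi - M[i][col] * vr) % p for vi, vr in zip(M[i], M[rank])]
        pivots.append(col)
    basis = []
    for f in [c for c in range(ncols) if c not in pivots]:   # one vector per free column
        vec = [int(c == f) for c in range(ncols)]
        for i, pc in enumerate(pivots):
            vec[pc] = -M[i][f] % p
        basis.append(vec)
    return basis

def conjugation_rows(g, H, p=P):
    """Rows of the linear system X g = H X in the entries (x0 x1; x2 x3) of X."""
    cols = []
    for k in range(4):
        E = tuple(tuple(int(2*i + j == k) for j in range(2)) for i in range(2))
        L, R = mat_mul(E, g, p), mat_mul(H, E, p)
        cols.append([(L[i][j] - R[i][j]) % p for i in range(2) for j in range(2)])
    return [[cols[k][n] for k in range(4)] for n in range(4)]

def recover_conjugator(phi, p=P):
    """Solve X x_r(1) = phi(x_r(1)) X for both generators: the solutions are {lambda * A}."""
    rows = [row for r in GENS for row in conjugation_rows(GENS[r], phi[r], p)]
    (v,) = nullspace_mod_p(rows, 4, p)        # one-dimensional, or this unpack raises
    return ((v[0], v[1]), (v[2], v[3]))

def normalize(X, p=P):
    """Projective representative: scale so that the first nonzero entry is 1."""
    s = pow(next(v for row in X for v in row if v), -1, p)
    return tuple(tuple(v * s % p for v in row) for row in X)

def projective_dlog(B, T, p=P):
    """Smallest k with B^k = T up to scalars. Brute force is enough here since elements
    of PSL(2,p) have order at most p; at real sizes this is a DLP in F_p^* or F_{p^2}^*."""
    target, R = normalize(T, p), I2
    for k in range(p + 1):
        if normalize(R, p) == target:
            return k
        R = mat_mul(R, B, p)
    return None

def eigenvalue_field(X, p=P):
    """'F_p' if the characteristic polynomial of X splits over F_p, else 'F_{p^2}'."""
    (a, b), (c, d) = X
    disc = ((a + d) ** 2 - 4 * (a*d - b*c)) % p
    return 'F_p' if disc == 0 or pow(disc, (p - 1) // 2, p) == 1 else 'F_{p^2}'

# Constructed key: A in SL(2, P) and private exponent m; the attacker sees only PUBLIC_KEY.
A_SECRET, M_SECRET = ((2, 3), (1, 2)), 12345
PUBLIC_KEY = (inner(A_SECRET), inner(mat_pow(A_SECRET, M_SECRET)))

def attack(pub=PUBLIC_KEY, p=P):
    """From (phi, phi^m) alone: lambda*A, lambda'*A^m, the projective logarithm k, and a
    check that inner(X^k) == phi^m, i.e. k decrypts every ciphertext under this key."""
    phi, phi_m = pub
    X, X_m = recover_conjugator(phi, p), recover_conjugator(phi_m, p)
    k = projective_dlog(X, X_m, p)
    return k, eigenvalue_field(X, p), k is not None and inner(mat_pow(X, k, p), p) == phi_m
```

The exponent found is only determined modulo the projective order of A, but that is all the decryptor's m ever contributes, so it is a fully working private key. For the constructed A the discriminant of the characteristic polynomial is a non-residue modulo 101, which puts the eigenvalues, and hence the remaining logarithm, in $\mathbb{F}_{p^2}$.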

In cryptography, it is often hard to come up with theorems about the security of a cryptosystem. However, at this moment it seems likely that the security of the MOR cryptosystem in the orthogonal groups O(d, q) is that of $\mathbb{F}_{q^{d^2}}$. The way we implement this cryptosystem is by solving the word problem in generators, which presents no advantage to small characteristic, so there is no incentive to work over fields of small characteristic. In the light of Joux's [11] improvement of the index-calculus attack in small characteristic, this property of the MOR cryptosystem is remarkable.

In summary, the proposed MOR cryptosystem is totally different from the known ElGamal cryptosystems from a functional point of view: its implementation depends on Gaussian elimination and substitution (substituting a matrix for a word in generators). At the same time, we do have a concrete and tangible understanding of its security. It is clear from this work that the MOR cryptosystem over classical groups is not quantum-secure, since its security reduces to the discrete logarithm problem in a finite field. However, for other groups, like solvable groups, the answer is not known and could be a topic of further research.

#### 1.1 Structure of the chapter

This chapter is an interplay between computational group theory and public-key cryptography, in particular the MOR cryptosystem, and is thus interdisciplinary in nature. In this chapter, we study the MOR cryptosystem using the orthogonal and symplectic groups over finite fields of odd characteristic.

In Section 2, we describe the MOR cryptosystem in some detail. We emphasize that the MOR cryptosystem is a natural generalization of the classic ElGamal cryptosystem. In Section 3, we describe the orthogonal and symplectic groups and their automorphisms. In Appendix A, we describe a few new algorithms. These algorithms use row-column operations to write an element of a classical group as a word in generators, very much like the Gaussian elimination algorithm for special linear groups. These algorithms are vital to the implementation of the MOR cryptosystem and are also of independent interest in computational group theory.

#### 1.2 Notations and terminology


It was a bit hard for us to pick notations for this chapter. The notations used by a Lie group theorist are somewhat different from those of a computational group theorist. We tried to preserve the essence of the notations as much as possible. For example, a Lie group theorist will use $\mathrm{SL}_{l+1}(q)$ to denote what we denote by SL(l + 1, q) or SL(d, q). We have used ${}^{T}\!X$ to denote the transpose of the matrix $X$. This was necessary to avoid any confusion that might arise when using $X^{-1}$ and ${}^{T}\!X$ simultaneously. In this chapter, we use $K$ and $\mathbb{F}_q$ interchangeably; each of them is a finite field of odd characteristic. However, in the appendix the field $k$ is unrestricted. The matrix $t e_{ij}$ denotes the matrix unit with $t$ in the $(i, j)$th place and zero everywhere else. We will often use $x_r(t)$ as generators, a notation used in the theory of Chevalley groups. Here $r$ is shorthand for $(i, j)$, and the $x_r(t)$ are defined in Tables A1, A3, A5, and A7. We often refer to the orthogonal group as O(d, q); specifically, the split orthogonal group as $\mathrm{O}^{+}(2l, q)$ or $\mathrm{O}^{+}(2l + 1, q)$ and the twisted orthogonal group as $\mathrm{O}^{-}(2l, q)$. All other notations used are standard.

#### 2. The MOR cryptosystem

The MOR cryptosystem is a natural generalization of the classic ElGamal cryptosystem. It was first proposed by Paeng et al. [9]. To elaborate the idea behind a MOR cryptosystem, we take a slightly expository route. For the purpose of this exposition, we define the discrete logarithm problem. It is one of the most common cryptographic primitives in use. It can be posed in any cyclic (sub)group $G = \langle g \rangle$, but it is not hard in every cyclic group.

Definition 2.1 (The discrete logarithm problem). In $G = \langle g \rangle$, given $g$ and $g^m$, find $m$.

The word "find" in the above definition is a bit vague; in this chapter we mean compute $m$. The hardness of the discrete logarithm problem depends on the presentation of the group and is not invariant under isomorphism. It is believed that the discrete logarithm problem is hard in the multiplicative group of a finite field and in the group of rational points of an elliptic curve.

A more important cryptographic primitive, related to the discrete logarithm problem, is the Diffie-Hellman problem, also known as the computational Diffie-Hellman problem.

Definition 2.2 (Diffie-Hellman problem). Given $g$, $g^{m_1}$, and $g^{m_2}$, find $g^{m_1 m_2}$.

Clearly, if one can solve the discrete logarithm problem, then the Diffie-Hellman problem is solved as well. The other direction is not known.
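Two of the points above, as an added example that is not part of the chapter: the hardness of the discrete logarithm depends on the presentation, and a logarithm oracle solves Diffie-Hellman. The cyclic group of order n = p − 1 is shown once additively, as $\mathbb{Z}/n\mathbb{Z}$, where the "logarithm" is a single modular inversion, and once multiplicatively, as $\mathbb{F}_p^*$, where baby-step giant-step is used. The isomorphism $\mathbb{F}_p^* \to \mathbb{Z}/n\mathbb{Z}$ is the discrete logarithm itself, so the easy presentation cannot be reached without solving the hard one. The toy prime P = 10007, the exponents, and all names are our assumptions.

```python
import math

# Added example, not the chapter's code: one cyclic group of order n in two presentations.

def dlog_additive(g, h, n):
    """Z/nZ written additively with generator g (gcd(g, n) = 1): solving m*g = h
    is one modular inversion, so the 'logarithm' is free in this presentation."""
    return h * pow(g, -1, n) % n

def dlog_bsgs(g, h, p, n):
    """Baby-step giant-step for g^m = h in F_p^*, where n bounds the order of g:
    O(sqrt(n)) multiplications and memory instead of O(n) for exhaustive search."""
    s = math.isqrt(n) + 1
    baby, x = {}, 1
    for j in range(s):                 # baby steps: remember g^j -> j
        baby.setdefault(x, j)
        x = x * g % p
    giant, y = pow(g, -s, p), h % p    # each giant step multiplies by g^{-s}
    for i in range(s):                 # h * g^{-is} eventually equals some g^j
        if y in baby:
            return (i * s + baby[y]) % n
        y = y * giant % p
    return None

def cdh_via_dlog(g, g_a, g_b, p, n):
    """Definition 2.2 from Definition 2.1: a logarithm oracle solves Diffie-Hellman."""
    a = dlog_bsgs(g, g_a, p, n)
    return None if a is None else pow(g_b, a, p)

def compare_presentations(p=10007, g=5, m=4242):
    """Same group of order n = p - 1: sqrt(n) work multiplicatively, one inverse additively."""
    n = p - 1
    h = pow(g, m, p)
    m_mult = dlog_bsgs(g, h, p, n)              # hard side: about sqrt(n) group operations
    m_add = dlog_additive(7, 7 * m % n, n)      # easy side: additive generator 7, gcd(7, n) = 1
    return pow(g, m_mult, p) == h, m_add == m
```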

The most prolific cryptosystem in use today is the ElGamal cryptosystem. It uses a cyclic group $G = \langle g \rangle$ and is defined as follows:

#### 2.1 The ElGamal cryptosystem

A cyclic group $G = \langle g \rangle$ is public.

• Public-key: Let $g$ and $g^m$ be public.

• Private-key: The integer $m$ is private.
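The key setup above completed into the textbook ElGamal scheme that the MOR cryptosystem generalizes, as an added example that is not code from the chapter. It works in the order-q subgroup of $\mathbb{F}_p^*$ for a safe prime p = 2q + 1, with the message already encoded as a group element; a ciphertext is $(g^r, M \cdot (g^m)^r)$ and the private $m$ strips the factor $g^{rm}$. The toy parameters (p = 1019, q = 509, g = 4) and all names are our assumptions; the last function shows the classic failure mode of reusing the per-message exponent r.

```python
import random

# Added example, not the chapter's code: textbook ElGamal in the order-q subgroup of F_p^*.
# Constructed toy parameters: safe prime p = 2q + 1; 4 = 2^2 is a nonzero square, hence of order q.
P, Q, G = 1019, 509, 4

def params_ok(p=P, q=Q, g=G):
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1

def keygen(rng, p=P, q=Q, g=G):
    m = rng.randrange(1, q)                  # private key: the integer m
    return m, pow(g, m, p)                   # public key: g^m (with g, p, q public)

def encrypt(pub, M, rng, p=P, q=Q, g=G):
    """Ciphertext (g^r, M * (g^m)^r); M must already be an element of <g>."""
    assert pow(M, q, p) == 1, "encode the message into the subgroup <g> first"
    r = rng.randrange(1, q)                  # fresh for every message
    return pow(g, r, p), M * pow(pub, r, p) % p

def decrypt(m, ct, p=P):
    c1, c2 = ct
    return c2 * pow(pow(c1, m, p), -1, p) % p   # divide out g^{rm} = (g^r)^m

def roundtrip(seed=1):
    rng = random.Random(seed)
    m, pub = keygen(rng)
    M = pow(G, rng.randrange(1, Q), P)       # a message already encoded as a group element
    return decrypt(m, encrypt(pub, M, rng)) == M

def reused_r_leaks_ratio(seed=2):
    """Failure mode: one r for two messages reveals M1 / M2 without the private key."""
    rng = random.Random(seed)
    m, pub = keygen(rng)
    M1, M2 = pow(G, 17, P), pow(G, 29, P)
    r = rng.randrange(1, Q)
    c1 = (pow(G, r, P), M1 * pow(pub, r, P) % P)
    c2 = (pow(G, r, P), M2 * pow(pub, r, P) % P)
    ratio = c1[1] * pow(c2[1], -1, P) % P    # the shared g^{mr} cancels
    return ratio == M1 * pow(M2, -1, P) % P
```

The MOR cryptosystem keeps exactly this shape, with $g$ replaced by an automorphism $\phi$ and $g^m$ by $\phi^m$, both given by their action on generators; the message is then a group element and $g^{rm}$ becomes the automorphism $\phi^{rm}$ applied to it.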

