Modern Cryptography – Current Challenges and Solutions

Encryption: To encrypt a plaintext $M \in G$, pick an arbitrary integer $r \in [1, |G|]$ and compute $g^r$ and $g^{rm}$. The ciphertext is $(g^r, M g^{rm})$.

Decryption: After receiving the ciphertext $(g^r, M g^{rm})$, the user uses the private key $m$: she computes $g^{mr}$ from $g^r$ and then computes $M$.

It is well known that the hardness of the ElGamal cryptosystem is equivalent to the Diffie-Hellman problem ([12], Proposition 2.10).

In the case of the MOR cryptosystem, one works with the automorphism group of a group. An automorphism group can be defined on any algebraic structure, and subsequently a MOR cryptosystem can also be defined on that automorphism group; however, in this chapter we restrict ourselves to finite groups. Furthermore, we look at classical groups defined by generators, and at automorphisms that are defined as actions on those generators.

2.2 The MOR cryptosystem

Let $G = \langle g_1, g_2, \dots, g_s \rangle$ be a finite group. Let $\phi$ be a non-identity automorphism.

• Public-key: Let $\{\phi(g_i)\}_{i=1}^{s}$ and $\{\phi^m(g_i)\}_{i=1}^{s}$ be public.

• Private-key: The integer $m$ is private.

Encryption: To encrypt a plaintext $M \in G$, pick an arbitrary integer $r \in [1, |\phi|]$ and compute $\phi^r$ and $\phi^{rm}$. The ciphertext is $(\phi^r, \phi^{rm}(M))$.

Decryption: After receiving the ciphertext $(\phi^r, \phi^{rm}(M))$, the user knows the private key $m$. So she computes $\phi^{mr}$ from $\phi^r$ and then computes $M$.

Theorem 2.1 The hardness of breaking the above MOR cryptosystem is equivalent to the Diffie-Hellman problem in the group $\langle \phi \rangle$.

Proof. It is easy to see that if one can break the Diffie-Hellman problem, then one can compute $\phi^{mr}$ from $\phi^m$ in the public key and $\phi^r$ in the ciphertext. This breaks the system.

On the other hand, observe that the plaintext is $\phi^{-mr}(\phi^{mr}(M))$. Assume that there is an oracle that can break the MOR cryptosystem, i.e., given $\phi$, $\phi^m$ and a ciphertext $(\phi^r, g)$, it delivers $\phi^{-mr}(g)$. Now we query the oracle $s$ times with the public key and the ciphertexts $(\phi^r, g_i)$ for $i = 1, 2, \dots, s$. From the output one can easily find $\phi^{mr}(g_i)$ for $i = 1, 2, \dots, s$. So we have just witnessed that, for $\phi^m$ and $\phi^r$, one can compute $\phi^{mr}$ using the oracle. This solves the Diffie-Hellman problem.

In a practical implementation of a MOR cryptosystem, there are two things that matter the most.

a: The number of generators. As we saw, the automorphism $\phi$ is presented as an action on generators. The larger the number of generators, the bigger the size of the public key.

b: An efficient algorithm to solve the word problem. This means: given $G = \langle g_1, g_2, \dots, g_s \rangle$ and $g \in G$, is there an efficient algorithm to write $g$ as a word in $g_1, g_2, \dots, g_s$? The reason this matters is immediate: the automorphisms are presented as actions on generators, and if one has to compute $\phi(g)$, then the word problem must be solved.

3. Description of automorphisms of classical groups

This chapter studies the MOR cryptosystem for orthogonal and symplectic groups over a field of odd characteristic. As discussed above, the MOR cryptosystem is presented as an action on generators of the group; to apply an automorphism to an arbitrary element, one has to solve the word problem in that group with respect to that set of generators.

The generators and the Gaussian elimination algorithm that solves the word problem are described in Appendix A. We will be very brief here.

Let $V$ be a vector space of dimension $d$ over a field $K$ of odd characteristic, and let $\beta : V \times V \to K$ be a bilinear form. By fixing a basis of $V$ we can associate a matrix to $\beta$. We shall abuse the notation slightly and denote the matrix of the bilinear form by $\beta$ itself, so that $\beta(x, y) = {}^T x \, \beta \, y$, where $x, y$ are column vectors. We work with non-degenerate bilinear forms, which means $\det \beta \neq 0$. A symmetric or skew-symmetric bilinear form $\beta$ satisfies $\beta = {}^T\beta$ or $\beta = -{}^T\beta$, respectively.

Definition 3.1 (Orthogonal group). A square matrix $X$ of size $d$ is called orthogonal if ${}^T X \beta X = \beta$, where $\beta$ is symmetric. It is well known that the orthogonal matrices form a group, known as the orthogonal group.

Definition 3.2 (Symplectic group). A square matrix $X$ of size $d$ is called symplectic if ${}^T X \beta X = \beta$, where $\beta$ is skew-symmetric. The set of symplectic matrices forms the symplectic group.

We write the dimension of $V$ as $d = 2l + 1$ or $d = 2l$ for $l \geq 1$. We fix a basis and index it by $0, 1, \dots, l, -1, \dots, -l$ in the odd-dimensional case. In the even-dimensional case, where there are two non-degenerate symmetric bilinear forms up to equivalence, we index the basis by $1, 2, \dots, l, -1, -2, \dots, -l$ for the split form and by $1, -1, 2, \dots, l, -2, \dots, -l$ for the twisted form. We consider the non-degenerate bilinear forms $\beta$ on $V$ given by the following matrices:

a: The odd-orthogonal group. The form $\beta$ is symmetric with $d = 2l + 1$ and

$$
\beta = \begin{pmatrix} 2 & \mathbf{0} & \mathbf{0} \\ \mathbf{0} & \mathbf{0} & I_l \\ \mathbf{0} & I_l & \mathbf{0} \end{pmatrix}.
$$

b: The symplectic group. The form $\beta$ is skew-symmetric with $d = 2l$ and

$$
\beta = \begin{pmatrix} \mathbf{0} & I_l \\ -I_l & \mathbf{0} \end{pmatrix}.
$$

c: The split orthogonal group. The form $\beta$ is symmetric with $d = 2l$ and

$$
\beta = \begin{pmatrix} \mathbf{0} & I_l \\ I_l & \mathbf{0} \end{pmatrix}.
$$

c$'$: The twisted orthogonal group. The form $\beta$ is symmetric with $d = 2l$ and

$$
\beta = \begin{pmatrix}
\beta_0 & \mathbf{0} & \mathbf{0} \\
\mathbf{0} & \mathbf{0} & I_{l-1} \\
\mathbf{0} & I_{l-1} & \mathbf{0}
\end{pmatrix},
$$

where $I_l$ is the identity matrix of size $l$ over $K$ and, for a fixed non-square $\epsilon \in K$, $\beta_0 = \begin{pmatrix} 1 & 0 \\ 0 & \epsilon \end{pmatrix}$.

We now describe the automorphism group of the orthogonal and symplectic groups. This helps us in picking the right set of automorphisms for the MOR cryptosystem.

Graph automorphisms: A symmetry of Dynkin diagram induces such automorphisms. This way we get automorphisms of order 2 for SLð Þ l þ 1; K and l≥ 2 and

In the case of O(2l, q) for l ≥5, the graph automorphism is given by x↦B�<sup>1</sup>

where B is a permutation matrix obtained from identity matrix of size 2l � 2l

Theorem 3.1 (Dieudonne). Let K be a field of odd characteristic and l ≥2.

central automorphism and ι is a conjugation automorphism by elements of GOþð Þ d; K (this includes the graph automorphism of even-orthogonal groups). 3. For the group O�ð Þ d; K , any automorphism is of the form ιθ, where ι is a

1. For the group SLð Þ l þ 1; K , any automorphism is of the form ιγθ where ι is a conjugation automorphism defined by elements of GLð Þ l þ 1; K and γ is a graph

2. For the group Oþð Þ d; K , any automorphism is of the form c<sup>χ</sup> ιθ where c<sup>χ</sup> is a

4. For the group Sp 2ð Þ l; K , any automorphism is of the form ιθ where ι is a

For a proof of the above theorem, see [26], Theorems 30 and 36. In the above theorem, conjugation automorphisms are given by conjugation by elements of a larger group, and it includes the group of inner automorphisms. We introduce diagonal automorphisms to make it more precise. The conjugation automorphisms ι can be written as a product of ι<sup>g</sup> and η where ι<sup>g</sup> is an inner automorphism and η is a

Diagonal automorphisms: In the definition of the conjugating automorphism, when the conjugating element is from the similitude group but not in the group we get a diagonal automorphism. In the case of special linear groups, diagonal automorphisms are given by conjugation by diagonal elements of PGL(l + 1, q) on PGL(l + 1, q). In the case of symplectic and orthogonal groups, diagonal automorphisms are given by conjugation by corresponding diagonal group elements defined

The purpose of this section is to show that for a secure MOR cryptosystem over the classical Chevalley and twisted orthogonal groups, we have to look at automorphisms that act by conjugation like the inner automorphisms. There are other automorphisms that also act by conjugation, like the diagonal automorphism and the graph automorphism for odd-order orthogonal groups. Then we argue what is

0 ⋯ 0001 0 ⋯ 0 0 �1 0 0 ⋯ 0100 0 ⋯ �10 0 0 ⋮ ⋰⋮⋮⋮⋮ ð Þ �<sup>1</sup> <sup>l</sup>�<sup>1</sup> <sup>⋯</sup> <sup>0000</sup>

1

CCCCCCCCA

th row. This automorphism is a conjugating

xB

Oþð Þ 2l; K and l ≥4. We also get an automorphisms of order 3 for Oþð Þ 4; K . In the case of SL(d, q) for d≥3, the map x↦A�<sup>1</sup>Tx�1A, where

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663

Definition 3.3 (Orthogonal similitude group). The orthogonal similitude group is defined as the set of matrices $X$ of size $d$ given by

$$GO(d, q) = \left\{ X \in GL(d, q) \;\middle|\; {}^T X \beta X = \mu \beta,\ \mu \in \mathbb{F}_q^\times \right\},$$

where $d = 2l + 1$ or $2l$ and $\beta$ is of type a, c or c$'$, respectively.

Definition 3.4 (Symplectic similitude group). The symplectic similitude group is defined as

$$GSp(2l, q) = \left\{ X \in GL(2l, q) \;\middle|\; {}^T X \beta X = \mu \beta,\ \mu \in \mathbb{F}_q^\times \right\},$$

where $\beta$ is of type b.

Here $\mu$ depends on the matrix $X$ and is called the similitude factor. The similitude factor $\mu$ defines a group homomorphism from the similitude group to $\mathbb{F}_q^\times$; its kernel is the orthogonal group $O(d, q)$ when $\beta$ is symmetric and the symplectic group $Sp(2l, q)$ when $\beta$ is skew-symmetric, respectively ([13], Section 12). Note that the scalar matrices $\lambda I$ for $\lambda \in \mathbb{F}_q^\times$ belong to the center of the similitude groups. The similitude groups are the analogue of what $GL(d, q)$ is for $SL(d, q)$. For a discussion of the diagonal automorphisms of Chevalley groups, we need the diagonal subgroups of the similitude groups.

Definition 3.5 (Diagonal group). The diagonal groups are defined to be the groups of non-singular diagonal matrices in the corresponding similitude group, as follows: in the case of $GO(2l + 1, q)$ it is

$$\left\{ \mathrm{diag}\left( \alpha, \lambda_1, \dots, \lambda_l, \mu \lambda_1^{-1}, \dots, \mu \lambda_l^{-1} \right) \;\middle|\; \lambda_1, \dots, \lambda_l \in \mathbb{F}_q^\times,\ \alpha^2 = \mu \in \mathbb{F}_q^\times \right\},$$

and in the case of $GO(2l, q)$ and $GSp(2l, q)$ it is

$$\left\{ \mathrm{diag}\left( \lambda_1, \dots, \lambda_l, \mu \lambda_1^{-1}, \dots, \mu \lambda_l^{-1} \right) \;\middle|\; \lambda_1, \dots, \lambda_l, \mu \in \mathbb{F}_q^\times \right\}.$$
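The forms of types a, b, c and c$'$ and the similitude condition ${}^T X \beta X = \mu\beta$ of Definitions 3.3 and 3.4 can be checked mechanically. The following Python is an added example and not code from the chapter: it builds each Gram matrix in the basis order fixed above, computes the similitude factor $\mu$ of a matrix $X$ (or reports that $X$ is not a similitude), and verifies that the diagonal elements of Definition 3.5, the scalar matrices, and the permutation matrix $B$ (identity with rows $l$ and $-l$ switched) used for the graph automorphism of $O(2l, q)$ have the expected factors. The prime $p = 11$, the non-square $\epsilon = 2$ and the sample values of $\lambda_i$, $\mu$ are assumed toy inputs.

```python
# Added example (not code from the chapter): Gram matrices of types a, b, c, c' from Section 3
# over F_p (p odd) and the similitude-factor test of Definitions 3.3/3.4, used to check the
# diagonal elements of Definition 3.5. Plain Python on integer matrices mod p; p = 11 and
# epsilon = 2 (a non-square mod 11) are assumed toy values, not parameters from the chapter.

P = 11

def zeros(n):
    return [[0] * n for _ in range(n)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def scalar(c, n, p=P):
    return [[(c * int(i == j)) % p for j in range(n)] for i in range(n)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B, p=P):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]

def is_nonsquare(e, p=P):
    """Euler's criterion: e is a non-square in F_p^x iff e^((p-1)/2) = -1."""
    return pow(e % p, (p - 1) // 2, p) == p - 1

def form(kind, l, p=P, eps=2):
    """Matrix of beta in the basis order of Section 3: 0,1..l,-1..-l (type a);
    1..l,-1..-l (types b, c); 1,-1,2..l,-2..-l (type c')."""
    if kind == "a":                                 # odd orthogonal, d = 2l + 1
        B = zeros(2 * l + 1)
        B[0][0] = 2
        for i in range(l):
            B[1 + i][1 + l + i] = B[1 + l + i][1 + i] = 1
    elif kind == "b":                               # symplectic, d = 2l
        B = zeros(2 * l)
        for i in range(l):
            B[i][l + i], B[l + i][i] = 1, p - 1     # p - 1 is -1 in F_p
    elif kind == "c":                               # split orthogonal, d = 2l
        B = zeros(2 * l)
        for i in range(l):
            B[i][l + i] = B[l + i][i] = 1
    elif kind == "c'":                              # twisted orthogonal, beta_0 = diag(1, eps)
        if not is_nonsquare(eps, p):
            raise ValueError("epsilon must be a non-square in F_p")
        B = zeros(2 * l)
        B[0][0], B[1][1] = 1, eps % p
        for i in range(l - 1):
            B[2 + i][1 + l + i] = B[1 + l + i][2 + i] = 1
    else:
        raise ValueError(kind)
    return B

def similitude_factor(X, beta, p=P):
    """mu in F_p^x with ^T X beta X = mu beta, or None if X is not a similitude of beta."""
    lhs = matmul(matmul(transpose(X), beta, p), X, p)
    mu = None
    for i, row in enumerate(beta):
        for j, b in enumerate(row):
            if b == 0:                              # beta is zero here, so the product must be too
                if lhs[i][j] != 0:
                    return None
                continue
            cand = lhs[i][j] * pow(b, -1, p) % p    # candidate mu read off this entry
            if mu is None:
                mu = cand
            elif cand != mu:                        # inconsistent factor across entries
                return None
    return mu or None                               # mu = 0 would mean X is singular

def diagonal_element(kind, lambdas, mu, p=P, alpha=None):
    """An element of the diagonal group of Definition 3.5 (types a, b and c)."""
    tail = [mu * pow(lam, -1, p) % p for lam in lambdas]   # the entries mu * lambda_i^{-1}
    if kind == "a":
        if alpha is None or alpha * alpha % p != mu % p:
            raise ValueError("type a needs alpha with alpha^2 = mu")
        entries = [alpha] + list(lambdas) + tail
    else:
        entries = list(lambdas) + tail
    X = zeros(len(entries))
    for i, v in enumerate(entries):
        X[i][i] = v % p
    return X

def swap_rows(A, i, j):
    B = [row[:] for row in A]
    B[i], B[j] = B[j], B[i]
    return B

if __name__ == "__main__":
    l = 2
    print(similitude_factor(diagonal_element("b", [3, 5], 7), form("b", l)))              # 7
    print(similitude_factor(diagonal_element("a", [2, 3], 4, alpha=2), form("a", l)))     # 4
    print(similitude_factor(swap_rows(identity(2 * l), l - 1, 2 * l - 1), form("c", l)))  # 1
    print(similitude_factor(scalar(3, 2 * l), form("c'", l)))                             # 9
```

Because $\mu$ is read off every entry where $\beta$ is non-zero and checked for consistency, a matrix that preserves the form only on some coordinates is rejected rather than assigned a factor. Factor 1 is membership in the kernel $O(d, q)$ or $Sp(2l, q)$; a scalar matrix $\lambda I$ returns $\lambda^2$, and the row-swap matrix $B$ returns 1, i.e. it lies in $O^+(2l, q)$ as the text asserts.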

Conjugation by these diagonal elements produces diagonal automorphisms in the respective Chevalley groups. To build a MOR cryptosystem, we need to work with the automorphism group of Chevalley groups. In this section we describe the automorphism group of classical groups following Dieudonne [14].

Conjugation automorphisms: If $N$ is a normal subgroup of a group $G$, then the conjugation maps $n \mapsto g n g^{-1}$ for $n \in N$ and $g \in G$ are called conjugation automorphisms of $N$. In particular, both inner automorphisms and diagonal automorphisms are examples of conjugation automorphisms.

Central automorphisms: Let $\chi : G \to Z(G)$ be a homomorphism to the center of the group. Then the map $g \mapsto \chi(g)\,g$ is an automorphism of $G$, known as a central automorphism. There are no nontrivial central automorphisms for perfect groups, for example the Chevalley groups $SL(l + 1, K)$ and $Sp(2l, K)$ with $|K| \geq 4$ and $l \geq 2$. In the case of the orthogonal group, the center consists of the two elements $\{I, -I\}$, where $I$ is the identity matrix. This implies that there are at most four central automorphisms in this case.

Field automorphisms: Let f ∈ Autð Þ K . In terms of matrices, field automorphisms amount to replacing each term of the matrix by its image under f.


Graph automorphisms: A symmetry of the Dynkin diagram induces such automorphisms. This way we get automorphisms of order 2 for $SL(l + 1, K)$ with $l \geq 2$ and for $O^+(2l, K)$ with $l \geq 4$. We also get an automorphism of order 3 for $O^+(8, K)$ (the case $l = 4$).

In the case of $SL(d, q)$ for $d \geq 3$, the map $x \mapsto A^{-1}\,{}^T\!x^{-1} A$, where

$$A = \begin{pmatrix} 0 & \cdots & 0 & 0 & 0 & 1 \\ 0 & \cdots & 0 & 0 & -1 & 0 \\ 0 & \cdots & 0 & 1 & 0 & 0 \\ 0 & \cdots & -1 & 0 & 0 & 0 \\ \vdots & \ddots & \vdots & \vdots & \vdots & \vdots \\ (-1)^{l-1} & \cdots & 0 & 0 & 0 & 0 \end{pmatrix},$$

explicitly describes the graph automorphism.

In the case of $O(2l, q)$ for $l \geq 5$, the graph automorphism is given by $x \mapsto B^{-1} x B$, where $B$ is the permutation matrix obtained from the identity matrix of size $2l \times 2l$ by switching the $l$-th row and the $-l$-th row. This automorphism is a conjugating automorphism.

Theorem 3.1 (Dieudonné). Let $K$ be a field of odd characteristic and $l \geq 2$.

1. For the group $SL(l + 1, K)$, any automorphism is of the form $\iota\gamma\theta$, where $\iota$ is a conjugation automorphism defined by elements of $GL(l + 1, K)$ and $\gamma$ is a graph automorphism of the special linear group.

2. For the group $O^+(d, K)$, any automorphism is of the form $c_\chi \iota\theta$, where $c_\chi$ is a central automorphism and $\iota$ is a conjugation automorphism by elements of $GO^+(d, K)$ (this includes the graph automorphism of even-orthogonal groups).

3. For the group $O^-(d, K)$, any automorphism is of the form $\iota\theta$, where $\iota$ is a conjugation automorphism by elements of $GO^-(d, K)$.

4. For the group $Sp(2l, K)$, any automorphism is of the form $\iota\theta$, where $\iota$ is a conjugation automorphism by elements of $GSp(2l, K)$.

In all cases $\theta$ denotes a field automorphism.

For a proof of the above theorem, see [26], Theorems 30 and 36. In the above theorem, conjugation automorphisms are given by conjugation by elements of a larger group, and this includes the group of inner automorphisms. We introduce diagonal automorphisms to make this more precise: a conjugation automorphism $\iota$ can be written as a product of $\iota_g$ and $\eta$, where $\iota_g$ is an inner automorphism and $\eta$ is a diagonal automorphism.

Diagonal automorphisms: In the definition of the conjugating automorphism, when the conjugating element is from the similitude group but not from the group itself, we get a diagonal automorphism. In the case of special linear groups, diagonal automorphisms are given by conjugation by diagonal elements of $PGL(l + 1, q)$ on $PGL(l + 1, q)$. In the case of symplectic and orthogonal groups, diagonal automorphisms are given by conjugation by the corresponding diagonal group elements defined in Definition 3.5.

#### 4. Security of the proposed MOR cryptosystem

The purpose of this section is to show that for a secure MOR cryptosystem over the classical Chevalley and twisted orthogonal groups, we have to look at automorphisms that act by conjugation, like the inner automorphisms. There are other automorphisms that also act by conjugation, like the diagonal automorphisms and the graph automorphism of even-dimensional orthogonal groups. Then we argue what is the hardness of our security assumptions. We denote the split orthogonal group by $O^+(2l, q)$ and the twisted orthogonal group by $O^-(2l, q)$. From now on, $O(2l, q)$ means either the split or the twisted orthogonal group, and we will specify whenever required.


Let $\phi$ be an automorphism of one of the classical Chevalley groups $G$: $SL(l + 1, q)$, $O(2l + 1, q)$, $Sp(2l, q)$ or $O(2l, q)$. From Theorem 3.1 we know that $\phi = c_\chi \iota \eta \gamma \theta$, where $c_\chi$ is a central automorphism, $\iota$ is an inner automorphism, $\eta$ is a diagonal automorphism, $\gamma$ is a graph automorphism and $\theta$ is a field automorphism.

The group of central automorphisms is too small, and the field automorphisms reduce to a discrete logarithm in the field $\mathbb{F}_q$. So there is no benefit in using these in a MOR cryptosystem. Also, there are not many graph automorphisms in classical Chevalley and twisted orthogonal groups other than for the special linear groups and the even-dimensional orthogonal groups, and in the even-dimensional orthogonal groups these automorphisms act by conjugation. Recall here that our automorphisms are presented as actions on generators. It is clear ([6], Section 7) that if we can recover the conjugating matrix from the action on generators, the security is a discrete logarithm problem in $\mathbb{F}_{q^d}$, or else the security is a discrete logarithm problem in $\mathbb{F}_{q^{d^2}}$.

So from these we conclude that for a secure MOR cryptosystem we must look at automorphisms that act by conjugation, like the inner automorphisms. Inner automorphisms form a normal subgroup of $\mathrm{Aut}(G)$ and usually constitute the bulk of the automorphisms. If $\phi$ is an inner automorphism, say $\iota_g : x \mapsto g x g^{-1}$, we would like to determine the conjugating element $g$. For the special linear group this was done in [6]; we follow the steps there for the present situation too. However, before we do that, let us digress briefly to observe that $G \to \mathrm{Inn}(G)$ given by $g \mapsto \iota_g$ is a surjective group homomorphism. Thus if $G$ is generated by $g_1, g_2, \dots, g_s$, then $\mathrm{Inn}(G)$ is generated by $\iota_{g_1}, \dots, \iota_{g_s}$. Let $\phi \in \mathrm{Inn}(G)$. If we can find generators $g_j$, $j \in \{1, 2, \dots, s\}$, such that $\phi = \prod_j \iota_{g_j}$, then $\phi = \iota_g$ where $g = \prod_j g_j$. This implies that our problem is equivalent to solving the word problem in $\mathrm{Inn}(G)$. Note that solving the word problem depends on how the group is presented, and it is not invariant under group homomorphisms. Thus the algorithm described earlier to solve the word problem in the classical Chevalley and twisted orthogonal groups does not help us in the present case.

In what follows, we use the generators $x_r(t)$, where $r = (i, j)$, $i \neq j$, $1 \leq i, j \leq d$ for the special linear group. For the symplectic group, $r = (i, j)$ with $i, j \in \{\pm 1, \pm 2, \dots, \pm l\}$. For the even-orthogonal group, $r = (i, j)$ with $i, j \in \{\pm 1, \pm 2, \dots, \pm l\}$ and $\pm i \neq \pm j$. For the odd-orthogonal group, $r = (i, j)$ with $-l \leq i \leq l$, $j \in \{\pm 1, \pm 2, \dots, \pm l\}$ and $\pm i \neq \pm j$. These are the Chevalley generators for the Chevalley groups we are dealing with and are described in detail in Tables A1, A5, A3 and A7 in the Appendix.

#### 4.1 Reduction of security

In this subsection, we show that for special linear and symplectic groups the security of the MOR cryptosystem is the hardness of the discrete logarithm problem in $\mathbb{F}_{q^d}$. This is the same as saying that we can find the conjugating matrix up to a scalar multiple. We further show that the method that works for special linear and symplectic groups does not work for orthogonal groups.

Let $\phi$ be an automorphism that works by conjugation, i.e., $\phi = \iota_g$ for some $g$, and we try to determine $g$.

Step 1: The automorphism $\phi$ is presented as an action on the generators $x_r(t)$.

Thus $\phi(x_r(t)) = g (I + t e_r) g^{-1} = I + t\, g e_r g^{-1}$. This implies that we know $g e_r g^{-1}$ for all possible $r$. We first claim that we can determine $N = gD$ where $D$ is sparse; in fact, $D$ is diagonal in the case of special linear and symplectic groups.


In the case of special linear groups, write $g = [G_1, \dots, G_i, \dots, G_d]$, where the $G_i$ are the column vectors of $g$. Then $g e_{i,j} = [G_1, \dots, G_d]\, e_{i,j} = [0, \dots, 0, G_i, 0, \dots, 0]$, where $G_i$ is at the $j$-th place. Multiplying this with $g^{-1}$ on the right, i.e., computing $g e_{i,j} g^{-1}$, gives a rank-one matrix whose non-zero columns are all scalar multiples of $G_i$; this determines $G_i$ up to a scalar multiple $d_i$ (say). Thus we know $N = gD$ where $D = \mathrm{diag}(d_1, \dots, d_{l+1})$.

For the symplectic groups, we do the similar computation with the generators $I + t e_{i,-i}$ and $I + t e_{-i,i}$. Write $g$ in column form as $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]$. Now,

1. $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]\, e_{i,-i} = [0, \dots, 0, G_i, 0, \dots, 0]$, where $G_i$ is at the $-i$-th place. Multiplying this further with $g^{-1}$ gives us a scalar multiple of $G_i$, say $d_i G_i$.

2. $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]\, e_{-i,i} = [0, \dots, 0, G_{-i}, 0, \dots, 0]$, where $G_{-i}$ is at the $i$-th place. Multiplying this with $g^{-1}$ gives us a scalar multiple of $G_{-i}$, say $d_{-i} G_{-i}$.

Thus we get $N = gD$ where $D$ is the diagonal matrix $\mathrm{diag}(d_1, \dots, d_l, d_{-1}, \dots, d_{-l})$.

Step 2: Compute $N^{-1} \phi(x_r(t)) N = D^{-1} g^{-1}\, (g\, x_r(t)\, g^{-1})\, g D = I + t\, D^{-1} e_r D$, which is equivalent to computing $D^{-1} e_r D$.

In the case of special linear groups, $D$ is diagonal. Thus by computing $D^{-1} e_{i,j} D = d_i^{-1} d_j\, e_{i,j}$ we determine $d_i^{-1} d_j$ for $i \neq j$, form the matrix $\mathrm{diag}(1, d_2^{-1} d_1, \dots, d_{l+1}^{-1} d_1)$, and multiplying $N$ by it we get $d_1 g$. Hence we can determine $g$ up to a scalar matrix.

For symplectic groups we can do a similar computation, as $D$ is diagonal. First compute $D^{-1}(e_{i,j} - e_{-j,-i})D$ to get $d_i^{-1} d_j$ and $d_{-j}^{-1} d_{-i}$ for $i \neq j$. Now compute $D^{-1} e_{i,-i} D$ and $D^{-1} e_{-i,i} D$ to get $d_i^{-1} d_{-i}$ and $d_{-i}^{-1} d_i$. We form the matrix

$$\mathrm{diag}\left(1,\ d_2^{-1} d_1,\ \dots,\ d_l^{-1} d_1,\ d_{-1}^{-1} d_{-2} \cdot d_{-2}^{-1} d_2 \cdot d_2^{-1} d_1,\ \dots,\ d_{-l}^{-1} d_{-1} \cdot d_{-1}^{-1} d_1\right) = \mathrm{diag}\left(1,\ d_2^{-1} d_1,\ \dots,\ d_l^{-1} d_1,\ d_{-1}^{-1} d_1,\ \dots,\ d_{-l}^{-1} d_1\right),$$

each entry being a product of ratios computed above, and multiply it with $N = gD$ to get $d_1 g$. Thus we can determine $g$ up to a scalar multiple, say $ag$. Similarly we can determine $g^m$ up to a scalar multiple, say $b g^m$. Now compute $(ag)^{q-1} = g^{q-1}$ and $(b g^m)^{q-1} = (g^m)^{q-1}$, and then we can recover $m$ by solving the discrete logarithm in the matrices using Menezes and Wu's idea [15]. However, if we choose $g$ such that $g^{q-1} = 1$, then it seems that we might avoid this line of attack. We can bypass this argument by recovering the scalars $a$ and $b$; then, to determine $m$, we compute the discrete logarithm in $\langle g \rangle$ using Menezes and Wu's idea. We prove the following proposition.

Proposition 4.1 Let $g \in Sp(d, q)$ be given up to a scalar multiple $ag$, $a \in \mathbb{F}_q$. If $\gcd(d, q - 1) = 1$, we can determine the scalar $a$. Otherwise one can find the scalar $a$ by solving a discrete logarithm problem in $\mathbb{F}_q$.

Proof. We can recover the scalar $a$ as follows. Let $\{\lambda_1, \dots, \lambda_d\}$ be the set of eigenvalues of $g$; then the eigenvalues of $ag$ are $\{a\lambda_1, \dots, a\lambda_d\}$. Set $\alpha = a\lambda_1 \cdots a\lambda_d$ (that is, $\alpha = \det(ag)$); thus $\alpha = a^d$, as $\lambda_1 \cdots \lambda_d = \det(g) = 1$. Suppose $\gcd(d, q - 1) = \zeta$; using the extended Euclidean algorithm, we find $u$ and $v$ such that $ud + v(q - 1) = \zeta$. Next, computing $\alpha^u$, we get $a^{ud} = a^{\zeta - v(q-1)} = a^\zeta$. Thus, if $\gcd(d, q - 1) = 1$, then we have recovered the scalar $a$; otherwise we can recover the scalar by solving a discrete logarithm problem in $\mathbb{F}_q$.

Thus, if $\gcd(d, q - 1) = 1$, then using the above proposition we can recover the scalars $a$ and $b$ from $ag$ and $b g^m$, respectively. Otherwise one needs to solve a discrete logarithm problem in $\mathbb{F}_q$ to recover the scalars. Now we can recover $g$ and $g^m$ from $ag$ and $b g^m$ just by multiplying with the scalar matrices $a^{-1} I$ and $b^{-1} I$, respectively. Finally, we recover $m$ using Menezes and Wu's idea. Thus, if we choose $g$ such that

the hardness of our security assumptions. We denote the split orthogonal group by Oþð Þ 2l; q and twisted orthogonal group by O�ð Þ 2l; q . Now onwards O(2l,q) means either split or twisted orthogonal group and we will specify whenever required. Let ϕ be an automorphism of one of the classical Chevalley groups G: SLð Þ l þ 1; q , O 2ð Þ l þ 1; q , Sp 2ð Þ l; q , or O 2ð Þ l; q . From Theorem 3.1, we know that ϕ ¼ c<sup>χ</sup> ιηγθ where c<sup>χ</sup> is a central automorphism, ι is an inner automorphism, η is a diagonal automorphism, γ is a graph automorphism, and θ is a field automorphism. The group of central automorphisms are too small and the field automorphisms reduce to a discrete logarithm in the field Fq. So there is no benefit of using these in a MOR cryptosystem. Also there are not many graph automorphisms in classical Chevalley and twisted orthogonal groups other than special linear groups and oddorder orthogonal groups. In the odd-order orthogonal groups, these automorphisms act by conjugation. Recall here that our automorphisms are presented as action on generators. It is clear ([6], Section 7) that if we can recover the conjugating matrix from the action on generators, the security is a discrete logarithm problem in Fqd , or

qd2 .

, then Innð Þ G is gener-

, j∈f g 1; 2; …; s generators, such

. This implies that our problem is equiv-

So from these we conclude that for a secure MOR cryptosystem, we must look at automorphisms that act by conjugation, like the inner automorphisms. Inner automorphisms form a normal subgroup of Autð Þ G and usually constitute the bulk of automorphisms. If ϕ is an inner automorphism, say ι<sup>g</sup> : x↦gxg�1, we would like to determine the conjugating element g. For the special linear group, it was done in [6]. We will follow the steps there for the present situation too. However, before we do that, let us digress briefly to observe that G ! Innð Þ G given by g↦ι<sup>g</sup> is a surjective

j gj

In what follows, we will use generators xrð Þt , where r ¼ ð Þ i; j ; i 6¼ j, 1≤i, j≤d for the special linear group. For symplectic group r ¼ ð Þ i; j ; i, j∈ f g �1; �2; …; �l . For the even-orthogonal group, r ¼ ð Þ i; j ; i, j∈f g �1; �2; …; �l ; � i 6¼ �j. For the oddorthogonal group r ¼ ð Þ i; j ; � l≤ i≤l and j∈ f g �1; �2; … � l ; � i 6¼ �j. These are the Chevalley generators for the Chevalley groups we are dealing with and are

In this subsection, we show that for special linear and symplectic groups, the security of the MOR cryptosystem is the hardness of the discrete logarithm problem in Fqd . This is the same as saying that we can find the conjugating matrix up to a scalar multiple. We further show that the method that works for special linear and

Let ϕ be an automorphism that works by conjugation, i.e., ϕ ¼ ι<sup>g</sup> , for some g, and

Thus <sup>ϕ</sup>ð Þ¼ xrð Þ<sup>t</sup> g Ið Þ <sup>þ</sup> ter <sup>g</sup>�<sup>1</sup> <sup>¼</sup> <sup>I</sup> <sup>þ</sup> tger <sup>g</sup>�1. This implies that we know ger <sup>g</sup>�<sup>1</sup> for all possible r. We first claim that we can determine N = gD where D is sparse, in fact,

Step 1: The automorphism ϕ is presented as action on generators xrð Þt .

alent to solving the word problem in Innð Þ G . Note that solving word problem depends on how the group is presented and it is not invariant under group homomorphisms. Thus the algorithm described earlier to solve the word problem in the classical Chevalley and twisted orthogonal groups does not help us in the present

else the security is a discrete logarithm problem in F

Modern Cryptography – Current Challenges and Solutions

group homomorphism. Thus if G is generated by g1, g2, …, gs

, then <sup>ϕ</sup> <sup>¼</sup> <sup>ι</sup><sup>g</sup> where <sup>g</sup> <sup>¼</sup> <sup>Q</sup>

. Let ϕ∈ Innð Þ G . If we can find gj

described in details in Tables A1, A5, A3, and A7 in the Appendix.

symplectic groups does not work for orthogonal groups.

diagonal in the case of special linear and symplectic groups.

ated by ι<sup>g</sup><sup>1</sup>

case.

that <sup>ϕ</sup> <sup>¼</sup> <sup>Q</sup>

, …, ιgs

j ιgj

4.1 Reduction of security

we try to determine g.

92

<sup>g</sup>q�<sup>1</sup> <sup>¼</sup> 1 and gcdð Þ <sup>d</sup>; <sup>q</sup> � <sup>1</sup> 6¼ 1, then to solve the discrete logarithm in h i <sup>ϕ</sup> , one needs to solve the discrete logarithm in F<sup>q</sup> and Fqd .
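Proposition 4.1 in executable form, as an added example that is not the chapter's own code. The matrix g below is a constructed element of SL(d, q), built as a product of transvections so that det g = 1 (the only property the proof uses); q = 103 is a constructed sample prime, and the names `det_mod`, `egcd`, `recover_scalar` and `candidates` are this example's own. With d = 5 we have gcd(5, 102) = 1 and the scalar a is recovered outright; with d = 4, gcd(4, 102) = 2 and only $a^2$ is determined, which leaves ζ = 2 candidates for a, the discrete-logarithm case of the proposition.

```python
# Proposition 4.1: recover the scalar a from ag when det g = 1.
# Added example (not the chapter's code). Sample values are constructed:
# Q = 103 is the field size and g is a product of transvections (det g = 1).

Q = 103

def identity(n):
    return [[int(r == c) for c in range(n)] for r in range(n)]

def matmul(A, B, q=Q):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) % q for c in range(n)]
            for r in range(n)]

def transvection(d, i, j, t, q=Q):
    """I + t e_{i,j} (0-based positions, i != j): determinant 1."""
    m = identity(d)
    m[i][j] = t % q
    return m

def sample_g(d, q=Q):
    """Constructed g in SL(d, q), d >= 3: a product of transvections."""
    g = identity(d)
    for i, j, t in [(0, 1, 5), (1, 2, 7), (2, 0, 11), (0, d - 1, 3), (d - 1, 1, 2)]:
        g = matmul(g, transvection(d, i, j, t, q), q)
    return g

def scale(m, a, q=Q):
    """What the reduction of Section 4.1 actually yields: ag instead of g."""
    return [[a * x % q for x in row] for row in m]

def det_mod(m, q=Q):
    """Determinant over F_q by Gaussian elimination; a row swap flips the sign."""
    a = [row[:] for row in m]
    n, det = len(a), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] % q), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            det = -det
        det = det * a[c][c] % q
        inv = pow(a[c][c], -1, q)
        for r in range(c + 1, n):
            f = a[r][c] * inv % q
            a[r] = [(x - f * y) % q for x, y in zip(a[r], a[c])]
    return det % q

def egcd(a, b):
    """Extended Euclid: (zeta, u, v) with u*a + v*b = zeta = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    z, u, v = egcd(b, a % b)
    return z, v, u - (a // b) * v

def recover_scalar(ag, q=Q):
    """alpha = det(ag) = a^d det(g) = a^d.  With u*d + v*(q-1) = zeta,
    alpha^u = a^(zeta - v(q-1)) = a^zeta.  Returns (zeta, a^zeta); when
    zeta == 1 the second component is a itself."""
    d = len(ag)
    alpha = det_mod(ag, q)
    zeta, u, _ = egcd(d, q - 1)
    return zeta, pow(alpha, u % (q - 1), q)

def candidates(ag, q=Q):
    """All a in F_q^* consistent with the recovered a^zeta: exactly zeta values
    when zeta > 1, which is where the proposition falls back to a discrete
    logarithm in F_q to single out a."""
    zeta, a_zeta = recover_scalar(ag, q)
    return [a for a in range(1, q) if pow(a, zeta, q) == a_zeta]
```

`recover_scalar(scale(sample_g(5), 42))` returns `(1, 42)`, while for d = 4 it returns ζ = 2 together with $42^2 \bmod 103$, and `candidates` lists both square roots, 42 and 61.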

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663

However, in the case of orthogonal groups, we show that one cannot recover g up to a diagonal matrix using the above approach, and hence the above reduction attack does not work.

Theorem 4.1 Let g ∈ GO(d, q). Consider the conjugation automorphism ϕ: O(d, q) → O(d, q). Let $\{x_r\}$ be a set of Chevalley generators of O(d, q) described in Appendix A. Suppose that the public key is presented as the action of ϕ on $\{x_r\}$; then it is impossible to recover a matrix gD, where D is a diagonal matrix, using the above reduction.

Proof. We prove the theorem for $O^{+}(d, q)$, d even, and the theorem follows for the other cases similarly. Let d = 2l and write g in column form as $g = [C_1, \dots, C_l, C_{-1}, \dots, C_{-l}]$. We compute $ge_rg^{-1}$, which gives the following equations:

1. Note that $g(e_{i,j} - e_{-j,-i})g^{-1} = [0, \dots, 0, C_i, 0, \dots, 0, C_{-j}, 0, \dots, 0]\,g^{-1}$, where $C_i$ is at the jth place and $C_{-j}$ is at the −ith place. After multiplying by $g^{-1}$, we get a matrix whose columns are all linear combinations of the columns $C_i$ and $C_{-j}$.
2. Note that $g(e_{i,-j} - e_{j,-i})g^{-1} = [0, \dots, 0, C_i, 0, \dots, 0, C_j, 0, \dots, 0]\,g^{-1}$, where $C_i$ is at the −jth place and $C_j$ is at the −ith place. After multiplying by $g^{-1}$, we get a matrix whose columns are all linear combinations of the columns $C_i$ and $C_j$.
3. Note that $g(e_{-i,j} - e_{-j,i})g^{-1} = [0, \dots, 0, C_{-i}, 0, \dots, 0, C_{-j}, 0, \dots, 0]\,g^{-1}$, where $C_{-i}$ is at the jth place and $C_{-j}$ is at the ith place. After multiplying by $g^{-1}$, we get a matrix whose columns are all linear combinations of the columns $C_{-i}$ and $C_{-j}$.

Suppose one can construct a matrix B from the columns obtained above such that B = gD, where D is diagonal; then we can see that $d_iC_i = a_iC_j + b_jC_k$ for some i, j, k, which is a contradiction as det(g) ≠ 0. Thus, it is not possible to construct a matrix B such that B = gD, where D is diagonal.

This conclusively proves that the attack on the special linear groups and symplectic groups will not work for most orthogonal groups.

For orthogonal groups, the best we can do is the following: We can construct N such that $N = g(D_1 + PD_2)$, where $D_1$ and $D_2$ are diagonal and P is a permutation matrix. We demonstrate the construction of N in the case of a split orthogonal group $O^{+}(2l, q)$; a similar construction works for the other cases as well. Computing $ge_rg^{-1}$ gives the following equations:

1. $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]\,(e_{i,j} - e_{-j,-i})\,g^{-1} = [0, \dots, 0, G_i, 0, \dots, 0, G_{-j}, 0, \dots, 0]\,g^{-1}$, where $G_i$ is at the jth place and $G_{-j}$ is at the −ith place. This gives us a linear combination of the columns $G_i$ and $G_{-j}$.
2. $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]\,(e_{i,-j} - e_{j,-i})\,g^{-1} = [0, \dots, 0, G_i, 0, \dots, 0, G_j, 0, \dots, 0]\,g^{-1}$, where $G_i$ is at the −jth place and $G_j$ is at the −ith place. This gives us a linear combination of the columns $G_i$ and $G_j$.
3. $[G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]\,(e_{-i,j} - e_{-j,i})\,g^{-1} = [0, \dots, 0, G_{-i}, 0, \dots, 0, G_{-j}, 0, \dots, 0]\,g^{-1}$, where $G_{-i}$ is at the jth place and $G_{-j}$ is at the ith place. This gives us a linear combination of the columns $G_{-i}$ and $G_{-j}$.

We construct a matrix N as follows: For each i = 1, …, l − 1, compute $g(I + e_{i,i+1} - e_{-(i+1),-i})g^{-1} - I$, each of whose columns is a linear combination of $C_i$ and $C_{-(i+1)}$. Choose one of its columns, say $r_iC_i + s_iC_{-(i+1)}$, for each i = 1, …, l − 1. Similarly compute $g(I + e_{i+1,i} - e_{-i,-(i+1)})g^{-1} - I$ and choose $r_{-i}C_{-i} + s_{-i}C_{i+1}$ for each i = 1, …, l − 1. Further, we compute $g(I + e_{1,-l} - e_{l,-1})g^{-1} - I$ to get $r_lC_l + s_lC_1$, and $g(I + e_{-1,l} - e_{-l,1})g^{-1} - I$ to get $r_{-l}C_{-l} + s_{-l}C_{-1}$. We set

$$N = \left[\,r_1C_1 + s_1C_{-2},\ \dots,\ r_{l-1}C_{l-1} + s_{l-1}C_{-l},\ r_lC_l + s_lC_1,\ r_{-1}C_{-1} + s_{-1}C_2,\ \dots,\ r_{-(l-1)}C_{-(l-1)} + s_{-(l-1)}C_l,\ r_{-l}C_{-l} + s_{-l}C_{-1}\,\right].$$

Now it is easy to note that $N = g(D_1 + PD_2)$, where $D_1 = \mathrm{diag}(r_1, \dots, r_l, r_{-1}, \dots, r_{-l})$, $D_2 = \mathrm{diag}(s_1, \dots, s_l, s_{-1}, \dots, s_{-l})$, and P is the permutation matrix corresponding to the permutation of the indexing set

$$1 \to -2 \to 3 \to -4 \to \cdots \to l-1 \to -l \to -1 \to 2 \to -3 \to 4 \to \cdots \to -(l-1) \to l \to 1.$$

Thus we get $N = g(D_1 + PD_2)$, where $D_1$ and $D_2$ are diagonal and P is a permutation matrix. This is not a diagonal matrix. One can do a similar computation for the odd-orthogonal group and the twisted orthogonal group as well.

Remark 4.1 An observant reader would ask: why does this attack work for the special linear and symplectic groups but not for the orthogonal groups? The answer lies in a closer look at the generators (elementary matrices) of these groups.

In the special linear groups, the generators are the elementary transvections of the form $I + te_{i,j}$, where i ≠ j and $t \in \mathbb{F}_q$. Then the attack goes through smoothly, as we saw earlier. However, when we look at generators of the form $I + te_{i,j} - te_{-j,-i}$, where $t \in \mathbb{F}_q$ and i ≠ j, conjugating them gives us a linear combination of the ith and jth columns, not a scalar multiple of one particular column. This stops the attack from going forward. However, in the symplectic groups there are generators of the form $I + e_{i,-i}$ and $I + e_{-i,i}$ for 1 ≤ i ≤ l. These generators make the attack possible for the symplectic groups. There are no such generators for the orthogonal groups, and so this attack turns out to be impossible for orthogonal groups.
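The column structure behind Theorem 4.1 and Remark 4.1, checked numerically, as an added example that is not the chapter's own code. It conjugates the three shapes of generator matrix $e_r$ discussed above (a transvection $e_{i,j}$, a symplectic $e_{i,-i}$, and $e_{i,j} - e_{-j,-i}$) by a matrix g and classifies the columns of $ge_rg^{-1}$: either every nonzero column is a multiple of a single column of g, which is what lets the reduction assemble N = gD, or the columns only lie in the span of two columns of g, which is the obstruction of the theorem. The claims are linear algebra valid for any invertible g, so g is a constructed invertible matrix over $\mathbb{F}_{31}$ (a product of transvections, whose inverse is the reversed product of inverse transvections) rather than an element of a particular classical group; the prime, the rank l = 3 and the function names are this example's assumptions.

```python
# Remark 4.1 / Theorem 4.1: what g e_r g^{-1} reveals about the columns of g.
# Added example, not the chapter's code.  P and L are constructed sample values;
# g is any invertible matrix (built from transvections so g^{-1} is known).

P = 31
L = 3          # rank l: matrices are 2l x 2l, basis indexed 1..l, -1..-l

def pos(k, l=L):
    """Position of basis index k in the ordering 1, ..., l, -1, ..., -l."""
    return k - 1 if k > 0 else l - k - 1

def identity(n):
    return [[int(r == c) for c in range(n)] for r in range(n)]

def matmul(A, B, p=P):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) % p for c in range(n)]
            for r in range(n)]

def column(m, c):
    return [row[c] for row in m]

def generator(kind, i, j, l=L, p=P):
    """The matrix e_r behind the three generator shapes of Remark 4.1:
    'transvection' -> e_{i,j}              (special linear groups)
    'long'         -> e_{i,-i}             (symplectic groups only)
    'short'        -> e_{i,j} - e_{-j,-i}  (symplectic and orthogonal groups)"""
    m = [[0] * (2 * l) for _ in range(2 * l)]
    if kind == 'transvection':
        m[pos(i, l)][pos(j, l)] = 1
    elif kind == 'long':
        m[pos(i, l)][pos(-i, l)] = 1
    elif kind == 'short':
        m[pos(i, l)][pos(j, l)] = 1
        m[pos(-j, l)][pos(-i, l)] = p - 1
    else:
        raise ValueError(kind)
    return m

def sample_g(l=L, p=P):
    """Constructed invertible g together with g^{-1}."""
    n = 2 * l
    g, ginv = identity(n), identity(n)
    steps = [(a, (a + 1) % n, a + 2) for a in range(n)] + [(0, n // 2, 3), (n - 1, 1, 5)]
    for a, b, t in steps:
        x, xinv = identity(n), identity(n)
        x[a][b], xinv[a][b] = t % p, (-t) % p
        g, ginv = matmul(g, x, p), matmul(xinv, ginv, p)
    return g, ginv

def multiple_of(v, c, p=P):
    """Is the column v a scalar multiple of the nonzero column c?"""
    k = next(idx for idx, x in enumerate(c) if x)
    s = v[k] * pow(c[k], -1, p) % p
    return all((s * x - y) % p == 0 for x, y in zip(c, v))

def in_span(v, c1, c2, p=P):
    """Is v = s*c1 + u*c2 for some s, u in F_p?  (Brute force; p is small.)"""
    return any(all((s * x + u * y - z) % p == 0 for x, y, z in zip(c1, c2, v))
               for s in range(p) for u in range(p))

def column_structure(kind, i, j, l=L, p=P):
    """Classify the nonzero columns of g e_r g^{-1}, which is known from the
    action of the automorphism on x_r(t) = I + t e_r:
      'single' -> every column is a multiple of one column of g (N = gD reachable)
      'pair'   -> columns only lie in the span of two columns of g (Theorem 4.1)"""
    g, ginv = sample_g(l, p)
    conj = matmul(matmul(g, generator(kind, i, j, l, p), p), ginv, p)
    cols = [column(conj, c) for c in range(2 * l) if any(column(conj, c))]
    a, b = {'transvection': (i, j), 'long': (i, -i), 'short': (i, -j)}[kind]
    Ca, Cb = column(g, pos(a, l)), column(g, pos(b, l))
    if all(multiple_of(v, Ca, p) for v in cols) or all(multiple_of(v, Cb, p) for v in cols):
        return 'single'
    if all(in_span(v, Ca, Cb, p) for v in cols):
        return 'pair'
    return 'neither'
```

`column_structure('transvection', 1, 2)` and `column_structure('long', 2, 2)` return `'single'`, while `column_structure('short', 1, 2)` returns `'pair'`: every column of $g(e_{1,2} - e_{-2,-1})g^{-1}$ is a combination of $C_1$ and $C_{-2}$, and because g is invertible at least one of them involves both, so no single column of g can be read off.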

#### 5. The case for two-generators and prime fields

One serious objection against a MOR cryptosystem is the size of the key ([10], Section 7). The reason is that in a MOR cryptosystem, the automorphisms are presented as action on generators. Now, the bigger the number of generators, the larger the key size.

On the other hand, many of the finite simple groups can be generated by two elements. However, a set of generators is not enough. We must be able to compute the image of an arbitrary element. When the automorphism is presented as action on generators, we need an efficient solution to the word problem in order to do that. We have demonstrated in Appendix A that there is one set of generators, the elementary matrices, for which the word problem is easy.

The theme of this section is that for symplectic and even-order split orthogonal groups there are two generators, and for the odd-orthogonal group there are three generators. Over the prime field of odd characteristic, one can easily compute the word corresponding to the elementary matrices for these generators.

So one can present the automorphisms ϕ and $\phi^m$ as action on these few generators and then compute the action of these automorphisms on the elementary matrices later. This substantially reduces the key size. To do this we use the technique of straight-line programs (SLPs), which is popular in computational group theory. These are programs, but in practice they are actually easy-to-use formulas. Say, for example, we want to compute $x_{i,j}(t)$ for some $t \in \mathbb{F}_q$. We have loaded the matrices $w^{i-1}x_{1,2}(\cdot)w^{-(i-1)}$ in the memory in such a way that this formula takes as input t, puts it in the (1, 2) position of the matrix $x_{1,2}(\cdot)$, and does the matrix multiplication. This is one straight-line program. Since these programs are loaded in the memory, computation is much faster. This is somewhat similar to a time-memory trade-off. We have built a series of these straight-line programs, where one straight-line program can use other straight-line programs, and have written down the length of these programs. The length is nothing but the number of matrices in the formula.

Using the symplectic group in the MOR cryptosystem is straightforward. However, using orthogonal groups is a little tricky because of the presence of λ in the output of the Gaussian elimination algorithm (see Section A.2.3). It is well known that the elementary matrices, without the row-interchange matrices $w_i$, generate Ω, the commutator subgroup of an orthogonal group. However, in between the commutator subgroup and the whole group, there is another important subgroup, $W\Omega = \langle \Omega, w_i \rangle$ for some i. From the algorithmic point of view, it is the subgroup of all the matrices for which the λ is a square. Now, once the λ is a square and we can efficiently compute the square root, we can write this matrix down as a product of elementary matrices, and it is easy to implement in the MOR cryptosystem. It is well known that if p ≡ 3 (mod 4), then it is easy to compute the square root. Only for this reason, in the latter part of this section and for orthogonal groups, we concentrate on p ≡ 3 (mod 4).

#### 5.1 Symplectic group Sp(2l, p)

Let p be an odd prime. It is known [16] that the group Sp(2l, p) is generated by two elements:

$$x = x_{1,2}(1), \tag{1}$$

$$w = \begin{pmatrix} 0 & 1 \\ -I_{2l-1} & 0 \end{pmatrix}. \tag{2}$$

We will refer to these two elements as Steinberg generators. However, in the context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets: Steinberg generators and elementary matrices (see Table A3). To write w as a product of elementary matrices is easy: just put this generator through our Gaussian elimination algorithm. Here we demonstrate the other way round, that is, how to write elementary matrices as a product of x and w. In what follows, we denote the length of SLPs by L(δ, i), where δ = j − i and 1 ≤ i < j ≤ l.

$$\begin{array}{lll}\delta=1, & x_{i,j}(t) = & w^{i-1}x_{1,2}(t)w^{-(i-1)},\\ \delta=2, & x_{i,j}(t) = & [x_{i,j-1}(t),\ x_{j-1,j}(1)],\\ \delta=3, & x_{i,j}(t) = & [x_{i,j-1}(t),\ x_{j-1,j}(1)],\\ \vdots & \vdots & \vdots\\ \delta=l-1, & x_{i,j}(t) = & [x_{i,j-1}(t),\ x_{j-1,j}(1)].\end{array}$$

Here

$$L(\delta, i) = \begin{cases} 2i - 1 & \text{for } \delta = 1, \\ 2L(\delta - 1, i) + 4(i + \delta) - 6 & \text{for } \delta = 2, 3, \dots, l - 1. \end{cases}$$

Now $w^l = (-1)^{l-1}\begin{pmatrix} 0 & I_l \\ -I_l & 0 \end{pmatrix}$ and $x_{j,i}(t) = w^l x_{i,j}(-t) w^{-l}$, so the length of this SLP is L(δ, i) + 2l. Hence we get all $x_{i,j}(t)$ for 1 ≤ i ≠ j ≤ l. The number of SLPs is l. Next observe the following:

| Elements | Indices | Equation | Length |
|---|---|---|---|
| $x_{1,-l}(t)$ | | $w\,x_{l-1,l}(t)\,w^{-1}$ | $2l - 1$ |
| $x_{1,-i}(t)$ | $2 \le i \le l - 1$ | $[x_{i,l}(t),\ x_{1,-l}(1)]$ | $2(L(l-i, i) + 2l - 1)$ |
| $x_{i,-j}(t)$ | $2 \le i \le l - 1$, $i + 1 \le j \le l$ | $[x_{i,1}(t),\ x_{1,-j}(1)]$ | $2(L(i-1, 1) + 4l - 1)$ for $j = l$; $2(L(i-1, 1) + 2L(l-j, j) + 6l - 2)$ for $j \ne l$ |
| $x_{i,-i}(t)$ | $i = 1, 2, \dots, l - 1$ | $[x_{i,i+1}(t),\ x_{i,-(i+1)}(1)]$ | $2(2L(l-2, 1) + 10l - 5)$ for $i = l - 1$; $2(L(1, i) + 2L(i-1, 1) + 4L(l-(i+1), i+1) + 12l - 4)$ for $i \ne l - 1$ |
| $x_{l,-l}(t)$ | | $[x_{l,l-1}(t),\ x_{l-1,-l}(1)]$ | $2(2L(l-2, 1) + 12l - 5)$ |

So we generate all $x_{i,-j}(t)$ for 1 ≤ i < j ≤ l and $x_{i,-i}(t)$ for 1 ≤ i ≤ l. Now $w^l x_{i,-j}(t) w^{-l} = x_{-i,j}(t)$ for 1 ≤ i < j ≤ l and $w^l x_{i,-i}(t) w^{-l} = x_{-i,i}(t)$ for 1 ≤ i ≤ l, so we get $x_{-i,j}(t)$ and $x_{-i,i}(t)$. The total number of SLPs is l + (3 + 1) + (2 + 1) = l + 7. Hence we generate all the elementary matrices (Table A3) using only the two generators x and w. Hence Sp(2l, p) is generated by only two generators x and w.
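The δ-table, the length recursion L(δ, i) and the $w^l$ transposition trick of this subsection, carried out on actual matrices, as an added example that is not the chapter's own code. A straight-line program is represented as a word whose tokens are the loaded matrices $x_{1,2}(\cdot)$, w and $w^{-1}$, so the word length is exactly the SLP length of the text; each word is multiplied out over $\mathbb{F}_p$ and compared with the elementary matrix it is supposed to produce. The convention $x_{i,j}(t) = I + t(e_{i,j} - e_{-j,-i})$ for positive i ≠ j is the one quoted in Remark 4.1, with the basis ordered 1, …, l, −1, …, −l; w is the matrix of equation (2); p = 7 and l = 3 are constructed sample values, and the function names are this example's own. Only the relations for $x_{i,j}(t)$ with 1 ≤ i ≠ j ≤ l are exercised; the table for $x_{i,-j}(t)$ depends on the sign conventions of Table A3, which are not reproduced here.

```python
# Straight-line programs for Sp(2l, p) from the Steinberg generators x = x_{1,2}(1)
# and w of equations (1)-(2).  Added example, not the chapter's code.  Assumed
# convention: x_{i,j}(t) = I + t(e_{i,j} - e_{-j,-i}) for 1 <= i != j <= l, basis
# ordered 1..l, -1..-l.  A word is a list of tokens, one loaded matrix each.

P = 7   # constructed sample prime
L = 3   # constructed sample rank

def pos(k, l):
    """Position of basis index k in the ordering 1, ..., l, -1, ..., -l."""
    return k - 1 if k > 0 else l - k - 1

def identity(n):
    return [[int(r == c) for c in range(n)] for r in range(n)]

def matmul(A, B, p):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) % p for c in range(n)]
            for r in range(n)]

def x_ij(i, j, t, l=L, p=P):
    """Elementary matrix x_{i,j}(t) = I + t(e_{i,j} - e_{-j,-i}), 1 <= i != j <= l."""
    m = identity(2 * l)
    m[pos(i, l)][pos(j, l)] = t % p
    m[pos(-j, l)][pos(-i, l)] = (-t) % p
    return m

def w_matrix(l=L, p=P):
    """Equation (2): w e_k = -e_{k+1} for k < 2l and w e_{2l} = e_1."""
    n = 2 * l
    m = [[0] * n for _ in range(n)]
    m[0][n - 1] = 1
    for k in range(n - 1):
        m[k + 1][k] = p - 1
    return m

def w_inverse(l=L, p=P):
    """w is a signed permutation matrix, so w^{-1} = w^T."""
    return [list(col) for col in zip(*w_matrix(l, p))]

# Tokens: ('x', t) stands for x_{1,2}(t), ('w', e) for w^e with e = +1 or -1.

def invert_word(word):
    """x_{1,2}(t)^{-1} = x_{1,2}(-t) and (w^e)^{-1} = w^{-e}, in reverse order."""
    return [(g, -a) for g, a in reversed(word)]

def commutator(u, v):
    """[u, v] = u v u^{-1} v^{-1}; its length is 2(len(u) + len(v))."""
    return u + v + invert_word(u) + invert_word(v)

def slp(i, j, t, l=L):
    """The delta-table of Section 5.1: a word for x_{i,j}(t), 1 <= i < j <= l."""
    if j - i == 1:
        return [('w', 1)] * (i - 1) + [('x', t)] + [('w', -1)] * (i - 1)
    return commutator(slp(i, j - 1, t, l), slp(j - 1, j, 1, l))

def slp_transposed(i, j, t, l=L):
    """x_{j,i}(t) = w^l x_{i,j}(-t) w^{-l}: 2l extra matrices."""
    return [('w', 1)] * l + slp(i, j, -t, l) + [('w', -1)] * l

def evaluate(word, l=L, p=P):
    """Multiply out a word using the three loaded matrices x_{1,2}(.), w, w^{-1}."""
    w, winv = w_matrix(l, p), w_inverse(l, p)
    m = identity(2 * l)
    for g, a in word:
        factor = x_ij(1, 2, a, l, p) if g == 'x' else (w if a == 1 else winv)
        m = matmul(m, factor, p)
    return m

def length_formula(delta, i):
    """L(delta, i) of the text: 2i - 1 for delta = 1, else 2L(delta-1, i) + 4(i+delta) - 6."""
    if delta == 1:
        return 2 * i - 1
    return 2 * length_formula(delta - 1, i) + 4 * (i + delta) - 6

def check_all(l=L, p=P, t=3):
    """Every x_{i,j}(t), 1 <= i != j <= l, equals its SLP, with the predicted length."""
    for i in range(1, l + 1):
        for j in range(i + 1, l + 1):
            word = slp(i, j, t, l)
            if evaluate(word, l, p) != x_ij(i, j, t, l, p) or len(word) != length_formula(j - i, i):
                return False
            word = slp_transposed(i, j, t, l)
            if evaluate(word, l, p) != x_ij(j, i, t, l, p) or len(word) != length_formula(j - i, i) + 2 * l:
                return False
    return True
```

`check_all()` returns `True`; for instance `slp(1, 3, 2)` is the commutator of $x_{1,2}(2)$ (one matrix) with $w\,x_{1,2}(1)\,w^{-1}$ (three matrices), eight matrices in all, which is L(2, 1) = 2L(1, 1) + 4·3 − 6 = 8, and its transposed variant needs 8 + 2l = 14.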

#### 5.2 Split orthogonal group O⁺(2l, p)

Let p ≡ 3 (mod 4) be a prime. It is known [16] that the group $O^{+}(2l, p)$ is generated by two elements:

$$x = x_{1,2}(1), \tag{3}$$

$$w = \left(\begin{array}{ccc|ccc} 0 & \cdots & 0 & 0 & \cdots & 1 \\ -1 & \cdots & 0 & 0 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ \cdots & -1 & 0 & 0 & \cdots & 0 \\ \hline 0 & \cdots & 1 & 0 & \cdots & 0 \\ 0 & \cdots & 0 & -1 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ 0 & \cdots & 0 & \cdots & -1 & 0 \end{array}\right). \tag{4}$$

We will refer to these two elements as Steinberg generators. As we discussed earlier, in the context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets: Steinberg generators and elementary matrices (Table A1). To write w as a product of elementary matrices is easy: just put this generator through our Gaussian elimination algorithm. Here we demonstrate the other way round, that is, how to write elementary matrices as a product of x and w. In what follows, we denote the length of SLPs by L(δ, i), where δ = j − i and 1 ≤ i < j ≤ l.

$$x = x_{0,1}(1), \tag{5}$$

w = (6)

$$w_l = I - e_{l,l} - e_{-l,-l} + e_{l,-l} + e_{-l,l}. \tag{7}$$

Now

and xi,0ðÞ¼ <sup>t</sup> <sup>w</sup><sup>l</sup>

Here

Lð Þ¼ δ; i

Next observe the following:

xi,�<sup>j</sup>ð Þt 2 ≤i≤l � 1

99

ð Þ i þ 1≤j ≤l

As xj,iðÞ¼ <sup>t</sup> <sup>w</sup><sup>l</sup>

�

xi,jð Þ �<sup>t</sup> <sup>w</sup>�<sup>l</sup>

Elements Indices Equation (SLP) Length <sup>x</sup>1,�<sup>l</sup>ð Þ<sup>t</sup> wxl�1,lð Þ<sup>t</sup> <sup>w</sup>�<sup>1</sup> <sup>6</sup><sup>l</sup> <sup>þ</sup> <sup>6</sup> x1,�<sup>i</sup>ð Þt 2≤i ≤l � 1 xi,l ½ � ð Þt ; x1,�<sup>l</sup>ð Þ1 24l þ 20

Lð Þ δ; i , where δ ¼ j � i and 1≤i , j≤ l.

0

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm…

B@

<sup>w</sup><sup>l</sup> ¼ �ð Þ<sup>1</sup> <sup>l</sup>

we get xi,0ð Þ<sup>t</sup> and <sup>x</sup>0,ið Þ<sup>t</sup> for <sup>i</sup> <sup>¼</sup> <sup>1</sup>, <sup>2</sup>, …, l. Again we have <sup>x</sup>1,2ðÞ¼ <sup>t</sup> <sup>x</sup>1,<sup>0</sup> <sup>t</sup>

⋮⋮ ⋮

�10 0 0 0 �1 0 �I2l�<sup>1</sup> 0

We will refer these three elements as Steinberg generators. However in context

1

CA

<sup>x</sup>0,ið Þ �<sup>t</sup> <sup>w</sup>�<sup>l</sup> for 1≤<sup>i</sup> <sup>≤</sup>l, and length of this SLP is 2<sup>l</sup> <sup>þ</sup> <sup>2</sup><sup>i</sup> � 1. So

0

B@

and length of this SLP is 4l þ 8. In what follows, we denote the length of SLPs by

<sup>δ</sup> <sup>¼</sup> <sup>1</sup>, xi,jðÞ¼ <sup>t</sup> <sup>w</sup><sup>i</sup>�<sup>1</sup>x1, <sup>2</sup>ð Þ<sup>t</sup> <sup>w</sup>�ð Þ <sup>i</sup>�<sup>1</sup> , <sup>δ</sup> <sup>¼</sup> <sup>2</sup>, xi,jðÞ¼ <sup>t</sup> xi,j�<sup>1</sup>ð Þ<sup>t</sup> ; xj�1,jð Þ<sup>1</sup> � �, <sup>δ</sup> <sup>¼</sup> <sup>3</sup>, xi,jðÞ¼ <sup>t</sup> xi,j�<sup>1</sup>ð Þ<sup>t</sup> ; xj�1,jð Þ<sup>1</sup> � �,

<sup>δ</sup> <sup>¼</sup> <sup>l</sup> � <sup>1</sup>, xi,jðÞ¼ <sup>t</sup> xi,j�<sup>1</sup>ð Þ<sup>t</sup> ; xj�1,jð Þ<sup>1</sup> � �:

2i þ 4l þ 6 for δ ¼ 1,

generate all xi,jð Þt for 1≤ i 6¼ j≤l and the number of SLPs is 3 þ ð Þþ l � 1 1 ¼ l þ 3.

2Lð Þþ δ � 1; i 4ð Þ i þ δ þ 2l þ 2 for δ ¼ 2, 3, …, l � 1:

xi, <sup>1</sup>ð Þ<sup>t</sup> ; <sup>x</sup>1,�<sup>j</sup>ð Þ<sup>1</sup> � � <sup>2</sup>L ið Þþ � <sup>1</sup>; <sup>1</sup> <sup>4</sup>L l<sup>ð</sup> � <sup>j</sup> � <sup>δ</sup>; <sup>j</sup> � <sup>δ</sup>Þ þ 4 7ð Þ <sup>l</sup> <sup>þ</sup> <sup>6</sup>

, so the length of this SLP is Lð Þþ δ; i 2l. Hence we

2L lð Þþ � i; i 12ð Þ l þ 1

2L ið Þþ � 1; 1 4 7ð Þ l þ 5 2L ið Þþ � 1; 1 10l þ 6

of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets—Steinberg generators and elementary matrices (Table A5). To write w as a product of elementary matrices is easy, just put this generator through our Gaussian elimination algorithm. Here we demonstrate the other way round, that is, how to write elementary matrices as a product of w and x. First we compute, <sup>x</sup>0,iðÞ¼ <sup>t</sup> <sup>w</sup><sup>i</sup>�<sup>1</sup>x0, <sup>1</sup>ð Þ<sup>1</sup> <sup>w</sup>�ð Þ <sup>i</sup>�<sup>1</sup> which is of length 2<sup>i</sup> � 1 for 1≤i<sup>≤</sup> <sup>l</sup>.

Here

$$L(\delta, i) = \begin{cases} 2i - 1 & \text{for } \delta = 1, \\ 2L(\delta - 1) + 4(i + \delta) - 6 & \text{for } \delta = 2, 3, \dots, l - 1. \end{cases}$$

Now <sup>w</sup><sup>l</sup> ¼ �ð Þ<sup>1</sup> <sup>l</sup> <sup>0</sup> Il Il 0 and xj,iðÞ¼ <sup>t</sup> <sup>w</sup><sup>l</sup> xi,jð Þ �<sup>t</sup> <sup>w</sup>�<sup>l</sup> , so length of this SLP is Lð Þþ δ; i 2l. Hence we get all xi,jð Þt for 1≤ i 6¼ j≤l. The number of SLPs is l. Next observe the following:
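The SLP recurrences and the length formula $L(\delta, i)$ above can be checked mechanically. The following Python is an added example, not code from the chapter: it fixes its own conventions for the basis order, the form $\beta$ and the elementary matrices $x_{i,j}(t)$ (the chapter's own definitions are in Appendix A, Table A3; the ones used here are assumptions), builds $x = x_{1,2}(1)$ and $w$ of equation (2), and then evaluates the $\delta = 1$ conjugation, the commutator recursion, the $w^l$ relation for $x_{j,i}(t)$ and the first row of the table, comparing each SLP's output matrix and its counted length with $x_{i,j}(t)$ and $L(\delta, i)$.

```python
# Added example (not from the chapter): evaluates the Section 5.1 straight line
# programs for Sp(2l, p) and checks both the matrices and the lengths L(delta, i).
# Assumed conventions (the chapter's own are in its Appendix A, Table A3):
#   basis e_1..e_l, e_{-1}..e_{-l}; form beta = [[0, I_l], [-I_l, 0]];
#   x_{i,j}(t) = I + t e_{i,j} - t e_{-j,-i} (i, j of the same sign, i != j) and
#   x_{i,-j}(t) = I + t e_{i,-j} + t e_{j,-i} (i != j).
# Length = number of generator matrices multiplied, counting x_{1,2}(t) as one.

def idx(k, l):
    """Signed basis index k in {1..l, -1..-l} -> row/column position."""
    return k - 1 if k > 0 else l - k - 1

def identity(n):
    return [[int(r == c) for c in range(n)] for r in range(n)]

def mul(a, b, p):
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % p for c in range(n)]
            for r in range(n)]

def inv(a, p):
    """Inverse over F_p by Gauss-Jordan elimination (inputs are invertible)."""
    n = len(a)
    m = [row[:] + ident_row for row, ident_row in zip(a, identity(n))]
    for c in range(n):
        piv = next(r for r in range(c, n) if m[r][c])
        m[c], m[piv] = m[piv], m[c]
        s = pow(m[c][c], -1, p)
        m[c] = [v * s % p for v in m[c]]
        for r in range(n):
            if r != c and m[r][c]:
                f = m[r][c]
                m[r] = [(m[r][k] - f * m[c][k]) % p for k in range(2 * n)]
    return [row[n:] for row in m]

def x(i, j, t, l, p):
    """Elementary symplectic matrix x_{i,j}(t), i != +-j (assumed convention)."""
    m = identity(2 * l)
    m[idx(i, l)][idx(j, l)] = t % p
    m[idx(-j, l)][idx(-i, l)] = (-t if i * j > 0 else t) % p
    return m

def steinberg_w(l, p):
    """w of equation (2): a 1 in position (1, 2l), -I_{2l-1} in the lower-left block."""
    n = 2 * l
    m = [[0] * n for _ in range(n)]
    m[0][n - 1] = 1
    for r in range(1, n):
        m[r][r - 1] = p - 1
    return m

def is_symplectic(m, l, p):
    """X^T beta X == beta for beta = [[0, I], [-I, 0]] (Definition 3.2)."""
    n = 2 * l
    beta = [[0] * n for _ in range(n)]
    for k in range(l):
        beta[k][k + l], beta[k + l][k] = 1, p - 1
    mt = [list(col) for col in zip(*m)]
    return mul(mul(mt, beta, p), m, p) == beta

def conj(w, m, k, p):
    """w^k m w^{-k} for k >= 0; each step costs two generator matrices."""
    w_inv = inv(w, p)
    for _ in range(k):
        m = mul(mul(w, m, p), w_inv, p)
    return m

def slp(i, j, t, l, p, w):
    """SLP of Section 5.1 for x_{i,j}(t), 1 <= i < j <= l: returns (matrix, length)."""
    if j - i == 1:
        return conj(w, x(1, 2, t, l, p), i - 1, p), 2 * i - 1
    a, la = slp(i, j - 1, t, l, p, w)          # x_{i,j-1}(t)
    b, lb = slp(j - 1, j, 1, l, p, w)          # x_{j-1,j}(1)
    comm = mul(mul(a, b, p), mul(inv(a, p), inv(b, p), p), p)   # [a, b] = a b a^-1 b^-1
    return comm, 2 * la + 2 * lb               # an inverse has the same length

def L(delta, i):
    """Length formula L(delta, i) of Section 5.1."""
    if delta == 1:
        return 2 * i - 1
    return 2 * L(delta - 1, i) + 4 * (i + delta) - 6

def check_sp(l, p, t=3):
    """Checks the SLPs for x_{i,j}(t), x_{j,i}(t) and x_{1,-l}(t), and the stated
    form of w^l; returns the number of SLPs verified."""
    w = steinberg_w(l, p)
    assert is_symplectic(w, l, p) and is_symplectic(x(1, 2, 1, l, p), l, p)
    wl = conj(w, identity(2 * l), 0, p)
    for _ in range(l):
        wl = mul(wl, w, p)
    sign = (-1) ** l                            # w^l = (-1)^l [[0, -I_l], [I_l, 0]]
    assert wl == [[(sign * ((r == c + l) - (c == r + l))) % p for c in range(2 * l)]
                  for r in range(2 * l)]
    count = 0
    for i in range(1, l):
        for j in range(i + 1, l + 1):
            m, n = slp(i, j, t, l, p, w)
            assert m == x(i, j, t, l, p) and n == L(j - i, i)
            m2, n2 = slp(i, j, -t, l, p, w)     # x_{j,i}(t) = w^l x_{i,j}(-t) w^{-l}
            assert conj(w, m2, l, p) == x(j, i, t, l, p) and n2 + 2 * l == L(j - i, i) + 2 * l
            count += 2
    m, n = slp(l - 1, l, t, l, p, w)            # table row: x_{1,-l}(t) = w x_{l-1,l}(t) w^{-1}
    assert conj(w, m, 1, p) == x(1, -l, t, l, p) and n + 2 == 2 * l - 1
    return count + 1
```

Running `check_sp(4, 11)` exercises every pair $1 \le i < j \le 4$ over $\mathbb{F}_{11}$; the recursion in `slp` mirrors the time-memory trade-off described above, since each commutator re-uses the already computed shorter programs, and the counted lengths grow exactly as $2L(\delta-1, i) + 2L(1, j-1)$, which is where the formula for $L(\delta, i)$ comes from.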


#### 5.2 Orthogonal group O(2l, p)

It is shown by Ree [17] that the elementary matrices $x_{i,j}(t)$ generate $\Omega(2l, p)$, the commutator subgroup of O(2l, p). Hence we generate $\Omega(2l, p)$ using only two elements $x$ and $w$. Since we generate $x_{i,j}(t)$ and $w_{i,j}$ as a product of $x_{i,j}(t)$, and $w = w_{1,2}(1)\, w_{2,3}(1) \cdots w_{l-1,l}(1)\, w_l$, we are able to generate $w_l$. Here $w_{i,j}(t) = x_{i,j}(t)\, x_{j,i}(-t^{-1})\, x_{i,j}(t)$ for $i \ne j$ and $w_l = I - e_{l,l} - e_{-l,-l} + e_{l,-l} + e_{-l,l}$. Now we know $w_{l-1} = w_l\, w_{l,l-1}(1)\, w_{l-1,-l}(1)$, so we generate $w_{l-1}$. Hence by induction we generate $w_i = w_{i+1}\, w_{i+1,i}(1)\, w_{i,-(i+1)}(1)$ for $i = l-1, \dots, 1$. Here $w_{i,-j}(t) = x_{i,-j}(t)\, x_{-i,j}(-t^{-1})\, x_{i,-j}(t)$ for $i < j$. Hence we generate all the elementary matrices (Table A1) using only two generators $x$ and $w$. So we generate a new subgroup $W\Omega(2l, p)$ of O(2l, p), which is a normal subgroup of O(2l, p). The output matrix of our algorithm is $d(\lambda) = \operatorname{diag}(1, 1, \dots, \lambda, 1, 1, \dots, \lambda^{-1})$. If $\lambda \in \mathbb{F}_p^{*2}$, say $\lambda \equiv t^2 \pmod p$, then $t \equiv \lambda^{\frac{p+1}{4}} \pmod p$, since $p \equiv 3 \pmod 4$. Then

$$\begin{aligned} d(\lambda) &= \operatorname{diag}\left(1, \dots, t^2, 1, \dots, t^{-2}\right) \\ &= w_{l-1,l}(1)\, \operatorname{diag}\left(1, \dots, t^2, 1, 1, \dots, t^{-2}, 1\right)\, w_{l-1,l}(-1) \\ &= w_{l-1,l}(1)\, w_{l-1,l}(t)\, w_{l-1,l}(-1)\, w_{l-1,-l}(t)\, w_{l-1,-l}(-1)\, w_{l-1,l}(-1). \end{aligned}$$

Hence we generate $W\Omega(2l, p)$ using only two generators $x$ and $w$.

#### 5.3 Orthogonal group O(2l+1, p)

Let $p \equiv 3 \pmod 4$ be a prime. It is known [16] that the group O(2l+1, p) is generated by these elements:

$$x = x_{0,1}(1), \tag{5}$$

$$w = \begin{pmatrix} -1 & 0 & 0 \\ 0 & 0 & -1 \\ 0 & -I_{2l-1} & 0 \end{pmatrix}, \tag{6}$$

$$w_l = I - e_{l,l} - e_{-l,-l} + e_{l,-l} + e_{-l,l}. \tag{7}$$

We will refer to these three elements as Steinberg generators. However, in the context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets, Steinberg generators and elementary matrices (Table A5). To write $w$ as a product of elementary matrices is easy: just put this generator through our Gaussian elimination algorithm. Here we demonstrate the other way round, that is, how to write elementary matrices as a product of $w$ and $x$. First we compute $x_{0,i}(t) = w^{i-1}\, x_{0,1}(t)\, w^{-(i-1)}$, which is of length $2i - 1$ for $1 \le i \le l$. Now

$$w^l = (-1)^l \begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & I_l \\ 0 & I_l & 0 \end{pmatrix}$$

and $x_{i,0}(t) = w^l\, x_{0,i}(-t)\, w^{-l}$ for $1 \le i \le l$, and the length of this SLP is $2l + 2i - 1$. So we get $x_{i,0}(t)$ and $x_{0,i}(t)$ for $i = 1, 2, \dots, l$. Again we have $x_{1,2}(t) = \left[x_{1,0}(t/2),\; x_{0,2}(1)\right]$, and the length of this SLP is $4l + 8$. In what follows, we denote the length of SLPs by $L(\delta, i)$, where $\delta = j - i$ and $1 \le i < j \le l$.

$$\begin{aligned} \delta &= 1, & x_{i,j}(t) &= w^{i-1}\, x_{1,2}(t)\, w^{-(i-1)}, \\ \delta &= 2, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right], \\ \delta &= 3, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right], \\ &\;\vdots & &\;\vdots \\ \delta &= l-1, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right]. \end{aligned}$$

Here

$$L(\delta, i) = \begin{cases} 2i + 4l + 6 & \text{for } \delta = 1, \\ 2L(\delta - 1, i) + 4(i + \delta + 2l + 2) & \text{for } \delta = 2, 3, \dots, l - 1. \end{cases}$$

As $x_{j,i}(t) = w^l\, x_{i,j}(-t)\, w^{-l}$, the length of this SLP is $L(\delta, i) + 2l$. Hence we generate all $x_{i,j}(t)$ for $1 \le i \ne j \le l$, and the number of SLPs is $3 + (l-1) + 1 = l + 3$. Next observe the following:

| Elements | Indices | Equation (SLP) | Length |
|---|---|---|---|
| $x_{1,-l}(t)$ | | $w\, x_{l-1,l}(t)\, w^{-1}$ | $6l + 6$ |
| $x_{1,-i}(t)$ | $2 \le i \le l-1$ | $\left[x_{i,l}(t),\; x_{1,-l}(1)\right]$ | $2L(l-i, i) + 12(l+1)$ for $i \ne l-1$; $24l + 20$ for $i = l-1$ |
| $x_{i,-j}(t)$ | $2 \le i \le l-1$, $i+1 \le j \le l$ | $\left[x_{i,1}(t),\; x_{1,-j}(1)\right]$ | $2L(i-1, 1) + 4L(l-j-\delta, j-\delta) + 4(7l+6)$ for $j < l-1$; $2L(i-1, 1) + 4(7l+5)$ for $j = l-1$; $2L(i-1, 1) + 10l + 6$ for $j = l$ |

So we generate all $x_{i,-j}(t)$ for $i < j$. Now $w^l\, x_{i,-j}(t)\, w^{-l} = x_{-i,j}(t)$, and we have $x_{-i,j}(t)$. The total number of SLPs is $l + 7$. It is shown in Ree [17] that the elementary matrices $x_{i,j}(t)$ generate $\Omega(2l+1, p)$, the commutator subgroup of O(2l+1, p), which is of index 4. So we generate $\Omega(2l+1, p)$ using only two generators $x$ and $w$. Now we know $w_{l-1} = w_l\, w_{l,l-1}(1)\, w_{l-1,-l}(1)$, so we generate $w_{l-1}$. Hence inductively we can generate $w_i = w_{i+1}\, w_{i+1,i}(1)\, w_{i,-(i+1)}(1)$ for $i = l-1, \dots, 1$. Here $w_{i,j}(t) = x_{i,j}(t)\, x_{j,i}(-t^{-1})\, x_{i,j}(t)$ for $i \ne j$ and $w_{i,-j}(t) = x_{i,-j}(t)\, x_{-i,j}(-t^{-1})\, x_{i,-j}(t)$ for $i < j$. Hence we generate all the elementary matrices (Table A5) using only two generators $x$ and $w$ and an extra element $w_l$. Hence we generate a new subgroup $W\Omega(2l+1, p)$ of the orthogonal group O(2l+1, p), containing $\Omega$, which is indeed a normal subgroup of O(2l+1, p). In our algorithm the output matrix is $d(\lambda) = \operatorname{diag}(1, 1, \dots, \lambda, 1, \dots, \lambda^{-1})$. If $\lambda \in \mathbb{F}_p^{*2}$, say $\lambda \equiv t^2 \pmod p$, here $t \equiv \lambda^{\frac{p+1}{4}} \pmod p$, since $p \equiv 3 \pmod 4$. Then

$$\begin{aligned} d(\lambda) &= \operatorname{diag}\left(1, 1, \dots, t^2, 1, \dots, t^{-2}\right) \\ &= w_{l-1,l}(1)\, \operatorname{diag}\left(1, 1, \dots, t^2, 1, 1, \dots, t^{-2}, 1\right)\, w_{l-1,l}(-1) \\ &= w_{l-1,l}(1)\, w_{l-1,l}(t)\, w_{l-1,l}(-1)\, w_{l-1,-l}(t)\, w_{l-1,-l}(-1)\, w_{l-1,l}(-1). \end{aligned}$$

Hence we generate $W\Omega(2l+1, p)$ using $x$, $w$ and $w_l$.

Remark 5.1 Let $d(\zeta) = \operatorname{diag}(1, 1, \dots, \zeta, 1, \dots, \zeta^{-1})$, where $\zeta$ is a non-square in $\mathbb{F}_p^{*}$. The group $\langle W\Omega, d(\zeta) \rangle$ is the orthogonal group.

#### 5.4 Orthogonal group O(2l, p), twisted form

… for $2 \le i \le l$, where

$$w^{l-1} = (-1)^{l-1} \begin{pmatrix} I_2 & 0 & 0 \\ 0 & 0 & I_{l-1} \\ 0 & I_{l-1} & 0 \end{pmatrix}$$

and the length of this SLP is $2(l-1) + 2i - 1$. Thus, we get $x_{i,1}(t)$ and $x_{1,i}(t)$ for $i = 2, \dots, l$. Similarly we compute $x_{i,-1}(t)$ and $x_{-1,i}(t)$ using the relations $x_{-1,i}(t) = w^{i-1}\, x_{-1,2}(t)\, w^{-(i-1)}$ and $x_{i,-1}(t) = w^{l-1}\, x_{-1,i}(-t)\, w^{-(l-1)}$ for $2 \le i \le l$; the lengths of these SLPs are $2i - 1$ and $2(l-1) + 2i - 1$, respectively. Next, we compute $x_{2,3}(t)$ using the commutator formula $x_{2,3}(t) = \left[x_{2,1}(t/2),\; x_{1,3}(1)\right]$, and the length of this SLP is $4(l-1) + 8$. In what follows, we denote the length of SLPs by $L(\delta, i)$, where $\delta = j - i$ and $2 \le i < j \le l$.

$$\begin{aligned} \delta &= 1, & x_{i,j}(t) &= w^{i-1}\, x_{2,3}(t)\, w^{-(i-1)}, \\ \delta &= 2, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right], \\ \delta &= 3, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right], \\ &\;\vdots & &\;\vdots \\ \delta &= l-2, & x_{i,j}(t) &= \left[x_{i,j-1}(t),\; x_{j-1,j}(1)\right]. \end{aligned}$$

Here

$$L(\delta, i) = \begin{cases} 2i + 4(l-1) + 6 & \text{for } \delta = 1, \\ 2L(\delta - 1, i) + 4\bigl(i + \delta + 2(l-1) + 2\bigr) & \text{for } \delta = 2, 3, \dots, l - 2. \end{cases}$$

As $x_{j,i}(t) = w^{l-1}\, x_{i,j}(-t)\, w^{-(l-1)}$, the length of this SLP is $L(\delta, i) + 2(l-1)$. Hence we get all $x_{i,j}(t)$ for $2 \le i \ne j \le l$, and the number of SLPs is $l + 2$. Next, we compute the remaining elementary matrices using the commutator formula; they are listed in the table below, where $r = l - 1$.

| Elements | Indices | Equation (SLP) | Length |
|---|---|---|---|
| $x_{1,-l}(t)$ | | $w\, x_{l-1,l}(t)\, w^{-1}$ | $6(l-1) + 6$ |
| $x_{1,-i}(t)$ | $2 \le i \le l-1$ | $\left[x_{i,l}(t),\; x_{1,-l}(1)\right]$ | $2L(r-i, i) + 12(r+1)$ for $i \ne l-1$; $24(l-1) + 20$ for $i = l-1$ |
| $x_{i,-j}(t)$ | $2 \le i \le r-1$, $i+1 \le j \le l$ | $\left[x_{i,1}(t),\; x_{1,-j}(1)\right]$ | $2L(i-1, 1) + 4(7r+6) + 4L(r-j-\delta, j-\delta)$ for $j < l-1$; $2L(i-1, 1) + 4(7r+5)$ for $j = l-1$; $2L(i-1, 1) + 10r + 6$ for $j = l$ |

Thus, we have generated all $x_{i,-j}(t)$ for $i < j$. Now, using the formula $w^l\, x_{i,-j}(t)\, w^{-l} = x_{-i,j}(t)$, we get $x_{-i,j}(t)$, and the total number of SLPs required is $l + 6$. Now we know $w_{l-1} = w_l\, w_{l,l-1}(1)\, w_{l-1,-l}(1)$, so we generate $w_{l-1}$. Hence by induction we can generate $w_i = w_{i+1}\, w_{i+1,i}(1)\, w_{i,-(i+1)}(1)$ for $i = l-1, \dots, 2$. Here $w_{i,j}(t) = x_{i,j}(t)\, x_{j,i}(-t^{-1})\, x_{i,j}(t)$ for $i \ne j$, and $w_{i,-j}(t) = x_{i,-j}(t)\, x_{-i,j}(-t^{-1})\, x_{i,-j}(t)$ for $i < j$. Hence we generate all the elementary matrices defined in Table A7 using the generators $x$, $x'$, $x_1(t, s)$, $x_2$ and $w$ and an extra element $w_l$. In our algorithm the output matrix is $d(\lambda) = \operatorname{diag}(1, 1, 1, \dots, \lambda, 1, \dots, \lambda^{-1})$. If $\lambda \in \mathbb{F}_p^{*2}$, say $\lambda \equiv t^2 \pmod p$, here $t \equiv \lambda^{\frac{p+1}{4}} \pmod p$, since $p \equiv 3 \pmod 4$. Then

$$\begin{aligned} d(\lambda) &= \operatorname{diag}\left(1, 1, 1, \dots, t^2, 1, \dots, t^{-2}\right) \\ &= w_{l-1,l}(1)\, \operatorname{diag}\left(1, 1, 1, \dots, t^2, 1, 1, \dots, t^{-2}, 1\right)\, w_{l-1,l}(-1) \\ &= w_{l-1,l}(1)\, w_{l-1,l}(t)\, w_{l-1,l}(-1)\, w_{l-1,-l}(t)\, w_{l-1,-l}(-1)\, w_{l-1,l}(-1). \end{aligned}$$
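The square-root step that closes Sections 5.2, 5.3 and 5.4, and its failure for a non-square $\lambda$ (the situation of Remark 5.1), can be checked numerically. The following Python is an added example, not code from the chapter, written for the split orthogonal group O(2l, p) of Section 5.2 with $p \equiv 3 \pmod 4$. It assumes the form $\beta = \begin{pmatrix} 0 & I_l \\ I_l & 0 \end{pmatrix}$, the uniform convention $x_{a,b}(t) = I + t\, e_{a,b} - t\, e_{-b,-a}$ for $a \ne \pm b$, and the chapter's $w_{a,b}(t) = x_{a,b}(t)\, x_{b,a}(-t^{-1})\, x_{a,b}(t)$; in this convention $x_{-i,j}(s) = x_{-j,i}(-s)$, so the middle factor of $w_{i,-j}(t)$ appears as $x_{-j,i}(-t^{-1})$. The chapter's own conventions are in Table A1, so these are assumptions. The code computes $t = \lambda^{(p+1)/4}$, rejects non-squares, and compares the six-factor word with $d(\lambda)$ for every $\lambda \in \mathbb{F}_p^{*}$.

```python
# Added example (not from the chapter): the d(lambda) step of Sections 5.2-5.4
# checked numerically for the split orthogonal group O(2l, p), p = 3 (mod 4).
# Assumed conventions (the chapter's own are in Appendix A, Table A1):
#   basis e_1..e_l, e_{-1}..e_{-l}; symmetric form beta = [[0, I_l], [I_l, 0]];
#   x_{a,b}(t) = I + t e_{a,b} - t e_{-b,-a} for a != +-b (so x_{a,b}(t) = x_{-b,-a}(-t));
#   w_{a,b}(t) = x_{a,b}(t) x_{b,a}(-t^{-1}) x_{a,b}(t)   (the chapter's formula).
from functools import reduce

def idx(k, l):
    """Signed basis index k in {1..l, -1..-l} -> row/column position."""
    return k - 1 if k > 0 else l - k - 1

def identity(n):
    return [[int(r == c) for c in range(n)] for r in range(n)]

def mul(a, b, p):
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % p for c in range(n)]
            for r in range(n)]

def prod(ms, p):
    return reduce(lambda a, b: mul(a, b, p), ms)

def split_form(l):
    """beta with beta(e_i, e_{-i}) = 1 and all other basis pairs 0."""
    n = 2 * l
    return [[int(abs(r - c) == l) for c in range(n)] for r in range(n)]

def is_orthogonal(m, l, p):
    """X^T beta X == beta (Definition 3.1)."""
    beta = split_form(l)
    mt = [list(col) for col in zip(*m)]
    return prod([mt, beta, m], p) == beta

def x(a, b, t, l, p):
    """Elementary orthogonal matrix x_{a,b}(t), a != +-b (assumed convention)."""
    m = identity(2 * l)
    m[idx(a, l)][idx(b, l)] = t % p
    m[idx(-b, l)][idx(-a, l)] = (-t) % p
    return m

def w_root(a, b, t, l, p):
    """w_{a,b}(t) = x_{a,b}(t) x_{b,a}(-t^{-1}) x_{a,b}(t); w_{a,b}(1) swaps e_a, e_b up to sign."""
    t_inv = pow(t % p, -1, p)
    return prod([x(a, b, t, l, p), x(b, a, -t_inv, l, p), x(a, b, t, l, p)], p)

def d(lam, l, p):
    """Gaussian-elimination output d(lambda): lambda in position l, lambda^{-1} in position -l."""
    m = identity(2 * l)
    m[idx(l, l)][idx(l, l)] = lam % p
    m[idx(-l, l)][idx(-l, l)] = pow(lam % p, -1, p)
    return m

def sqrt_p3mod4(lam, p):
    """Square root for p = 3 (mod 4): t = lambda^((p+1)/4). None if lambda is a non-square."""
    assert p % 4 == 3
    t = pow(lam % p, (p + 1) // 4, p)
    return t if t * t % p == lam % p else None

def d_as_word(lam, l, p):
    """The chapter's six-factor word for d(lambda), or None when lambda is a
    non-square (then d(lambda) lies outside W Omega; compare Remark 5.1)."""
    t = sqrt_p3mod4(lam, p)
    if t is None:
        return None
    W = lambda a, b, s: w_root(a, b, s, l, p)
    return prod([W(l - 1, l, 1), W(l - 1, l, t), W(l - 1, l, -1),
                 W(l - 1, -l, t), W(l - 1, -l, -1), W(l - 1, l, -1)], p)

def check_all(l, p):
    """For every lambda in F_p^*: squares (Euler's criterion) decompose to exactly
    d(lambda) and the word is orthogonal; non-squares yield no word.
    Returns the number of squares handled."""
    squares = 0
    for lam in range(1, p):
        word = d_as_word(lam, l, p)
        if pow(lam, (p - 1) // 2, p) == 1:          # lambda is a square
            assert word == d(lam, l, p) and is_orthogonal(word, l, p)
            squares += 1
        else:
            assert word is None
    return squares
```

`check_all(3, 7)` returns 3, the number of squares in $\mathbb{F}_7^{*}$; for the remaining three values of $\lambda$ the exponentiation $\lambda^{(p+1)/4}$ does not square back to $\lambda$, and no word in the $w_{a,b}(\cdot)$ is produced, which is the algorithmic content of the statement that $W\Omega$ consists of the matrices whose $\lambda$ is a square.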
