Modern Cryptography – Current Challenges and Solutions

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663

So we generate all $x_{i,-j}(t)$ for $i < j$. Now $w_l x_{i,-j}(t) w_l^{-1} = x_{-i,j}(t)$, and we have $x_{-i,j}(t)$. The total number of SLPs is $l + 7$. It is shown in Ree [17] that elementary matrices $x_{i,j}(t)$ generate $\Omega(2l+1, p)$, the commutator subgroup of $O(2l+1, p)$ which is of index 4. So we generate $\Omega(2l+1, p)$, using only two generators $x$ and $w$. Now we know $w_{l-1} = w_l w_{l,l-1}(1) w_{l-1,-l}(1)$, so we generate $w_{l-1}$. Hence inductively we can generate $w_i = w_{i+1} w_{i+1,i}(1) w_{i,-(i+1)}(1)$ for $i = l-1, \dots, 1$. Here $w_{i,j}(t) = x_{i,j}(t) x_{j,i}(-t^{-1}) x_{i,j}(t)$ for $i \ne j$ and $w_{i,-j}(t) = x_{i,-j}(t) x_{-i,j}(-t^{-1}) x_{i,-j}(t)$ for $i < j$. Hence we generate all the elementary matrices (Table A5) using only two generators $x$ and $w$ and an extra element $w_l$. Hence we generate a new subgroup $W\Omega(2l+1, p)$ of the orthogonal group $O(2l+1, p)$, containing $\Omega$, which is indeed a normal subgroup of $O(2l+1, p)$. In our algorithm the output matrix is $d(\lambda) = \operatorname{diag}(1, 1, \dots, \lambda, 1, \dots, \lambda^{-1})$. If $\lambda \in \mathbb{F}_p^{\times 2}$, say $\lambda \equiv t^2 \pmod{p}$, here $t \equiv \lambda^{\frac{p+1}{4}} \pmod{p}$, since $p \equiv 3 \pmod{4}$. Then

$$\begin{split} d(\lambda) &= \operatorname{diag}\left(1, 1, \dots, t^2, 1, \dots, t^{-2}\right) \\ &= w_{l-1,l}(1) \operatorname{diag}\left(1, 1, \dots, t^2, 1, 1, \dots, t^{-2}, 1\right) w_{l-1,l}(-1) \\ &= w_{l-1,l}(1) w_{l-1,l}(t) w_{l-1,l}(-1) w_{l-1,-l}(t) w_{l-1,-l}(-1) w_{l-1,l}(-1). \end{split}$$

Hence we generate $W\Omega(2l+1, p)$ using $x$, $w$ and $w_l$.

Remark 5.1 Let $d(\zeta) = \operatorname{diag}(1, 1, \dots, \zeta, 1, \dots, \zeta^{-1})$, where $\zeta$ is non-square in $\mathbb{F}_p^\times$. The group $\langle W\Omega, d(\zeta) \rangle$ is the orthogonal group.

5.4 Twisted orthogonal group $O^{-}(2l, p)$

We use the following generators, which we refer to as Steinberg generators.

$$\begin{aligned}
x &= x_{1,2}(1), \\
x' &= x_{-1,2}(1), \\
w &= \begin{pmatrix} -I_2 & 0 & 0 \\ 0 & 0 & -1 \\ 0 & -I_{2l-3} & 0 \end{pmatrix}, \\
w_l &= I - e_{l,l} - e_{-l,-l} - e_{l,-l} - e_{-l,l}, \\
& x_1(t,s), \text{ where } t \in \mathbb{F}_p^\times,\ s \in \mathbb{F}_p, \text{ and } x_2.
\end{aligned}$$

In the context of the MOR cryptosystem, we need to know how to go back and forth between these generators and elementary matrices (Table A7). The procedure is almost similar to the case of $O^{+}(2l, p)$. Again, note that $x = x_{1,2}$, $x' = x_{-1,2}$, $x_1(t,s)$, and $x_2$ are elementary matrices. Thus, we just need to write $w$ as a product of elementary matrices. However, computing $w$ is fairly easy: just put this generator through our Gaussian elimination algorithm in Appendix A. Here we demonstrate the other way round, that is, how to write elementary matrices as a product of $w$, $x$, and $x'$. First, we compute $x_{1,i}(t) = w^{i-1} x_{1,2}(1) w^{-(i-1)}$, which is of length $2i - 1$ for $2 \le i \le l$. Now we compute $x_{i,1}(t)$ using the relation $x_{i,1}(t) = w^{l-1} x_{1,i}(-t) w^{-(l-1)}$ for $1 \le i \le l$, where

$$w^{l-1} = (-1)^{l-1} \begin{pmatrix} I_2 & 0 & 0 \\ 0 & 0 & I_{l-1} \\ 0 & I_{l-1} & 0 \end{pmatrix}$$

and the length of this SLP is $2(l-1) + 2i - 1$. Thus, we get $x_{i,1}(t)$ and $x_{1,i}(t)$, for $i = 2, \dots, l$. Similarly we compute $x_{i,-1}(t)$ and $x_{-1,i}(t)$ using the relations $x_{-1,i}(t) = w^{i-1} x_{-1,2}(1) w^{-(i-1)}$ and $x_{i,-1}(t) = w^{l-1} x_{-1,i}(-t) w^{-(l-1)}$ for $2 \le i \le l$, and the lengths of these SLPs are $2i - 1$ and $2(l-1) + 2i - 1$, respectively. Next, we compute $x_{2,3}(t)$ using the commutator formula $x_{2,3}(t) = \left[x_{2,1}\left(\frac{t}{2}\right), x_{1,3}(1)\right]$, and the length of this SLP is $4(l-1) + 8$. In what follows, we denote the length of SLPs by $L(\delta, i)$, where $\delta = j - i$ and $2 \le i < j \le l$.

$$\begin{aligned}
\delta &= 1, & x_{i,j}(t) &= w^{i-1} x_{2,3}(t) w^{-(i-1)}, \\
\delta &= 2, & x_{i,j}(t) &= \left[x_{i,j-1}(t), x_{j-1,j}(1)\right], \\
\delta &= 3, & x_{i,j}(t) &= \left[x_{i,j-1}(t), x_{j-1,j}(1)\right], \\
&\ \vdots & &\ \vdots \\
\delta &= l-1, & x_{i,j}(t) &= \left[x_{i,j-1}(t), x_{j-1,j}(1)\right].
\end{aligned}$$

Here

$$L(\delta, i) = \begin{cases} 2i + 4(l - 1) + \delta & \text{for } \delta = 1, \\ 2L(\delta - 1, i) + 4(i + \delta + 2(l - 1) + 2) & \text{for } \delta = 2, 3, \dots, l - 2. \end{cases}$$

As $x_{j,i}(t) = w^{l-1} x_{i,j}(-t) w^{-(l-1)}$, the length of this SLP is $L(\delta, i) + 2(l-1)$. Hence, we get all $x_{i,j}(t)$ for $2 \le i \ne j \le l$ and the number of SLPs is $l + 2$. Next, we compute the remaining elementary matrices using the commutator formula; they are listed in the table; let $r = l - 1$.


Thus, we have generated all $x_{i,-j}(t)$ for $i < j$. Now, using the formula $w_l x_{i,-j}(t) w_l^{-1} = x_{-i,j}(t)$, we get $x_{-i,j}(t)$ and the total number of SLPs required is $l + 6$. Now we know $w_{l-1} = w_l w_{l,l-1}(1) w_{l-1,-l}(1)$, so we generate $w_{l-1}$. Hence by induction we can generate $w_i = w_{i+1} w_{i+1,i}(1) w_{i,-(i+1)}(1)$, for $i = l-1, \dots, 2$. Here $w_{i,j}(t) = x_{i,j}(t) x_{j,i}(-t^{-1}) x_{i,j}(t)$, for $i \ne j$, and $w_{i,-j}(t) = x_{i,-j}(t) x_{-i,j}(-t^{-1}) x_{i,-j}(t)$, for $i < j$. Hence we generate all the elementary matrices defined in Table A7 using generators $x$, $x'$, $x_1(t,s)$, $x_2$, and $w$ and an extra element $w_l$. In our algorithm the output matrix is $d(\lambda) = \operatorname{diag}(1, 1, 1, \dots, \lambda, 1, \dots, \lambda^{-1})$. If $\lambda \in \mathbb{F}_p^{\times 2}$, say $\lambda \equiv t^2 \pmod{p}$, here $t \equiv \lambda^{\frac{p+1}{4}} \pmod{p}$, since $p \equiv 3 \pmod{4}$.

$$\begin{split} \text{Then } d(\lambda) &= \operatorname{diag}\left(1, 1, 1, \dots, t^2, 1, \dots, t^{-2}\right) \\ &= w_{l-1,l}(1) \operatorname{diag}\left(1, 1, 1, \dots, t^2, 1, 1, \dots, t^{-2}, 1\right) w_{l-1,l}(-1) \\ &= w_{l-1,l}(1) w_{l-1,l}(t) w_{l-1,l}(-1) w_{l-1,-l}(t) w_{l-1,-l}(-1) w_{l-1,l}(-1). \end{split}$$

Remark 5.2 Let $d(\zeta) = \operatorname{diag}(1, 1, 1, \dots, \zeta, 1, \dots, \zeta^{-1})$, where $\zeta$ is non-square in $\mathbb{F}_p^\times$. Then as a consequence of our Gaussian elimination algorithm in Appendix A, we can see that $x$, $x'$, $x_1(t,s)$, $x_2$, $w$ and $w_l$ along with $d(\zeta)$ generate the twisted orthogonal group.
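The step this section relies on, using Gaussian elimination to write a group element as a word in elementary matrices, is shown here for the special linear group $SL(n, \mathbb{F}_p)$, where the elementary matrices are transvections. This is an added example, not code from the chapter, and it does not implement the chapter's algorithm for orthogonal groups; the function names and the sample matrix are constructed for illustration.

```python
# Added example: Gaussian elimination over F_p as a word-problem solver for SL(n, p).
# E(r, c, t) = I + t*e_{r,c} with r != c is an elementary transvection; left-multiplying
# by it adds t times row c to row r. All names and sample values here are constructed.

def transvection(n, r, c, t, p):
    m = [[int(i == j) for j in range(n)] for i in range(n)]
    m[r][c] = t % p
    return m

def matmul(a, b, p):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)] for row in a]

def word_in_transvections(g, p):
    """Return [(r, c, t), ...] such that g = E(r1,c1,t1) E(r2,c2,t2) ... over F_p."""
    n = len(g)
    g = [[x % p for x in row] for row in g]
    word = []

    def add_row(dst, src, t):  # left-multiply g by E(dst, src, t)
        t %= p
        if t:
            g[dst] = [(a + t * b) % p for a, b in zip(g[dst], g[src])]
            word.append((dst, src, -t % p))  # record the inverse factor

    for k in range(n - 1):
        below = next((r for r in range(k + 1, n) if g[r][k]), None)
        if below is None:
            if g[k][k] == 0:
                raise ValueError("matrix is singular")
            add_row(k + 1, k, 1)  # create a nonzero entry under the pivot
            below = k + 1
        add_row(k, below, (1 - g[k][k]) * pow(g[below][k], -1, p))  # pivot becomes 1
        for r in range(k + 1, n):
            add_row(r, k, -g[r][k])  # clear the column below the pivot
    if g[n - 1][n - 1] != 1:
        raise ValueError("determinant is not 1, so g is not in SL(n, p)")
    for k in range(n - 1, 0, -1):
        for r in range(k):
            add_row(r, k, -g[r][k])  # clear the column above the pivot
    return word

def evaluate(word, n, p):
    """Multiply the transvections of a word, left to right."""
    out = [[int(i == j) for j in range(n)] for i in range(n)]
    for r, c, t in word:
        out = matmul(out, transvection(n, r, c, t, p), p)
    return out

SAMPLE_P = 7  # constructed: a prime with p = 3 (mod 4), as the section assumes
SAMPLE_G = [[2, 3, 1], [0, 4, 5], [0, 0, 1]]  # constructed; det = 8 = 1 (mod 7)
SAMPLE_WORD = word_in_transvections(SAMPLE_G, SAMPLE_P)
```

The number of factors in `SAMPLE_WORD` plays the role of the SLP length discussed above, and `evaluate` is the reverse direction, from a word back to the matrix.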

Acknowledgements

We are thankful to the editor and referees for their valuable comments which have improved the paper substantially. This work was supported by a SERB research grant. This chapter contains part of the PhD thesis of the first and the third author, directed by the second and the fourth author at IISER Pune.

Appendix A. Solving the word problem in G

In computational group theory, one is always looking for algorithms that solve the word problem. When G is a special linear group, one has a well-known algorithm to solve the word problem—the Gaussian elimination algorithm. One observes that the effect of multiplying an element of the special linear group by an elementary matrix (also known as elementary transvection) from left or right is either a row or a column operation, respectively. Using this algorithm one can start with any matrix $g \in SL(l+1, k)$ and get to the identity matrix, thus writing $g$ as a product of elementary matrices ([18], Proposition 6.2). One of the objectives of this appendix is to discuss a similar algorithm for orthogonal and symplectic groups, with a set of generators that we will call elementary matrices in their respective groups. Similar algorithms can be found in the works of Brooksbank [19, 20] and Costi [21]. However, we have no restrictions on the cardinality or characteristic of the field k.

We first describe the elementary matrices and the row-column operations for the respective groups. These row-column operations are nothing but multiplication by elementary matrices from left and right, respectively. Here elementary matrices used are nothing but Chevalley generators which follows from the theory of Chevalley groups.

The basic idea of the algorithm is to use the fact that multiplying any orthogonal matrix by any one of the generators enables us to perform row or column operations. The relation ${}^{T}g \beta g = \beta$ gives us some compact relations among the blocks of $g$ which can be used to make the algorithm faster. To make the algorithm simple, we will write the algorithm for $O(2l+1, k)$, $O^{+}(2l, k)$, and $O^{-}(2l, k)$ separately.

A.1 Groups in which Gaussian elimination works

• Symplectic groups: Since all non-degenerate skew-symmetric bilinear forms are equivalent ([22], Corollary 2.12), we have a Gaussian elimination algorithm for all symplectic groups over an arbitrary field.

• Orthogonal groups:

  • Since non-degenerate symmetric bilinear forms over a finite field of odd characteristics are classified ([22], p. 79) according to the β (see Section 3), we have a Gaussian elimination algorithm for all orthogonal groups over a finite field of odd characteristics.

  • Since non-degenerate quadratic forms over a perfect field of even characteristics can be classified ([23], p. 10) according to quadratic forms Q(x) defined in ([24], Section 4.2), we have a Gaussian elimination
