An authentication scheme based on the twisted conjugacy problem

The conjugacy search problem in a group $G$ is the problem of recovering an $x \in G$ from given $g \in G$ and $h=x^{-1}gx$. The alleged computational hardness of this problem in some groups was used in several recently suggested public key exchange …

Authors: **Vladimir Shpilrain, Alexander Ushakov**

Vladimir Shpilrain (Department of Mathematics, The City College of New York, New York, NY 10031, USA; shpil@groups.sci.ccny.cuny.edu) and Alexander Ushakov (Department of Mathematics, Stevens Institute of Technology, Hoboken, NJ 07030, USA; aushakov@stevens.edu). Research of the first author was partially supported by the NSF grant DMS-0405105.

Abstract. The conjugacy search problem in a group $G$ is the problem of recovering an $x \in G$ from given $g \in G$ and $h = x^{-1} g x$. The alleged computational hardness of this problem in some groups was used in several recently suggested public key exchange protocols, including the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee et al. Sibert, Dehornoy, and Girault used this problem in their authentication scheme, which was inspired by the Fiat-Shamir scheme involving repeating several times a three-pass challenge-response step. In this paper, we offer an authentication scheme whose security is based on the apparent hardness of the twisted conjugacy search problem, which is: given a pair of endomorphisms (i.e., homomorphisms into itself) $\phi, \psi$ of a group $G$ and a pair of elements $w, t \in G$, find an element $s \in G$ such that $t = \psi(s^{-1}) w \phi(s)$, provided at least one such $s$ exists. This problem appears to be very non-trivial even for free groups. We offer here another platform, namely, the semigroup of all $2 \times 2$ matrices over truncated one-variable polynomials over $\mathbb{F}_2$, the field of two elements, with transposition used instead of inversion in the equality above.

1 Introduction

One of the most obvious ramifications of the discrete logarithm problem in the noncommutative situation is the conjugacy search problem: given a group $G$ and two conjugate elements $g, h \in G$, find a particular element $x \in G$ such that $x^{-1} g x = h$.

This problem always has a recursive solution because one can recursively enumerate all conjugates of a given element, but this kind of solution can be extremely inefficient. Specific groups may or may not admit more efficient solutions, so the choice of the platform group is of paramount importance for the security of a cryptographic primitive based on the conjugacy search problem. A great deal of research was (and still is) concerned with the complexity of this problem in braid groups because there were several proposals, including the one by Anshel, Anshel, and Goldfeld [1], and the one by Ko, Lee et al. [11], on using the alleged computational hardness of this problem in braid groups to build a key exchange protocol. Also, Sibert, Dehornoy, and Girault [15] used this problem in their authentication scheme, which was inspired by the Fiat-Shamir scheme involving repeating several times a three-pass challenge-response step. At the time of this writing, no deterministic polynomial-time algorithm for solving the conjugacy search problem in braid groups has been reported yet; see [3] and [4] for recent progress in this direction. However, several heuristic algorithms, in particular so-called "length based attacks", were shown to have very high success rates, see e.g. [7], [8], [10], [12], [13]. This shows that one has to be really careful when choosing the platform (semi)group to try to avoid length based or similar attacks. One way to achieve this goal is, informally speaking, to have "a lot of commutativity" inside an otherwise non-commutative (semi)group; see [13] for a more detailed discussion.
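The Conclusions of this paper spell out one such "similar attack" for matrix platforms: with the plain conjugacy search problem, $x^{-1} g x = h$ rewrites as $g x = x h$, which is a system of $n^2$ linear equations in the $n^2$ entries of $x$. The following is that attack as an added example in Python; it is not the authors' code. Matrices over a prime field $\mathbb{F}_p$ stand in for the field case the paper describes, and the prime $p$, the dimension $n$, the function names and the seeded sample instance are choices made for this demonstration.

```python
"""Linear-algebra attack on the plain conjugacy search problem for n x n
matrices over a prime field F_p (the weakness the paper's Conclusions contrast
with the twisted version). Given g and h = x^{-1} g x, the unknown x satisfies
g X - X h = 0, which is linear in the n^2 entries of X; Gaussian elimination
mod p recovers the whole solution space, and any invertible member forges.
Added example, not from the paper; p, n and the sample instance are ours."""
import random

def matmul(A, B, p):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]

def nullspace_mod_p(M, p):
    """Basis of {v : M v = 0} over F_p via reduced row echelon form."""
    M = [row[:] for row in M]
    rows, cols = len(M), len(M[0])
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c] % p), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in (c for c in range(cols) if c not in pivots):  # one vector per free column
        v = [0] * cols
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-M[i][fc]) % p
        basis.append(v)
    return basis

def is_invertible(A, p):
    return not nullspace_mod_p(A, p)

def inverse_mod_p(A, p):
    """Gauss-Jordan inverse over F_p; A must be invertible."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next(i for i in range(c, n) if M[i][c] % p)
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, p)
        M[c] = [(v * inv) % p for v in M[c]]
        for i in range(n):
            if i != c and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[c])]
    return [row[n:] for row in M]

def conjugacy_solutions(g, h, p):
    """Basis of {X : g X = X h}. Unknown x_{ab} has index a*n + b; the entry
    (gX - Xh)_{ab} = sum_k g[a][k] x_{kb} - sum_k x_{ak} h[k][b] gives one row."""
    n = len(g)
    rows = []
    for a in range(n):
        for b in range(n):
            row = [0] * (n * n)
            for k in range(n):
                row[k * n + b] = (row[k * n + b] + g[a][k]) % p
                row[a * n + k] = (row[a * n + k] - h[k][b]) % p
            rows.append(row)
    return [[v[i * n:(i + 1) * n] for i in range(n)] for v in nullspace_mod_p(rows, p)]

def recover_conjugator(g, h, p, rng, tries=64):
    """Return an invertible X with g X = X h, or None. X need not equal the
    original x: every invertible solution passes a verifier's conjugacy check."""
    basis = conjugacy_solutions(g, h, p)
    n = len(g)
    for _ in range(tries):
        coeffs = [rng.randrange(p) for _ in basis]
        X = [[sum(c * B[i][j] for c, B in zip(coeffs, basis)) % p for j in range(n)]
             for i in range(n)]
        if is_invertible(X, p):
            return X
    return None

def demo(p=101, n=2, seed=7):
    """Build a random instance h = x^{-1} g x and break it. Returns True when
    the recovered X is invertible and satisfies g X = X h."""
    rng = random.Random(seed)
    rand_matrix = lambda: [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
    x = rand_matrix()
    while not is_invertible(x, p):
        x = rand_matrix()
    g = rand_matrix()
    h = matmul(matmul(inverse_mod_p(x, p), g, p), x, p)
    X = recover_conjugator(g, h, p, rng)
    return X is not None and is_invertible(X, p) and matmul(g, X, p) == matmul(X, h, p)

if __name__ == "__main__":
    print("recovered a forging conjugator:", demo())
```

Over the truncated-polynomial ring of Section 3 the same rewriting still yields a linear system, only over a ring rather than a field; the paper notes that elimination-style heuristics tend to cope with that. The twisted equation $t = \psi(s^*) w \phi(s)$ has no such linearization, because the unknown enters through two different endomorphisms and an antihomomorphism, which is the point of Section 5.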
In this paper, we propose an authentication scheme whose security is based on the apparent hardness of the (double) twisted conjugacy search problem, which is: given a pair of endomorphisms (i.e., homomorphisms into itself) $\phi, \psi$ of a group $G$ and a pair of elements $w, t \in G$, find an element $s \in G$ such that $t = \psi(s^{-1}) w \phi(s)$, provided at least one such $s$ exists. This problem, to the best of our knowledge, has not been considered in group theory before, and neither was its decision version: given $\phi, \psi \in \mathrm{End}(G)$ and $w, t \in G$, find out whether or not there is an element $s \in G$ such that $t = \psi(s^{-1}) w \phi(s)$. However, the following special case of this problem (called the twisted conjugacy problem) has recently attracted a lot of interest among group theorists: given $\phi \in \mathrm{End}(G)$ and $w, t \in G$, find out whether or not there is an element $s \in G$ such that $t = s^{-1} w \phi(s)$. This problem is very non-trivial even for free groups; see [5] for an astonishing solution in the special case where $\phi$ is an automorphism of a free group. To the best of our knowledge, this decision problem is open for free groups if $\phi$ is an arbitrary endomorphism. Another class of groups where the twisted conjugacy problem was considered is the class of polycyclic-by-finite groups [16]. Again, the problem was solved for these groups in the special case where $\phi$ is an automorphism. The conjugacy problem is a special case of the twisted conjugacy problem, where $\phi$ is the identity map.

Now a natural question is: what is the advantage of the more general (double) twisted conjugacy search problem over the conjugacy search problem in the context of an authentication scheme?
The answer is: if the platform (semi)group $G$ has "a lot" of endomorphisms, then Alice (the prover), who selects $\phi, \psi, w$, and $s$, has an opportunity to select them in such a way that there are a lot of cancellations between $\psi(s)$, $w$, and $\phi(s)$, thus rendering length based attacks ineffective.

In this paper, we use the semigroup of all $2 \times 2$ matrices over truncated one-variable polynomials over $\mathbb{F}_2$, the field of two elements, as the platform. It may seem that the platform necessarily has to be a group since one should at least have the element $s$ (see above) invertible. However, as we will see in the next section, we do not really need invertibility to make our authentication protocol work; what we need is just some antihomomorphism of $G$ into itself, i.e., a map $* : G \to G$ such that $(ab)^* = b^* a^*$ for any $a, b \in G$. Every group has such an antihomomorphism; it takes every element to its inverse. Every semigroup of square matrices over a commutative ring has such an antihomomorphism, too; it takes every matrix to its transpose (commutativity of the entries is what makes $(AB)^T = B^T A^T$ hold). Some (semi)groups have other special antihomomorphisms; for example, any free (semi)group has an antihomomorphism that rewrites every element "backwards", i.e., right-to-left. Here we prefer to focus on semigroups of matrices (over commutative rings) since we believe that these have several features making them fit to be platforms of various cryptographic protocols; see [14] for a more detailed discussion.

2 The protocol

In this section, we give a description of a single round of our authentication protocol. As with the original Fiat-Shamir scheme, this protocol has to be repeated $k$ times if one wants to reduce the probability of successful forgery to $\frac{1}{2^k}$. Here Alice is the prover and Bob the verifier. Let $G$ be the platform semigroup, and $*$ an antihomomorphism of $G$, i.e., $(ab)^* = b^* a^*$.

1. Alice's public key is a pair of endomorphisms $\phi, \psi$ of the (semi)group $G$ and two elements $w, t \in G$, such that $t = \psi(s^*) w \phi(s)$, where $s \in G$ is her private key.
2. To begin authentication, Alice selects an element $r \in G$ and sends the element $u = \psi(r^*) t \phi(r)$, called the commitment, to Bob.
3. Bob chooses a random bit $c$ and sends it to Alice.
   - If $c = 0$, then Alice sends $v = r$ to Bob, and Bob checks whether the equality $u = \psi(v^*) t \phi(v)$ is satisfied. If it is, then Bob accepts the authentication.
   - If $c = 1$, then Alice sends $v = sr$ to Bob, and Bob checks whether the equality $u = \psi(v^*) w \phi(v)$ is satisfied. If it is, then Bob accepts the authentication.

Let us check now that everything works the way we want it to work.

- If $c = 0$, then $v = r$, so $\psi(v^*) t \phi(v) = \psi(r^*) t \phi(r) = u$.
- If $c = 1$, then $v = sr$, so $\psi(v^*) w \phi(v) = \psi((sr)^*) w \phi(sr) = \psi(r^* s^*) w \phi(s) \phi(r) = \psi(r^*) \psi(s^*) w \phi(s) \phi(r) = \psi(r^*) t \phi(r) = u$.

3 The platform and parameters

Our suggested platform semigroup $G$ is the semigroup of all $2 \times 2$ matrices over truncated one-variable polynomials over $\mathbb{F}_2$, the field of two elements. Truncated (more precisely, $N$-truncated) one-variable polynomials over $\mathbb{F}_2$ are expressions of the form $\sum_{0 \le i \le N-1} a_i x^i$, where the $a_i$ are elements of $\mathbb{F}_2$ and $x$ is a variable. In other words, $N$-truncated polynomials are elements of the factor algebra of the algebra $\mathbb{F}_2[x]$ of one-variable polynomials over $\mathbb{F}_2$ by the ideal generated by $x^N$.

Our semigroup $G$ has a lot of endomorphisms induced by endomorphisms of the algebra of truncated polynomials. In fact, any map of the form $x \to p(x)$, where $p(x)$ is a truncated polynomial with zero constant term, can be extended to an endomorphism $\phi_p$ of the algebra of truncated polynomials.
Indeed, it is sufficient to show that $\phi_p(x^N) = (p(x))^N$ belongs to the ideal generated by $x^N$, which is obviously the case if $p(x)$ has zero constant term. Then, since $\phi_p$ is both an additive and a multiplicative homomorphism, it extends to an endomorphism of the semigroup of all $2 \times 2$ matrices over truncated one-variable polynomials in the natural way, i.e., entrywise. If we now let the antihomomorphism $*$ from the description of the protocol in Section 2 be matrix transposition, we have everything set up for an authentication scheme using the semigroup $G$ as the platform.

Now we have to specify the parameters involved in our scheme. The parameter $N$ determines the size of the key space. If $N$ is on the order of 300, then there are $2^{300}$ polynomials of degree $< N$ over $\mathbb{F}_2$, so there are $2^{1200}$ $2 \times 2$ matrices over $N$-truncated polynomials, i.e., the size of the private key space is $2^{1200}$, which is large enough. At the same time, computations with (truncated) polynomials over $\mathbb{F}_2$ are very efficient (see e.g. [2], [6], or [9] for details). In particular,

- addition of two polynomials of degree $N$ can be performed in $O(N)$ time;
- multiplication of two polynomials of degree $N$ can be performed in $O(N \log_2 N)$ time;
- computing the composition $p(q(x)) \bmod x^N$ of two polynomials of degree $N$ can be performed in $O((N \log_2 N)^{3/2})$ time (see e.g. [6, p. 51]).

Since those are the only operations used in our protocol, the time complexity of executing a single round of the protocol is $O((N \log_2 N)^{3/2})$.

The size of the public key space is large, too. One public key is, again, a $2 \times 2$ matrix over $N$-truncated polynomials, and the two other public keys are endomorphisms of the form $x \to p(x)$, where $p(x)$ is an $N$-truncated polynomial with zero constant term.
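The protocol of Section 2 on the platform of Section 3, as an added example in Python that is not the authors' code. Truncated polynomials are bit-packed integers (bit $i$ is the coefficient of $x^i$), the antihomomorphism $*$ is transposition, and the endomorphisms are the substitutions $x \to p(x)$ with $p(0) = 0$ applied entrywise. The seeded key generation, the function names and $N = 64$ are choices made here to keep the demo fast (the paper suggests $N$ around 300). Besides the two honest rounds it also runs the one-bit forger that the $\frac{1}{2^k}$ bound refers to: a prover who does not know $s$ can prepare a commitment that answers one challenge bit but not the other.

```python
"""Toy round of the Shpilrain-Ushakov authentication scheme on the platform of
Section 3: 2x2 matrices over F_2[x]/(x^N), with transposition as the
antihomomorphism '*' and endomorphisms x -> p(x) applied entrywise. A truncated
polynomial is a Python int whose bit i is the coefficient of x^i, so addition is
XOR and truncation mod x^N is a bit mask. Added example, not the authors' code;
N and the seeded key generation are choices made for this demo."""
import random

def pmul(a, b, n):
    """Carry-less product a*b mod x^n over F_2."""
    mask, r = (1 << n) - 1, 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) & mask
    return r

def compose(f, p, n):
    """f(p(x)) mod x^n by Horner's rule: the algebra endomorphism phi_p applied to f."""
    r = 0
    for i in range(n - 1, -1, -1):
        r = pmul(r, p, n) ^ ((f >> i) & 1)
    return r

def mmul(A, B, n):
    """Product of 2x2 matrices stored as (a, b, c, d) = [[a, b], [c, d]]."""
    a, b, c, d = A
    e, f, g, h = B
    return (pmul(a, e, n) ^ pmul(b, g, n), pmul(a, f, n) ^ pmul(b, h, n),
            pmul(c, e, n) ^ pmul(d, g, n), pmul(c, f, n) ^ pmul(d, h, n))

def transpose(A):
    """The antihomomorphism of Section 2: (AB)^T = B^T A^T over a commutative ring."""
    a, b, c, d = A
    return (a, c, b, d)

def endo(p, A, n):
    """x -> p(x) entrywise; a semigroup endomorphism because p has zero constant term."""
    assert p & 1 == 0, "p must have zero constant term (Section 3)"
    return tuple(compose(e, p, n) for e in A)

def twist(psi, phi, s, m, n):
    """psi(s^*) m phi(s): the double twisted conjugation of m by s."""
    return mmul(mmul(endo(psi, transpose(s), n), m, n), endo(phi, s, n), n)

def rand_poly(rng, n, const):
    """Random N-truncated polynomial with the prescribed constant term (Section 3)."""
    return (rng.getrandbits(n) & ~1) | const

def rand_matrix(rng, n, const=1):
    return tuple(rand_poly(rng, n, const) for _ in range(4))

def keygen(rng, n):
    """Public key (phi, psi, w, t) and private key s with t = psi(s^*) w phi(s)."""
    phi, psi = rand_poly(rng, n, 0), rand_poly(rng, n, 0)
    w = rand_matrix(rng, n)
    s = rand_matrix(rng, n)           # entries with constant term 1, as the paper suggests
    return {"phi": phi, "psi": psi, "w": w, "t": twist(psi, phi, s, w, n), "n": n}, s

def verify(pub, u, c, v):
    """Bob's check: c = 0 compares against t, c = 1 against w."""
    base = pub["t"] if c == 0 else pub["w"]
    return u == twist(pub["psi"], pub["phi"], v, base, pub["n"])

def honest_round(pub, s, c, rng):
    """One round with an honest Alice: commit u, then answer challenge c."""
    n = pub["n"]
    r = rand_matrix(rng, n, rng.getrandbits(1))
    u = twist(pub["psi"], pub["phi"], r, pub["t"], n)      # commitment
    v = r if c == 0 else mmul(s, r, n)
    return verify(pub, u, c, v)

def forged_round(pub, guess, c, rng):
    """A prover without s prepares for ONE bit: guess = 0 commits psi(x^*) t phi(x)
    and can only answer c = 0; guess = 1 commits psi(x^*) w phi(x) and can only
    answer c = 1. On the other bit the same x fails Bob's check, which is why
    k rounds push the forgery probability down to 1/2^k."""
    n = pub["n"]
    x = rand_matrix(rng, n)
    u = twist(pub["psi"], pub["phi"], x, pub["t"] if guess == 0 else pub["w"], n)
    return verify(pub, u, c, x)

def demo(seed=1, n=64):
    """Run the honest rounds and the four forger preparation/challenge combinations."""
    rng = random.Random(seed)
    pub, s = keygen(rng, n)
    return {
        "honest_c0": honest_round(pub, s, 0, rng),
        "honest_c1": honest_round(pub, s, 1, rng),
        "forger_guessed_right": forged_round(pub, 0, 0, rng) and forged_round(pub, 1, 1, rng),
        "forger_guessed_wrong": forged_round(pub, 0, 1, rng) or forged_round(pub, 1, 0, rng),
    }

if __name__ == "__main__":
    print(demo())
```

The only operations the round needs are the three the paper lists (addition, multiplication and composition of truncated polynomials), so a production implementation would replace the bit-loop in `pmul` and the Horner loop in `compose` with the fast algorithms cited in [6] and [9]; the structure of the round does not change.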
The number of different endomorphisms in this context is thus on the order of $2^{300}$, hence the number of different pairs of endomorphisms is on the order of $2^{600}$.

We also have to say a few words about how a private key $s \in G$ is selected. We suggest that all entries of the matrix $s$ have non-zero constant term; the other coefficients of the entries can be selected randomly, i.e., "0" and "1" are selected with probability $\frac{1}{2}$ each. Non-zero constant terms are useful here to ensure that there are sufficiently many non-zero terms in the final product $t = \psi(s^*) w \phi(s)$.

4 Cryptanalysis

As we have pointed out in the previous section, the key space with the suggested parameters is quite large, so that a "brute force" attack by exhausting the key space is not feasible. The next natural attack that comes to mind is attempting to solve a system of equations over $\mathbb{F}_2$ that arises from equating coefficients at the same powers of $x$ on both sides of the equation $t = \psi(s^*) w \phi(s)$. Recall that in this equation $t, w, \phi$, and $\psi$ are known, whereas $s$ is unknown.

More specifically, our experiments emulating this attack were designed as follows. The entries of the private matrix $s$ were generated as polynomials of degree $N - 1$, with $N = 100$ (which is much smaller than the suggested $N = 300$), with randomly selected binary coefficients, except that the constant term in all polynomials was 1. Then, the endomorphisms $\phi$ and $\psi$ were of the form $x \to p_i(x)$, where the $p_i(x)$ are polynomials of degree $N - 1$, with $N = 150$, with randomly selected binary coefficients, except that the constant term in both of them was 0. Finally, the entries of the public matrix $w$ were generated, again, as polynomials of degree $N - 1$, with $N = 100$, with randomly selected binary coefficients, except that the constant term in all polynomials was 1. The attack itself then proceeds as follows.
The matrix equation $t = \psi(s^*) w \phi(s)$ is converted to a system of $4N$ polynomial equations ($N$ for each entry of a $2 \times 2$ matrix) over $\mathbb{F}_2$. The unknowns in this system are the coefficients of the polynomials of degree $N - 1$ that are the entries of the private matrix $s$. Then, starting with the constant term and going up, we equate coefficients at the same powers of $x$ on both sides of each equation. After that, again starting with the coefficients at the constant term and going up, we find all possible solutions of each equation, one at a time. Thus we are getting a "tree" of solutions, because some of the unknowns that occur in coefficients at lower powers of $x$ also occur in coefficients at higher powers of $x$. If this tree does not grow too fast, then there is a chance that we can get all the way to the coefficients at the highest power of $x$, thereby finding a solution of the system. This solution may not necessarily yield the same matrix $s$ that was selected by Alice, but it is sufficient for forgery anyway.

We have run over 1000 experiments of this kind (which took about two weeks), allowing the solution tree to grow up to a width of 16384, i.e., allowing to go over at most 16384 solutions of each equation when proceeding to a higher power of $x$. Each experiment ran on a personal computer with a Pentium 2 GHz dual core processor. The success rate of the described attack with these parameters was 0%.

5 Conclusions

We have introduced:

1. An authentication scheme based on the (double) twisted conjugacy problem, a new problem, which is allegedly hard in some (semi)groups.
2. A new platform semigroup, namely the semigroup of all $2 \times 2$ matrices over truncated one-variable polynomials over $\mathbb{F}_2$.
Computation in this semigroup is very efficient and, at the same time, the non-commutative structure of this semigroup provides for security at least against obvious attacks.

We point out here one important advantage of using the (double) twisted conjugacy problem over using the more "traditional" conjugacy search problem as far as (semi)groups of matrices are concerned. The conjugacy search problem admits a linear algebra attack upon rewriting the equation $x^{-1} g x = h$ as $g x = x h$; the latter translates into a system of $n^2$ linear equations with $n^2$ unknowns, where $n$ is the size of the matrices involved, and the unknowns are the entries of the matrix $x$. Of course, if the entries come not from a field but from a more general ring, such a system of linear equations does not necessarily admit a straightforward solution, but methods emulating standard techniques (like Gauss elimination) usually have a pretty good success rate anyway. For the twisted conjugacy problem, however, there is no reduction to a system of linear equations.

We have considered an attack based on reducing the twisted conjugacy problem to a system of polynomial equations over $\mathbb{F}_2$, but this attack becomes computationally infeasible even with a much smaller crucial parameter (which is the maximum degree of the polynomials involved) than the one we suggest in this paper.

References

1. I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography. Math. Res. Lett. 6 (1999), 287–291.
2. D. Bini, V. Pan, Polynomial and Matrix Computations. Volume 1: Fundamental Algorithms, Birkhäuser, 1994.
3. J. Birman, V. Gebhardt, J. Gonzalez-Meneses, Conjugacy in Garside groups I: Cyclings, powers, and rigidity, Groups, Geometry and Dynamics 1 (2007), 221–279.
4. J. Birman, V. Gebhardt, J. Gonzalez-Meneses, Conjugacy in Garside groups II: Structure of the ultra summit set, Groups, Geometry and Dynamics 2 (2008), 13–61.
5. O. Bogopolski, A. Martino, O. Maslakova, E. Ventura, Free-by-cyclic groups have solvable conjugacy problem, Bull. London Math. Soc. 38 (2006), 787–794.
6. P. Bürgisser, M. Clausen, M. A. Shokrollahi, and T. Lickteig, Algebraic Complexity Theory, Springer, 1997.
7. D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Length-based conjugacy search in the Braid group, Contemp. Math., Amer. Math. Soc. 418 (2006), 75–87.
8. D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Probabilistic solutions of equations in the braid group, Advances in Applied Mathematics 35 (2005), 323–334.
9. J. von zur Gathen and J. Gerhard, Modern Computer Algebra, Cambridge University Press, 2nd edition, 2003.
10. D. Hofheinz, R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in: Public Key Cryptography, 6th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2003 (Y. G. Desmedt, ed.), Lecture Notes Comp. Sc. 2567 (2002), 187–198.
11. K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. Kang, C. Park, New public-key cryptosystem using braid groups, Advances in cryptology—CRYPTO 2000 (Santa Barbara, CA), 166–183, Lecture Notes in Comput. Sci. 1880, Springer, Berlin, 2000.
12. A. D. Myasnikov, A. Ushakov, Length based attack in braid groups, in: PKC 2007, Lecture Notes in Computer Science 4450 (2007), 76–88.
13. D. Ruinskiy, A. Shamir, B. Tsaban, Cryptanalysis of group-based key agreement protocols using subgroup distance functions, in: PKC 2007, Lecture Notes Comp. Sc. 4450 (2007), 61–75.
14. V. Shpilrain, Hashing with polynomials, in: ICISC 2006, Lecture Notes Comp. Sc. 4296 (2006), 22–28.
15. H. Sibert, P. Dehornoy, M. Girault, Entity authentication schemes using braid word reduction, Discrete Applied Math. 154-2 (2006), 420–436.
16. A. Fel'shtyn, E. Troitsky, Twisted conjugacy separable groups, preprint. http://arxiv.org/abs/math/0606764
