SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2012; 5:809–822 Published online 3 October 2011 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.376
RESEARCH ARTICLE
CSP-DHIES: a new public-key encryption scheme from matrix conjugation
Ping Pan1, Lihua Wang2, Licheng Wang1*, Lixiang Li1 and Yixian Yang1
1 Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 National Institute of Information and Communications Technology (NICT), 4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
ABSTRACT
We propose a new public-key cryptosystem named conjugacy search problem-based Diffie–Hellman integrated encryption scheme (CSP-DHIES), by using conjugation-related assumptions for a special monoid of matrices of truncated multi-variable polynomials over the ring $\mathbb{Z}_{12}$, where the CSP is assumed to be intractable. Our construction can be viewed as the first noncommutative variant of the well-known DHIES cryptosystem. Under the assumptions of the intractability of the CSP-based hash Diffie–Hellman problem and the CSP-based oracle Diffie–Hellman problem, our scheme is provably secure against both chosen-plaintext attacks and chosen-ciphertext attacks. Our proofs are constructed in the standard model. We also discuss the possibility of implementing our proposal using braid groups. Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS conjugacy search problem; (a)symmetric encryption; message authentication code; truncated multi-variable polynomials over a ring; braid groups

*Correspondence Licheng Wang, PO Box 126, 10 West Tucheng Road, Haidian District, Beijing 100876, China. E-mail: [email protected]

1. INTRODUCTION

Since the inception of public-key cryptography [1], several public-key cryptosystems have been proposed and studied extensively. Among them, the two most popular categories are as follows: (i) the RSA cryptosystem [2] and its variants, and (ii) the ElGamal cryptosystem [3] and its variants, along with its curve-based extension, the elliptic curve cryptosystem. The security of these two categories is rooted either in the intractability assumption of the integer factoring problem (IFP) or in the intractability assumption of the discrete logarithm problem (DLP), including the DLP over elliptic curves (ECDLP). However, the progress on quantum computation raises doubt about these intractability assumptions. For example, Shor [4] invented efficient quantum algorithms for solving IFP and DLP. Shor's quantum algorithms were also extended to elliptic curves, due to Proos–Zalka [5], for solving ECDLP. It is interesting, therefore, to probe the possibility of building cryptosystems that have the potential to resist currently known quantum attacks. In 1995, Kitaev [6] proposed a unified framework, called the hidden subgroup problem (HSP), for studying quantum algorithms. To date, we are aware of efficient quantum algorithms for HSP over arbitrary commutative groups, but there is evidence to suggest that HSP over noncommutative groups might be harder than HSP over commutative groups: progress in quantum algorithms for HSP over noncommutative groups is limited or even negative [7,8]. In this study, therefore, we pay attention primarily to the possible constructions of cryptosystems from certain noncommutative algebraic structures. More specifically, our motivation and originality come from the following advances in cryptography:
(1) In 2000, Ko et al. proposed a cryptosystem using braid groups. Subsequently, many braid-based cryptographic primitives were proposed. Unfortunately, almost all published braid-based cryptographic schemes have now been shown to be insecure by many attacks, including the length-based attack [9] and the linear representation attack [10]. The challenge remains to design secure braid-based encryptions.
(2) In 2001, Abdalla et al. [11] described a new DH-based encryption, that is, the Diffie–Hellman integrated encryption scheme (DHIES), which now comes in several standards. The Abdalla–Bellare–Rogaway (ABR for short) technique is not only as efficient as the original ElGamal encryption, but also has stronger security properties. DHIES has been proven secure in the standard model, assuming that the so-called oracle Diffie–Hellman (ODH)
problem in a finite field is intractable. If, however, the DLP in the underlying finite field is tractable, for instance using a quantum computer as mentioned, neither the standard computational/decisional Diffie–Hellman (CDH/DDH) problem nor the ODH problem is intractable. Therefore, it is interesting to probe a possible reincarnation of DHIES.
(3) In 2006, Dehornoy [12] proposed an authentication scheme based on the left self-distributive systems that are defined by conjugacy operations over braid groups. However, some cryptanalysis of Dehornoy's scheme was reported [13]. It is therefore interesting to find appropriate new platforms and a range of cryptographic applications for Dehornoy's idea.
(4) In 2009, Grigoriev and Shpilrain [14] proposed an authentication scheme from matrix conjugation, the security of which rests on the difficulty assumption for solving the conjugacy search problem (CSP) in the noncommutative monoid of matrices of truncated polynomials over a ring. This platform seems to be the first serious candidate for the platforms that have a generically hard CSP problem [14].
(5) In 2009, Prasolov [15] constructed some small braids with a large ultra summit set (USS). This result indicates a potential way to generate secure keys for braid-based cryptosystems.
We believe that it is now time to integrate the aforementioned advances. First, the noncommutative monoid suggested by Grigoriev and Shpilrain can be viewed as a stronger platform than the braid groups supporting Dehornoy's idea. Second, the ABR technique [11] gives us the ability to realize a noncommutative variant of DHIES. Third, Prasolov's method of generating hard CSP instances over braid groups can be combined with our proposal to design new braid-based encryptions.

The rest of this paper is organized as follows: In Section 2, we briefly recall related security models and the well-known encryption scheme DHIES; in Section 3, we develop some cryptographic assumptions for the monoid of matrices over truncated multi-variable polynomials; in Section 4, we propose a noncommutative variant of DHIES over the suggested monoid and present related security reductions. Furthermore, in Section 5, we present a discussion on the possibility of developing braid-based DHIES encryptions. Finally, concluding remarks are presented in Section 6.
2. PRELIMINARIES

2.1. Related security models

Let us recall the security models of an asymmetric encryption scheme ASYM = (ASYM.key, ASYM.enc, ASYM.dec), a symmetric encryption scheme SYM = (SYM.enc, SYM.dec) (with key space $K_{sym}$) and a message authentication scheme MAC = (MAC.gen, MAC.ver) (with key space $K_{mac}$). They are captured by the following experiments (see Figures 1, 2 and 3), in which a probabilistic polynomial time (p.p.t.) adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ and a p.p.t. forgery $\mathcal{F}$ are involved, respectively. Here, $atk \in \{cpa, cca\}$, $O_1 \triangleq \mathrm{ASYM.dec}(sk, \cdot)$ and $O_3 \triangleq \mathrm{SYM.dec}(k, \cdot)$, but

$$O_2(pk, c) = \begin{cases} O_1(pk, c), & \text{if } c \neq c^* \\ \bot, & \text{otherwise} \end{cases} \qquad (1)$$

and

$$O_4(k, c) = \begin{cases} O_3(k, c), & \text{if } c \neq c^* \\ \bot, & \text{otherwise} \end{cases} \qquad (2)$$

Now define the advantage of $\mathcal{A}$ (resp. $\mathcal{F}$) in violating the ind-atk (resp. suf-cma) security of ASYM (resp. SYM or MAC) as

$$\mathrm{Adv}^{ind\text{-}atk}_{ASYM,\mathcal{A}} = \left| \Pr\left[ \mathrm{Exp}^{ind\text{-}atk}_{ASYM,\mathcal{A}} = 1 \right] - \frac{1}{2} \right| \qquad (3)$$

resp.

$$\mathrm{Adv}^{ind\text{-}atk}_{SYM,\mathcal{A}} = \left| \Pr\left[ \mathrm{Exp}^{ind\text{-}atk}_{SYM,\mathcal{A}} = 1 \right] - \frac{1}{2} \right| \qquad (4)$$

or

$$\mathrm{Adv}^{suf\text{-}cma}_{MAC,\mathcal{F}} = \Pr\left[ \mathrm{Exp}^{suf\text{-}cma}_{MAC,\mathcal{F}} = 1 \right] \qquad (5)$$

Figure 1. Security experiment of ASYM.
Figure 2. Security experiment of SYM.
Figure 3. Security experiment of MAC.

2.2. Review on DHIES

The DHIES is an extension of the ElGamal encryption scheme. It was suggested in [16] and is now in the draft standards of ANSI X9.63, SECG, and IEEE P1363a [11]. The name DHIES stands for "Diffie–Hellman Integrated Encryption Scheme." It is "integrated" in the sense of using several different tools, including message authentication code (MAC), private-key, and public-key primitives [11]. The DHIES makes use of a finite cyclic group $G = \langle g \rangle$, a symmetric encryption scheme SYM = (SYM.enc, SYM.dec) with key space $K_{sym}$, and a message authentication scheme MAC = (MAC.gen, MAC.ver) with key space $K_{mac}$. Let $H : G \to K_{sym} \times K_{mac}$ be a hash function. From these primitives, we define the public-key encryption scheme as a triple of three algorithms [11]:

$$\mathrm{DHIES} = (\mathrm{DHIES.key},\ \mathrm{DHIES.enc},\ \mathrm{DHIES.dec}). \qquad (6)$$

The component algorithms of DHIES are defined as follows:

• DHIES.key is a probabilistic key generation algorithm that takes as input (G, g), picks $v \in \{1, \ldots, |G|\}$ at random and returns a public key pk and a private key sk, where

$$pk \leftarrow g^v; \qquad sk \leftarrow v. \qquad (7)$$

• DHIES.enc is a probabilistic encryption algorithm that takes as inputs the public key pk and a message m, picks a $u \in \{1, \ldots, |G|\}$ at random and then returns a ciphertext

$$c \leftarrow (U, E, T), \qquad (8)$$

where

$$U \leftarrow g^u, \qquad E \leftarrow \mathrm{SYM.enc}(encKey, m), \qquad T \leftarrow \mathrm{MAC.gen}(macKey, E) \qquad (9)$$

and

$$(encKey, macKey) \leftarrow H(pk^u) \qquad (10)$$

• DHIES.dec is a deterministic decryption algorithm that takes as inputs the secret key sk and a ciphertext triple c = (U, E, T). It at first computes

$$(encKey', macKey') \leftarrow H(U^{sk}) \qquad (11)$$

and then checks whether

$$\mathrm{MAC.ver}(macKey', E, T) \stackrel{?}{=} 1 \qquad (12)$$

holds. If so, it outputs the message

$$m = \mathrm{SYM.dec}(encKey', E) \qquad (13)$$

otherwise, it outputs ⊥, which indicates that c is an invalid ciphertext. According to [11], if the symmetric encryption scheme SYM is secure and the so-called hash Diffie–Hellman (HDH) problem on G is intractable, then the resultant DHIES meets the security notion of indistinguishability under an adaptive chosen-plaintext attack (IND-CPA). Furthermore, if both the symmetric encryption scheme SYM and the message authentication scheme MAC are secure and the so-called ODH problem on G is intractable, then the resultant DHIES meets the security notion of indistinguishability under an adaptive chosen-ciphertext attack (IND-CCA). (Interested readers can refer to [11] for more details.)

3. NEW CRYPTOGRAPHIC ASSUMPTIONS FROM MATRIX CONJUGATION

3.1. Monoid of matrices over truncated multi-variable polynomials

In 2009, Grigoriev and Shpilrain [14] proposed an authentication scheme based on the monoid of $m \times m$ matrices over l-truncated K-variable polynomials over a ring R. According to [14], we can choose the parameters as follows: m = 3, l = 1000, and K = 10, while the ring R is instantiated with $\mathbb{Z}_{12}$. In other words, let us define

$$\hat{R}_{l,K} \triangleq \{ f \in \mathbb{Z}_{12}[x_1, \ldots, x_K] : \deg(f) < l \}. \qquad (14)$$

Then, each element $f \in \hat{R}_{l,K}$ takes the form

$$f = \sum_{0 \le s \le l-1} f_{j_1 \cdots j_s}\, x_{j_1} \cdots x_{j_s} \qquad (15)$$
where $f_{j_1 \cdots j_s}$ are elements of $\mathbb{Z}_{12}$ and $x_{j_1}, \ldots, x_{j_s} \in \{x_1, \ldots, x_K\}$ are variables. For two elements in $\hat{R}_{l,K}$

$$f = \sum_{0 \le s \le l-1} f_{j_1 \cdots j_s}\, x_{j_1} \cdots x_{j_s}, \qquad g = \sum_{0 \le t \le l-1} g_{i_1 \cdots i_t}\, x_{i_1} \cdots x_{i_t} \qquad (16)$$

let us define

$$f \cdot g \triangleq h = \sum_{0 \le u \le l-1} h_{l_1 \cdots l_u}\, x_{l_1} \cdots x_{l_u}, \qquad (17)$$

where

$$h_{l_1 \cdots l_u} = \Big( \sum_{\substack{s+t=u \\ 0 \le s,t,u \le l-1}} f_{j_1 \cdots j_s}\, g_{i_1 \cdots i_t} \Big) \bmod 12 \qquad (18)$$

and

$$x_{l_1} \cdots x_{l_u} = x_{j_1} \cdots x_{j_s}\, x_{i_1} \cdots x_{i_t} \qquad (19)$$

Now, let us define

$$G \triangleq \mathrm{Mat}_m\big(\hat{R}_{l,K}\big) \qquad (20)$$

(i.e., the set of $m \times m$ square matrices over $\hat{R}_{l,K}$) and for two matrices $A = (a_{ij})_{m \times m} \in G$ and $B = (b_{ij})_{m \times m} \in G$, the monoid operation is defined by

$$AB \triangleq C = (c_{ij})_{m \times m} \in G, \qquad (21)$$

where

$$c_{ij} = \Big( \sum_{l=1}^{m} a_{il}\, b_{lj} \Big) \bmod 12 \qquad (22)$$

It is easy to see that the identity matrix $I_{m \times m}$ is the identity of G, that is, for $\forall A \in G$, $AI = A = IA$ holds. Furthermore, for a matrix $A \in G$, if there exists $B \in G$ so that $AB = I_{m \times m} = BA$, we say that A is invertible, and B is called an inverse of A. The inverses of A, if they exist, are unique, and are thus denoted by $A^{-1}$. The set of all invertible matrices of G forms a subgroup and is denoted by $G^{-1}$. In the sequel, we use the symbols G and $G^{-1}$ without further explanation.

3.2. Conjugacy search problem and hard instance sampling

The conjugacy problem has been extensively studied in group theory. In this paper, however, we would like to use the conjugacy concept in the context of the matrix monoid G in a similar manner: Given two matrices $A \in G$ and $X \in G^{-1}$, there must be a matrix $B \in G$ that is a similarity transformation of A, $B = XAX^{-1}$, so we say that A and B are conjugate with respect to X [17].

Definition 1 (Conjugacy search problem: CSP) Given two matrices $A, B \in G$ such that $B = XAX^{-1}$ for some unknown matrix $X \in G^{-1}$, the objective of the CSP in G is to find $X' \in G^{-1}$ such that $B = X'AX'^{-1}$ holds. Here, $X'$ is not required to be equivalent to X.

Proposition 1. If $F : G^{-1} \times G \to G$ is defined by the following conjugate operation:

$$(A, B) \mapsto ABA^{-1} \qquad (23)$$

then F satisfies the following conditions:
(1) $F(R, F(S, P)) = F(F(R, S), F(R, P))$ for $\forall R, S \in G^{-1}$ and $\forall P \in G$.
(2) $F(A^m, B) = F(A^s, F(A^t, B))$ holds for $\forall m, s, t \in \mathbb{N}$ such that $m = s + t$.

Proof. (1) According to the definition of F, we have

$$F(R, F(S, P)) = R\, F(S, P)\, R^{-1} = RSPS^{-1}R^{-1} = RSR^{-1} \cdot RPR^{-1} \cdot RS^{-1}R^{-1} = (RSR^{-1})\, F(R, P)\, (RSR^{-1})^{-1} = F(R, S)\, F(R, P)\, F(R, S)^{-1} = F(F(R, S), F(R, P))$$

(2) Apparently, for m = s + t, we have

$$F(A^m, B) = A^m B A^{-m} = A^s (A^t B A^{-t}) A^{-s} = F(A^s, F(A^t, B))$$

The aforementioned first condition also says that F can be viewed as a left self-distributive system as defined in [12]. Because F is defined by a conjugate operation, let us refer to it as a Conj-LD system for abbreviation. Now, using the notation of F, the CSP problem in G can be re-formulated as follows: Given (A, F(A, B)), output $A'$ such that $F(A', B) = F(A, B)$.

In cryptographic applications, we need to sample a matrix $A \in G$ efficiently and randomly. According to Grigoriev and Shpilrain [14], it is easy to generate B because it does not need to be invertible, whereas A, which is required to be invertible, can be generated as a random product of v ($m^3 \le n \le 2m^3$) elementary matrices. Here, a square matrix is called elementary if it differs from the identity matrix by exactly one nonzero element outside the diagonal [14]. In other words, A can be specified by v random triples $\{(i, j, u)\} \subseteq \{1, \ldots, m\}^2 \times \hat{R}_{l,K}$. Each triple (i, j, u) indicates an elementary matrix that has a non-zero entry $u \neq 0$ in the (i, j)th place ($i \neq j$), and A is the product of all these v elementary matrices.
According to Grigoriev and Shpilrain [14], using the aforementioned sampling technique, the CSP problem over G seems intractable. To the best of our knowledge, to find the matrix $A \in G$ from a given pair $(B, ABA^{-1}) \in G^2$, one must solve a system of $m^2$ linear equations and $m^2$ quadratic equations, with $2m^2$ unknowns, over $\hat{R}_{l,K}$. The adversary can further translate this into a system of linear equations over $\mathbb{Z}_{12}$ if he/she collects coefficients at similar monomials, but this system will be huge: as explained in [14], it will have more than $10^{20}$ equations (based on the number of monomials). As far as we know, this monoid G is the first serious candidate for the platforms that have a generically hard CSP problem [14].

3.3. New cryptographic assumptions

Assume a Conj-LD system F over the matrix monoid G (cf. formula 23). For arbitrary $A \in G^{-1}$, let G[A] denote the subgroup generated by $\{A, A^{-1}\}$, that is, $G[A] \triangleq \langle A, A^{-1} \rangle$. Now, for arbitrary $A \in G^{-1}$ and $B \in G$, let us define the following notations and use them in the sequel without further explanation:
• $T \triangleq \{1, \ldots, n\}$ is a finite subset of $\mathbb{Z}$, where n is the order of G[A].
• $K_{[A,B]} \triangleq \{F(A^i, B) : i \in T\}$ is a finite subset of G.
• The symbols "$\in T$" and "$\leftarrow_{\$} T$" always indicate sampling procedures that pick random integers uniformly from T, whereas the symbol "$\leftarrow_{\$} K_{[A,B]}$" indicates a sampling procedure that, at first, picks $l \in T$ at random and then outputs $F(A^l, B)$.
• $\iota : G \to \{0, 1\}^k$ (where $k = \lceil \log |K_{[A,B]}| \rceil$) is an encoding algorithm that maps each element in $K_{[A,B]}$ into a bit string.
Note that in cryptographic applications, we should choose A and B such that n is large enough to resist exhaustive attacks.

Definition 2 (CSP-based hash Diffie–Hellman: CSP-HDH) Let F be a Conj-LD system over the matrix monoid G. For given $h \in \mathbb{N}$, let $H : \{0, 1\}^* \to \{0, 1\}^h$, and let $\mathcal{A}$ be an adversary. For arbitrary $A \in G^{-1}$ and $B \in G$, let us consider the following two experiments (see Figure 4). Now, the advantage of $\mathcal{A}$ in violating the CSP-based HDH assumption is defined by

$$\mathrm{Adv}^{csp\text{-}hdh}_{F,\mathcal{A}} = \big| \Pr[E_1] - \Pr[E_0] \big| \qquad (24)$$

where the events $E_1$ and $E_0$ are defined by

$$E_1 \triangleq \left[ \mathrm{Exp}^{csp\text{-}hdh\text{-}real}_{F,\mathcal{A}} = 1 \right] \qquad (25)$$

and

$$E_0 \triangleq \left[ \mathrm{Exp}^{csp\text{-}hdh\text{-}rand}_{F,\mathcal{A}} = 1 \right] \qquad (26)$$

respectively. In other words, the CSP-HDH assumption says that for an arbitrary polynomial algorithm $\mathcal{A}$, its advantage $\mathrm{Adv}^{csp\text{-}hdh}_{F,\mathcal{A}}$ is negligible with respect to the total size of the specification of G, F, A, B, T, $K_{[A,B]}$, $\iota$, and H.

Now, suppose that adversary $\mathcal{A}$ is allowed to access an oracle $H^j(\cdot)$, which computes the function $H^j(U) = H(\iota(F(A^j, U)))$, where H is a cryptographic hash function, such as SHA-256.

Definition 3 (CSP-based oracle Diffie–Hellman: CSP-ODH) Let F be a Conj-LD system over the matrix monoid G. For given $h \in \mathbb{N}$, let $H : \{0, 1\}^* \to \{0, 1\}^h$, and let $\mathcal{A}$ be an adversary. For arbitrary $A \in G^{-1}$ and $B \in G$, let us consider the following two experiments (see Figure 5). Now, the advantage of $\mathcal{A}$ in violating the CSP-based ODH assumption is defined by

$$\mathrm{Adv}^{csp\text{-}odh}_{F,\mathcal{A}} = \big| \Pr[E_3] - \Pr[E_2] \big| \qquad (27)$$

where the events $E_3$ and $E_2$ are defined by

$$E_3 \triangleq \left[ \mathrm{Exp}^{csp\text{-}odh\text{-}real}_{F,\mathcal{A}} = 1 \right] \qquad (28)$$

and

$$E_2 \triangleq \left[ \mathrm{Exp}^{csp\text{-}odh\text{-}rand}_{F,\mathcal{A}} = 1 \right] \qquad (29)$$

respectively. In other words, the CSP-ODH assumption says that for an arbitrary polynomial algorithm $\mathcal{A}$, its advantage $\mathrm{Adv}^{csp\text{-}odh}_{F,\mathcal{A}}$ is negligible with respect to the total size of the specification of G, F, A, B, T, $K_{[A,B]}$, $\iota$, $H^j$, and H. Note that in the CSP-ODH definition, the adversary $\mathcal{A}$ is not allowed to call its oracle $H^j(\cdot)$ on X.

Figure 4. Experiments of the CSP-HDH problem.
Figure 5. Experiments of the CSP-ODH problem.
4. THE CONJUGACY SEARCH PROBLEM-BASED DIFFIE–HELLMAN INTEGRATED ENCRYPTION SCHEME

Now, let us derive a new variant of the DHIES scheme, denoted by CSP-DHIES, based on the aforementioned matrix monoid G. As far as we know, this might be the first variant of DHIES that is based on a noncommutative algebraic structure.

4.1. Construction

The construction of CSP-DHIES is very similar to that of DHIES, replacing each appearance of $g^u$ with $F(A^u, B)$ for properly picked matrices A and B. More specifically, CSP-DHIES makes use of the following tools:
• A Conj-LD system $F : G^{-1} \times G \to G$, where G is the aforementioned matrix monoid, and the specifications of G, F, A, B, T, $K_{[A,B]}$, and $\iota$.
• A symmetric encryption scheme SYM = (SYM.enc, SYM.dec), key length eLen, message space M, and cipher space $C_{sym}$.
• A message authentication scheme MAC = (MAC.gen, MAC.ver), key length mLen, tag length tLen, and message space $M_{mac} = C_{sym}$.
• A hash function $H : \{0, 1\}^* \to \{0, 1\}^{eLen + mLen}$.
Now, for the given key space $K_{[A,B]}$, the message space M, and the cipher space $C = K_{[A,B]} \times C_{sym} \times \{0, 1\}^{eLen + mLen}$, the CSP-DHIES scheme is given by

$$\mathrm{CSP\text{-}DHIES} = (\mathrm{CSP\text{-}DHIES.key},\ \mathrm{CSP\text{-}DHIES.enc},\ \mathrm{CSP\text{-}DHIES.dec})$$

where the components of CSP-DHIES are defined as follows:

• CSP-DHIES.key is a probabilistic key generation algorithm that takes as input the aforementioned matrix monoid G, picks $A \in G^{-1}$ and $B \in G$ and defines the Conj-LD system F (cf. Proposition 1), and the subset T, as well as the key space $K_{[A,B]}$ accordingly (cf. Section 3.3), then picks an $s \in T$ at random and returns a public key pk and a private key sk, where

$$pk \leftarrow F(A^s, B); \qquad sk \leftarrow s \qquad (30)$$

Note that the specifications for G, A, B, T, $K_{[A,B]}$, $\iota$ as well as SYM, MAC, and H are publicly known and shared by all users.

• CSP-DHIES.enc is a probabilistic encryption algorithm that takes as inputs the public key pk and a message $m \in M$, picks a $t \in T$ at random, computes

$$encKey \,\|\, macKey \leftarrow H(\iota(F(A^t, pk))) \qquad (31)$$

and then returns a ciphertext c = (X, Y, Z), where

$$X \leftarrow F(A^t, B), \qquad Y \leftarrow \mathrm{SYM.enc}(encKey, m), \qquad Z \leftarrow \mathrm{MAC.gen}(macKey, Y)$$

• CSP-DHIES.dec is a deterministic decryption algorithm that takes as inputs the secret key sk = s and the ciphertext triple c = (X, Y, Z). It at first computes

$$encKey' \,\|\, macKey' \leftarrow H(\iota(F(A^s, X))) \qquad (32)$$

and then checks whether

$$\mathrm{MAC.ver}(macKey', Y, Z) \stackrel{?}{=} 1 \qquad (33)$$

holds. If so, it outputs the message

$$m = \mathrm{SYM.dec}(encKey', Y) \qquad (34)$$

otherwise, it outputs ⊥, which indicates that c is an invalid ciphertext.

Theorem 1 (Consistency) The encryption scheme CSP-DHIES is consistent; that is, for $\forall m \in M$, we have

$$\Pr\left[ (pk, sk) \leftarrow \mathrm{CSP\text{-}DHIES.key};\ c \leftarrow \mathrm{CSP\text{-}DHIES.enc}(pk, m);\ m' \leftarrow \mathrm{CSP\text{-}DHIES.dec}(sk, c) : m' = m \right] = 1 \qquad (35)$$

Proof. Because $X = F(A^t, B)$ and $pk = F(A^s, B)$, we have that

$$F(A^s, X) = F(A^s, F(A^t, B)) = F(A^t, F(A^s, B)) = F(A^t, pk)$$

Therefore,

$$encKey \,\|\, macKey = H(\iota(F(A^t, pk))) = H(\iota(F(A^s, X))) = encKey' \,\|\, macKey'$$

That is, the encryption key and tag generation key used in the encryption are identical to those used in the decryption. We know that, for the underlying symmetric encryption scheme SYM, if the key used in the encryption is identical to the key used in the decryption, the ciphertexts and the corresponding plaintexts are always consistent. Moreover, with the same tag generation key, the valid ciphertext will inevitably pass authentication, thus the decryption algorithm will output the correct plaintext, instead of ⊥. □
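The following is an added worked example, not code from the paper, covering both the Conj-LD system of Proposition 1 (Section 3.2) and the CSP-DHIES construction and consistency argument above. It assumes a tiny instance of the Grigoriev–Shpilrain monoid (l = 4, K = 3, m = 2, commuting variables, instead of the paper's l = 1000, K = 10, m = 3), SHA-512 standing in for H together with a canonical serialisation as ι, an assumed toy SYM (SHA-256 counter keystream) and HMAC-SHA256 as MAC; it checks end to end that decryption recovers m via F(A^s, F(A^t, B)) = F(A^t, F(A^s, B)) and that a tampered tag yields ⊥.

```python
"""Toy CSP-DHIES over the Grigoriev-Shpilrain matrix monoid (added example, not the paper's code)."""
import hashlib
import hmac
import random

# Assumed toy parameters (paper: l = 1000, K = 10, m = 3): degree bound l, K variables, m x m over Z_12.
MOD, L, K, M = 12, 4, 3, 2

# Truncated polynomial = dict {monomial: coeff mod 12}; monomial = sorted tuple of variable
# indices (assumption: variables commute); () is the constant term.
def padd(f, g):
    h = dict(f)
    for mono, c in g.items():
        h[mono] = (h.get(mono, 0) + c) % MOD
    return {mono: c for mono, c in h.items() if c}

def pmul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            if len(m1) + len(m2) >= L:        # truncation: drop terms of degree >= l
                continue
            mono = tuple(sorted(m1 + m2))     # eq. (19): product monomial
            h[mono] = (h.get(mono, 0) + c1 * c2) % MOD
    return {mono: c for mono, c in h.items() if c}

def identity():
    return [[{(): 1} if i == j else {} for j in range(M)] for i in range(M)]

def mat_mul(A, B):                            # monoid operation, eq. (21)/(22)
    C = [[{} for _ in range(M)] for _ in range(M)]
    for i in range(M):
        for j in range(M):
            for l in range(M):
                C[i][j] = padd(C[i][j], pmul(A[i][l], B[l][j]))
    return C

def rand_poly(rng, terms=3):
    f = {}
    for _ in range(terms):
        mono = tuple(sorted(rng.randrange(K) for _ in range(rng.randrange(L))))
        f[mono] = rng.randrange(MOD)
    return {mono: c for mono, c in f.items() if c}

def rand_invertible(rng, count):
    # A in G^-1 as a product of elementary matrices (Section 3.2), tracking A^-1 alongside.
    A, Ainv = identity(), identity()
    for _ in range(count):
        i, j = rng.sample(range(M), 2)        # off-diagonal position (i != j)
        u = rand_poly(rng)
        E, Einv = identity(), identity()
        E[i][j], Einv[i][j] = u, {k: -c % MOD for k, c in u.items()}   # (I+uE_ij)^-1 = I-uE_ij
        A, Ainv = mat_mul(A, E), mat_mul(Einv, Ainv)
    return A, Ainv

def conj(A, Ainv, s, B):
    """Conj-LD system of Proposition 1: F(A^s, B) = A^s B A^-s, built as s nested conjugations."""
    R = B
    for _ in range(s):
        R = mat_mul(mat_mul(A, R), Ainv)
    return R

def derive_keys(X):
    """H(iota(X)) split as encKey || macKey; iota = canonical serialisation, H = SHA-512 (assumed)."""
    h = hashlib.sha512(repr([[sorted(p.items()) for p in row] for row in X]).encode()).digest()
    return h[:32], h[32:]                     # eLen = mLen = 32 bytes

def sym_xor(key, data):
    """Assumed toy SYM: XOR with a SHA-256 counter keystream (enc and dec coincide)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen(rng, A, Ainv, B, n=20):
    s = rng.randrange(1, n)                   # s <- T with T = {1..n}; n assumed tiny here
    return conj(A, Ainv, s, B), s             # eq. (30): pk = F(A^s, B), sk = s

def encrypt(rng, A, Ainv, B, pk, m, n=20):
    t = rng.randrange(1, n)
    enc_key, mac_key = derive_keys(conj(A, Ainv, t, pk))    # eq. (31): H(iota(F(A^t, pk)))
    X = conj(A, Ainv, t, B)                                  # X = F(A^t, B)
    Y = sym_xor(enc_key, m)                                  # Y = SYM.enc(encKey, m)
    Z = hmac.new(mac_key, Y, hashlib.sha256).digest()        # Z = MAC.gen(macKey, Y)
    return X, Y, Z

def decrypt(A, Ainv, sk, c):
    X, Y, Z = c
    enc_key, mac_key = derive_keys(conj(A, Ainv, sk, X))    # eq. (32): H(iota(F(A^s, X)))
    if not hmac.compare_digest(Z, hmac.new(mac_key, Y, hashlib.sha256).digest()):
        return None                                          # eq. (33) fails: output bottom
    return sym_xor(enc_key, Y)                               # eq. (34)

def demo(seed=7):
    """Constructed run: round-trip a message, then show that a flipped tag bit is rejected."""
    rng = random.Random(seed)
    A, Ainv = rand_invertible(rng, 2 * M ** 3)
    B = [[rand_poly(rng) for _ in range(M)] for _ in range(M)]
    pk, sk = keygen(rng, A, Ainv, B)
    X, Y, Z = encrypt(rng, A, Ainv, B, pk, b"conjugation, not exponentiation")
    good = decrypt(A, Ainv, sk, (X, Y, Z))
    bad = decrypt(A, Ainv, sk, (X, Y, bytes([Z[0] ^ 1]) + Z[1:]))
    return good, bad
```

Because X = F(A^t, B) is published in the clear, the only secret protecting the derived keys is the exponent s (or t), which is exactly the CSP-style problem of Section 3.2; the toy parameters here make that search trivial and exist only to exercise the algebra.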
4.2. Security

Theorem 2 Suppose that the underlying symmetric encryption scheme SYM is secure. Then the ciphertext of CSP-DHIES encryption is indistinguishable against chosen-plaintext attack (IND-CPA) under the CSP-HDH assumption in the standard model. More specifically, if there is an adversary A that breaks the IND-CPA security of CSP-DHIES within time t with a probability ε, then there exists either (1) an adversary B that breaks the semantic security of the SYM encryption scheme within time t′ with a probability of at least ε′, or (2) an algorithm C that breaks the CSP-HDH assumption within time t″ with a probability of at least ε″, where

$$\varepsilon \le \varepsilon' + \varepsilon'', \qquad t' = t + t_{simuB}, \qquad t'' = t + t_{simuC} \qquad (36)$$

Here, $t_{simuB}$ and $t_{simuC}$ represent the additional time for performing the simulation on adversaries B and C, respectively.

Proof. Recall the definition of the security of symmetric encryption given in Section 2.1: adversary B's goal is to distinguish which of two messages is enclosed in the challenge ciphertext. For convenience, let us picture a virtual challenger S that will simulate the symmetric encryption scheme SYM and will be involved in the following interactions with B, while B will call adversary A whenever it is necessary (see Figure 6):
• B at first picks an $s \in T$ at random and sends $pk = F(A^s, B)$, that is, the corresponding public key of CSP-DHIES, to adversary A, while keeping s secret.
• When A outputs a pair of challenge messages $(m_0, m_1)$, B regards $m_0$ and $m_1$ as its own challenge messages and forwards them to S.
• Upon receiving the challenge messages $m_0$ and $m_1$, S flips a fair coin $b \in \{0, 1\}$ and then constructs a challenge ciphertext $Y^* = \mathrm{SYM.enc}(encKey, m_b)$ for some $encKey \in \{0, 1\}^{eLen}$ that is known only to S. Finally, S sends the challenge ciphertext $Y^*$ to B.
• Upon receiving the challenge ciphertext $Y^*$, B at first picks $X^* \in K_{[A,B]}$ and $macKey \in \{0, 1\}^{mLen}$ at random, and then computes a challenge ciphertext $c^*$ for A as follows:

$$Z^* \leftarrow \mathrm{MAC.gen}(macKey, Y^*), \qquad c^* \leftarrow (X^*, Y^*, Z^*)$$

• Finally, B sends the challenge ciphertext $c^*$ to A.
• Upon receiving the challenge ciphertext $c^*$, A is asked to guess which challenge message, $m_0$ or $m_1$, is enclosed in $c^*$. Assume that A's output is $b' \in \{0, 1\}$.
• Now, B takes $b'$ as its own guess on b. That is, B returns $b'$ to S.
Note that the macKey used in forming the challenge ciphertext is chosen at random and independently of the true symmetric encryption key encKey that is known only to S. Therefore, if the output of H looks random, adversary A has no means of deciding whether the challenge ciphertext $c^*$ is valid or not. Moreover, because the challenge message $m_b$ is enclosed in $Y^*$ and $Y^*$ is in turn enclosed in $c^*$, whenever A makes a correct guess, so does B. Therefore, ε′ = ε.

Figure 6. Adversary B for breaking SYM.
Now, suppose that the underlying symmetric encryption scheme SYM is semantically secure but the output of H does not look random. Let us construct an algorithm C that breaks the CSP-HDH assumption. Suppose C's challenge is a triple $(X, Y, Z) \in K_{[A,B]}^2 \times \{0, 1\}^h$ for some unknown $i, j \in T$, such that $X = F(A^i, B)$ and $Y = F(A^j, B)$, and C's goal is to tell whether $Z \stackrel{?}{=} H(\iota(F(A^{i+j}, B)))$. C is allowed to call adversary A whenever it is necessary. C is defined by the following interactions (see Figure 7):
• C at first sends the public key pk = X to A.
• Upon receiving pk, A returns two challenge messages $m_0$ and $m_1$ to C.
• C flips a fair coin $b \in \{0, 1\}$ and computes the challenge ciphertext $c^* = (X^*, Y^*, Z^*)$ as follows:

$$X^* \leftarrow Y, \qquad Y^* \leftarrow \mathrm{SYM.enc}(encKey, m_b), \qquad Z^* \leftarrow \mathrm{MAC.gen}(macKey, Y^*)$$

where

$$macKey \leftarrow Z[1..mLen], \qquad encKey \leftarrow Z[mLen + 1..mLen + eLen]$$

Finally, C sends the challenge ciphertext $c^*$ to A. (Here, we should pay attention to the differences between X and $X^*$, Y and $Y^*$, and Z and $Z^*$, respectively.)
• Upon receiving the challenge ciphertext $c^*$, A is asked to guess which challenge message, $m_0$ or $m_1$, is enclosed in $c^*$. Assume that A's output is $b' \in \{0, 1\}$.
• Now, C checks whether $b' \stackrel{?}{=} b$. If so, C outputs 1, indicating that (X, Y, Z) is a real CSP-HDH triple; otherwise, C makes a random guess as to whether (X, Y, Z) is a real CSP-HDH triple.
Apparently, if $Z = H(\iota(F(A^{i+j}, B)))$ holds, then $c^*$ is a valid ciphertext from A's viewpoint. Thus, according to our simulation, if A correctly guesses b, then C's decision is correct (i.e., outputting 1), too. Even if A incorrectly guesses b, C's random decision has a certain probability of being correct. Therefore, we have that

$$\Pr\left[ \mathrm{Exp}^{csp\text{-}hdh\text{-}real}_{F,\mathcal{A}} = 1 \right] \ge \frac{1}{2} + \varepsilon \qquad (37)$$

If $Z \neq H(\iota(F(A^{i+j}, B)))$, the challenge ciphertext $c^*$ is invalid and independent from $m_b$,† and A is no better placed to correctly guess b. Consequently, C is no better placed to make a correct decision. Further, we notice that in this case, algorithm C runs A in the same way as adversary B does. Therefore,

$$\Pr\left[ \mathrm{Exp}^{csp\text{-}hdh\text{-}rand}_{F,\mathcal{A}} = 1 \right] = \frac{1}{2} + \varepsilon' \qquad (38)$$

In total, we have C's advantage as $\varepsilon'' \ge \varepsilon - \varepsilon'$. Therefore, $\varepsilon \le \varepsilon' + \varepsilon''$. According to the simulation, we also have

$$t' = t + t_{simuB} \qquad (39)$$

and

$$t'' = t + t_{simuC} \qquad (40)$$

† However, adversary A has no means to learn that.

Figure 7. Algorithm C for breaking the CSP-HDH assumption.

Theorem 3 Suppose that both the underlying symmetric encryption scheme SYM and the message authentication scheme MAC are secure. Then the ciphertext of CSP-DHIES encryption is indistinguishable against chosen-ciphertext attack (IND-CCA) under the CSP-ODH assumption in the standard model. More specifically, if there is an adversary A that breaks the IND-CCA security of CSP-DHIES within time t with a probability ε, then there exists either (1) an adversary B that breaks the semantic security of the SYM encryption scheme within time t′ with a probability of at least ε′, (2) an algorithm F that breaks the MAC scheme within time t″ with a probability of at least ε″, or (3) an algorithm C that breaks the CSP-HDH assumption within time t‴ with a probability of at least ε‴, where

$$\varepsilon \le \varepsilon' + \varepsilon'' + \varepsilon''', \qquad t' = t + t_{simuB}, \qquad t'' = t + t_{simuF}, \qquad t''' = t + t_{simuC}$$
Here, $t_{simuB}$, $t_{simuF}$ and $t_{simuC}$ represent the additional time for performing the simulation on the adversaries B, F, and C, respectively.

Proof. The basic idea for proving the theorem is similar to that of Theorem 2, except that, in the corresponding constructions, we should consider the responses to decryption queries invoked by the adversary $A = (A_1, A_2)$. Let $F(A^s, B)$ be the recipient public key, and let $c^* = (X^*, Y^*, Z^*)$ be the challenge ciphertext that adversary $A_2$ obtains. We consider the following three cases:
• Case 1: The output of H does not look random. In this case, we present an algorithm C that breaks the ODH assumption.
• Case 2: The output of H looks random, and adversary A has made a decryption query on some ciphertext $c = (X^*, Y, Z) \neq c^*$. In this case, we present a forgery F that breaks the underlying message authentication scheme MAC.
• Case 3: The output of H looks random, but adversary A has never made a decryption query on a ciphertext $c = (X^*, Y, Z) \neq c^*$. In this case, we present an adversary B that breaks the underlying symmetric encryption scheme SYM.

First, let us consider case 3. Similarly, let us picture a virtual challenger S that will simulate an instantiation of the underlying symmetric encryption scheme SYM with an arbitrary specified secret key encKey. S will be involved in the following interactions with $B = (B_1, B_2)$, and B will call adversary $A = (A_1, A_2)$ whenever it is necessary.‡ Note that B's goal is to break the IND-CPA security of SYM without knowing encKey (see Figure 8).
• $B_1$ at first picks an $s \in T$ at random and sends $pk = F(A^s, B)$, that is, the recipient public key of CSP-DHIES, to the adversary $A_1$, while keeping s secret. $B_1$ also picks $X^* \in K_{[A,B]}$ at random in advance.
• When $A_1$ invokes a decryption query on c = (X, Y, Z), we have $X \neq X^*$ according to the specification of case 3. Now, $B_1$ computes

$$encKey' \,\|\, macKey' \leftarrow H(\iota(F(A^s, X))) \qquad (41)$$

and then checks whether

$$\mathrm{MAC.ver}(macKey', Y, Z) \stackrel{?}{=} 1 \qquad (42)$$

holds. If so, it replies to $A_1$ with the message

$$m = \mathrm{SYM.dec}(encKey', Y) \qquad (43)$$

otherwise, it replies to $A_1$ with ⊥, which indicates that c is an invalid ciphertext.

‡ Note that $A_2$ knows what $A_1$ knows because both of them belong to the same adversary. Similarly, $B_2$ knows what $B_1$ knows, too.
• When A1 outputs a pair of challenge messages (m0, m1), B1 regards m0 and m1 as its own challenge messages and forwards them to S. • Upon receiving the challenge messages m0 and m1, S flips a fair coin b 2 {0,1} and then constructs a challenge ciphertext Y* = SYM.enc(encKey, mb) for some encKey 2 {0,1}eLen that is known only to S. Finally, S sends a challenge ciphertext Y* to B2. • Upon receiving the challenge ciphertext Y*, B2 picks macKey 2 {0,1}mLen at random and then computes a challenge ciphertext c* for A2 as follows: Z c
MAC:genðmacKey; Y Þ ðX ; Y ; Z Þ
Finally, B2 sends the challenge ciphertext c* to A2. • Upon receiving the challenge ciphertext c*, A2 is asked to guess which challenge message, m0 or m1, is enclosed in c*. Before outputting its guess, A2 is permitted to make decryption queries on c = (X, Y, Z) 6¼ c*. • When A2 invokes a decryption query on c = (X, Y, Z), we have X 6¼ X* according to the specification of case 3. Now, B2 computes encKey′ macKey′
H ðiðF ðAs ; X ÞÞÞ
(44)
and then checks whether ? MAC:ver macKey′ ; Y; Z ¼ 1
(45)
holds. If not, it replies A1 with ⊥ indicating that c is an invalid ciphertext; otherwise, A2 replies A1 with the message m ¼ SYM:dec encKey′ ; Y (46) • Suppose A2’s output is b′ 2 {0, 1}. Now, B2 takes b′ as its own guess on b. That is, B2 returns b′ to S. Then, if the output of H looks random, adversary A2 has no means of deciding whether the challenge ciphertext c* is valid or not. Thus, whenever A2 makes a correct guess, so does B2. Therefore, e′ = e. Next, let us consider case 2. Similarly, let us picture a virtual challenger T that will simulate an instantiation of the underlying message authentication scheme MAC with a key macKey 2 {0, 1}mLen. T will involve in the following interactions with F, and F will call the adversary A = (A1, A2) whenever it is necessary. Note that F’s goal is to forge a valid tag Z^ for an adaptively chosen message Y^ without knowing macKey (see Figure 9). • F first picks an s 2 T at random and sends pk = F(As, B), that is, the recipient public key of CSP-DHIES, to the adversary A1, while keeping s in secret. F also picks encKey 2 {0, 1}eLen and X* 2 K[A, B] at random. 817
Figure 8. Adversary B for breaking SYM.
• When A1 invokes a decryption query on c = (X, Y, Z), F responds differently according to whether X =? X* holds:
– For X = X*, F at first sends (X, Z) to T for invoking a tag validation query and gets the reply x ∈ {0, 1} from T. If x = 1, F sets Ẑ ← Z, Ŷ ← Y and then replies A1 with the message m ← SYM.dec(encKey, Y); otherwise, F replies A1 with ⊥ indicating that c is an invalid ciphertext.
– For X ≠ X*, F computes

$$encKey' \,\|\, macKey' \leftarrow H(\iota(F(A^{s}, X))) \tag{47}$$

and then checks whether

$$\mathrm{MAC.ver}(macKey', Y, Z) \overset{?}{=} 1 \tag{48}$$

holds. If so, it replies A1 with the message

$$m = \mathrm{SYM.dec}(encKey', Y) \tag{49}$$

otherwise, it replies A1 with ⊥, which indicates that c is an invalid ciphertext.
• When A1 outputs a pair of challenge messages (m0, m1), F flips a fair coin b ∈ {0,1} and then constructs a challenge ciphertext as follows:
– First, F sets

$$Y^* \leftarrow \mathrm{SYM.enc}(encKey, m_b) \tag{50}$$

– Then, F sends Y* to T to invoke a tag generation query and gets T's reply

$$Z^* \leftarrow \mathrm{MAC.gen}(macKey, Y^*) \tag{51}$$

Note that F does not know macKey.
• Finally, F sends the challenge ciphertext c* = (X*, Y*, Z*) to A2.
• Upon receiving the challenge ciphertext c*, A2 is asked to guess which challenge message, m0 or m1, is enclosed in c*. Before outputting the guess, A2 is permitted to make decryption queries on c = (X, Y, Z) ≠ c*.
• When A2 invokes a decryption query on c = (X, Y, Z), F responds similarly.
Figure 9. Adversary F for breaking MAC.
• Suppose A2's output is b′ ∈ {0, 1}. No matter whether b′ = b holds, F outputs (Ŷ, Ẑ) as its forgery.
Seemingly, F's forgeability is irrelevant to A's indistinguishability. However, under adaptively chosen message attacks, A's indistinguishability is equivalent to its non-malleability [18], while A's capability to invoke a valid decryption query on the ciphertext (X*, Y, Z) implies A's malleability. According to the specification of case 2, in the aforementioned simulation, either A1 or A2 will make a valid decryption query on some c = (X*, Y, Z). Thus, we have Z as a valid tag on Y with respect to the unknown tag generation key macKey. Therefore, (Ŷ, Ẑ) ← (Y, Z) is a successful forgery from F's viewpoint. Therefore, ε″ ≥ ε.
Finally, let us consider case 1. Suppose C's challenge is a triple c = (X, Y, Z) ∈ K[A,B]^2 × {0,1}^h for some unknown i, j ∈ T such that X = F(A^i, B) and Y = F(A^j, B), and C's goal is to tell whether Z = H(ι(F(A^{i+j}, B))). According to the definition of the CSP-ODH assumption, we know that C is allowed to call the CSP-ODH oracle H_j(U) for arbitrary U ≠ X, where H_j(U) is defined by

$$H_j(U) \overset{\mathrm{def}}{=} H(\iota(F(A^{j}, U))) \tag{52}$$

Now, C is defined by the following interactions with the adversary A = (A1, A2) (see Figure 10):
• C at first sends the public key pk = X to A1.
• When A1 invokes a decryption query on c′ = (X′, Y′, Z′), C sets

$$m \leftarrow \mathrm{decSimu}^{H_j(\cdot)}(c, c') \tag{53}$$

and replies A1 with m, where decSimu, having access to the oracle H_j(·), is C's sub-routine for computing the response to the decryption query on (X′, Y′, Z′) (see Algorithm 1).
• When A1 outputs two challenge messages m0 and m1 to C, C flips a fair coin b ∈ {0, 1} and computes a challenge ciphertext c* = (X*, Y*, Z*) as follows:

$$X^* \leftarrow Y, \qquad Y^* \leftarrow \mathrm{SYM.enc}(encKey, m_b), \qquad Z^* \leftarrow \mathrm{MAC.gen}(macKey, Y^*)$$

where

$$macKey \leftarrow Z[1..mLen], \qquad encKey \leftarrow Z[mLen+1..mLen+eLen]$$

Finally, C sends the challenge ciphertext c* to A2. (Here, we should pay attention to the differences among X and X*, Y and Y*, and Z and Z*, respectively.)
• Upon receiving the challenge ciphertext c*, A2 is asked to guess which challenge message, m0 or m1, is enclosed in c*. Before outputting its guess, A2 is permitted to make decryption queries on c′ = (X′, Y′, Z′) ≠ c*.
• When A2 invokes a decryption query on c′ = (X′, Y′, Z′) ≠ c*, C sets

$$m \leftarrow \mathrm{decSimu}^{H_j(\cdot)}(c, c') \tag{54}$$

and replies A2 with m.
• Suppose A2's output is b′ ∈ {0, 1}. Now, C checks whether b′ = b. If so, C outputs 1 indicating that (X, Y, Z) is a real CSP-ODH triple; otherwise, C makes a random guess as to whether (X, Y, Z) is a real CSP-ODH triple.
Apparently, if Z = H(ι(F(A^{i+j}, B))) holds, then c* is a valid ciphertext from A's viewpoint. Thus, according to our simulation, if A correctly guesses b, then C makes a correct decision (i.e., outputs 1), too. Even if A incorrectly guesses b, C's random decision has a certain probability of being correct. Therefore, we have that

$$\Pr\left[\mathrm{Exp}^{\mathrm{csp\text{-}odh\text{-}real}}_{F,A} = 1\right] \ge \frac{1}{2} + \varepsilon \tag{55}$$

If Z ≠ H(ι(F(A^{i+j}, B))), the challenge ciphertext c* is invalid and independent of m_b, but the adversary A has no means to learn that, and thus A is no better placed to correctly guess b. Consequently, C is no better placed to make a correct guess. Further, we notice that in this case, if A has never made a decryption query on (X*, Y, Z) ≠ c*, the algorithm C runs A in the same way as the adversary B does; otherwise, if either A1 or A2 has made a decryption query on (X*, Y, Z) ≠ c*, then the algorithm C runs A in the same way that the forger F does. Therefore,

$$\Pr\left[\mathrm{Exp}^{\mathrm{csp\text{-}odh\text{-}rand}}_{F,A} = 1\right] = \frac{1}{2} + \varepsilon' + \varepsilon'' \tag{56}$$

In total, we have C's advantage as ε‴ ≥ ε − ε′ − ε″. Therefore, ε ≤ ε′ + ε″ + ε‴. According to the simulation, we also have t′ = t + t_simuB, t″ = t + t_simuF, and t‴ = t + t_simuC.
Figure 10. Algorithm C for breaking the CSP-ODH assumption.

5. DISCUSSION

5.1. Other possible platforms
In fact, our proposal is suited to arbitrary noncommutative (semi-)groups where the CSP problem is well-defined and intractable. Thus, let us consider other possible platforms for instantiating the proposed CSP-DHIES scheme. In this section, we will discuss braid groups. In [19], we analyzed in detail the current algorithmic progress on the CSP problem over braid groups. Most CSP instances over braid groups are tractable. However, a comprehensive solution for the CSP problem over braid groups remains elusive. Starting in 2007, Birman, Gebhardt, and González-Meneses launched a project, referred to as the BGGM project, to find polynomial algorithms for solving the CSP problem over Garside groups, including braid groups [20–22]. The BGGM project may be the strongest known effort to solve the CSP problem over braid groups in polynomial time (with respect to the input size). The project has already made excellent progress: except for rigid pseudo-Anosov braids, the CSP instances over other braids can be solved in polynomial time [22]. Very recently, however, Prasolov [15] constructed some small braids with a large ultra summit set (USS). Prasolov's result represents a setback for the BGGM project but does encourage the building of new cryptosystems under the intractability assumption of the CSP problem over braid groups. In addition, according to [23], one can defeat length-based attacks against the CSP instance (sps^{-1}, p) by requiring that the length of sps^{-1} is close to the length of p. This in turn requires that p should lie in its super summit set (SSS) [23]. We know that USS ⊂ SSS. Therefore, if we can work with the braids suggested by Prasolov, it is possible to instantiate our proposal with braid groups in a secure manner. Moreover, at present, there are no known quantum algorithms for solving the CSP problem over braid groups. In particular, it is difficult to deal with the CSP problem over braid groups from the perspective of HSPs [8]. This suggests that if we can implement the CSP-DHIES encryption scheme by using the braids suggested by Prasolov, then the resulting scheme has the potential to resist currently known quantum attacks.

5.2. Security and efficiency issues in computing and representing F(A^s, B)

To put our proposal into practice, we must compute and represent F(A^s, B) in a secure and efficient manner.
Therefore, the following issues must be taken into account:
• First, the basic semigroup operations on matrices (i.e., multiplication and inversion) can be carried out efficiently. This also implies that the lengths of the representations of all elements in G, including A, B, A^s, and F(A^s, B), are polynomial in the system security parameters, because the results have to be output bit-by-bit by using classical computers.
• Second, although extracting the secret key s from the given public key F(A^s, B) is not equivalent to solving the CSP problem, we have no means to derive s without solving the problem of extracting A^s from the given pair (B, F(A^s, B)), which is an instance of the CSP problem over the aforementioned matrix monoid G. In fact, one can see that even if A^s is known, extracting s is equivalent to solving a DLP over certain rings. Therefore, extracting s from the given triple (A, B, F(A^s, B)) over G seems at least as challenging as solving the CSP instance (B, F(A^s, B)) over G. Certainly, s should be large enough to resist an exhaustive search, considering that both matrices A and B are publicly known.
• Third, the representation of the matrix F(A^s, B) should not reveal any information about A^s and s. Otherwise, our proposal could suffer from the so-called length-based attacks.
• Fourth, for computing F(A^s, B), we should first compute A^s, followed by one inversion and two multiplications in the underlying noncommutative monoid G. When s is large, say several hundred digits, rather than multiplying A by itself s times, a "successive squaring" method should be employed; thus, a factor of ⌈log s⌉ must be taken into consideration in performance evaluations.
Now, let us proceed to analyze the parameter sizes and the computational overhead of the proposed scheme. The CSP-DHIES scheme integrates a symmetric encryption scheme SYM, a message authentication code scheme MAC, and a hash function H; in our proposal, SYM, MAC, and H are intentionally left unspecified. Thus, in the following analysis, we omit the parameters for specifying them and the computational overhead for performing the underlying symmetric encryption/decryption, MAC generation/verification, and hash computation. For clarity, let |G| denote the representation size (in bits) of an element in the aforementioned matrix monoid G. Without loss of generality, we assume that the representation size of each of the parameters G, A, B, T, K[A, B], and ι is |G|. Now, let M and I denote the multiplication operation and the inversion operation in G, respectively. Then, besides SYM, MAC, and H, the additional parameter sizes and the computational overhead of the proposed CSP-DHIES scheme are summarized in Table I. Note that after key generation, A^s and its inverse have already been worked out and can be kept as the equivalent decryption key. Thus, we neglect the calculation of A^s and its inverse in the decryption algorithm, although we need to account for the related storage cost of the equivalent decryption key.

Table I. Efficiency analysis of the CSP-DHIES.

Algorithm/parameter    Computation            Size
System parameters      –                      6|G|
Public key             (⌈log s⌉ + 2)M + I     |G|
Secret key             –                      2|G|
Encryption             (⌈log t⌉ + 4)M + I     |G|
Decryption             2M                     –

From the above table, we can see that both the additional parameter sizes and the additional computation overheads are acceptable.
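As an added illustration that is not code from the paper, the following Python sketch instantiates the DHIES-style pipeline discussed above (key generation with successive squaring, encryption, and the verify-then-decrypt check of equations (44)–(46)) over a constructed toy platform: 2×2 integer matrices modulo a prime instead of the paper's monoid of truncated multi-variable polynomials over ℤ12, with SHA-256 as H, an XOR keystream as SYM, and HMAC-SHA256 as MAC. All of these choices and the sample matrices are assumptions for the demonstration, and the toy parameters carry no security claim.

```python
import hashlib
import hmac

# Constructed toy platform: 2x2 matrices over Z_P, P prime. The paper's monoid of
# truncated multi-variable polynomials over Z_12 is NOT what is implemented here.
P = 1_000_003

def mat_mul(X, Y):  # multiplication M in G
    return tuple(tuple(sum(X[i][k] * Y[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def mat_inv(X):  # inversion I in G via the 2x2 adjugate; raises ValueError if singular
    (a, b), (c, d) = X
    di = pow((a * d - b * c) % P, -1, P)
    return ((d * di % P, -b * di % P), (-c * di % P, a * di % P))

def mat_pow(X, e):  # A^e by successive squaring: about ceil(log e) multiplications
    R = ((1, 0), (0, 1))
    while e:
        if e & 1:
            R = mat_mul(R, X)
        X, e = mat_mul(X, X), e >> 1
    return R

def F(X, Y):  # conjugation F(X, Y) = X Y X^-1: one inversion plus two multiplications
    return mat_mul(mat_mul(X, Y), mat_inv(X))

def derive_keys(K):  # encKey || macKey <- H(iota(K)); iota is a fixed byte encoding
    h = hashlib.sha256(",".join(str(v) for row in K for v in row).encode()).digest()
    return h[:16], h[16:]

def sym(key, data):  # toy SYM: XOR with a SHA-256 counter keystream (enc == dec)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def keygen(A, B, s):  # public key pk = F(A^s, B) for secret exponent s
    return F(mat_pow(A, s), B)

def encrypt(A, B, pk, t, m):  # ciphertext (X, Y, Z) under ephemeral exponent t
    At = mat_pow(A, t)
    X = F(At, B)
    encKey, macKey = derive_keys(F(At, pk))  # F(A^t, pk) = A^(s+t) B A^-(s+t)
    Y = sym(encKey, m)
    Z = hmac.new(macKey, Y, hashlib.sha256).digest()
    return X, Y, Z

def decrypt(A, s, c):  # eqs (44)-(46): rederive keys from F(A^s, X), check tag, decrypt
    X, Y, Z = c
    encKey, macKey = derive_keys(F(mat_pow(A, s), X))  # same A^(s+t) B A^-(s+t)
    if not hmac.compare_digest(hmac.new(macKey, Y, hashlib.sha256).digest(), Z):
        return None  # reply with bottom: invalid ciphertext
    return sym(encKey, Y)
```

Because A^s and A^t commute, both parties reach the same conjugate A^(s+t) B A^-(s+t) even though A and B do not commute; a tampered Y or a wrong secret exponent fails the MAC check and yields ⊥ before any plaintext is released.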
6. CONCLUSION

In this paper, we reviewed the well-known Diffie–Hellman integrated encryption scheme (DHIES) defined over cyclic groups. Under the intractability assumption of the CSP for a special monoid of matrices over truncated multi-variable polynomials over the ring ℤ12, we developed some related cryptographic assumptions, including the CSP-based HDH assumption and the CSP-based ODH assumption. We then constructed a CSP-based DHIES variant that is proven to be secure in the standard model. As far as we know, this is the first noncommutative variant of DHIES. Considering that the DLP is vulnerable to existing quantum attacks and there is no known quantum algorithm for solving the CSP problem over the suggested platform, our proposal may be an effective alternative in the post-quantum era.
ACKNOWLEDGEMENTS

This work is supported by the National Natural Science Foundation of China (Grant Nos. 60973159, 60821001, 61070251 and 61003285), the Foundation for the Author of National Excellent Doctoral Dissertation of China (FANEDD) (Grant No. 200951), the Asia 3 Foresight Program (Grant No. 61161140320), and the China National Basic Research Program of China (973 Program) (No. 2007CB311203).
REFERENCES

1. Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22(5): 644–654.
2. Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 1978; 21(2): 120–126.
3. ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985; 31(4): 469–472.
4. Shor P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 1997; 5: 1484–1509.
5. Proos J, Zalka C. Shor's discrete logarithm quantum algorithm for elliptic curves. Quantum Information and Computation 2003; 3: 317–344.
6. Kitaev A. Quantum measurements and the Abelian Stabilizer Problem. Electronic Colloquium on Computational Complexity (ECCC) 1996; 3(3): 1–22.
7. Rötteler M. Quantum algorithms: a survey of some recent results. Informatik – Forschung und Entwicklung 2006; 21(1): 3–20.
8. Wang L, Wang L, Cao Z, Yang Y, Niu X. Conjugate adjoining problem in braid groups and new design of braid-based signatures. Science in China Series F: Information Sciences 2010; 53(3): 524–536.
9. Hughes J. The LeftSSS attack on Ko–Lee–Cheon–Han–Kang–Park key agreement protocol in B45. Rump Session, Crypto 2000.
10. Hughes J. A linear algebraic attack on the AAFG1 braid group cryptosystem. In The 7th Australasian Conference on Information Security and Privacy (ACISP 2002), Lecture Notes in Computer Science, vol. 2384, Batten LM, Seberry J (eds). Springer-Verlag: New York, 2002; 176–189.
11. Abdalla M, Bellare M, Rogaway P. The oracle Diffie–Hellman assumptions and an analysis of DHIES. In CT-RSA 2001, Lecture Notes in Computer Science, vol. 2020, Naccache D (ed). Springer: Heidelberg, 2001; 143–158.
12. Dehornoy P. Using shifted conjugacy in braid-based cryptography. Contemporary Mathematics 2006; 418: 65–74.
13. Longrigg J, Ushakov A. Cryptanalysis of shifted conjugacy authentication protocol. Journal of Mathematical Cryptology 2008; 2: 107–114.
14. Grigoriev D, Shpilrain V. Authentication from matrix conjugation. Groups, Complexity and Cryptology 2009; 1(2): 199–205.
15. Prasolov M. Small braids having a big ultra summit set. http://arxiv.org/abs/0906.0076
16. Bellare M, Rogaway P. Minimizing the use of random oracles in authenticated encryption schemes. In The First International Conference on Information and Communication Security (ICICS'97), Lecture Notes in Computer Science, vol. 1334, Han Y, Okamoto T, Qing S (eds). Springer-Verlag: New York, 1997; 1–16.
17. Eric W. Conjugate Element. http://mathworld.wolfram.com/ConjugateElement.html
18. Bellare M, Desai A, Pointcheval D, Rogaway P. Relations among notions of security for public-key encryption schemes. In Advances in Cryptology (CRYPTO'98), Lecture Notes in Computer Science, vol. 1462, Krawczyk H (ed). Springer, 1998; 26–45.
19. Wang L, Wang L, Cao Z, Okamoto E, Shao J. New constructions of public-key encryption schemes from conjugacy search problems. In The 6th China International Conference on Information Security and Cryptology (Inscrypt 2010), Lecture Notes in Computer Science, vol. 6584, Lai X, Yung M, Lin D (eds). Springer-Verlag: New York, 2011; 1–17.
20. Birman JS, Gebhardt V, González-Meneses J. Conjugacy in Garside groups I: cyclings, powers, and rigidity. Groups, Geometry and Dynamics 2007; 1(3): 221–279.
21. Birman JS, Gebhardt V, González-Meneses J. Conjugacy in Garside groups III: periodic braids. Journal of Algebra 2007; 316(2): 746–776.
22. Birman JS, Gebhardt V, González-Meneses J. Conjugacy in Garside groups II: structure of the ultra summit set. Groups, Geometry and Dynamics 2008; 2(1): 16–31.
23. Dehornoy P. Braid-based cryptography. Contemporary Mathematics, American Mathematical Society 2004; 360: 5–33.