English Pages 133 Year 2020
Semirings as Building Blocks in Cryptography
By Mariana Durcheva

This book first published 2020
Cambridge Scholars Publishing
Lady Stephenson Library, Newcastle upon Tyne, NE6 2PA, UK

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Copyright © 2020 by Mariana Durcheva

All rights for this book reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owner.

ISBN (10): 1-5275-4170-3
ISBN (13): 978-1-5275-4170-2
CONTENTS
Acknowledgements  viii
Preface  ix

Chapter One  1
  Introduction

Chapter Two  4
  The Role of Different Algebraic Structures as Building Blocks in Public Key Cryptography
  2.1 Discrete Logarithms in Finite Fields  4
    2.1.1 Definitions  4
    2.1.2 Public key cryptosystems based on the Discrete Logarithm Problem  5
    2.1.3 Generic algorithms for solving the Discrete Logarithm Problem  8
    2.1.4 Index Calculus algorithms for finite fields  10
  2.2 Group Based Cryptography  12
    2.2.1 The Discrete Logarithm Problem in abelian groups  12
    2.2.2 The Discrete Logarithm Problem in nonabelian groups  13
    2.2.3 Groups used as platforms for cryptosystems  17
  2.3 The Discrete Logarithm Problem in Rings and Semirings  22
    2.3.1 The Diffie-Hellman protocol in terms of formal algebra – a parallel between groups and rings  22
    2.3.2 The Discrete Logarithm Problem in noncommutative rings  24
    2.3.3 The Discrete Logarithm Problem and cryptography using semirings  26
    2.3.4 Semirings and cryptography  28
  Bibliography to Chapter One and Chapter Two  31

Chapter Three  53
  The Role of Idempotent Semirings
  3.1 Idempotent Algebra  53
    3.1.1 Dioids as lattices  56
    3.1.2 Residuated maps  58
    3.1.3 Semimodules over idempotent semirings  59
    3.1.4 Residuated lattices  62
    3.1.5 Construction of complete dioid  63
    3.1.6 Matrices defined over idempotent semifields  65
    3.1.7 Residual operations over matrix semimodules  69
    3.1.8 Max-plus algebra  70
    3.1.9 Min-plus algebra  73
    3.1.10 Max-time algebra  77
    3.1.11 Min-time algebra  78
  3.2 Linear Equations  80
  3.3 Applications of Idempotent Algebra in Cryptography  84
  Bibliography to Chapter Three  87

Chapter Four  96
  Distributed Multicast Key-Exchange Protocol Based on Idempotent Semirings
  4.1 Definitions and Motivation to Study  96
  4.2 Distributed Secure Multicast Protocol  98
  Bibliography to Chapter 4  102

Chapter Five  104
  Endomorphism Semirings and Certain Cryptographic Protocols Based on Them
  5.1 Endomorphism Semirings  104
  5.2 Simplices and Simplicial Complexes  107
  5.3 Cryptography Based on Endomorphism Semirings  112
    5.3.1 Motivation, basic definitions and notations  112
    5.3.2 Three key-exchange protocols based on endomorphism semirings  115
    5.3.3 Four key exchange protocols using right identities of the simplex  117
  Bibliography to Chapter 5  121
ACKNOWLEDGEMENTS
This book is the revised, updated and expanded version of my monograph “Applications of Some Algebraic structures in cryptography”, published in 2015 in Bulgarian under the editing of Prof. Ivan Trendafilov to whom I would like to express my sincere gratitude.
PREFACE
Nowadays, when most communication between people takes place over the Internet, information protection is crucial. With the development of virtual business and e-commerce, data sharing through unprotected public channels is expanding. The role of cryptography is to protect users’ data from malicious intrusions. Public-key cryptography underlies the security features of many applications, such as signed and encrypted email, single sign-on, and Secure Sockets Layer (SSL) communications. Public-key cryptography introduces the concept of key pairs: one key for encrypting, the other for decrypting. Various approaches are used to create key exchange protocols. In this book we show the role of some algebraic structures as building blocks for these protocols. We first review and analyze some algebraic structures that have already been used to build cryptographic protocols – finite fields, groups and rings. Then we discuss the role in cryptography of structures that are either not used for such purposes or used only in a limited way. Such structures are idempotent semirings and semirings of the endomorphisms of a finite chain. Based on these studies, several key exchange protocols are developed. We hope that “Semirings as building blocks in cryptography” will be useful not only for cryptographers and specialists in Applied Algebra, but also for students of Cryptography or Applied Algebra.
CHAPTER ONE INTRODUCTION
Let us answer the following questions honestly: Do the measures now used to increase information security offer comfort to ordinary people, or do these measures provide the protection we think we need? Nowadays, when the Internet is the main means of communication between millions of people around the world and constitutes an important trading tool, e-security is becoming extremely important. There are many aspects of security, including security in e-commerce, e-money, peer-to-peer communications, password protection and digital signatures. One of the main aspects of secure communications is ensured by cryptography.

Cryptography is a centuries-old science. The term cryptography comes from the Greek words κρυπτός – hidden and γράφω – to write. In the past, it was used primarily by military and diplomatic organizations to ensure the secrecy of their messages. The first data on the application of cryptography are from 1900 BC in ancient Egypt, where special hieroglyphs were used for this purpose. Nowadays, the role of cryptography has radically changed: it includes protection of information. With the development of virtual business and e-commerce, data sharing through unprotected public channels is expanding. Since users who share information on unprotected channels are usually remote from each other, the low level of protection can tempt some malicious individuals to perform prohibited acts, such as disclosing confidential information, secretly modifying data, falsifying facts and so on.

In each cryptographic system, from a security point of view, the following requirements need to be met:
• Authentication: This is the process of establishing the authenticity of the subject.
• Confidentiality: This is to ensure the confidentiality of information, i.e., ensuring that the message you send will be read only by the person for whom it is intended.
• Data integrity: The aim is to ensure correct transmission of messages between users without changes, additions, deletions or modifications.
• Indisputability (non-repudiation): The aim is to ensure the origin of each message, so that the person who sent it cannot subsequently deny his authorship.

Encryption and decryption processes are managed by cryptographic keys. There are two types of cryptosystems: symmetric key cryptosystems (private-key cryptosystems), where the encryption and decryption procedures are performed with the same key, and asymmetric key cryptosystems, which are more often called public-key cryptosystems. Asymmetric cryptosystems use two different types of keys – encryption keys and decryption keys: the encryption key is public and the decryption key is secret. Public key cryptosystems are used on unprotected channels, or when users are remote from each other and are unable to communicate directly. Because asymmetric algorithms are much slower than symmetric ones, the two types of algorithms are used in combination to optimize the speed of communication without compromising security.

Public key cryptosystems rely on the hardness of two main problems: the problem of integer factorization and the discrete logarithm problem. Of course, there is no strong evidence that these two problems are really hard. We recall that Peter Shor in [273] presented an algorithm for these problems that runs in polynomial time on a theoretical quantum computer. While some cryptographers doubt the possibility of physically implementing this model, the US National Security Agency (NSA) is concerned enough about this possibility to warn that government and industry should move away from these cryptosystems in the "not too far future" [232]. The most important question in public key cryptography (the question P ≠ NP?) is not yet solved. So, it can be concluded that most cryptographic primitives rely on unproven assumptions.
Some researchers (see [18]) advocate so-called "reduction-based security", which means "to reduce the security of a great many cryptographic constructions to a relatively small number of simple-to-state and widely studied assumptions". In public key cryptography there are two main approaches: the first deals with algebraic (group-theoretical) constructions and is based on integer factoring and the discrete logarithm problem; the second deals with geometric (coding/lattice) constructions and relies on computational problems on linear codes or integer lattices for its security. To the first type can be assigned the RSA cryptosystem (based on the problem of integer factoring) [253], the Diffie-Hellman key exchange (based on the discrete logarithm problem) [83] and its elliptic curve variants ([213], [175]), the ElGamal encryption scheme [93], the Rabin-Miller test [249], and the Goldwasser-Micali scheme [126]. To the second type can be assigned the McEliece cryptosystem [205], the Goldreich-Goldwasser-Halevi cryptosystem [125] and its variants, the NTRU cryptosystem invented by Hoffstein, Pipher and Silverman [147], and knapsack cryptosystems [211]. It is known that the complexity of the algorithms for an "algebraic" cryptosystem is of the type NP ∩ coNP. According to [18], both hard problems – integer factoring and discrete logarithm – fall into the class TFNP, the class of NP search problems where every input is guaranteed to have a solution. Problems in this class cannot be NP-hard unless NP = coNP. The complexity of "geometric" constructions is NP ∩ coNP or SZK.

The aim of the present work is to investigate some algebraic structures that have so far not been used in cryptography and to consider the use of these structures as platforms for cryptographic protocols. The monograph consists of four main chapters. The first of them has an introductory character, focusing on the applications of one of the basic "one-way" functions in public key cryptography, namely discrete logarithms. The discrete logarithm problem over finite fields, in groups and in semirings is considered. The second of them is devoted to idempotent semirings, also termed dioids, which can be used as building blocks for various cryptosystems. The third of them considers distributed multicast key management, and a key-exchange protocol based on idempotent semirings is proposed. The fourth of them deals with endomorphism semirings of a finite chain; the concepts of simplices and simplicial complexes are examined as well. Several cryptographic protocols are built on these semirings.
CHAPTER TWO THE ROLE OF DIFFERENT ALGEBRAIC STRUCTURES AS BUILDING BLOCKS IN PUBLIC KEY CRYPTOGRAPHY
2.1 Discrete Logarithms in Finite Fields

2.1.1 Definitions

Encryption has become tangibly more and more important in our everyday life. Many of the methods used to keep our communications secret and our important information private involve the Discrete Logarithm Problem (DLP) in some way. The difficulty of the DLP underlies the security of many algorithms in public key cryptography, for performing tasks such as exchanging secret keys via public channels, authentication of electronic messages, digital signatures, and so on.

Definition. Let g be a generator of the group F_q^*. For all nonzero elements h of F_q, the discrete logarithm of h to the base g (denoted log_g(h)) is the least nonnegative integer t of the set {0, …, q−2} such that g^t = h. Note that log_g(h) is unique modulo q − 1.

Definition. The Discrete Logarithm Problem in a finite field is: for the finite field F_q with a generator g of the group F_q^* and for the element h ∈ F_q^*, calculate the discrete logarithm log_g(h).

The discrete logarithm problem in a finite prime field F_p is equivalent to the problem of the solvability of the exponential Diophantine equation g^t = h + px; in other words, the discrete logarithm problem in a prime field F_p can be viewed as a Diophantine function (see [330] for more details).
Some authors (as in [319]) examined the discrete logarithm problem as a formal problem specification, depending on what is known about the order of the cyclic group:
• DLP (Discrete Logarithm Problem) – when the order of the cyclic group is unknown;
• DLKOP (Discrete Logarithm with Known Order Problem) – when the order of the cyclic group is known;
• DLKOFP (Discrete Logarithm with Known Order Factorization Problem) – when the factorization of the order of the cyclic group is known.
2.1.2 Public key Cryptosystems based on the Discrete Logarithm Problem

The Diffie-Hellman key exchange protocol. In 1976 Whitfield Diffie and Martin Hellman published the paper New Directions in Cryptography ([83]), in which they proposed an algorithm that allows two users (called Alice and Bob for convenience) to communicate via an insecure (public) channel, creating a common secret key for this purpose. The Diffie-Hellman Key Exchange Protocol consists of the following steps:
1. Alice and Bob publicly agree on the finite field F_q, as well as on a primitive element g ∈ F_q^*.
2. Alice and Bob choose respectively integers a and b from the set {2, …, q−2}. These integers are their secret keys.
3. Alice computes g^a and transmits it to Bob (g^a is her public key), while Bob computes g^b and transmits it to Alice (g^b is his public key).
4. Alice computes k_a = (g^b)^a = g^{ba} and Bob computes k_b = (g^a)^b = g^{ab}.
At the end of the protocol, both users obtain the same secret key k = k_a = k_b.

Definition. The problem of finding g^{ab} in the field F_q for given g, g^a and g^b is called the Diffie-Hellman Problem (DHP).

It is clear that if we can solve the DLP, then we can solve the DHP; however, the converse has not been proven so far. For most groups, the two problems (DLP and DHP) are considered to be of similar complexity (see [26], [43], [64], [176], [178], [328]). Some authors (see, for example, [296]) discussed two variants of the Diffie-Hellman problem: the Computational Diffie-Hellman problem (CDH) and the Decisional Diffie-Hellman problem (DDH). In [49] and [201], several improvements of the Diffie-Hellman protocol are proposed. The Diffie-Hellman key exchange protocol is standardized: ANSI X9.42 ([13]). Furthermore, it is the basis of a number of protocols, such as TLS.

The ElGamal cryptosystem. In 1985 Taher ElGamal ([93]) published a public key cryptosystem, which is the following protocol:

Key generation
1. Alice selects the finite field F_q and a primitive element g of this field.
2. Alice selects a random integer a ∈ {2, …, q−1}, which is her secret key.
3. Alice computes k_a = g^a and publishes her public key (F_q, g, k_a).

Encryption
1. Bob encodes the message m that he wants to send to Alice as an element of the field F_q, using a public encoding scheme.
2. Bob selects a random integer b ∈ {2, …, q−1}, which is his secret key.
3. Bob computes c1 = g^b and c2 = (k_a)^b · m.
4. Bob sends Alice the encrypted message (c1, c2).

Decryption
1. Alice receives the encrypted message (c1, c2).
2. Alice computes c1^{−a} · c2 = (g^b)^{−a} · (g^a)^b · m = g^{−ab} · g^{ab} · m = m.
3. Alice decodes the message sent by Bob from the recovered m, with the help of the same public encoding scheme used by Bob.

Some authors (see, for example, [233]) stated that the security of the ElGamal cryptosystem is equivalent to that of the Diffie-Hellman protocol, and that the algorithms used to solve the Diffie-Hellman problem can also be used to break the ElGamal cryptosystem, and vice versa. Various modifications of the ElGamal cryptosystem can be found in [16], [44], [56], and [188].

The Digital Signature Scheme (DSS). In the same paper [93], ElGamal also introduced a digital signature scheme, which owes its security to the difficulty of solving the discrete logarithm problem. In 1994, a version of this scheme was accepted as a standard in the United States for public use (NIST standard). The ElGamal digital signature scheme (DSS) has undergone a number of modifications (see [314]). We briefly describe the idea of the ElGamal digital signature scheme. It consists of three phases:
• The first phase is key generation, or distributed key generation (DKG), during which an appropriate large prime finite field F_p and a secret key are selected. In addition, at this stage the public key is computed. Some improvements to the algorithm for this first phase are proposed in [132].
• The second phase is message signing.
• The third phase is signature verification.
Peter Schnorr ([269]) suggested a variant of the ElGamal scheme which has some advantages over the classical ElGamal scheme; for example, the Schnorr scheme is not vulnerable to the "adaptive chosen message" attack (see [242]). In order to make the ElGamal scheme more resistant to attacks of the type mentioned, a number of authors (see [311], [327], [328]) proposed improvements to the ElGamal scheme. A modification of the ElGamal scheme is presented in [201]. In [237] it is demonstrated that breaking the Schnorr scheme is not equivalent to solving the DLP. The free software GnuPG uses ElGamal DSS as a standard for digital signatures (see [207], [229]). This scheme is also the basis of the products OpenSSL and Pretty Good Privacy (PGP), as well as of other software (see [236]).
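As an added illustration (not code from the book), the Diffie-Hellman exchange and the ElGamal encryption and decryption steps above run over a small constructed prime field F_p with p = 3023 = 2·1511 + 1; the parameters are toy-sized so that every value can be checked by hand, and the function names are my own.

```python
"""Diffie-Hellman key exchange and ElGamal over F_p (added example, not the book's code)."""
import secrets

# Constructed toy parameters: p = 2q + 1 with q = 1511 prime (a safe prime),
# so checking that g generates F_p^* needs only two exponentiations.
P = 3023
G = 5


def is_generator(g, p):
    """For a safe prime p = 2q + 1, g generates F_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def random_secret(p):
    """Secret exponent drawn from {2, ..., p-2}, as in step 2 of the protocol."""
    return 2 + secrets.randbelow(p - 3)


def dh_public(secret, p, g):
    """Step 3: the public value g^a (or g^b) that is sent over the channel."""
    return pow(g, secret, p)


def dh_shared(their_public, my_secret, p):
    """Step 4: k_a = (g^b)^a and k_b = (g^a)^b coincide because both equal g^(ab)."""
    return pow(their_public, my_secret, p)


def elgamal_keygen(p, g):
    """Key generation: secret a and public key (p, g, k_a = g^a)."""
    a = random_secret(p)
    return a, (p, g, pow(g, a, p))


def elgamal_encrypt(public_key, m):
    """Encryption: fresh b, c1 = g^b, c2 = k_a^b * m; m must already be an element of F_p^*."""
    p, g, ka = public_key
    if not 1 <= m < p:
        raise ValueError("message must be encoded as an element of F_p^*")
    b = random_secret(p)
    return pow(g, b, p), pow(ka, b, p) * m % p


def elgamal_decrypt(a, p, ciphertext):
    """Decryption: c1^(-a) * c2 = g^(-ab) * g^(ab) * m = m (negative exponent needs Python 3.8+)."""
    c1, c2 = ciphertext
    return pow(c1, -a, p) * c2 % p


def demo(m=1234):
    """Run both protocols once and return the consistency checks as a dict."""
    a, b = random_secret(P), random_secret(P)
    k_a = dh_shared(dh_public(b, P, G), a, P)   # Alice's view of the shared key
    k_b = dh_shared(dh_public(a, P, G), b, P)   # Bob's view of the shared key
    secret, public_key = elgamal_keygen(P, G)
    recovered = elgamal_decrypt(secret, P, elgamal_encrypt(public_key, m))
    return {"generator_ok": is_generator(G, P),
            "dh_keys_match": k_a == k_b,
            "elgamal_roundtrip": recovered == m}


if __name__ == "__main__":
    print(demo())
```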
It is predicted that in the near future the discrete logarithm problem will not be difficult to solve, and this will affect the key lengths of the cryptosystems that owe their security to this problem (see [186]). There have been various attempts to find the explicit form of the discrete logarithm over some finite fields. Mullen and White in [222] for the first time gave an explicit form of the discrete logarithm over special finite fields. Meletiou [209] and Niederreiter [230] showed the explicit form of the discrete logarithm over the field GF(p, k) (see also [208]). Wan improved their results in [321]. These explicit forms are of little value for cryptographic purposes, and we will not focus our attention on them. In recent years, a number of papers have appeared on polynomial approximation of discrete logarithms over a finite field (see [48], [171], [182], and [206]).
2.1.3 Generic algorithms for solving the Discrete Logarithm Problem

Some known attacks on the discrete logarithm problem are considered in [94] and [170]. An algorithm that computes a discrete logarithm is called generic if it can solve the DLP in an arbitrary finite cyclic group.

The Baby-step, giant-step algorithm. This algorithm was first proposed by Shanks [271], and it is a generic method applicable to every cyclic group. Let G = ⟨g⟩ be a cyclic group of prime order p, and h ∈ G. We want to find the value of the integer k (0 ≤ k ≤ p−1) modulo p such that h = g^k. Let k = k0 + k1·⌈√p⌉. Then (since k ≤ p−1) the following inequalities hold: 0 ≤ k0, k1 ≤ ⌈√p⌉ − 1. It is clear that to find k, it is enough to find the values of k0 and k1. The baby-step consists of computing g_i = g^i for 0 ≤ i ≤ ⌈√p⌉; the giant-step consists of computing h_j = h · g^{−j⌈√p⌉} for 0 ≤ j ≤ ⌈√p⌉. Then the algorithm tries to find a match between the individual values in the tables obtained in the two steps, i.e. the goal is to find g_i and h_j for which g_i = h_j. Each element that is common to both tables allows us to find the discrete logarithm of h, since g^i = h · g^{−j⌈√p⌉} gives k = i + j⌈√p⌉. For each cyclic group of prime order p, this algorithm has running time O(√p); it also requires O(√p) memory to store the values in the tables.

The Pollard ρ method. The main idea for solving the DLP g^k ≡ h (mod p) in F_p^* is to find a match between g^i h^j and g^l h^m for some known exponents i, j, l, m (see [248]). Then g^{i−l} = h^{m−j}, and by taking roots in F_p we solve the problem of representing h as a power of g. The difficulty is to find a function f : F_p → F_p which is both easy to compute and seemingly random. If the function f : F_p → F_p has these properties, then the expected running time of the algorithm is O(√p) group multiplications. In [303] E. Teske suggested an alternative method for the series of generators. Better parameters for Teske's iteration function were achieved in [17], [172], [214]. In [235] a parallel search for matches was considered, which is used in cryptography. A new efficient matching algorithm for the Pollard ρ method was presented in [322]. Some ways to speed up the Pollard ρ method were discussed in [63]. At the same time, Pollard suggested another method, called the λ method (see [248]). Like the ρ method, the λ method is based on finding a sequence of collisions, and the complexity of the algorithm is estimated by the so-called birthday paradox. In 2000, Pollard published an article ([247]) in which he revised both methods using improvements suggested by different authors.

The Pohlig-Hellman algorithm. This algorithm ([242]) works in any cyclic group. In [51] it is shown that the discrete logarithm problem in a cyclic group G can be reduced to the DLP in cyclic groups of prime order if the factorization of the group order is known:

n = |G| = ∏_{p | n} p^{ε(p)}.

Here ε(p) denotes the maximal power such that p^{ε(p)} divides n. Let us assume that we can factorize the integer p − 1 into prime factors:

p − 1 = ∏_{i=1}^{s} q_i^{α_i}.

Then the Pohlig-Hellman algorithm works in 3 steps:
• Step 1 consists of creating a table of numbers;
• In Step 2, the table from Step 1 is used for obtaining the values of log_g h (mod q_i^{α_i}), i = 1, …, s;
• In Step 3, the Chinese remainder theorem is used to compute log_g h (mod p − 1) from the obtained values log_g h (mod q_i^{α_i}).
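The baby-step giant-step algorithm and the Pohlig-Hellman reduction described above, as an added worked example that is not the book's code: each prime-power factor q^e of p − 1 is handled one base-q digit at a time, every digit being a DLP of prime order q solved by baby-step giant-step, and the Chinese remainder theorem reassembles log_g h mod p − 1 (Steps 2 and 3). The prime p = 7681 (with 7680 = 2^9 · 3 · 5) and all function names are my own constructions.

```python
"""Baby-step giant-step and the Pohlig-Hellman reduction in F_p^* (added example)."""
from math import isqrt


def baby_step_giant_step(g, h, order, p):
    """Return k with g^k = h (mod p), 0 <= k < order, where g has the given order.

    Baby steps tabulate g^i for 0 <= i < m; giant steps walk h * g^(-j*m) for
    0 <= j < m and look for a table hit, which gives h = g^(i + j*m).
    Time and memory are both O(sqrt(order)).
    """
    m = isqrt(order) + 1                 # m > sqrt(order), so i + j*m covers [0, order)
    table = {}
    gi = 1
    for i in range(m):                   # baby steps
        table.setdefault(gi, i)
        gi = gi * g % p
    step = pow(g, -m, p)                 # g^(-m); negative exponent needs Python 3.8+
    hj = h % p
    for j in range(m):                   # giant steps
        if hj in table:
            return (table[hj] + j * m) % order
        hj = hj * step % p
    raise ValueError("h is not in the subgroup generated by g")


def factorize(n):
    """Trial division: n = prod q^e, returned as {q: e}; adequate for toy sizes."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x mod prod(m_i) (Step 3)."""
    x, mod = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(mod, -1, m) % m
        x += mod * t
        mod *= m
    return x % mod


def dlog_prime_power(g, h, q, e, p):
    """log_g h where g has order q^e: peel off one base-q digit per round, each a DLP
    of prime order q in the subgroup generated by gamma = g^(q^(e-1))."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)
    for k in range(e):
        # g^(-x) * h = g^(x_true - x); raising it to q^(e-1-k) isolates digit k
        hk = pow(pow(g, -x, p) * h % p, q ** (e - 1 - k), p)
        digit = baby_step_giant_step(gamma, hk, q, p)
        x += digit * q ** k
    return x


def pohlig_hellman(g, h, p):
    """log_g h (mod p - 1) for a generator g of F_p^*, using the factorization of p - 1."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factorize(n).items():
        qe = q ** e
        g_i, h_i = pow(g, n // qe, p), pow(h, n // qe, p)   # project into the order-q^e subgroup
        residues.append(dlog_prime_power(g_i, h_i, q, e, p))   # Step 2: log mod q^e
        moduli.append(qe)
    return crt(residues, moduli)


def find_generator(p):
    """Smallest g generating F_p^*: g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    n = p - 1
    primes = factorize(n)
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in primes):
            return g
    raise ValueError("no generator found; is p prime?")


P = 7681          # constructed toy prime; p - 1 = 7680 = 2^9 * 3 * 5 is smooth
G = find_generator(P)

if __name__ == "__main__":
    k = 1234
    print(pohlig_hellman(G, pow(G, k, P), P) == k)
```

Because the largest prime factor of p − 1 is 5, every baby-step giant-step call here has a table of at most three entries, which is exactly the weakness the Sophie Germain and Mersenne-prime choices discussed next are meant to remove.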
The Pohlig-Hellman algorithm has polynomial complexity O((log p)^{C1}) when all prime divisors q_i of p − 1 are smaller than (log p)^{C2}, for nonzero constants C1 and C2. If p − 1 has a prime divisor q such that q ≥ p^C for a positive constant C, then the complexity of the Pohlig-Hellman algorithm becomes exponential (see [317]). For the field F_{2^n} of characteristic 2, it is possible to choose n so that the number 2^n − 1 is prime (a Mersenne prime). In this case, the Pohlig-Hellman reduction presents no benefit to an attacker. For fields of odd characteristic, there exist primes p, known as Sophie Germain primes, with the property that the number 2p + 1 is also prime. Utilizing such numbers minimizes the usefulness of the Pohlig-Hellman reduction (see [80] and [251]).

Lower bounds. In 1997 Victor Shoup improved the results from [228] and defined a lower bound for a cyclic group of order p^r for a prime p (see [274]). In his model, the generic algorithm starts with 1 and g^x; during run-time it maintains a list of group elements g^{s_i}. The discrete logarithm can only be calculated by finding a collision. After m group operations, the probability of a collision is O(m²/p). A combinatorial point of view on generic attacks on the DLP was first suggested by Schnorr ([270]) and was further developed in [60], where characteristics are given for generic attacks on groups of prime order (see also [296]). In [215], the theory of lower bounds for the generic group model of the discrete logarithm problem was developed, constrained by a subset S ⊆ ℤ_p known to the attacker (constrained DLP).
2.1.4 Index Calculus algorithms for finite fields

The term "index calculus" describes a family of algorithms for computing discrete logarithms in which the details of the calculations depend on the fields used (see [233]). The first known method of computing discrete logarithms is due to Adleman ([3]). His algorithm is applicable to prime fields F_p. Recently, an algorithm has been developed for all finite fields [1]. The first generalization to the fields F_{p^n} was given by Hellman and Reyneri ([144]). In [42], this method was improved for an arbitrary field F_{p^n}, and a variant for the field of characteristic 2 (F_{2^n}) was also proposed. Then the last concept was extended by Coppersmith, Odlyzko and Schroeppel in [73], in order to create a fast algorithm (COS) for the field F_{2^n}. The Waterloo algorithm, which is a variant of the index calculus method for computing discrete logarithms in the field F_{2^n}, was suggested in [87]. The possibility of using the factor base for the field F_{p^n} is considered in [29]. The best known algorithm for computing discrete logarithms in the field F_p^* is a variant of the index calculus method called the number field sieve (NFS). In [2] a function field sieve is also considered. Different improvements of the NFS algorithm were suggested in [161], [263]–[268]. A variant of the index calculus method for computing discrete logarithms on an algebraic torus was shown in [134].

We will briefly discuss the index calculus method. Let us consider the equation g^x = h, where g, h ∈ (ℤ/pℤ)^*, p is prime, and g is of order p − 1 (modulo p). The first step of the algorithm is to choose a factor base B, which is a subset consisting of "small" prime numbers. The second step is to compute the discrete logarithm of the selected element h, using the discrete logarithms of the elements of the factor base. A new methodology for this phase of the algorithm is proposed in [237]. The complexity of the Adleman algorithm is L_p(1/2; c); the COS algorithm achieves L_p(1/2; 1); the complexity of the NFS algorithm is L_p(1/3; 1.923) (see [148], [210], [317]). The index calculus method for solving the DLP in the field F_p^* is subexponential (see [148], [95]). Progress in computing the discrete logarithm in the multiplicative group of a field of characteristic 2 was achieved by Joux ([159]), whose algorithm for a finite field of order Q = p^n reached the heuristic complexity L_Q(1/4; o(1)). Gary McGuire et al. improved Joux’s algorithm and set a world record for computing the discrete logarithm using a 1971-bit number (see [127]). Recently, quasipolynomial-time algorithms have been shown for discrete logarithms over finite fields of small characteristic [162].
2.2 Group Based Cryptography

Definition. Let G be a finite cyclic group of order n. Let g be a generator of G and let h ∈ G. Then the discrete logarithm of h to the base g (denoted by log_g(h)) is the unique integer x in the interval 0 ≤ x ≤ n − 1 such that g^x = h.

In the cryptographic literature, two main approaches to group-based cryptography are considered: the first suggests using abelian groups, the second nonabelian ones (see [309]). To investigate the possibility of using a group as the platform of a cryptographic protocol, attention should be paid to several questions: how should the group be specified, and what properties should a given group, taken as a potential candidate, have in order to serve as a platform for building cryptographic protocols; what algorithmic problem should form the basis of the protocol; what are the general principles of the proposed constructions, and which conditions provide the resilience of the cryptosystem?
2.2.1 The Discrete Logarithm Problem in abelian groups

Here we will briefly discuss some of the applications of abelian groups in public key cryptography. Simon Blackburn showed in his paper [33] that by using Picard groups of finite graphs, the DLP can be efficiently solved in Biggs's groups. The same author in [34] breaks the Arifin-Abu cryptosystem, indicating that the discrete logarithm problem in this case is easily computable. In [35], a cryptosystem based on Drinfeld modules is considered; it is shown that this cryptosystem is insecure. In several papers the use of cyclic subgroups of matrix groups is suggested, but in these groups the DLP is not harder than the DLP over the multiplicative group of the finite field (see [184] for details). In [194], an ElGamal-like public-key cryptosystem is proposed in which the order of the underlying cyclic group is hidden. In paper [300], a generic algorithm for computing discrete logarithms in a finite abelian p-group is presented. Paper [288] is a survey of twisting commutative algebraic groups and applications to discrete-logarithm-based cryptography. Different applications of the DLP in abelian groups can be found in [111]–[115].

To the cryptosystems based on the DLP in abelian groups can also be assigned the cryptosystems operating in groups of points of elliptic curves, as well as those using the Jacobians of hyperelliptic curves. Excluding these examples, it can be summarized that the cryptosystems based on the difficulty of the discrete logarithm problem in abelian groups are not really secure. This is the reason why the cryptographic community focuses on the use of nonabelian groups.
2.2.2 The Discrete Logarithm Problem in nonabelian groups

The idea of using nonabelian groups in cryptography originated with Wagner and Magyarik ([320]) in 1985. Their cryptosystem owes its security to the difficulty of the word problem for finitely presented groups, but the scheme is too theoretical and leaves several issues unresolved. A cryptanalysis of the Wagner-Magyarik scheme can be found in [27], [130], and [187]. There exist finitely presented groups with recursively unsolvable word problem (see [231] for details). Birget et al. in [28] presented a cryptosystem inspired by the Wagner-Magyarik scheme; its cryptanalysis is given in [40] and [131], and the latter article also proves that the cryptosystem of [119] is insecure. Surveys of applications of nonabelian groups in cryptography are [102], [103], [226], and [227]; for the discrete logarithm problem in nonabelian groups in particular, see [153]–[155] and [173].

The conjugator search problem. One possible generalization of the discrete logarithm problem to arbitrary groups is the conjugator search problem, formulated as follows: for two elements a, b of a nonabelian group G, find at least one element $x \in G$ such that $a^x = b$. Here by $a^x$ we understand $x^{-1} a x$. The computational complexity of this problem in some special groups (e.g. the braid group) is used in a number of cryptosystems ([277], [280], and [285]). The conjugator search problem is the basis of the security of the two most popular cryptosystems built on nonabelian groups, namely:
• the Ko, Lee, Cheon, Han, Kang and Park cryptosystem ([174]);
• the Anshel, Anshel and Goldfeld cryptosystem ([11], [12]).
Both of them use the braid group.
Chapter Two
Of course, the braid group is not the only platform for cryptosystems using the conjugator search problem; Thompson's group F, matrix groups, Artin groups and Grigorchuk groups are also used (for details, see [226]). We briefly review the two protocols mentioned above, which are analogues of the Diffie-Hellman key exchange and whose security rests on the conjugator search problem.

Ko-Lee-Cheon-Han-Kang-Park key-exchange protocol. Let G be a nonabelian group and let g be a publicly known element of G. Let A and B be two commuting subgroups of G, given by finite generating sets, such that ab = ba for all $a \in A$, $b \in B$. Alice and Bob, who want to establish a common secret key, do the following:
1. Alice selects an arbitrary element $a \in A$, computes $g^a = a^{-1} g a$ and transmits the obtained value to Bob.
2. Bob selects an arbitrary element $b \in B$, computes $g^b = b^{-1} g b$ and transmits the obtained value to Alice.
3. Alice computes $k_A = (g^b)^a = a^{-1} b^{-1} g b a$, while Bob computes $k_B = (g^a)^b = b^{-1} a^{-1} g a b$.
Since ab = ba (and hence $a^{-1} b^{-1} = b^{-1} a^{-1}$), it follows that $k_A = k_B$.

Anshel-Anshel-Goldfeld key-exchange protocol. The advantage of this protocol is that, unlike the Ko et al. protocol, there is no need to find commuting subgroups A and B of G. In addition, it can be applied to any nonabelian group in which the word problem can be solved efficiently.

Definition. Let S be an arbitrary set. A word w in S is a finite sequence (possibly empty) of elements
$$w = y_1 \cdots y_n, \qquad y_i \in S.$$
The integer n is called the length of the word w.

Definition. The word problem (WP) is the following: for a given recursive presentation of the group G and an element $g \in G$, decide whether g = 1 in G.

Then the protocol consists of the following:
Let G be a nonabelian group and let the elements $a_1, \dots, a_l, b_1, \dots, b_m \in G$ be public. In order to create a common secret key, Alice and Bob proceed as follows:
1. Alice chooses a word x in $a_1, \dots, a_l$ and transmits $b_1^x, \dots, b_m^x$ to Bob.
2. Bob chooses a word y in $b_1, \dots, b_m$ and transmits $a_1^y, \dots, a_l^y$ to Alice.
3. Alice computes $x(a_1^y, \dots, a_l^y) = x^y = y^{-1} x y$ (she substitutes the received conjugates for the generators in her own word x).
4. Bob computes $y(b_1^x, \dots, b_m^x) = y^x = x^{-1} y x$.
5. The shared secret key k is the commutator $[x, y] = x^{-1} y^{-1} x y$. To obtain it, Alice multiplies $y^{-1} x y$ on the left by $x^{-1}$, while Bob multiplies $x^{-1} y x$ on the left by $y^{-1}$ and then takes the inverse of the result: $(y^{-1} x^{-1} y x)^{-1} = x^{-1} y^{-1} x y$.
The security of the protocol rests on the difficulty of the following

Problem. For given elements $x, a_1, \dots, a_l$ of a group G, find a representation (if one exists) of x as a word in $a_1, \dots, a_l$.

It is worth noting that this protocol is not fully specified, as it remains to fix how the elements $a_i$, $b_j$ are selected and how Alice and Bob generate the words x and y, respectively. Some attacks on this protocol can be found in [149], [224], and [225]. Some authors (see [102]) also consider the following

Simultaneous conjugacy search problem. Let G be a finitely presented group and let elements $u_1, \dots, u_k, v_1, \dots, v_k \in G$ be given such that $x^{-1} u_i x = v_i$ for all $i \in \{1, 2, \dots, k\}$ and some (unknown) $x \in G$. The task is to find an element $z \in G$ satisfying $z^{-1} u_i z = v_i$ for all $i \in \{1, 2, \dots, k\}$.

The decomposition problem and protocols based on it. The decomposition problem is the following: in a nonabelian group G, find two elements $a, b \in G$ (usually required to lie in some subgroup of G) with the property $h = a g b$, where g and h are two known elements of the group (see [226]). In general, a protocol whose security is based on the decomposition problem consists of the following:
Two users publicly agree on a group G, an element $g \in G$, and two subgroups $A, B \le G$ whose elements commute, i.e. ab = ba for all $a \in A$, $b \in B$.
1. Alice selects two random elements $a_1, a_2 \in A$. She transmits the value $a_1 g a_2$ to Bob.
2. Bob selects two random elements $b_1, b_2 \in B$. He transmits the value $b_1 g b_2$ to Alice.
3. Alice computes $k_A = a_1 (b_1 g b_2) a_2$, while Bob computes $k_B = b_1 (a_1 g a_2) b_2$.
Since $a_i b_j = b_j a_i$ in G, both products equal $a_1 b_1 g b_2 a_2$, so by the end of the protocol the two users share the secret key $k_A = k_B = k$ (an element of G).

Some modifications of the above protocol are:
• the Shpilrain-Ushakov protocol for "twisted" groups ([281]);
• the Shpilrain-Ushakov protocol for hidden subgroups ([282]);
• the Kurt protocol for triple decomposition ([180]);
• the Stickel protocol ([295]).
We point out that the Shpilrain-Ushakov protocol used Thompson's group as platform, noting that the word problem in this group is solvable in almost linear time. In [86] it was shown that these cryptosystems are not secure. Thompson's group is also used in [313]. Stickel employed matrix groups as the platform for his protocol, which was broken by Sramka [291], Shpilrain [278], and Mullan [220].

Logarithmic signatures and cryptosystems using them. A logarithmic signature for a finite group G is an ordered n-tuple $(A_1, A_2, \dots, A_n)$ of subsets $A_i$ of G such that every element $g \in G$ can be represented in a unique way in the form $g = a_1 \cdots a_n$ with $a_i \in A_i$. A natural way to construct a logarithmic signature for a group G is to select subgroups forming a chain $1 = G_0 < G_1 < \dots < G_n = G$. Let $A_i$ be a set of representatives of the cosets of $G_{i-1}$ in $G_i$. Then $(A_1, A_2, \dots, A_n)$ is a logarithmic signature of G. Cryptosystems using logarithmic signatures are suggested in [185], [190]–[192], [289].
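The three group protocols described above (Ko-Lee-Cheon-Han-Kang-Park, Anshel-Anshel-Goldfeld, and the decomposition protocol) are run below in the symmetric group $S_n$, as an added example that is not part of the book. Permutations are used only because their arithmetic fits in a few lines: conjugacy and decomposition are easy in $S_n$, so this illustrates the mechanics of the exchanges, not a secure instance. The commuting subgroups A and B are taken as the permutations moving only the first k points and only the last n − k points, respectively; n, k, the random seed and the public generator sets are values chosen here for illustration.

```python
# Added example (not from the book): the group key-exchange protocols of
# Section 2.2.2 run in the symmetric group S_n.  A permutation p of
# {0, ..., n-1} is a tuple with p[i] = image of i.  Products are read
# left to right, so mul(p, q) applies p first and then q; conjugation
# follows the book's convention a^x = x^{-1} a x.
import random

def mul(p, q):
    return tuple(q[p[i]] for i in range(len(p)))

def inv(p):
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def conj(a, x):
    """a^x = x^{-1} a x."""
    return mul(mul(inv(x), a), x)

def evaluate(word, gens):
    """Evaluate a word, a list of (generator index, +1/-1), in the given generators."""
    result = tuple(range(len(gens[0])))
    for idx, sign in word:
        result = mul(result, gens[idx] if sign == 1 else inv(gens[idx]))
    return result

def random_in_block(rng, n, lo, hi):
    """A random permutation moving only the points lo <= i < hi.  The
    subgroups A (lo=0, hi=k) and B (lo=k, hi=n) built this way commute."""
    block = list(range(lo, hi))
    rng.shuffle(block)
    p = list(range(n))
    p[lo:hi] = block
    return tuple(p)

def ko_lee(rng, n, k):
    g = tuple(rng.sample(range(n), n))        # public element of G
    a = random_in_block(rng, n, 0, k)        # Alice's secret, a in A
    b = random_in_block(rng, n, k, n)        # Bob's secret, b in B
    g_a, g_b = conj(g, a), conj(g, b)        # the exchanged values g^a, g^b
    return conj(g_b, a), conj(g_a, b)        # k_A = (g^b)^a, k_B = (g^a)^b

def decomposition(rng, n, k):
    g = tuple(rng.sample(range(n), n))
    a1, a2 = (random_in_block(rng, n, 0, k) for _ in range(2))
    b1, b2 = (random_in_block(rng, n, k, n) for _ in range(2))
    to_bob = mul(mul(a1, g), a2)             # a1 g a2
    to_alice = mul(mul(b1, g), b2)           # b1 g b2
    k_alice = mul(mul(a1, to_alice), a2)     # a1 b1 g b2 a2
    k_bob = mul(mul(b1, to_bob), b2)         # b1 a1 g a2 b2
    return k_alice, k_bob

def random_word(rng, num_gens, length):
    return [(rng.randrange(num_gens), rng.choice((1, -1))) for _ in range(length)]

def aag(rng, n, l=3, m=3, length=6):
    a_gens = [tuple(rng.sample(range(n), n)) for _ in range(l)]   # public a_1..a_l
    b_gens = [tuple(rng.sample(range(n), n)) for _ in range(m)]   # public b_1..b_m
    x_word, y_word = random_word(rng, l, length), random_word(rng, m, length)
    x, y = evaluate(x_word, a_gens), evaluate(y_word, b_gens)     # the secrets
    b_conj = [conj(b, x) for b in b_gens]    # Alice -> Bob: b_j^x
    a_conj = [conj(a, y) for a in a_gens]    # Bob -> Alice: a_i^y
    # Steps 3/4: substituting the received conjugates into one's own word
    # gives x^y = y^{-1} x y for Alice and y^x = x^{-1} y x for Bob.
    x_y = evaluate(x_word, a_conj)
    y_x = evaluate(y_word, b_conj)
    assert x_y == conj(x, y) and y_x == conj(y, x)
    k_alice = mul(inv(x), x_y)               # x^{-1} y^{-1} x y = [x, y]
    k_bob = inv(mul(inv(y), y_x))            # (y^{-1} x^{-1} y x)^{-1} = [x, y]
    return k_alice, k_bob

def run_all(n=8, k=4, seed=1):
    """Per protocol: did both parties derive the same key?"""
    rng = random.Random(seed)
    out = {}
    for name, fn in (("ko_lee", ko_lee), ("decomposition", decomposition)):
        ka, kb = fn(rng, n, k)
        out[name] = ka == kb
    ka, kb = aag(rng, n)
    out["aag"] = ka == kb
    return out
```

Every protocol returns the pair of keys derived by the two parties; `run_all` checks that they agree. The agreement in `ko_lee` and `decomposition` depends only on A and B commuting, which is why disjoint supports are chosen; the agreement in `aag` depends only on the substitution identity checked by the assertion, which holds in any group.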
We note that Lempken et al. (see [184]) invented the cryptosystem MST3, based on logarithmic signatures; Magliveras et al. in [193] showed that it is not secure under a special method of generating the secret keys. Another attack against MST3 was described in [38]. Paeng et al. in [238] proposed a new cryptoscheme based on the difficulty of the DLP in the group of inner automorphisms. A cryptanalysis of the protocol proposed by Grigoriev and Ponomarenko ([135]) was given in [65], using a heuristic method of recovering the secret key from the public key. In [92], a new cryptosystem using polycyclic groups is proposed. Frey [107] showed that the Brauer group plays an important role in cryptosystems whose security is based on the discrete logarithm problem. In [259], the authors (using some ideas from [287]) proposed a key-exchange protocol whose security relies on two simultaneous problems at the level of group representations: the matrix conjugator search problem and the matrix discrete logarithm problem.
2.2.3 Groups used as platforms for cryptosystems

The braid group. Since many of the cryptosystems using groups are based on the braid group, we first focus on it. The braid group was introduced by E. Artin in 1947. This group is interesting in many respects: it has equivalent descriptions in completely different areas of mathematics; the word problem in it is solvable relatively easily, whereas other problems, such as the conjugacy problem and the decomposition problem, appear to be hard in it. There are several definitions of the braid group; we consider one algebraic-geometric definition. For $n \ge 2$, the braid group $B_n$ is defined by the presentation
$$B_n = \left\langle \sigma_1, \dots, \sigma_{n-1} \;\middle|\; \sigma_i \sigma_j = \sigma_j \sigma_i \text{ for } |i - j| \ge 2,\ \ \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \text{ for } |i - j| = 1 \right\rangle.$$
This way of defining the braid group is called Artin's presentation, and the generators are called Artin's generators. We refer to $\sigma_i$, $1 \le i \le n-1$, as an elementary braid on n strands and interpret it as the braid that interchanges strands i and i+1 by passing strand i+1 over strand i. An element of $B_n$ is called an n-braid. For each n, the identity mapping on
$\{\sigma_1, \dots, \sigma_{n-1}\}$ induces an embedding of $B_n$ into $B_{n+1}$, so that an n-braid can be regarded as an (n+1)-braid. Since $B_2$ is an infinite cyclic group, it is isomorphic to the group of integers. For $n \ge 3$, the group $B_n$ is not commutative, and its center is an infinite cyclic subgroup. When a group is specified by a presentation, each element of the group is an equivalence class of words with respect to the congruence generated by the relations of the presentation. Hence (by definition) every n-braid is an equivalence class of n-braid words under this congruence. Birman et al. in [29] and [30] presented a new canonical form for the elements of the braid group. Another normal form is given in [91] and [156]. Some efforts to solve the conjugacy problem in polynomial time can be found in [128] and [183]. Campagna in [54] proposed a new canonical form called the max run form, using Artin's generators, and also provided some algorithms that can be used for cryptographic purposes. Wiest in [325] gave an algorithm for finding a unique short representative of any given element of Artin's braid group. Hofheinz and Steinwandt in [149] used a heuristic algorithm to attack the conjugacy search problem, which underlies the cryptosystems presented in [11] and [174]. Myasnikov and Ushakov ([224], [225]) suggested a variant of the "length-based attack" against these cryptosystems. Similar attacks are proposed in [54]. Other attacks are considered in [45] and [223]. Chowdhury in [66] showed that the suggested implementation of the "Algebraic Eraser" scheme over the braid group is not secure. For more details about the Algebraic Eraser, see also [124]. The Algebraic Eraser is used in the recently patented protocol [10]. Some solutions to the word problem in the braid group based on the "handle reduction" process are discussed in [79] and [117]. Three authentication schemes based on the conjugacy search problem and the root extraction problem are presented in [286]. A cryptanalysis of the root extraction problem can be found in [137]. There are also attempts to combine various problems in the braid group to create more resistant cryptosystems. For example, Thomas and Lal in [304] suggested a digital signature scheme that combines the conjugacy search problem, the decomposition problem, and the root search problem. Chowdhury in [67] considered cryptographic protocols using noncommutative semigroups to improve the security of the Cha-Ko-Lee-Han-Cheon cryptosystem based on the braid group, while providing two algorithms to solve the decomposition problem.
The Thompson group. The Thompson group F has the following infinite presentation:
$$F = \left\langle x_0, x_1, x_2, \dots \;\middle|\; x_i^{-1} x_k x_i = x_{k+1}\ (k > i) \right\rangle.$$
The classical normal form for an element of Thompson's group is a word of the type
$$x_{i_1} \cdots x_{i_s}\, x_{j_t}^{-1} \cdots x_{j_1}^{-1},$$
such that the following two conditions are met:
• $i_1 \le \dots \le i_s$ and $j_1 \le \dots \le j_t$;
• if both $x_i$ and $x_i^{-1}$ are present, then either $x_{i+1}$ or $x_{i+1}^{-1}$ is also present.
There is a relatively simple procedure for reducing an arbitrary word w to normal form in the Thompson group. (Various properties of the Thompson group are discussed in [55].) We note that in the Thompson group there are effective attacks on the decomposition problem ([200]). As some authors have observed (see, for example, [226]), in the Thompson group, as in the braid group, the use of different normal forms for group elements poses a cryptographic risk: what one normal form hides may well be revealed by another.

Matrix groups. The advantage of using matrix groups over finite commutative rings as platforms for cryptographic protocols is that, on the one hand, the matrix product is not commutative, and, on the other hand, matrix entries from a commutative ring offer a good mechanism for hiding the information we want to hide. Another advantage of matrix groups is the periodicity of a matrix defined over a finite ring. Different finite rings can be considered over which matrix groups can be defined. The simplest example is the ring $\mathbb{Z}_n$. We point out that matrix groups over the ring $\mathbb{Z}_n$ can also be used as a platform for the "classical" Diffie-Hellman key-exchange protocol, but the disadvantage is that the number n must be very large to provide a reasonably large key space. Another ring of interest is $R = \mathbb{F}_p[x]/(f(x))$ (here $\mathbb{F}_p$ is the field with p elements, $\mathbb{F}_p[x]$ is the ring of polynomials over $\mathbb{F}_p$, and $(f(x))$ is the ideal of $\mathbb{F}_p[x]$ generated by an irreducible polynomial f(x) of degree n). This ring is isomorphic to the field $\mathbb{F}_{p^n}$, but the presentation of R allows a large key space to be obtained with relatively small basic parameters. This ring is employed by Tillich and Zemor in [306] to
construct hash functions (see also [276]). The matrices used by them belong to the group $SL_2(R)$. It is also possible to use the ring of reduced polynomials over the ring $\mathbb{Z}_n$. Reduced polynomials are expressions of the type
$$\sum_{k=0}^{N} a_k x^k,$$
taken with the usual addition, while multiplication follows the rule
$$x^i \cdot x^j = x^{(i+j) \bmod (N+1)}.$$
The ring of reduced polynomials is a factor ring, namely $\mathbb{Z}_n[x]/(x^{N+1} - 1)$; reduction modulo $x^{N+1} - 1$ only wraps exponents around, so the factor-ring calculations are quite efficient. This ensures that a large key space is obtained at small computational cost. There are also mixed protocols in which the authors combine matrix groups with other groups. For example, in the Climent-Ferrandez-Vicent-Zamora key-exchange protocol (see [68]), matrix groups are combined with the set of points of an elliptic curve defined over a finite field. An analysis of the protocol was performed in [69], where a number of improvements were proposed to enhance security. Another example of a mixed protocol is the one proposed by P. Vitkus, E. Sakalauskas, N. Listopadskis, and R. Vitkiene in [318], which uses the left and right actions of a matrix on a matrix. As a platform for their protocol, the authors employed the braid group $B_n$. The following map is used to transform the braid group into a matrix group: $U : B_n \to GL(n-1, \mathbb{F}_p)$, p prime, sending each generator to a block-diagonal matrix
$$\sigma_i \mapsto I_{i-2} \oplus (\text{a } 3 \times 3 \text{ block in the parameter } t) \oplus I_{n-i-2}, \qquad t \in \mathbb{F}_p,$$
where the entries of the middle block are given in [318]. Cryptanalysis of protocols using matrix groups is presented in [218].

Extra special groups. For a given prime p, all groups of order $p^2$ are abelian. The smallest nonabelian p-groups have order $p^3$, and there is a complete classification of groups of order $p^3$. For odd p, there are two non-isomorphic extra special groups of order $p^3$:
• the group of upper triangular $3 \times 3$ matrices over the field of order p with 1's on the diagonal; it has exponent p and is called the Heisenberg group;
• the semidirect product of a cyclic group of order $p^2$ by a cyclic group of order p acting nontrivially on it; this group has exponent $p^2$.
For p = 2, there are two nonabelian groups of order 8, namely:
• the dihedral group $D_8$, which has two elements of order 4;
• the quaternion group $Q_8$, which has six elements of order 4.

Using extra special groups for cryptographic purposes. The Heisenberg group as a platform for the AAG protocol was suggested in [53]; the authors believe that with this platform the AAG protocol becomes resistant to the "length-based attack". The Heisenberg group is also used as the platform of the MOR cryptosystem by Ayan Mahalanobis in [197] and [198]. The dihedral group is applied to construct a visual cryptography scheme (see [312]). The quaternion group is used as a platform for the cryptoscheme in [89]. In [179], it is shown that in the extra special groups the security assumptions reduce to a hidden subgroup problem for the random polynomials chosen by the end users.

Other groups that are used as platforms. Some other groups used for cryptographic purposes are:
• small cancellation groups, proposed as a platform in [283];
• free metabelian groups, applied in the protocol of [284];
• Artin groups, used as a platform in [285];
• Grigorchuk groups, used in [241];
• linear groups ([21]);
• Cremona groups ([315]).
2.3 The Discrete Logarithm Problem in Rings and Semirings

2.3.1 The Diffie-Hellman protocol in terms of formal algebra – a parallel between groups and rings

In the cryptographic literature, several attempts at formalizing the Diffie-Hellman protocol are known. Here we discuss some of them. Boreale and Buscemi in [47] suggested a formalization of the algebraic operations in the Diffie-Hellman protocol (see also [8], [104], and [212]). A symbolic approach to this protocol is preferred in [75], [97], [98], and [133]. We briefly describe the approach used by D. Dougherty and J. Guttman ([84]–[86]). A Diffie-Hellman structure is a cyclic group G of prime order q with a generator g, together with an exponentiation operation. The exponents are integers modulo q, which form a field E of characteristic q. For cryptographic purposes, the group G is often chosen as a subgroup of the multiplicative group of integers modulo a prime p, where q divides p − 1. We recall that, according to the Diffie-Hellman hypothesis, it is infeasible to find the exponent x from $g^x$ (the values that Alice and Bob exchange over an insecure channel). It is convenient to use two sorts: on the one hand, the set G of group elements, which are the bases of the exponentiation, and on the other hand, the set E of exponents, keeping in mind that the nonzero elements of E form a further set $N_E$. Thus, the following signature can be written down:
$$\begin{aligned}
&\cdot : G \times G \to G, \qquad \mathrm{id} : \to G, \qquad \mathrm{inv} : G \to G,\\
&+,\ \cdot : E \times E \to E, \qquad 0 : \to E, \qquad \exp : G \times E \to G,\\
&i : N_E \to N_E, \qquad 1 : \to N_E, \qquad \cdot : N_E \times N_E \to N_E.
\end{aligned}$$
The following axioms hold:
1. $(G, \cdot, \mathrm{inv}, \mathrm{id})$ is an abelian group;
2. $(E, +, 0, -, \cdot, 1)$ is a commutative ring with one;
3. via the exponentiation, the group G becomes a right E-module with one, i.e.
$$a^{x+y} = a^x \cdot a^y, \quad a^1 = a, \quad (a^x)^y = a^{xy}, \quad \mathrm{id}^x = \mathrm{id}, \quad (a \cdot b)^x = a^x \cdot b^x \qquad \text{for all } a, b \in G;\ x, y \in E;$$
4. the set $N_E$ is closed under the multiplicative operation:
$$u \cdot v = v \cdot u, \quad u \cdot i(u) = 1, \quad i(-u) = -i(u), \quad i(u \cdot v) = i(u) \cdot i(v), \quad i(1) = 1, \quad i(i(w)) = w \qquad \text{for all } u, v, w \in N_E.$$
The following additional rules can also be derived.
In the set G:
$$\mathrm{inv}(\mathrm{id}) \to \mathrm{id}, \quad \mathrm{inv}(a \cdot b) \to \mathrm{inv}(a) \cdot \mathrm{inv}(b), \quad \mathrm{inv}(\mathrm{inv}(b)) \to b, \quad (\mathrm{inv}(a))^x \to \mathrm{inv}(a^x), \quad a^0 \to \mathrm{id}, \quad a^{-x} \to \mathrm{inv}(a)^x.$$
In the set E:
$$-(0) \to 0, \quad -(x + y) \to (-x) + (-y), \quad -(-x) \to x, \quad 0 \cdot x \to 0, \quad (-x) \cdot y \to -(x \cdot y).$$
Diffie-Hellman structures that are algebraically isomorphic may have different properties with respect to computational difficulty. For example, a prime field $\mathbb{F}_q$, represented as the group of integers mod q, can be regarded as a Diffie-Hellman structure in which the group formed by the bases of the exponentiation is the additive group of $\mathbb{F}_q$ and the exponentiation is multiplication. Then the discrete logarithm problem is easily solvable (it amounts to one division in $\mathbb{F}_q$). On the other hand, $\mathbb{F}_q$ is isomorphic to the subgroup of order q of the multiplicative group of integers modulo a prime p with $q \mid p - 1$, and in this group the discrete logarithm problem may be hard. For a field F, the following model $M_F$ is applicable: the elements of the sets E and G are taken from F; the set $N_E$ consists of the nonzero elements of E. Here E is a field, and the operations defined on E are those of the field F; G is a group whose operation $(\cdot)$ is taken to be the addition of the field F. The element id is 0, the operation inv is negation, and the exponentiation is multiplication, i.e. $a^e$ is interpreted as $a \cdot e$. In this case the following holds.
Proposition ([84]). Each Diffie-Hellman structure is isomorphic to a model $M_{\mathbb{F}_q}$, where $\mathbb{F}_q$ is the prime field of order q.

This formalization shows that the operations of the Diffie-Hellman protocol can be regarded as actions on a cyclic group of prime order together with the operation of exponentiation; the set of exponents, with its own operations, forms a finite field. The method can also be applied to other protocols: for example, the group G may be the group of points of an elliptic curve, and the idea can be carried over to bilinear pairings on elliptic curves.
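The point of the proposition, that isomorphic Diffie-Hellman structures can differ in how hard the discrete logarithm is, is illustrated below with an added example that is not part of the book or of Dougherty and Guttman's work. The additive model $M_{\mathbb{F}_q}$ and the order-q subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ are both built as instances of one `DHStructure` type carrying the group operation, inverse, identity and exponentiation; the exchange runs identically in both, but the logarithm in the additive model is one field division, while in the multiplicative subgroup the best generic method is baby-step giant-step with about $\sqrt{q}$ group operations. The moduli (q = 1019, p = 2039, generator 4) are toy parameters chosen here only so the example runs instantly.

```python
# Added example (not from the book): two Diffie-Hellman structures that are
# isomorphic as algebra but differ in the cost of the discrete logarithm.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class DHStructure:
    """(G, op, id, inv) with a right action exp: G x E -> G, where E = Z_q."""
    q: int                                  # prime order of G; exponents live in Z_q
    op: Callable[[int, int], int]           # group operation on G
    identity: int
    inv: Callable[[int], int]
    exp: Callable[[int, int], int]          # exp(a, e) = a^e

def additive_model(q: int) -> DHStructure:
    """The model M_F: G = (F_q, +), id = 0, inv = negation, a^e := a * e mod q."""
    return DHStructure(q, lambda a, b: (a + b) % q, 0, lambda a: (-a) % q,
                       lambda a, e: (a * e) % q)

def multiplicative_subgroup(p: int, q: int, g: int) -> DHStructure:
    """G = <g> of prime order q inside (Z_p)^*, with q | p - 1."""
    assert (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1
    return DHStructure(q, lambda a, b: (a * b) % p, 1, lambda a: pow(a, -1, p),
                       lambda a, e: pow(a, e, p))

def exchange(S: DHStructure, g: int, x: int, y: int):
    """Run the protocol; returns (g^x, g^y, Alice's key, Bob's key)."""
    gx, gy = S.exp(g, x), S.exp(g, y)
    return gx, gy, S.exp(gy, x), S.exp(gx, y)

def dlog_additive(S: DHStructure, g: int, h: int) -> int:
    """In the additive model h = g*x mod q, so x = h * g^{-1} mod q: one division."""
    return (h * pow(g, -1, S.q)) % S.q

def dlog_bsgs(S: DHStructure, g: int, h: int) -> int:
    """Generic baby-step giant-step using only the structure's operations:
    about sqrt(q) group operations, the generic optimum in a prime-order group."""
    m = int(S.q ** 0.5) + 1
    baby = {}                               # g^j -> j for 0 <= j < m
    cur = S.identity
    for j in range(m):
        baby.setdefault(cur, j)
        cur = S.op(cur, g)
    giant = S.inv(S.exp(g, m))              # g^{-m}
    gamma = h
    for i in range(m):                      # gamma = h * g^{-im}
        if gamma in baby:
            return (i * m + baby[gamma]) % S.q
        gamma = S.op(gamma, giant)
    raise ValueError("h is not in <g>")
```

The same `exchange` function serves both structures, which is exactly the isomorphism the proposition asserts; `dlog_additive` uses the ring structure of E that the additive model exposes, whereas `dlog_bsgs` uses nothing beyond the group axioms and therefore cannot do better than the square-root bound on either structure.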
2.3.2 The Discrete Logarithm Problem in noncommutative rings

In 2006, the use of noncommutative rings in public key cryptography was proposed for the first time (see [58]). For a given noncommutative ring R, its $\mathbb{Z}$-modular structure $\mathbb{Z}[r]$ is used. Moreover, this $\mathbb{Z}$-modular method is extended to noncommutative groups and noncommutative semigroups. We briefly focus on the basic concepts of the $\mathbb{Z}$-modular method. Let R be a ring with zero (0) and one (1), for which $(R, +, 0)$ is an abelian group and $(R, \cdot, 1)$ is a noncommutative semigroup. For a positive integer k and $r \in R$ we set
$$(k)r := \underbrace{r + \dots + r}_{k\ \text{times}},$$
and similarly, for the negative integer $-k$, we define
$$(-k)r := \underbrace{(-r) + \dots + (-r)}_{k\ \text{times}}.$$
For k = 0, we set (k)r = 0. Then we arrive at the following

Proposition. For all $a, b, m, n \in \mathbb{Z}$ and $r \in R$ the equalities
$$(a)r^m \cdot (b)r^n = (ab)r^{m+n} = (b)r^n \cdot (a)r^m$$
hold. In general, $(a)r \cdot (b)s \neq (b)s \cdot (a)r$ for $r \neq s$, since the multiplication in R is not commutative. For an element $r \in R$, we define polynomials with positive integer coefficients in the standard way:
$$f(r) = \sum_{i=0}^{n} (a_i) r^i = (a_0)1 + (a_1)r + \dots + (a_n)r^n.$$
The set of all polynomials of this type over the ring R is denoted by $\mathbb{Z}[r]$. Let $(R, +, \cdot)$ be a noncommutative ring. For every element $s \in R$, we define the set $P_s \subseteq R$ by
$$P_s = \{ f(s) : f(r) \in \mathbb{Z}[r] \}.$$
Then, in the noncommutative ring R, the following problems can be posed:
• Symmetric Decomposition Problem for Polynomials: for given elements $(s, x, y) \in R^3$ and integers m, n, find an element $z \in P_s$ such that $y = z^m x z^n$.
• Diffie-Hellman Problem for Polynomials: for given $s, x \in R$ and the values $x^{z_1}, x^{z_2}$ with unknown $z_1, z_2 \in P_s$, where $x^z$ denotes $z^m x z^n$, find $x^{z_1 z_2}$ (or $x^{z_2 z_1}$; the two coincide because $z_1$ and $z_2$ commute).
These two problems are assumed to be hard, i.e. no polynomial-time algorithm solving them is known. Based on these two problems, the following protocol (an analogue of the Diffie-Hellman protocol) is constructed over a noncommutative ring R. At the beginning of the protocol, Alice and Bob choose two random small integers m and n, as well as two random elements $a, b \in R$.
1. Alice selects a polynomial $f(x) \in \mathbb{Z}[x]$ such that $f(a) \neq 0$ (her secret key is f(a)). She computes $r_A = f(a)^m \, b \, f(a)^n$ and transmits her public key $r_A$ to Bob.
2. Bob selects a polynomial $h(x) \in \mathbb{Z}[x]$ such that $h(a) \neq 0$ (his secret key is h(a)). He computes $r_B = h(a)^m \, b \, h(a)^n$ and transmits his public key $r_B$ to Alice.
3. Alice computes $k_A = f(a)^m \, r_B \, f(a)^n$.
4. Bob computes $k_B = h(a)^m \, r_A \, h(a)^n$.
At the end of the protocol, both users obtain the same shared secret key $k = k_A = k_B$: since f(a) and h(a) are both polynomials in a, they commute, so $k_A = f(a)^m h(a)^m \, b \, h(a)^n f(a)^n = h(a)^m f(a)^m \, b \, f(a)^n h(a)^n = k_B$. Using the hardness of the symmetric decomposition problem and of the Diffie-Hellman problem for polynomials, a protocol similar to the ElGamal encryption scheme over a noncommutative ring R can be constructed.
This protocol works as follows.
Initial phase. Alice and Bob choose two random small primes m, n and two random elements $a, b \in R$, as well as a hash function $H : R \to \mathcal{M}$ (here $\mathcal{M}$ is the message space).
Key generation. For this phase, the protocol above, analogous to the Diffie-Hellman protocol, is used; the resulting common secret key is k.
Encryption. Alice wants to send Bob the message $M \in \mathcal{M}$. She encrypts it as $d = H(k) \oplus M$ (bitwise XOR of the hash value with the message) and transmits the ciphertext d to Bob.
Decryption. Bob recovers k with his private key h(a), computes H(k), and reads the message as $M = H(k) \oplus d$.

Theorem ([57]). Let H be a random oracle mapping the elements of R into $\mathcal{M}$. Suppose that A is an eavesdropper who reads the message within t steps with probability ε, and that A makes $q_H > 0$ queries to the oracle H. Then there is an algorithm B which solves the Diffie-Hellman problem for polynomials over the noncommutative ring R with success probability at least $\varepsilon' = 2\varepsilon / q_H$ in $t' = O(t)$ steps.

In the cryptographic literature one can find a number of cryptosystems based on the protocols considered here. The protocols suggested by Fujisaki and Okamoto [109], as well as several cryptosystems proposed in [323], are of this type; see also [70].
2.3.3 The Discrete Logarithm Problem and cryptography using semirings

Definitions and examples. The term semiring was introduced for the first time by Harry Vandiver [316] in 1934; see also Udo Hebisch and Hanns Joachim Weinert ([142]). The definition in Jonathan Golan's monograph [122] assumes that the semiring has a zero and a one. A semiring in the sense of [316] and [142] is a nonempty set R equipped with two binary operations, addition (+) and multiplication $(\cdot)$, with the following properties:
(1) $(R, +)$ is a commutative semigroup, i.e. x + y = y + x and x + (y + z) = (x + y) + z for all $x, y, z \in R$;
(2) $(R, \cdot)$ is a semigroup, i.e. $x \cdot (y \cdot z) = (x \cdot y) \cdot z$ for all $x, y, z \in R$;
(3) the distributive laws hold: $x \cdot (y + z) = x \cdot y + x \cdot z$ and $(x + y) \cdot z = x \cdot z + y \cdot z$ for all $x, y, z \in R$.
Let $R = (R, +, \cdot)$ be a semiring. Then:
• if there is a neutral element 0 of the semigroup $(R, +)$, that is, x + 0 = 0 + x = x for all $x \in R$, and it satisfies $0 \cdot x = x \cdot 0 = 0$ for all $x \in R$, this element is called a zero;
• if there is a neutral element 1 of the semigroup $(R, \cdot)$, that is, $x \cdot 1 = 1 \cdot x = x$ for all $x \in R$, this element is called a one.
A semiring $R = (R, +, \cdot)$ is called proper if it is not a ring, i.e. if $(R, +)$ is not a group. A semiring is called commutative if the semigroup $(R, \cdot)$ is commutative. Here are some examples of semirings:
(1) The set $\mathbb{N}$ of natural numbers is a semiring with the usual addition and multiplication.
(2) The set $\mathbb{Q}^+$ of positive rational numbers is a semiring with the same operations.
(3) The set $\mathbb{R}^+$ of positive real numbers is a semiring with the usual addition and multiplication of real numbers.
(4) If S is a subsemiring of a semiring, then $S \times S$, with componentwise operations, is a subsemiring of the product of that semiring with itself.
(5) If R is a semiring and I(R) is the set of all ideals of R, then I(R) is a semiring, the two operations being the addition and multiplication of ideals. The zero of this semiring is the zero ideal of R, and the one is R itself.

Motivation to study semirings. We briefly consider various applications of semirings in different fields of mathematics, as well as in some other sciences.
After Vandiver introduced semirings in 1934, they remained unused by mathematicians for a long time; only when Marcel Schützenberger ([262]) presented the concept of a weighted machine in 1961 did interest in semirings reappear. Various applications of semirings in the theory of automata and formal languages can be found in [71], [72], [260]. New ideas in automata theory and formal languages, as well as many other applications of semiring theory, can be found in [24], [240], [244]–[246]. Different aspects of the application of semirings to finite state machines can be seen in [59], [76], [88], [99], [108], [168], [86], and [326]. Weighted finite state machines play an important role in computer science: they find their place in the structural theory of so-called recognizable languages, in speech recognition and in image compression (see [4]–[5]). The behavior of a weighted finite state machine can be described by a mapping from a free monoid into a semiring. Some formal systems for studying the correctness and efficiency of computer programs are related to various semirings: Hoare algebras, dynamic algebras, and Kleene algebras (see [146], [140], [23], [108]). Using idempotent semirings, some properties of computer programs and transition systems can be modeled by establishing a connection between algebraic formalism and dynamic and temporal logic, as shown in [25], [31], and [82]. Hidden Markov models are standard probabilistic models for sequentially labeled data, appearing, for example, in speech recognition (see [250]). In [152], a Forward-Backward (FB) algorithm for the efficient computation of entropy in hidden Markov models is given, which works with elements of commutative semirings and requires less memory than existing algorithms. Other applications of semirings can be found in [122] and [123]. Gröbner bases for semirings are considered in [46] and [145].
2.3.4 Semirings and cryptography

In 2007, Gérard Maze, Chris Monico, and Joachim Rosenthal proposed (see [202]) one of the first cryptosystems based on semigroups and semirings, using some ideas from [11] as well as from their earlier article [204]. This cryptosystem was developed further in [203]. Also in 2007, K. Slavin (see [290]) received a US patent for a cryptosystem using ideas similar to those of [202].
Maze-Monico-Rosenthal key-exchange protocol. In the initial part of this protocol, a finite semiring $R$ is presented; this semiring cannot be embedded into a field and is not necessarily commutative. The $n \times n$ matrices with entries from $R$ are considered. The center of the semiring $R$ is denoted by $C$; for a matrix $M \in \mathrm{Mat}_n(R)$, the commutative semiring consisting of polynomials of $M$ with coefficients from $C$ is denoted by $C[M]$. For two given matrices $M_1, M_2 \in \mathrm{Mat}_n(R)$, the following linear action is considered:
$$(C[M_1] \times C[M_2]) \times \mathrm{Mat}_n(R) \to \mathrm{Mat}_n(R), \qquad ((p(M_1), q(M_2)), X) \mapsto p(M_1)\, X\, q(M_2).$$
Based on this action, the following key-exchange protocol is created. The two users agree on the finite semiring $R$, whose center $C$ is not an empty set and which cannot be embedded into a field. In addition, they choose a natural number $n$ and three matrices $M_1, M_2, S \in \mathrm{Mat}_n(R)$.
1. Alice selects two polynomials $p_a, q_a \in C[t]$ (her secret keys) and computes $A = p_a(M_1)\, S\, q_a(M_2)$. She sends her public key $A$ to Bob.
2. Bob also selects two polynomials $p_b, q_b \in C[t]$ (his secret keys) and computes $B = p_b(M_1)\, S\, q_b(M_2)$. He sends his public key $B$ to Alice.
3. After receiving the matrix $B$, Alice computes
$$k_A = p_a(M_1)\, B\, q_a(M_2) = p_a(M_1)\, p_b(M_1)\, S\, q_b(M_2)\, q_a(M_2).$$
4. Bob, using Alice's matrix $A$, computes
$$k_B = p_b(M_1)\, A\, q_b(M_2) = p_b(M_1)\, p_a(M_1)\, S\, q_a(M_2)\, q_b(M_2).$$
At the end of the protocol they obtain the shared secret key $k_A = k_B$: the two products agree because $C[M_1]$ and $C[M_2]$ are commutative, so $p_a(M_1)$ commutes with $p_b(M_1)$ and $q_a(M_2)$ commutes with $q_b(M_2)$. This protocol owes its security to the following Two-sided action problem of matrix semirings: for three given matrices $M_1, M_2, S \in \mathrm{Mat}_n(R)$ and a matrix $T \in C[M_1]\, S\, C[M_2]$, find the matrices $U_1 \in C[M_1]$ and $U_2 \in C[M_2]$ such that $T = U_1\, S\, U_2$.
The authors of the protocol proposed finite simple semirings as a platform for their protocol.
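The exchange described above, written out as an added example (this is not code from the book or from Maze, Monico and Rosenthal). The platform semirings are assumptions made for the demonstration: the Boolean semiring ({0, 1}, OR, AND) and a truncated min-plus semiring, both finite, idempotent (so not embeddable into a field) and commutative, so their center is the whole semiring and any coefficients are central. Matrix size, polynomial degree and the seeded pseudo-random parameter choice are likewise demo assumptions; the functions `poly_eval`, `two_sided`, `commute` and `run_exchange` are names chosen here.

```python
"""Toy Maze-Monico-Rosenthal two-sided matrix key exchange over a finite semiring.

Added example, not code from the book or its cited authors. The two toy
semirings, the matrix size, the polynomial degree and the seeded PRNG are
assumptions made for the demonstration.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple

Matrix = List[List[int]]


@dataclass(frozen=True)
class Semiring:
    """A finite semiring: carrier, the two operations, and their neutral elements."""
    elements: Tuple[int, ...]
    add: Callable[[int, int], int]
    mul: Callable[[int, int], int]
    zero: int
    one: int


# Boolean semiring ({0, 1}, OR, AND): finite and 1 + 1 = 1, so it embeds in no
# field; it is commutative, so its center C is the whole semiring. (Assumed platform.)
BOOL = Semiring((0, 1), lambda a, b: a | b, lambda a, b: a & b, 0, 1)

# Truncated min-plus semiring {0, ..., CAP} plus INF: "addition" is min,
# "multiplication" is integer addition saturating at CAP, INF is the zero,
# 0 is the one. Finite, idempotent and commutative. (Assumed platform.)
CAP, INF = 7, 8
MINPLUS = Semiring(
    tuple(range(CAP + 2)), min,
    lambda a, b: INF if INF in (a, b) else min(a + b, CAP), INF, 0)


def scalar_matrix(sr: Semiring, c: int, n: int) -> Matrix:
    """c * I: the scalar c on the diagonal, the semiring zero elsewhere."""
    return [[c if i == j else sr.zero for j in range(n)] for i in range(n)]


def mat_add(sr: Semiring, X: Matrix, Y: Matrix) -> Matrix:
    return [[sr.add(x, y) for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def mat_mul(sr: Semiring, X: Matrix, Y: Matrix) -> Matrix:
    n = len(X)
    out = [[sr.zero] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = sr.zero
            for k in range(n):
                acc = sr.add(acc, sr.mul(X[i][k], Y[k][j]))
            out[i][j] = acc
    return out


def poly_eval(sr: Semiring, coeffs: List[int], M: Matrix) -> Matrix:
    """p(M) = c_0 I + c_1 M + ... + c_d M^d by Horner's rule. With central
    coefficients p(M) lies in the commutative semiring C[M]."""
    n = len(M)
    acc = scalar_matrix(sr, coeffs[-1], n)
    for c in reversed(coeffs[:-1]):
        acc = mat_add(sr, mat_mul(sr, acc, M), scalar_matrix(sr, c, n))
    return acc


def two_sided(sr: Semiring, p: List[int], M1: Matrix, X: Matrix,
              q: List[int], M2: Matrix) -> Matrix:
    """The action ((p(M1), q(M2)), X) -> p(M1) X q(M2)."""
    return mat_mul(sr, mat_mul(sr, poly_eval(sr, p, M1), X), poly_eval(sr, q, M2))


def commute(sr: Semiring, p: List[int], q: List[int], M: Matrix) -> bool:
    """The fact the key agreement rests on: p(M) q(M) == q(M) p(M) in C[M]."""
    P, Q = poly_eval(sr, p, M), poly_eval(sr, q, M)
    return mat_mul(sr, P, Q) == mat_mul(sr, Q, P)


def run_exchange(sr: Semiring, n: int = 4, degree: int = 3, seed: int = 1):
    """One run of the protocol; returns (k_A, k_B). The seeded PRNG makes the
    run reproducible for the demo (not a key-generation recommendation)."""
    rng = random.Random(seed)

    def rand_matrix() -> Matrix:
        return [[rng.choice(sr.elements) for _ in range(n)] for _ in range(n)]

    def rand_poly() -> List[int]:
        return [rng.choice(sr.elements) for _ in range(degree + 1)]

    M1, M2, S = rand_matrix(), rand_matrix(), rand_matrix()  # public parameters
    pa, qa = rand_poly(), rand_poly()                        # Alice's secret keys
    pb, qb = rand_poly(), rand_poly()                        # Bob's secret keys

    A = two_sided(sr, pa, M1, S, qa, M2)   # Alice -> Bob:  A = p_a(M1) S q_a(M2)
    B = two_sided(sr, pb, M1, S, qb, M2)   # Bob -> Alice:  B = p_b(M1) S q_b(M2)
    kA = two_sided(sr, pa, M1, B, qa, M2)  # Alice: k_A = p_a(M1) B q_a(M2)
    kB = two_sided(sr, pb, M1, A, qb, M2)  # Bob:   k_B = p_b(M1) A q_b(M2)
    return kA, kB


if __name__ == "__main__":
    for name, sr in (("Boolean", BOOL), ("min-plus", MINPLUS)):
        kA, kB = run_exchange(sr)
        print(name, "semiring: shared key agrees ->", kA == kB)
```

Only the public matrices $M_1, M_2, S, A, B$ are exchanged; the secret is the pair of polynomials, and `commute` checks the commutativity of $C[M]$ that makes $k_A = k_B$ hold in either semiring. With two-element coefficients the polynomial space is only $2^{d+1}$ per key, so this toy shows the mechanics and not the hardness; in the protocol as proposed, the hardness is that of the Two-sided action problem stated above, with the finite simple semirings the authors suggest as platform.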
Chapter Two
Several cryptosystems based on semigroups and semirings were constructed by Ivan Trendafilov and Mariana Durcheva (see [308] and [310]). Atani ([14] – [15]) published two cryptosystems using semimodules over factor semirings. Dwivedi et al. provided a protocol [90] based on polynomials over noncommutative factor semirings. A similar idea is employed in the protocols [9] and [234]. Idempotent semirings as a platform for building cryptographic systems will be discussed in the next chapters.
BIBLIOGRAPHY TO CHAPTERS ONE AND TWO
[1] Adleman L., DeMarrais J., A Subexponential Algorithm for Discrete Logarithms over All Finite Fields, CRYPTO ’93, LNCS.
[2] Adleman L., Huang M. (1999), Function Field Sieve Method for Discrete Logarithms over Finite Fields, Information and Computation 151 (1999), pp. 5–16.
[3] Adleman L. (1979), A subexponential algorithm for the discrete logarithm problem with applications to cryptography, Proc. SFCS ’79.
[4] Allauzen C., Mohri M. (2009), Linear-Space Computation of the Edit Distance between a String and a Finite Automaton, arXiv:0904.4686v1 [cs.FL], 29 Apr 2009.
[5] Allauzen C., Mohri M., Roark B. (2008), General algorithms for testing the ambiguity of finite automata, in Proc. of 12th Int. Conf. Developments in Language Theory, LNCS vol. 5257, Kyoto, Japan, 2008, Springer, Heidelberg, Germany.
[6] Alvarez R., Martinez F., Vincent J., Zamora A. (2007), A New Public Key Cryptosystem based on Matrices, 6th WSEAS Int. Conf. Inf. Sec. Priv., Spain, 2007, pp. 36–39.
[7] Anjaneyulu G., Vasudeva Reddy P., Reddy U. (2008), Secured Digital Signature Scheme using Polynomials over Non-Commutative Division Semirings, IJCSNS Int. J. of Computer Science and Network Security, Vol. 8, No. 8, August 2008, pp. 278–284.
[8] Amadio R., Lugiez D., Vanackere V. (2003), On the symbolic reduction of processes with cryptographic functions, Theoretical Computer Science 290(1), 2003, pp. 695–740.
[9] Anjaneyulu G., Vasudeva Reddy P., Reddy U. (2008), Secured Digital Signature Scheme using Polynomials over Non-Commutative Division Semirings, IJCSNS Int. J. of Computer Science and Network Security, Vol. 8, No. 8, 2008, pp. 278–284.
[10] Anshel I., Anshel M., Goldfeld D. (2018), Method and apparatus for establishing a key agreement protocol, US Patent No. US 2018/0071335 A1, Mar. 15, 2018.
[11] Anshel I., Anshel M., Goldfeld D. (1999), An algebraic method for public-key cryptography, Math. Res. Lett. 6 (1999), pp. 1–5.
[12] Anshel I., Anshel M., Fisher B., Goldfeld D. (2001), New key agreement protocols in braid group cryptography, Progress in Cryptology – CT-RSA 2001, LNCS 2020, Springer-Verlag (2001), pp. 13–27.
[13] ANSI X9.42 (2003), PKC for the Financial Services Industry: Agreement of Symmetric Keys Using DL Cryptography, Technical report, American Bankers Association, 2003.
[14] Atani R. E. (2007), Public Key Cryptography Based on Semimodules over Quotient Semirings, Int. Mathematical Forum 2, No. 52, 2007, pp. 2561–2570.
[15] Atani R., Atani S., Mirzakuchaki S. (2007), A Novel Public Key Cryptosystem Based on Semimodules over Quotient Semirings, IACR Cryptology ePrint Archive, Vol. 2007, 2007, p. 391.
[16] Ateniese G., Benson K., Hohenberger S. (2009), Key-Private Proxy Re-Encryption, Topics in Cryptology – CT-RSA 2009.
[17] Bai S., Brent R. (2008), On the Efficiency of Pollard’s Rho Method for Discrete Logarithms, The Australasian Theory Symposium (CATS 2008).
[18] Barak B. (2017), The Complexity of Public-Key Cryptography, Electronic Colloquium on Computational Complexity, Report No. 65 (2017).
[19] El Bashir R., Hurt J., Jančařík A., Kepka T. (2001), Simple Commutative Semirings, J. of Algebra 236, 2001, pp. 277–306.
[20] El Bashir R., Kepka T. (2007), Congruence-Simple Semirings, Semigroup Forum 75, 2007, pp. 588–608.
[21] Baumslag G., Fine B., Xu X. (2006), Cryptosystems Using Linear Groups, Appl. Alg. in Engineering, Communication and Computing 17, 2006, pp. 205–217.
[22] Belluce L. P., Di Nola A. (2009), Commutative rings whose ideals form an MV-algebra, Mathematical Logic Quarterly 55(5), 2009, pp. 468–486.
[23] Bergstra J., Klop J. (1984), The algebra of recursively defined processes and the algebra of regular processes, in J. Paredaens (ed.), Automata, Languages and Programming, LNCS 172, Springer-Verlag, Berlin, 1984.
[24] Berstel J., Perrin D., Reutenauer C. (2010), Codes and Automata, Encyclopedia of Mathematics and its Applications No. 129, Cambridge University Press, 2010.
[25] Bertelle C., Duchamp G., Khatatneh Kh. (2005), Tables, Memorized Semirings and Applications, arXiv:cs/0502081v1 [cs.MA], 20 Feb 2005.
[26] Biham E., Boneh D., Reingold O. (1997), Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring, Inform. Process. Lett. 70 (1997).
[27] Birget J., Magliveras S., Sramka M. (2006), On public-key cryptosystems based on combinatorial group theory, Tatra Mountains Mathematical Publications 33 (2006), pp. 137–148.
[28] Birget J., Magliveras S., Wei W. (2002), Trap doors from subgroup chains and recombinant bilateral transversals, Proceedings of RECSI VII (2002), pp. 31–48.
[29] Birman J., Ko K., Lee S. (2001), The Infimum, Supremum, and Geodesic Length of a Braid Conjugacy Class, Adv. in Math. 164 (2001), pp. 41–56.
[30] Birman J., Ko K., Lee S. (1998), A new approach to the word and conjugacy problems in the braid groups, Adv. Math. 139 (1998), pp. 322–353.
[31] Bistarelli St. (2004), Semirings for Soft Constraint Solving and Programming, Springer-Verlag, Berlin, Heidelberg, 2004.
[32] Björner A. (1995), Topological methods, chapter 34 in Handbook of Combinatorics, edited by R. Graham, M. Grötschel and L. Lovász, 1995.
[33] Blackburn S. (2009), Cryptanalysing the critical group: efficiently solving Biggs’s discrete logarithm problem, J. Math. Cryptology 3 (2009), pp. 199–203.
[34] Blackburn S. (2010), The Discrete Logarithm Problem Modulo One: Cryptanalysing the Ariffin–Abu cryptosystem, J. Math. Cryptology 4 (2010), pp. 193–198.
[35] Blackburn S., Cid C., Galbraith S. (2006), Cryptanalysis of a cryptosystem based on Drinfeld modules, IEE Proc. Inform. Security 153 (2006), pp. 12–14.
[36] Blackburn S., Cid C., Mullan C. (2011), Cryptanalysis of three matrix-based key establishment protocols, J. Math. Crypt. 5 (2011), pp. 159–168.
[37] Blackburn S., Cid C., Mullan C. (2011), Group theory in cryptography, in C. M. Campbell et al. (eds.), Proc. of Groups St Andrews 2009 in Bath, Volume 1, Cambridge University Press (2011), pp. 133–149.
[38] Blackburn S., Cid C., Mullan C. (2009), Cryptanalysis of the MST3 cryptosystem, J. Math. Crypt. 3 (2009), pp. 321–338.
[39] Blackburn S., Garefalakis T. (2001), Cryptanalysis of a cryptosystem due to Yoo, Hong, Lee, Lim, Yi and Sung, Electronics Letters 37(18) (2001), pp. 1118–1119.
[40] Blackburn S., Murphy S., Stern J. (1995), The cryptanalysis of a public key implementation of Finite Group Mappings, J. Cryptology 8 (1995), pp. 157–166.
[41] Blake I., Gao X., Mullin R., Vanstone S., Yaghoobian T. (1993), Applications of Finite Fields, Kluwer Academic Publishers, 1993.
[42] Blake I., Fuji-Hara R., Mullin R., Vanstone S. (1984), Computing Logarithms in Finite Fields of Characteristic Two, SIAM J. Disc. Math. 5(2), 1984.
[43] Blake I., Garefalakis T. (2004), On the complexity of the discrete logarithm and Diffie-Hellman problems, Journal of Complexity 20 (2004), pp. 148–170.
[44] Blaze M., Bleumer G., Strauss M. (1998), Divertible Protocols and Atomic Proxy Cryptography, EUROCRYPT ’98, LNCS 1403, 1998.
[45] Bohli J., Glas B., Steinwandt R. (2006), Algebraic Cryptosystems and Side Channel Attacks: Braid Groups and DPA, Congressus Numerantium 182 (2006), pp. 145–154.
[46] Bokut L. A., Chen Y., Mo Q. (2012), Gröbner-Shirshov bases for semirings, arXiv:1208.0538v1 [math.RA], 20 Jul 2012.
[47] Boreale M., Buscemi M. (2003), Symbolic analysis of cryptoprotocols based on modular exponentiation, Mathematical Foundations of Computer Science 2003, pp. 269–278.
[48] Brandstatter N., Winterhof A. (2006), Approximation of the discrete logarithm in finite fields of even characteristic by real polynomials, Arch. Math. 42(1) (2006), pp. 43–50.
[49] Bresson E., Chevassut O., Pointcheval D. (2002), The group Diffie-Hellman Problems, Selected Areas in Crypt. 2002, LNCS 2595, Springer.
[50] Bruns W., Herzog J. (1998), Cohen–Macaulay rings, Cambridge University Press, 1998.
[51] Buchmann J. (2001), Introduction to Cryptography, Springer-Verlag New York Inc., 2001.
[52] Buchmann J., Weber D. (2000), Discrete logarithms: recent progress, in Coding theory, cryptography and related areas, pp. 42–56, Springer, Berlin, 2000.
[53] Kahrobaei D., Lam Ha T. (2014), Heisenberg Groups as Platform for the AAG Key-Exchange Protocol, 22nd IEEE Intern. Conf. on Network Protocols (ICNP) (2014), pp. 660–664.
[54] Campagna M. (2002), Algorithms in braid groups, Advances in Mathematics 167 (2002), pp. 142–159.
[55] Cannon J., Floyd W., Parry W. (1996), Introductory notes on Richard Thompson’s groups, L’Enseignement Mathématique (2) 42 (1996), pp. 215–256.
[56] Canetti R., Hohenberger S. (2007), Chosen-Ciphertext Secure Proxy Re-Encryption, in Proc. of CCS ’07, New York, NY, USA, 2007.
[57] Cao Z. (2012), New Directions of Modern Cryptography, CRC Press, Taylor and Francis Group.
[58] Cao Z., Dong X., Wang L. (2007), New public key cryptosystems using polynomials over non-commutative rings, IACR Cryptology ePrint Archive, 2007:9.
[59] Carta-Gerardino E., Babali P. (2010), Weighted Automata and Recurrence Equations for regular languages, CoRR, 2010, Vol. abs/1007.1045.
[60] Chateauneuf M., Ling A., Stinson D. (2001), Slope Packings and Coverings and Generic Algorithms for Discrete Logarithms Problem, CORR 200160.
[61] Chen H., Shen X., Lv Y. (2011), An Implicit ElGamal Digital Signature Scheme, Journal of Software 6(7), July 2011.
[62] Cheng Q. (2005), On the Bounded Sum of Digits Discrete Logarithm Problem in Finite Fields, preprint, 2005.
[63] Cheon J., Hong J., Kim M. (2012), Accelerating Pollard’s Rho Algorithm on Finite Fields, Journal of Cryptology 25(2), 2012.
[64] Cherepnev M. (2009), On the connection between the discrete logarithms and the Diffie-Hellman problem, Discrete Mathematics and Applications 6(4), pp. 341–350.
[65] Choi S., Blackburn S., Wild P. (2007), Cryptanalysis of a homomorphic public-key cryptosystem over a finite group, J. Math. Cryptography 1 (2007), pp. 351–358.
[66] Chowdhury M. (2007), On the AAGL Protocol, arXiv:0708.2397v5 [cs.CR], 22 Nov 2007.
[67] Chowdhury M. (2007), On the Security of the Cha-Ko-Lee-Han-Cheon Braid Group Public Key Cryptosystem, arXiv:0708.2571v5 [cs.CR], 15 Nov 2007.
[68] Climent J., Ferrandez F., Vicent J., Zamora A. (2006), A Non-linear Elliptic Curve Cryptosystem Based on Matrices, Appl. Math. and Comp. 174(1), pp. 150–164, 2006.
[69] Climent J., Gorla E., Rosenthal J. (2006), Cryptanalysis of the CFVZ cryptosystem, arXiv:cs/0602037v1 [cs.CR], 10 Feb 2006.
[70] Climent J., Navarro P., Tortosa L. (2012), Key exchange protocols over noncommutative rings. The case of $\mathrm{End}(\mathbb{Z}_p \times \mathbb{Z}_{p^2})$, Int. Journal of Computer Mathematics 89(13–14), pp. 1753–1763, 2012.
[71] Cohn P. (2006), Free Ideal Rings and Localization in General Rings, Cambridge University Press, 2006.
[72] Conway J. (1971), Regular Algebra and Finite Machines, Chapman and Hall, London, 1971.
[73] Coppersmith D., Odlyzko A., Schroeppel R. (2007), Discrete logarithms in GF(p), Algorithmica 1(1–4) (2007), pp. 1–15.
[74] Coron J., Lefranc D., Poupard G. (2005), A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis, LNCS 3659 (2005), pp. 47–50.
[75] Cremers C., Schmidt B., Meier S., Basin D. (2012), Automated analysis of Diffie-Hellman protocols and advanced security properties, in Computer Security Foundations (CSF), 2012.
[76] Crosswhite G. (2012), Embracing divergence: a formalism for when your semiring is simply not complete, with applications in quantum simulation, CoRR, 2012, Vol. abs/1208.0659.
[77] Darwiche A. (2009), Modeling and Reasoning with Bayesian Networks, Cambridge University Press, 2009.
[78] Dehornoy P. (2004), Braid-based cryptography, Contemp. Math. 360 (2004), pp. 5–33.
[79] Dehornoy P. (2011), Convergence of handle reduction of braids, http://www.math.unicaen.fr/~dehornoy/Surveys/Dhn.pdf.
[80] Delfs H., Knebl H. (2007), Introduction to Cryptography, Springer-Verlag, Berlin, 2007.
[81] Desbrun M., Hirani A., Leok M., Marsden J. (2005), Discrete Exterior Calculus, arXiv:math/0508341v2 [math.DG], 18 Aug 2005.
[82] Desharnais J., Möller B., Struth G. (2011), Algebraic notion of termination, Logical Methods in Computer Science 7(1:1), 2011, pp. 1–29.
[83] Diffie W., Hellman M. (1976), New directions in cryptography, IEEE Trans. Information Theory 22 (1976), pp. 644–654.
[84] Dougherty D., Guttman J. (2013), An Algebra for Symbolic Diffie-Hellman Protocol Analysis, in C. Palamidessi and M. Ryan (eds.), Trustworthy Global Computing, LNCS, Springer, 2013.
[85] Dougherty D., Guttman J. (2013), Symbolic protocol analysis for Diffie-Hellman, arXiv preprint arXiv:1202.2168, 2012.
[86] Dougherty D., Guttman J. (2014), Decidability for Lightweight Diffie-Hellman, 2014 IEEE 27th Computer Security Foundations Symposium, pp. 217–231.
[87] Drmota M., Panario D. (2002), A Rigorous Proof of the Waterloo Algorithm for the DLP, Des. Codes and Cryptography 26, 2002.
[88] Droste M., Vogler H. (2013), The Chomsky-Schützenberger Theorem for Quantitative Context-Free Languages, in DLT, LNCS vol. 7907, pp. 203–214, Springer, 2013.
[89] Durcheva M., Karailiev K. (2017), New public key cryptosystem based on quaternions, AIP Conference Proceedings 1910, 060014 (2017).
[90] Dwivedi A., Ojha D., Sharma A., Mishra A. (2011), A Key-Agreement Protocol using Polynomials Root Problem over Non-Commutative Division Semirings, Int. J. of Computer Information Systems 2(3), 2011, pp. 60–69.
[91] Dynnikov I., Wiest B. (2007), On the complexity of braids, J. of the Europ. Math. Soc. 9(4) (2007), pp. 801–840.
[92] Eick B., Kahrobaei D. (2004), Polycyclic groups: A new platform for cryptology?, arxiv.org/abs/math.GR/0411077.
[93] ElGamal T. (1985), A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory 31 (1985), pp. 469–472.
[94] van Tilborg H. (ed.) (2005), Encyclopedia of Cryptography and Security, Springer Science + Business Media, Inc., 2005.
[95] Enge A., Gaudry P. (2002), A General Framework for Subexponential Discrete Logarithm Algorithms, Acta Arithmetica 102 (2002), pp. 83–103.
[96] Eriksson N., Ranestad K., Sturmfels B., Sullivant S. (2005), Phylogenetic algebraic geometry, in Projective varieties with unexpected properties, 2005, pp. 237–255.
[97] Escobar S., Meadows C., Meseguer J. (2008), State space reduction in the Maude-NRL protocol analyzer, Computer Security – ESORICS 2008, pp. 548–562, 2008.
[98] Escobar S., Meadows C., Meseguer J. (2009), Maude-NPA: Cryptographic protocol analysis modulo equational properties, Foundations of Security Analysis and Design V, pp. 1–50, 2009.
[99] Ésik Z., Maletti A. (2010), Simulation vs. Equivalence, arXiv:1004.2426v1 [cs.FL], 14 Apr 2010.
[100] Ferrario D., Piccinini R. (2011), Simplicial Structures in Topology, Springer, New York, USA, 2011.
[101] Fierens D., Van den Broeck G., Thon I., Gutmann B., De Raedt L. (2011), Inference in probabilistic logic programs using weighted CNF’s, in Proc. of 27th Conf. on Uncertainty in Artificial Intelligence, pp. 211–220.
[102] Fine B., Habeeb M., Kahrobaei D., Rosenberger G. (2011), Aspects of Nonabelian Group Based Cryptography: A Survey and Open Problems, Groups-Complexity-Cryptology, arXiv:1103.4093v2 [cs.CR], 22 Mar 2011.
[103] Fine B., Myasnikov A., Rosenberger G. (2009), Generic Subgroups of Group Amalgams, Groups-Complexity-Cryptology 1(1) (2009), pp. 51–61.
[104] Fiore M., Abadi M. (2001), Computing symbolic models for verifying cryptographic protocols, in Comp. Security Found. Workshop, June 2001.
[105] Flaška V. (2009), One very particular example of a congruence-simple semiring, European Journal of Combinatorics 30, 2009, pp. 759–763.
[106] Flaška V., Kepka T., Šaroch J. (2005), Bi-ideal-simple semirings, Comment. Math. Univ. Carolin. 46(3), 2005, pp. 391–397.
[107] Frey G. (2004), On the Relation between Brauer Groups and Discrete Logarithms, unpublished manuscript.
[108] Fülöp Z., Vogler H. (2012), Characterizing Weighted MSO for Trees by Branching Transitive Closure Logics, arXiv:1208.5317v1 [cs.FL], Aug 2012.
[109] Fujisaki E., Okamoto T. (1999), How to enhance the security of public key encryption at minimum cost, in H. Imai and Y. Zheng (eds.), Public Key Cryptography, LNCS 1560, pp. 53–68, Springer, 1999.
[110] Galbraith S. (2012), Cryptosystems Based on Lattices, Cambridge University Press, 2012.
[111] Galbraith S. (2012), Mathematics of Public Key Cryptography, Cambridge University Press, 2012.
[112] Galbraith S., Paterson K., Smart N. (2008), Pairings for cryptographers, Disc. Appl. Math. 156 (2008), pp. 3113–3121.
[113] Galbraith S., Pollard J., Ruprai R. (2012), Computing discrete logarithms in an interval, Math. of Computation, 2012.
[114] Galbraith S., Rotger V. (2004), Easy decision Diffie-Hellman groups, LMS J. Comput. Math. 7 (2004), pp. 201–218.
[115] Galbraith S., Ruprai R. (2010), Using Equivalence Classes to Accelerate Solving the Discrete Logarithm Problem in a Short Interval, in P. Nguyen, D. Pointcheval (eds.), PKC 2010, Springer LNCS 6056 (2010), pp. 368–383.
[116] Garber D. (2009), Braid Group Cryptography, arXiv:0711.3941v2 [cs.CR], 27 Sep 2008.
[117] Garber D., Kaplan S., Teicher M. (2002), A new algorithm for solving the word problem in braid groups, Adv. Math. 167(1) (2002), pp. 142–159.
[118] Garefalakis T., Panario D. (2001), The Index Calculus Method Using Non-Smooth Polynomials, Math. of Comp. 70(235) (2001), pp. 1253–1264.
[119] Garzon M., Zalcstein Y. (1991), The complexity of Grigorchuk groups with application to cryptography, Theoretical Comp. Sc. 88(1) (1991), pp. 83–98.
[120] Gebhardt V. (2005), A new approach to the conjugacy problem in Garside groups, J. Algebra 292(1) (2005), pp. 282–302.
[121] Gennaro R., Jarecki S. (2007), Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, J. Cryptology 20 (2007), pp. 51–83.
[122] Golan J. (1999), Semirings and Their Applications, Kluwer, Dordrecht, 1999.
[123] Golan J. (2005), Some recent applications of semiring theory, Int. Conf. on Algebra in Memory of Kostia Beidar, National Cheng Kung University, Tainan, 2005.
[124] Goldfeld D., Gunnells P. (2012), Defeating the Kalka-Teicher-Tsaban linear algebra attack on the algebraic eraser, arXiv:1202.0598v1 [cs.CR], 3 Feb 2012.
[125] Goldreich O., Goldwasser S., Halevi S. (1997), Public-key cryptosystems from lattice reduction problems, in Advances in Cryptology – CRYPTO ’97, 17th Annual Int. Cryptology Conf., Santa Barbara, CA, USA, August 17–21, 1997, Proc., pp. 112–131.
[126] Goldwasser S., Micali S. (1982), Probabilistic encryption and how to play mental poker keeping secret all partial information, in Proc. of the 14th Annual ACM Symposium on Theory of Computing, May 5–7, 1982, San Francisco, CA, USA, pp. 365–377.
[127] Göloğlu F., Granger R., McGuire G., Zumbrägel J. (2013), On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in $\mathbb{F}_{2^{1971}}$, Advances in Cryptology – CRYPTO 2013, LNCS 8043 (2013), pp. 109–128.
[128] González-Manchón P. (2007), There exist conjugate simple braids whose associated permutations are not strongly conjugate, Math. Proc. Cambridge Phil. Soc. 143 (2007), pp. 663–667.
[129] González-Meneses J., Gebhardt V. (2007), On the cycling operation in braid groups, arXiv:0704.2600v1 [math.GT], 19 Apr 2007.
[130] González-Vasco M., Steinwandt R. (2004), A reaction attack on a public key cryptosystem based on the word problem, Applicable Algebra in Engineering, Communication and Computing 14 (2004), pp. 335–340.
[131] González-Vasco M., Hofheinz D., Martínez C., Steinwandt R. (2004), On the security of two public key cryptosystems using nonabelian groups, Des. Codes Crypt. 32 (2004), pp. 207–216.
[132] Gordon D. (1992), Discrete Logarithms in GF(p) using the Number Field Sieve, preprint, Feb. 1992.
[133] Goubault-Larrecq J., Roger M., Verma K. (2005), Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically, Journal of Logic and Algebraic Programming 64(2), pp. 219–251, 2005.
[134] Granger R., Vercauteren F. (2005), On the Discrete Logarithm Problem on Algebraic Tori, CRYPTO 2005, LNCS 3621 (2005), pp. 66–85.
[135] Grigoriev D., Ponomarenko I. (2004), Homomorphic public-key cryptosystems over groups and rings, in Compl. of computations and proofs, Quaderni di Matematica 13, 2004, pp. 305–325.
[136] Grigoriev D., Ponomarenko I. (2005), Constructions in public-key cryptography over matrix groups, arXiv:math/0506180v1 [math.GR], 10 Jun 2005.
[137] Groch A., Hofheinz D., Steinwandt R. (2006), A practical attack on the root problem in braid groups, Contemp. Math. 418 (2006), pp. 121–131.
[138] Habeeb M., Kahrobaei D., Shpilrain V. (2010), A public key exchange using semidirect products of groups, Proceedings of SCC 2010, pp. 137–141.
[139] Hardouin L., Cottenceau B., Lhommeau M., Le Corronc E. (2013), Interval systems over idempotent semiring, arXiv:1306.1136v1 [math.OC].
[140] Harel D. (1979), First-Order Dynamic Logic, LNCS 68, Springer-Verlag, Berlin, 1979.
[141] Hatcher A. (2002), Algebraic Topology, Cambridge University Press, 2002.
[142] Hebisch U., Weinert H. J. (1998), Semirings: Algebraic Theory and Applications in Computer Science, Series in Algebra vol. 5, World Scientific Publishing Co. Inc., River Edge, NJ, 1998.
[143] Heidergott B., Olsder G., van der Woude J. (2005), Max Plus at Work: Modeling and Analysis of Synchronized Systems. A Course on Max-Plus Algebra, Princeton University Press, Princeton, 2005.
[144] Hellman D., Reyneri J. (1998), Fast Computation of Discrete Logarithms in GF(q), Springer-Verlag, 1998.
[145] Hept K., Theobald Th. (2009), Tropical bases by regular projections, Proc. Amer. Math. Soc. 137(7), 2009, pp. 2233–2241.
[146] Hoare C. (1969), An axiomatic basis for computer programming, Comm. ACM 12, 1969, pp. 576–580.
[147] Hoffstein J., Pipher J., Silverman J. (1998), NTRU: A ring-based public key cryptosystem, in Algorithmic Number Theory, pp. 267–288, Springer, 1998.
[148] Hoffstein J., Pipher J., Silverman J. (2008), An Introduction to Mathematical Cryptography, Springer Science + Business Media, LLC, 2008.
[149] Hofheinz D., Steinwandt R. (2003), A practical attack on some braid group based cryptographic primitives, 6th Workshop on Practice and Theory in Public Key Cryptography, PKC 2003 Proc., Desmedt (ed.), LNCS 2567, pp. 187–198.
[150] Hughes J., Tannenbaum A. (2002), Length-Based Attacks for Certain Group Based Encryption Rewriting Systems, Workshop SECI02 Sécurité de la Communication sur Internet, Sept. 2002, Tunis.
[151] Hurley B., Hurley T. (2011), Group ring cryptography, arXiv:1104.1724v1 [math.GR], 9 Apr 2011.
[152] Ilić V. (2011), Entropy Semiring Forward-Backward Algorithm for HMM Entropy Computation, arXiv:1108.0347v1 [cs.IT], 1 Aug 2011.
[153] Ilić I., Magliveras S. (2011), Crypto applications of combinatorial group theory, Info. Security, Coding Th. and Related Combinatorics, D. Crnković, V. Tonchev (eds.), ASI-NATO volume, IOS Press (2011), pp. 1–16.
[154] Ilić I., Magliveras S. (2010), Weak discrete logarithms in non-abelian groups, Journal Comb. Math. and Comb. Computing (JCMCC) 74 (2010), pp. 3–11.
[155] Ilić I., Magliveras S. (2009), Generalized discrete logarithm problem in finite non-abelian groups, Crypt., Des. and Finite Groups – CDFG 2009.
[156] Jacobson M. Jr. (2000), Computing Discrete Logarithms in Quadratic Orders, J. Cryptology 13 (2000), pp. 473–492.
[157] Ježek J., Kepka T. (2009), The semiring of 1-preserving endomorphisms of a semilattice, Czechoslovak Mathematical Journal 59(134), 2009, pp. 999–1003.
[158] Ježek J., Kepka T., Maróti M. (2009), The endomorphism semiring of a semilattice, Semigroup Forum 78, 2009, pp. 21–26.
[159] Joux A. (2013), A new index-calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic, Selected Areas in Cryptography – SAC 2013, LNCS 8282 (2014), pp. 355–379.
[160] Joux A., Lercier R. (2001), Discrete Logarithms in GF(2), preprint, Sep 2001.
[161] Joux A., Lercier R., Smart N., Vercauteren F. (2006), The Number Field Sieve in the Medium Prime Case, CRYPTO 2006, LNCS 4117, Springer, 2006.
[162] Joux A., Pierrot C. (2016), Technical history of discrete logarithms in small characteristic finite fields – the road from subexponential to quasi-polynomial complexity, Des. Codes Crypto 78(1), pp. 73–85, 2016.
[163] Kahrobaei D., Khan B. (2006), A Non-Commutative Generalization of the ElGamal Key Exchange using Polycyclic Groups, Proceedings of IEEE GLOBECOM, 2006, pp. 1–5.
[164] Kala V., Kepka T. (2007), Simple semirings, Bakalářská práce (bachelor thesis), 2007.
[165] Kala V., Kepka T. (2008), A note on finitely generated ideal-simple commutative semirings, Comment. Math. Univ. Carolin. 49, 2008, pp. 1–9.
[166] Kala V., Korbelář M. (2010), Congruence-simple subsemirings of , Semigroup Forum 81, 2010, pp. 286–296.
[167] Kala V., Kepka T., Korbelář M., Phillips J. D. (2009), Various subsemirings of the field Q of rational numbers, Acta Univ. Carolin. Math. Phys. 50(1), 2009, pp. 29–59.
[168] Kambites M., Render E. (2007), Rational semigroup automata, arXiv:0708.0947v1 [math.RA], 7 Aug 2007.
[169] Katsov Y., Nam T. G., Zumbrägel J. (2011), On Simpleness of Semirings and Complete Semirings, arXiv:1105.5591v1 [math.RA], 27 May 2011.
[170] Katz J., Lindell Y. (2008), Introduction to Modern Cryptography, Chapman & Hall/CRC Press, 2008.
[171] Kiltz E., Winterhof A. (2006), Polynomial interpolation of cryptographic functions related to Diffie-Hellman and DLP, Disc. Appl. Math. 154 (2006).
[172] Kim J., Montenegro R., Tetali P. (2007), Near Optimal Bounds for Collision in Pollard Rho for Discrete Log, in Foundations of Computer Science (FOCS), pp. 215–223, IEEE (2007).
[173] Klingler L., Magliveras S., Richman F., Sramka M. (2008), Discrete logarithms for finite groups, Computing 85(1–2), June 2009, pp. 3–19.
[174] Ko K., Lee S., Cheon J., Han J., Kang J., Park C. (2000), New public-key cryptosystem using braid group, Advances in Cryptology – CRYPTO 2000 (M. Bellare, ed.), LNCS 1880, Springer, Berlin, 2000, pp. 166–183.
[175] Koblitz N. (1987), Elliptic curve cryptosystems, Mathematics of Computation 48(177), pp. 203–209, 1987.
[176] Koblitz N., Menezes A., Shparlinski I. (2011), Discrete Logarithms, Diffie-Hellman and Reductions, Vietnam J. Math. 39 (2011), pp. 267–285.
[177] Koh J. (2006), Cryptosystems using commuting pairs in a monoid, US Patent 7136484, Nov. 14, 2006.
[178] Konyagin S., Lange T., Shparlinski I. (2003), Linear Complexity of the Discrete Logarithm, Des. Codes and Crypt. 28 (2003), pp. 135–146.
[179] Kumar G., Saini H. (2017), Novel Noncommutative Cryptography Scheme Using Extra Special Group, Hindawi Security and Communication Networks, Vol. 2017, Article ID 9036382.
[180] Kurt Y. (2006), A New Key Exchange Primitive Based on the Triple Decomposition Problem, http://eprint.iacr.org/2006/378.
[181] LaMacchia B., Odlyzko A. (1991), Computation of Discrete Logarithms in Prime Fields, Des. Codes and Crypt. 1 (1991), pp. 47–62.
[182] Lange T., Winterhof A. (2003), Interpolation of the discrete logarithm in $\mathbb{F}_q$ by Boolean functions and by polynomials in several variables modulo a divisor of $q-1$, Disc. Appl. Math. 128 (2003).
[183] Lee E., Lee S. (2008), Abelian subgroups of Garside groups, Comm. Alg. 36(3), pp. 1121–1139.
[184] Lempken W., Magliveras S., van Trung T., Wei W. (2009), A public key cryptosystem based on non-abelian finite groups, J. Cryptology 22 (2009), pp. 62–74.
[185] Lempken W., van Trung T. (2005), On minimal logarithmic signatures of finite groups, J. Exp. Math. 14 (2005), pp. 257–269.
[186] Lenstra A., Verheul E. (2001), Selecting Cryptographic Key Sizes, J. of Cryptology 14 (2001).
[187] Levy-dit-Vehel F., Perret L. (2010), Security analysis of word problem-based cryptosystems, Des. Codes Crypto 54(1) (2010), pp. 29–41.
[188] Libert B., Vergnaud D. (2008), Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption, in R. Cramer (ed.), PKC 2008, LNCS 4939, pp. 360–379, Springer, Heidelberg (2008).
[189] Lidl R., Niederreiter G. (1985), Finite Fields, Cambridge University Press, 1985.
[190] Magliveras S. (2002), Secret and public-key cryptosystems from group factorizations, Tatra Mt. Math. Publ. 25 (2002), pp. 1–12.
[191] Magliveras S. (1986), A Cryptosystem from Logarithmic Signatures of Finite Groups, in Proc. of the 29th Midwest Symposium on Circuits and Systems, Elsevier Publ. Co., 1986, pp. 972–975.
[192] Magliveras S., Stinson D., van Trung T. (2002), New approaches to designing public key cryptosystems using one-way functions and trapdoors in finite groups, J. Cryptology 15 (2002), pp. 167–183.
[193] Magliveras S., Svaba P., van Trung T., Zajac P. (2008), On the security of a realization of cryptosystem MST3, Tatra Mt. Math. Publ. 41 (2008), pp. 65–78.
[194] Magliveras S., van Trung T., Wei W., Hoffman F. (2004), Cryptographic primitives based on groups of hidden order, Tatra Mt. Math. Publ. (2004), pp. 147–155.
[195] Mahalanobis A. (2009), The discrete logarithm problem in the group of non-singular circulant matrices, arXiv:0905.3135v2 [cs.CR], 21 Sep 2009.
[196] Mahalanobis A. (2011), The ElGamal cryptosystem over circulant matrices, arXiv:1109.6416v2 [cs.CR], 17 Oct 2011.
[197] Mahalanobis A. (2015), The MOR cryptosystem and finite p-groups, Contemporary Mathematics 633, 2015, pp. 81–95.
[198] Mahalanobis A. (2011), The MOR cryptosystem and extra-special p-groups, Journal of Discrete Mathematical Sciences and Cryptography.
[199] Mames C., Paillier P., Pointcheval D. (2006), Encoding-Free ElGamal Encryption Without Random Oracles, PKC 2006, LNCS, Springer, 2006.
[200] Matucci F. (2008), Cryptanalysis of the Shpilrain-Ushakov Protocol for Thompson’s Group, Journal of Cryptology, 2008.
[201] Maurer U., Wolf S. (1999), The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms, SIAM J. Comp. 28(5).
[202] Maze G., Monico C., Rosenthal J. (2007), Public key cryptography based on semigroup actions, Advances in Mathematics of Communications 1(4), 2007, pp. 489–507.
[203] Maze G., Monico C., Rosenthal J. (2002), Public key cryptography based on simple modules over simple rings, in Proc. of the 15th Int. Symp. on the Math. Theory of Networks and Systems (eds. D. Gilliam and J. Rosenthal), University of Notre Dame, August 2002, pp. 1–8.
[204] Maze G., Monico C., Rosenthal J. (2002), A Public Key Cryptosystem Based on Actions by Semigroups, ISIT 2002, Lausanne, Switzerland, June 30 – July 5, 2002.
[205] McEliece R. J. (1978), A public-key cryptosystem based on algebraic coding theory, Deep Space Network Progress Report 44, pp. 114–116, 1978.
[206] Meidl W., Winterhof A. (2001), Lower Bounds on the Linear Complexity of the Discrete Log in Finite Fields, IEEE Trans. on Inform. Theory 47, 2001.
[207] Meier A. (2005), The ElGamal Cryptosystem, CRC Press, New York, USA, 2005.
[208] Meletiou G. (2009), Polynomial Interpolation of the k-th root of the Discrete Logarithm, A.T.E.I. of Epirus, Arta, Greece.
Semirings as Building Blocks in Cryptography
45
[209] Meletiou G. (1993), Explicit Form for the Discrete Log over the Field GF(p,k), Arch. Math. (Brno) 29, 1993.
[210] Menezes A., van Oorschot P., Vanstone S. (1997), Handbook of Applied Cryptography, Series on Discrete Math. and its Appl., CRC Press, Boca Raton, 1997.
[211] Merkle R., Hellman M. (1978), Hiding information and signatures in trapdoor knapsacks, IEEE Transactions on Information Theory 24 (5), 525–530, 1978.
[212] Millen J., Shmatikov V. (2001), Constraint solving for bounded-process cryptographic protocol analysis, in 8th ACM Conference on Computer and Communications Security, pp. 166–175, ACM, 2001.
[213] Miller V. (1985), Use of elliptic curves in cryptography, in Advances in Cryptology, CRYPTO'85 Proc., pp. 417–426, Springer, 1985.
[214] Miller S., Venkatesan R. (2006), Spectral Analysis of Pollard Rho Collisions, preprint, Apr. 2006.
[215] Mironov I., Mityagin A., Nissim K. (2006), Hard Instances of the Constrained Discrete Logarithm Problem, ANTS VII, LNCS 4076, 2006.
[216] Mitchell S., Fenoglio P. (1988), Congruence-free commutative semirings, Semigroup Forum 37 (1988), no. 1, 79–91.
[217] Monico C. (2004), On finite congruence-simple semirings, Journal of Algebra 271, 2004, 846–854.
[218] Monico C., Neusel M. (2014), Cryptanalysis of a system using matrices over group rings, preprint, April 2014.
[219] Mullan C. (2012), Some results in group-based cryptography, Technical Report RHUL-MA-2012-1, 10 January 2012.
[220] Mullan C. (2011), Cryptanalysing variants of Stickel's key agreement protocol, J. Math. Crypt. 4 (4) (2011), 365–373.
[221] Mullen G., Panario D. (eds.) (2011), Handbook of Finite Fields, Chapman & Hall/CRC Press, 2011.
[222] Mullen G., White D. (1986), A Polynomial Representation for Logs in GF(q), Acta Arithmetica, 1986.
[223] Myasnikov A., Romankov V. (2015), A linear decomposition attack, Groups Complexity Cryptology 7 (1), 81–94, 2015.
[224] Myasnikov A., Ushakov A. (2007), Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol, Public Key Cryptography – PKC 2007 (T. Okamoto, X. Wang, eds.), LNCS 4450 (Springer, Berlin, 2007), 76–88.
[225] Myasnikov A., Ushakov A. (2008), Random subgroups and analysis of the length-based and quotient attacks, J. Math. Crypt. 2 (2008), pp. 29–61.
Bibliography to Chapter One and Chapter Two
[226] Myasnikov A., Shpilrain V., Ushakov A. (2008), Group-based Cryptography, Advanced Courses in Mathematics CRM Barcelona (Birkhäuser, Basel, 2008).
[227] Myasnikov A., Shpilrain V., Ushakov A. (2011), Non-commutative Cryptography and Complexity of Group-theoretic Problems, Amer. Math. Soc. Surveys and Monographs, 2011.
[228] Nechaev V. (1994), Complexity of a Determinate Algorithm for the Discrete Logarithm, Mathematical Notes 55 (2), 1994.
[229] Nguyen P. (2004), Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard, Eurocrypt'04.
[230] Niederreiter H. (2002), Incomplete Character Sums and Polynomial Interpolation of the Discrete Log, Finite Fields and Their Appl. 8 (2002).
[231] Novikov P. S. (1955), On the algorithmic unsolvability of the word problem in group theory, Trudy Mat. Inst. Steklov 44 (1955), 1–143.
[232] NSA (2015), Cryptography today: Memorandum on Suite B cryptography, 2015, https://www.nsa.gov/ia/programs/suiteb_cryptography/.
[233] Odlyzko A. (2000), Discrete logarithms: The past and the future, Des. Codes Crypt. 19 (2000).
[234] Ojha D., Pandey N., Kumar A., Kumar B. (2010), Commitment scheme on polynomials over division semiring, Int. J. of Adv. Eng. Sci. and Tech., Vol. 1, Issue 1, 2010, 61–63.
[235] van Oorschot P., Wiener M. (1999), Parallel Collision Search with Cryptanalytic Applications, J. of Cryptology 12 (1999).
[236] Paar C., Pelzl J. (2010), Understanding Cryptography, Springer-Verlag, Berlin Heidelberg, 2010.
[237] Padmavathy R., Bhagvati C. (2011), Discrete logarithm problem using index calculus method, Math. and Comp. Modelling, 2011.
[238] Paeng S., Ha K., Kim J., Chee S., Park C. (2001), New public key cryptosystem using finite non abelian groups, Advances in Cryptology: Proc. of CRYPTO 2001, LNCS 2139, Springer-Verlag (2001), 470–485.
[239] Paillier P., Vergnaud D. (2005), Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log, ASIACRYPT'05, LNCS 3788, Springer, 2005.
[240] Perrin D., Pin J.-E. (2004), Infinite words, automata, semigroups, logic and games, Elsevier Academic Press, 2004.
[241] Petrides G. (2003), Cryptanalysis of the Public Key Cryptosystem Based on the Word Problem on the Grigorchuk Groups, 9th IMA Int. Conf. on Cryptography and Coding, LNCS 2898, pp. 234–244, Springer, Berlin, 2003.
[242] Pohlig S., Hellman M. (1978), An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance, IEEE Trans. on Inf. Theory, 1978.
[243] Pointcheval D., Stern J. (2000), Security Arguments for Digital Signatures and Blind Signatures, J. of Cryptology 13 (3), Springer, 2000.
[244] Polák L. (2001), Syntactic semiring of a language (extended abstract), in Mathematical Foundations of Computer Science 2001 (Mariánské Lázně), Vol. 2136 of LNCS, Springer, Berlin, 2001, pp. 611–620.
[245] Polák L. (2003), Syntactic semiring and language equations, in Implementation and Application of Automata, Vol. 2608 of LNCS, Springer, Berlin, 2003, 182–193.
[246] Polák L. (2003), Syntactic semiring and universal automaton, in Developments in Language Theory, Vol. 2710 of LNCS, Springer, Berlin, 2003, 411–422.
[247] Pollard J. (2000), Kangaroos, Monopoly and Discrete Logarithms, J. of Cryptology 13 (2000), 437–447.
[248] Pollard J. (1978), Monte Carlo Methods for Index Computation mod p, Math. of Comp. 32 (143), 1978.
[249] Rabin M. (1979), Digitalized signatures and public-key functions as intractable as factorization, MIT Technical Report, 1979.
[250] Rabiner L. (1989), A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition, Proceedings of the IEEE, 1989, 257–286.
[251] Ribenboim P. (1996), The New Book of Prime Number Records, Springer-Verlag, New York, 1996.
[252] Richter-Gebert J., Sturmfels B., Theobald T. (2005), First steps in tropical geometry, in Idempotent Mathematics and Mathematical Physics, Vol. 377 of Contemp. Math., Amer. Math. Soc., 2005, 289–317.
[253] Rivest R., Shamir A., Adleman L. (1978), A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM 21 (2), 120–126, 1978.
[254] Rhodes J., Steinberg B. (2007), The q-theory of Finite Semigroups, Springer, 2007.
[255] Ruinskiy D., Shamir A., Tsaban B. (2007), Cryptanalysis of group-based key agreement protocols using subgroup distance functions, PKC 2007, Springer LNCS 4450 (2007), 61–75.
[256] Sakalauskas E. (2004), New digital signature scheme in Gaussian monoid, Informatica, 2004, Vol. 15, No. 2, 251–270.
[257] Sakalauskas E., Burba T. (2003), Basic semigroup primitive for cryptographic session key exchange protocol (SKEP), Information Technology and Control, ISSN 1392-124X, No. 3 (28), 2003.
[258] Sakalauskas E., Burba T. (2004), Digital signature scheme based on action of infinite ring, in Informacines Technologijos Ir Valdymas, 2004, Nr. 2 (31), 60–64.
[259] Sakalauskas E., Tvarijonas P., Raulynaitis A. (2007), Key Agreement Protocol (KAP) Using Conjugacy and Discrete Logarithm Problems in Group, Informatica, 2007, Vol. 18, No. 1, 115–124.
[260] Salomaa A., Soittola M. (1978), Automata-theoretic Aspects of Formal Power Series, Springer-Verlag, Berlin, 1978.
[261] Samardziska S., Markovski S., Gligoroski D. (2010), Multivariate quasigroups defined by T-functions, Proceedings of SCC 2010, 117–127.
[262] Schützenberger M. (1961), On the definition of a family of automata, Inform. Control 4, 1961, 245–270.
[263] Schirokauer O. (1993), Discrete Logarithms and Local Units, Phil. Trans. R. Soc. Lond. A 345 (1676), 1993.
[264] Schirokauer O. (1999), Using Number Fields to Compute Logarithms in Finite Fields, Math. of Comp. 69 (231), 1999.
[265] Schirokauer O. (2002), The Special Function Field Sieve, SIAM J. Discrete Math. 16 (4), 2002.
[266] Schirokauer O. (2008), The Impact of the Number Field Sieve on the DLP in Finite Fields, Alg. Number Theory, v. 44, 2008.
[267] Schirokauer O. (2010), The Number Field Sieve for Integers of Low Weight, Math. of Comp. 79 (269), 2010.
[268] Schirokauer O., Weber D., Denny T. (1996), Discrete Logarithms: The Effectiveness of the Index Calculus Method, Springer-Verlag (1996), 337–361.
[269] Schnorr C. (1989), Efficient identification and signatures for smart cards, CRYPTO'89, LNCS, Springer, 1989.
[270] Schnorr C. (2000), Small Generic Hardcore Subsets for the Discrete Log: Short Secret DL-Keys, presented at the rump session of Eurocrypt 2000.
[271] Shanks D. (1971), Class number, a theory of factorization, and genera, Proc. Sympos. Pure Math. 20, AMS, Providence, 1971.
[272] Shcherbacov V. (2010), Quasigroups in cryptology, arXiv:1007.3572v1 [math.GR], 21 Jul 2010.
[273] Shor P. W. (1997), Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (5), 1484–1509, 1997.
[274] Shoup V. (1997), Lower Bounds for Discrete Logarithms and Related Problems, EUROCRYPT'97, LNCS 1233, Springer, 1997.
[275] Shparlinski I. (1999), Finite Fields: Theory and Computation, Kluwer Academic Publishers, 1999.
[276] Shpilrain V. (2006), Hashing with polynomials, Information Security and Cryptology – ICISC 2006, LNCS 4296, pp. 22–28, Springer, 2006.
[277] Shpilrain V. (2004), Assessing security of some group based cryptosystems, Contemp. Math. 360 (2004), 167–177.
[278] Shpilrain V. (2008), Cryptanalysis of Stickel's key exchange scheme, in Computer Science – Theory and Applications (E. A. Hirsch et al., eds.), LNCS 5010 (Springer, Berlin, 2008), 283–288.
[279] Shpilrain V. (2011), Sublinear time algorithms in the theory of groups and semigroups, arXiv:1105.3252v1 [math.GR], 17 May 2011.
[280] Shpilrain V., Ushakov A. (2006), The conjugacy search problem in public key cryptography: unnecessary and insufficient, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 285–289.
[281] Shpilrain V., Ushakov A. (2005), Thompson's group and public key cryptography, Lecture Notes Comp. Sci. 3531 (2005), 151–164.
[282] Shpilrain V., Ushakov A. (2006), A new key exchange protocol based on the decomposition problem, Algebraic Methods in Cryptography, Contemporary Mathematics 418, pp. 161–167, American Mathematical Society, 2006.
[283] Shpilrain V., Zapata G. (2009), Using decision problems in public key cryptography, Groups, Complexity, and Cryptology 1 (2009), 33–49.
[284] Shpilrain V., Zapata G. (2006), Using the subgroup membership search problem in public key cryptography, Algebraic Methods in Cryptography, Contemporary Mathematics 418, pp. 169–179, American Mathematical Society, 2006.
[285] Shpilrain V., Zapata G. (2006), Combinatorial group theory and public key cryptography, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 291–302.
[286] Sibert H., Dehornoy P., Girault M. (2006), Entity authentication schemes using braid word reduction, Discrete Appl. Mathematics 154 (2006), 420–436.
[287] Sidelnikov V. M., Cherepnev M. A., Yashcenko V. Y. (1994), Systems of open distribution of keys on the basis of noncommutative semigroups, Russian Acad. Sci. Dokl. Math. 48 (2) (1994), 384–386.
[288] Silverberg A. (2008), Applications to cryptography of twisting commutative algebraic groups, Discrete Appl. Math. 156 (2008), pp. 3122–3138.
[289] Singhi N., Singhi N., Magliveras S. (2010), Minimal logarithmic signatures for groups of Lie type, Des. Codes Cryptogr. (DCC) 55 (2010), pp. 243–260.
[290] Slavin K. R. (2007), Public key cryptography using matrices, February 2007, US Patent 10260818.
[291] Sramka M. (2008), On the Security of Stickel's Key Exchange Scheme, J. Comb. Math. Comb. Comput. 66, 151–159 (2008).
[292] Stanley R. (1999), Enumerative Combinatorics, Vol. 2, Cambridge University Press, 1999.
[293] Stanley R. (2009), Bijective proof problems, http://www-math.mit.edu/~rstan/bij.pdf, 2009.
[294] Stein A., Teske E. (2005), Optimized Baby Step-Giant Step Methods, J. Ramanujan Math. Soc. 20, no. 1 (2005), pp. 1–32.
[295] Stickel E. (2005), A new public-key cryptosystem in non abelian groups, Proc. of the 13th International Conference on Information Technology and Applications (2005), 426–430.
[296] Stinson D. (2006), Cryptography: Theory and Practice, Chapman & Hall/CRC Press, 2006.
[297] Stinson D. (2001), Some Baby-Step Giant-Step Algorithms for the Low Hamming Weight DLP, Math. of Comp. 71 (237), 2001.
[298] Sturmfels B., Tevelev J. (2008), Elimination theory for tropical varieties, Math. Res. Lett. 15 (3), 2008, 543–562.
[299] Sturmfels B., Yu J. (2008), Tropical implicitization and mixed fiber polytopes, in Software for Algebraic Geometry, Vol. 148 of IMA Vol. Math. Appl., Springer, New York, 2008, 111–131.
[300] Sutherland A. (2012), Structure computation and discrete logarithms in finite abelian p-groups, Mathematics of Comput. 80 (2011), 477–500.
[301] Szigeti J. (2008), Linear algebra in lattices and nilpotent endomorphisms of semisimple modules, Journal of Algebra 319, 2008, pp. 296–308.
[302] Terr D. (1999), A Modification of Shanks' Baby-Step Giant-Step Algorithm, Math. of Comp. 69 (230), 1999.
[303] Teske E. (2001), Square-Root Algorithms for the DLP (a Survey), preprint, Jan. 2001.
[304] Thomas T., Lal A. (2006), Group signature schemes using braid groups, preprint arXiv:cs.CR/0602063, 2006.
[305] Thomé E. (2002), Discrete Logarithms in GF(2^607), 2002/02/23, e-mail to the NMBRTHRY mailing list, short computation report.
[306] Tillich J., Zémor G. (1994), Hashing with SL2, Advances in Cryptology – CRYPTO 1994, LNCS 839, pp. 40–49, Springer, 1994.
[307] Trendafilov I., Durcheva M. (2012), The Discrete Logarithm Problem in Finite Fields, Proc. of the Technical University-Sofia, v. 2, book 2, 2012.
[308] Trendafilov I., Durcheva M. (2010), Discrete logarithms in finite fields – some algorithms for computing. New public key cryptosystem, AMEE, 36th Int. Conf., AIP Conf. Proc., Vol. 1293 (2010), 295–302.
[309] Trendafilov I., Durcheva M. (2012), The discrete logarithm problem and cryptography using some algebras (groups, semigroups, semirings), Proceedings of the Technical University of Sofia, v. 62, book 1, 2012.
[310] Trendafilov I., Durcheva M. (2011), New Public Key Cryptosystem Based on Semirings and Semimodules, AMEE, 37th Int. Conf., AIP Conf. Proc., Vol. 1410, 2011, 331–338.
[311] Tsiounis Y., Yung M. (1998), On the Security of ElGamal Based Encryption, PKC'98, LNCS 1431 (1998).
[312] Uno M., Kano M. (2007), Visual Cryptography Schemes with Dihedral Group Access Structure for Many Images, in Dawson E., Wong D. (eds.), Information Security Practice and Experience, ISPEC 2007, LNCS 4464, Springer, Berlin, Heidelberg.
[313] Upadhyay S., Kumar S., Lal R. (2011), Public key protocol based on amalgamated free product, arXiv:1105.1086v1 [cs.CR], 16 Apr. 2011.
[314] U.S. Department of Commerce, NIST, Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips186-2-change1.pdf.
[315] Ustimenko V. (2014), On algebraic graphs, optimization problems and new multivariate cryptosystems over various rings, NATO ASI, Ohrid, 2014.
[316] Vandiver H. S. (1934), Note on a simple type of algebra in which the cancellation law of addition does not hold, Bull. Amer. Math. Soc. 40 (1934), 914–920.
[317] Vasilenko (2003), Number-Theoretical Algorithms in Cryptography (in Russian), M., 2003.
[318] Vitkus P., Sakalauskas E., Listopadskis N., Vitkiene R. (2012), Microprocessor Realization of Key Agreement Protocol Based on Matrix Power Function, Electronics and Electrical Engineering, 2012, No. 1 (117).
[319] Vaudenay S. (2006), A Classical Introduction to Cryptography, Springer Science + Business Media, Inc., 2006.
[320] Wagner N., Magyarik M. (1984), A public key cryptosystem based on the word problem, in Advances in Cryptology – CRYPTO '84 (G. R. Blakley, D. Chaum, eds.), LNCS 196 (Springer, Berlin, 1985), pp. 19–36.
[321] Wan Z. (2008), A shorter proof for an explicit formula for discrete logarithms in finite fields, Discrete Math. 308 (2008).
[322] Wang P., Zhang F. (2012), An Efficient Collision Detection Method for Computing Discrete Logarithms with Pollard's Rho, J. of Appl. Math., 2012.
[323] Wang L., Cao Z., Okamoto E., Shao J. (2010), New constructions of public key encryption schemes from conjugacy search problems, in X. Lai, M. Yung, D. Lin (eds.), Inscrypt, Vol. 6584 of LNCS, 1–17, Springer, 2010.
[324] Wells A. (1984), A polynomial form for logarithms modulo a prime, IEEE Trans. on Inf. Theory 30 (6), 1984.
[325] Wiest B. (2002), An algorithm for the word problem in braid groups, http://arXiv.org/abs/math.GT/0211169.
[326] Worthington J. (2009), A Bialgebraic Approach to Automata and Formal Language Theory, arXiv:0807.4553v4 [math.RA], 30 Oct 2009.
[327] Yao A., Zhao Y. (2011), A New Family of Practical Non-Malleable Protocols, CoRR abs/1105.1071 (2011).
[328] Yao A., Zhao Y. (2011), A New Family of Practical Non-Malleable Diffie-Hellman Protocols, arXiv:1105.1071v5 [cs.CR], 19 Dec 2011.
[329] Zumbrägel J. (2008), Classification of finite congruence-simple semirings with zero, J. of Algebra and its Applications 7 (3), 2008, pp. 363–377.
[330] Erofeev S. Yu. (2011), Diophantineness of the discrete logarithm (in Russian), Прикладная дискретная математика, 2011, No. 4 (14), 31–32.
CHAPTER THREE
THE ROLE OF IDEMPOTENT SEMIRINGS
As already mentioned, semirings as algebraic structures were introduced by Vandiver in 1934. Of course, particular semirings were known earlier, but only a few of them were really used, such as the semiring of natural numbers or the semiring of the ideals of a ring. The role of semirings in computer science was established by Schützenberger, who applied them in automata theory. Semirings turned out to be very important for different purposes; they are the basis of tropical algebra and tropical geometry.
3.1 Idempotent Algebra
Semiring theory is a natural generalization of ring theory: the additive structure is allowed to be only a commutative semigroup instead of an abelian group. Let $R$ be a semiring. A semiring $R$ is called commutative if the semigroup $(R, \cdot)$ is commutative. If the commutative semigroup $(R, +)$ is an abelian group, then the semiring is a ring; if it is not an abelian group, the semiring is called a proper semiring. An element $e$ of the semiring $R$ is called a left (right) unit if $e \cdot x = x$ ($x \cdot e = x$) for all $x \in R$. An element $0$ of the semiring $R$ is called a left (right) zero if $0 \cdot x = 0$ ($x \cdot 0 = 0$) for all $x \in R$. An element $a$ of the semiring $R$ is called additively (multiplicatively) absorbing if $a + x = a$ ($a \cdot x = x \cdot a = a$) for all $x \in R$. An element that is both additively and multiplicatively absorbing is called an infinity and is denoted by $\infty$. An element $a$ of the semiring $(R, +, \cdot)$ is called additively idempotent if $a + a = a$. If each element of the semiring is additively idempotent, then $R$ is called an additively idempotent semiring.
54
Chapter Three
An element $a$ of the semiring $(R, +, \cdot)$ is called multiplicatively idempotent if $a \cdot a = a$. If the semiring $R$ is additively idempotent, then its multiplicatively idempotent elements are called idempotent elements, or idempotents. A semiring $R = (R, +, \cdot)$ is called idempotent if it is additively idempotent. In every additively idempotent semiring, $a + b + c = a$ implies $a + b = a$. Indeed,
$a = a + b + c = a + b + b + c = (a + b + c) + b = a + b.$
Idempotent semirings are proper semirings, since they have no additive inverses except for zero: if $c + a = 0$, then $a = a + 0 = a + (c + a) = (a + a) + c = a + c = 0$. If the semiring $R$ has a zero $0$, we denote $R^{*} = R \setminus \{0\}$. If $(R^{*}, \cdot)$ is a group, the semiring $R$ is called a semifield; equivalently, a semiring $R$ with a unit is a semifield if all nonzero elements of $R$ have inverses with respect to multiplication. The case of finite semifields is not interesting because of the following theorem.
Theorem ([142]). Each finite semifield is a field or its order is less than or equal to 2.
For an idempotent semifield $R$, the zero element $0$ is absorbing with respect to multiplication, since $0 \cdot a = a \cdot 0 = 0$ for all $a \in R$. An idempotent semiring with zero and unit is called a dioid [8]. For every two elements $a$ and $b$ of a dioid $D$ and nonzero rational numbers $\alpha$ and $\beta$, the following properties are satisfied:
- $(a \oplus b)^{\alpha} = a^{\alpha} \oplus b^{\alpha}$;
- $a^{\alpha} \otimes b^{\beta} \le (a \oplus b)^{\alpha + \beta}$;
- a b ≤ a b.
Some examples of idempotent semirings. Exotic semirings are idempotent semirings whose elements are taken from various sets of numbers (possibly extended by $-\infty$ and/or $+\infty$), for which the additive operation is either the minimum or the maximum, and the multiplicative operation is the usual addition ($+$) or multiplication ($\times$). The semiring $\langle \mathbb{R} \cup \{-\infty, +\infty\}, \max, \min \rangle$ is an idempotent (max, min) semiring, which is not a semifield. In this semiring $0 = -\infty$ and $e = +\infty$.
The Role of Idempotent Semirings
55
The inverse element with respect to the operation $\min$ does not exist, and the maximal element is $+\infty$. Well studied are the following four idempotent semifields:
$\mathbb{R}_{\max,+} = \langle \mathbb{R} \cup \{-\infty\}, \max, + \rangle$,
$\mathbb{R}_{\max,\times} = \langle \mathbb{R}_{+} \cup \{0\}, \max, \times \rangle$,
$\mathbb{R}_{\min,+} = \langle \mathbb{R} \cup \{+\infty\}, \min, + \rangle$,
$\mathbb{R}_{\min,\times} = \langle \mathbb{R}_{+} \cup \{+\infty\}, \min, \times \rangle$,
where $\mathbb{R}$ is the field of real numbers and $\mathbb{R}_{+} = \{x \in \mathbb{R} \mid x > 0\}$. Some good examples of idempotent semirings can be found in [23], [92], and [126].
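As an added illustration (not code from the book) of the four semifields just listed, of the $(\max, \min)$ semiring, and of the natural ordering $a \le b \iff a \oplus b = b$ that Section 3.1.1 below attaches to every dioid, the following Python script encodes each structure by its two operations, zero and unit, and checks the semiring axioms, the semifield property and the direction of the natural ordering on a few constructed sample elements. The sample sets and the class and function names are assumptions made for this example.

```python
"""The four idempotent semifields of Section 3.1, the (max, min) semiring and
the natural ordering of a dioid (Section 3.1.1), checked on sample elements.
Added example, not the book's code; the sample element sets are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Optional, Sequence

INF = float("inf")


@dataclass(frozen=True)
class Dioid:
    """An idempotent semiring with zero and unit, given by its two operations."""
    name: str
    add: Callable[[float, float], float]   # idempotent addition  (+)
    mul: Callable[[float, float], float]   # multiplication       (x)
    zero: float                            # neutral for add, absorbing for mul
    unit: float                            # neutral for mul

    def natural_le(self, a: float, b: float) -> bool:
        """Natural ordering of a dioid: a <= b  iff  a (+) b = b."""
        return self.add(a, b) == b


# The four semifields named in the text; the zero is -inf, 0 or +inf.
R_MAX_PLUS = Dioid("R_max,+", max, lambda a, b: a + b, -INF, 0.0)
R_MAX_TIMES = Dioid("R_max,x", max, lambda a, b: a * b, 0.0, 1.0)
R_MIN_PLUS = Dioid("R_min,+", min, lambda a, b: a + b, INF, 0.0)
R_MIN_TIMES = Dioid("R_min,x", min, lambda a, b: a * b, INF, 1.0)
# <R u {-inf, +inf}, max, min>: zero = -inf, unit = +inf, not a semifield.
R_MAX_MIN = Dioid("R_max,min", max, min, -INF, INF)

# Constructed samples; the "times" semifields live on the positive reals, and
# the values are dyadic so that all products and sums are exact in floats.
SAMPLES = {
    "R_max,+": [-INF, -3.0, -1.5, 0.0, 1.5, 3.0],
    "R_max,x": [0.0, 0.25, 0.5, 1.0, 2.0, 4.0],
    "R_min,+": [INF, -3.0, -1.5, 0.0, 1.5, 3.0],
    "R_min,x": [INF, 0.25, 0.5, 1.0, 2.0, 4.0],
    "R_max,min": [-INF, -3.0, 0.0, 2.0, INF],
}


def check_axioms(d: Dioid, elems: Sequence[float]) -> dict:
    """Semiring axioms plus additive idempotency, over all sample tuples.
    Returns axiom name -> bool so a failing axiom is easy to spot."""
    add, mul, z, e = d.add, d.mul, d.zero, d.unit
    pairs = list(product(elems, repeat=2))
    triples = list(product(elems, repeat=3))
    return {
        "add_commutative": all(add(a, b) == add(b, a) for a, b in pairs),
        "add_associative": all(add(add(a, b), c) == add(a, add(b, c)) for a, b, c in triples),
        "add_idempotent": all(add(a, a) == a for a in elems),
        "zero_neutral": all(add(a, z) == a for a in elems),
        "zero_absorbing": all(mul(a, z) == z and mul(z, a) == z for a in elems),
        "mul_associative": all(mul(mul(a, b), c) == mul(a, mul(b, c)) for a, b, c in triples),
        "unit_neutral": all(mul(a, e) == a and mul(e, a) == a for a in elems),
        "distributive": all(mul(a, add(b, c)) == add(mul(a, b), mul(a, c))
                            and mul(add(b, c), a) == add(mul(b, a), mul(c, a))
                            for a, b, c in triples),
    }


def is_semifield(d: Dioid, elems: Sequence[float]) -> bool:
    """Every nonzero element needs a multiplicative inverse; we look for it
    among the samples (they are closed under a -> -a resp. a -> 1/a)."""
    return all(any(d.mul(a, b) == d.unit for b in elems)
               for a in elems if a != d.zero)


def order_direction(d: Dioid, elems: Sequence[float]) -> Optional[str]:
    """Compare the natural ordering with the usual ordering of the reals:
    'same' for the max dioids, 'opposite' for the min dioids, else None."""
    pairs = list(product(elems, repeat=2))
    if all(d.natural_le(a, b) == (a <= b) for a, b in pairs):
        return "same"
    if all(d.natural_le(a, b) == (a >= b) for a, b in pairs):
        return "opposite"
    return None


def is_sup_semilattice(d: Dioid, elems: Sequence[float]) -> bool:
    """a (+) b is the least upper bound of {a, b} for the natural ordering."""
    for a, b in product(elems, repeat=2):
        s = d.add(a, b)
        if not (d.natural_le(a, s) and d.natural_le(b, s)):
            return False
        if any(u != s and d.natural_le(a, u) and d.natural_le(b, u)
               and d.natural_le(u, s) for u in elems):
            return False                  # a strictly smaller common upper bound
    return True


if __name__ == "__main__":
    for d in (R_MAX_PLUS, R_MAX_TIMES, R_MIN_PLUS, R_MIN_TIMES, R_MAX_MIN):
        elems = SAMPLES[d.name]
        print(f"{d.name:10} axioms: {all(check_axioms(d, elems).values())}  "
              f"semifield: {is_semifield(d, elems)}  "
              f"natural vs usual order: {order_direction(d, elems)}")
```

Running the script shows all five structures passing the axioms, the four named ones being semifields while $\langle \mathbb{R} \cup \{\pm\infty\}, \max, \min \rangle$ is not (no element other than $+\infty$ has an inverse under $\min$), and the natural ordering agreeing with the usual order for the two $\max$ dioids and reversing it for the two $\min$ dioids.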
Applications of idempotent semirings. MV-algebras (introduced as the algebraic counterpart of the infinitely-valued logic of Łukasiewicz) are related to idempotent semirings (see [13] and [32]–[33]). The connection between tropical linear algebra and the Łukasiewicz max-semiring is shown in [49]. Max-algebra, which deals with idempotent semirings, has a close connection with automata theory and discrete event systems. The basic ideas in this regard were suggested by Stephen Kleene in his paper [71] and later by Samuel Eilenberg in his famous book Automata, Languages, and Machines [40]. Max-algebra has important practical applications in problems such as nonlinear partial differential equations and various optimization theories ([8], [23], [46]), as well as in modelling synchronization processes in multiprocessor interactive systems [16]. Min-algebra, which is isomorphic to max-algebra, is used in statistics and computational biology (see [99]–[100]), as well as in network calculus, in so-called fading channels (see, for example, [1]). A new type of supermartingale decomposition using max-plus martingales and its applications to insurance portfolios are considered in [67]. The max-analogue of the law of large numbers (LLN) is shown in [93]. Many other applications of max-semirings can be found in [29], [55], [74], [83], and [87]. The term idempotent analysis (idempotent calculus) was coined by Victor Maslov and his collaborators in 1985 to name their new theory, see [89]–[91]. The main idea of idempotent analysis is to replace the field of real numbers with the semifield $\mathbb{R}_{\max}$. The most important advantage is that many problems which are nonlinear over the field of real numbers become linear under this new arithmetic, i.e. they are linear over an appropriately chosen semiring. Idempotent analysis is a powerful tool for constructing new algorithms, analogies and ideas. These ideas are applied in various fields, such as a new integral theory, a new linear algebra, a new spectral theory, an idempotent functional analysis, an idempotent Fourier transform, etc. In addition, this theory has applications in a number of optimization problems, such as multicriteria decision making, optimization on graphs, discrete optimization with large parameters, optimal design of computer systems and computer media, optimal organization of parallel data processing, as well as in solving some specific problems of dynamic programming, differential equations and numerical methods (see [8]–[12], [27]–[28], [42], [69], [72], [76]–[85]). Tropical geometry can be considered as a kind of algebraic geometry over the semifield $\mathbb{R}_{\max}$ ($\mathbb{R}_{\min}$). Tropical geometry deals with geometric objects such as tropical varieties. Scientists such as A. Barvinok ([10]–[12]), Zur Izhakian ([59]–[64]), G. Mikhalkin ([58], [94]–[97]), E. Shustin ([88], [111]–[112]), and B. Sturmfels ([30]–[31], [96], [252], [298]–[299]) are actively involved in this field. Tropicalisation is an operation which transforms complex projective varieties into polyhedral fans: see [31] and [102]. Some papers which discuss tropical curves (elliptic and hyperelliptic) are [9], [43]–[45], [56], and [97]–[98].
3.1.1 Dioids as lattices
Ordered sets. A structure $\langle L, \le \rangle$ is called a partially ordered set if $L$ is a set and the relation $\le$ is reflexive, transitive, and antisymmetric on $L$. The order relation $\le$ on $L$ induces the strict order relation $<$ as follows: $x < y$ if and only if $x \le y$ and $x \neq y$. A partially ordered set $\langle L, \le \rangle$ is called a chain if for each pair $x, y \in L$ either $x \le y$ or $y \le x$ holds, i.e. every two elements of $L$ are comparable. A partially ordered set $\langle L, \le \rangle$ is called an antichain if $x \le y$ in $L$ only when $x = y$, i.e. every two distinct elements of $L$ are incomparable. Let $H \subseteq L$ and $a \in L$. The element $a$ is an upper bound of the set $H$ if it majorizes all elements $h \in H$. An upper bound $a$ of $H$ is called the supremum of $H$ if it is majorized by all upper bounds of $H$, i.e. it is the least upper bound; we denote it by $a = \sup H$ or $a = \bigvee H$. Similarly, the greatest lower bound of $H$ is called the infimum of $H$ and is denoted by $\inf H$ or $\bigwedge H$. Let $\emptyset$ be the empty set and suppose that its supremum $a = \sup \emptyset$ exists. All elements $b \in L$ are upper bounds of $\emptyset$, since $b$ majorizes every $h \in \emptyset$ (there is no such $h$). Thus $a$ is majorized by all $b \in L$. Hence $\sup \emptyset$ exists if and only if $L$ has a smallest element. We call $\sup \emptyset$ the zero of $L$ and denote it by $0_L$. Similarly, we conclude that $\inf \emptyset$ exists if and only if $L$ has a largest element. We call $\inf \emptyset$ the unit of $L$ and denote it by $1_L$.
Lattices and dioids. First we need some definitions.
Definition. A partially ordered set in which every pair of elements has a supremum is called an upper semilattice.
Definition. A partially ordered set in which every pair of elements has an infimum is called a lower semilattice.
Definition. A partially ordered set which is both an upper and a lower semilattice is called a lattice.
Definition. A lattice $L$ is called complete if every nonempty subset of $L$ has both a supremum and an infimum in $L$.
In the lattice $L$, the supremum of two elements $a$ and $b$ is denoted by $a \vee b$, and the infimum by $a \wedge b$.
Definition. A lattice $L$ is called distributive if for all $a, b, c \in L$ the following laws hold:
- $a \wedge (b \vee c) = (a \wedge b) \vee (a \wedge c)$;
- $a \vee (b \wedge c) = (a \vee b) \wedge (a \vee c)$.
We note that every totally ordered set is a lattice, but not every partially ordered set is a lattice. A set with a total order is a chain, and each chain is a distributive lattice. In a dioid $D$, the natural ordering is introduced in the following way:
$a \le b \iff a \oplus b = b$, for $a, b \in D$.
This natural ordering allows us to consider the dioid as a semilattice in which
$a \vee b = a \oplus b = \sup\{a, b\}$.
The properties that the dioid has as a semiring make this ordering compatible with the operations, since for all $a, b, c \in D$:
$a \le b \implies a \oplus c \le b \oplus c, \quad a \otimes c \le b \otimes c$.
For the dioids $\mathbb{R}_{\max,+}$ and $\mathbb{R}_{\max,\times}$ the natural ordering $\le$ coincides with the usual ordering. For the dioids $\mathbb{R}_{\min,+}$ and $\mathbb{R}_{\min,\times}$ it is the opposite of the usual ordering, which means that
$a \le b \iff a \oplus b = a$
for every two elements $a, b$ of these dioids, where $\le$ is the usual ordering of the reals. A dioid is said to be complete if each of its subsets has a supremum and the multiplication distributes over suprema. It is easy to establish the following
Theorem. Let $(D, \oplus, \otimes)$ be a dioid in which the natural ordering is defined by
$a \le b \iff a \oplus b = b$ for all $a, b \in D$. Hence, if $D$ is a semifield, then $(D, \le)$ is a lattice.
3.1.2 Residuated maps
Let $(S, \le)$ and $(T, \le)$ be two ordered sets. A map $f : S \to T$ is called residuated if there exists a map $f^{\sharp} : T \to S$ such that
$f(s) \le t \iff s \le f^{\sharp}(t)$,
i.e. for all $t \in T$ the set $\{s \in S \mid f(s) \le t\}$ has a greatest element $f^{\sharp}(t)$. The map $f^{\sharp}$ is called the residual of $f$. The map $f$ is residuated if and only if it is monotone, i.e. $s \le s'$ implies $f(s) \le f(s')$, and
$f \circ f^{\sharp} \le \mathrm{id}_T, \quad f^{\sharp} \circ f \ge \mathrm{id}_S$,
where $\mathrm{id}_T$ and $\mathrm{id}_S$ are the identity maps of the corresponding sets. If $S$ and $T$ are complete ordered sets, then a monotone map $f : S \to T$ is called continuous if for all $U \subseteq S$
$f\left(\bigvee U\right) = \bigvee f(U)$, where $f(U) = \{f(x) \mid x \in U\}$.
In this way we arrive at the following
Lemma ([22], [65]). Let $(S, \le)$ and $(T, \le)$ be two ordered sets. The map $f : S \to T$ is residuated if and only if it is continuous.
Using monotonicity, the following propositions can be proven:
- $f \circ f^{\sharp} \circ f = f$;
- $f^{\sharp} \circ f \circ f^{\sharp} = f^{\sharp}$;
- $(g \circ f)^{\sharp} = f^{\sharp} \circ g^{\sharp}$, where $g : T \to W$ is another residuated map;
- $f$ is injective $\iff f^{\sharp} \circ f = \mathrm{id}_S \iff f^{\sharp}$ is surjective;
- $f$ is surjective $\iff f \circ f^{\sharp} = \mathrm{id}_T \iff f^{\sharp}$ is injective;
- $\left(\bigvee_{i \in I} f_i\right)^{\sharp} = \bigwedge_{i \in I} f_i^{\sharp}$, where $\{f_i\}_{i \in I}$ is a family of residuated maps of the type $S \to T$.
3.1.3 Semimodules over idempotent semirings
Let $(K, \oplus, \otimes, \varepsilon, e)$ be an idempotent semifield, where $\varepsilon$ and $e$ are the neutral elements for the additive operation $\oplus$ and the multiplicative operation $\otimes$, respectively.
Idempotent vector semimodules. For the semiring $K$ we consider the Cartesian product $K^m$. For all vectors $a, b \in K^m$,
$a = (a_1, \ldots, a_m)^T, \quad b = (b_1, \ldots, b_m)^T$,
and a scalar $x \in K$, the following operations are defined:
$a \oplus b = (a_1 \oplus b_1, \ldots, a_m \oplus b_m)^T, \quad x \otimes a = (x \otimes a_1, \ldots, x \otimes a_m)^T$.
The vector $\mathbf{0} = (\varepsilon, \ldots, \varepsilon)^T \in K^m$ is called the zero vector. The operations thus defined have the following properties [73] (as usual, the product sign $\otimes$ is omitted):
1. $a \oplus (b \oplus c) = (a \oplus b) \oplus c$ (associativity of $\oplus$);
2. $a \oplus b = b \oplus a$ (commutativity of $\oplus$);
3. $a \oplus \mathbf{0} = a$ (existence of a zero vector);
4. $a \oplus a = a$ (idempotency of $\oplus$);
5. $x(ya) = (xy)a$ (associativity of $\otimes$);
6. $ea = a$ (existence of a unit);
7. $x(a \oplus b) = xa \oplus xb$ (distributivity);
8. $(x \oplus y)a = xa \oplus ya$ (distributivity),
for all $a, b, c \in K^m$ and $x, y \in K$. The set $K^m$, together with the operations $\oplus$ and $\otimes$, forms a vector semimodule over the idempotent semifield $K$. Vector addition and multiplication of a vector by a scalar are monotone, i.e. for arbitrary $a, b, c \in K^m$ and $x \in K$, the inequality $a \le b$ implies the inequalities $a \oplus c \le b \oplus c$ and $xa \le xb$.
Complete semimodules. Let $(M, \oplus, \varepsilon)$ be an idempotent monoid. This monoid can be completed with a natural ordering according to the following rule:
$a \le b \iff a \oplus b = b$,
where $a \oplus b = \sup\{a, b\}$. A semiring $K$ is said to be complete if it is complete as a naturally ordered set and if the left and right products are continuous. Let $L_a, R_a : K \to K$; then $L_a(x) = a \otimes x$ is a left product, and $R_a(x) = x \otimes a$ is a right product. The monoid $(M, \oplus, \varepsilon)$ is called a right $K$-semimodule if it is a commutative monoid endowed with a map (right action)
$M \times K \to M, \quad (x, \lambda) \mapsto x\lambda$
that satisfies the following conditions (see [22]):
• $x(\lambda\mu) = (x\lambda)\mu$;
• $(x \oplus y)\lambda = x\lambda \oplus y\lambda$, $x(\lambda \oplus \mu) = x\lambda \oplus x\mu$;
• $x\varepsilon = \varepsilon$, $\varepsilon\lambda = \varepsilon$, $x1 = x$,
for all $x, y \in M$ and $\lambda, \mu \in K$. Since $(K, \oplus)$ is idempotent, $(M, \oplus)$ is idempotent too, due to the fact that $x \oplus x = x(1 \oplus 1) = x1 = x$.
The $K$-semimodule is called a $K$-bisemimodule if it is a semimodule for which the left and the right actions commute. An idempotent semifield $K$ is itself a $K$-semimodule if the left and the right actions are the multiplication in the semiring, i.e. $(x, y) \mapsto x \otimes y$. A right $K$-semimodule $M$ is called complete if it is complete as a naturally ordered set and, for all $x \in M$ and $\lambda \in K$, the left product $R_\lambda : M \to M$, $x \mapsto x\lambda$, and the right product $L_x : K \to M$, $\lambda \mapsto x\lambda$, are both continuous. A complete left $K$-semimodule and a complete $K$-bisemimodule are defined similarly. Given a complete right semimodule $M$ over a complete semiring $K$, the left and right residuals are defined in the following way:
$x \backslash y := (L_x)^\sharp(y) = \sup\{\lambda \in K \mid x\lambda \le y\}$;
$x / \lambda := (R_\lambda)^\sharp(x) = \sup\{y \in M \mid y\lambda \le x\}$,
The Role of Idempotent Semirings
61
for $x, y \in M$ and $\lambda \in K$. From the definition of a residuated map, it follows that
$x\lambda \le y \iff \lambda \le x \backslash y \iff x \le y / \lambda$.
This means that the formulas for the residuated maps can be rewritten in the following way [22]:
• $x(x \backslash y) \le y$, $(x / \lambda)\lambda \le x$;
• $(x \backslash y)\lambda \le x \backslash (y\lambda)$, $x(\lambda / \mu) \le (x\lambda) / \mu$;
• $x \backslash (x\lambda) \ge \lambda$, $(x\lambda) / \lambda \ge x$;
• $x \backslash (\bigwedge S) = \bigwedge (x \backslash S)$, $(\bigwedge U) / \lambda = \bigwedge (U / \lambda)$;
• $x(x \backslash (x\lambda)) = x\lambda$, $((x\lambda) / \lambda)\lambda = x\lambda$;
• $x \backslash (x(x \backslash y)) = x \backslash y$, $((x / \lambda)\lambda) / \lambda = x / \lambda$;
• $\lambda \backslash (x \backslash z) = (x\lambda) \backslash z$, $(x / \mu) / \lambda = x / (\lambda\mu)$;
• $(\bigoplus U) \backslash y = \bigwedge (U \backslash y)$, $x / (\bigoplus S) = \bigwedge (x / S)$,
for all $x, y, z \in M$; $\lambda, \mu \in K$; $U \subseteq M$, $S \subseteq K$; here $U \backslash y = \{u \backslash y \mid u \in U\}$ and $x / S = \{x / s \mid s \in S\}$. In the case when $M$ is a bisemimodule, for elements $\mu, \nu \in K$ the maps $x \mapsto x\mu$ and $x \mapsto \nu x$ commute, which means that their residual transformations also commute, i.e.
$(\nu \backslash x) / \mu = \nu \backslash (x / \mu)$.
Opposite semimodules. If $M$ is a complete right $K$-semimodule, then the opposite semimodule of $M$ is a left $K^{op}$-semimodule $M^{op}$ over the set $M$, for which the additive operation has the form $x \oplus^{op} y = \inf\{x, y\}$ (the infimum being taken with respect to the natural ordering in $M$) and the action
$K \times M \to M, \quad (\lambda, x) \mapsto x / \lambda$
is defined. It follows that $M^{op}$ is a semimodule for which the following properties are satisfied (see [22]):
$(\lambda\mu)^{op}.x = x / (\lambda\mu) = (x / \mu) / \lambda = \lambda^{op}.(\mu^{op}.x)$
for all $\lambda, \mu \in K$ and $x \in M$. We denote by $\backslash^{op}$ and $/^{op}$ the two residual operations constructed over $M^{op}$, and obtain
$\lambda \backslash^{op} x = (L^{op}_\lambda)^\sharp(x) = \bigwedge\{y \in M \mid y / \lambda \ge x\} = x\lambda$;
$x /^{op} y = (R^{op}_y)^\sharp(x) = \bigwedge\{\lambda \in K \mid y / \lambda \ge x\} = x \backslash y$.
Hence, if $M$ is a complete $K$-semimodule, then the equality $(M^{op})^{op} = M$ holds.
3.1.4 Residuated lattices
Residuated lattices were introduced in 1939 by Ward and Dilworth in [125] as a generalization of the lattices of ideals of a ring. A residuated lattice is an algebra of the type $L = \langle L, \wedge, \vee, \cdot, \backslash, /, 0, 1 \rangle$ with an ordering $\le$ such that:
• $\langle L, \wedge, \vee, 0, 1 \rangle$ is a bounded lattice with smallest element $0$ and largest element $1$;
• $\langle L, \cdot, 1 \rangle$ is an ordered monoid, which means that the operation $\cdot$ is associative and the equality $x \cdot 1 = x$ holds;
• $\backslash$ and $/$ are binary operations with the property $a \cdot b \le c \iff a \le c / b \iff b \le a \backslash c$ for all $a, b, c \in L$.
For each residuated lattice $L$ and for $a, b, c \in L$, the following properties are satisfied (see [65]):
• $(a \backslash b) \cdot c \le a \backslash (b \cdot c)$;
• $a \backslash b \le (c \cdot a) \backslash (c \cdot b)$;
• $(a \backslash b)(b \backslash c) \le a \backslash c$;
• $(a \cdot b) \backslash c = b \backslash (a \backslash c)$;
• $a \backslash (b / c) = (a \backslash b) / c$;
• $(a \backslash 1) \cdot b \le a \backslash b$;
• $a \cdot (a \backslash a) = a$;
• $(a \backslash a) \cdot (a \backslash a) = a \backslash a$.
For the smallest element $0$ and the largest element $1$ of the lattice $L$, and for all $a \in L$, we have:
$a \cdot 0 = 0 \cdot a = 0$, $a / 0 = 0 \backslash a = 1$, $1 / a = a \backslash 1 = 1$.
For the residuated lattice $L = \langle L, \wedge, \vee, \cdot, \backslash, /, 0, 1 \rangle$, the operation negation $\neg : L \to L$ is defined in the following way: $\neg x = x \backslash 0$ (for all $x \in L$). Many lattices and algebras are in fact residuated lattices. Some examples of residuated lattices are:
• a Girard integral commutative monoid [57] is a residuated lattice which satisfies the double negation law $\neg\neg x = x$;
• a Heyting algebra [66] is a residuated lattice in which the monoid operation coincides with the meet, $x \cdot y = x \wedge y$;
• an MV-algebra [21] is a residuated lattice for which $x \vee y = (x \backslash y) \backslash y$;
• an MTL-algebra [41] is a residuated lattice for which $(x \backslash y) \vee (y \backslash x) = 1$;
• a BL-algebra [53] is an MTL-algebra satisfying $x \wedge y = x \cdot (x \backslash y)$;
• a $\Pi$-algebra [53] is a BL-algebra satisfying $\neg\neg z \le ((x \cdot z) \backslash (y \cdot z)) \backslash (x \backslash y)$ and $x \wedge \neg x = 0$;
• a Gödel algebra [57] is both a Heyting algebra and an MTL-algebra;
• an $R_0$-algebra [124] is a residuated lattice for which $x \vee y = \ldots (x \backslash y)$.
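As an added illustration (this is not code from the book), the following Python block builds two of the residuated lattices named above on the unit interval, the Gödel algebra and the Łukasiewicz MV-algebra, and checks the defining adjunction $a \cdot b \le c \iff b \le a \backslash c$ together with the Heyting, MV, MTL and double-negation properties on a finite grid of rationals. The t-norms and their residua are the standard ones; the function names and the grid are my own choices.

```python
"""Two residuated lattices on [0,1], checked against the definitions above.

Added example, not the book's code.  For a t-norm * on [0,1] the residuum
x \\ y = max{z : x * z <= y} makes <[0,1], min, max, *, \\, /, 0, 1> a commutative
residuated lattice (so / coincides with \\).  Goedel: x * y = min(x, y);
Lukasiewicz: x * y = max(0, x + y - 1).  The checks below evaluate the
adjunction a * b <= c <=> b <= a \\ c, the MV identity x v y = (x \\ y) \\ y,
MTL prelinearity and the Heyting property x * y = x ^ y on a finite grid.
"""
from fractions import Fraction as F
from itertools import product

GRID = [F(k, 4) for k in range(5)]          # constructed grid: 0, 1/4, 1/2, 3/4, 1


def goedel_mul(x, y):
    """Goedel t-norm: the monoid operation is the meet."""
    return min(x, y)


def goedel_res(x, y):
    """x \\ y = 1 if x <= y, else y (the Goedel implication)."""
    return F(1) if x <= y else y


def luk_mul(x, y):
    """Lukasiewicz t-norm."""
    return max(F(0), x + y - 1)


def luk_res(x, y):
    """x \\ y = min(1, 1 - x + y) (the Lukasiewicz implication)."""
    return min(F(1), 1 - x + y)


def adjunction_holds(mul, res):
    """a * b <= c  <=>  b <= a \\ c for every grid triple."""
    return all((mul(a, b) <= c) == (b <= res(a, c))
               for a, b, c in product(GRID, repeat=3))


def negation(res, x):
    """neg x = x \\ 0."""
    return res(x, F(0))


def is_heyting(mul):
    """Heyting algebra: the monoid operation is the meet."""
    return all(mul(x, y) == min(x, y) for x, y in product(GRID, repeat=2))


def is_mv(res):
    """MV-algebra identity x v y = (x \\ y) \\ y."""
    return all(max(x, y) == res(res(x, y), y) for x, y in product(GRID, repeat=2))


def is_mtl(res):
    """MTL prelinearity (x \\ y) v (y \\ x) = 1."""
    return all(max(res(x, y), res(y, x)) == 1 for x, y in product(GRID, repeat=2))


def double_negation(res):
    """Girard double negation law neg neg x = x."""
    return all(negation(res, negation(res, x)) == x for x in GRID)


if __name__ == "__main__":
    for name, mul, res in (("Goedel", goedel_mul, goedel_res), ("Lukasiewicz", luk_mul, luk_res)):
        print(name, "adjunction:", adjunction_holds(mul, res), "Heyting:", is_heyting(mul),
              "MV:", is_mv(res), "MTL:", is_mtl(res), "double neg:", double_negation(res))
```

On the grid the Gödel algebra passes the Heyting and MTL tests but not the MV or double-negation ones, while the Łukasiewicz algebra passes MV, MTL and double negation but not the Heyting test, which is exactly the separation between the classes listed above.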
3.1.5 Construction of complete dioid
Let us start with the group $G = \langle G, \le, \cdot \rangle$ which has a lattice ordering (see [116]). To the elements of the group we adjoin two new elements $\bot$ and $\top$ and thus obtain $\bar{G} = G \cup \{\bot, \top\}$. The ordering of the group $G$ is extended in the following way:
$\bot \le a \le \top$ for all $a \in G$.
The operation of the group can also be extended, in two ways:
$a \otimes_\bot b = \begin{cases} \bot & \text{if } a, b \in G \cup \{\bot, \top\} \text{ and } a = \bot \text{ or } b = \bot, \\ \top & \text{if } a, b \in G \cup \{\top\} \text{ and } a = \top \text{ or } b = \top, \\ a \cdot b & \text{if } a, b \in G; \end{cases}$
$a \otimes_\top b = \begin{cases} \top & \text{if } a, b \in G \cup \{\bot, \top\} \text{ and } a = \top \text{ or } b = \top, \\ \bot & \text{if } a, b \in G \cup \{\bot\} \text{ and } a = \bot \text{ or } b = \bot, \\ a \cdot b & \text{if } a, b \in G, \end{cases}$
where in $\otimes_\bot$ the element $\bot$ absorbs $\top$, and in $\otimes_\top$ the element $\top$ absorbs $\bot$. The structure $\bar{G} = \langle \bar{G}, \le, \otimes_\bot, \otimes_\top \rangle$ obtained in this way is a canonical extension of the group $G = \langle G, \le, \cdot \rangle$. In this structure, the operations $\otimes_\bot$ and $\otimes_\top$ are associative and commutative over $\bar{G}$. Applying this approach to the dioid $D = \langle D, \oplus, \otimes, \varepsilon, e \rangle$, we first complete it on the top. Thus another dioid $\bar{D} = \langle \bar{D}, \oplus, \otimes_\bot, \varepsilon, e \rangle$ is determined, for which $\bar{D} = D \cup \{\top\}$. The operation $\otimes_\bot$ coincides with the operation defined above. In this case, $\bar{D}$ has a lattice structure and is a multiplicative (semi-)group; furthermore, the operation $a \oplus b$ is extended by adding the new (top) element:
$a \oplus b = \begin{cases} \top & \text{if } a = \top \text{ or } b = \top, \\ a \oplus b & \text{if } a, b \in D. \end{cases}$
A similar approach can be applied for completing an idempotent semifield from the top. Let $D$ be an idempotent semifield for which the described construction is applicable and the top element is added. In order to determine the inverse element of this top element, it is necessary to define $\top^{-1} = \varepsilon$ and $\varepsilon^{-1} = \top$. Thus we have constructed two complete idempotent semifields, namely:
• a complete semilattice with respect to the natural ordering $\langle \bar{D}, \le \rangle$, i.e. the structure $\bar{D} = \langle \bar{D}, \oplus, \otimes_\bot, \bot, \top \rangle$;
• a complete semilattice with respect to the dual of the natural ordering $\langle \bar{D}, \le^d \rangle = \langle \bar{D}, \ge \rangle$, i.e. the structure $\bar{D}^d = \langle \bar{D}, \wedge, \otimes_\top, \top, \bot \rangle$.
In these complete algebraic structures, laws similar to De Morgan's laws are valid:
Proposition. ([113]) In the complete semifield $\bar{D}$ obtained from the commutative semifield $D$, the following rules apply:
$(a \oplus b)^{-1} = a^{-1} \wedge b^{-1}$, $(a \wedge b)^{-1} = a^{-1} \oplus b^{-1}$,
$(a \otimes_\bot b)^{-1} = a^{-1} \otimes_\top b^{-1}$, $(a \otimes_\top b)^{-1} = a^{-1} \otimes_\bot b^{-1}$.
If the complete semifield $\bar{D}$ is idempotent, then the residuated operations
$a \otimes_\bot b \le c \iff b \le a \backslash_\bot c \iff a \le c /_\bot b$,
$a \otimes_\top b \le^d c \iff b \le^d a \backslash_\top c \iff a \le^d c /_\top b$
can be expressed by multiplicative operations in the following way:
$a \backslash_\bot c = a^{-1} \otimes_\top c = (a \otimes_\bot c^{-1})^{-1}$, $c /_\bot a = c \otimes_\top a^{-1} = (c^{-1} \otimes_\bot a)^{-1}$,
$a \backslash_\top c = a^{-1} \otimes_\bot c = (a \otimes_\top c^{-1})^{-1}$, $c /_\top a = c \otimes_\bot a^{-1} = (c^{-1} \otimes_\top a)^{-1}$.
3.1.6 Matrices defined over idempotent semifields
Let $(K, \oplus, \otimes, \varepsilon, 1)$ be an idempotent semifield and let us consider matrices with entries from $K$. If all entries of a matrix are $\varepsilon$, this is the null matrix, denoted by $O$. If in each row of the matrix $A$ there is at least one nonzero element, the matrix is called regular. It is clear that a regular matrix has no null row. If for a regular matrix $A$ the matrix $A^T$ is also regular, then $A$ is said to be proper. A proper matrix has neither null rows nor null columns. For arbitrary matrices $A = (a_{ij}) \in K^{m \times n}$, $B = (b_{ij}) \in K^{m \times n}$, $C = (c_{ij}) \in K^{n \times l}$, the operations of addition and multiplication of matrices, as well as multiplication of a matrix by a scalar $x \in K$, are determined in the usual way by the formulas:
$(A \oplus B)_{ij} = a_{ij} \oplus b_{ij}$, $(B \otimes C)_{ij} = \bigoplus_{k=1}^{n} b_{ik} \otimes c_{kj}$, $(x \otimes A)_{ij} = x \otimes a_{ij}$.
It follows from the properties of the operations in the semifield $K$ that the operations thus defined have the following properties (as usual, we omit the sign $\otimes$ for multiplication):
1. $A \oplus (B \oplus C) = (A \oplus B) \oplus C$ (associativity); 2. $A \oplus B = B \oplus A$ (commutativity); 3. $A \oplus O = A$ (existence of zero matrix); 4. $A \oplus A = A$ (idempotency); 5. $x(yA) = (xy)A$ (associativity); 6. $1A = A$ (existence of unit); 7. $x(A \oplus B) = xA \oplus xB$ (distributivity); 8. $(x \oplus y)A = xA \oplus yA$ (distributivity),
for all matrices $A, B, C \in K^{m \times n}$ and all scalars $x, y \in K$. From the properties determined in this way, it follows that the set $K^{m \times n}$, together with the operations of matrix addition and multiplication of a matrix by a scalar, is a semimodule over the idempotent semiring $K$. Finally, for arbitrary matrices $A, B, C, D$ (of appropriate sizes, so that the corresponding matrix products exist), we have the following properties:
9. $A(BC) = (AB)C$ (associativity); 10. $B(C \oplus D) = BC \oplus BD$ (distributivity).
The enumerated matrices have the property of monotonicity, according to which for arbitrary matrices $A, B, C, D$ and a scalar $x$, from the inequality $A \le B$ follow the inequalities
$A \oplus C \le B \oplus C$, $AD \le BD$, $xA \le xB$.
Let us note that from the properties of distributivity and idempotency one obtains the following useful inequality:
$(A \oplus B)(C \oplus D) \ge AC \oplus BD$.
Square matrices over idempotent semifields. Consider a square matrix $A \in K^{n \times n}$. As in the usual definition, a matrix $A$ is called diagonal if all its nondiagonal entries are zeros. The diagonal matrix $A$ with diagonal entries $a_{11}, \ldots, a_{nn}$ is denoted by $A = \mathrm{diag}(a_{11}, \ldots, a_{nn})$. If $a_{ii} \ne \varepsilon$ for all $i = 1, \ldots, n$, then the matrix is said to be strongly diagonal. The strongly diagonal matrix $I = \mathrm{diag}(1, \ldots, 1)$ is called the unit matrix. The set $K^{n \times n}$ is closed with respect to matrix multiplication, and for arbitrary matrices $A, B, C \in K^{n \times n}$ the following conditions are satisfied:
1. $A(BC) = (AB)C$ (associativity); 2. $AI = IA = A$ (existence of unit matrix); 3. $A(B \oplus C) = AB \oplus AC$ (distributivity).
The set $K^{n \times n}$ is a commutative idempotent semiring having a unit element with respect to matrix multiplication. Matrix exponentiation is introduced in the standard way: for a matrix $A \ne O$ and an integer $p > 0$, we have
$A^0 = I$, $A^p = A^{p-1}A = AA^{p-1}$, $O^p = O$.
The matrix $A$ is called nilpotent of the $r$-th degree if there is an integer $r > 0$ such that $A^r = O$, and $r$ is required to be the least integer with this property. A matrix is called decomposable if it can be reduced to block-triangular (normal) form by transposition. A decomposable matrix $A \in K^{n \times n}$ is said to be in normal form if it can be represented as
$A = \begin{pmatrix} A_{11} & \varepsilon & \cdots & \varepsilon \\ A_{21} & A_{22} & \cdots & \varepsilon \\ \vdots & \vdots & \ddots & \vdots \\ A_{s1} & A_{s2} & \cdots & A_{ss} \end{pmatrix}$,
where $A_{ii}$ is a nondecomposable or null matrix of order $n_i$, $A_{ij}$ is an appropriate matrix of order $n_i \times n_j$ for all $j < i$, $i = 1, \ldots, s$, and $n_1 + \cdots + n_s = n$.
Inverse and pseudoinverse matrices. Let $A$ be a square matrix. It is well known that the matrix $A^{-1}$ is the inverse of $A$ if $A^{-1}A = AA^{-1} = I$. We will show that the matrix $A$ has an inverse matrix if and only if each column and each row of the matrix has exactly one nonzero element. Indeed, the sufficiency can be proven by immediate checking. We now prove the necessity. Suppose that for the matrix $A = (a_{ij})$ there exists a matrix $B = (b_{ij})$ such that $AB = BA = I$. Then for each $i = 1, \ldots, n$ the following equality holds:
$a_{i1}b_{1i} \oplus \cdots \oplus a_{in}b_{ni} = 1$,
from which it follows that there exists an index $j$ for which $a_{ij} > \varepsilon$ and $b_{ji} > \varepsilon$. Suppose that in the $j$-th column of the matrix $A$ there is another nonzero element, say $a_{mj} \ne \varepsilon$ for $m \ne i$. In this case we have
$a_{m1}b_{1i} \oplus \cdots \oplus a_{mn}b_{ni} \ge a_{mj}b_{ji} > \varepsilon$,
which contradicts the condition $AB = I$. Therefore, the matrix $A$ cannot have two nonzero elements in a single column. Similarly, from the equality $BA = I$ it can be shown that $A$ cannot have two nonzero elements in a single row. It is clear that in the semiring $K^{n \times n}$ only the strongly diagonal matrices and the matrices obtained from them by exchanging rows or columns are invertible. For a given matrix $D = \mathrm{diag}(d_1, \ldots, d_n)$, where $d_1, \ldots, d_n \ne \varepsilon$, the inverse matrix is
$D^{-1} = \mathrm{diag}(d_1^{-1}, \ldots, d_n^{-1})$.
For a matrix $A = (a_{ij}) \in K^{m \times n}$, we can define a pseudoinverse matrix $A^- = (a^-_{ij}) \in K^{n \times m}$ with entries
$a^-_{ij} = \begin{cases} a_{ji}^{-1} & \text{if } a_{ji} \ne \varepsilon, \\ \varepsilon & \text{if } a_{ji} = \varepsilon. \end{cases}$
It is easy to see that for a regular matrix $A$ the inequalities $AA^- \ge I$ and $A^-A \ge I$ hold. Besides, if the matrix $A$ has an inverse, it is clear that $A^- = A^{-1}$. For each matrix $A \in K^{m \times n}$, the support of the matrix consists of the ordered pairs of indices of its nonzero elements, i.e.
$\mathrm{supp}(A) = \{(i, j) \mid a_{ij} \ne \varepsilon,\ 1 \le i \le m,\ 1 \le j \le n\}$.
For matrices $A$ and $B$ which are of the same order and have a common support, from the inequality $A \le B$ it follows that $A^- \ge B^-$. For an arbitrary vector $x = (x_1, \ldots, x_n)^T \in K^n$, we define the vector $x^- = (x_1^-, \ldots, x_n^-)$, where $x_i^- = x_i^{-1}$ if $x_i \ne \varepsilon$, and $x_i^- = \varepsilon$ otherwise. From the inequality $x \le y$ for vectors $x$ and $y$ having a common support, it can be concluded that $x^- \ge y^-$. We will show that for arbitrary vectors $x, y \in K^n$ it follows that $xy^- \ge (x^-y)^{-1} I$. We note that the inequality
$x^-y = x_1^{-1}y_1 \oplus \cdots \oplus x_n^{-1}y_n \ge x_i^{-1}y_i$
holds for all $i = 1, \ldots, n$; then we obtain
$xy^- \ge \mathrm{diag}(x_1y_1^{-1}, \ldots, x_ny_n^{-1}) \ge (x^-y)^{-1} I$.
For $y = x$, the last inequality has the form $xx^- \ge I$. Finally, it is easy to verify that for each matrix $A \in K^{m \times n} \setminus \{O\}$ and any vector $x \in K^n$ the following inequality is satisfied:
$(Ax)^-A \le x^-$. Indeed, if $x \in K^n$, then
$(Ax)^-A \le (Ax)^-Axx^- = x^-$.
3.1.7 Residuated operations over matrix semimodules
For natural numbers $g$ and $m$, the semimodule of finite matrices $\langle D^{g \times m}, \oplus, O \rangle$ is an $(\mathcal{M}_g(D), \mathcal{M}_m(D))$-bisemimodule: matrix multiplication is taken as the left and right actions, and matrix addition is componentwise. Special cases are the bisemimodules of column vectors $\mathcal{M}_{m \times 1}(D)$ and of row vectors $\mathcal{M}_{1 \times g}(D)$. For the complete semifields $\overline{\mathbb{R}}_{\max,+}$ and $\overline{\mathbb{R}}_{\min,+}$, the following definitions hold:
$(A \otimes_\bot B)_{ij} := \max_{k=1}^{n} (A_{ik} \otimes_\bot B_{kj})$, $(C \otimes_\top D)_{ij} := \min_{k=1}^{n} (C_{ik} \otimes_\top D_{kj})$.
If $D$ is an idempotent (complete) semifield, then the finite matrix semimodules are idempotent (complete), with the partial order being the natural order of the entries of the matrices. If $D$ is a complete semifield, the left and right residuated operations of $\otimes_\bot$ and $\otimes_\top$ are, respectively,
$(A \backslash_\bot B)_{ij} = \bigwedge_{k=1}^{m} (A_{ki}^{-1} \otimes_\top B_{kj})$, $(B /_\bot C)_{ij} = \bigwedge_{k=1}^{p} (B_{ik} \otimes_\top C_{jk}^{-1})$,
$(A \backslash_\top B)_{ij} = \bigoplus_{k=1}^{m} (A_{ki}^{-1} \otimes_\bot B_{kj})$, $(B /_\top C)_{ij} = \bigoplus_{k=1}^{p} (B_{ik} \otimes_\bot C_{jk}^{-1})$.
The Kleene star operator. Let $S$ be a complete semiring. The additive closure of a matrix $A \in S^{n \times n}$ is defined in the following way:
$T : S^{n \times n} \to S^{n \times n}, \quad A \mapsto A^* = \bigoplus_{i \in \mathbb{N}_0} A^i$,
where $A^0 = I$, $A^{k+1} = A \otimes A^k$, and $I$ is the unit matrix. The mapping defined in this way is a closure, since $T \circ T = T$ and $T \ge \mathrm{Id}_{S^{n \times n}}$. It is called the Kleene star operator (see [109]). Let $A \in S^{n \times n}$ and $X \in S^{n \times p}$, and consider the left transformation
$L_{A^*} : S^{n \times p} \to S^{n \times p}, \quad X \mapsto A^* \otimes X$.
The following property is valid (see [15]):
$A^* \otimes A^* \otimes X = A^* \otimes X$.
Similarly, if $\otimes'$ is the dual operation of $\otimes$ in the dual semiring of the complete semiring $S$, then a dual operator of the Kleene star operator can also be defined in the following way ([15]):
$B^{*'} = \bigwedge_{k \in \mathbb{N}_0} B^{k}$,
where $B^0 = I$, $B^k = B \otimes' B^{k-1}$ (the powers being taken with respect to $\otimes'$). For the operator thus defined, the following is satisfied:
$B^{*'} \otimes' B^{*'} \otimes' X = B^{*'} \otimes' X$.
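The following Python example is added here and is not code from the book. It computes the Kleene star of a constructed max-plus matrix as the partial sum $I \oplus A \oplus \cdots \oplus A^{n-1}$, reports whether that sum really is $A^*$ (over $\mathbb{R}_{\max}$ this fails exactly when the graph of the matrix has a cycle of positive weight, in which case the star exists only in the completed semiring with $+\infty$ entries), and verifies the closure identities $A^* \otimes A^* \otimes X = A^* \otimes X$ and $A^* = I \oplus A A^*$. The convergence test via the diagonals of the powers and all function names are my own.

```python
"""Kleene star A* = I (+) A (+) A^2 (+) ... over the max-plus semiring.

Added example, not code from the book.  Entries are floats with -inf as the
zero element eps and 0 as the unit.  Over R_max the star is the all-pairs
maximum path weight: it is finite, and equal to the partial sum up to A^{n-1},
exactly when A has no cycle of positive weight; a positive cycle makes some
entry unbounded, so the star then exists only in the completed semiring.
"""
from math import inf


def identity(n):
    """Unit matrix I: the unit 0 on the diagonal, eps = -inf elsewhere."""
    return [[0.0 if i == j else -inf for j in range(n)] for i in range(n)]


def mp_add(A, B):
    """Component-wise max-plus sum (A (+) B)_ij = max(A_ij, B_ij)."""
    return [[max(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mp_mul(A, B):
    """Max-plus product (A (x) B)_ij = max_k (A_ik + B_kj); -inf + t = -inf as required."""
    return [[max(A[i][k] + B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def kleene_star(A):
    """Return (S, finite): S = I (+) A (+) ... (+) A^{n-1} and whether S equals A*.

    finite is False when some power A^k (k <= n) has a positive diagonal entry,
    i.e. the graph of A contains a positive cycle; then the true star has +inf
    entries and S is only a lower bound for it.
    """
    n = len(A)
    S, P = identity(n), identity(n)
    positive_cycle = False
    for k in range(1, n + 1):
        P = mp_mul(P, A)                       # P is now A^k
        positive_cycle |= any(P[i][i] > 0 for i in range(n))
        if k < n:                              # A^n adds nothing when no positive cycle exists
            S = mp_add(S, P)
    return S, not positive_cycle


def star_is_closure(A, X):
    """Check A* (x) A* (x) X == A* (x) X and A* == I (+) A (x) A* for a finite star."""
    S, finite = kleene_star(A)
    if not finite:
        return False
    SX = mp_mul(S, X)
    return mp_mul(S, SX) == SX and mp_add(identity(len(A)), mp_mul(A, S)) == S


if __name__ == "__main__":
    # constructed example: a path 0 -> 1 -> 2 with weights 2 and 3 (no cycles)
    A = [[-inf, 2.0, -inf], [-inf, -inf, 3.0], [-inf, -inf, -inf]]
    S, finite = kleene_star(A)
    print("A* =", S, "finite:", finite)
    print("closure identities hold:", star_is_closure(A, [[1.0], [0.0], [-4.0]]))
    # constructed example with a positive cycle 0 <-> 1 of weight 1 + 1
    print("star of cyclic matrix finite:", kleene_star([[-inf, 1.0], [1.0, -inf]])[1])
```

The partial sum $S$ is the quasi-inverse $A^* = I \oplus AA^*$ that the Gondran and Minoux iteration of Section 3.2 relies on, and the positive-cycle test is the reason the iteration is only meaningful when $A^K = A^*$ for some finite $K$.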
3.1.8 Max-plus algebra
Definition. An algebraic structure $\mathbb{R}_{\max}$ consisting of the set $\mathbb{R} \cup \{-\infty\}$, on which the two operations $\max$ and $+$ (playing the role of the binary operations $\oplus$ and $\otimes$, respectively) are defined, is called a max-plus algebra (or just a max algebra). The additive operation generates a natural order, namely
$a \le b$ if $a \oplus b = b$.
It is easy to see that for all $x, y, z \in \mathbb{R}_{\max}$ the following rules are satisfied:
• $x \oplus (y \oplus z) = (x \oplus y) \oplus z$;
• $x \oplus y = y \oplus x$;
• $x \otimes (y \otimes z) = (x \otimes y) \otimes z$;
• $x \otimes y = y \otimes x$;
• $x \otimes (y \oplus z) = x \otimes y \oplus x \otimes z$;
• $x \otimes 0 = x$;
• $x \oplus (-\infty) = x$;
• $x \oplus x = x$.
These properties show that the defined operations are associative, commutative and distributive; the semiring $(\mathbb{R}_{\max}, \oplus, \otimes)$ has zero element $-\infty$ and unit element $0$. The additive operation is idempotent.
Definition. The algebraic structure $\overline{\mathbb{R}}_{\max}$ defined by the set $\mathbb{R} \cup \{-\infty\} \cup \{+\infty\}$ and the operations $\max$ and $+$ (playing the role of the binary operations $\oplus$ and $\otimes$, respectively), with the additional requirement that $(-\infty) + (+\infty) = (+\infty) + (-\infty) = -\infty$, is called a complete max-plus algebra. It is worth noting that $a \oplus (+\infty) = +\infty$ for all $a \in \overline{\mathbb{R}}_{\max}$. The element $+\infty$ is denoted by $\top$, and the element $-\infty$ by $\bot$. Therefore, we come to the following
Theorem. The structure $\mathbb{R}_{\max}$ is an additively idempotent commutative semifield.
Let us compare the properties of the operations $\oplus$ and $\otimes$ with the properties of the usual addition $+$ and multiplication $\times$, respectively:
1. addition is not symmetric (for an element $a$ there is no element $b$ such that $\max(b, a) = -\infty$, when $a \ne -\infty$);
2. addition is idempotent;
3. in $\mathbb{R}_{\max}$, from $a \otimes b = -\infty$ it follows that $a = -\infty$ or $b = -\infty$.
Matrices over the semiring $\mathbb{R}_{\max}$. Let $\mathbb{R}_{\max}^{n \times n}$ be the set of $n \times n$ matrices with entries from $\mathbb{R}_{\max}$, along with the operations:
• the usual matrix addition (adding the corresponding entries together), which is denoted by $\oplus$;
• the usual matrix multiplication, denoted by $\otimes$:
$(A \otimes B)_{ij} = \bigoplus_{k=1}^{n} A_{ik} \otimes B_{kj}$;
• the product of a matrix and a scalar: for $\lambda \in \mathbb{R}_{\max}$ and $A \in \mathbb{R}_{\max}^{n \times n}$, $\lambda \otimes A = (\lambda \otimes A_{ij})$.
The set $\mathbb{R}_{\max}^{n \times n}$ is an idempotent algebra with:
• a null matrix, denoted by $O$, all of whose entries are $\varepsilon$;
• a unit matrix, denoted by $I$, whose diagonal entries are $e$ and all others are $\varepsilon$.
Polynomials in the semiring $\mathbb{R}_{\max}$. Let us denote the $n$-th power of $x$ by
$x^{\otimes n} = \underbrace{x \otimes x \otimes \cdots \otimes x}_{n} = nx$.
Hence:
1. $x^{\otimes 0} = 0$;
2. $x^{\otimes (-n)} = -nx$ ($n > 0$);
3. $(x \otimes y)^{\otimes n} = x^{\otimes n} \otimes y^{\otimes n}$, when $n \ge 0$.
Definition. An expression of the type
$P(x) = \bigoplus_{i=0}^{n} a_i \otimes x^{\otimes i}$
is called a max polynomial, where $n + 1$ determines the length of the polynomial.
Lemma. ([24]) If $P(x)$ is a max polynomial of length $l$ and $x \in \mathbb{R}$, then its value can be calculated in $O(l)$ steps.
In a max polynomial there may be terms, called nonsignificant, that do not contribute to its value. For example, for the polynomial $5 \oplus (-3) \otimes x^{\otimes 2} \oplus x^{\otimes 3}$ the term $(-3) \otimes x^{\otimes 2}$ is nonsignificant. Thus, we come to the following
Definition. The term $a_r \otimes x^{\otimes r}$ is said to be nonsignificant for the polynomial $P(x)$ if for all $x$ we have
$a_r \otimes x^{\otimes r} \le \bigoplus_{i=0,\, i \ne r}^{n} a_i \otimes x^{\otimes i}$.
The nonsignificant terms can be removed, and in this way the polynomial is represented in reduced form. For example, for the polynomial $5 \oplus (-3) \otimes x^{\otimes 2} \oplus x^{\otimes 3}$, the reduced form is $5 \oplus x^{\otimes 3}$. For cryptographic purposes, it is recommended to use only polynomials in reduced form.
Residual theory and max-plus algebra. Let us consider the space $\mathbb{R}^n_{\max}$ ($\overline{\mathbb{R}}^n_{\max}$, respectively) of all column vectors $x = (x_1, \ldots, x_n)^T$ of size $n$, with $x_1, \ldots, x_n$ belonging to the set $\mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$, respectively), on which two operations are given: element-by-element addition (denoted by $\oplus$) and multiplication by a scalar. Thus we obtain a semimodule over $\mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$, respectively). In this case, if $x = (x_1, \ldots, x_n)^T \in \mathbb{R}^n_{\max}$ ($\overline{\mathbb{R}}^n_{\max}$, respectively) and $\lambda \in \mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$, respectively), then $x\lambda$ is the vector
$x\lambda = (x_1 \otimes \lambda, \ldots, x_n \otimes \lambda)^T$.
As in linear algebra, each max-plus linear operator $\varphi$ from $\mathbb{R}^n_{\max}$ to $\mathbb{R}^m_{\max}$ (from $\overline{\mathbb{R}}^n_{\max}$ to $\overline{\mathbb{R}}^m_{\max}$, respectively) satisfies the equalities
$\varphi(x \oplus y) = \varphi(x) \oplus \varphi(y)$; $\varphi(x\lambda) = \varphi(x)\lambda$,
for all $x, y \in \mathbb{R}^n_{\max}$ ($\overline{\mathbb{R}}^n_{\max}$) and $\lambda \in \mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$). Therefore, each linear operator can be represented by a matrix of the type $m \times n$, i.e. $A = (A_{ij})_{i \in [m],\, j \in [n]}$ over $\mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$), where $\varphi(x) = Ax$, which means that
$\varphi(x)_i = \max_{j \in [n]} (A_{ij} + x_j)$ for $i \in [m]$.
Here $[n] = \{1, \ldots, n\}$ and $[m] = \{1, \ldots, m\}$ (see [8]). The vector and matrix spaces over $\mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$) are idempotent monoids with respect to the additive operation. These monoids carry a natural order (the supremum operation coincides with the additive operation), which agrees with the usual partial order; they are complete semimodules over $\mathbb{R}_{\max}$ ($\overline{\mathbb{R}}_{\max}$). This allows us to define a residuated operation $A \backslash B$ for arbitrary matrices $A \in \overline{\mathbb{R}}^{n \times m}_{\max}$ and $B \in \overline{\mathbb{R}}^{n \times p}_{\max}$ in the following way:
$A \backslash B := \max\{C \in \overline{\mathbb{R}}^{m \times p}_{\max} \mid A \otimes C \le B\}$.
In this case, the maximum means that the supremum is reached. In particular, for every two elements $\mu, \nu \in \overline{\mathbb{R}}_{\max}$ it holds that
$\mu \backslash \nu := \max\{\lambda \in \overline{\mathbb{R}}_{\max} \mid \mu \otimes \lambda \le \nu\}$.
Definition. A semimodule $V$ is called b-complete if each of its subsets which is bounded above has a supremum in $V$ (see [81]).
It can be noted that $\mathbb{R}^n_{\max}$ is a b-complete semimodule over $\mathbb{R}_{\max}$, and the natural ordering is the usual partial ordering. A subsemimodule $V$ of $\mathbb{R}^n_{\max}$ is a b-complete semimodule over $\mathbb{R}_{\max}$ if the supremum of every subset of $V$ (bounded above) belongs to $V$. The matrix semimodules with entries from $\mathbb{R}_{\max}$ are not complete semimodules, but only b-complete; the result $A \backslash B$ for matrices $A \in \mathbb{R}^{n \times m}_{\max}$ and $B \in \mathbb{R}^{n \times p}_{\max}$ is not a matrix of $\mathbb{R}^{m \times p}_{\max}$ in general. In this case, the term maximum in the definition of $A \backslash B$ is to be replaced by the term supremum in $\overline{\mathbb{R}}^{m \times p}_{\max}$.
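As an added example (not code from the book), the following Python block evaluates a max polynomial in one pass over its coefficients, as the lemma above states, and computes the reduced form of Section 3.1.8 by testing each term against the definition of a nonsignificant term. The test used is my own reformulation of that definition: the line $a_r + rx$ never exceeds the other terms exactly when the point $(r, a_r)$ lies on or below the chord between two other finite terms $(i, a_i)$, $(j, a_j)$ with $i < r < j$, so the reduced polynomial keeps the vertices of the upper concave hull of the points $(i, a_i)$. Coefficients equal to $-\infty$ stand for absent terms; function names are my own.

```python
"""Max-plus polynomials: evaluation and the reduced form.

Added example, not from the book.  A max polynomial P(x) = (+)_i a_i (x) x^{(x)i}
is stored as its coefficient list [a_0, ..., a_n] with -inf for absent terms.
evaluate() costs O(length); nonsignificant terms are found from the
definition: a_r (x) x^{(x)r} never exceeds the other terms exactly when the
point (r, a_r) lies on or below the chord between two other finite terms, so
the reduced form keeps the upper concave hull of the points (i, a_i).
"""
from math import inf


def evaluate(coeffs, x):
    """P(x) = max_i (a_i + i*x); one pass over the l = n+1 coefficients."""
    return max(a + i * x for i, a in enumerate(coeffs) if a != -inf)


def is_nonsignificant(coeffs, r):
    """True if a_r (x) x^{(x)r} <= (+)_{i != r} a_i (x) x^{(x)i} holds for every real x."""
    if coeffs[r] == -inf:
        return True                      # an absent term contributes nothing
    finite = [i for i, a in enumerate(coeffs) if a != -inf and i != r]
    # chord test: a line of slope r is dominated by the lines of slopes i < r < j
    # whenever its intercept is at most the convex combination of their intercepts
    for i in finite:
        for j in finite:
            if i < r < j:
                chord = coeffs[i] + (coeffs[j] - coeffs[i]) * (r - i) / (j - i)
                if coeffs[r] <= chord:
                    return True
    return False                         # lowest/highest finite terms are always significant


def reduced_form(coeffs):
    """Coefficient list with every nonsignificant term replaced by -inf."""
    return [-inf if is_nonsignificant(coeffs, r) else a for r, a in enumerate(coeffs)]


if __name__ == "__main__":
    # the polynomial 5 (+) (-3) (x) x^{(x)2} (+) x^{(x)3} from the text
    P = [5.0, -inf, -3.0, 0.0]
    R = reduced_form(P)
    print("reduced form:", R)
    for x in (-10.0, 1.0, 4.0, 7.5):
        print(f"P({x}) = {evaluate(P, x)}  reduced = {evaluate(R, x)}")
```

For the polynomial from the text the block keeps only the constant term and $x^{\otimes 3}$, and the original and reduced polynomials agree at every evaluation point; the same chord test with the inequality reversed (and the lower convex hull) gives the reduced form of a min polynomial.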
3.1.9 Min-plus algebra
Before proceeding to min-plus algebra, in order to avoid confusion in the operations on different semirings, certain clarifications are needed. In the semiring $\mathbb{R}_{\max}$ we use the notation $\oplus$ for the additive operation and $\otimes$ for the multiplicative operation; in the semiring $\mathbb{R}_{\min}$ we use $\oplus'$ for the additive operation and $\otimes'$ for the multiplicative operation. By $\overline{\mathbb{R}}_{\min}$ we denote the complete min-plus algebra, which by definition is a semiring over the set $\mathbb{R} \cup \{-\infty\} \cup \{+\infty\}$ equipped with the following two operations:
• addition $a \oplus' b := \min(a, b)$;
• multiplication $a \otimes' b := a + b$,
for all $a, b \in \overline{\mathbb{R}}_{\min}$. If we consider the set $\mathbb{R} \cup \{+\infty\}$, the semiring will be denoted by $\mathbb{R}_{\min}$. In the semiring $\overline{\mathbb{R}}_{\min}$ we call attention to the fact that $a \otimes' (+\infty) = +\infty$ if $a \in \mathbb{R} \cup \{+\infty\}$, and $(-\infty) \otimes' (+\infty) = +\infty$. In the semiring $\mathbb{R}_{\min}$, the neutral element for the additive operation (zero) is $+\infty$, and the neutral element for the multiplicative operation (unit) is $0$. The element $-\infty$ is denoted by $\top$, and the element $+\infty$ by $\bot$. Moreover, it is clear that for every three elements $a, b, c \in \overline{\mathbb{R}}_{\min}$ the associative law holds:
$(a \otimes' b) \otimes' c = a \otimes' (b \otimes' c)$.
For the operations defined in this way, the following can be proved easily:
Proposition. For all $a, b \in \mathbb{R} \cup \{-\infty\} \cup \{+\infty\}$ it is satisfied that
$-(a \otimes' b) = (-a) \otimes (-b)$.
Using this proposition, we find that the semiring $\mathbb{R}_{\min}$ could also be defined as the image of $\mathbb{R}_{\max}$ via the map
$\mathbb{R}_{\max} \to \mathbb{R}_{\min}, \quad a \mapsto -a$.
This map is an isomorphism between the complete semirings $\overline{\mathbb{R}}_{\max}$ and $\overline{\mathbb{R}}_{\min}$. The connection between the images is given by the following:
Proposition. For all $a, b \in \overline{\mathbb{R}}_{\max}$:
$a \backslash b = b \otimes' (-a)$.
Proof. Following the definition, we obtain
$a \backslash b := \max\{c \in \overline{\mathbb{R}}_{\max} \mid a \otimes c \le b\}$,
which in the standard notation can be written in the following way:
$a \backslash b := \max\{c \mid a + c \le b\}$.
On the other hand, for each $a, b, c \in \overline{\mathbb{R}}$:
$a \otimes c \le b \iff c \le b \otimes' (-a)$,
so we get
$a \backslash b := \max\{c \mid c \le b \otimes' (-a)\} = b \otimes' (-a)$,
which is the desired result.
The following corollaries can be obtained from the proposition proved above:
Corollary 1. For all $a, b \in \overline{\mathbb{R}}_{\max}$, we have:
$a \backslash b = \bot \iff a = \top$ and $b = \bot$; $a \backslash b = +\infty \iff a = -\infty$ or $b = +\infty$.
Proof. It follows from the proposition and the definition of $\otimes'$, since $a \otimes' \infty = \infty$ if and only if $a = \infty$.
Corollary 2. For all $a, b \in \overline{\mathbb{R}}_{\max}$, the following holds:
$a \backslash b = +\infty \iff (a = -\infty \text{ and } b = -\infty) \text{ or } (a > -\infty \text{ and } b = +\infty)$.
From the definition of a residuated operation between matrices, it follows that for two arbitrary vectors $x = (x_1, \ldots, x_n)^T$, $y = (y_1, \ldots, y_n)^T \in \overline{\mathbb{R}}^n_{\max}$:
$x \backslash y = \max\{\lambda \in \overline{\mathbb{R}}_{\max} \mid x \otimes \lambda \le y\} = \max\{\lambda \in \overline{\mathbb{R}}_{\max} \mid x_i \otimes \lambda \le y_i\} = \bigwedge_i x_i \backslash y_i$,
where $i \in \{1, \ldots, n\}$ and $\bigwedge$ denotes the infimum. On the other hand, taking into account the proposition proved above, for $i \in \{1, \ldots, n\}$ we get
$x \backslash y = \max\{\lambda \mid x_i \otimes \lambda \le y_i\} = \min_i (y_i \otimes' (-x_i))$.
From the latter we come to the conclusion that for an arbitrary vector $x \in \overline{\mathbb{R}}^n_{\max}$, with $i \in \{1, \ldots, n\}$, the following is satisfied:
$x \backslash x = \bigwedge_i x_i \backslash x_i = \min_i (x_i \otimes' (-x_i)) = \begin{cases} +\infty & \text{if } x_i = \pm\infty, \\ 0 & \text{if } x_i \ne \pm\infty. \end{cases}$
Finally, for each $\lambda \in \overline{\mathbb{R}}_{\max}$ and $x, y \in \overline{\mathbb{R}}^n_{\max}$, the next property is valid:
$\lambda \le x \backslash y \iff x \otimes \lambda \le y$.
Square matrices over the semiring $\mathbb{R}_{\min}$. Let $\mathbb{R}^{n \times n}_{\min}$ be the set of $n \times n$ matrices with entries from $\mathbb{R}_{\min}$, along with the following operations:
• the usual matrix addition, denoted by $\oplus'$;
• the usual matrix multiplication, denoted by $\otimes'$:
$(A \otimes' B)_{ij} = {\bigoplus'}_{k=1}^{n} A_{ik} \otimes' B_{kj}$;
• the multiplication of a matrix and a scalar: for $\lambda \in \mathbb{R}_{\min}$ and $A \in \mathbb{R}^{n \times n}_{\min}$, $\lambda \otimes' A = (\lambda \otimes' A_{ij})$.
The set $\mathbb{R}^{n \times n}_{\min}$ is an idempotent algebra containing:
• a null matrix, denoted by $O$, whose entries are $\varepsilon$;
• a unit matrix, denoted by $I$, whose diagonal entries are $e$ and the others $\varepsilon$.
Polynomials in the semiring $\mathbb{R}_{\min}$. Let us denote the $n$-th power of $x$ by
$x^{\otimes' n} = \underbrace{x \otimes' x \otimes' \cdots \otimes' x}_{n} = nx$.
Definition. An expression of the type
$P(x) = {\bigoplus'}_{i=0}^{n} a_i \otimes' x^{\otimes' i}$
is called a min polynomial. The integer $n + 1$ determines the length of the polynomial. In min polynomials, nonsignificant terms that do not contribute to the value can also be observed. For cryptographic purposes, it is recommended to use only reduced min polynomials. We recall that the term $a_r \otimes' x^{\otimes' r}$ is called nonsignificant for the polynomial $P(x)$ if for all $x$ it holds that
$a_r \otimes' x^{\otimes' r} \ge {\bigoplus'}_{i=0,\, i \ne r}^{n} a_i \otimes' x^{\otimes' i}$.
The meaning of nonsignificant terms is that they can be removed from the polynomial, and thus the polynomial is represented in reduced form.
Remark. It is easy to see that the dual of $\mathbb{R}_{\min}$ is the complete idempotent semiring $\mathbb{R}_{\max}$, if we consider them as semimodules. We write $\mathbb{R}_{\min} = \mathbb{R}_{\max}^{op}$ and, vice versa, $\mathbb{R}_{\max} = \mathbb{R}_{\min}^{op}$.
3.1.10 Max-time algebra
In the semiring $\mathbb{R}_{\max,\times}$ we use the notation $\oplus$ for the additive operation and $\otimes$ for the multiplicative operation. We denote by $\mathbb{R}_{\max,\times}$ the max-time algebra. By definition, it is a semiring over the set of positive real numbers extended by adding a zero element, $\mathbb{R}_+ \cup \{0\}$, equipped with the following two operations:
• addition $a \oplus b := \max(a, b)$;
• multiplication $a \otimes b := a \cdot b$,
for all $a, b \in \mathbb{R}_{\max,\times}$. In the semiring $\mathbb{R}_{\max,\times}$, the neutral element for the multiplicative operation is $e = 1$, and the neutral element for the additive operation is $\varepsilon = 0$, i.e. they coincide with the usual unit and zero. The semiring $\mathbb{R}_{\max,\times}$ can be completed in the following way: $\overline{\mathbb{R}}_{\max,\times} = \mathbb{R}_+ \cup \{0\} \cup \{+\infty\}$. In this case, the element $\top = +\infty$ and the element $\bot = 0$. The additive operation defines the standard partial order $\le$ in accordance with the rule: $a \le b$ if and only if $a \oplus b = b$.
Matrices over the semiring $\mathbb{R}_{\max,\times}$. Let $\mathbb{R}^{n \times n}_{\max,\times}$ be the set of $n \times n$ matrices with entries from $\mathbb{R}_{\max,\times}$, along with the following two operations:
• the usual matrix multiplication, denoted by $\otimes$:
$(A \otimes B)_{ij} = \bigoplus_{k=1}^{n} A_{ik} \otimes B_{kj}$;
• the multiplication of a matrix and a scalar: for $\lambda \in \mathbb{R}_{\max,\times}$ and $A \in \mathbb{R}^{n \times n}_{\max,\times}$, $\lambda \otimes A = (\lambda \otimes A_{ij})$.
The set $\mathbb{R}^{n \times n}_{\max,\times}$ is an idempotent algebra with:
• a null matrix, denoted by $O$, whose elements are $\varepsilon$;
• a unit matrix, denoted by $I$, whose diagonal elements are $e$ and the others $\varepsilon$.
Polynomials in the semiring $\mathbb{R}_{\max,\times}$. Let us denote the $n$-th power of $x$ by
$x^{\otimes n} = \underbrace{x \otimes x \otimes \cdots \otimes x}_{n} = x^n$.
Definition. An expression of the type
$P(x) = \bigoplus_{i=0}^{n} a_i \otimes x^{\otimes i}$
is called a max-time polynomial. The integer $n + 1$ determines the length of the polynomial.
3.1.11 Min-time algebra
In the semiring $\mathbb{R}_{\min,\times}$ we will use the notation $\oplus'$ for the additive operation and $\otimes'$ for the multiplicative operation. We denote by $\mathbb{R}_{\min,\times}$ the min-time algebra, which by definition is a semiring over the set $\mathbb{R}_+ \cup \{+\infty\}$ equipped with the following two operations:
• addition $a \oplus' b := \min(a, b)$;
• multiplication $a \otimes' b := a \cdot b$,
for all $a, b \in \mathbb{R}_{\min,\times}$. In the semiring $\mathbb{R}_{\min,\times}$, the neutral element for the multiplicative operation is $e = 1$, and the neutral element for the additive operation is $\varepsilon = +\infty$. The semiring $\mathbb{R}_{\min,\times}$ can be expanded to a complete semiring by adding zero, i.e. $\overline{\mathbb{R}}_{\min,\times} = \mathbb{R}_+ \cup \{+\infty\} \cup \{0\}$. In this case, the element $\top = 0$ and the element $\bot = +\infty$. The semiring $\mathbb{R}_{\min,\times}$ can be defined as the image of $\mathbb{R}_{\max,\times}$ via the mapping
$\mathbb{R}_{\max,\times} \to \mathbb{R}_{\min,\times}, \quad a \mapsto a^{-1} = \frac{1}{a}$.
This transformation is an isomorphism between the complete semirings $\overline{\mathbb{R}}_{\max,\times}$ and $\overline{\mathbb{R}}_{\min,\times}$. We note that $0^{-1} = +\infty$ and $(+\infty)^{-1} = 0$. The additive operation defines the standard partial order $\le$ according to the rule: $a \le b$ if and only if $a \oplus' b = b$.
Matrices over the semiring $\mathbb{R}_{\min,\times}$. Let $\mathbb{R}^{n \times n}_{\min,\times}$ be the set of $n \times n$ matrices with entries from $\mathbb{R}_{\min,\times}$, for which the following operations are defined:
• the usual matrix addition, denoted by $\oplus'$;
• the usual matrix multiplication, denoted by $\otimes'$:
$(A \otimes' B)_{ij} = {\bigoplus'}_{k=1}^{n} A_{ik} \otimes' B_{kj}$;
• the multiplication of a matrix and a scalar: for $\lambda \in \mathbb{R}_{\min,\times}$ and $A \in \mathbb{R}^{n \times n}_{\min,\times}$, $\lambda \otimes' A = (\lambda \otimes' A_{ij})$.
The set $\mathbb{R}^{n \times n}_{\min,\times}$ is an idempotent algebra with:
• a null matrix, denoted by $O$, whose elements are $\varepsilon$;
• a unit matrix, denoted by $I$, whose diagonal elements are $e$ and the others $\varepsilon$.
Polynomials in the semiring $\mathbb{R}_{\min,\times}$. Let us denote the $n$-th power of $x$ by
$x^{\otimes' n} = \underbrace{x \otimes' x \otimes' \cdots \otimes' x}_{n} = x^n$.
Definition. An expression of the type
$P(x) = {\bigoplus'}_{i=0}^{n} a_i \otimes' x^{\otimes' i}$
is called a min-time polynomial. The integer $n + 1$ determines the length of the polynomial.
3.2 Linear Equations Let ( K , ,
, H , ) be an idempotent semifield. Each matrix A K mun generates a mapping (operator) from the semimodule K n into the semimodule K m . Since for arbitrary vectors x, y K n and a scalar D K , the following two conditions are satisfied:
Ax Ay, A(D x) D Ax,
A( x y )
the transformation has the property of linearity. Such a mapping is called a linear operator. Let matrices A, B K mun and vectors b, d K m be given. Definition. A general linear equation with respect to an unknown vector x K n is the equation:
Ax b Bx d.
The following special cases for the general linear equation are examined: x Ax b – Bellman homogeneous equation; x Ax b x – Bellman non-homogeneous equation; x Ax Bx – two-sided linear equation. Let us consider two equations that are represented in the terms of different semirings. These equations are equivalent if the sets of their solutions (which are different from zero) coincide. Based on the isomorphism of the corresponding semirings, it is easy to verify the equivalence of the equations:
Ax
x A
b (
b (
max, max,
);
min, min,
).
Similarly, we can establish the equivalence of the following pair of equations:
Ax
x A
b (
b (
max,u max,u
),
min,u min, u
).
A variety of approaches have been proposed to solve the Bellman homogeneous equations. For example, Vorobiev in [121] demonstrated a method based on analysis of the subsets of the rows of a matched matrix, and gave some conditions for the existence of a solution, as well as suggested a procedure for finding all solutions. The expression for the maximal solution is obtained in the form x A
b, where A denotes
The Role of Idempotent Semirings
81
the pseudoinverse matrix of A in the given semiring, and
is the symbol for multiplication in the corresponding dual semiring. The development of the theory and methods for solving these equations was proposed by R. Cuninghame-Green in [23]. In this paper, the author first found a condition for the existence of solutions of the equation in the form A( A
b) b, and then gave a condition for the uniqueness of the solution. In [8], a solution of the equation was proposed in the form of an arbitrary vector x, for which Ax d b. The residual operation \ is introduced in the way that the maximal subsolution of the equation Ax b is A \ b . It is demonstrated that in the case when a solution of this equation exists, it can be written in terms of the dual semiring; i.e. the following equality holds:
A\b
A
b.
Zimmermann in [126] proposed a method for solving the equation
Ax = b, using covering sets. His method has complexity OȋmnȌ, where m and n are the number of the rows and columns of the matrices involved. Akian, Gaubert and Kolokoltsov later improved the Zimmermann method in [4]. In conclusion, it can be stated that the Bellman homogeneous equations should be avoided for cryptographic purposes. In [8], necessary and sufficient conditions for the existence of a subsolution of the type d d b of the equation Ax d b are given. To solve the equation Ax b x, Gondran and Minoux in [50] applied a method (similar to the classical iterative Jacobi method) in which they used the Kleene star operator. The complexity of their algorithm is OȋknʹȌ, if all the entries of the matrix A are different from H , and it is equal to OȋKMȌ, where M is the number of entries of A that differ from H . In this case, K is natural, such that AK
A* , where A* is a quasi-inverse matrix of the given matrix, i.e.
A*
I AA*
I A* A.
A universal method for solving Bellman nonhomogeneous equations for matrices was suggested in [82]. Unlike the Bellman equations (homogeneous and non-homogeneous), which can be solved in polynomial time, this is not always the case for the two-sided linear equation. The main investigations of solutions of this equation are related to the semirings max, and min, . We will now turn our attention to the latest
82
Chapter Three
developments in this field. For example, in [17] it was proved that the set of solutions of the two-sided linear equation can be finitely generated. In [20], a polynomial time algorithm giving a solution to this equation or stating that the equation has no solution is developed. In [8], solutions to the same equation were found using a special technique, called symmetrization and balance resolution. Generators for solution sets were obtained in [17]. The idea of finding the minimal set of generators is considered in [110] and [122], but for the equivalent problem, namely $Ax \le Bx$. An iterative method for another equivalent problem, $Ax = By$, where x and y are unknown, is introduced in [25]. In [123] a recursive technique for solving the problem $Ax \oplus a = Bx \oplus b$ is applied. In [84], the two-sided linear equation in the considered semirings is solved by separating each matrix into two special matrices. Allamigeon et al. in [6] demonstrated a method which is similar to that previously suggested by Butkovič and Hegedüs [17]; it uses extreme rays to generate the set of all solutions in terms of the system of constraints for the algorithm. The analogue for the case in which the given equation is defined on an interval is due to Hardouin et al. (see [54]). The question of the complexity of the algorithms for solving the two-sided linear equations in the semirings $\mathbb{R}_{\max,+}$ and $\mathbb{R}_{\min,+}$ has been resolved. It is established (see, for example, [14]) that the problem of solving the two-sided linear equation is reducible in polynomial time to solving the mean payoff game problem ([3]), which has been proven to lie in NP ∩ coNP (see [70]). Akian et al. in [2] also showed that the existence of a nontrivial solution of the equation under consideration is directly related to the solution of the mean payoff game problem. S. Gaubert and S. Sergeev in [47] proposed a solution not only for the equation $Ax \le Bx$, but also for the case $Ax = By$, using again the mean payoff game problem.
However, there are a number of special cases where the two-sided linear equation can be solved in polynomial time. For example, A. Aminu in [7] examined particular cases where the two-sided linear equation can be solved in time $O(n^3)$. The article [18] also presents cases when the two-sided linear equation can be solved in polynomial time (i.e. in time $O((m+n)^3)$). Obviously, these cases should be avoided in cryptography. An algorithm for solving the two-sided linear equations in the semirings $\mathbb{R}_{\max,\times}$ and $\mathbb{R}_{\min,\times}$ in polynomial time is not yet known.
However, we have to mention that there is no evidence that the time to solve such equations is of the type NP. This is an open problem for now.
Let us take a closer look at the solution of the two-sided linear inequality in terms of residuation theory. We have seen that max-plus and min-plus transformations are mutually residuated. Recall that for the max-plus linear transformation $A: \mathbb{R}_{\max}^{n} \to \mathbb{R}_{\max}^{m}$, the residual operator $A^{\sharp}: \mathbb{R}_{\max}^{m} \to \mathbb{R}_{\max}^{n}$ is defined as

$(A^{\sharp} y)_j := \bigwedge_{i=1}^{m} (y_i - a_{ij}), \quad j = 1, \dots, n,$

provided that $(-\infty) - (-\infty) = -\infty$. Note that the operator $A^{\sharp}$ maps $\mathbb{R}_{\max}^{m}$ into $\mathbb{R}_{\max}^{n}$ as long as the matrix A does not have columns consisting only of $-\infty$. The term residual is associated with the property

$Ax \le y \iff x \le A^{\sharp} y,$

where $\le$ is the partial order in $\mathbb{R}_{\max}^{m}$ or $\mathbb{R}_{\max}^{n}$. This means that for a max-plus linear system the following holds:

$Ax \le Bx \iff x \le A^{\sharp} B x.$

In fact, the expression $A^{\sharp} B x$ is to be understood as a composition of two operators: $Bx$ means the multiplication of the matrix B and the vector x in the semiring max-plus, and $A^{\sharp}(Bx)$ means the multiplication of the matrix $A^{\sharp}$ and $Bx$ in the semiring min-plus. A similar connection can also be established for the other two dual semirings $\mathbb{R}_{\max,\times}$ and $\mathbb{R}_{\min,\times}$. Finally, we note that Cuninghame-Green and Zimmermann in [26] described for the first time a general algorithm for solving the two-sided linear equation, presenting it in the form $f(x) = g(y)$, where f and g are residuated functions. Their algorithm was improved later by Gonçalves et al. in [51]. A more general question is whether the two-sided linear equation of the type $Ax = Bx$ can be solved, where the matrices A and B are over two dual semirings.
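As an added example (not code from the book), the following Python implements the max-plus matrix-vector product and the residual operator $A^{\sharp}$ discussed above, using the convention $(-\infty) - (-\infty) = -\infty$, and confirms by exhaustive enumeration over a small grid of vectors that $Ax \le y$ holds exactly when $x \le A^{\sharp} y$, and that $Ax \le Bx$ holds exactly when $x \le A^{\sharp}(Bx)$. The matrices A, B, the vector y and the grid are constructed sample values; the case of a column consisting only of $-\infty$ is handled by returning $+\infty$ in that coordinate.

```python
from itertools import product
from math import inf

# Max-plus semiring R_max = R ∪ {-inf}: a ⊕ b = max(a, b), a ⊗ b = a + b.
# All sample data below are constructed for this illustration.

def max_plus_matvec(A, x):
    """(A ⊗ x)_i = max_k (a_ik + x_k); -inf + anything = -inf, as in R_max."""
    return [max(a + xk for a, xk in zip(row, x)) for row in A]

def residual_diff(y_i, a_ij):
    """y_i - a_ij with the convention (-inf) - (-inf) = -inf.
    A finite y_i minus -inf is +inf, which is why A# stays inside R_max^n
    only when no column of A is entirely -inf."""
    if a_ij == -inf:
        return -inf if y_i == -inf else inf
    if y_i == -inf:
        return -inf
    return y_i - a_ij

def residual(A, y):
    """Residual operator (A# y)_j = min over i of (y_i - a_ij)."""
    m, n = len(A), len(A[0])
    return [min(residual_diff(y[i], A[i][j]) for i in range(m)) for j in range(n)]

def leq(u, v):
    """Componentwise partial order of R_max^k."""
    return all(a <= b for a, b in zip(u, v))

def galois_check(A, y, grid):
    """Exhaustively confirm  A x <= y  <=>  x <= A# y  for every x in grid^n."""
    n = len(A[0])
    r = residual(A, y)
    return all(
        leq(max_plus_matvec(A, list(x)), y) == leq(list(x), r)
        for x in product(grid, repeat=n)
    )

def two_sided_check(A, B, x):
    """Return (A x <= B x, x <= A#(B x)); residuation says the two agree.
    B x is computed in max-plus, then A# is applied to the result."""
    Bx = max_plus_matvec(B, x)
    return leq(max_plus_matvec(A, x), Bx), leq(x, residual(A, Bx))

if __name__ == "__main__":
    A = [[2, -inf], [0, 1]]          # constructed 2x2 max-plus matrix
    B = [[1, 0], [3, -inf]]          # constructed 2x2 max-plus matrix
    y = [3, 2]
    grid = [-inf, -3, -2, -1, 0, 1, 2, 3]
    print("A# y =", residual(A, y))
    print("Galois connection holds on the grid:", galois_check(A, y, grid))
    print("x = [0, 2]:", two_sided_check(A, B, [0, 2]))
    print("x = [0, 0]:", two_sided_check(A, B, [0, 0]))
```

With these sample values $A^{\sharp} y = (1, 1)$, so every x with $Ax \le y$ is bounded componentwise by that vector, which is the greatest solution of $Ax \le y$; the grid check exercises $-\infty$ entries as well as finite ones.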
In [15], a solution was given to the inequality $A \otimes X \le X \le B \otimes' X$, where $\otimes$ and $\otimes'$ are the product operators in two dual semirings. For this purpose, the authors used residuated matrix transformations. The idea is that if $X_0$ is the maximal solution of the system of inequalities $A \otimes X \le X \le B \otimes' X$ and $X \le X_0$, then:

$A^{*} \otimes X = B^{*} \otimes' X = X$ and $X \le X_0$.
The question of whether it is possible to find all the solutions of a two-sided linear equation of the corresponding type has not yet been solved. We have reason to believe that such a problem cannot be solved in polynomial time, taking into account what has already been proven for a two-sided equation in the semirings max-plus and min-plus. Here, it is assumed that the presence of two mutually dual semirings in one equation will complicate its solution. So far, this is an open problem.
3.3 Applications of Idempotent Algebra in Cryptography

The idempotency of the additive operation, $a \oplus a = a$, and the fact that there is no subtraction are the two main advantages of idempotent algebra, and that is what distinguishes it from usual linear algebra. In this section we discuss the use of idempotent semirings for cryptographic purposes. The application of these semirings as a platform for building cryptosystems arose a few years ago. D. Grigoriev and V. Shpilrain in [52] suggested using a min-plus (tropical) semiring. M. Durcheva applied different idempotent semirings ([34]–[39]) to construct cryptographic protocols. The idea of employing two dual idempotent semirings has been extended to create a distributed secure multicast key-exchange protocol ([39]). This protocol will be a topic for discussion in the next chapter. The main purpose of the present work is to show how the action of two dual idempotent semirings on a set can be applied to build a key-exchange protocol. Such an action is developed in the protocol of Maze, Monico and Rosenthal (see Section 2.3.4). Our idea is to use two dual idempotent matrix semirings acting on a third matrix semiring. Let S be a set and let $D = \langle S, \oplus, \otimes, \bot, \top \rangle$ and $D^{d} = \langle S, \oplus', \otimes', \bot, \top \rangle$ be two complete dual dioids. Then we construct matrix semirings over S, D and $D^{d}$. Let them be respectively $M_{n\times n}(S)$, $M_{n\times n}(D)$, and $M_{n\times n}(D^{d})$. Next, we consider polynomials of matrices over two dual dioids.
If $M \in M_{n\times n}(D)$, $N \in M_{n\times n}(D^{d})$, and $X \in M_{n\times n}(S)$, the action is:

$(M_{n\times n}(D) \times M_{n\times n}(D^{d})) \times M_{n\times n}(S) \to M_{n\times n}(S), \quad ((p(M), q(N)), X) \mapsto p(M) \otimes X \otimes' q(N).$
In general, the protocol consists of the following: two users (Alice and Bob) who want to communicate over a public (unsecured) channel agree on the dual dioids and on concrete matrices $M \in M_{n\times n}(D)$, $N \in M_{n\times n}(D^{d})$, and $X \in M_{n\times n}(S)$. Then:

1. Alice selects two reduced polynomials as her secret key: $p(x)$ over the dioid D and $t(x)$ over the dual dioid $D^{d}$. She computes $A = p(M) \otimes X \otimes' t(N)$ (the matrix A is her public key) and sends A to Bob.
2. Bob selects two reduced polynomials as his secret key: $q(x)$ over the dioid D and $r(x)$ over the dual dioid $D^{d}$. He computes $B = q(M) \otimes X \otimes' r(N)$ (the matrix B is his public key) and sends B to Alice.
3. Alice computes her secret key: $k_A = p(M) \otimes B \otimes' t(N) = p(M) \otimes q(M) \otimes X \otimes' r(N) \otimes' t(N)$.
4. Bob computes his secret key: $k_B = q(M) \otimes A \otimes' r(N) = q(M) \otimes p(M) \otimes X \otimes' t(N) \otimes' r(N)$.

At the end of the protocol, both users receive a shared secret key $k_A = k_B$. The security of the protocol is based on the following:

Two dual dioids action problem. Let three initial matrices $M \in M_{n\times n}(D)$, $N \in M_{n\times n}(D^{d})$, $X \in M_{n\times n}(S)$ and one matrix of the type $T = S_1[M] \otimes X \otimes' S_2[N]$ be given. Find two matrices $U_1 \in S_1[M]$ and $U_2 \in S_2[N]$ such that $T = U_1 \otimes X \otimes' U_2$.

Here, the matrix T can be Alice's public key A or (which is the same) Bob's public key B; $S_1[M]$ and $S_2[N]$ are the matrix semirings generated by the matrices M and N, respectively. This means that in order to break the protocol, the eavesdropper needs to solve the two-sided matrix equation:
$T = U_1 \otimes X \otimes' U_2$, where $U_1$ and $U_2$ are unknown matrices and T and X are known matrices. As mentioned above, a general solution to an equation of this type is not known. In addition, when using idempotent semirings, one should carefully consider whether the periods of the matrices M and N that the users choose can be calculated in polynomial time. There are matrices whose periods can be easily calculated (see, for example, [19]), and in this protocol they should be avoided. For our protocol, we recommend using the following pairs of complete dual dioids:
• $\mathbb{R}_{\min,+}$ and $\mathbb{R}_{\max,+}$;
• $\mathbb{R}_{\max,\times}$ and $\mathbb{R}_{\min,\times}$.
We do not suggest using the dual semirings $\mathbb{R}_{\max,\min}$ and $\mathbb{R}_{\min,\max}$. One of the reasons to avoid them is that the period per(A) of a matrix A over these semirings can be calculated in time $O(n^3)$, and in some cases in time $O(n^2)$ (see [48] for details). The proposed scheme can also be used to construct a digital signature protocol in which the stage of generating a common key overlaps with the proposed key-exchange protocol. We believe that this general protocol could use other dual dioids as a platform as well, provided the corresponding two-sided equation is not solvable in polynomial time.
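As an added illustration (not code from the book or its author), the following Python models the first recommended pair of dual dioids, $\mathbb{R}_{\max,+}$ and $\mathbb{R}_{\min,+}$, as n×n matrix semirings, evaluates polynomials of a matrix in each of them, and builds a public key of the form $p(M) \otimes X \otimes' t(N)$ from the protocol above. It also checks the two commutation identities that the protocol uses, $p(M) \otimes q(M) = q(M) \otimes p(M)$ and $t(N) \otimes' r(N) = r(N) \otimes' t(N)$, which hold because all powers of one matrix commute with each other in a dioid. Two assumptions are labelled in the code: the mixed product is evaluated left to right, $(p(M) \otimes X) \otimes' t(N)$, since the text does not fix the grouping, and ⊗ denotes the product of D while ⊗' denotes the product of $D^{d}$. All matrices and coefficient lists are small constructed sample values.

```python
from math import inf

# Two dual dioids on S = R ∪ {±inf} (constructed sample data throughout):
#   D   = R_max,+ : a ⊕ b = max(a, b), a ⊗ b = a + b,  zero -inf, unit 0
#   D^d = R_min,+ : a ⊕' b = min(a, b), a ⊗' b = a + b, zero +inf, unit 0

def max_plus_matmul(A, B):
    """(A ⊗ B)_ij = max_k (a_ik + b_kj)."""
    return [[max(A[i][k] + B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def min_plus_matmul(A, B):
    """(A ⊗' B)_ij = min_k (a_ik + b_kj)."""
    return [[min(A[i][k] + B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def identity(n, zero):
    """Unit matrix of the matrix dioid: 0 (the unit) on the diagonal, the zero elsewhere."""
    return [[0 if i == j else zero for j in range(n)] for i in range(n)]

def matrix_poly(coeffs, M, matmul, add, zero):
    """p(M) = c_0 ⊗ I ⊕ c_1 ⊗ M ⊕ ... ⊕ c_d ⊗ M^d, with ⊕ = add (max or min)
    taken entrywise and scalar ⊗ = +; coeffs[k] is c_k."""
    n = len(M)
    power = identity(n, zero)
    result = [[zero] * n for _ in range(n)]
    for c in coeffs:
        result = [[add(result[i][j], c + power[i][j]) for j in range(n)] for i in range(n)]
        power = matmul(power, M)
    return result

def max_plus_poly(coeffs, M):
    return matrix_poly(coeffs, M, max_plus_matmul, max, -inf)

def min_plus_poly(coeffs, N):
    return matrix_poly(coeffs, N, min_plus_matmul, min, inf)

def polys_commute(p, q, M, poly, matmul):
    """Polynomials in the same matrix commute: p(M) ⊗ q(M) = q(M) ⊗ p(M)."""
    P, Q = poly(p, M), poly(q, M)
    return matmul(P, Q) == matmul(Q, P)

def public_key(p, M, X, t, N):
    """A = p(M) ⊗ X ⊗' t(N). Assumption: the mixed product is evaluated left to
    right, i.e. (p(M) ⊗ X) ⊗' t(N); the text does not fix the grouping."""
    return min_plus_matmul(max_plus_matmul(max_plus_poly(p, M), X), min_plus_poly(t, N))

if __name__ == "__main__":
    M = [[1, 2], [0, 3]]        # constructed public matrix over D
    N = [[0, 4], [1, 2]]        # constructed public matrix over D^d
    X = [[0, 1], [2, 0]]        # constructed public matrix over S
    p, q = [0, 1], [2, 0, 1]    # constructed D-polynomials of Alice and Bob
    t, r = [1, 0], [0, 0, 1]    # constructed D^d-polynomials of Alice and Bob
    print("p(M) q(M) = q(M) p(M):", polys_commute(p, q, M, max_plus_poly, max_plus_matmul))
    print("t(N) r(N) = r(N) t(N):", polys_commute(t, r, N, min_plus_poly, min_plus_matmul))
    print("A =", public_key(p, M, X, t, N))
```

Because the dioid unit is 0 and the zeros are $\mp\infty$, the identity matrix of $M_{n\times n}(D)$ has $-\infty$ off the diagonal while that of $M_{n\times n}(D^{d})$ has $+\infty$ there; keeping the two products in separate functions prevents the two zeros from ever being added together.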
BIBLIOGRAPHY TO CHAPTER THREE
[1] AlZubaidy H., Liebeherr J., Burchard A., A (min,×) Network Calculus for Multi-Hop Fading Channels, in IEEE INFOCOM, April 2013.
[2] Akian M., Gaubert S., Guterman A., The correspondence between tropical convexity and mean payoff games, in Mathematical Theory of Networks and Systems, (2010), pp. 1295–1302.
[3] Akian M., Gaubert S., Guterman A., Tropical polyhedra are equivalent to mean payoff games, International Journal of Algebra and Computation, 22(1), 2012.
[4] Akian M., Gaubert S., Kolokoltsov V., Set Coverings and Invertibility of Functional Galois Connections, in G. Litvinov, V. Maslov (Eds.), Idempotent Math & Math Physics, American Math Society (2005), 19–52.
[5] Akian M., Gaubert S., Nitică V., Singer I., Best approximation in max-plus semimodules, Linear Algebra and its Applications, V. 435, Issue 12, 15 December 2011, 3261–3296.
[6] Allamigeon X., Gaubert S., Goubault E., The tropical double description method, in 27th International Symposium on Theoretical Aspects of Computer Science (STACS 2010), v. 5, pp. 47–58.
[7] Aminu A., On the solvability of homogeneous two-sided systems in max-algebra, NNTDM Vol. 16 (2010), 2, 5–15.
[8] Baccelli F., Cohen G., Olsder G., Quadrat J-P., Synchronization and Linearity. An Algebra for Discrete Event Systems, INRIA web edition, 2001.
[9] Baker M., Len Y., Morrison R., Pflueger N., Ren Q., Bitangents of Tropical Plane Quartic Curves, Mathematische Zeitschrift, pp. 1–15, 2015.
[10] Barvinok A., Combinatorial Optimization and Computations in the Ring of Polynomials, DIMACS Technical Report 93-13, 1993.
[11] Barvinok A., Matrices with prescribed row and column sums, Linear Algebra and its Applications (2012) 436, pp. 820–844.
[12] Barvinok A., Thrifty approximations of convex bodies by polytopes, International Mathematics Research Notices, 2014 (16):4341–4356.
[13] Belluce L., Di Nola A., Commutative Rings whose Ideals form an MV-algebra, Mathematical Logic Quarterly, 55 (5), 2009, 468–486.
[14] Bezem M., Nieuwenhuis R., Rodriguez-Carbonell E., Hard problems in max-algebra, control theory, hypergraphs and other areas, Inf. Process. Lett., 110(4):133–138, 2010.
[15] Brunsch T., Hardouin L., Maia C., Raisch J., Duality and interval analysis over idempotent semirings, Linear Algebra and its Applications, 437 (2012) 2436–2454.
[16] Butkovič P., Aminu A., Introduction to Max-linear programming, IMA J. of Management Mathematics, 20 (2009), 3, 233–249.
[17] Butkovič P., Hegedüs G., An elimination method for finding all solutions of the system of linear equations over an extremal algebra, Ekonom. Mat. Obzor 20, 203–214, (1984).
[18] Butkovič P., MacCaig M., On the integer max-linear programming problem, Discrete Applied Mathematics 162 (2014) 128–141.
[19] Butkovič P., Schneider H., Sergeev S., Z-matrix equations in max-algebra, nonnegative linear algebra and other semirings, Linear and Multilinear Algebra 2012, 1–20.
[20] Butkovič P., Zimmermann K., A strongly polynomial algorithm for solving two-sided systems in max-algebra, Discrete Math. Appl. 154, 437–446, (2006).
[21] Chang C., Algebraic analysis of many valued logics, Transactions of the American Mathematical Society, vol. 88, pp. 467–490, 1958.
[22] Cohen G., Gaubert S., Quadrat J., Duality and Separation Theorems in Idempotent Semimodules, INRIA, Rapport de recherche 4668, Dec. 2002.
[23] Cuninghame-Green R., Minimax algebra, v. 166 of Lecture Notes in Economics and Mathematical Systems, Springer-Verlag, Berlin, 1979.
[24] Cuninghame-Green R., Maxpolynomial equations, Fuzzy Sets and Systems 75 (1995) 179–187.
[25] Cuninghame-Green R., Butkovič P., The equation A⊗x = B⊗y over (max,+), Theoret. Comput. Sci. 293, 3–12, (2003).
[26] Cuninghame-Green R., Zimmermann K., Equation with residuated functions, Comment. Math. Univ. Carolinae, 2001, 42 (4), 729–740.
[27] Del Moral P., Doisy M., Maslov idempotent probability calculus I, Theory Probab. Appl. 43, 1998, 562–576.
[28] Del Moral P., Doisy M., Maslov idempotent probability calculus II, Theory Probab. Appl. 44, 1999, 319–332.
[29] Deshpande A., Max-Plus Representation for the Fundamental Solution of the Time-Varying Differential Riccati Equation, Automatica, 47(8), 1667–1676 (2011).
[30] Develin M., Santos F., Sturmfels B., On the rank of a tropical matrix, in "Discrete and Computational Geometry", vol. 52 of Math. Sci. Res. Inst. Publ., pp. 213–242, Cambridge Univ. Press, Cambridge, 2005.
[31] Dickenstein A., Feichtner E., Sturmfels B., Tropical discriminants, J. Amer. Math. Soc., 20(4), 2007, 1111–1133.
[32] Di Nola A., Gerla B., Algebras of Łukasiewicz's Logic and their Semiring Reducts, Idempotent Mathematics and Mathematical Physics, 131–144, Contemp. Math., 377, Amer. Math. Soc., 2005.
[33] Di Nola A., Russo C., Semiring and semimodule issues in MV-algebras, Comm. Alg. 41/3 (2013), 1017–1048.
[34] Durcheva M., Trendafilov I., Public Key Cryptosystem Based on Max-Semirings, AMEE 38th Int. Conf., AIP Conf. Proc. 1497 (2012), pp. 357–364.
[35] Durcheva M., Public Key Cryptography with max-plus matrices and polynomials, AMEE 39th Int. Conf., AIP Conf. Proc. 1570 (2013), pp. 491–498.
[36] Durcheva M., Public Key Cryptosystem Based on Two Sided Action of Different Exotic Semirings, J. of Math and System Science (2014) 4, pp. 6–13.
[37] Durcheva M., An application of different dioids in public key cryptography, AMEE 40th Int. Conf., AIP Conf. Proc. 1631 (2014), pp. 336–345.
[38] Durcheva M., Rachev M., A public key encryption scheme based on idempotent semirings, AMEE 41st Int. Conf., AIP Conf. Proc. 1690 (2015), 060008.
[39] Durcheva M., Ivanova M., Key Agreement Protocol For Distributed Secure Multicast For eAssessment, Int. Journal on Information Technologies & Security, No 1 (vol. 10), 2018, pp. 47–58.
[40] Eilenberg S., Automata, Languages, and Machines, vol. A, Academic Press, New York, 1974.
[41] Esteva S., Godo L., Monoidal t-norm based logic: towards a logic for left-continuous t-norms, Fuzzy Sets and Syst., v. 124, 3, pp. 271–288, 2001.
[42] Fleming W., Kaise H., Sheu Sh., Max-plus Stochastic Control and Risk-sensitivity, Applied Mathematics & Optimization 2010; 62:81–144.
[43] Gathmann A., Tropical algebraic geometry, Jahresbericht der Deutschen Mathematiker-Vereinigung 108 (2006) 3–32.
[44] Gathmann A., Kerber M., A Riemann-Roch theorem in tropical geometry, Math. Z. 259:1 (2008), 217–230.
[45] Gathmann A., Schmitz K., Winstel A., The realizability of curves in a tropical plane, e-print arXiv:1307.5686, 2014.
[46] Gaubert S., Théorie des systèmes linéaires dans les dioïdes, Thèse, École des Mines de Paris, July 1992.
[47] Gaubert S., Sergeev S., The Level Set Method for the Two-Sided Max-Plus Eigenproblem, Discrete Event Dynamic Systems, 2013, V. 23, Issue 2, pp. 105–134.
[48] Gavalec M., Computing orbit period in max-min algebra, Discrete Applied Mathematics, 100(1-2), 49–65, 2000.
[49] Gavalec M., Nemcova Z., Sergeev S., Tropical linear algebra with the Łukasiewicz T-norm, Fuzzy Sets and Systems, 276, 2015, 131–148.
[50] Gondran M., Minoux M., Graphs, Dioids and Semirings. New Models and Algorithms, Springer Science+Business Media, LLC, 2008.
[51] Gonçalves V., Maia C., Hardouin L., Weak dual residuations applied to tropical linear equations, Linear Algebra and its Applications, Vol. 445, 15 March 2014, pp. 69–84.
[52] Grigoriev D., Shpilrain V., Tropical cryptography, Max-Planck-Institut für Mathematik Preprint Series 11, 2011.
[53] Hajek P., Mathematics of Fuzzy Logic, Kluwer Academic, Dordrecht, The Netherlands, 1998.
[54] Hardouin L., Cottenceau B., Lhommeau M., Le Corronc E., Interval systems over idempotent semiring, Linear Algebra and its Applications (2009) 431 (5-7), 855–862.
[55] Heidergott B., Olsder G., van der Woude J., Max Plus at Work: Modeling and Analysis of Synchronized Systems. A Course on Max-Plus Algebra, Princeton University Press, Princeton, 2005.
[56] Hladky J., Kral D., Norine S., Rank of divisors on tropical curves, Journal of Combinatorial Theory, Series A, V. 120 (7), 2013, pp. 1521–1538.
[57] Höhle U., Commutative residuated monoid, in Non-Classical Logics and Their Applications to Fuzzy Subsets, pp. 53–106, Kluwer Academic, Dordrecht, The Netherlands, 1995.
[58] Itenberg I., Mikhalkin G., Shustin E., Tropical Algebraic Geometry, Oberwolfach Seminars, V. 35, Birkhäuser, Basel – Boston – Berlin, 2009.
[59] Izhakian Z., Tropical algebraic sets, ideals and an algebraic Nullstellensatz, International Journal of Algebra and Computation, 18(06):1067–1098, 2008.
[60] Izhakian Z., Knebusch M., Rowen L., Supertropical quadratic forms I, Journal of Pure and Applied Algebra, V. 220, Issue 1, 2016, 61–93.
[61] Izhakian Z., Knebusch M., Rowen L., Layered tropical mathematics, preprint arXiv:0912.1398, 2011.
[62] Izhakian Z., Knebusch M., Rowen L., Supertropical monoids: Basics, canonical factorization, and lifting ghosts to tangibles, preprint arXiv:1108.1880, 2011.
[63] Izhakian Z., Knebusch M., Rowen L., Categories of layered semirings, arXiv:1207.3488v1 [math.RA], 15 Jul 2012.
[64] Izhakian Z., Rhodes J., Steinberg B., Representation theory of finite semigroups over semirings, Journal of Algebra, 336, 2011, 139–157.
[65] Jipsen P., Tsinakis C., A survey of residuated lattices, in "Ordered Algebraic Structures" (J. Martinez, editor), Kluwer Academic Publishers, Dordrecht (2002), 19–56.
[66] Johnstone P., Stone Spaces, v.3 of Cambridge Studies in Advanced Mathematics, Cambridge University Press, Cambridge, Mass, USA, 1982.
[67] Karoui N., Meziou A., Max-plus decomposition of supermartingales and convex order. Applications to American options and portfolio insurance, The Annals of Probability 2008, Vol. 36, No. 2, 647–697.
[68] Katsov Y., Nam T. G., Zumbrägel J., On Simpleness of Semirings and Complete Semirings, arXiv:1105.5591v1 [math.RA], 27 May 2011.
[69] Katz R., Schneider H., Sergeev S., Commuting matrices in max-algebra (Preprint 2010/03), University of Birmingham, School of Mathematics.
[70] Klauck H., Algorithms for parity games, in Automata, Logics, and Infinite Games, v. 2500 of LNCS, 553–563, Springer, Berlin, 2002.
[71] Kleene S., Representation of events in nerve nets and finite automata, in Shannon & McCarthy (eds.): Automata Studies, Princeton Univ. Press, Princeton, 1956.
[72] Kolokoltsov V., Maslov V., Idempotent analysis and its applications, Dordrecht: Kluwer Academic Publishers, 1997.
[73] Krivulin N., Solution of Generalized Linear Vector Equations in Idempotent Algebra, Vestnik St. Petersb. Univ., Mathematics, v. 39, no. 1.
[74] Krivulin N., The Max-Plus Algebra Approach in Modelling of Queueing Networks, Proc. 1996 Summer Computer Simulation Conf., Portland, OR, July 21-25, SCS, 1996, 485–490.
[75] Li Y., Wang Q., Li Sh., On Quotients of Formal Power Series, Computing Research Repository, abs/1203.2236, 2012.
[76] Litvinov G., Dequantization of Mathematics, idempotent semirings and fuzzy sets, arXiv:1209.1718v1 [math.RA], 8 Sep 2012.
[77] Litvinov G., Idempotent and tropical mathematics. Complexity of algorithms and interval analysis, arXiv:1209.1721v1 [math.NA], 8 Sep 2012.
[78] Litvinov G., The Maslov dequantization, idempotent and tropical mathematics: a very brief introduction, J. of Math. Sciences, 140(3), 2007, 426–444.
[79] Litvinov G., Maslov V., Idempotent analysis and mathematical physics, in Contemp. Mathematics, V. 377, Int. Workshop, Feb 3-10, 2003, Schrödinger Int. Institute, Vienna, Austria, Amer. Math. Soc., Providence.
[80] Litvinov G., Maslov V., Rodionov A., Sobolevski A., Universal algorithms, mathematics of semirings and parallel computations, Lecture Notes in Computational Science and Engineering, 75, 2011.
[81] Litvinov G., Maslov V., Shpiz G., Idempotent functional analysis: an algebraic approach, Math. Notes, 69(5):696–729, 2001.
[82] Litvinov G., Rodionov A., Sergeev S., Sobolevski A., Universal algorithms for solving the matrix Bellman equations over semirings, Soft Computing 17 (2013), 1767–1785.
[83] Lopes G., Kersbergen B., van den Boom T., De Schutter B., Babuška R., On the eigenstructure of a class of max-plus linear systems, in 2011 50th IEEE Conference on Decision and Control and European Control Conference (CDC-ECC), Orlando, FL, USA, Dec 12–15, 2011.
[84] Lorenzo E., de la Puente M., An algorithm to describe the solution set of any tropical linear system Ax = Bx, Linear Algebra and its Applications, 435(4):884–901, 2011.
[85] Luttenberger M., Schlund M., An Extension of Parikh's Theorem beyond Idempotence, CoRR, abs/1112.2864, 2011.
[86] McEneaney W., Max-plus methods for nonlinear control and estimation, Systems & Control: Foundations & Applications, Birkhäuser, Boston, 2005.
[87] Marcolli M., Thorngren R., Thermodynamic semirings, Journal of Noncommutative Geometry, Vol. 8 (2014) N. 2, 337–392.
[88] Markwig H., Markwig Th., Shustin E., Tropical surface singularities, Discrete Comput. Geom., 48(4):879–914, 2012.
[89] Maslov V., New superposition principle for optimization problems, Sém. sur les Équations avec Dérivées Partielles 1985/6, Centre Mathématique de l'École Polytechnique, Palaiseau, 1986, esp. 24.
[90] Maslov V., Tropical Mathematics and the Financial Catastrophe of the 17th Century. Thermoeconomics of Russia in the Early 20th Century, Russian J. of Mathematical Physics, Vol. 17, No. 1, 2010, pp. 126–140.
[91] Maslov V., Sambourskiĭ S., Idempotent Analysis, Advances in Soviet Mathematics No 13, Amer. Math. Soc., Providence, R.I., 1992.
[92] Maslov V., Kolokolcov V., Idempotent Analysis and its application in optimal control, M., Fizmatlit, 1994 (in Russian).
[93] Merlet G., Law of Large Numbers for products of random matrices with coefficients in the max-plus semiring, 2006, hal-00085782.
[94] Mikhalkin G., Real algebraic curves, the moment map and amoebas, Ann. Math. (2) 151, 2000, 309–326.
[95] Mikhalkin G., Enumerative tropical algebraic geometry in R², J. Amer. Math. Soc., 18(2), 2005, 313–377.
[96] Mikhalkin G., Tropical geometry and its applications, in International Congress of Mathematicians, II, Eur. Math. Soc., Zürich, 2006, 827–852.
[97] Mikhalkin G., Zharkov I., Tropical eigenwave and intermediate jacobians, in Homological Mirror Symmetry and Tropical Geometry, v. 15 of Lec. Notes of the Unione Matematica Italiana, pp. 309–349, 2014.
[98] Mikhalkin G., Zharkov I., Tropical curves, their jacobians and theta functions, in Curves and abelian varieties, v. 465 of Contemp. Math., pp. 203–230, Amer. Math. Soc., Providence, RI, 2008.
[99] Pachter L., Sturmfels B., Tropical geometry of statistical models, Proc. Natl. Acad. Sci. USA 101 (46), 2004, 16132–16137.
[100] Pachter L., Sturmfels B. (editors), Algebraic statistics for computational biology, Cambridge University Press, New York, 2005.
[101] Passare M., Tsikh A., Amoebas: their spines and their contours, in Idempotent mathematics and mathematical physics, v. 377 of Contemp. Math., Amer. Math. Soc., Providence, RI, 2005, 275–288.
[102] Payne S., Fibers of tropicalization, Math. Z., 262 (2), 2009, 301–311.
[103] Petrov A., Semirings with conditions for idempotency, Chebishevskii Sbornik, v. 13, no 1, 2012 (in Russian).
[104] Purbhoo K., A Nullstellensatz for amoebas, Duke Math. J., 141(3), 2008, 407–445.
[105] Sergeev S., An application of the max-plus spectral theory to an ultradiscrete analogue of the Lax pair, arXiv:1112.3546v2 [math.RA], 6 Jun 2012.
[106] Sergeev S., Max-algebraic powers of irreducible matrices in the periodic regime: an application of cyclic classes, Linear Algebra and Its Applications, 431, 2009, 1325–1339.
[107] Sergeev S., Cyclic classes and attraction cones in max algebra (Preprint 2009/05), University of Birmingham, School of Mathematics.
[108] Sergeev S., Schneider H., CSR expansions of matrix powers in max-algebra (Preprint 2010/02), University of Birmingham, School of Mathematics.
[109] Sergeev S., Schneider H., Butkovič P., On visualization scaling, subeigenvectors and Kleene stars in max algebra, Linear Algebra and Its Applications, 431, 2009, 2395–2406.
[110] Sergeev S., Wagneur E., Basic solutions of systems with two max-linear inequalities, Linear Algebra and its Applications, V. 435, Issue 7, 1 October 2011, pp. 1758–1768.
[111] Shustin E., Patchworking singular algebraic curves, non-Archimedean amoebas and enumerative geometry, Israel J. Math. 151 (2006), 125–144.
[112] Shustin E., Izhakian Z., A tropical Nullstellensatz, Proc. Amer. Math. Soc. (2007), 3815–3821.
[113] Singer I., Some relations between linear mappings and conjugations in idempotent analysis, J. of Math. Sciences, 115(5):2610–2630, 2003.
[114] Simon I., Recognizable sets with multiplicities in the tropical semiring, in M. P. Chytil et al. (eds.): Mathematical Foundations for Computer Science, LNCS No 324, Springer-Verlag, Berlin, 1988.
[115] Theobald Th., Computing amoebas, Experiment. Math., 11(4), 2003, 513–526.
[116] Valverde-Albacete F., Pelaez-Moreno C., Further Galois Connections between Semimodules over Idempotent Semirings, in J. Diatta, P. Eklund (Eds.), Proc. of the 4th Conference on Concept Lattices and Applications (CLA 07), Montpellier, pp. 199–212.
[117] Vechtomov E., Petrov A., Multiplicatively Idempotent Semirings, Fundamentalnaya i prikladnaya matematika, vol. 18 (2013), no. 4, pp. 41–70 (in Russian).
[118] Vechtomov E., Petrov A., Some varieties of multiplicatively idempotent semirings, Modern Problems of Mathematics and its Applications, 45th Int. Youth School Conference, dedicated to the 75th anniv. of V. I. Berdysheva, Ekaterinburg, Feb 2-8, 2014 (in Russian).
[119] Viro O., Dequantization of real algebraic geometry on a logarithmic paper, in Proceedings of the 3rd European Congress of Mathematicians, Progress in Mathematics No 201, Birkhäuser Verlag, Basel, 2001.
[120] Viro O., Hyperfields for tropical geometry I. Hyperfields and dequantization, arXiv:1006.3034v2 [math.AG], 7 Sep 2010.
[121] Vorobyov N., Extremal algebra of positive matrices, Elektronische Informationsverarbeitung und Kybernetik, 1967, 3, no 1, pp. 39–72.
[122] Wagneur E., Truffet L., Faye F., Thiam M., Tropical cones defined by max-linear inequalities, in G. L. Litvinov, S. N. Sergeev (eds.), Tropical and Idempotent Mathematics, Proceedings Moscow 2007, American Mathematical Society, Contemp. Math. (2009).
[123] Walkup E., Borriello G., A general linear max-plus solution technique, in J. Gunawardena (ed.), Idempotency, Publications of the Newton Institute, Cambridge U. Press, 1998.
[124] Wang G., Non-Classical Mathematical Logic and Approximation Reasoning, Chinese Science Press, Beijing, China, 2000.
[125] Ward M., Dilworth R., Residuated lattices, Transactions of the American Mathematical Society, v. 45, no. 3, pp. 335–354, 1939.
[126] Zimmermann U., Linear and combinatorial optimization in ordered algebraic structures, Amsterdam: North-Holland, 1981.
CHAPTER FOUR
DISTRIBUTED MULTICAST KEY-EXCHANGE PROTOCOL BASED ON IDEMPOTENT SEMIRINGS
4.1 Definitions and Motivation to Study

Multicasting is defined as the ability to transmit a single stream to multiple subscribers at the same time (see [1]). The sender transmits one single copy of the message, and yet the networking infrastructure ensures that all subscribers receive the information. The sender and the receivers may or may not be on the same network. Multicasting is an efficient way to send data, since the message is sent once on each link in the network. Most often, multicast communication is applied for video conferencing, audio/video streaming, stock market quotes, distributed games, training systems, and also in pay-per-view systems. In addition, multicasting is important for online testing, so researchers are looking for methods and algorithms to ensure secure communication. Difficulties in ensuring security in this case arise from the fact that the sender may even be someone outside the group, and also that the data received cannot be customized. In online testing, some multicasting security issues are associated with (see [10]): correct authentication (correct identification of the group members, teachers and learners); ensuring access control to the group (deciding who can be a member of this group and who can send data to the group members); correct key management (for ensuring data integrity and confidentiality); and fingerprinting (customization and individualization of the data transmitted to the receivers). Multicast security protocols are focused on the problem of key management. The goal of key management is to securely distribute the group key to the group members, who can then use it to encrypt or decrypt multicast data. Such protocols have to cope with the number of key messages that are exchanged as the group size grows. Multicast key-exchange schemes can be divided into three different types: centralized, decentralized, and distributed (see [18]). A centralized
group key-exchange scheme needs a key server (KS) to generate and distribute a shared key to all group members (peers) via a secure channel. In the case of a decentralized key-exchange scheme, the whole group is divided into subgroups. Each subgroup is controlled by one or several KSs. The distributed key-exchange scheme enables each member to collaborate in generating a common shared key. Each of the schemes described has its own advantages and disadvantages. For example, a centralized scheme is simple, but there is a risk of single-point failure; in a decentralized scheme, a number of difficulties can arise in the communication between two members within different subgroups; a distributed scheme is more complex than the others, but the advantage is that it does not need a key server, which is very useful, especially in the case when no one can play the role of a key server. Generally speaking, in key-exchange schemes each user has public information, called a static public key (SPK), and corresponding secret information, called a static secret key (SSK) (for more details, see [26]). The SPK is also expected to be certified with a user's ID through an infrastructure known as a public key infrastructure (PKI). A peer that wants to share a session key with other peers exchanges via the server ephemeral public keys (EPKs), which are generated for the corresponding session from specific randomness called ephemeral secret keys (ESKs). Distributed key-exchange schemes can be divided into two groups: group key-exchange schemes and multicast key-distribution schemes.
• Group key-exchange (GKE) schemes. The first provably secure GKE protocol is due to Bresson et al. [4]; it is not dynamic (this means that each group member is fixed before the start of the sessions). Almost at the same time, the first dynamic GKE protocols ([2], [3]), which required a linear number of rounds, also appeared. After that, several constant-round dynamic GKE protocols were suggested ([9], [14], [25]). As is known (see, for example, [26]), the GKE protocols are considered under the mesh topology; therefore, the costs for the users depend on their number.
• Multicast key-distribution (MKD) schemes. The main application of MKD schemes is considered to be mobile ad-hoc networks (MANET). That is why most MKD protocols use the tree topology. The advantage of tree-based MKD is that the total communication complexity is reduced to $O(\log n)$ (see [26]).
In the past three decades, different multicast key-exchange schemes have been proposed [5], [12], [21]. On the one hand, MKD protocols
based on logical key hierarchies are well studied (see [6], [7], [20], [24]). On the other hand, with regard to MKD based on the star topology, there are few research papers ([15], [17], [19], [23]). Moreover, the communication complexity for users still depends on the number of users. Another model for MKD protocols, in which there is an opportunity for the common session key shared by users to be known by the server, is given in [17]. Zhang et al. in [27] introduced the layered degree-constrained overlay multicast (LDCOM) protocol, which is applied to resolve conflicts in the case of dynamic interaction and live streaming, as well as to guarantee a maximum delay for the shared interaction. The protocol is used in the implementation of a live learning system that provides synchronous collaborative interactions. The experiment shows that the prototype, created using the LDCOM method, has the ability to support one-way live streaming at large scale and two-way interactions between the participants and the tutor, and also guarantees the delay. Granda et al. demonstrated the networking technique of delivering multimedia data in real time using IP multicast (see [11]). This technique is used in the development of multimedia applications for e-learning, where synchronous communication should connect employees from different multinational corporations located in different geographical places. The results confirm the efficiency of this technique compared to the delivery of unicast data. Kiah and Martin in [13] suggested a host protocol for a safe movement of group members from one area to another, as well as for their return to visited places, in a wireless mobile environment. This protocol is relevant in the case of group communication at multimedia conferencing and in a virtual classroom, for example in applications with multicast functionality. To effectively manage the movement of members, the protocol includes a mechanism "Mob-List" in which all movements are registered.
Among other things, secure communication protocols based on peer-to-peer or other types of ad-hoc networking are particularly helpful in critical infrastructure and in emergency situations, as they can provide better coverage, sustainability, connectivity, security, anonymity and data privacy in such complex environments.
4.2 Distributed Secure Multicast Protocol

The idea of an extension of the Diffie-Hellman key exchange protocol for multicasting is due to Steiner et al. (see [21]). In this paper, the authors
Distributed Multicast Key-Exchange Protocol Based on Idempotent Semirings
99
suggested two protocols; one of them, called CLIQUES, is used by the same authors in [22] for rekeying in dynamic peer groups. Later this idea was also used by other authors. For example, Climent et al. in [8] employed a noncommutative unitary ring of matrices for building their multicast protocol. Here we use idempotent semirings to construct our multicast protocol, as in [10]. The notation will be the same as in Chapter Three. Let us denote the users (peers) by $P_1, P_2, \ldots, P_l$. They agree on the set $S$ and the dual semifields $D = (S, \oplus, \otimes)$ and $D^d = (S, \oplus^d, \otimes^d)$, each with a least and a largest element (denoted as in Chapter Three). Let the matrix semirings defined over $S$, $D$ and $D^d$ be respectively $M_{n\times n}(D)$, $M_{n\times n}(D^d)$ and $M_{n\times n}(S)$. If we consider the matrices $M \in M_{n\times n}(D)$, $N \in M_{n\times n}(D^d)$, $X \in M_{n\times n}(S)$, and two polynomials of matrices $f(x)$ and $g(x)$ over the dual semifields $D$ and $D^d$, the equality

$$f_i(M) \otimes f_j(M) \otimes X \otimes g_j(N) \otimes g_i(N) = f_j(M) \otimes f_i(M) \otimes X \otimes g_i(N) \otimes g_j(N) \qquad (1)$$
always holds. This property enables us to construct the following protocol. At the beginning of the protocol, the peers select three matrices $M \in M_{n\times n}(D)$, $N \in M_{n\times n}(D^d)$, $X \in M_{n\times n}(S)$, and these matrices become publicly available. Each peer $P_i$, $i = 1, 2, \ldots, l$, chooses two polynomials $f_i(x)$ with coefficients from $D$ and $g_i(x)$ with coefficients from $D^d$. The pair of polynomials $(f_i(x), g_i(x))$ is the private key of the peer $P_i$.

1. Peer $P_1$ computes its public key $K_1 = f_1(M) \otimes X \otimes g_1(N)$ and transmits $K_1$ to peer $P_2$.

2. Peer $P_2$ computes its public keys $K_{2,1} = f_2(M) \otimes X \otimes g_2(N)$ and $K_{2,2} = f_2(M) \otimes K_1 \otimes g_2(N)$, and transmits $(K_1, K_{2,1}, K_{2,2})$ to peer $P_3$.

3. Peer $P_3$ computes its public keys $K_{3,1} = f_3(M) \otimes K_1 \otimes g_3(N)$, $K_{3,2} = f_3(M) \otimes K_{2,1} \otimes g_3(N)$, $K_{3,3} = f_3(M) \otimes K_{2,2} \otimes g_3(N)$, and transmits $(K_{2,2}, K_{3,1}, K_{3,2}, K_{3,3})$ to peer $P_4$.
100
Chapter Four
...

i. Peer $P_i$ computes its public keys $K_{i,1} = f_i(M) \otimes K_{i-2,i-2} \otimes g_i(N)$, $K_{i,2} = f_i(M) \otimes K_{i-1,1} \otimes g_i(N)$, …, $K_{i,i} = f_i(M) \otimes K_{i-1,i-1} \otimes g_i(N)$, and transmits $(K_{i-1,i-1}, K_{i,1}, K_{i,2}, \ldots, K_{i,i-1}, K_{i,i})$ to the peer $P_{i+1}$.

...

l. The last peer $P_l$ computes its public keys $K_{l,1} = f_l(M) \otimes K_{l-2,l-2} \otimes g_l(N)$, $K_{l,2} = f_l(M) \otimes K_{l-1,1} \otimes g_l(N)$, …, $K_{l,l} = f_l(M) \otimes K_{l-1,l-1} \otimes g_l(N)$, and transmits to the peers $P_1, P_2, \ldots, P_{l-1}$ the keys $(K_{l,1}, K_{l,2}, \ldots, K_{l,l-1})$.

By the end of the protocol, every peer obtains a secret key $A_i = f_i(M) \otimes K_{l,l-i} \otimes g_i(N)$ for $i = 1, 2, \ldots, l-1$. For the last peer $P_l$, the secret key is $A_l = K_{l,l}$.

Theorem 1. [10] By the end of the protocol, all peers (all members of the group) obtain the same secret key $A_1 = A_2 = \cdots = A_l$.

Proof. Peer $P_l$ computes
$$A_l = f_l(M) \otimes K_{l-1,l-1} \otimes g_l(N) = \cdots = f_l(M) \otimes f_{l-1}(M) \otimes \cdots \otimes f_1(M) \otimes X \otimes g_1(N) \otimes \cdots \otimes g_{l-1}(N) \otimes g_l(N).$$
Peer $P_{l-1}$ computes
$$A_{l-1} = f_{l-1}(M) \otimes K_{l,1} \otimes g_{l-1}(N) = f_{l-1}(M) \otimes f_l(M) \otimes K_{l-2,l-2} \otimes g_l(N) \otimes g_{l-1}(N) = \cdots = f_{l-1}(M) \otimes f_l(M) \otimes f_{l-2}(M) \otimes \cdots \otimes f_1(M) \otimes X \otimes g_1(N) \otimes \cdots \otimes g_{l-2}(N) \otimes g_l(N) \otimes g_{l-1}(N),$$
…, and peer $P_1$ computes
$$A_1 = f_1(M) \otimes K_{l,l-1} \otimes g_1(N) = \cdots = f_1(M) \otimes f_l(M) \otimes K_{l-1,l-2} \otimes g_l(N) \otimes g_1(N) = \cdots = f_1(M) \otimes f_l(M) \otimes f_{l-1}(M) \otimes f_{l-2}(M) \otimes \cdots \otimes f_2(M) \otimes X \otimes g_2(N) \otimes \cdots \otimes g_{l-2}(N) \otimes g_{l-1}(N) \otimes g_l(N) \otimes g_1(N).$$
From equality (1) it follows that $A_1 = A_2 = \cdots = A_l$. We note that this protocol can be extended to allow a new peer to join or a peer to leave. In both cases, rekeying is needed in order to preserve secrecy. The basis of this protocol is the protocol described in Section 3.3. Therefore, the security of the protocol of Section 4.2 is based on the difficulty of the Two dual dioids action problem from Section 3.3. As has already been shown, this problem can be considered as a two-sided linear equation in which the two matrices involved are defined over two dual idempotent semirings. A polynomial-time algorithm for finding a general solution to this equation has not yet been obtained. This gives us reason to believe that the proposed protocol has a satisfactory level of security. We consider that the presented protocol can be adapted for use in a real educational process, as well as for e-assessment, as proposed in [10].
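The chained key derivation above, as an added example that is not the book's or [10]'s own code: it runs the $K_{i,j}$ bookkeeping of steps 1 to $l$ and the final $A_i$ computation for a constructed group of peers, and checks that every peer ends with the same key. To keep the example self-contained it assumes one idempotent matrix semiring, max-plus ($\oplus = \max$, $\otimes = +$), for both the $f$- and the $g$-polynomials instead of the pair of dual semifields $D$, $D^d$ used in the text; in that setting polynomials in the same matrix commute, so property (1) holds and Theorem 1 applies. Matrix size, peer count, coefficient ranges and the random seed are constructed values.

```python
import random

NEG_INF = float("-inf")


def mp_mul(A, B):
    """Max-plus matrix product: (A ⊗ B)[i][j] = max_k (A[i][k] + B[k][j])."""
    n = len(A)
    return [[max(A[i][k] + B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mp_add(A, B):
    """Max-plus matrix sum: entrywise max."""
    return [[max(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]


def mp_identity(n):
    """Unit of the max-plus matrix semiring: 0 on the diagonal, -inf elsewhere."""
    return [[0 if i == j else NEG_INF for j in range(n)] for i in range(n)]


def mp_poly(coeffs, M):
    """Evaluate f(M) = ⊕_t c_t ⊗ M^{⊗t} over max-plus (c_t ⊗ M^t adds c_t to every entry)."""
    n = len(M)
    result = [[NEG_INF] * n for _ in range(n)]
    power = mp_identity(n)
    for c in coeffs:
        result = mp_add(result, [[c + x for x in row] for row in power])
        power = mp_mul(power, M)
    return result


def multicast_key_exchange(M, N, X, private_keys):
    """Run the chained key derivation of Section 4.2 for l = len(private_keys) peers.

    private_keys[i] = (f_coeffs, g_coeffs) is the private key of peer P_{i+1}.
    Returns the list [A_1, ..., A_l] of the secret keys the peers derive.
    K[i][j] stores the book's K_{i+1, j+1} (0-based storage of 1-based indices)."""
    l = len(private_keys)
    FM = [mp_poly(f, M) for f, _ in private_keys]   # f_i(M)
    GN = [mp_poly(g, N) for _, g in private_keys]   # g_i(N)

    def wrap(i, Y):
        # f_i(M) ⊗ Y ⊗ g_i(N): what peer P_{i+1} applies to every value it handles
        return mp_mul(mp_mul(FM[i], Y), GN[i])

    K = [[wrap(0, X)]]                              # K_1 = f_1(M) ⊗ X ⊗ g_1(N)
    for i in range(1, l):
        # K_{i,1} = f_i ⊗ K_{i-2,i-2} ⊗ g_i (for P_2 the value two steps back is X itself)
        base = X if i == 1 else K[i - 2][i - 2]
        row = [wrap(i, base)]
        # K_{i,j} = f_i ⊗ K_{i-1,j-1} ⊗ g_i for j = 2..i
        row += [wrap(i, K[i - 1][j - 1]) for j in range(1, i + 1)]
        K.append(row)

    # Peer P_i (i < l) finishes with A_i = f_i ⊗ K_{l,l-i} ⊗ g_i; P_l takes A_l = K_{l,l}.
    keys = [wrap(i, K[l - 1][l - 2 - i]) for i in range(l - 1)]
    keys.append(K[l - 1][l - 1])
    return keys


def demo(n=3, peers=4, seed=7):
    """Constructed sample run: random public matrices and random private polynomials.
    Returns the list of secret keys derived by the peers."""
    rng = random.Random(seed)

    def rand_matrix():
        return [[rng.randint(0, 9) for _ in range(n)] for _ in range(n)]

    M, N, X = rand_matrix(), rand_matrix(), rand_matrix()
    private_keys = [([rng.randint(0, 9) for _ in range(3)],
                     [rng.randint(0, 9) for _ in range(3)]) for _ in range(peers)]
    return multicast_key_exchange(M, N, X, private_keys)


def all_equal(keys):
    return all(k == keys[0] for k in keys)


if __name__ == "__main__":
    keys = demo()
    print("all peers agree:", all_equal(keys))
    print("shared key:", keys[0])
```

The transcript an observer sees is exactly the tuples forwarded in the steps above (every $K_{i,j}$ but never a private polynomial); the example checks only the agreement property of Theorem 1, not the hardness of recovering the key from that transcript.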
BIBLIOGRAPHY TO CHAPTER FOUR
[1] Björner A., Topological methods, Ch. 34 in Handbook of Combinatorics, edited by R. Graham, M. Grötschel and L. Lovász, 1995.
[2] Bruns W., Herzog J., Cohen–Macaulay rings, Cambridge University Press, 1998.
[3] Desbrun M., Hirani A., Leok M., Marsden J., Discrete Exterior Calculus, arXiv:math/0508341v2 [math.DG], 18 Aug 2005.
[4] Durcheva M., Trendafilov I., Rachev M., Public key cryptosystem based on endomorphism semirings of a finite chain, AIP Conference Proceedings 1631, 330 (2014).
[5] Ferrario D., Piccinini R., Simplicial Structures in Topology, Springer, New York, USA, 2011.
[6] Hatcher A., Algebraic Topology, Cambridge University Press, 2002.
[7] Kim K., Roush F., Markowsky G., Representation of inclines, Algebra Colloquium 4:4, 1997, 461–470.
[8] Kozlov D., Combinatorial Algebraic Topology, Springer-Verlag, Berlin, Heidelberg, 2008.
[9] Moore E. H., A definition of abstract groups, Trans. Amer. Math. Soc. 3, 1902, 485–492.
[10] Munkres J., Elements of Algebraic Topology, Perseus, Cambridge, Massachusetts, 1984.
[11] Trendafilov I., Simplices in the Endomorphism Semiring of a Finite Chain, Algebra, vol. 2014, Article ID 263605, 2014. doi:10.1155/2014/263605
[12] Trendafilov I., Vladeva D., Idempotent Elements of the Endomorphism Semiring of a Finite Chain, Comptes rendus de l'Académie bulgare des Sciences, T. 66, No 5, 2013, pp. 621–628.
[13] Trendafilov I., Vladeva D., The Endomorphism Semiring of a Finite Chain, Proceedings of the Technical University of Sofia, vol. 61, no. 1, 2011, 9–18.
[14] Trendafilov I., Vladeva D. (2013), Nilpotent Elements of the Endomorphism Semiring of a Finite Chain and Catalan Numbers, Proc. of the 42nd Spring Conf. of the Union of Bulgarian Mathematicians, Borovetz, April 2–6, 2013, 265–271.
[15] Trendafilov I., Vladeva D. (2013), Idempotent Elements of the Endomorphism Semiring of a Finite Chain, ISRN Algebra, Volume 2013, Article ID 120231, 1–9.
[16] Wachs M. (2006), Poset Topology: Tools and Applications, IAS/Park City Mathematics Series, Vol. 00, 2004.
CHAPTER FIVE
ENDOMORPHISM SEMIRINGS AND CERTAIN CRYPTOGRAPHIC PROTOCOLS BASED ON THEM
5.1 Endomorphism Semirings

We defined the term semiring by using the definition proposed by Hari Vandiver and also by Udo Hebisch and Hanns Joachim Weinert. The notions of ideal of a ring can also be generalized for semirings. Let $R$ be a semiring. A non-empty subset $I \subseteq R$ is called:
• a left ideal if $I + I \subseteq I$ and $R \cdot I \subseteq I$;
• a right ideal if $I + I \subseteq I$ and $I \cdot R \subseteq I$;
• an ideal if it is both a left ideal and a right ideal;
• a bi-ideal if it is an ideal and $R + I \subseteq I$.
An ideal $I$ is called proper if $I \neq R$. A semiring which has no proper ideals is called simple (ideal-simple). Let $R$ be a semiring and $\equiv$ be an equivalence relation on it. The relation is called a congruence if the following condition is satisfied: $x \equiv y \Rightarrow x + a \equiv y + a,\ x \cdot a \equiv y \cdot a,\ a \cdot x \equiv a \cdot y$ for all $a \in R$. Each semiring has at least two congruences:
• the equality relation $\equiv\ = \mathrm{id}_R$, defined as $x \equiv y \Leftrightarrow x = y$;
• the total relation $\equiv\ = R \times R$, defined as $x \equiv y$ for all $x, y \in R$.
These two relations are called trivial congruences. A semiring is called congruence-simple if it has only trivial congruences. Let $L$ be a semilattice (join semilattice), i.e. an algebra with a binary operation $\vee$ such that:
• $a \vee (b \vee c) = (a \vee b) \vee c$ for all $a, b, c \in L$;
• $a \vee b = b \vee a$ for all $a, b \in L$;
• $a \vee a = a$ for all $a \in L$.
Another term used in the literature for the semilattice $L$ is a commutative idempotent semigroup. For any $a, b \in L$ we denote $a \le b \Leftrightarrow a \vee b = b$. In this notation, if there is a neutral element in $L$, it is the least element. A mapping $f : L \to L$ is called an endomorphism of the semilattice $L$ if for all $x, y \in L$ the following equality holds: $f(x \vee y) = f(x) \vee f(y)$. For an arbitrary semilattice $L$, the set $E_L$ of endomorphisms of $L$ is a semiring with addition and multiplication defined in the following way: $h = f + g$ if $h(x) = f(x) \vee g(x)$ for all $x \in L$; $h = f \cdot g$ if $h(x) = f(g(x))$ for all $x \in L$. This semiring is called the endomorphism semiring of the semilattice $L$. The connection between the additively idempotent semirings and the endomorphism semirings of a finite semilattice (lattice) is given by the following theorem.

Theorem. [7] Any finite additively idempotent semiring can be embedded into the endomorphism semiring of a finite lattice.

Further, to construct the cryptosystems below, we will use only the endomorphism semiring $E_n$ of the finite lattice with $n$ elements $\mathcal{C}_n = \{0, \ldots, n-1\}$. The endomorphisms from the semiring $E_n$ for which $k \in \mathcal{C}_n$ is a fixed element form a subsemiring of the semiring $E_n$, which is denoted by $E_n^{(k)}$. Let $\alpha \in E_n$ be such that $\alpha(k) = i_k$ for all $k \in \mathcal{C}_n$. Then we denote $\alpha = (i_0, \ldots, i_{n-1})$. For $k \in \mathcal{C}_n$, each of the semirings $E_n$ and $E_n^{(k)}$ thus defined has a unit, which is the identity $i = (0, 1, \ldots, n-1)$. This means that the identity $i$ turns out to be the only invertible element of the semiring $E_n$ (see Theorem 3.5, [13]). The only semiring of type $E_n^{(k)}$ with a zero is the semiring $E_n^{(0)}$. The zero of this semiring is the endomorphism $\bar{0} = (0, \ldots, 0)$.
106
Chapter Five
Endomorphisms of the type $\bar{k} = (k, \ldots, k)$, $k \in \mathcal{C}_n$, are called constant endomorphisms. They form an ideal of the semiring $E_n^{(0)}$. It is known (see, for example, [9]) that all elements of a finite semigroup are either idempotents or roots of idempotents. We will be interested in the roots of constant endomorphisms. For every constant endomorphism $\bar{k} = (k, \ldots, k)$, $k \in \mathcal{C}_n$, the elements of the set
$$\{\alpha \mid \alpha \in E_n,\ \alpha^{n_k} = \bar{k} \text{ for some natural } n_k\}$$
are called $k$-nilpotent endomorphisms. For all natural $n$ ($n \ge 2$) and integer $k \in \{0, \ldots, n-1\}$, the set of $k$-nilpotent endomorphisms is a subsemiring of the semiring $E_n$. An important result that can be observed is that the order of this subsemiring is
$$C_k \cdot C_{n-k-1},$$
where $C_k$ is the $k$-th Catalan number (see [14]).

Theorem. [15] The subset of the semiring $E_n$ ($n \ge 3$) consisting of all idempotents with $s$ fixed points $k_1, k_2, \ldots, k_s$, where $k_1 < k_2 < \cdots < k_s$ and $1 \le s \le n-1$, is a semiring of order
$$\prod_{m=1}^{s-1} (k_{m+1} - k_m).$$

From a cryptographic point of view, it is especially important to find the partition of the set of idempotent endomorphisms. Letting $G$ be a finite multiplicative semigroup, we can define the following equivalence relation: for every two elements $x, y \in G$,
$$x \sim y \Leftrightarrow \exists\, l, m \in \mathbb{N}:\ x^l = y^m = e,$$
where $e$ is an idempotent element of $G$. It is clear that every two different idempotent endomorphisms belong to different equivalence classes with respect to the relation $\sim$. For any idempotent $e$, the elements of the equivalence class containing $e$ are called the roots of the idempotent $e$. In this case, we will be interested in the partition of the roots of an arbitrary idempotent when the selected multiplicative semigroup is $(E_n, \cdot)$.
This issue is solved in [15] in the following way: for each endomorphism a jump point is defined, i.e. a point at which the endomorphism changes its value by more than 1. The endomorphism $\alpha$ with fixed points $k_{1,1}, \ldots, k_{i,m_i}$ and jump points $j_{i,t_i}$ is called an endomorphism of the type
$$[k_{1,1}, \ldots, k_{1,m_1},\ j_{1,t_1},\ k_{2,1}, \ldots,\ k_{i-1,1}, \ldots, k_{i-1,m_{i-1}},\ j_{i-1,t_{i-1}},\ k_{i,1}, \ldots, k_{i,m_i}]. \qquad (1)$$

Theorem. [15] Each equivalence class under the relation $\sim$ consisting of endomorphisms of type (1) is a subsemiring of $E_n$, where $n \ge 2$. The order of this semiring is
$$C_{k_{1,1}} \cdot \prod_{i \ge 1} C_{t_i}\, C_{s_i} \cdot C_{n-1-k_{i,m_i}},$$
where $C_k$ is the $k$-th Catalan number.
5.2 Simplices and Simplicial Complexes

Simplices and simplicial complexes are the subjects of the subfield of algebraic topology called "simplicial homology". There are many ways to represent a topological space, one being by a set of simplices that are glued to each other in a specific way. This set can easily grow, but all its elements are relatively simple. Points, line segments, triangles and tetrahedrons are examples of low-dimensional simplices. A $k$-simplex is a geometric object with $k+1$ vertices in a $k$-dimensional space. The vertices of the simplex "generate" the simplex through a simple geometric construction. One vertex generates a point, two vertices generate a line segment (by connecting the two points), three vertices generate a triangle (by connecting each pair of points with segments and filling the space in between), and so on. Combinations of points are used to define simplices of higher dimension. The term vertex is used for a 0-simplex, an edge for a 1-simplex, a triangle for a 2-simplex, and a tetrahedron for a 3-simplex. In this section we use some ideas from [1]–[3], [5], [6], [8], [10], and [16]. Let $S = \{p_0, p_1, \ldots, p_k\}$ be a set of points in the $d$-dimensional Euclidean space $\mathbb{R}^d$. A point
$$x = \sum_{i=0}^{k} \lambda_i p_i$$
is called an affine combination of the points $p_i$, where $\sum_{i=0}^{k} \lambda_i = 1$. An affine hull is the set of affine combinations. An affine hull is a $k$-plane if the $k+1$ points of $S$ are affinely independent, which means that no point is an affine combination of the other points in $S$. The affine combination $x = \sum_i \lambda_i p_i$ is a convex combination if all $\lambda_i$ are nonnegative. A convex hull is the set of convex combinations. Then a $k$-simplex is the convex hull of $k+1$ affinely independent points, $\sigma = \mathrm{conv}\{p_0, p_1, \ldots, p_k\}$. This simplex has dimension $\dim \sigma = k$. Each subset of a set of affinely independent points is also affinely independent and thus also defines a simplex. A face $\tau$ of a simplex $\sigma$ is the convex hull of a non-empty subset of the set $S = \{p_0, p_1, \ldots, p_k\}$. It follows that $\tau \le \sigma$, and if $\dim \tau = l$, then $\tau$ is called an $l$-face. The number of $l$-faces of $\sigma$ is equal to the number of ways we can choose $l+1$ points from $k+1$, i.e. $\binom{k+1}{l+1}$. Therefore, the total number of faces is
$$\sum_{l=0}^{k} \binom{k+1}{l+1} = 2^{k+1} - 1.$$

Definition. A simplicial complex $K$ is a collection of simplices such that: (1) if $\sigma \in K$ and $\tau \le \sigma$, then $\tau \in K$, i.e. if $K$ contains a simplex $\sigma$, then $K$ also contains every face of $\sigma$; (2) from $\sigma, \sigma_0 \in K$ it follows that the intersection $\sigma \cap \sigma_0$ is either empty or a common face of both simplices. The dimension of a simplicial complex $K$ is the maximal dimension of any of its simplices. Note that the concept of a simplicial complex can also be defined in an abstract way: for a finite set $V = \{v_1, \ldots, v_n\}$, the simplicial complex $A$ over $V$ is a collection of subsets of $V$ for which the following two conditions are met: 1. $\{v_i\} \in A$, where $i = 1, \ldots, n$; 2. if $\sigma \in A$ and $\tau \subseteq \sigma$, then $\tau \in A$.
The elements $v_i$, $i = 1, \ldots, n$, are called vertices of $A$. The elements of $A$ are called faces of the simplicial complex. If $\sigma \in A$ is a face and $k$ is the number of its elements, then the dimension of $\sigma$ is $\dim \sigma = k-1$. The dimension of the simplicial complex $A$ is $\dim A = \max(\dim \sigma)$ for $\sigma \in A$. The empty set has dimension $-1$. The vertices of $A$ have dimension 0. Faces of dimension 1 are called edges. A simplicial complex whose dimension is equal to $l$ is called an $l$-simplicial complex. Let $\{\sigma_1, \ldots, \sigma_l\}$ be an arbitrary collection of subsets of the set $V$; then there exists a unique smallest simplicial complex containing all faces $\sigma_j$ ($j = 1, \ldots, l$), denoted by $\langle \sigma_1, \ldots, \sigma_l \rangle$. The simplicial complex $\langle \sigma_1, \ldots, \sigma_l \rangle$ is generated by the faces $\{\sigma_1, \ldots, \sigma_l\}$. It includes all the subsets $\delta \subseteq V$ which are contained in some face $\sigma_j$, $j = 1, \ldots, l$. A simplicial complex generated by a single face is called a simplex. A simplicial complex is pure if all its maximal simplices have the same dimension, or, in other words, a $d$-simplicial complex is pure if any face is contained in a face of dimension $d$. Let the vertex set $M_A$ be the union of all simplices of $A$, i.e. $M_A = \bigcup_{\sigma \in A} \sigma$, and let us consider a simplex $B$. The two simplices are isomorphic if there is a bijection $\varphi : M_A \to M_B$ such that $\sigma \in A \Leftrightarrow \varphi(\sigma) \in B$. The largest simplicial complex with a vertex set of size $n$ has power $2^n - 1$. If a (geometric) simplicial complex $K$ is given, we can construct an abstract complex $A$ by ignoring all the simplices and leaving only their sets of vertices. Then $A$ is a set of the vertices of $K$, and $K$ is a geometric realization of $A$, as well as of any abstract simplicial complex isomorphic to $A$. We will briefly consider simplicial transformations. Let $K$ be a simplicial complex with vertices $u_0, u_1, \ldots, u_n$. Each point $x \in K$ belongs to the interior of exactly one simplex of $K$. Let $\sigma = \mathrm{conv}\{u_0, u_1, \ldots, u_k\}$ be such a simplex. Hence
$$x = \sum_{i=0}^{k} \lambda_i u_i, \quad \text{where } \sum_{i=0}^{k} \lambda_i = 1 \text{ and } \lambda_i > 0.$$
We set $b_i(x) = \lambda_i$ for $0 \le i \le k$ and $b_i(x) = 0$ for $k+1 \le i \le n$, and thus we get
$$x = \sum_{i=0}^{n} b_i(x)\, u_i.$$
Here the coefficients $b_i(x)$ are called barycentric coordinates of $x$ in $K$. Consider the following mapping: a function $\varphi : M_K \to M_L$ ($M_K$ and $M_L$ are the vertex sets of the simplicial complexes $K$ and $L$, respectively) with the property that the vertices of each simplex in $K$ map to vertices of a simplex in $L$ is called a vertex map. Using the vertex map, one can also construct a simplicial transformation $f$ generated by $\varphi$ in the following way: $f : K \to L$, so that
$$f(x) = \sum_{i=0}^{n} b_i(x)\, \varphi(u_i).$$
If the vertex map $\varphi : M_K \to M_L$ is bijective and $\varphi^{-1} : M_L \to M_K$ is also a vertex map, then the generated simplicial transformation $f$ is a homeomorphism; $f$ is called a simplicial homeomorphism or an isomorphism between $K$ and $L$. An important class of simplicial complexes can be constructed from finite sets $Q$ on which a partial order $\le$ is defined. A subset $C$ of $Q$ is called a chain if every two elements of $C$ are comparable. The oriented simplex $A(Q)$ of a partially ordered set $Q$ is the set of chains of $Q$. Then $A(Q)$ is a simplicial complex, called an o-simplicial complex. To each simplicial complex $A$ corresponds a partially ordered set $Q(A)$, which is the set consisting of the nonempty faces of the simplicial complex $A$, ordered by inclusion. If $A$ is a simplicial complex, $Q(A)$ is the partially ordered set of its faces, and we construct the o-simplicial complex $A(Q(A))$, then the resulting complex is called the barycentric subdivision. For a partially ordered set $Q$, a chain $C$ of elements of $Q$ such that $a_1 < a_2 < \cdots < a_{l+1}$ is called an $l$-chain (the integer $l$ indicates the length of the chain).
A chain $C$ is said to be maximal if it is maximal with respect to inclusion. In this case, the set $M(Q)$ of maximal chains of $Q$ is actually the set of the maximal faces of the o-simplicial complex $A(Q)$. For some purposes it is important to know the order of the vertices of a simplex, so by an $n$-simplex we mean an $n$-simplex whose vertices are ordered. The ordering of the vertices determines a canonical linear homeomorphism from the standard $n$-simplex $K$ to any other $n$-simplex $[p_0, p_1, \ldots, p_n]$ that preserves the order of vertices, namely
$$(u_0, \ldots, u_n) \mapsto \sum_i u_i p_i.$$
The coefficients $u_i$ are the barycentric coordinates of the point $\sum_i u_i p_i$ in $[p_0, p_1, \ldots, p_n]$. If one of the $n+1$ vertices of the $n$-simplex $[p_0, p_1, \ldots, p_n]$ is deleted, then the remaining $n$ vertices span an $(n-1)$-simplex, called a face of $[p_0, p_1, \ldots, p_n]$. An orientation can be added to each simplicial complex. This helps us to define some important terms. Let an $n$-simplex $\sigma$ have a fixed orientation, i.e. the order of its vertices is fixed. Then the simplex is said to be oriented.

Definition. An oriented simplicial complex is a simplicial complex in which all of its chains are oriented. If the simplicial complex $K$ has oriented subsimplices, then it is an oriented simplicial complex.

Definition. A boundary operator $\partial$ is an operator that acts on the oriented $K_n$-simplex as follows:
$$\partial [p_0, p_1, \ldots, p_n] = \sum_{i=0}^{n} (-1)^i [p_0, \ldots, \hat{p}_i, \ldots, p_n], \qquad \partial [p_i] = 0.$$
Here the notation $\hat{p}_i$ means that we take $p_i$ out of the simplex. In fact, we go through the $(n-1)$-simplices (the $i$-th entry is taken out), which have alternating signs. Another approach is for the boundary of the oriented $n$-simplex $[p_0, p_1, \ldots, p_n]$ to be considered as the $(n-1)$-chain formed by the sum of the faces $[p_0, \ldots, \hat{p}_i, \ldots, p_n]$. The interior of a simplex is the complement of the boundary.

Examples. 1) $\partial [p_0, p_1] = [p_1] - [p_0]$; 2) $\partial [p_0, p_1, p_2] = (-1)^0 [\hat{p}_0, p_1, p_2] + (-1)^1 [p_0, \hat{p}_1, p_2] + (-1)^2 [p_0, p_1, \hat{p}_2] = [p_1, p_2] - [p_0, p_2] + [p_0, p_1] = [p_1, p_2] + [p_2, p_0] + [p_0, p_1]$.
As can be seen from the definition, for the oriented $K_n(A)$ simplex, where $A = [p_0, p_1, \ldots, p_n]$, the composition
$$K_n(A) \xrightarrow{\partial_n} K_{n-1}(A) \xrightarrow{\partial_{n-1}} K_{n-2}(A)$$
is zero. Speaking algebraically, we get a sequence of homomorphisms of abelian groups
$$\cdots \to C_{n+1}(A) \xrightarrow{\partial_{n+1}} C_n(A) \xrightarrow{\partial_n} C_{n-1}(A) \to \cdots \to C_1 \xrightarrow{\partial_1} C_0 \xrightarrow{\partial_0} 0$$
with $\partial_n \partial_{n+1} = 0$ for all $n$. This sequence is called a chain complex. The equation $\partial_n \partial_{n+1} = 0$ is equivalent to the inclusion $\mathrm{Im}\, \partial_{n+1} \subseteq \mathrm{Ker}\, \partial_n$, where $\mathrm{Im}$ and $\mathrm{Ker}$ denote the image and the kernel (see [6]). As is known from the literature, simplicial homology is defined for simplicial complexes, which are $K$-complexes whose simplices are determined in a unique way by their vertices. Therefore, each $n$-simplex has $n+1$ distinct vertices. Consequently, a simplicial complex can be combinatorially described as a set $V$ of vertices together with sets $V_n$ of $n$-simplices, which are $(n+1)$-element subsets of $V$, with the requirement that each $(l+1)$-element subset of the vertices of an $n$-simplex in $V_n$ is an $l$-simplex in $V_l$. It follows that the $K$-complex $V_k$ can be constructed if we choose a partial ordering of the vertices of $V$ which imposes a linear ordering on the vertices of each simplex in $V_n$. Actually, each $K$-complex can be subdivided to be a simplicial complex, and every $K$-complex is then homeomorphic to a simplicial complex (see, for details, [6]).
5.3 Cryptography Based on Endomorphism Semirings

5.3.1 Motivation, basic definitions and notations

The classical Diffie-Hellman key-exchange protocol is the basis for constructing various public key-exchange protocols. This protocol, however, has its drawbacks; for example, exponentiation is quite demanding in terms of the resources used, and the protocol is not protected from man-in-the-middle attacks. These and some other disadvantages are the reason for cryptographers to look for more secure and practical analogues of the Diffie-Hellman protocol, which are protected not only against attacks of the above-mentioned type, but also against the expected development of quantum computers. This means finding new, safer and more resource-efficient platforms for cryptographic systems. To meet these new requirements, we propose to use the endomorphism semirings of the finite chain. Let us consider the finite chain $\mathcal{C}_n = (\{0, 1, \ldots, n-1\}, \le)$ and denote the semiring of the endomorphisms of this chain by $E_n$. There is no requirement $\alpha(0) = 0$ for an arbitrary $\alpha \in E_n$. This means that the semiring $E_n$ does not have a zero. If $\alpha \in E_n$ is such that $\alpha(k) = j_k$ for all $k \in \mathcal{C}_n$, then we will write $\alpha$ as the ordered $n$-tuple $(j_0, j_1, j_2, \ldots, j_{n-1})$. Here, all the mappings are composed componentwise, given that $\alpha\beta$ means "first $\alpha$, then $\beta$". We note that both the identity $i = (0, 1, \ldots, n-1)$ and all constant endomorphisms $\bar{k} = (k, \ldots, k)$ are multiplicative idempotents. Let us take the elements $a_0, \ldots, a_{k-1}$ of the chain $\mathcal{C}_n$, where $k \le n$, provided that $a_0 < \cdots < a_{k-1}$, and consider the set $A = \{a_0, \ldots, a_{k-1}\}$. Our aim is to study endomorphisms $\alpha \in E_n$ such that $\mathrm{Im}(\alpha) \subseteq A$. We will denote the resulting set by $V^{(n)}\{a_0, \ldots, a_{k-1}\}$. Let $\{b_0, \ldots, b_{l-1}\} \subseteq \{a_0, \ldots, a_{k-1}\}$ and consider the set
$$V^{(n)}\{b_0, \ldots, b_{l-1}\} = \{\beta \mid \beta \in V^{(n)}\{a_0, \ldots, a_{k-1}\},\ \mathrm{Im}(\beta) = \{b_0, \ldots, b_{l-1}\}\}.$$
For the elements of the resulting set, we define an equivalence relation in the following way: for $\beta_1, \beta_2 \in V^{(n)}\{b_0, \ldots, b_{k-1}\}$, $\beta_1 \equiv \beta_2$ if and only if the sets $\mathrm{Im}(\beta_1)$ and $\mathrm{Im}(\beta_2)$ have a common least element. Thus, each equivalence class can be identified by its least element, which is the constant endomorphism $\bar{b}_c = (b_c, \ldots, b_c)$, where $c = 0, \ldots, l-1$. Further, we consider a simplicial complex $K$ with the set of vertices $W = \{a_0, \ldots, a_{k-1}\}$. As we have shown, the subset $\{b_0, \ldots, b_{l-1}\}$ is a face of $K$. Therefore, we can also consider the set $V^{(n)}\{b_0, \ldots, b_{l-1}\}$ as a face of $K$. Let us recall that when the simplicial complex $K$ contains all the subsets of $W$, it is a simplex. In this case,
$K = V^{(n)}\{a_0, \ldots, a_{k-1}\}$. It is easy to see that $\mathrm{Im}(\alpha) \subseteq A$ and $\mathrm{Im}(\beta) \subseteq A$ imply $\mathrm{Im}(\alpha + \beta) \subseteq A$ and $\mathrm{Im}(\alpha\beta) \subseteq A$. This means that the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ is a subsemiring of the semiring $E_n$.

Let $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ be a simplex. Then $\alpha \in V^{(n)}\{a_0, \ldots, a_{k-1}\}$ is an endomorphism of the type $[m_0, \ldots, m_{k-1}]$, where $m_i \in \{0, \ldots, k-1\}$ and $m_i \le m_j$ provided that $i < j$, $i, j = 0, \ldots, k-1$; it is convenient to denote $\alpha(a_i) = a_{m_i}$. We note that each endomorphism of this type is also an endomorphism of the simplex $E_k = V^{(k)}\{0, 1, \ldots, k-1\}$. The simplex $E_k$ is called the coordinate simplex of $V^{(n)}\{a_0, \ldots, a_{k-1}\}$. The interior of the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ consists of the endomorphisms $\eta$ such that $\mathrm{Im}(\eta) = \{a_0, \ldots, a_{k-1}\}$.

Thus, we come to the fact that the interior of the simplex $V^{(n)}\{a_0, a_1, \ldots, a_{k-1}\}$ is an additive semigroup; any of its faces is a left, but not a right, ideal. Thus, the boundary $\partial(V^{(n)}\{a_0, a_1, \ldots, a_{k-1}\})$ is a multiplicative semigroup. (Note that the boundary and the interior of an arbitrary simplex are not semirings.) We will complete our theoretical notes with three important theorems.

Theorem 1. [11] Let $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ be a simplex and let $R$ be a subsemiring of the coordinate semiring $E_k$ of $V^{(n)}\{a_0, \ldots, a_{k-1}\}$. Then the set $R^{(n)}$ of all endomorphisms of $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ of type $[m_0, \ldots, m_{k-1}]$, where $[m_0, \ldots, m_{k-1}] \in R$, is a semiring. In the case when $R$ is a right (left) ideal of the semiring $E_k$, $R^{(n)}$ is a right (left) ideal of the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$.

Theorem 2. [11] The subset of $E_n$ ($n \ge 3$) consisting of all idempotent endomorphisms with $s$ fixed points $k_1, \ldots, k_s$, $1 \le s \le n-1$, is a semiring of order
$$\prod_{m=1}^{s-1} (k_{m+1} - k_m).$$

Let us note that all idempotent endomorphisms of the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ are precisely the right identities of the given simplex. From Theorems 1 and 2 the following theorem can be obtained.

Theorem 3. [11] The set of endomorphisms of the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ that are right identities is a semiring of order
$$\prod_{i=0}^{k-2} (a_{i+1} - a_i).$$

Finally, it can be concluded that there is at least one right identity of the simplex $V^{(n)}\{a_0, \ldots, a_{k-1}\}$ and there are no left identities of this simplex.
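A brute-force check of the counting results in this subsection and in Section 5.1, as an added example (not code from [11], [14] or [15]): it enumerates $E_n$ for a small $n$ as tuples, implements the addition (pointwise join) and the "first $\alpha$, then $\beta$" multiplication, and then counts the $k$-nilpotent endomorphisms against $C_k \cdot C_{n-k-1}$, the idempotents with a prescribed fixed-point set against Theorem 2, and the right identities of a simplex $V^{(n)}\{a_0,\ldots,a_{k-1}\}$ against the product of the consecutive gaps of Theorem 3. The chain length and the vertex sets used in the checks are constructed values.

```python
from itertools import combinations_with_replacement
from math import comb, prod


def endomorphisms(n):
    """All elements of E_n: order-preserving maps of the chain {0,...,n-1} into itself,
    written as n-tuples (alpha(0), ..., alpha(n-1)); there are C(2n-1, n) of them."""
    return [tuple(t) for t in combinations_with_replacement(range(n), n)]


def add(a, b):
    """Semiring addition: pointwise join (max) on the chain."""
    return tuple(max(x, y) for x, y in zip(a, b))


def mul(a, b):
    """Semiring multiplication with the book's convention: 'first a, then b'."""
    return tuple(b[x] for x in a)


def constant(n, k):
    return tuple([k] * n)


def catalan(k):
    return comb(2 * k, k) // (k + 1)


def k_nilpotent(n, k):
    """k-nilpotent endomorphisms: alpha with alpha^m = constant k for some m.
    On a finite chain every orbit x, alpha(x), alpha^2(x), ... is monotone, so it is
    stationary after at most n-1 steps and alpha^n decides the question."""
    target = constant(n, k)
    out = []
    for a in endomorphisms(n):
        p = a
        for _ in range(n - 1):
            p = mul(p, a)
        if p == target:
            out.append(a)
    return out


def idempotents_with_fixed_points(n, fixed):
    """Idempotents e = e*e whose set of fixed points is exactly `fixed`."""
    F = set(fixed)
    return [e for e in endomorphisms(n)
            if mul(e, e) == e and {x for x in range(n) if e[x] == x} == F]


def gap_product(points):
    """Product of the consecutive gaps (k_{m+1} - k_m), the order given by Theorems 2 and 3."""
    return prod(points[i + 1] - points[i] for i in range(len(points) - 1))


def simplex(n, A):
    """V^{(n)}{A}: the endomorphisms whose image lies in A."""
    A = set(A)
    return [a for a in endomorphisms(n) if set(a) <= A]


def right_identities(n, A):
    """Elements e of the simplex with a*e == a for every a in the simplex."""
    S = simplex(n, A)
    return [e for e in S if all(mul(a, e) == a for a in S)]


def left_identities(n, A):
    S = simplex(n, A)
    return [e for e in S if all(mul(e, a) == a for a in S)]


def is_subsemiring(n, elems):
    """Closure of a subset of E_n under + and * (brute force; small n only)."""
    E = set(elems)
    return all(add(a, b) in E and mul(a, b) in E for a in E for b in E)


if __name__ == "__main__":
    n, A = 6, [1, 3, 4]                                  # constructed sample values
    print(len(k_nilpotent(n, 2)), catalan(2) * catalan(n - 2 - 1))
    print(len(idempotents_with_fixed_points(n, A)), gap_product(A))
    print(right_identities(n, A), left_identities(n, A))
```

Theorem 3 applied to the universal simplex $V^{(n)}\{1,\ldots,n-1\}$ of Sections 5.3.2 and 5.3.3 gives a product of gaps that are all equal to 1, and `right_identities(n, range(1, n))` indeed returns the single element $(1, 1, 2, \ldots, n-1)$; this is worth knowing before treating the right identity $\alpha_A$ of the later protocols as part of a user's secret.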
5.3.2 Three key-exchange protocols based on endomorphism semirings

The three key-exchange protocols presented here are based on the endomorphism semirings described above. At the beginning of the protocols, both users have to agree on using a universal simplex $V^{(n)}\{1, \ldots, n-1\}$.

Protocol 1. [4] Alice and Bob select a common element $x$ of the simplex $V^{(n)}\{1, \ldots, n-1\}$ and agree that she will multiply on the left and he will multiply on the right. In addition, they choose two simplices $V_1^{(n)}\{a_0, \ldots, a_k\}$ and $V_2^{(n)}\{b_0, \ldots, b_s\}$ for $k, s \in \{0, \ldots, n-1\}$, such that $\{a_0, \ldots, a_k\} \cap \{b_0, \ldots, b_s\} = \emptyset$. Then the protocol works as follows:
1. Alice chooses a random element $\alpha \in V_1^{(n)}\{a_0, \ldots, a_k\}$ as her secret key. She computes the composition $A = \alpha \circ x$ and sends her public key $A$ to Bob.
2. Bob chooses a random element $\beta \in V_2^{(n)}\{b_0, \ldots, b_s\}$ as his secret key. He computes the composition $B = x \circ \beta$ and sends his public key $B$ to Alice.
3. Alice computes the composition $k_A = \alpha \circ (x \circ \beta)$.
4. Bob computes the composition $k_B = (\alpha \circ x) \circ \beta$.
At the end of the protocol, both users obtain the same key, since $\alpha \circ (x \circ \beta) = (\alpha \circ x) \circ \beta$.
It is easy to conclude that $\alpha \circ \beta \in V_2$ and $\beta \circ \alpha \in V_1$. In order to break this protocol, it is enough for an attacker to find an endomorphism $\alpha'$ such that $\alpha' \circ x = \alpha \circ x$ (or solve the same problem for the endomorphism $\beta$). We believe that this can be a difficult task, since the composition of this type of endomorphisms is not invertible. Therefore, to find a proper endomorphism $\alpha'$, the attacker must use the exhaustive search method, which is inefficient if the selected chain is large enough.

Protocol 2. [4] This protocol adapts the idea of the Maze-Monico-Rosenthal protocol (discussed in Section 2.3.4) to the case of endomorphism semirings of a finite chain. At the beginning of the protocol, both users have to choose two elements $\alpha, \beta \in V^{(n)}\{a_0, \ldots, a_{k-1}\}$. Then the protocol is as follows:
1. Alice selects as her secret key two random polynomials $p_1(x)$, $p_2(x)$ (all coefficients must be 0 or 1). She computes her public key $A = p_1(\alpha) \circ p_2(\beta)$ and transmits $A$ to Bob.
2. Bob selects as his secret key two random polynomials $q_1(x)$, $q_2(x)$ (all coefficients must be 0 or 1). He computes his public key $B = q_1(\alpha) \circ q_2(\beta)$ and transmits $B$ to Alice.
3. Alice computes $k_A = p_1(\alpha) \circ (q_1(\alpha) \circ q_2(\beta)) \circ p_2(\beta)$.
4. Bob computes $k_B = q_1(\alpha) \circ (p_1(\alpha) \circ p_2(\beta)) \circ q_2(\beta)$.
Thus, since $p_1(\alpha) \circ q_1(\alpha) = q_1(\alpha) \circ p_1(\alpha)$ and $p_2(\beta) \circ q_2(\beta) = q_2(\beta) \circ p_2(\beta)$, at the end of the protocol Alice and Bob share the same secret key $k = k_A = k_B$. The problem on which the security of this protocol is based is the following: for a given pair of elements $\alpha, \beta \in V^{(n)}\{a_0, \ldots, a_{k-1}\}$ and an endomorphism $\gamma = p_1(\alpha) \circ p_2(\beta)$, find polynomials $p_1'(\alpha)$ and $p_2'(\beta)$ such that $\gamma = p_1'(\alpha) \circ p_2'(\beta)$ (or solve the same problem for the polynomials $q_1$ and $q_2$). We do not know whether an attacker must solve this problem, but solving it is sufficient for breaking the protocol.

Protocol 3. [4] At the beginning of the protocol, Alice and Bob choose two simplices $V_1^{(n)}\{a_0, \ldots, a_k\}$ and $V_2^{(n)}\{b_0, \ldots, b_s\}$ which meet the requirement $\{a_0, \ldots, a_k\} \cap \{b_0, \ldots, b_s\} = \emptyset$. In addition, they choose two elements $\alpha \in V_1^{(n)}\{a_0, \ldots, a_k\}$ and $\beta \in V_2^{(n)}\{b_0, \ldots, b_s\}$. Here $k, s \in \{0, \ldots, n-1\}$. Then the protocol works as follows:
1. Alice selects two random polynomials $p_1(x)$, $q_1(x)$ as her secret key (all the coefficients must be 0 or 1). She computes her public key $A = p_1(\alpha) \circ \beta \circ q_1(\alpha)$ and sends $A$ to Bob.
2. Bob selects two random polynomials $p_2(x)$, $q_2(x)$ as his secret key (all the coefficients are 0 or 1). He computes his public key $B = p_2(\alpha) \circ \beta \circ q_2(\alpha)$ and sends $B$ to Alice.
3. Alice computes $k_A = p_1(\alpha) \circ (p_2(\alpha) \circ \beta \circ q_2(\alpha)) \circ q_1(\alpha)$.
4. Bob computes $k_B = p_2(\alpha) \circ (p_1(\alpha) \circ \beta \circ q_1(\alpha)) \circ q_2(\alpha)$.
By the end of the protocol, Alice and Bob obtain the same secret key $k = k_A = k_B$. The security of the protocol is due to the following problem, which must be hard: for the given two elements $\alpha \in V_1^{(n)}\{a_0, \ldots, a_k\}$ and $\beta \in V_2^{(n)}\{b_0, \ldots, b_s\}$, and an element $\gamma = p_1(\alpha) \circ \beta \circ q_1(\alpha)$, find polynomials $p_1'(\alpha)$ and $q_1'(\alpha)$ such that $\gamma = p_1'(\alpha) \circ \beta \circ q_1'(\alpha)$ (or solve the same problem for the polynomials $p_2$ and $q_2$). We do not know if it is necessary for an attacker to solve this problem to break the protocol, but solving it is sufficient.
5.3.3 Four key exchange protocols using right identities of the simplex

At the beginning of all these protocols, both users agree to work with the universal simplex $V^{(n)}\{1, \ldots, n-1\}$.

Protocol 4. [4] Alice and Bob publicly agree on an endomorphism $\alpha \in V^{(n)}\{1, \ldots, n-1\}$. The protocol is as follows:
1. Alice chooses as her secret key a polynomial $p(x)$ (whose coefficients are only 0 and 1) and a right identity $\alpha_A$. She transmits her public key $A = \alpha_A \circ p(\alpha)$ to Bob.
2. Bob chooses as his secret key a polynomial $q(x)$ (whose coefficients are only 0 and 1) and a right identity $\alpha_B$. He transmits his public key $B = \alpha_B \circ q(\alpha)$ to Alice.
3. Alice computes
118
Chapter Five
kA = p(D) q B = p(D) qDB q q(D) = p(D) q q(D). 4. Bob computes
kB = q(D) q A = q(D) qDA q p(D) = q(D) q p(D). By the end of the protocol Alice and Bob share the same secret key, since:
p(D) q q(D) = q(D) q p(D). The security of the protocol is due to the following problem, which is considered hard: let an endomorphism D V(n){1,…,n1} and an element = DA q p(D) be given; find a right identity D cA and a polynomial
p'(D), so that = D'A q p'(D) (or solve the same problem for the element DB q q(D)). It is not known if it is necessary for an attacker to solve this problem in order to break the protocol, but this will be sufficient. Protocol 5. [4] Alice and Bob publicly agree on two endomorphisms
$\alpha, \beta \in \sigma^{(n)}_{\{1,\dots,n-1\}}$ with the property $\alpha \circ \beta = \beta \circ \alpha$.

1. Alice chooses as her secret keys two polynomials $p_1(x)$ and $p_2(x)$ (with coefficients 0 and 1), as well as a right identity $\alpha_A$. She transmits her public key $A = \alpha_A \circ p_1(\alpha) \circ p_2(\beta)$ to Bob.
2. Bob also chooses as his secret keys two polynomials $q_1(x)$ and $q_2(x)$ (with coefficients 0 and 1), as well as a right identity $\alpha_B$. He transmits his public key $B = \alpha_B \circ q_1(\alpha) \circ q_2(\beta)$ to Alice.
3. Alice computes $k_A = p_1(\alpha) \circ B \circ p_2(\beta) = p_1(\alpha) \circ \alpha_B \circ q_1(\alpha) \circ q_2(\beta) \circ p_2(\beta) = p_1(\alpha) \circ q_1(\alpha) \circ p_2(\beta) \circ q_2(\beta)$.
4. Bob computes $k_B = q_1(\alpha) \circ A \circ q_2(\beta) = q_1(\alpha) \circ \alpha_A \circ p_1(\alpha) \circ p_2(\beta) \circ q_2(\beta) = p_1(\alpha) \circ q_1(\alpha) \circ p_2(\beta) \circ q_2(\beta)$.

By the end of the protocol they obtain the same secret key $k_A = k_B$.

In order to break this protocol, an eavesdropper should solve the following problem: given two endomorphisms $\alpha, \beta \in \sigma^{(n)}_{\{1,\dots,n-1\}}$ and an element $\gamma = \alpha_A \circ p_1(\alpha) \circ p_2(\beta)$, find a right identity $\alpha'_A$ and two polynomials $p_1'(\alpha)$ and $p_2'(\beta)$ such that the equality $\gamma = \alpha'_A \circ p_1'(\alpha) \circ p_2'(\beta)$ holds (or solve the similar problem for the element $\alpha_B \circ q_1(\alpha) \circ q_2(\beta)$).
We do not know whether an eavesdropper must solve this problem, but solving it is sufficient.

Protocol 6. [4] Alice and Bob publicly agree on three endomorphisms $\alpha, \beta, \gamma \in \sigma^{(n)}_{\{1,\dots,n-1\}}$ such that $\alpha \circ \gamma = \gamma \circ \alpha$ and $\beta \circ \gamma = \gamma \circ \beta$.

1. Alice selects as her secret keys two polynomials $p_1(x)$ and $p_2(x)$ (with coefficients only 0 and 1) and a right identity $\alpha_A$. She sends Bob her public key $A = \alpha_A \circ p_1(\alpha) \circ \gamma \circ p_2(\beta)$.
2. Bob also selects as his secret keys two polynomials $q_1(x)$ and $q_2(x)$ (with coefficients only 0 and 1) and a right identity $\alpha_B$. He sends Alice his public key $B = \alpha_B \circ q_1(\alpha) \circ \gamma \circ q_2(\beta)$.
3. Alice computes $k_A = p_1(\alpha) \circ B \circ p_2(\beta) = p_1(\alpha) \circ \alpha_B \circ q_1(\alpha) \circ \gamma \circ q_2(\beta) \circ p_2(\beta) = p_1(\alpha) \circ q_1(\alpha) \circ \gamma \circ p_2(\beta) \circ q_2(\beta)$.
4. Bob computes $k_B = q_1(\alpha) \circ A \circ q_2(\beta) = q_1(\alpha) \circ \alpha_A \circ p_1(\alpha) \circ \gamma \circ p_2(\beta) \circ q_2(\beta) = p_1(\alpha) \circ q_1(\alpha) \circ \gamma \circ p_2(\beta) \circ q_2(\beta)$.

By the end of the protocol the two users reach a common secret key $k_A = k_B$.

The security of the protocol is based on the hardness of the following problem: given three endomorphisms $\alpha, \beta, \gamma \in \sigma^{(n)}_{\{1,\dots,n-1\}}$ and an element $\delta = \alpha_A \circ p_1(\alpha) \circ \gamma \circ p_2(\beta)$, find a right identity $\alpha'_A$ and two polynomials $p_1'(\alpha)$, $p_2'(\beta)$ such that $\delta = \alpha'_A \circ p_1'(\alpha) \circ \gamma \circ p_2'(\beta)$ (or solve the similar problem for the element $\alpha_B \circ q_1(\alpha) \circ \gamma \circ q_2(\beta)$). We do not know whether an attacker must solve this problem in order to break the protocol, but solving it is sufficient.

Protocol 7 – a double exchange of public keys. At the beginning of this protocol Alice and Bob publicly agree on the following:

- Alice will choose her secret element from the subsimplex σ^(n){1 {1,}, n 1}; Bob will choose his secret element from the subsimplex σ^(n){1 {1,}, n 1}.
- The elements that Alice and Bob select do not belong to the subsimplex .
- At the second exchange of keys, Alice will multiply on the left and Bob will multiply on the right.

The protocol works as follows:

1. Alice chooses an element $\alpha$ and a right identity $\alpha_B$. She sends Bob her public key $A_1 = \alpha_B \circ \alpha$.
2. Bob chooses an element $\beta$ and a right identity $\beta_A$. He sends Alice his public key $B_1 = \beta_A \circ \beta$.
3. Alice computes her second public key $A_2 = \alpha \circ B_1 \circ \alpha = \alpha \circ \beta \circ \alpha$ and sends it to Bob.
4. Bob computes his second public key $B_2 = \beta \circ A_1 \circ \beta = \beta \circ \alpha \circ \beta$ and sends it to Alice.
5. Alice computes $k_A = \alpha \circ B_2 = \alpha \circ \beta \circ \alpha \circ \beta$.
6. Bob computes $k_B = A_2 \circ \beta = \alpha \circ \beta \circ \alpha \circ \beta$.

By the end of the protocol both users obtain a common secret key $k = k_A = k_B$.

Note. Since each subsimplex (wall) of a simplex is a left ideal of it, if Bob exchanged the order of the factors he would not obtain an element of the subsimplex to which the common secret key must belong. The double exchange of public keys somewhat lengthens the key-exchange session, but the operations each user must perform do not require large resources.
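Protocol 4 and Protocol 7 run over a toy instance of the endomorphism semiring of a finite chain, with the right identities found by brute force. This is an added example, not code from the book or from [4]. It assumes the chain $C_n = \{0,\dots,n-1\}$, endomorphisms stored as monotone tuples, sum = pointwise max, product = apply the left factor first, polynomials with 0/1 coefficients and no constant term; it reads a simplex with vertex set $S$ as the set of endomorphisms whose image lies in $S$ (a reading of [11], not a quotation of it), takes the vertex sets $\{1,2,3\}$ and $\{3,4,5\}$ for the two subsimplices of Protocol 7 as an assumption, and defines a right identity for a set $M$ of endomorphisms as an $e$ with $f \circ e = f$ for every $f \in M$, which is exactly the property each key computation uses.

```python
"""Protocols 4 and 7 over a toy endomorphism semiring of a finite chain.

Added example, not code from the book or from [4].  Assumptions: the chain is
C_n = {0, ..., n-1}; an endomorphism is a monotone map stored as the tuple
(f[0], ..., f[n-1]); the sum is the pointwise max; mul(f, g) applies f first
and then g; polynomials have 0/1 coefficients and no constant term.  A simplex
with vertex set S is read as the set of endomorphisms whose image lies in S,
and a right identity for a set M of endomorphisms is an e with mul(f, e) == f
for every f in M.  Both are enumerated by brute force, which only works for
tiny n; the vertex sets {1,2,3} and {3,4,5} used for Protocol 7 are made up.
"""
import functools
import itertools
import random

N = 6  # chain length for the toy run (assumption)


def mul(f, g):
    """Semiring product: apply f, then g (so Im(mul(f, g)) is inside Im(g))."""
    return tuple(g[f[x]] for x in range(len(f)))


def add(f, g):
    """Semiring sum: pointwise maximum."""
    return tuple(max(a, b) for a, b in zip(f, g))


def poly(coeffs, f):
    """p(f) for p(x) = sum_{i>=1} coeffs[i-1] * x^i with coefficients in {0, 1}."""
    fk, result = f, None                      # fk runs through f, f^2, f^3, ...
    for c in coeffs:
        if c:
            result = fk if result is None else add(result, fk)
        fk = mul(fk, f)
    if result is None:
        raise ValueError("the zero polynomial is not allowed")
    return result


@functools.lru_cache(maxsize=None)
def all_endomorphisms(n):
    """Every monotone map C_n -> C_n (462 of them for n = 6)."""
    return tuple(t for t in itertools.product(range(n), repeat=n)
                 if all(t[i] <= t[i + 1] for i in range(n - 1)))


def simplex(n, vertices):
    """Endomorphisms whose image lies in `vertices` (assumed reading of the simplex)."""
    v = set(vertices)
    return [f for f in all_endomorphisms(n) if set(f) <= v]


def right_identities(n, members):
    """Endomorphisms e with mul(f, e) == f for every f in `members`."""
    return [e for e in all_endomorphisms(n) if all(mul(f, e) == f for f in members)]


def protocol4(alpha, p, eA, q, eB):
    """A = eA * p(alpha), B = eB * q(alpha); return (p(alpha) * B, q(alpha) * A)."""
    A = mul(eA, poly(p, alpha))
    B = mul(eB, poly(q, alpha))
    return mul(poly(p, alpha), B), mul(poly(q, alpha), A)


def protocol7(alpha, alpha_B, beta, beta_A):
    """Double exchange; alpha_B must be a right identity for Bob's subsimplex and
    beta_A one for Alice's.  Returns (k_A, k_B)."""
    A1 = mul(alpha_B, alpha)                  # Alice's first public key
    B1 = mul(beta_A, beta)                    # Bob's first public key
    A2 = mul(mul(alpha, B1), alpha)           # = alpha * beta * alpha
    B2 = mul(mul(beta, A1), beta)             # = beta * alpha * beta
    return mul(alpha, B2), mul(A2, beta)      # Alice multiplies on the left, Bob on the right


def demo(seed=7, degree=4):
    """Run both protocols; returns (several right identities exist, k_A == k_B, k_A == k_B)."""
    random.seed(seed)
    alpha = random.choice(simplex(N, range(1, N)))   # universal simplex, vertex set {1..n-1}
    # Im(p(alpha)) lies in Im(alpha) for every polynomial p, so a right identity for
    # alpha alone is a right identity for every p(alpha) the two parties will use.
    ids = right_identities(N, [alpha])
    p = [random.randint(0, 1) for _ in range(degree)]
    q = [random.randint(0, 1) for _ in range(degree)]
    p[0] = q[-1] = 1                                  # keep both polynomials nonzero
    kA4, kB4 = protocol4(alpha, p, random.choice(ids), q, random.choice(ids))

    S_A, S_B = (1, 2, 3), (3, 4, 5)                   # assumed public vertex sets
    alpha7 = random.choice(simplex(N, S_A))           # Alice's secret element
    beta7 = random.choice(simplex(N, S_B))            # Bob's secret element
    alpha_B = random.choice(right_identities(N, simplex(N, S_B)))  # chosen by Alice
    beta_A = random.choice(right_identities(N, simplex(N, S_A)))   # chosen by Bob
    kA7, kB7 = protocol7(alpha7, alpha_B, beta7, beta_A)
    return len(ids) > 1, kA4 == kB4, kA7 == kB7
```

Under this reading a right identity for a set of endomorphisms is simply a monotone map that fixes every point in their images, so for Protocol 4 the example enumerates the right identities of the public $\alpha$ (which then act as identities on every $p(\alpha)$), and for Protocol 7 each party takes a right identity of the partner's public subsimplex, which is what steps 3 and 4 of that protocol need in order for $\alpha \circ B_1 \circ \alpha$ and $\beta \circ A_1 \circ \beta$ to collapse as shown in the text.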
BIBLIOGRAPHY TO CHAPTER FIVE

[1] Björner A., Topological methods, Chapter 34 in Handbook of Combinatorics, edited by R. Graham, M. Grötschel and L. Lovász, 1995.
[2] Bruns W., Herzog J., Cohen–Macaulay Rings, Cambridge University Press, 1998.
[3] Desbrun M., Hirani A., Leok M., Marsden J., Discrete Exterior Calculus, arXiv:math/0508341v2 [math.DG], 18 Aug 2005.
[4] Durcheva M., Trendafilov I., Rachev M., Public key cryptosystem based on endomorphism semirings of a finite chain, AIP Conference Proceedings 1631, 330 (2014).
[5] Ferrario D., Piccinini R., Simplicial Structures in Topology, Springer, New York, USA, 2011.
[6] Hatcher A., Algebraic Topology, Cambridge University Press, 2002.
[7] Kim K., Roush F., Markowsky G., Representation of inclines, Algebra Colloquium 4:4, 1997, pp. 461–470.
[8] Kozlov D., Combinatorial Algebraic Topology, Springer-Verlag, Berlin, Heidelberg, 2008.
[9] Moore E. H., A definition of abstract groups, Trans. Amer. Math. Soc. 3, 1902, pp. 485–492.
[10] Munkres J., Elements of Algebraic Topology, Perseus, Cambridge, Massachusetts, 1984.
[11] Trendafilov I., Simplices in the Endomorphism Semiring of a Finite Chain, Algebra, vol. 2014, Article ID 263605, 2014. doi:10.1155/2014/263605
[12] Trendafilov I., Vladeva D., Idempotent Elements of the Endomorphism Semiring of a Finite Chain, Comptes rendus de l'Académie bulgare des Sciences, T. 66, No 5, 2013, pp. 621–628.
[13] Trendafilov I., Vladeva D., The Endomorphism Semiring of a Finite Chain, Proceedings of the Technical University of Sofia, vol. 61, no. 1, 2011, pp. 9–18.
[14] Trendafilov I., Vladeva D., Nilpotent Elements of the Endomorphism Semiring of a Finite Chain and Catalan Numbers, Proc. of the 42nd Spring Conf. of the Union of Bulgarian Mathematicians, Borovetz, April 2–6, 2013, pp. 265–271.
[15] Trendafilov I., Vladeva D., Idempotent Elements of the Endomorphism Semiring of a Finite Chain, ISRN Algebra, Volume 2013, Article ID 120231, pp. 1–9.
[16] Wachs M., Poset Topology: Tools and Applications, IAS/Park City Mathematics Series, 2006.