Conjugacy Systems Based on Nonabelian Factorization Problems and Their Applications in Cryptography

To resist known quantum algorithm attacks, several nonabelian algebraic structures have been brought onto the stage of modern cryptography. Recently, Baba et al. proposed an important analogue of the integer factorization problem: the factorization problem over nonabelian groups. In this paper, we propose several conjugated problems related to the factorization problem over nonabelian groups and then present three constructions of cryptographic primitives based on these newly introduced conjugacy systems: encryption, signature, and signcryption. Sample implementations of our proposal as well as the related performance analysis are also presented.


Introduction
Background and Motivation. Although encryption has existed for thousands of years, the concept of public key cryptography (PKC) is less than half a century old. To secure communications over insecure channels, the core idea of PKC is to impose a heavy burden, computational cost in general, on eavesdroppers while keeping the additional workload of legitimate users as light as possible [1]. This idea is always instantiated by a challenging problem for which the legitimate users know at least one feasible solution, while it is infeasible for attackers to find a solution even if they exhaust all available resources. Along this roadmap, the well-known Diffie-Hellman key exchange protocol [2] as well as many public key cryptosystems, such as RSA [3], ElGamal [4], and ECC [5,6], have achieved great success during the past four decades. However, since the famous question of whether P = NP remains open, all these cryptographic protocols and schemes rest their security on assumptions about the intractability of certain problems, say the integer factorization problem (IFP), the discrete logarithm problem over finite fields (DLP), or the discrete logarithm problem over elliptic curves (ECDLP).
Intractability assumptions on cryptographic problems do not by themselves guarantee the security of real systems. Instead, they must be embedded in the implementation of cryptographic primitives. In fact, security is a composite concept that can be divided into several different properties. Among them, confidentiality, authenticity, and integrity attract a lot of attention in the PKC community. Although the primitive of encryption is mainly intended to provide confidentiality, when an encryption scheme achieves indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2), the integrity of the ciphertexts is also guaranteed. Similarly, the primitive of signature provides authenticity and integrity simultaneously. Another cryptographic primitive, signcryption, is a data security technology by which confidentiality is protected and authenticity is achieved seamlessly at the same time [7-9]. The primitive of signcryption, invented in 1996 and first disclosed to the public at CRYPTO 1997 [7,8], is now an international standard for data protection (ISO/IEC 29150, Dec 2011). To date, many constructions of signcryption have been proposed, based on the intractability assumptions of IFP [10,11] or DLP/ECDLP [12,13]. Some constructions further utilize bilinear pairings to enhance functionality and performance [14,15], but the security of these constructions is also rooted in the intractability assumption of ECDLP. Unfortunately, IFP, DLP, and ECDLP can all be solved efficiently by Shor's quantum algorithms [16,17] and their extensions [18]. Thus, there is an urgent need to develop new signcryption schemes with the potential to resist Shor-like quantum attacks. Although two lattice-based signcryption schemes have recently been claimed [19,20] to resist known quantum algorithm attacks, their parameter sizes are considerably large. Therefore, more efficient designs are desirable.

Contribution.
In this paper, we make contributions in two respects. First, we define several conjugated problems related to the factorization problem over nonabelian groups and name these problems conjugacy systems. Next, we explore the usefulness of these conjugacy systems by presenting three constructions of cryptographic primitives: encryption, signature, and signcryption. In addition, sample implementations of our proposal as well as the related performance analysis are presented.
Related Work. Our work belongs to the line of so-called noncommutative cryptography, which has attracted considerable attention recently [21]. Since Shor's quantum algorithm and its extensions work well over commutative groups such as the multiplicative group Z *  , the multiplicative group F *  , and the additive group of elliptic curve points over a finite field F  , and since efficient quantum algorithms for the hidden subgroup problem (HSP) over all commutative groups are already known, many attempts to develop cryptosystems have been based on noncommutative algebraic structures. During the past decade, braid groups [9,22,23], inner automorphism groups [24,25], Thompson's group [26], linear groups and classical modular groups [27,28], random covers and logarithmic signatures [29], and so forth have been brought onto the stage of modern cryptography. However, this area is still immature, and at present there are no noncommutative cryptosystems that are practical in both efficiency and security [9]. In particular, finding a secure nonabelian analogue of IFP-based cryptosystems remained open [21] until recently. In 2011, Baba et al. proposed a nonabelian factorization problem and presented associated cryptosystems [30]. Although BKT's constructions fail to achieve semantic security, the insight embedded in the nonabelian factorization problem opens a new avenue for developing practical nonabelian cryptography [31]. In 2012, Gu et al. [31] proposed an IND-CCA2 secure encryption scheme based on BKT's idea. Moreover, they gave the first arguments for resisting Shor's quantum algorithm attacks based on noncommutativity (see Remark 11).
Roadmap. The remaining content is organized as follows. In Section 2, we first recall the definition of the nonabelian factorization problem and related extensions, then define some new cryptographic problems (referred to as conjugacy systems), and finally analyze the hardness of these problems; in Section 3, we present new constructions of encryption, signature, and signcryption based on the newly introduced conjugacy systems; in Section 4, we discuss possible implementation platforms and the related performance; finally, concluding remarks are given in Section 5.

Conjugacy Systems Based on Nonabelian Factorization Problems
Most public key cryptosystems are based on certain intractability assumptions, and thus finding new intractability assumptions is an interesting cryptographic practice. In this section, we first review the so-called nonabelian factorization problem that was first formulated in [30] and then introduce some new cryptographic problems by coupling related problems with conjugation. This idea is in fact inspired by braid cryptosystems [23] and the CSP-based constructions [32], where conjugacy-related problems play central roles. For brevity, we refer to these problems as conjugacy systems.
The conjugated decisional Diffie-Hellman (CDDH) problem with respect to , , ℎ, denoted by CDDH  ,ℎ , is to distinguish between the distribution (where , , , ∈ Z are drawn at random) and the distribution (where , , ∈ Z are drawn at random).

Hardness Assumptions.
Firstly, we should notice that the condition ⟨⟩ ∩ ⟨ℎ⟩ = {} implies that the FP problem is well-defined in the sense that the solution is unique for any given FP instance. In addition, if  is abelian and the orders of  and ℎ are coprime and known, then the FP problem can be reduced to the discrete logarithm problem in  according to [30]. However, if the orders of  and ℎ have common factors or are kept secret, or if  is nonabelian, then the FP problem seems much harder. In this case, the naive method of trying all pairs (, ) is apparently infeasible if the orders of  and ℎ are large enough. Therefore, we introduce the following meta-assumptions: (i) (, ) is a nonabelian finite group, where  is the identity; (ii) the orders of  and ℎ are large enough; (iii) ℎ ≠ ℎ and ⟨⟩ ∩ ⟨ℎ⟩ = {}.
Then, based on these meta-assumptions, our first hardness assumption states that the FP problem, and the Gap-DH  ,ℎ problem, respectively. Thirdly, the SCDP problem might be tractable for certain nonabelian groups, say matrix groups, since the trace of the matrix   ℎ   − is the same as the trace of ℎ  (conjugation preserves the trace). However, even for matrix groups, it seems that both the CCDH problem and the CDDH problem remain intractable, since we have not found a better way of solving them than the naive method of enumerating all possible entries. Intuitively, it is hard to solve the CDDH problem without solving the SCSP problem when  is modeled as a generic semigroup. In 2005, Maurer [33] proved that the discrete logarithm problem (DLP) and the corresponding decisional Diffie-Hellman (DDH) problem are polynomially equivalent in a generic cyclic group. By analogy, we conjecture that the SCSP problem and the CDDH problem in a generic noncommutative semigroup are polynomially equivalent. Furthermore, we know no better way of solving the CDDH  ,ℎ problem and the Gap-CCDH  ,ℎ problem than solving the CCDH  ,ℎ problem. Therefore, our 5th, 6th, 7th, and 8th hardness assumptions state the intractability of the SCSP  ,ℎ problem, the CCDH  ,ℎ problem, the CDDH  ,ℎ problem, and the Gap-CCDH  ,ℎ problem, respectively. Note that in this paper we do not assume that the SCDP  ,ℎ problem is hard. At present, we do not know whether the (gap) conjugated computational (resp., decisional) Diffie-Hellman problem is harder than the (gap) computational (resp., decisional) Diffie-Hellman problem or vice versa.
Finally, a solution to the FP  ,ℎ problem would imply a solution to all of the above problems [30]. In addition, ℎ  is not required to be invertible in any of the above definitions; thus it is possible to instantiate these problems over nonabelian semigroups (see Figure 1).
Remark 10 (SCSP versus CSP). Note that the subgroup conjugator searching problem (SCSP) and the subgroup conjugacy deciding problem (SCDP) introduced in this paper are in general at least as hard as the conjugator searching problem (CSP) and the conjugacy deciding problem (CDP) given in [21], in the sense that SCSP and SCDP further require the potential conjugator   to come from a specified subgroup ⟨⟩ ⊂ .
Remark 11 (quantum attack resistance). Note that in [31] we give a detailed analysis of the core role of noncommutativity in resisting Shor's quantum algorithm attacks. To make this paper self-contained, we briefly recall some points. We know that the main part of Shor's quantum algorithm is a quantum algorithm for the order-finding problem over the abelian group Z *  [16,17]. Now, suppose that a quantum algorithm for the order-finding problem over the underlying group  is at hand and that we have already worked out the order  of  and the order  of ℎ. However, the following lifting reductions are blocked by noncommutativity: The above two inequalities are very important in our arguments. Without them, one could reduce the FP  ,ℎ problem to the DLP problems over the cyclic groups ⟨⟩ and ⟨ℎ⟩, which are quantumly tractable using Shor's algorithm [31]. In this sense, BKT's method pins down the true meaning of noncommutativity for resisting Shor's quantum algorithm attacks (see Section 7.1 of [31] for more details).

Cryptographic Applications
Let us proceed to demonstrate the usefulness of the conjugacy systems defined above. Suppose that  is a nonabelian group. First, the common setting of the public parameters of the proposed schemes is given by a quintuple ⟨D, , ℎ,  1 ,  2 ⟩, where (i) D is a description of . Without loss of generality, we assume the length of D is bounded by O(log ||) for finite . When  is infinite but admits a finite presentation, say  = ⟨ | ⟩, the description D is given by the description of  and .
(ii) , ℎ ∈  are two fixed elements picked at random so that (a)  and ℎ do not commute, that is, ℎ ≠ ℎ; (b) ⟨⟩ ∩ ⟨ℎ⟩ = {}; (c) the order of  is large enough. Typically, we assume that the order of  is no less than the system security parameter  that will be specified later.
3.1. Encryption with IND-CPA Security. Now, as a warm-up, an ElGamal-like encryption scheme, denoted by  1 , is described as follows.
(i) KeyGen(1  ): this is the key generation algorithm that takes as input the system security parameter 1  , picks an integer  ∈ {0, 1}  at random, calculates  =   ℎ − ∈ , and finally outputs (  , ) ∈  2 as the private/public key pair.
(ii) Enc(; ): this is the encryption algorithm that takes as inputs the public key  ∈  and the message  ∈  and performs the following steps:
(iii) Dec(  ;  1 ,  2 ): this is the decryption algorithm that takes as inputs the private key   ∈  and the ciphertext pair ( 1 ,  2 ) ∈  2 and outputs the intended message  =  2 (   1  − ) −1 .
Correctness. The correctness of the scheme is given by the following calculation:
Security. The security of the above encryption scheme is essentially the same as that of the well-known ElGamal encryption scheme [4]. That is, it is indistinguishable against chosen plaintext attack (IND-CPA) under the assumption that the CDDH  ,ℎ problem is intractable. Similar proofs can be found in [9] or [32]. In addition, since neither  1 nor  2 is used in this scheme, it is secure in the standard model. By using two random oracles  1 and  2 , one can easily convert it into an IND-CCA2 secure encryption scheme via the well-known Fujisaki-Okamoto (FO) transformation [34] (see the proof of Theorem 14).
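The following Python program is an added example, not code from the paper or its authors. It instantiates the ElGamal-like scheme  1 of Section 3.1 over GL_4(F_p) with plain Python integers and also runs the trace check mentioned in Section 2, which is why the SCDP is not assumed hard over matrix groups. Two points are assumptions made here because the extracted text lost the symbols: the second public generator is written g, and the encryption steps (absent above) are taken to be c1 = g^r h g^{-r} and c2 = m · g^r y g^{-r}, which is exactly what the public key y = g^s h g^{-s} and the decryption formula m = c2 (g^s c1 g^{-s})^{-1} require. The prime p = 1000003, the dimension 4 and the 128-bit exponents are toy values chosen for the example, not recommended parameters.

```python
"""Added example: scheme Sigma_1 over GL_4(F_p), plus the trace leak of Section 2.
Assumptions (not from the page): generator named g; Enc computes
c1 = g^r h g^{-r}, c2 = m * g^r y g^{-r}; toy parameters P, N, KAPPA."""
import secrets

P = 1_000_003   # prime modulus of the example field F_p (toy value, not a recommended parameter)
N = 4           # matrix dimension, matching the n = 4 setting of Table 1
KAPPA = 128     # security parameter: exponents are drawn from {0,1}^KAPPA


def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]


def mat_mul(A, B):
    """Product of two N x N matrices over F_p."""
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]


def mat_inv(A):
    """Gauss-Jordan inversion over F_p; raises ValueError if A is singular."""
    M = [list(A[i]) + identity()[i] for i in range(N)]
    for c in range(N):
        piv = next((r for r in range(c, N) if M[r][c] % P), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(N):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return [row[N:] for row in M]


def mat_pow(A, e):
    """Square-and-multiply exponentiation: the O(KAPPA) group operations counted in Section 4."""
    R, B = identity(), A
    while e:
        if e & 1:
            R = mat_mul(R, B)
        B = mat_mul(B, B)
        e >>= 1
    return R


def conj(x, t):
    """Conjugation x t x^{-1}."""
    return mat_mul(mat_mul(x, t), mat_inv(x))


def trace(A):
    return sum(A[i][i] for i in range(N)) % P


def random_invertible():
    while True:
        A = [[secrets.randbelow(P) for _ in range(N)] for _ in range(N)]
        try:
            mat_inv(A)
            return A
        except ValueError:
            continue


def setup():
    """Public generators g, h. Only non-commutation is checked here; the other
    meta-assumptions (large orders, <g> and <h> meeting only in the identity)
    must be enforced by a real parameter generator and are not verified."""
    while True:
        g, h = random_invertible(), random_invertible()
        if mat_mul(g, h) != mat_mul(h, g):
            return g, h


def keygen(g, h):
    s = secrets.randbits(KAPPA)
    gs = mat_pow(g, s)        # private key is the group element g^s
    y = conj(gs, h)           # public key y = g^s h g^{-s}
    return gs, y


def encrypt(g, h, y, m):
    r = secrets.randbits(KAPPA)
    gr = mat_pow(g, r)
    c1 = conj(gr, h)                  # c1 = g^r h g^{-r}   (assumed Enc step)
    c2 = mat_mul(m, conj(gr, y))      # c2 = m * g^r y g^{-r}   (assumed Enc step)
    return c1, c2


def decrypt(gs, c1, c2):
    """m = c2 * (g^s c1 g^{-s})^{-1}, the Dec formula of Section 3.1."""
    return mat_mul(c2, mat_inv(conj(gs, c1)))


def roundtrip():
    g, h = setup()
    gs, y = keygen(g, h)
    m = random_invertible()
    c1, c2 = encrypt(g, h, y, m)
    return decrypt(gs, c1, c2) == m


def trace_leak():
    """Section 2 caveat: conjugation preserves the trace, so every c1 = g^r h g^{-r}
    has trace(h). Returns (conjugate pair matches, random matrix matches); the
    second is False except with probability about 1/P."""
    g, h = setup()
    c1, _ = encrypt(g, h, keygen(g, h)[1], identity())
    return trace(c1) == trace(h), trace(random_invertible()) == trace(h)


if __name__ == "__main__":
    print("decrypt(encrypt(m)) == m:", roundtrip())
    print("trace(c1) == trace(h), trace(random) == trace(h):", trace_leak())
```

The round trip works because powers of g commute with each other: g^s (g^r h g^{-r}) g^{-s} equals g^r (g^s h g^{-s}) g^{-r}, so both parties compute the same mask. The trace check is the practical reason the paper does not rely on SCDP hardness over matrix platforms: an observer can tell which ciphertexts were formed by conjugating h without solving any search problem.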

Signature with the Lowest Security.
Next, let us describe a signature scheme, denoted by  2 , which can be viewed as a simplified variant of the noncommutative signature scheme given in [35].
(i) KeyGen(1  ): it is the same as in Section 3.1.
(iii) Verify(; , ): this is the verification algorithm that takes as inputs the public key  ∈  and the message-signature pair (, ) and performs the following steps: (a) parse  into (, ) ∈  2 ; (b) compute V =  2 (, ) and check whether the following equality holds: (c) if so, accept the signature; otherwise, reject it.
Correctness. The correctness of the scheme is given by the following calculation:
Security. On the one hand, under the assumption that the SCSP  ,ℎ problem is intractable and  2 is a random oracle, this signature scheme merely achieves unforgeability against no-message attacks (UF-NMA); this is the lowest security level for a signature scheme, where the adversary is merely given the public key and asked to output a successful forgery. The arguments are similar to the security analysis given in [35]. On the other hand, taking this scheme as a building block, we can design a signcryption scheme that achieves existential unforgeability against external adaptive chosen message attacks (see the next subsection).

Signcryption with IND-CCA2 Security.
Based on the encryption scheme  1 and the signature scheme  2 , let us proceed to present a signcryption scheme, denoted by  3 .
(i) KeyGen(1  ): it is the same as in Section 3.1.
(ii) SignCrypt(  , ; ): this is the signcryption algorithm that takes as inputs the sender's private key   ∈ , the receiver's public key  ∈ , and the message  ∈  and performs the following steps: (a) pick  ∈ {0, 1}  at random; (b) compute where the operator "⊕" is the XOR operation over bit strings that encode a pair in  2 ; (c) output ( 1 ,  2 ).
(iii) UnSignCrypt(  , ;  1 ,  2 ): this is the unsigncryption algorithm that takes as inputs the receiver's private key   ∈ , the sender's public key  ∈ , and the ciphertext pair ( 1 ,  2 ) and performs the following steps:
Remark 12. The above signcryption scheme inherits the framework of [9]. However, the construction given here differs in the following respects.
(i) Different platforms with different security bases. In [9], the platform is the braid group   and the underlying intractability assumption is the conjugator searching problem (CSP), while in this paper the platform can be any nonabelian group and the underlying intractability assumption is the subgroup conjugator searching problem (SCSP), which is in turn based on the intractability assumption of the nonabelian factorization problem. In general, we think the SCSP problem is at least as hard as the CSP problem (see Remark 10). In particular, for problems related to nonabelian factorization, noncommutativity plays a core role in resisting Shor's quantum algorithm attacks.
(ii) Different settings with different trade-offs in computational/storage cost. As suggested in [9], with the braid group  50 , about 4 Kbits are needed to represent a braid of canonical length ℓ ≤ 10. This is somewhat inefficient in storage. Therefore, instead of keeping a braid as the private key, we merely use a positive integer  ∈ {0, 1}  to indicate the private key; since braid exponentiation can be performed very efficiently, the real private key   ∈  50 can be reconstructed whenever it is required. In this paper, however, our proposal can be instantiated over arbitrary nonabelian groups as long as the related intractability assumptions remain reasonable. Thus, we directly use   ∈  as the private key. To deploy our proposal in real systems, engineers are responsible for making a proper trade-off between storage cost and computational cost.
Correctness.The correctness of the above scheme is given by the following theorem.
Theorem 13. The proposed signcryption scheme is consistent.
Proof. Suppose the sender and the receiver behave honestly and their inputs are well formed, that is,  =   ℎ − and  =   ℎ − . Then, since we have that Then,   =  will be output correctly.
Security. For a signcryption scheme, security comprises two aspects: indistinguishability and unforgeability.
Theorem 14. Suppose that  1 and  2 are random oracles.The proposed signcryption is indistinguishable against adaptive chosen ciphertext attack (IND-CCA2) assuming that the CDDH  ,ℎ problem is intractable.
Proof (sketch). The proof follows the same thread as in [9]. First, we apply the well-known Fujisaki-Okamoto transformation theorem [34] to conclude the IND-CCA2 security of the following encryption scheme, denoted by  4 .
(i) KeyGen(1  ): it is the same as in Section 3.1.
(ii) Enc  (; ): this is the encryption algorithm that takes as inputs the receiver's public key  and a message  ∈  and performs the following steps:
(iii) Dec  (  ;  1 ,  2 ,  3 ,  4 ): this is the decryption algorithm that takes as inputs the receiver's private key   ∈  and the ciphertext quadruple ( 1 ,  2 ,  3 ,  4 ) and performs the following steps: (a) let   ← Dec(  ;  1 ,  2 ), where Dec is the decryption algorithm of Section 3.1; (b) let
Apparently,  4 is an FO-like variant of  1 , and its security is enhanced to IND-CCA2 assuming that both  1 and  2 are random oracles [34]. Now, let us show that, with the same random oracles, if there exists a probabilistic polynomial time adversary A that breaks the IND-CCA2 security of the proposed signcryption scheme  3 , then there exists another probabilistic polynomial time adversary B that breaks the IND-CCA2 security of  4 .
In fact, since B controls the responses of the random oracles  1 and  2 , it can break the IND-CCA2 security of  4 easily: whenever it sees a ciphertext ( 1 ,  2 ,  3 ,  4 ), it can retrieve the message  and the random salt  by looking up the response list of  2 , under the reasonable assumption that the probability that a different pair (  ,   ) has the same hash value as the pair (, ) is negligible. What remains is to show how B, without knowing the receiver's private key   ∈ , can perfectly simulate the responses to A's unsigncryption queries.
Whenever A makes an unsigncryption query by submitting a signcryption pair ( 1 ,  2 ), B responds as follows.
(1) Look up ( * ,  1 , * ) in the  2 -list, where * is a wildcard matching arbitrary inputs. If there is no matching triple, B sends ⊥ to A as the response.
(2) For each matching triple (  ,  1 ,   ), B performs the following steps: (a) for each (, ) in the  1 -list: (i) extract a candidate   according to the following formula: (ii) test whether the equality holds. If so, reply to A with   and end the response; otherwise, continue.
(3) If B has not yet produced a response to A, then B sends ⊥ to A and ends the response.
Finally, without making hash queries to the random oracles  1 and  2 , A's probability of submitting a valid signcryption pair ( 1 ,  2 ) is negligible. Thus, whenever A makes hash queries to  1 and  2 in order to form a valid signcryption pair, the related materials are recorded, and B can retrieve them and send A a perfect response.
Theorem 15. Suppose that  1 and  2 are random oracles. The proposed signcryption scheme is existentially unforgeable against external adaptive chosen message attacks (EUF-ext-CMA) assuming that the SCSP  ,ℎ problem is intractable.
Proof. Here, the term "external" means that the forger is neither the signer nor the intended receiver. Let us show that whenever an external attacker A outputs a successful forgery, this contradicts the UF-NMA security of the signature scheme  2 given in Section 3.2. First, without making any query, A's successful forgery is itself an attack against UF-NMA security. Next, suppose that A makes polynomially many signcryption or unsigncryption queries. Let us show that the responses to these queries do not help A forge a signcryption. Suppose A makes a signcryption query on some message  and receives a pair ( 1 ,  2 ) as the response. Afterwards, A queries the random oracle  2 on inputs  and  1 and obtains . Now, A still has no means of obtaining a valid signature from (,  1 ,  2 , ), since both    − and  remain unknown. Suppose A could obtain  by querying the random oracle  1 on input    − . Then its query input gives a solution to the SCSP instance ( 1 =   ℎ − ,  =   ℎ − ), contradicting the assumed intractability of the SCSP problem. Now, suppose A makes an unsigncryption query on some signcryption pair ( 1 ,  2 ). As in the response of B given in the proof of Theorem 14, A gets either the symbol ⊥ or a message   . In the former case, A's query is invalid and rejected. In the latter case, A's query is valid and there exists a matching entry  in the  1 -list. This in turn implies that there exists a matching entry    − in the  1 -list. However, this is impossible, since it again means a solution to the SCSP instance ( 1 =   ℎ − ,  =   ℎ − ).
This concludes the theorem.
Remark 16. To prove the unforgeability of a signature scheme, it is reasonable to exclude the signer from the set of forgers. But, as was done in [9], the so-called external attacker model further excludes the intended receiver from the set of forgers. Unlike the primitive of authenticated encryption, the authenticity embedded in the primitive of signcryption is to some extent unidirectional. That is, there seems to be no reason for an intended receiver to forge a signature on behalf of some signer and then encrypt the signature for himself/herself, except for planting false evidence against some sender. If such receiver-side forgeries must be excluded, an existentially unforgeable signature scheme, such as the noncommutative signature scheme in [36], should be embedded instead.

Sample Implementations and Performance Evaluation
In [30], the authors suggested considering the intractability assumption of the FP  ,ℎ problem over three kinds of platforms: (1) GL  (F  ), the general linear group over a finite field; (2) UT  (F  ), the nonabelian subgroup of GL  (F  ) consisting of unitriangular matrices; (3) the braid set   (), that is, the set of braids in the braid group   with  canonical factors.
First, a braid in   () can be represented by a bit string of size ⌈ln log ⌉ [23], and the complexities of braid operations such as multiplication, inversion, and canonical form computation are bounded by O( 2  log ) bit operations [9]. Thus, if we follow Maffre's suggestion of setting  = 50 and  = 10 [37], the number of bit operations for these braid operations is proportional to 2^15, and the sizes of the system parameters, the private key, the public key, and the ciphertext are 5650 bits, 80 bits, 2822 bits, and 8466 bits, respectively. A more detailed performance evaluation of braid-based cryptosystems can be found in [36] or [9].
Next, let us turn to GL  (F  ) and UT  (F  ). In particular, we focus on two aspects: the time complexity of exponentiation and the related parameter sizes. The classical techniques for matrix multiplication/inversion in GL  (F  ) (resp., UT  (F  )) take about  3 (resp., ( + 1)( + 2)/6) F  -operations, and each F  -operation needs O(log^2 ) bit operations [38]; thus, using square-and-multiply, the time complexity of computing an exponentiation   with  ∈ {0, 1}  in both GL  (F  ) and UT  (F  ) is O( 3  log^2 ) bit operations. To represent a matrix in GL  (F  ) (resp., UT  (F  )), we need  2 (resp., ( − 1)/2) F  -elements, and each F  -element occupies exactly log  bits. In practice,  need not be too large. Typically, we set  = 4 and collect our analysis in Table 1. From this table, we can see that the computational/storage cost of cryptosystems over UT  (F  ) is only about one third of that over GL  (F  ) when  = 4. (Note that since both the encryption scheme  1 and the signature scheme  2 are embedded into the signcryption scheme  3 , we only present the performance analysis for  3 .)

Conclusion
The rise of quantum algorithms casts doubt on many public key cryptosystems based on the integer factorization problem, the discrete logarithm problem, and other assumed intractable problems over certain abelian groups. Some breakthroughs in developing new public key cryptography based on nonabelian algebraic structures have been made during the past decade. In particular, Baba et al. made the first step toward constructing cryptographic schemes based on nonabelian factorization problems. In this paper, we first presented several conjugacy systems based on the factorization problem over nonabelian groups and then presented new constructions of encryption, signature, and signcryption based on the newly introduced intractability assumptions. Some possible implementation platforms and the related performance analysis were also given. Two possible directions for future work are to investigate more efficient platforms for implementing our proposal and to investigate possible reductions from the hardness of the related conjugated problems to the hardness of the underlying problems.
, is to recover   from the given pair (ℎ  ,   ℎ   − ) ∈  2 , where ,  are arbitrary integers picked at random.

Table 1: Performance of signcryption scheme  3 ( = 4). //: exponentiation/multiplication/inversion in the nonabelian group . † In the sense of bit operations. ‡ In the sense of bit length. § Including system parameters shared by all users. *