# Discrete logarithm for nilpotent groups and cryptanalysis of a polylinear cryptographic system

We present an efficient algorithm to compute a discrete logarithm in a finite nilpotent group or, more generally, in a finitely generated nilpotent group. The special cases of a finite p-group (p a prime) and of a finitely generated torsion-free nilpotent group are considered first. Then we show how the derived algorithm generalizes to an arbitrary finite or finitely generated nilpotent group, respectively. We suppose that the group is presented by generating elements and defining relators, or as a subgroup of a triangular matrix group over a prime finite field (in the finite case) or over the ring of integers (in the torsion-free case). On the basis of the derived algorithm we give a cryptanalysis of some schemes of polylinear cryptography known in the literature.

## Introduction

Let $G$ be a group. We say that the discrete logarithm is (efficiently) computable in $G$ if there is an efficient algorithm that finds an exponent $x \in \mathbb{Z}$ for any expression of the form $f = g^x$, where $g, f \in G$. The problem of determining $x$ given $g$ and $f = g^x$ is called the discrete logarithm problem in $G$. The classical Diffie-Hellman exchange protocol, the ElGamal system and many other cryptographic schemes, protocols and systems are based on the assumption that the discrete logarithm problem is hard in the groups chosen as platforms for them; see for example [1-3]. Most of these schemes, protocols and systems use abelian groups as platforms; multiplicative groups of finite fields and groups of elliptic curves over finite fields are the most popular choices. The security of currently popular algorithms relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem in the multiplicative group of a finite field, or the elliptic-curve discrete logarithm problem. It turned out that the main public-key algorithms can be efficiently broken by a sufficiently strong hypothetical quantum computer: the algorithms of Shor [4] and Grover [5] provide a quantum way to break many public-key protocols. Even though currently known quantum computers lack the processing power to break any real cryptographic algorithm, the cryptographic community pays great attention to constructing new, so-called post-quantum, cryptographic algorithms based on non-commutative algebraic structures. Post-quantum cryptography is now a specific area of investigation. The most popular cryptographic platforms in this new area are matrix groups, nilpotent and polycyclic groups, Artin braid groups, some other infinite abstract groups, and so on. See [6, 7] for a survey of the current state of this area.
Cryptanalysis of the main algorithms of algebraic cryptography can be found in [8-13]. In this paper we consider the discrete logarithm problem in a finite nilpotent group, specifically in the group $UT(n, \mathbb{F}_p)$ of unitriangular $n \times n$ matrices over the prime finite field $\mathbb{F}_p$ of characteristic $p$. We introduce an efficient algorithm that solves the problem by computing the discrete logarithm in any finite nilpotent group. The approach can also be applied to computing the discrete logarithm in any finitely generated nilpotent group; in particular, the algorithm applies to the group $UT(n, \mathbb{Z})$ of unitriangular matrices over the ring $\mathbb{Z}$ of integers. Since every finite nilpotent group $G$ is the direct product of its Sylow $p$-subgroups for $p \in \pi(G)$, in the finite case it suffices to describe the algorithm for a finite $p$-group $G$, $p$ a prime; a corresponding version of the Chinese Remainder Theorem then allows one to compute the discrete logarithm in any finite nilpotent group. Any finitely generated torsion-free nilpotent group has a finite normal central series whose quotients are free abelian of finite rank, and it embeds into $UT(n, \mathbb{Z})$ for suitable $n$. The elements of finite order in a finitely generated nilpotent group $G$ form a finite subgroup $T = T(G)$ (the torsion subgroup). Then $G_0 = G/T$ is torsion-free, and we can use $G_0$ and $T$ to generalize the constructed algorithm to any finitely generated nilpotent group. For the fundamentals of the theory of nilpotent groups see, for example, [14-16]; a short introduction can be found in [17]. Note that matrix groups, as one of the most widely studied classes of non-abelian groups, were considered as suitable platforms for group-based cryptography from the very beginning.
In [18] and in some other papers, different authors proposed (using the Jordan theory) to reduce the discrete logarithm problem for matrices to a simultaneous discrete logarithm problem in some extension of the underlying field. This approach does not work when all eigenvalues (characteristic numbers) are equal to 1, as is the case for unitriangular matrices, so a different approach is needed for this specific case.

## 1. The discrete logarithm in a nilpotent group

Let $G$ be a finite $p$-group. Consider the normal series

$$G = G_0 > G_1 > \dots > G_k = 1, \tag{1}$$

where $G_{i+1} = G_i^p G_i'$, $i = 0, \dots, k-1$. Here $G_i^p = \mathrm{gp}(g^p : g \in G_i)$ and $G_i'$ is the derived subgroup of $G_i$, generated by all commutators of the form $[g, f] = g^{-1} f^{-1} g f$, $g, f \in G_i$. Every quotient $B_i = G_i/G_{i+1}$ is an elementary abelian $p$-group of some rank $r_i$, i.e. a direct product $\prod_{j=1}^{r_i} C_j(p)$, $C_j(p) \simeq C_p$, where $C_p$ is the cyclic group of order $p$. For any $g \in G$ we have $g^p \in G_1$ and, inductively, $g^{p^i} \in G_i$; hence $g^{p^k} = 1$.

Suppose that

$$g^x = f, \tag{2}$$

where $g, f$ are known elements of $G$ and $x$ ($x \in \mathbb{N}$, $1 \le x < |g|$) is the unknown exponent; here $|g|$ denotes the order of $g$. We compute $x$ in the form $x = x_0 + x_1 p + \dots + x_{k-1} p^{k-1}$, where $0 \le x_i < p$, $i = 0, 1, \dots, k-1$.

Algorithm.

1) For any $h \in G$, $\bar h$ denotes the standard image of $h$ in $B_0$. Suppose that $\bar f \neq 1$; then $\bar g \neq 1$ and $\bar g^{x_0} = \bar f$. The exponent $x_0$ is uniquely determined by the usual computation with vectors in $B_0$. Then we set $g_1 = g^p$, $f_1 = g^{-x_0} f \in G_1$ and reduce our computation to the equation $g_1^{(x - x_0)/p} = f_1$ in $G_1$. If $\bar f = 1$ and $\bar g = 1$, then $g, f \in G_1$ from the beginning, and we continue with the equation $g^{x - x_{k-1} p^{k-1}} = f$ in $G_1$, because in this case $g^{p^{k-1}} = 1$. If $\bar f = 1$ (i.e. $f \in G_1$) and $\bar g \neq 1$, then $x_0 = 0$; we set $g_1 = g^p \in G_1$ and continue with the equation $g_1^{x/p} = f$ in $G_1$.

2) Continuing this process we obtain the solution $x = \log_g(f)$.

In the specific case $G = UT(n, \mathbb{F}_p)$, series (1) is as follows: $G_i$ ($i = 1, \dots, n-1$) consists of all matrices whose first $i$ diagonals above the main diagonal are zero.
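The algorithm in the matrix setting, as an added worked example (this is not the paper's code): it walks the series of superdiagonals described above, reading the image of a matrix in $B_i = G_i/G_{i+1}$ as the $\mathbb{F}_p$-vector formed by its $(i+1)$-th superdiagonal. The only properties the code relies on are that this map is a homomorphism on $G_i$ (the product of two matrices of $G_i$ only adds their $(i+1)$-th superdiagonals) and that $g^p$ and $g^{-x_i} f$ drop into $G_{i+1}$. Function names, the `Matrix` alias and the sample matrices are the example's own.

```python
"""Discrete logarithm in UT(n, F_p) along the series G_0 > G_1 > ... > G_{n-1} = 1
of Section 1, where G_i is the set of unitriangular matrices whose first i
superdiagonals are zero.  Added example, not the paper's code; pure Python."""
from typing import List, Optional

Matrix = List[List[int]]


def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(a: Matrix, b: Matrix, p: int) -> Matrix:
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]


def mat_pow(a: Matrix, e: int, p: int) -> Matrix:
    # square-and-multiply, e >= 0
    result, base = identity(len(a)), a
    while e:
        if e & 1:
            result = mat_mul(result, base, p)
        base = mat_mul(base, base, p)
        e >>= 1
    return result


def mat_inv_unitriangular(a: Matrix, p: int) -> Matrix:
    # a = 1 + N with N strictly upper triangular, so N^n = 0 and
    # (1 + N)^{-1} = 1 - N + N^2 - ... +- N^{n-1}
    n = len(a)
    N = [[(a[i][j] - int(i == j)) % p for j in range(n)] for i in range(n)]
    result, term, sign = identity(n), identity(n), -1
    for _ in range(1, n):
        term = mat_mul(term, N, p)
        result = [[(result[i][j] + sign * term[i][j]) % p for j in range(n)]
                  for i in range(n)]
        sign = -sign
    return result


def superdiag(a: Matrix, i: int) -> List[int]:
    # image of a in B_i = G_i / G_{i+1}: the (i+1)-th superdiagonal as a vector
    # in F_p^{n-i-1}; restricted to G_i this is a homomorphism with kernel G_{i+1}
    n = len(a)
    return [a[r][r + i + 1] for r in range(n - i - 1)]


def dlog_ut(g: Matrix, f: Matrix, p: int) -> Optional[int]:
    """Return the least x >= 0 with g^x = f in UT(n, F_p), or None if f is not a power of g."""
    n = len(g)
    x, scale = 0, 1          # x accumulates x_0 + x_1 p + ...; scale is the current power of p
    for i in range(n - 1):   # loop invariant: g and f both lie in G_i
        gbar, fbar = superdiag(g, i), superdiag(f, i)
        if any(gbar):
            # g is not in G_{i+1}: solve fbar = x_i * gbar in the vector space B_i
            j = next(k for k, v in enumerate(gbar) if v)
            xi = fbar[j] * pow(gbar[j], -1, p) % p
            if any((xi * gv - fv) % p for gv, fv in zip(gbar, fbar)):
                return None  # fbar is not a multiple of gbar, so f is not a power of g
            x += xi * scale
            scale *= p
            f = mat_mul(mat_pow(mat_inv_unitriangular(g, p), xi, p), f, p)  # g^{-x_i} f, now in G_{i+1}
            g = mat_pow(g, p, p)                                           # g^p, now in G_{i+1}
        elif any(fbar):
            return None      # g already lies in G_{i+1} but f does not
        # otherwise both already lie in G_{i+1}: x_i = 0, move one level down
    return x                 # at this point g = f = 1


if __name__ == "__main__":
    p, n = 3, 4
    g = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]   # g = 1 + N, |g| = 9 because p < n
    f = mat_pow(g, 7, p)
    print(dlog_ut(g, f, p))   # 7
```

With $p = 3$, $n = 4$ and $g = 1 + N$ for the full-superdiagonal matrix $N$, one has $g^3 = 1 + N^3 \neq 1$, so $|g| = 9$ and the routine needs two non-zero digits to recover $x = 7$ from $f = g^7$; the consistency check in the first branch is what makes it report "not a power of $g$" instead of returning a wrong digit. When $p \ge n$ every non-identity element has order $p$ (since $(1+N)^p = 1 + N^p = 1$), so the loop finishes after a single digit and the returned $x$ is the minimal logarithm, as the paper notes.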
Since each finite $p$-group embeds into $UT(n, \mathbb{F}_p)$ for suitable $n$, one can apply the algorithm described above to the corresponding matrix group $UT(n, \mathbb{F}_p)$. Note that we compute the minimal discrete logarithm $x$.

Now let $G$ be a finite nilpotent group. Then $G$ is the direct product $\prod_{p \in \pi(G)} G_p$, where $G_p$ denotes the Sylow $p$-subgroup of $G$. Let $g = \prod_{p \in \pi(G)} g_p$ and $f = \prod_{p \in \pi(G)} f_p$ be the expressions of $g$ and $f$, respectively, as elements of this direct product. Let $x_p$ be a solution of $g_p^{x_p} = f_p$ in $G_p$, $p \in \pi(G)$. A solution $x$ of (2) can be efficiently computed by the Chinese Remainder Theorem as a solution of the system of congruences $x \equiv x_p \pmod{p^{t_p}}$, where $p^{t_p}$ is the order of $g_p$, $p \in \pi(G)$.

A similar algorithm works for any group $UT(n, \mathbb{Z})$, and so for every finitely generated torsion-free nilpotent group $G$, because every such group embeds into $UT(n, \mathbb{Z})$ for sufficiently large $n$. Alternatively, we can use a central series of $G$ with torsion-free quotients, which are free abelian groups of finite rank.

Let $G$ be a finitely generated nilpotent group and let $T = T(G)$ be its torsion subgroup, consisting of all elements of finite order; it is known to be finite. The elements $g$ and $f$ in (2) either both lie in $T$ or both lie outside $T$. If $g, f \in T$, we apply the algorithm to compute $x$ in the finite group $T$. If $g, f \notin T$, then the exponent $x$ is uniquely determined by the corresponding equation $\bar g^x = \bar f$ in the torsion-free group $\bar G = G/T$. Hence we succeed again.

## 2. Applications

In recent years polylinear (in other words, multilinear) maps have attracted the attention of cryptographers. This is now a hot topic in cryptography because such maps offer a significant number of applications. The main open problem in this area is constructing a secure and efficiently computable polylinear map. The idea was first proposed by D. Boneh and A. Silverberg [19]; see also [20-22]. In [23], the authors proposed two polylinear protocols using finite $p$-groups as platforms, in which the security is based on the chosen discrete logarithm problem.
Below we describe these two protocols and give a cryptanalysis showing their vulnerability. First we introduce the idea of a cryptographic polylinear map. Let $C_p(1)$ and $C_p(2)$ be two cyclic groups of prime order $p$. Let $\alpha : C_p(1) \times \dots \times C_p(1) \to C_p(2)$ be a non-degenerate polylinear map. Here non-degenerate means that if $g(1)$ is a generator of $C_p(1)$, then $\alpha(g(1), \dots, g(1))$ is a generator $g(2)$ of $C_p(2)$. Polylinear means that $\alpha(g_1^{k_1}, \dots, g_n^{k_n}) = \alpha(g_1, \dots, g_n)^{k_1 \cdots k_n}$ for any $g_1, \dots, g_n \in C_p(1)$. More generally, we can define a polylinear map as $\alpha : G_1 \times \dots \times G_n \to G$, where $G_1, \dots, G_n, G$ are arbitrary groups such that $\alpha(g_1^{k_1}, \dots, g_n^{k_n}) = \alpha(g_1, \dots, g_n)^{k_1 \cdots k_n}$ for any $g_i \in G_i$, $i = 1, \dots, n$, with some natural non-degeneracy property. Obviously, a polylinear map with good cryptographic properties, namely efficient computability of the main operations in both groups $C_p(i)$, $i = 1, 2$, efficient computability of $\alpha$ and a hard discrete logarithm problem in $C_p(1)$, can be used to construct cryptographic schemes. For example, a version of the famous Diffie-Hellman protocol can be based on a polylinear map.

Now we consider the two protocols proposed in [23].

Protocol 1. Let $A_1, \dots, A_{n+1}$ be the users. They choose a public nilpotent group $G$ of nilpotency class $n > 1$. Simple commutators of elements of $G$ are defined inductively as follows. A usual commutator $[g_1, g_2]$ is said to be simple of length 2. If $[g_1, \dots, g_q]$ is a simple commutator of length $q$, then $[[g_1, \dots, g_q], g_{q+1}]$ is a simple commutator of length $q + 1$. A group $G$ is nilpotent of nilpotency class $n$ if every simple commutator of length $n + 1$ is 1 and $n$ is minimal with this property. Then the following identity holds: for any $l_i \in \mathbb{N}$, $i = 1, \dots, n$, and any tuple $(g_1, \dots, g_n)$ of elements of $G$,

$$[g_1^{l_1}, \dots, g_n^{l_n}] = [g_1, \dots, g_n]^{l}, \qquad l = \prod_{i=1}^{n} l_i.$$
The key exchange works as follows:

- The users $A_j$ choose random positive integers $k_j$, $j = 1, \dots, n+1$, respectively, and transmit over the public channel the elements $g_i^{k_j}$ for $i = 1, \dots, n$.
- The user $A_j$ computes $[g_1^{k_1}, \dots, g_{j-1}^{k_{j-1}}, g_j^{k_{j+1}}, \dots, g_n^{k_{n+1}}]^{k_j} = [g_1, \dots, g_n]^k$, $k = \prod_{j=1}^{n+1} k_j$.
- $K = [g_1, \dots, g_n]^k$ is the exchanged key.

Cryptanalysis. From any pair of public elements $g_i, g_i^{k_j}$ we efficiently compute $k_j'$ such that $g_i^{k_j'} = g_i^{k_j}$ by the algorithm described in Section 1. Then we can compute $K$ as $A_j$ does. A possible difference between $k_j$ and $k_j'$ obviously does not matter.

Protocol 2. Let the users $A_1, \dots, A_{n+1}$ choose a public nilpotent group $G$ of nilpotency class $n > 1$ as above. In addition, $G$ should be a non-$n$-Engel group: there exist elements $f$ and $g$ such that the simple commutator $[f, g; n] = [f, g, \dots, g]$ of length $n + 1$ is not 1. The key exchange works as follows.

- The users $A_j$ choose random elements $k_j$, respectively, $j = 1, \dots, n+1$, and transmit over the public channel the elements $g^{k_j}$ for $j = 1, \dots, n+1$.
- The user $A_j$ computes $[f^{k_j}, g^{k_1}, \dots, g^{k_{j-1}}, g^{k_{j+1}}, \dots, g^{k_{n+1}}] = [f, g; n]^k$, $k = \prod_{j=1}^{n+1} k_j$.
- $K = [f, g; n]^k$ is the exchanged key.

Cryptanalysis. From any pair of elements $g, g^{k_j}$ we efficiently compute $k_j'$ such that $g^{k_j'} = g^{k_j}$ by the algorithm described in Section 1. Then we can compute $K$ as $A_j$ does. A possible difference between $k_j$ and $k_j'$ obviously does not matter in this case either.

Remark 1. In considering Protocols 1 and 2 above we supposed that elements of the platform group are written either as words in the given generators or as matrices in the matrix setting. In [23], the authors do not explain in what form an element is expressed. Note that we assume that we can efficiently compute the exponent in any expression of the form $g^x = f$ in an elementary abelian $p$-group. Obviously, we can if the elements of this group are written as vectors over $\mathbb{F}_p$, and this is possible for both forms of expressing elements that we have discussed.
In [23], the authors proposed the following group as a platform. Take $q = 2p^3 + 1$, where $p$ and $q$ are large primes. Let $X = \mathrm{gp}(x)$ and $Y = \mathrm{gp}(y)$ be the subgroups of $\mathbb{F}_q^*$ of orders $p^3$ and $p^2$, respectively. Selecting a nontrivial automorphism $\alpha$ of $X$ amounts to choosing a positive integer $m < p^3$, relatively prime to $p$, such that $\alpha(x) = x^m$. Define $G = Y \ltimes_\alpha X$, the semidirect product of $X$ by $Y$. We identify $x$ with $(1, x)$ and $y$ with $(y, 1)$. Suppose that $m = p + 1$. Then $G$ has the presentation $G = \langle x, y : x^{p^3} = y^{p^2} = 1,\ x^y = x^{p+1} \rangle$, and $G$ is a finite $p$-group of order $p^5$ and nilpotency class 3 which is not 2-Engel. The group $G$ is suggested as a platform for Protocols 1 and 2 for 4 and 3 users, respectively. Consider, for example, Protocol 2. One can take $f = x$ and $g = y$. Indeed, $[x, y] = x^{-1} x^y = x^p$, $[x, y; 2] = x^{p^2}$, and $[x, y; 3] = 1$. The algorithm constructed above works if we can efficiently solve the discrete logarithm problem in $\mathbb{F}_q$. Unfortunately, the authors of [23] do not explain the details of how elements are expressed. In any case, our approach reduces the problem to computations in abelian groups; hence Protocols 1 and 2 cannot be considered pure post-quantum protocols.

There is another approach, as follows. Let $\mathbb{F}_q(z)$ be an extension of $\mathbb{F}_q$, where $z^p = x$. Then we define $z^y = z^{p+1}$ and $z^x = z$ and obtain a group $\tilde G$ that contains $G$ as a subgroup. We see that $[z, y^{k_1}, y^{k_2}, y^{k_3}] = [x, y; 2]^k$, $k = \prod_{j=1}^{3} k_j$, which is the exchanged key.
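The platform group of [23] described above, modelled as an added example (not code from this paper or from [23]). Elements are stored in the normal form $y^b x^a$ as pairs $(b, a)$, a representation chosen here, with the toy prime $p = 5$ (for which $q = 2p^3 + 1 = 251$ is prime); names such as `engel`, `protocol2_key` and `key_from_public` and the sample secrets are the example's own. The block checks that the action $x \mapsto x^{p+1}$ has order exactly $p^2$ modulo $p^3$ (so the presentation defines a group of order $p^5$), verifies the three commutator identities stated above and the polylinear identity of Protocol 1 in this class-3 group, runs Protocol 2 for three users with $f = x$, $g = y$, and shows the reduction the cryptanalysis rests on: the exchanged key is a function of the exponents of the public elements in the cyclic group $Y$, which in this normal form are simply read off, and which in an $\mathbb{F}_q^*$ encoding would be the discrete logarithm in $\mathbb{F}_q^*$ referred to above.

```python
"""Toy model of the platform group G = <x, y : x^{p^3} = y^{p^2} = 1, x^y = x^{p+1}>
of Section 2 (a p-group of order p^5 and class 3).  Added example, not code
from the paper or from [23].  Elements are kept in the normal form y^b x^a as
pairs (b, a), a representation chosen here; p = 5 is a toy prime for which
q = 2p^3 + 1 = 251 is prime, as the construction in [23] requires."""
from functools import reduce

P = 5
MOD_X, MOD_Y = P ** 3, P ** 2   # |x| = p^3, |y| = p^2
ONE = (0, 0)
X, Y = (0, 1), (1, 0)           # x = y^0 x^1, y = y^1 x^0


def action_order_ok() -> bool:
    # y acts on X = <x> by x -> x^{p+1}; for y^{p^2} = 1 to be consistent with a
    # faithful action, p + 1 must have order exactly p^2 modulo p^3
    return pow(P + 1, P * P, MOD_X) == 1 and pow(P + 1, P, MOD_X) != 1


def mul(u, v):
    # (y^b x^a)(y^d x^c) = y^{b+d} x^{a(p+1)^d + c}, because y^{-d} x y^d = x^{(p+1)^d}
    b, a = u
    d, c = v
    return ((b + d) % MOD_Y, (a * pow(P + 1, d, MOD_X) + c) % MOD_X)


def inv(u):
    b, a = u
    d = (-b) % MOD_Y
    return (d, (-a * pow(P + 1, d, MOD_X)) % MOD_X)


def power(u, e):
    result, base = ONE, u
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def comm(g, h):
    # [g, h] = g^{-1} h^{-1} g h, the convention of Section 1
    return mul(mul(inv(g), inv(h)), mul(g, h))


def simple_comm(*gs):
    # left-normed simple commutator [g1, g2, ..., gq] = [[...[g1, g2], g3], ..., gq]
    return reduce(comm, gs)


def engel(f, g, n):
    # [f, g; n] = [f, g, ..., g] with n copies of g (a simple commutator of length n + 1)
    return simple_comm(f, *([g] * n))


def check_identities():
    # the facts stated above: [x, y] = x^p, [x, y; 2] = x^{p^2}, [x, y; 3] = 1
    return (engel(X, Y, 1) == power(X, P),
            engel(X, Y, 2) == power(X, P * P),
            engel(X, Y, 3) == ONE)


def polylinear_identity_holds(l1, l2, l3):
    # [x^{l1}, y^{l2}, y^{l3}] = [x, y; 2]^{l1 l2 l3}, the identity Protocol 1 relies on
    lhs = simple_comm(power(X, l1), power(Y, l2), power(Y, l3))
    return lhs == power(engel(X, Y, 2), l1 * l2 * l3)


def protocol2_key(secrets):
    """Protocol 2 with n = 2 (three users), f = x, g = y: user j publishes y^{k_j}
    and computes [x^{k_j}, y^{k_i}, y^{k_l}] over the two other users' elements.
    Returns the public elements and the three computed keys (which coincide)."""
    public = [power(Y, k) for k in secrets]
    keys = []
    for j, kj in enumerate(secrets):
        others = [public[i] for i in range(3) if i != j]
        keys.append(simple_comm(power(X, kj), *others))
    return public, keys


def key_from_public(public):
    """The paper's reduction: the exponent of each public element y^{k_j} is a
    discrete logarithm in the cyclic group Y = <y>.  In the normal form (b, a)
    it is the coordinate b; in an F_q^* encoding this step would be a discrete
    logarithm in F_q^*.  Any representative modulo |y| = p^2 gives the same key."""
    exps = [b for b, _ in public]
    return simple_comm(power(X, exps[0]), public[1], public[2])


if __name__ == "__main__":
    print(action_order_ok(), check_identities())
    public, keys = protocol2_key((7, 11, 13))        # constructed sample secrets
    print(keys, key_from_public(public))
```

Since $[x, y; 2] = x^{p^2}$ has order $p$, the key depends only on $k_1 k_2 k_3 \bmod p$; this is why a representative $k_j'$ of the exponent modulo $|y| = p^2$ produces the same key, which is the content of the remark above that a difference between $k_j$ and $k_j'$ does not matter. With the constructed secrets $(7, 11, 13)$ all three users obtain $x^{25} = [x, y; 2]^{1001}$, and so does `key_from_public`.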

## Keywords

discrete logarithm, nilpotent group, polylinear system, cryptanalysis

## Authors

Roman'kov Vitaly Anatol'evich | Dostoevsky Omsk State University | Doctor of Physical and Mathematical Sciences, Professor, Head of Department | romankov48@mail.ru |

## References

1. Menezes A. J., van Oorschot P. C., and Vanstone S. A. Handbook of Applied Cryptography. N.Y., CRC Press, 1997.

2. Koblitz N. A Course in Number Theory and Cryptography. N.Y., Springer, 1987.

3. Roman'kov V. A. Vvedenie v kriptografiyu [Introduction to Cryptography]. Moscow, Forum Publ., 2012 (in Russian).

4. Shor P. Polynomial-time algorithm for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput., 1997, no. 5, pp. 1484-1509.

5. Grover L. K. A fast quantum mechanical algorithm for database search. Proc. 28th Ann. ACM Symp. on Theory of Comput., 1997, no. 5, pp. 212-219.

6. Myasnikov A., Shpilrain V., and Ushakov A. Group-Based Cryptography. Barcelona-Basel, CRM, 2008 (Advanced Courses in Math.).

7. Myasnikov A., Shpilrain V., and Ushakov A. Non-commutative Cryptography and Complexity of Group-Theoretic Problems. With an Appendix by Natalia Mosina. Math. Surveys and Monographs, 2011, vol. 177, Providence RI, AMS.

8. Roman'kov V. A. Algebraicheskaya kriptografiya [Algebraic Cryptography]. Omsk, OmSU Publ., 2013 (in Russian).

9. Myasnikov A. and Roman'kov V. A linear decomposition attack. Groups, Complexity, Cryptology, 2015, vol. 7, pp. 81-94.

10. Roman'kov V. A non-linear decomposition attack. Groups, Complexity, Cryptology, 2015, vol. 8, pp. 197-207.

11. Roman'kov V. A. Essays in Algebra and Cryptology. Algebraic Cryptanalysis. Omsk, OmSU Publ., 2018.

12. Tsaban B. Polynomial-time solutions of computational problems in noncommutative-algebraic cryptography. J. Cryptology, 2015, vol. 28, pp. 601-622.

13. Ben-Zvi A., Kalka A., and Tsaban B. Cryptanalysis via algebraic spans. LNCS, 2018, vol. 10991, pp. 1-20.

14. Kargapolov M. I. and Merzlyakov Y. I. Fundamentals of the Theory of Groups. N.Y., Springer Verlag, 1979.

15. Hall P. Nilpotent Groups. Edmonton Notes on Nilpotent Groups. Queen Mary College Math. Notes, Math. Dept., London, Queen Mary College, 1969.

16. Lennox J. C. and Robinson D. J. S. The Theory of Infinite Soluble Groups. Oxford, Clarendon Press, 2004 (Oxford Math. Monographs).

17. Roman'kov V. A. and Khisamiev N. G. Nil'potentnye gruppy [Nilpotent Groups]. Ust-Kamenogorsk, EKSTU Publ., 2013 (in Russian).

18. Menezes A. J. and Vanstone S. A. A note on cyclic groups, finite fields and the discrete logarithm problem. AAECC, 1992, vol. 3, pp. 67-74.

19. Boneh D. and Silverberg A. Applications of multilinear forms in cryptography. Contemporary Math., 2003, vol. 324, pp. 71-90.

20. Lin H. and Tessaro S. Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs. Cryptology ePrint Archive, Report 2017/250, 2017. https://eprint.iacr.org/2017/250

21. Huang M. A. Trilinear Maps for Cryptography. arXiv:1803.10325, 2018.

22. Mahalanobis A. The Diffie-Hellman key exchange protocol and non-abelian nilpotent groups. Israel J. Math., 2008, vol. 165, pp. 161-187.

23. Kahrobaei D., Tortora A., and Tota M. Multilinear Cryptography Using Nilpotent Groups. arXiv:1902.08777v1 [cs.CR], 23 Feb 2019. 8 p.