Survey on SAP and its application in public-key cryptography

Abstract The concept of the semigroup action problem (SAP) was first introduced by Monico in 2002. Monico explained in his paper that the discrete logarithm problem (DLP) can be generalized to SAP. After defining the action problem in a semigroup, the concept was extended using different mathematical structures. In this paper, we discuss the concept of SAP and present a detailed survey of the work which has been done using it in public-key cryptography.


Introduction
Before 1976, secret-key cryptography was used to secure communication over an open channel. In 1976, Diffie and Hellman [4] gave cryptography a completely new direction by introducing the concept of public-key cryptography. Since then it has become a prominent area of research, and a large body of work has made public-key cryptography more advanced. The security of public-key cryptography relies on the intractability of some computationally hard problems, such as integer factorization [15], the discrete logarithm problem (DLP) [4,6] and many others. DLP forms the basis for many cryptographic protocols.
In 2002, Monico generalized the concept of DLP and proposed the semigroup action problem (SAP) [13]. He defined the Diffie-Hellman key exchange protocol and the ElGamal cryptosystem using this new computational problem. After defining a semigroup action on an abelian group, the same concept was transferred to the action of a semiring on a semimodule in [10,11,12] and to the action of a quotient semiring on a semimodule in [1,5]. In [5,10,11], the ElGamal cryptosystem was defined whose security depends on the hardness of finding a control sequence which steers the initial vector to the final vector. The idea of a two-sided matrix action over a semiring was proposed in [9]; it appears intractable if a simple semiring is used and the size of the matrices used to define the action is chosen appropriately. The use of a simple semiring avoids Pohlig-Hellman type reduction attacks [14]. In [7,23], the problem of obtaining simple semirings was treated: [23] gives a classification of proper finite simple semirings with zero, which was further investigated in [7] to explain computational aspects of finite simple semirings.
Stolbunov presented the reductionist security argument for public-key cryptographic schemes based on group action in [21]. Some signature schemes were also proposed in [16,17,18], whose underlying hard problems come from monoid and semiring action problems.
2 | N. Goel, I. Gupta and B. K. Dass, Survey on SAP

The paper is organized in the following manner. In Section 2, mathematical preliminaries are given. In Section 3, the semigroup action in public-key cryptography is explained. In Section 4, the security of SAP and of the cryptosystems based on it is discussed, first heuristically and then with the help of a formal security model. In Section 5, work based on the action of algebraic structures is explained. In Section 6, the future scope of SAP is discussed. Finally, in Section 7, we conclude the paper.

Mathematical preliminaries
In this section some basic definitions are given which are required for understanding the paper.

Definition 2.1 (Group action). Let (G, ⋅) be a group and let S be a non-empty set. Then G is said to act on S if there exists a function ϕ : G × S → S, with ϕ(a, x) = ax, such that a(bx) = (ab)x and ex = x (e is the identity element of G) for all a, b ∈ G, x ∈ S. This mapping ϕ is called the group action of G on S.

Definition 2.2 (Semigroup action). Let S be a finite set. Then the (left) action of the semigroup (G, ⋅) on S is defined as a function ϕ : G × S → S, with ϕ(g, s) = gs, such that (gh)s = g(hs) for all g, h ∈ G and s ∈ S. This action is called a semigroup action on the set S. (A right action is defined similarly.)

Definition 2.3 (Semiring). A non-empty set R equipped with two binary operations (⋅) and (+), termed multiplication and addition, respectively, is called a semiring if it has the following three properties: (a) (R, +) is an abelian semigroup, (b) (R, ⋅) is a semigroup, (c) ⋅ is distributive over +.

Definition 2.4 (Congruence simple semiring (or c-simple semiring)). A semiring R that does not possess any congruence relation (except the trivial relations id_R and R × R) is said to be a congruence simple semiring or c-simple semiring. A congruence relation is an equivalence relation ∼ on R that satisfies the following properties: for every r, r_1, r_2 ∈ R.

Definition 2.5 (Semimodule). Let R be a semiring. A (left) semimodule is a commutative monoid (M, +) with neutral element 0 ∈ M such that for all a, b ∈ M and r, s ∈ R the following conditions are satisfied: If the elements of R act on the right we call it a (right) semimodule.

Definition 2.6 (Partitioning ideal). An ideal I of a semiring R is called a partitioning ideal (or Q-ideal) if there exists a non-empty subset Q of R such that (a) R = ⋃{q + I : q ∈ Q}, and (b) if q_1, q_2 ∈ Q, then (q_1 + I) ∩ (q_2 + I) ≠ ∅ if and only if q_1 = q_2.

Definition 2.7 (Quotient semiring). Let I be a Q-ideal of a semiring R and let R/I = {q + I : q ∈ Q}. Then R/I forms a semiring under the binary operations ⊕ and ⊙ defined as (q_1 + I) ⊕ (q_2 + I) = q_3 + I, where q_3 ∈ Q is the unique element such that q_1 + q_2 + I ⊆ q_3 + I, and (q_1 + I) ⊙ (q_2 + I) = q_4 + I, where q_4 ∈ Q is the unique element such that q_1 q_2 + I ⊆ q_4 + I. This semiring R/I is called the quotient semiring of R by I.

Definition 2.8 (Discrete logarithm problem). Given a prime p, a generator α of ℤ_p^* and an element β ∈ ℤ_p^*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x ≡ β (mod p).

Definition 2.9 (Diffie-Hellman problem). Given a prime p, a generator α of ℤ_p^*, and elements α^a mod p, α^b mod p, find α^{ab} mod p.

Semigroup action in public key cryptography
In 2002, Monico presented the semigroup action problem by considering DLP as a special instance of an action by a semigroup. He defined the key-exchange protocol and the extended ElGamal cryptosystem whose security relies on the intractability of SAP.

Definition 3.1 (Semigroup action problem (SAP)). Let G be a semigroup acting on a set S. Then, for given x ∈ S and y ∈ Gx, find g ∈ G such that g ∗ x = y, where ∗ is the operation between the elements of G and S.¹

Definition 3.2 (Semigroup action problem on two-sided matrix action). Let R be a semiring (not necessarily commutative) with 0 and 1.
Then the following action is linear, as explained in [9] and [11]: The semigroup action problem on this action is defined as follows: For given .

Now, according to the DDHAP assumption [21], the advantage Adv^{DDHAP}_A is a negligible function of k for any polynomial-time distinguisher A, where k (= log ♯(Gx)) is the security parameter.

Applications of SAP to public-key cryptography
After the proposal of SAP, cryptographic protocols have been designed using SAP as a trapdoor in different algebraic structures.

Key exchange protocols based on SAP using different algebraic structures
The key-agreement protocol proposed by Monico in [13], whose security relies on the intractability of SAP, is defined as follows.
Key exchange protocol using action of semigroup over finite set.
(i) Domain parameters: Let (S, G, φ, s) be the domain parameters used to define the key exchange protocol. Here, the abelian semigroup G acts on the finite set S under the mapping φ, and s ∈ S.
(ii) Key exchange algorithm: Alice secretly chooses a ∈ G, computes as and sends it to Bob. Similarly, Bob secretly chooses b ∈ G, computes bs and sends it to Alice. The common secret key is then a(bs) = (ab)s = (ba)s = b(as).
An interesting example is presented in [13] using the action of the semigroup Mat_m(ℤ) over a ℤ-module is a finite abelian semigroup and for which the SAP may be considered hard. The cryptosystem defined over this action is discussed as follows.
Key exchange protocol using matrix action.
, φ, s) be the domain parameters used to define the key exchange protocol. Here S is a finite abelian group of order k,
In [11] Maze, Monico and Rosenthal extended the action of a semigroup over a semiring by defining the action of a simple ring over a simple module. The security of this system depends on the problem of steering the state of some dynamical system from an initial vector to some final position [11]. However, this system breaks down in the case where the rings and modules used for the system are more general, as explained in [10]. Therefore, for security purposes, simple semirings are preferred. The system is defined as follows.
Key exchange protocol using action of semiring over semimodule.
In [5], Ebrahimi Atani et al. extend the semigroup action to the action of quotient semirings on semimodules. The security of this system also depends on the problem of steering the state of some dynamical system from an initial vector to some final position. However, this system breaks down in some cases, for example when R/I = M = F, a finite field, i.e., if the quotient semiring is a field, then the system can be easily solved using [11, Theorem 3.1].
Key exchange protocol using action of quotient semirings over semimodule.
In [5], a more generalized form is also defined using the action of matrix quotient semirings over a semimodule.
The key exchange protocol using the semigroup action problem as two-sided matrix action [11] is defined as follows.
Key exchange protocol using two-sided matrix action.
and sends the result to Alice. The common key is then

ElGamal cryptosystem based on SAP
The ElGamal cryptosystem based on SAP [13] is defined as follows.
ElGamal cryptosystem using action of semigroup over finite group.
Let G be the subgroup generated by these three points, i.e., G = ⟨P_1, P_2, P_3⟩, and Mat_3(ℤ_5) is a group of 3 × 3 matrices over ℤ_5. Now, using these parameters, the key exchange protocol is defined as follows: (i) Domain parameters: Let (G, H, φ, A, x) be the domain parameters used to define the cryptosystem. Here, φ is the mapping used to define the action of H over
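As an added worked example (this is not code from the surveyed papers, and the parameters are not Monico's), the following Python script instantiates the key exchange of Section 3.1 and the ElGamal scheme of Section 3.2 on one toy action. The assumed instance is the commutative semigroup G = {p(M) : p a polynomial over ℤ_n} of polynomials in a single fixed matrix M, acting on S = ℤ_n^m by v ↦ p(M)v; because p(M) and q(M) commute, a(bs) = b(as) holds, which is exactly what both protocols need. The two-sided variant of Definition 3.2 uses two fixed matrices M_1, M_2 and the action S ↦ p(M_1) S q(M_2). The modulus n = 97, the dimension m = 2 and the matrices M, M_1, M_2 are constructed here and kept small so the arithmetic can be followed by hand.

```python
"""Added example (not from the surveyed papers): key exchange and ElGamal on a
toy semigroup action.  Assumed instance: G = { p(M) : p in Z_n[x] } acts on
S = Z_n^m by v -> p(M) v.  Everything below (n, m, M, M1, M2) is constructed."""

N_MOD = 97                      # constructed modulus n
M_FIB = [[1, 1], [1, 0]]        # constructed 2x2 matrix M over Z_97
M1_EX = [[2, 3], [1, 4]]        # constructed M1 for the two-sided action
M2_EX = [[5, 1], [2, 7]]        # constructed M2 for the two-sided action


def mat_mul(A, B, n=N_MOD):
    """Matrix product over Z_n."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % n
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_vec(A, v, n=N_MOD):
    """Action of the matrix A on the column vector v in Z_n^m."""
    return [sum(A[i][k] * v[k] for k in range(len(v))) % n for i in range(len(A))]


def poly_at_matrix(coeffs, M, n=N_MOD):
    """Evaluate p(M) = c_0 I + c_1 M + ... + c_d M^d by Horner's rule.
    Every such matrix commutes with every other polynomial in M, which is
    what makes G = {p(M)} an abelian semigroup under multiplication."""
    m = len(M)
    acc = [[0] * m for _ in range(m)]
    for c in reversed(coeffs):
        acc = mat_mul(acc, M, n)
        for i in range(m):
            acc[i][i] = (acc[i][i] + c) % n
    return acc


def one_sided_key_exchange(M, s, a_coeffs, b_coeffs):
    """Monico's protocol [13] on this instance: Alice's secret is a = p_a(M),
    Bob's is b = p_b(M); they exchange as and bs and both compute (ab)s.
    Returns (Alice's key, Bob's key); the two agree because ab = ba."""
    A = poly_at_matrix(a_coeffs, M)
    B = poly_at_matrix(b_coeffs, M)
    alice_sends = mat_vec(A, s)          # a s
    bob_sends = mat_vec(B, s)            # b s
    alice_key = mat_vec(A, bob_sends)    # a(b s)
    bob_key = mat_vec(B, alice_sends)    # b(a s)
    return alice_key, bob_key


def two_sided_key_exchange(M1, M2, S, alice, bob):
    """Two-sided matrix action (Definition 3.2): g = (p, q) acts on the matrix
    S by S -> p(M1) S q(M2).  Polynomials in M1 commute among themselves, as
    do polynomials in M2, so the two parties again reach the same key."""
    P, Q = poly_at_matrix(alice[0], M1), poly_at_matrix(alice[1], M2)
    P2, Q2 = poly_at_matrix(bob[0], M1), poly_at_matrix(bob[1], M2)
    alice_sends = mat_mul(mat_mul(P, S), Q)
    bob_sends = mat_mul(mat_mul(P2, S), Q2)
    alice_key = mat_mul(mat_mul(P, bob_sends), Q)    # p p' S q' q
    bob_key = mat_mul(mat_mul(P2, alice_sends), Q2)  # p' p S q q'
    return alice_key, bob_key


def elgamal_keygen(M, s, a_coeffs):
    """Public key y = a s for the secret a = p_a(M); (M, s) are domain parameters."""
    return mat_vec(poly_at_matrix(a_coeffs, M), s)


def elgamal_encrypt(M, s, y, msg, b_coeffs):
    """Ciphertext (b s, msg + b y) for an ephemeral b = p_b(M); msg is in Z_n^m."""
    B = poly_at_matrix(b_coeffs, M)
    c1 = mat_vec(B, s)
    mask = mat_vec(B, y)                              # b(a s)
    c2 = [(x + k) % N_MOD for x, k in zip(msg, mask)]
    return c1, c2


def elgamal_decrypt(M, a_coeffs, c1, c2):
    """Recover msg = c2 - a(b s); this equals c2 - b(a s) since a and b commute."""
    mask = mat_vec(poly_at_matrix(a_coeffs, M), c1)
    return [(x - k) % N_MOD for x, k in zip(c2, mask)]


if __name__ == "__main__":
    s = [1, 2]
    print(one_sided_key_exchange(M_FIB, s, [1, 1], [2, 0, 1]))   # ([19, 13], [19, 13])
    y = elgamal_keygen(M_FIB, s, [1, 1])
    c1, c2 = elgamal_encrypt(M_FIB, s, y, [42, 7], [3, 5, 1])
    print(elgamal_decrypt(M_FIB, [1, 1], c1, c2))              # [42, 7]
```

The secrets are polynomials rather than exponents, which is the whole generalization: in the DLP instance G is the cyclic semigroup of powers of one element, here it is all polynomials in M. Note that nothing in the protocol requires the matrices p(M) to be invertible, which is the property Section 6 points to as the reason SAP is studied in non-group structures.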

Security of SAP and cryptographic protocols based on SAP
The security of SAP and cryptographic protocols based on SAP is explained in this section.

Security of SAP and cryptographic protocols against brute force attack
To break SAP using a brute force attack, the attacker tries all possible g_i ∈ G, 0 ≤ i ≤ |G|, to find a g_i which satisfies g_i s = gs, where G is an abelian semigroup acting on a finite set S and s ∈ S. Therefore, the size of the abelian semigroup G should be chosen so that it is computationally infeasible for the attacker to find g_i (see [10,11]). When G is a cyclic group instead of an abelian semigroup, the total number of operations required to break SAP using the square root attack is O(√|G|). If G is not a cyclic group, then the overall complexity of Pollard's rho attack is O(√|O_s|), where O_s is the orbit of s ∈ S.
If the semigroup G has a large subgroup G_1, it may be partitioned in the form . Now, the attacker will try to find a solution of the equation y = gs in G∘ using an exhaustive search. If no solution is found in G∘, the attacker restricts the SAP to G_1 and applies Pollard's square root attack. The overall complexity of this attack is |G∘| + O(√|G_1 s|) (see [10]), where G_1 s = {gs | g ∈ G_1}. When G is neither a group nor a set-theoretic union of a small number of cyclic sub-semigroups, the attacks applicable to DLP are not applicable to SAP. It is suggested in [11] that when G is a group for which no attack other than the square root attack applies, a 160-bit orbit size is sufficient for practical security, and that when no attack at all is possible, an 80-bit orbit size is sufficient. Now, we analyze the security of the two-sided matrix multiplication action discussed in Definition 3.2 and Section 3.1.1. For the security of the two-sided matrix multiplication action, the c-simple semirings of the type R_m = Mat_m({0, 1}, max, min) were used in [9], where Mat_m({0, 1}, max, min) is the max-min algebra. The use of these semirings makes the two-sided matrix multiplication action secure against the Pohlig-Hellman attack and square-root attacks.
If R_1 (for m = 1) is used as the semiring, then the brute force complexity of the two-sided matrix multiplication action defined in Section 3.1.1 will be O(|R According to [9, Assumption 5.19], the complexity of the two-sided matrix multiplication action can be reduced to O((ord(M_1) ord(M_2))^d) for some d ∈ ℕ. This bound can also be given in terms of the size of the matrix Z, where Z = p(M_1) S q(M_2) and p, q, S are defined in Definition 3.2 and Section 3.1.1. If the input size of Z is m² (= N, say) bits, then the expected running time of the algorithm in terms of the key size will be O(exp((√(2d) + o(1)) N^{1/4} √(ln N))). This bound is not competitive with the bound of the best known algorithm for solving DLP, which is O(exp((1.92 + o(1)) N_p^{1/3} (ln N_p)^{2/3})). However, by placing some restrictions on the parameters, a competitive bound can be achieved. For this, M_1, M_2 and S are taken to be permutation matrices and the polynomials p, q are assumed to have l monomials. Then the matrix Z can be encoded with N_α = m l log_2(m) bits and, according to [9, Proposition 5.21], the expected running time of the algorithm will be O(exp((μ + o(1)) √N_α)), where μ = √(2d) / √(ln(2) l). This bound is considered competitive with the bound of the best known algorithm for solving DLP.
One particular example of the two-sided matrix multiplication action is given in [11], in which the size of the matrices M_1, M_2 is taken to be greater than 420, and a particular semiring is used which gives the maximum possible size of Z. With this choice of parameters, Alice has more than 2^420 choices for the polynomial p, for which p(M_1) can be computed with at most 420 matrix multiplications and additions. However, Alice may restrict the choice of p to reduce the number of multiplications and additions. If the degrees of p, q are restricted to the range of 50, then the complexity of a brute force attack will depend on the size of the The upper bound for the size of this set is 2^100 and the least value is 2^25. The cryptanalysis of this example was carried out in [20], and the above choice of parameters is considered insufficient for practical use: according to [20], if the above parameters are used, a complete session key can be recovered easily. Therefore, the parameter choices prescribed in [11] are not recommended for practical use, and further research is required to achieve a good bound with a better choice of parameters.
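As an added illustration of the brute-force and orbit-size argument of this section (not code from [9], [10] or [11], and not their parameter sets), the following Python script works in the max-min algebra Mat_m({0, 1}, max, min) named above and lets the cyclic semigroup {M, M², M³, …} generated by one constructed matrix M act on S = Mat_3({0, 1}) by the left max-min product. It enumerates the distinct powers of M and the orbit Gs of a starting point, and runs the exhaustive search of Definition 3.1 over them. The point it makes is that the attacker's search space is the orbit Gs, the quantity behind the O(√|O_s|) bound, and that for a single-generator semigroup in the boolean semiring this orbit collapses to a handful of elements (and depends heavily on s), so orbit size, not |G| or |S|, is the parameter a designer has to check. The matrix M and the starting points are constructed here.

```python
"""Added example: orbit size as the brute-force bound for SAP (Section 4.1),
worked in the max-min (boolean) semiring Mat_m({0,1}, max, min).  The
generator M and the starting points are constructed; nothing here is taken
from the surveyed papers' parameter sets."""

M_EX = [[0, 1, 0],        # constructed generator of the cyclic semigroup G
        [0, 0, 1],
        [1, 1, 0]]
I3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # constructed starting point s in S
J3 = [[1, 1, 1], [1, 1, 1], [1, 1, 1]]   # constructed all-ones start point


def maxmin_mul(A, B):
    """Product in Mat({0,1}, max, min): (A ⊙ B)[i][j] = max_t min(A[i][t], B[t][j]).
    With 0/1 entries this is boolean matrix multiplication (OR of ANDs)."""
    return [[max(min(A[i][t], B[t][j]) for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def semigroup_elements(M):
    """Distinct powers M, M^2, M^3, ... in order.  The semiring is finite, so the
    sequence is eventually periodic and the loop stops at the first repeat."""
    powers = []
    P = M
    while P not in powers:
        powers.append(P)
        P = maxmin_mul(P, M)
    return powers


def orbit(M, s):
    """Orbit G s = { g s : g in G } of s under the cyclic semigroup generated by M."""
    seen = []
    for g in semigroup_elements(M):
        gs = maxmin_mul(g, s)
        if gs not in seen:
            seen.append(gs)
    return seen


def exhaustive_sap(M, s, y):
    """The brute-force search of Section 4.1 on this instance: try g = M^k for
    k = 1, 2, ... until g s == y.  Returns k, or None if y is not in the orbit.
    The number of trials is bounded by |G| and the number of distinct
    candidate values y by |G s|."""
    for k, g in enumerate(semigroup_elements(M), start=1):
        if maxmin_mul(g, s) == y:
            return k
    return None


def search_space(M, s):
    """(|G|, |G s|, |S|): semigroup size, orbit size, and the size 2^(m^2) of the
    whole set S the orbit lives in.  Only the orbit size bounds the attacker."""
    m = len(M)
    return len(semigroup_elements(M)), len(orbit(M, s)), 2 ** (m * m)


if __name__ == "__main__":
    print(search_space(M_EX, I3))                           # (5, 5, 512)
    print(search_space(M_EX, J3))                           # (5, 1, 512)
    target = maxmin_mul(semigroup_elements(M_EX)[2], I3)    # M^3 s
    print(exhaustive_sap(M_EX, I3, target))                 # 3
```

For the identity as starting point the orbit is the set of powers itself (five elements out of 512 possible matrices); for the all-ones matrix every power maps it to itself and the orbit has size 1. The same enumeration, run on candidate domain parameters, is the check behind the 80-bit and 160-bit orbit-size recommendations quoted above from [11]: the orbit, not the ambient set S, is what has to be large.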

Formal security model of cryptographic schemes based on SAP
In [21] Stolbunov presented the security model of the key-exchange protocol and the ElGamal encryption scheme based on SAP. For defining the security of the key-exchange protocol, he used the security model proposed by Canetti and Krawczyk in [2].
The security of the ElGamal encryption scheme is defined using indistinguishability of encryptions under chosen-plaintext attack. The computational Diffie-Hellman group action problem (CDHAP), the decisional Diffie-Hellman group action problem (DDHAP) and the DDHAP assumption are presented in the paper for defining the security of the scheme (defined in Section 3).
The following two theorems are proved in the paper [21] for defining the security of the key-exchange protocol and the ElGamal encryption scheme.

Some work based on action of algebraic structure
In [17] Sakalauskas proposed a signature scheme based on the semiring action problem. To define this scheme he used two hard problems, which can be treated as one-way functions: one is the multiple factor search problem (MFSP) and the other is the operator and operand search problem (OOPS). He also used two operand search problems as one-way functions, denoted ∗ and ⊕. It is proved in the paper that the scheme has provable security. He postulated three kinds of attacks covering the other possible attacks on the proposed signature scheme.
In [18] a digital signature scheme is defined using the action of an infinite ring over a module. The scheme is designed to be secure against data forgery, signature repudiation and existential forgery.
In [16] a digital signature scheme is defined using a Gaussian monoid. The proposed scheme is based on different hard problems which are linked to a one-way function. The scheme is proved to be secure against existential forgery, data-implied forgery and data-implied forgery at the module action level.
In [22] a bi-semigroup action problem (BSAP) is proposed, and using this computationally hard problem a new key exchange protocol is defined. In [8] some properties of semigroups are discussed which are useful for designing public key cryptosystems. In [3] an efficient quantum algorithm is described, using Shor's algorithm [19], for computing discrete logarithms in semigroups. It is shown that some generalizations of DLP are hard in semigroups but easy in groups. The paper also discusses how SAP for a cyclic semigroup action can be considered an instance of the shifted DLP.

Future scope of SAP
It was explained in the previous sections how SAP can be considered a generalization of DLP. The semigroup action problem (SAP) is considered to be more secure because the structures used to define it do not contain invertible elements, and the semirings used to define the extension of SAP are simple, which reduces the possibility of applying the Pohlig-Hellman attack. Therefore, using such algebraic structures, SAP can also be used to define other public-key cryptographic schemes, such as authentication schemes, zero-knowledge undeniable signature schemes, signcryption schemes, etc.

Conclusion
In this paper, we have explained SAP and summarized the work related to it. It is explained how SAP is extended to different algebraic structures such as semirings, semimodules, quotient semirings, quotient semimodules, etc. To the best of our knowledge, we have covered almost all the work proposed in the literature on cryptography based on SAP.