Public Key Protocols over the Ring E_p^(m)

In this paper we use the nonrepresentable ring E_p^(m) to introduce public key cryptosystems in noncommutative settings, based on the Semigroup Action Problem and the Decomposition Problem respectively.

exchange protocols based on noncommutative cryptographic platforms. A very good exposition of the problems underlying this noncommutative approach can be found in [20]; some of them are the following, where G is a nonabelian group:
• Conjugator Search Problem (CSP): Given (x, y) ∈ G × G, the problem is to find z ∈ G such that y = z^{-1} x z.
• Decomposition Problem (DP): Given (x, y) ∈ G × G and S ⊆ G, the problem is to find z_1, z_2 ∈ S such that y = z_1 x z_2.
• Symmetrical Decomposition Problem (SDP): Given (x, y) ∈ G × G and m, n ∈ Z, the problem is to find z ∈ G such that y = z^m x z^n.
• Generalized Symmetrical Decomposition Problem (GSDP): Given (x, y) ∈ G × G, S ⊆ G and m, n ∈ Z, the problem is to find z ∈ S such that y = z^m x z^n.
Note that for the DP we can assume that G is a semigroup, since in this case we do not need invertible elements.
Several authors have proposed and used certain nonabelian groups for key exchange problems. In [1,2,12,13], the authors suggest using braid groups as platform groups for their respective protocols. In [21], the authors propose a public key cryptosystem whose security is based on the DLP for the automorphism defined by the conjugation operation and on the difficulty of finding the conjugate element in finite nonabelian groups. In [24], the authors suggest the use of a finite representation of a nonabelian group, called Thompson's group, to develop a public key cryptosystem, where the difficulty of finding a solution to the SDP was raised for the first time. Finally, in [29], the authors propose a cryptosystem whose robustness is based on the difficulty of solving the CSP and the SDP over any noncommutative algebraic structure.
In the noncommutative setting, we can find different implementations based on the Diffie-Hellman protocol in matrix rings, for different kinds of matrices [4,27,30]. A notable recent work in this setting is [16], where the author shows the usability of a certain class of matrices that gives rise to a noncommutative framework in which to define the ElGamal cryptosystem and the corresponding Diffie-Hellman protocol, as well as its efficiency. Another system based on the discrete logarithm problem in the automorphism group is the so-called MOR cryptosystem, recently described for automorphisms of p-groups whose order is coprime to p in [15,17].
Moreover, the idea of developing open key distribution systems as well as session key exchange protocols on the basis of noncommutative (semi)groups is present in [14,23,26].
Finally, with the idea of generalizing the protocols based on groups and taking advantage of the difficulty of solving the DLP in these groups, Shpilrain and Zapata [25] give a general framework using actions of groups to define key exchange protocols. In this setting, Maze et al. [18] introduce the Semigroup Action Problem (SAP): let G be a finite semigroup acting on a finite set S; given x, y ∈ S with y = g · x for some g ∈ G, find h ∈ G such that y = h · x.
In this way, any Abelian semigroup G acting on a finite set S provides a Diffie-Hellman key exchange protocol and an ElGamal protocol (cf. [18]).
Our aim in this paper is to provide public key cryptosystems in a noncommutative setting given by the ring E_p^(m), based on the SAP and the DP. The remainder of this paper is organized as follows. In Section 2 we recall some properties of the nonrepresentable ring E_p^(m) that will be used throughout this paper. In Section 3 we use an action of the ring E_p^(m) to introduce a public key cryptosystem based on the SAP. Finally, in Section 4 we use this ring to give a public key cryptosystem based on the DP, and we relate the security of both cryptosystems.

The ring E_p^(m)
Bergman [3] proved that End(Z_p × Z_{p^2}) is a semilocal ring that cannot be embedded in matrices over any commutative ring. In [6] the authors showed that End(Z_p × Z_{p^2}) is isomorphic to a ring whose elements can be expressed as square matrices whose rows are given by elements in Z_p and Z_{p^2} respectively, with an arithmetic similar to matrix addition and multiplication. They then used this ring to define a key exchange protocol (see also [5,7]). However, this was cryptanalyzed in [11] using some invertible elements, which motivated the introduction of an extension of such a ring [8] in which almost all elements are noninvertible. This new ring is defined as the set (see [8, Theorem 1]) with the addition and the multiplication defined, respectively, as follows. Here Mat_{m×m}(Z) denotes the set of m × m matrices with entries in Z, and p^r Z_{p^s} denotes the set {p^r u | u ∈ Z_{p^s}} for positive integers r and s. Moreover, the ring E_p^(m) has p^{(2m^3+3m^2+m)/6} elements.
The following results on the ring E_p^(m) can be found in [8].

A public key cryptosystem based on the SAP
Our aim in this section is to use the arithmetic of the ring E_p^(m) and an action of this ring to define a public key cryptosystem in a noncommutative setting.
Thus, based on the multiplication defined on the ring E_p^(m) and the structure of its elements, we may define an action of the ring E_p^(m) on the set Z_p × Z_{p^2} × ··· × Z_{p^m}. As we will show, this action gives rise to a public key cryptosystem based on the SAP (cf. [18]).
Let us consider the center Z(E be a public value and S ∈ Z_p × Z_{p^2} × ··· × Z_{p^m} the message that Bob wants to send Alice. Then:
1. Alice chooses R ∈ Z_p × Z_{p^2} × ··· × Z_{p^m}, F ∈ Cen(M) and computes T = F · R.
2. Alice makes public the pair (R, T), keeping secret her private key F.

3. Bob chooses randomly p ) and sends Alice the pair

4. Alice gets the secret by computing
Note that the commutativity of F and G gives the correctness of the preceding algorithm and that Alice and Bob could exchange the way they choose the elements appearing through it.
As asserted in the general case in [18], we can observe that breaking the preceding algorithm involves solving the SAP, i.e., given the values R and
To understand the size of the underlying SAP, let p be a prime, consider x ∈ Z_{p^m} coprime to p, and let n be the order of where, by Theorem 2, Thus, according to expression (1), for every possible choice of the element But the set given in expression (2) may be expressed as which gives all the elements of Z_{p^m}, given that C_1, ..., C_n may be chosen in such a way that we get the p-adic decomposition of every element in Z_{p^m}. Therefore, for every element in p ), there are as many elements G as elements in Z_{p^m}, so that there are p^m · p^m = p^{2m} different possibilities for selecting the element G. we have that

An analogous result is obtained for
Thus it is crucial that the element G in step 3 of Algorithm 1 does not commute with the solution A of the SAP. Therefore, to prevent G from commuting with any such solution, we must require that G is not in the center of the multiplicative semigroup of E_p^(m), which can be easily checked by requiring that at least one entry off its main diagonal is nonzero (see Theorem 2).
Now, from expression (4) and the fact that r_0 ≢ 0 (mod p), we obtain that a_0 ≡ r_0^{-1} t_0 (mod p).
Assume now that j = 1, 2, ..., m − 1. From expression (5) we have that (a_0 + p a_1 + ··· + p^j a_j) r_j − t_j = p^{j+1} h for some h ∈ Z, so p | (t_j − a_0 r_j). Therefore a_0 r_j ≡ t_j (mod p) and, using the fact that r_j ≢ 0 (mod p), we obtain that As an immediate consequence we get the following result.

A public key cryptosystem based on the DP
Our aim in this section is to give a trap-door function based on the DP in E_p^(m), following ElGamal's ideas in the case of the DLP. ElGamal [10] introduced his cryptosystem based on the Diffie-Hellman key exchange protocol [9]. Thus we first provide a key exchange in the ring E_p^(m). To do so, given M ∈ E_p^(m), we will consider the set where Z(E such that M ∉ Cen(X).

Alice chooses two different elements A_1, A_2 ∈ H(M) and transmits G
to Alice.

Alice computes
Now it is clear that both Alice and Bob share a common value and that they could exchange their roles in the way they choose their corresponding private information. The latter is a particular case of [25, Example 3], where the authors illustrate a protocol based on the DP in a general semigroup.
Trying to break the preceding protocol in its general setting, as shown in [25, Example 3], gives rise to the following problem, directly related to the DP.
Definition 1: Let G be a semigroup, A, B ⊆ G two subsemigroups such that ab = ba for every a ∈ A and b ∈ B, and assume that x ∈ G. The DH Decomposition Problem (DHDP) consists in, given two elements a_1 x a_2 and b_1 x b_2 with a_1, a_2 ∈ A and b_1, b_2 ∈ B that provide a DHDP key exchange as above, finding the element a_1 b_1 x b_2 a_2.
It is immediate that being able to solve the DP implies being able to solve the DHDP.
On the other hand, in [6] (see also [5,7]) the authors introduce a key exchange protocol over the noncommutative ring End(Z_p × Z_{p^2}) that fits the previous protocol. In [11] the authors solve the DHDP using some invertible elements in End(Z_p × Z_{p^2}), resulting in a cryptanalysis of that proposal.
From the key exchange based on the DP, and analogously to the ElGamal cryptosystem, we can derive a public key cryptosystem whose cryptanalysis is computationally equivalent to the DHDP. We will give it in a general setting for semigroups, but let us first introduce the following notation. Let t ∈ Z^+ and consider a one-to-one map β : G → Z_2^t; so, for x ∈ G, β(x) is the t-digit binary representation of x. Moreover, we denote by ⊕ the bitwise xor operation in Z_2^t.
Protocol 2 (ElGamal DP protocol (EGDP protocol)): Let G be a semigroup and assume that A, B ⊆ G are two subsemigroups such that ab = ba for every a ∈ A and b ∈ B. Let m be the message that Bob desires to send Alice.
1. Alice chooses x ∈ G such that xa = ax, for every a ∈ A, and chooses a_1, a_2 ∈ A.
2. Alice makes public the pair (x, a_1 x a_2), keeping a_1, a_2 secret.
3. Bob chooses b_1, b_2 ∈ B, computes f = b_1 x b_2 and d = β^{-1}(β(m) ⊕ β(b_1 a_1 x a_2 b_2)), and sends Alice the pair (f, d).
4. Alice recovers m = β^{-1}(β(d) ⊕ β(a_1 f a_2)).
Part 4 of the above protocol is correct because a_1 f a_2 = a_1 b_1 x b_2 a_2 = b_1 a_1 x a_2 b_2, since every element of A commutes with every element of B. We point out that if we are considering a ring R instead of a semigroup G, then we can substitute the map β : G → Z_2^t by the identity map on R and the xor operation ⊕ by the addition in R. Here we need the existence of a zero element in order to get
Example 1:
1. If the semigroup G is commutative, then EGDP corresponds to the ElGamal public key cryptosystem defined by the action of G on itself (cf. [18]). In this case, as we pointed out in Section 1, the security of the cryptosystem is based on the difficulty of what the authors in [18] called the SAP.
2. Let us consider the ring E_p^(m)
The following result shows the relation between the cryptanalysis of the EGDP and DHDP protocols.

Theorem 4: Breaking the EGDP protocol is equivalent to solving the DHDP.
Since Eve is able to solve the DHDP, she gets b_1 a_1 x a_2 b_2 from b_1 x b_2 and Alice's public key a_1 x a_2. Thus she can recover Now assume that Eve can solve the EGDP. Then she can obtain any message m from the information x, a_1 x a_2, b_1 x b_2, β^{-1}(β(m) ⊕ β(b_1 a_1 x a_2 b_2)). If Eve wishes to get b_1 a_1 x a_2 b_2 from x, a_1 x a_2, b_1 x b_2, then she encrypts m using b_1 x b_2 as the random element in step 3 of Protocol 2, to get d = β^{-1}(β(m) ⊕ β(b_1 a_1 x a_2 b_2)), and thus she gets the solution to the DHDP.
Let us show how a reasoning analogous to the one used in the cryptanalysis introduced in [11] may apply to break the EGDP protocol. Let us assume that Bob sends Alice the pair (f, d) = (b_1 x b_2, β^{-1}(β(m) ⊕ β(b_1 a_1 x a_2 b_2))) as in the EGDP algorithm and that Eve is able to find w_1, w_2 commuting with every element in A and such that f w_2 = w_1 x. Suppose also that w_2 is invertible in the semigroup G. Then w_1 a_1 x a_2 w_2^{-1} = a_1 w_1 x w_2^{-1} a_2 = a_1 f a_2 and thus β^{-1}(β(d) ⊕ β(w_1 a_1 x a_2 w_2^{-1})) = m.
Therefore, the further the subgroup of units of G is from being the whole of G, the more difficult it will be to apply this reasoning to break the EGDP protocol. This applies to the case of E_p^(m) since, as mentioned previously, a suitable choice of p and m provides a ring in which almost all elements are not units.
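As an added illustration of Protocol 2 (example code written for this page, not the paper's own construction), the following Python runs the EGDP exchange in its ring variant, with β the identity and ⊕ replaced by ring addition, over a stand-in semigroup: 2×2 matrices modulo an assumed prime MOD, where A = B is the commutative subsemigroup of polynomials in a constructed matrix N and x is chosen off the centralizer of A, as the ring version in Section 4 requires (M ∉ Cen(X)). The ring E_p^(m) itself is not implemented; MOD, N and every function name are assumptions of this example.

```python
import random

MOD = 65521  # assumed modulus of the stand-in ring; not the paper's E_p^(m)

def mmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % MOD for j in range(2)] for i in range(2)]

def madd(a, b, sign=1):  # entrywise a + b, or a - b when sign = -1
    return [[(a[i][j] + sign * b[i][j]) % MOD for j in range(2)] for i in range(2)]

def poly_in(n_mat, coeffs):
    """c0*I + c1*N + c2*N^2 + ...; all such matrices commute: this is A = B."""
    acc, power = [[0, 0], [0, 0]], [[1, 0], [0, 1]]
    for c in coeffs:
        acc = madd(acc, [[c * v % MOD for v in row] for row in power])
        power = mmul(power, n_mat)
    return acc

def commutes(a, b):
    return mmul(a, b) == mmul(b, a)
def rand_mat(rng):
    return [[rng.randrange(MOD) for _ in range(2)] for _ in range(2)]
def rand_poly(n_mat, rng):
    return poly_in(n_mat, [rng.randrange(MOD) for _ in range(3)])

def keygen(n_mat, rng):
    """Alice: x off Cen(A), i.e. not commuting with N; private (a1, a2) in A."""
    x = rand_mat(rng)
    while commutes(x, n_mat):
        x = rand_mat(rng)
    a1, a2 = rand_poly(n_mat, rng), rand_poly(n_mat, rng)
    return (x, mmul(mmul(a1, x), a2)), (a1, a2)  # public (x, a1 x a2), private (a1, a2)

def encrypt(pub, n_mat, msg, rng):
    """Bob: f = b1 x b2 and d = m + b1 (a1 x a2) b2 (ring variant: + instead of xor)."""
    x, p = pub
    b1, b2 = rand_poly(n_mat, rng), rand_poly(n_mat, rng)
    return mmul(mmul(b1, x), b2), madd(msg, mmul(mmul(b1, p), b2))

def decrypt(priv, f, d):
    """Alice: a1 f a2 = a1 b1 x b2 a2 = b1 a1 x a2 b2 because A and B commute."""
    a1, a2 = priv
    return madd(d, mmul(mmul(a1, f), a2), sign=-1)

def demo(seed=1):  # one exchange on a constructed N and m; True iff m is recovered
    rng = random.Random(seed)
    n_mat, msg = rand_mat(rng), rand_mat(rng)
    pub, priv = keygen(n_mat, rng)
    f, d = encrypt(pub, n_mat, msg, rng)
    return decrypt(priv, f, d) == msg
```

The loop in keygen is the check that x is not central for A; the correctness of decrypt uses only that A and B commute elementwise, exactly as in the proof of Part 4.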
We will finish this paper by giving some conditions on the public key used for the EGDP protocol in the case of the ring E_p^(m), in order to avoid an attack that reduces it to finding a solution to a certain SAP.
Let us assume that Alice's public key is given by the pair (X, A_1 X A_2) and let Eve be an attacker. If Eve is able to find M ∈ Z(E with h_0 ≢ 0 (mod p) (cf. [8]). Thus Eve writes M H^{-1} H and gets that A_1 X A_2 = M X = M H^{-1} X H, solving the DP and therefore the DHDP.
As previously noted, the next result gives conditions on the public key of the EGDP protocol that avoid breaking it by reducing the DP to a SAP as explained above. Its proof is a direct application of Corollary 1.

Corollary 2: In the preceding situation, let (X, P), with P = A_1 X A_2, be the public key of some user of the EGDP protocol over the ring E_p^(m). If there exists k ∈ {1, 2, ..., m} such that X_{i,k} ≢ 0 (mod p) for every i = 1, 2, ..., m, and there exists j such that X_{j,k}^{-1} P_{j,k} ≢ X_{1,k}^{-1} P_{1,k} (mod p), then an attacker cannot break the EGDP by reducing it to solving a SAP over the ring E_p^(m).