4LINEARGROUPACTIONS394.1Linearityoverelds..................394.2Examp - PDF document

iv 4LINEARGROUPACTIONS394.1Linearityoverelds..................394.2Examples........................434.3Semiringsactingonsemi-modules...........474.4EndomorphismactionsontheabeliangroupsE(Fq)514.5Conclusion.......................565ACLASSOFC-SIMPLESEMIRINGS575.1ThesemiringsRn....................575.2Elementswithlargeorders...............645.3Anactionrelatedtoa owproblem.........695.4Atwo-sidedmatrixmultiplicationaction.......725.5Thechoiceoftheparameters.............745.6Conclusion.......................796ACTIONSINDUCEDBYCHEBYSHEVPOLY-NOMIALS816.1Chebyshevpolynomials................816.2ThediscreteChebyshevprobleminniteelds...866.3ThediscreteChebyshevprobleminMatn(Fq)....896.4ThediscreteChebyshevproblemandRSAintegers.976.5Conclusion.......................1007PAIGELOOPSANDSEMIGROUPACTIONPROB-LEMS1017.1Loops,MoufangloopsandPaigeloops........1017.2TheDLPinM(q)...................1077.3ExponentiationandconjugationinM(q).......1097.4Thecasetr(g)=2..................1167.5Conclusion.......................119vi viii x xii xiv 2Introductionyearshavebeenaperiodoftransitionasthedisciplinemovedfromanarttoascience.Moderncryptographyisthestudyofmathematicaltechniquesrelatedtoaspectsofinformationsecuritysuchascondentiality,dataintegrity,authentication,andnon-repudiation.Letusnowdeneforsakeofclaritywhatisunderstoodinthepreviouslist.1.Condentiality isaserviceusedtokeepsecretthecontentofinformationfromallbutthosesupposedtohaveaccesstoit.2.Dataintegrity isaservicethatdetectsdatamanipulationbyunauthorizedentities.3.Authentication isaservicerelatedtoidenticationsuchasentityauthenticationanddataoriginauthentication.4.Non-repudiation isaservicewhichpreventsanentityfromdenyingpreviouscommitmentoractions.Inotherwords,moderncryptographyisaboutthepreventionanddetectionofcheatingandothermaliciousactivitiesrelatedtose-crecy.Inordertoreachthesegoals,cryptographyprovidesbasictools,calledprimitives,suchasencryptionschemes,digitalsigna-tureschemesandhashfunctions.Theseprimitivescanbeunkeyed(mainlyhashfunctions)orcomewithasymmetric-keystructureorapublic-keystructure.Weshalltryinthesequeltodenethesenotionsandgiveexamplesofexistingprotocols.Unkeyedprim-itiveswillnotappearsincethisdissertationisaboutpublic-keycryptography.Ashortsectiononsecret-keyprimitiveswillhow-everbepresentedtogiveanideaofthemainstreamrelatedtosymmetricciphers. 4IntroductionDenition1.2Asymmetric-keyencryptionschemeisgivenbyM:amessagespaceK:akeyspaceC:acipherspaceandtwomaps':MK�!Cand :CK�!Msuchthat ('(m;k);k)=m,'(:;k):M�!Cisaone-wayfunctionforallk,'(m;:):K�!Cisaone-wayfunctionforallm.Theadjectivesymmetricofthepreviousdenitionndsitsori-gininthefactthatthekeyusedforencryptionisthesameastheoneusedfordecryption.Thisprivatekeymustbecommunicatedthroughacompletelysecurechannelinordertoreachsecurity.Thereexistsasymmetric-keyencryptionscheme,theone-timepad,thatisperfectlysecure,anotiondenedbyShannoninhisearlyworkonthesubject[81].Evenifthesystemisattractivethankstoitssecurityandeaseofencryptionanddecryption,itneverthelesshasthemajordisadvantageofhavingakeythatmustbecommunicatedsecurelywhichisatleastaslargeastheplaintext(c.f.[86]or[94]).Thehistoricaldevelopmentofcryptographyhasbeentodesigncryptosystemswhereonekeyofrelativelysmallsizecanbeusedtoencryptarelativelylongstringofplaintextandstillremainsecure.AgoodexamplewouldbetheDataEncryptionStandard(DES),a1975creationofIBM,thatwastheocialstandardforunclas-siedapplicationuntil1998.DESencryptaplaintextbitstringoflength64usingakeywhichisabitstringoflength56.Thekeysize 6Introduction 1)Aprimepandaprimitiveelement 2Zparemadepublic. 2)Alicechoosesa2f1;:::;p�1g,computes aandsendsit toBob.Hersecretkeyisa. 3)Bobchoosesb2f1;:::;p�1g,computes bandsendsit toAlice.Hissecretkeyisb. 4)Theelement ab=( a)b=( b)aisusedasacommon secretkey. Figure1.1:Die-HellmanprotocolSoonafter,Rivest,ShamirandAdlemancreatedthefamousRSAprotocol([74]and[75]).Beforegivingalistofexistingpublic-keycryptosystems,hereisthedenitionofabuildingblockofpublic-keycryptography:Denition1.3Aone-waytrapdoorfunctionisaone-wayfunctionffromasetXtoasetYwiththeadditionalpropertythatgivensomeextrainformation,thetrapdoor,itbecomesfeasibletondforanyy2Imf,anx2Xsuchthatf(x)=y.Thisnotionallowspublic-keytransmissionanddigitalsigna-ture:Ideaofpublic-keytransmission: SupposeBobwantstosendAliceamessagem.Alicepublishesherone-waytrapdoor 8Introduction 1)Alicechoosespubliclyaprimepandaprimitive element2Zp. 2)Shechoosesa2f1;:::;p�1gandcomputes=a. Herpublickeyis(;). 3)Bobchoosesk2f1;:::;p�1gandusestheencryption functionf:m7�!f(m)=(k;mk)=(c1;c2): 4)Alicedecryptsthemessagewithm=c2(ca1)�1. Figure1.2:ElGamalprotocolastheRSAproblem(RSAP),whichpreciselyaskstoinverttheone-waytrapdoorfunctionfoftheprotocol.Itisre-latedtothewell-knownfactoringproblem(FACTORING)thataskstofactoragivenintegernintoprimepowers.In-deedtheknowledgeofnand'(n)iscomputationallyequiva-lenttotheknowledgeofthefactorspandqofn.However,itisnotknownifFACTORINGisequivalenttoRSAPevenifthelatterreducestotheformer.Theequivalenceisstronglysuspected.Wewillnotgointothedetailsofanyfactoringalgorithmbutrathergivetheexpectedrunningtimeofthefastestknownalgorithm,i.e.,theNumberFieldSieveMethod([8]and[93]),whichisO(exp((1:923+o(1))(lnn)1=3(lnlnn)2=3)): 10Introduction 1)Alicechoosestwolargeprimesp;q=3mod4. Shecomputesn=pq,andmakesnpublic. 2)Bobusestheencryptionfunctionf:m7�!m2modn: 4)Alicedecryptsthemessagesolving x2=f(m)modpandy2=f(m)modq andusingtheChineseRemainderTheorem. Figure1.4:RabinprotocolhardproblemistheSquareRootProblemmoduloanRSAnumber(SQROOT)anditisknownthatSQROOTisequiv-alenttoFACTORING(see[57]).Thismakesthestrengthoftheprotocol.Notethatthetaskofndingsquarerootsinaniteeldiseasy(c.f.thediscussionbeforeProposition6.7).4.ThePollyCrackercryptosystemwascreatedbyN.Koblitzandisdescribedin[39],seeFigure1.5.Thereexistsmanyvariantsofit,thefollowingdescriptionisthesimplest.TheconstructionofthepolynomialsQiisfastsinceitsucestoconsiderpolynomialsoftypeQi=p(x1;:::;xn)�p(v1;:::;vn)foranyp2Fq[x1;:::;xn].TheunderlyinghardproblemistheMultivariatePolynomialEquation(MPE)whichaskstondarootofasystemofmnon-linearpolynomialsinnvariables.ThisproblemisknowntobeNP-hard(evenifthepolynomi-alsarerequiredtohavedegreeatmost2),see[17],andthis 12Introductionndinganinterpolatingsparsepolynomialofhighdegreeandthelatestversion[30]NSSbasedonalatticeversionofNTRUgiveanideaofthenewtrendincryptographytryingtousenewcomputationalhardproblemstobuildone-waytrapdoorfunctions.7.ThefamousbutyetbrokenMerkle-HellmanKnapsack[59]isagoodexampleofpublickeycryptosystemthatwasrevealedtobeweakaftersomeyears,eventhoughtheschemeisbasedonanNP-hardproblem.Wehaveoneconcludingremarkconcerningtheeectiveuti-lizationoftheaboveprotocols.Asamatteroffact,symmetric-keyciphersneedshorterkeysthanpublic-keyciphersandtheyaremuchfasterinpracticethananycurrentlyacceptedpublic-keycryptosystem.Butpublic-keyciphersoersomethingsymmetric-keycryptosystemswillneverbeabletogive.Thisiswhycurrentcryptographicsystemsexploitthestrengthofeach.Ingeneral,public-keyencryptiontechniquesareusedtoestablishakeythatwillbeutilizedbythecommunicatingentitiesinasymmetric-keysystem.1.5Overviewandgoalofthisdisserta-tionThegoalofthisdissertationistostudyageneralizationoftheDis-creteLogarithmProblem(DLP)bothfromacryptographicandconceptualpointofview.Onemotivationistondnewinstancesonwhichnewcryptosystemscouldbebased,moreecientthanex-istingprotocols.Eventhoughnosuchexampleshavebeenfoundsofar,thisworkalsodefendstheideathatourgeneralizationcould 14Introductiondenedviamapsthatdonotappearasmatrices.Anexamplecomingfromthetheoryofellipticcurvesoverniteeldswithcomplexmultiplicationisstudied.Chapter5isentirelydevotedtothestudyofaclassofsemir-ings.Weprovethateachofthesesemiringsarec-simpleandthattheypossessanegligibleportionofinvertibleelements.AstudyoftheseobjectswiththehelpofLandau'sgfunctionshowstheexistenceof\large"commutativesub-semiring.Agraph-theoreticinterpretationofthesesemiringsisgivenandtwoabelianactionsareanalyzed.Theseactionsdonotreducetoknownproblemsandseemhardtosolve.However,weshowthattheDLPovercer-taingroups(e.g.non-singularellipticcurve)isstillamoredicultproblem.ChebyshevpolynomialsTnarethenstudiedfromaSAPpointofviewinChapter6.Indeed,wedenetheDiscreteChebyshevProbleminanyniteringRwithidentityandproveseveralequiv-alenceresults.WhenRisaniteeldoramatrixalgebraoveraniteeld,weprovethattheDiscreteChebyshevProblemises-sentiallyequivalenttotheDLPintheniteeld.Aclassicationtheorem(Theorem6.10)onmatricesM2Matn(F)thatpossesssquarerootsisproveninthedevelopment.WhenRistheringofintegersmoduloanRSAnumbern,theproblemisshowntobeatleastashardasfactoringn.TheMoufangloopsM(q)andPaigeloopsM(q)arethesubjectofthelastchapter.Afterhavingdenedtheseobjects,weprovethattheDLPinM(q)reducestotheDLPinFq.Addingtotheexponentiationanactionbyconjugation,weinvestigatethedicultyofanewaction.WemanagetoreducethislastactionessentiallytotheDLPinFqforalmostallcases,exceptwhenatraceconditionisnotfullled.Weexplainwhythislastcaseseems 16Introduction 18ExistingconstructionsbasedontheDLPProblem2.1[TheDiscreteLogarithmProblem-DLP]LetGbeanitecommutativegroup.Giventwogroupelementsa(thebase)andbsuchthatb2hai,nd06nord(a)suchthatan=b.Wedenotesuchannbylogab.Forcryptographicpurposes,wewillalwaysassumethatthegroupGispresentedinsuchawaythatmultiplicationiscomputa-tionallyeasy.Notethatthisrequirementmakesexponentiationfea-sibleaswellusingwell-knownmethodsoftypesquare-and-multiply(see[57]or[93]).ThedicultyoftheDLPstronglydependsonthetypeofgroupthatisused:itgoesfromeasytonon-feasible.ForinstancetheDLPintheadditivegroupofanyniteeldFqistrivialsincedivisioncanbeperfomedinpolynomial-time.However,theDLPinthemultiplicativegroupFqisadicultproblemaswellastheDLPinthegroupE(Fq)ofanellipticcurvedenedoveraniteeld.Infactthelatterismuchmoredicultthantheformerandintuitiontellsusthatthelessstructurethegrouphas,themorediculttheDLPwillbe.Thisisoneofthereasonwhywe'vedevelopedtheideasofthenextchapter.Inthesequel,by\DLPinFq",wewillmeanthattheproblemtakesplaceinthemultiplicativegroupoftheniteeld.Computingdiscretelogarithmsisessentiallycomputinganiso-morphismbetweenhaiandZord(a).Itisalsotruethatanyalgo-rithmthatcomputesdiscretelogarithmsinbaseacanbeusedtocomputediscretelogarithmsinanyotherbase2hai.TheknownalgorithmstosolvetheDLPcanbecategorizedasfollows:1.Algorithmsthatworkinarbitrarygroups,e.g.,Shank'sbaby-step-giant-stepalgorithm,Pollard'srhoalgorithm,Pollard'slambdaalgorithm. 20ExistingconstructionsbasedontheDLPoneofthepreviousalgorithmsineveryquotient.Then,usingtheChineseReminderTheorem,onerecoversthediscretelogarithmnmodulotheorderofa,whichisclearlysucient.TheoverallcomplexityofthePohlig-Hellmanalgorithmisdeterminedbythelargestprimefactorqoftheorderofaandthealgorithmhascom-plexityO(p qlog2q).Index-calculusmethodsarefasterthanthepreviousalgorithms.Theyusespecialpropertiesoftherepresentationoftheelements.Indeedoneneedstondafactorbaseinthegroupinordertoapplythemethod.Suchanobjectmaynotbepossibletonddependingonthegrouprepresentation.Forinstance,thereexistmethodstobuildfactorbasesinanyniteeld,primeornot,butthereisevidencethatsuchabasewillbeextremelydiculttondinthecaseoftheabeliangroupofanellipticcurveoveraniteeld(e.g.[39]and[60]).ThemostpowerfultooltosolvetheDLPinaniteeldisthenumbereldsieve([24]and[25])whichhasanexpectedrunningtimeofO(exp((c+o(1))(lnn)1=3(lnlnn)2=3))(2.1)wherecdependsontheniteeld(c=1:92foraprimeeld).Notethatthisrunningtimeisessentiallythesameastherunningtimeofthefastestknownalgorithmusedtofactornumbers.Letusdiscusstheconsequencesoftherunningtimesregard-ingthekeysizeN,whichisthesizeinbitsofthegroup:N=dlog2(jGj)e.Inagroupwherethebestknownattackisasquare-rootattack,thenthecomplexityofitisO(p jGj)=O(2N=2).InaniteeldFp,Equation2.1givesthecomplexityofthebestknownattackasroughlyexp(1:92(N)1=3(ln(Nln2))2=3)(neglect-ingtheconstantfactor).Inordertoreachsimilarlevelsofsecurity(c.f.[4]),ifwedeneNFptobethekeysizewhenusingthegroup 22ExistingconstructionsbasedontheDLP2.2TheDie-HellmanprotocolAsexplainedintheintroduction,theDie-HellmanprotocolisakeyexchangeprotocolbasedonthedicultyoftheDLPinnitecommutativegroups.TheconditionthatthegroupGbeniteprovidesaboundonthekeysize,thekeybeinganelementofthegroup.Intheirimportantpaper[12],DieandHellmanworkedinthegroupofinvertibleelementsofaprimeniteeldZpwithaprimitiveelementasthebaseoftheexponentiationfunction.How-evertheexistenceofsub-exponentialalgorithmtosolvetheDLPinthesegroups,asexplainedabove,ledMiller[60]andKoblitz[38]toproposetoworkwiththegroupE(Fq)ofrationalpointsofanellipticcurvewheresofaronlyagenericalgorithmisknownasasolution.LetusrecalltheprotocolforagroupG: 1)AgroupGandanelementg2Garemadepublic. 2)Alicechoosesa2f1;:::;ordgg,computesgaand sendsittoBob. 3)Bobchoosesb2f1;:::;ordgg,computesgband sendsittoAlice. 4)Theyusetheelementgab=(ga)b=(gb)aasacommon secretkey. Figure2.1:Die-HellmanprotocolinagroupG 24ExistingconstructionsbasedontheDLPNotethatthisprotocolisarandomizedencryptionsinceBobisfreetochoosekbeforeeachencryption.Inotherwordsamessagemwillbeencryptedindierentciphertextaslongasdierentvaluesofkarechosen.Theprotocoldoesnotusethepreviousone-waytrapdoorfunctionexactlybutrathertherestrictionofitforeachparameterkchosenbyBob.ThebasicRSAschemedoesnotgivethisopportunity,butthereisawaytomodifytheRSAalgorithmtoturnitintoarandomizedencryption.ThemaindisadvantageoftheElGamalencryptionisthatthereismessageexpansionbyafactorof2.Namelytheciphertextistwiceaslongasthecorrespondingplaintext.2.4OtheruseofDLPThedicultyoftheDLPingroupshasbeenusedinmanydierentkindsofcryptographicprotocol,otherthantheabovekeyexchangeandencryptionscheme.Indeedthereexistsseveraldigitalsignatureschemesbasedonit,aswellassomegroupkeyexchangeschemesandidenticationprotocols(c.f.[86]and[57]).Wealreadymentionedintheintroductionhowaone-waytrap-doorfunctioncanbeturnedintoadigitalsignatureschemeswithmessagerecovery.HoweverthefunctionsusuallyusedinRSAorElGamalwithoutmodicationyieldsignaturelengthsofthesameordersasthemessages,whichcanbeavoided.In1991theNa-tionalInstituteofStandardandTechnologyproposedastandard,theDSA,basedontheDigitalSignatureStandard(DSS)(c.f.[57]).TheDSAisbasedonthedicultyoftheDLPinasubgroupofthemultiplicativegroupofaniteeldFp.Althoughtobreakthesystemitwouldsucetonddiscretelogarithmsinthesmallersubgroup,inpracticethisseemstobenoeasierthanndingarbi- 26ExistingconstructionsbasedontheDLP 28Die-HellmanandElgamalfromsemigroupactionslogarithmprobleminthesegroups.Oursettingwillusethenotionofabeliansemigroupactingonaset.ThisabstractviewpointhasbeendevelopedincollaborationwithJ.RosenthalandC.Monicoin[52],[54]and[53].Itisinessencetheleastrequirementneededtoextendtheprotocolsstudiedinthepreviouschapter.Theideaofusingalgebraicstructuressuchasgroupsorsemigroupsactingonasetincryptographyisnotnew;indeedYamamura[92]hasbeenconsideringagroupactionofSl2(Z)onthecomplexplaneandBlackburnandGalbraithhavebeenstudyingthesystemin[3].Howeverourstandpointisdierentandyieldsotherprotocols.Denition3.1AsemigroupGisasetequippedwithanassocia-tivebinaryoperation(a;b)7�!ab.Thesemigroupisabelianifab=baforalla;binG.Anidentityeisanelementthatsatisesea=ae=aforallainG.Anelementaisinvertibleifthereexistsb2Gsuchthatabandbaareanidentity.Itisinterestingtonotethatthereexistmanymoreniteabeliansemigroupsthanniteabeliangroups.Forinstancethereare2abeliangroupsoforder4,and58abeliansemigroupswiththesameorder.Thesenumbersbecome2vs.11,545,843whentheorderis9(c.f.[27]).Howeverthenumberofniteabeliansemigroupsthatseemtobeofanyuseincryptographyseemstobemuchsmaller.Denition3.2LetGbeasemigroupandSbeaset.Thesemi-groupGactsonSifthereexistsamapGS�!S(g;s)7�!g
ssuchthattheequality(gh)
s=g
(h
s)holdsforallg;h2Gandalls2S.IfthesemigroupGisabelian,theactioniscalledaG-actiononS. 30Die-HellmanandElgamalfromsemigroupactions3.2ThecryptographicpointofviewWearenowreadytostatethegeneralizedversionoftheDie-Hellmanprotocolinthecontextofsemigroupaction: 1)AG-actiononanitesetSismadepublicaswellas anelementsinS. 2)Alicechoosesa2G,computesa
sandsendsittoBob. 3)Bobchoosesb2G,computesb
sandsendsittoAlice. 4)Theyusetheelement a
(b
s)=(ab)
s=(ba)
s=b
(a
s) asacommonsecretkey. Figure3.1:Die-HellmanprotocolwithaG-actiononSThesetSisniteinordertohaveaboundonthekeysize.SupposethesetScomeswithanextragrouplawdenotedby.ThenthereisalsoageneralizedversionoftheElGamalprotocolinthecontextofsemigroupactions,seeFigure3.2.Thesecurityoftheseprotocolsliesofcourseonmanyaspectsoftheparameters.Inthisperspective,thereisananalogueversionoftheDLPforsemigroupaction.C.Monico[62]rstdeneditasfol-lows: 32Die-HellmanandElgamalfromsemigroupactionswhenmoregeneralactionsareconsidered.Ofcourse,thereisananalogueversionoftheDie-HellmanProblemstatedintermsofsemigroup:Problem3.6[TheDie-HellmanSemigroupProblem]LetGbeaniteabeliansemigroup,Sanitesetand
asemigroupactionofGonS.Givenx;y;z2Swithy=g
xandz=h
xforsomeg;h2G,nd(gh)
x2S.3.3ThesecurityThesecurityoftheaboveprotocolsinthecontextofsemigroupactionsisofcourseacrucialrequirementintheirstudy.Asmen-tionedearlierthestrengthofthesecryptosystemsstronglydependsonthedicultyoftheSAP.ConsidertheDie-Hellmankeyex-changewithaG-actiononS.SupposeAlicehassentBobthesetelementa
s.Eveknowsthe\seed"sandthepublicelementa
s.IfsheisabletosolvetheSAPwithparameterssanda
s,sheisinpossessionofasemigroupelement~asuchthat~a
s=a
s.ShecannowretrievethecommonsecretkeyusingBob'spublicsetelementb
ssince~a
(b
s)=(~ab)
s=(b~a)
s=b
(~a
s)=b
(a
s)=(ab)
s:WehaveseeninChapter2thatthereexistmanydierentparam-eterstoconsiderinchoosinga\secure"groupwhendealingwithDie-HellmanandElGamal.Asamatteroffact,thegrouporderhastocontainaprimefactorlargeenoughtomakethePohlig-Hellmanattackuseless.WehavealsosketchedPollard'srhoal-gorithmthatprovidesagenericalgorithmforsolvingadiscretelogarithmprobleminexpectedrunningtimeofroughlyO(p q),q 34Die-HellmanandElgamalfromsemigroupactionswiththequotientmapfromGtoG=,whereisacongruencerelation.However,inanycase,congruence-freestructuresseemtobedesirable.Butitturnsoutthatthisrestrictedperspectiveisquitepoor,asshownbythefollowingtheorem.Theorem3.7IfGisanitecongruence-freesemigroupwithiden-tityandjGj�2,thenGisanitesimplegroup.Aproofcanbefoundin[32].AdirectconsequenceisthatifonewantstoreducethestudyoftheSAPtothecaseofnitecongruence-freeabeliansemigroup,thentheonlyexamplesaretheonewithG=Z=pZforsomeprimepsincethesearetheonlyabeliansimplegroups.Notethatifweallowthesemigrouptopossessazero,i.e.,anelement0suchthat0a=a0=0foralla2G,thenthesituationisnotbetter.Indeedeveryelementiseitheridempotentornilpotent,adirectconsequenceofthenexttheoremduetoTamura[88].Theorem3.8LetI=f1;:::;mgandJ=f1;:::;ngbenitesetsandPanmmatrixof1sand0ssuchthatnotworowsareidentical,notwocolumnsareidenticalandnoroworcolumnisidentically0.LetG=IJ[f0gandsupposeabinaryoperationisdenedonGby(i;j)(k;l)=(i;l)ifpjk=10ifpjk=0(i;j)0=0(i;j)=0:ThenGisacongruence-freesemigroupofordermn+1.Con-versely,everynitecongruence-freesemigroupwithzeroisisomor-phictooneofthiskind.Sinceidempotentandnilpotentelementsareuselessinourcon-text,onceagainthisrestrictedviewpointisnotgoodenough.This 36Die-HellmanandElgamalfromsemigroupactionsisnon-invertible.Therefore,inthecaseofageneralsemigroup,thelowerboundsofagenericalgorithmmaynotbeintherangeofthesquarerootoftheinputsize.However,ifthesemigrouppossessesa\large"sub-group,thenadecentupperboundcanstillbereached.LetG1=fg2Gjg�1existsgandG0=GnG1.Inanycaseonemaytrytondasolutionoftheequationy=g
xinG0byexhaustivesearch.Ifnosolutionhasbeenfound,thenonecanrestricttheSAPinstanceinGtotheSAPinstanceinG1,whichisagroup.WecanthereforeapplythePollard'ssquarerootattackdescribedearlier.ClearlythisalgorithmhasanexpectedrunningtimeboundedbyjG0j+O(p jG1
xj).Thisgivesthenextproposition.Proposition3.9LetGbeacommutativesemigroupactingonSandconsidertheSAPinstancewithparametersxandy=g
x.LetG=G0tG1bethepartitiondescribedabove.IfjG0j=O(p jG
xj)thenthereexistsanalgorithmtosolvetheSAPinstanceinexpectedrunningtimeboundedbyO(p jG
xj).Inotherwords,ifGisnot\far"frombeingagroupandtheorbitofxis,asexpected,relativelylarge,thenthereisstillasquarerootattacktotheSAP.Letusconsideranexampleofsuchasituation:Example3.10LetFbeaniteeldwithjFj=q,A2Matn(F)andF[A]beitsmatrixalgebra.LetGbethemultiplicativeabeliansemigroupofthisalgebraandweletGactonasetS.LetmA(x)betheminimalpolynomialofAandmA(x)=p1(x)e1
:::
pk(x)ekitsdecompositionintoirreduciblefactors.ThenF[A]=fg(A)jg2F[x]anddeg(g)deg(mA)gbecauseofCayley-HamiltonTheorem.UsingtheChineseRemain- 38Die-HellmanandElgamalfromsemigroupactionsHowever,ifminf@pi+@pjji6=jg�@mA 2;thensincekYi=1�1�q�@pi
=1+Oq�minf@pi+@pjji6=jgwehavethatG0=q@ma
1�1+Oq�minf@pi+@pjji6=jg6q@ma
O(q�@ma=2)=O(p F[A]):Noticethattherelationisalwaystruewhenn=1;2andis\often"truewhenn=3;4.Noteaswellthatthepreviousexampledoesnottakeintocon-siderationanyinformationonhowtheabeliansemigroupactsonS.ForinstancewhenF[A]actsonFnthensimplelinearalgebratoolssolvetheproblemcompletely(seeExample4.3).WhenF=ZpthenthereisanactionofF[A]onanyabeliangroupH:::HwithHoforderp.Thisisaspecialcaseofthe\matrixactiononabeliangroups"describedin[62];thisinstancealwaysadmitsasquarerootattack.WehaveusedthefollowingLemma:Lemma3.11LetRbeanitering.Thenanelementiseitherinvertibleorazerodivisor.Proof:Leta2R.SinceRisnite,thesequenceai,i2N,eventuallyrepeats.Thereexistsnmwithan=am,i.e.,an
(1�am�n)=0.Ifaisnotazerodivisor,thenam�n=1,i.e.,am�n�1istheinverseofa. 40Lineargroupactionssolvedeasily.Letusdescribethesituationmorespecically.LetF=Fqbetheeldwithqelements.SupposewearegivenanactionGS�!S,withGaniteabeliansemigroupandSaniteset,asemigrouphomomorphism:G�!Matn(F)(withmultiplicationasoperation)andanembedding :S�!Fnsuchthatforallg2G;s2Sonehas (g
s)=(g) (s):So(G)isacommutativesub-semigroupofMatn(F).LetF[G]bethecommutativesubalgebraofMatn(F)generatedbytheelementsof(G).Supposethereexistspolynomialtimealgorithmsthatcomputethevaluesofthesemapsandpolynomialtimealgorithmsthatcom-pute�1(M)foreachM2(G)and �1(v)foreachv2 (S).Thenexttheoremdoesnottakeinconsiderationthespeedofthesealgorithms.Itonlydescribeswhatcanbedoneatthelevelofthelinearalgebrawithouttakingconsiderationofthereductionitself.Theorem4.1LetG,S,and beasaboveandletk=dimFF[G].Then:1.ThereexistsapolynomialtimereductionoftheDie-HellmansemigroupProblem,DHSP,toalinearalgebraproblemoverFthatcanbesolvedinO(k2n+n3)eldoperations.2.LetN=jF[G]j=jGj.ThereexistsapolynomialtimereductionoftheSAPtoalinearalgebraproblemoverFthatcanbesolvedinO(N(k2n+n3))eldoperations.Proof:Letx,y=g
xandz=h
xbethreeelementsofSwithu,vandwtheirimagesinFn.WeconsidertheSAPinstancewithparametersxandyandtheDHSPinstancewithadditionalparameterz. 42Lineargroupactionsandb=[b1;:::;bn]tthenEquations4.2areequivalenttothefollowing:[Mi1uj:::jMinu]a=vand[Mi1uj:::jMinu]b=w;andthereforebothpossessasolutionthatcanbefoundbysolvingannsystemoflinearequationsinF.Iftheprevioussystemsdonoteachhaveasolution,thenwechooseanotherfamilyM1;:::;Mkandrestarttheprocess;thenumberoftri-alsisexpectedtobelessthan4byInequality4.1.ThereforewecanndthevectorsaandbinO(n3)eldoperations.ThematricesMg=(a1Mi1+:::+anMin)andMh=(b1Mi1+:::+bnMin)satisfyMgMh=MhMg;Mgu=vandMhu=w:Let=MgMhu=MhMgu.SinceMgu=(g)uandMhu=(h)u,wehave=MgMhu=(g)(h)u= ((gh)
x)=) �1()=(gh)
xwhichshowsthattheDHSPinstancecanbesolvedafteraresolutionofafamilyofproblemsthattakeO(k2n+n3)op-erationsoverF.2.ThematrixMgabovebelongsto(G)withprobability1=N.ThereforethenumberoftrialsbeforereachingthisstateisO(N).IfMg2(G),then~g=�1(Mg)isasolutiontothesemigroupactionproblemsince (y)=Mg (x)= (~g
x). 44LineargroupactionsLetbethecanonicalembeddingofPSL2(F)intoMat2(F)and :F[f1g�!F2with (z)=z1; (1)=10and �1ab=a=bifb6=01ifb=0Notethat �1( (s))=s.Wedonothave (M
s)=(M)
(s)butratherM
s= �1((M)
(s))whichisenoughtoapplytheprevioustheorem.Notethatsincen=2,k63andboththeSAPandDHSPareeasytosolve.Example4.5Thisexamplecomesfrominvarianttheoryover-niteelds,asanapplicationofthecontragradientmatrixactiononpolynomials.Hereisthesetting:wexaniteeldF=Fq,adegreed,andanabeliansub-semigroupGofMatn(F).LetVdbethevectorspaceoverFofpolynomialsinF[x1;:::;xn]oftotaldegreelessorequaltod.TheconsideredactionisGVd�!Vd(A;f(x))7�!A
f=f((Ax)t)wherex=[x1;:::xn]tandAxistheusualmatrixmultiplication.ThisactionislinearsinceA
(f+g)=A
f+A
g.IfN=dimFVdthenwecannaturallyimbedVdinFNafterhavingchosenthebasisB=fxe11:::xennjPei6dgofVd.Thismakesthemap easytocomputeandtoinvert.Forsakeofclarity,wesupposethatB=fv1=x1;:::;vn=xn;vn+1;:::;vNg.Wedenethemap:G�!MatN(F)asfollows:(A)ij=(A
vj)i= NYk=1 nXl=1aklxl!ek!iwherevj=xe11:::xenn.Sogivesthematrixrepresentationofthelinearmapinducedbytheactionsincethejthcolumnof(A)is 46Lineargroupactionsoperatorsf@igi=1;:::;kiscommutative.Withthis,itisapparentthatF[x1;:::;xk]hasthestructureofaF[@1;:::;@k]-moduleaswellasthestructureofaF-vectorspace.TheringF[x1;:::;xk]isinnitebutthefollowinglemmashowshowaniteversioncanbebuilt:Lemma4.7ConsidertheidealImF[x1;:::;xk]generatedbyxpmi�aifori=1;:::;kandai2F,i.e.Im=xpm1�a1;:::;xpmk�akF[x1;:::;xk]:Then@jImImforallj=1;:::;k.Proof:Letp(x)=kXi=1fi
(xpmi�ai)2Im.Then@j(p(x))=kXi=1@j(fi
(xpmi�ai))=kXi=@fi @xj
(xpmi�ai)+fi
pm
xpm�1i| {z }0+fi
(xpmi�ai)@v @xj=kXi=1@fi @xj+fi
@v @xj
(xpmi�ai)2Im Clearly,bythepreviouslemma,thealgebraF[@1;


;@k]actsonthequotientF[x1;


;xk]=Imwhichisnite.Wecannowdenetheparametersofthesemigroupaction.WetakeapolynomialvinF[x1;:::;xk]andconsider 48Lineargroupactionsforalla2R;thiselementisthenunique.Wewriteabfora
b.IfRhasamultiplicativeidentity,itisuniqueandwedenoteitby1R=1.Denition4.9AsemiringRiszero-sumfreeifa+b=0=)a=b=08a;b:Azero-sumfreesemiringpossessesnoelementsthatareoppo-sitesexcept0.Denition4.10AcongruencerelationonasemiringRisanequivalencerelationsuchthatab=)8��&#x]TJ ;� -1;.93; Td;&#x[000;&#x]TJ ;� -1;.93; Td;&#x[000;:acbccacba+cb+cc+ac+bforallpossiblechoiceofa,bandc.AsemiringRiscongruence-free,orc-simple,iftheonlycongruencerelationsareRRandf(a;a)ja2Rg.AnycongruencerelationgivesthesetR=anaturalstructureofsemiringandthequotientmapR�!R=becomesasemir-inghomomorphism.Thenextlemmagivesawaytobuildnewsemiringsfromexistingones.Weomittheproof.Lemma4.11LetRbeasemiringwith1andn2N.ThenMatn(R),thesetofnnmatriceswithentriesinRisasemiringwith1.Denition4.12LetRbeasemiringand(M;+)beacommuta-tivesemigroupwithidentity0M.Misasemi-moduleoverRifthereisa(left)action
ofRonMsuchthat(a+b)
m=a
m+b
m;a
(m+n)=a
n+a
manda
0m=0m; 50LineargroupactionsProof:ThestatementistrueifoneconsidermatriceswithentriesinZandtheusualmultiplication,i.e.thereexisttwopermutationmatrices(thereforewithentriesinf0;1g)suchthatM0=S
M
Pwith
beingtheusualmatrixmultiplication.Itisthenstraight-forwardtoverifythatthesameistruewiththeoperationinRbecauseofthepropertiesof0and1. Theorem4.14LetRbeanadditivelycommutativesemiringwith1and0andletbeacongruencerelationonMatn(R).Thenthereexistsacongruencerelation0onRsuchthatAB2MatnR()aij0bij;806i;j6n:Proof:Clearlythetheoremistrueifn=1.Supposen�1.Letf:R�!Matn(R)bethemapthatsendsa2Rtothediagonalmatrixwithrstdiagonalelementaandzeroseverywhereelse.Themapfisasemiringhomomorphism.Let0betherelationonRdenedbya0binRifandonlyiff(a)f(b)inMatn(R).Observethat0isacongruencerelationonR(seealso[62]).Weprovenowthatthestatementofthetheoremistruefor0.LetA;B2Matn(R)andJ=f(1).Let06i;j6nandSij;Pij2Matn(R)bepermutationmatricessuchthat(SijAPij)11=aijand(SijBPij)11=bij:NotethatthematricesSijandPijexistsinMatn(R)bythepre-viousLemma.ThereforeJSijAPijJ=f(aij)andJSijBPijJ=f(bij).Proofof): IfABthenJSijAPijJJSijBPijJandthereforeaij0bij.Proofof(: ClearlyA=Xi;jS�1ijf(aij)P�1ijandB=Xi;jS�1ijf(bij)P�1ij 52LineargroupactionswiththeusualactionofZsinceinthatcaseanyendomorphismofHisobtainasamultiplicationbyaconstant.Anothertrivialcaseappearswhenonechoosestheidentityasendomorphism.Thissettingisconceptuallynodierentfromthematrixactionoftheprevioussection.Howevertherearecasesofalgebraicgroupswhereendomorphismsdonotappearasmatrices.ExamplesaregroupsofellipticcurvesoverniteeldsormoregenerallytheJacobiansofabelianvarieties.Thissectionisdevotedtobringevidencethatthesituationwithellipticcurvesisnon-trivialandinteresting,althoughcompetitiveexamplesseemtobehardtond.NotethatTheorem4.1cannotbeusedsincethemapsand arehardtocompute.LetFqbetheniteeldwithqelementsandEanellipticcurveoverFqdenedbyitsWeierstrassnormalform0=F(x;y)=y2+xy+x3+ax2+bifcharF=2;y2�x3�ax�botherwise,wherea;b2Fqhavetosatisfysomediscriminantconditions.RecallthatthesetsE(Fqk)=f(x;y)2FqkjF(x;y)=0g[Oarenitecommutativegroups(c.f.[4],[56]andmoregenerally[84]).AllthegroupsE(Fqk)andtheirringsofendomorphismsarewelldened.TheringofendomorphismsEndEofE,i.e.thesetofallisogeniesfromEtoitselftogetherwiththezeromap,containsEndE(Fqk)forallkandhasoneofthefollowingforms[4,ChapterIII]:EndEisthemaximalorderinaquaternionalgebra,EndE=ZZwhereisacomplexalgebraicnumberofdegreetwolyingintheupperhalfofthecomplexplane.Suchcurvesaresaidtohavecomplexmultiplication. 54Lineargroupactions2.IfordP=dthen'(P)=[s]P()sk�10moddProof:1.c.f.[4,SectionIII.3.].2.If'(P)=[s]P,thensince'k=[1]overFqk,wehave0=[s]kP�[1]P=[sk�1]Pandthensk�10modordP.Clearlytheconverseistrue. ThepreviousLemmahasthefollowingconsequences:1.SincejE(Fqk)j=u2v,lkmustbedivisiblebyasquareinordertohaveacomplexaction.Fromacryptographicpointofview,thissquarecannotbenegligiblewithrespecttolk.IndeedareductioninthespiritofPohlig-HellmanwouldleadtotheresolutionoftheSAPintwosteps:rstmodulou2,i.e.,ausualDLPinacyclicgroupandthenmodulov,whichinordertobedicultforcesutoberatherlarge.2.TheintegerordPdividesuv.3.Tobuildcomplexactions,onecouldtrytondexamplesofcurveswherelkisdivisiblebyasquareandthentestfordierentpointsPif'(P)6=[s]P;8s2DwhereD=fsjsk�10modjPjg.Hereisanexampleofsuchacomplexaction.Example4.17Wechoosetheellipticcurveandprime:E:Y2=X3+86X+61;p=101: 56Lineargroupactionsdistributedintheinterval[q+1�p q;q+1+p q].Ontheotherhandtheintegerlkhastobedivisiblebyaratherlargesquare(c.f.consequence2.above).IfwexalowerboundB2forthelargestsquaredividinglk,followingSection18.6of[28],thenumberofintegerslessorequaltoxwhoseleastsquarefactorislargerthanB2isgivenbyr(x;B)=x�Xd6BQ(x=d2)=6x 2B+O(p x);xB;whereQ(y)countsthenumberofsquarefreeintegersnotexceedingy.Therefore,theprobabilitythatarandomintegerintheinterval[q+1�p q;q+1+p q]isdivisiblebyasquarelargerthatB2isr(q+1+p q;B)�r(q+1�p q;B) 2p q6 2B:Thismakestherandomsearchofsuchannumberintheintervalnon-feasibleforlargeB,sincetheexpectednumberoftrialbeforendingacandidateislinearinB.4.5ConclusionInthischapter,weprovedTheorem4.1whichgivesabasisforalllinearactionsoverniteeldsfromasemigroupactionpointofview.Exampleshavebeenpresentedtoexposeitsutility.Asaconsequences,atheoryofactionsinducedbysemiringactingonsemi-modulesispresented.Thenextchapterisentirelydevotedtoit.AnextensionofECDLPwasdenedusingtheFrobeniushomomorphismofellipticcurvesoverniteelds.Evidencethatsuchactionsarediculttondinarandommannerwasgiven. 58Aclassofc-simplesemirings+ 01 0 011 11
01 0 001 01Itisnotdiculttocheckthatitisacommutativec-simplesemiringwith1and0whichiszero-sumfree.Theoperationssatisfythefollowing:a+b=maxfa;bga
b=minfa;bg;i.e.(R;+;
)=(f0;1g;max;min).TheseoperationscanalsobedenedasOR/AND.Remark5.1ThesetR=f0;1;:::;mgwiththesamemax-minoperationsisalsoazero-sumfree,commutativesemiringwith1R=mand0R=0.Thisfamilyofsemiringsissometimescalledmax-minalgebras.Thenextdiscussionshowsthataslongasm�1,theyarenotc-simple.IndeedthefollowingequivalencerelationsonRarenon-trivialcongruencerelations.Letf0;1;:::;mg=Gi[ai;bi]beanon-trivialpartitionoff0;1;:::;mginsegments[ai;bi]=fxjai6x6big.Bynon-trivialwemeanthatthepartitionisnotreducedtoonlyonesegmentandatleastonesegmentcontainsmorethanoneelement.WedeneinRwithxy()9isuchthatai6min(x;y)6max(x;y)6bi:(5.1)Thentheequivalencerelationsdescribedabovegivethefollowingclassicationofcongruencerelationsinsuchasemiring:Proposition5.2Theequivalencerelationgivenin5.1isanon-trivialcongruencerelationinR=(f0;1;:::;mg;max;min).More-overanynon-trivialcongruencerelationinRisofthisform. 60Aclassofc-simplesemiringsThesemiringsRnhavebeenstudiedindierentcontexts.Sev-eralcomputationalaspectshavebeendevelopedbyM.Gavalecin[19],[20],[21]and[22].Thesepapersstudythequestionofcom-putingorbitperiodsinRnandorbitperiodsinRn1viatheactionofRn(seeDenition5.11andSection5.3).Thesequestionswillbeusefulinthefollowingdiscussion.ThesemiringsRnpossessacharacterizationusingorientedgraphtheory.LetGnbethesetoforientedgraphswithnverticesandatmostoneorientededgefromavertextoanother.Eachvertexisnumberedonceandforall.Wecandenetwooperationsand inGnasfollows:LetG1andG2betwographsinGn.ThenG1G2istheorientedgraphinGnsuchthatthereexistsanorientededgefromvertexitovertexjifandonlyifsuchanorientededgeexistseitherinG1orinG2.TheorientedgraphG1 G2possessanorientededgefromvertexitovertexjifandonlyifthereexistsavertexkwithanorientededgefromitokinG1andanorientededgefromktojinG2.ItisnotdiculttoseethatthereisabijectionbetweenGnandRngivenbytheincidencematrixofeachgraph.Moreprecisely,wedenetheincidencematrixmapasfollows:F:Gn�!RnG7�!M=F(G)withMij=1ifthereexistsanorientededgefromitojinG;0otherwise.NotethatthetransposeofamatrixMinRnistheincidencematrixofthethegraphobtainedbyinvertingallthearrowsofthegraphassociatedtoM.Infact,theoperationsand behavenicelywithrespecttothisbijection,asshowninthenextproposition: 62Aclassofc-simplesemiringsqqqq ? - - Nqqqq - 6 -=qqqq - - correspondto0BB@10100010000100001CCA
0BB@00000100100000011CCA=0BB@10001000000100001CCA;andqqqq ? - - Lqqqq - 6 -=qqqq ? - - - 6 -correspondto0BB@10100010000100001CCA+0BB@00000100100000011CCA=0BB@10100110100100011CCA: 64Aclassofc-simplesemiringsandingeneral,Prob(Misinvertible)n�1=2:ThenextcorollarygivesagraphtheoreticinterpretationoftheentriesofthepowersofanelementinRn.Recallthatthelengthofapathinadirectedgraphisthenumberofedges(countedwithmultiplicity)containedinthepath:Corollary5.9LetM2RnwithassociatedgraphG2Gnandk2N.Then(Mk)ij=8:1ifthereexistsanorientedpathoflengthkfromitojinG,0otherwise.HereisanotherkeypropertyofthefamilyofsemiringsRn:Theorem5.10ThesemiringsRnarec-simple.Proof:SinceR1isc-simple,theresultisaconsequenceofCorollary4.15. 5.2ElementswithlargeordersInthissectionwestudythe\sizes"oftheorbitofpowersofele-mentsinRn.NotethatsincethesemiringRnisniteanysequencefMkgk2Nwilleventuallyrepeat,i.e.,createacollisionoftheformMk=Mk0suchthatMk+t=Mk0+tforallt2N.Denition5.11Letabeasequenceinanitesetsuchthatan=am=)an+1=am+1.Theorderord(a)ofaistheleastpositiveintegermsuchthatthereexistsk6mwithak=am.Thepreperiodpr(a)ofaisthelargestnon-negativeintegermsuch 66Aclassofc-simplesemiringsItwasrststudiedbyLandau[40]in1903whoprovedthatln(g(n))p nln(n)asn�!1:(5.2)In1984,Massias[46]showedthatforsucientlylargen,p nln(n)6ln(g(n))6p nln(n)1+lnln(n) 2ln(n);(5.3)thesecondinequalityin5.3beingtrueforalln.Clearly,thefunc-tiongisincreasing.Italsosatisesanequalityrelatedtothemaximaldegreeoftheeldextensionneededtofactorizeapoly-nomialoveraniteeld.Indeed,ifFqisanyniteeldandKpisthesplittingeldofapolynomialp(x)theng(n)=maxf[Kp:Fq]jp2Fq[x];pofdegreeng=minf[K:Fq]janynnmatrixinFqisdiagonalisableinKg:Wewillnotneedtheseresultsandthereforewewillnotprovethem,butitisworthmentioningthattheresultofMenezesandWuin[58]ontheDLPinGln(Fq)isnottrivialmainlybecauseoftheexponentialgrowthofg(n).Inanycase,wehavemaxflcmfa1;::;amg;ja1j+:::+jamj=ng=exp(1+o(1))p nlnn:Ontheotherhand,theperiodofanySCCHG=F�1(M)islessorequaltojHjandXHSCCGjHj6n: 68Aclassofc-simplesemiringsTable5.1:SomevaluesofLandau'sfunctiong n g(n) Associatedpartition 256 4243057729190280 8,9,5,7,11,13,17,19,23, 29,31,41,43 512 70373028815644182n 1,1,1,4,9,5,7,11,13,17, 5899620 19,23,29,31,37,41,43,47, 53,59,61 1024 855674708268439827n 1,1,1,16,27,25,7,11,13, 7434193536488991600 17,19,23,29,31,37,41,43, 47,53,59,61,67,71,73,79, 83,89 hasperiod420inR19.0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB@010000100001100000000100000001000010000000000100000000000010000000000001000000000000100000001000000000000000001000000000000000000010000000000000000000100000000000000000001000000000000000000010000000000000000000100000000000010000001CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCA 70Aclassofc-simplesemiringsThesizeord(Miv)oftheorbitsequenceMiviscrucialsinceAlgorithm5.15solvestheSAPofthepreviousactionwithpa-rameterM;vandwinessentiallyO(ord(Miv))semiringoper-ation.Firstanotation:ForanyrectangularmatricesMandNofsamedimensionwithentriesinR1,M6Nmeansthatmin(mij;nij)=mij
nij=mijforalliandj.Algorithm5.15GivenM2Rn,v2Rn1andw=Pi2JMivforsomeniteJN,thisalgorithmndsasetIwithw=Pi2IMiv.1.SetI=;andt=1.2.IfPi2IMiv+Mtv6wandMtv66Pi2IMivthensetI �I[ftg.3.IfPi2IMiv�wthenoutputIandstop.4.Sett �t+1andgotostep2.Remark5.16TheconditionMtv66Pi2IMivinstep2.isnotnecessaryinordertomakethealgorithmwork.HoweveritgivestheinsurancethattheindexsetIdoesnotcontaintoomanyindicesthatareuseless.Afterkloops,thealgorithmhasbuiltasetofindicesIkwiththepropertyPi2IkMiv6w.Loopk+1strictlyincreasesIkifandonlyifthevectorMk+1v+Pi2IkMivhaschangedfromPi2IkMivandhasthepropertyMk+1v+Pi2IkMiv6w.Thealgorithmes-sentiallytestscombinationsoftypePi2IMivandcombinesthoseforwhichPi2IMiv6w.Thesearchbeingexhaustive,theal-gorithmmuststopbeforeord(Miv)+1loops.Letusstateonceagaintheresult: 72Aclassofc-simplesemiringsii)OnecouldtrytondavectorvleadingtoasequenceMivwithlargeorder,saythesameorderasM.ButitturnsoutthatthissearchproblemisNP-hard.IndeeddecidingiftheorderofM2RncanbereachedbytheorderofsomesequenceMivisaNP-completedecisionproblem[19].5.4Atwo-sidedmatrixmultiplicationac-tionLetRbeanadditivelycommutativesemiringwith0and1.AsusualifM2Matn(R),thenR[M]isthemultiplicativelycommu-tativesemiringgeneratedbyMinMatn(R),i.e.,thesetofallpoly-nomialp(M)inMwithcoecientsinR.LetM1;M22Matn(R)andconsiderthefollowingaction:(R[M1]R[M2])Matn(R)�!Matn(R)((p(M1);q(M2));A)7�!p(M1)
A
q(M2):Thisactionislinearsincep(M1)
(A+B)
q(M2)=p(M1)
A
q(M2)+p(M1)
B
q(M2):Becauseofthislinearity,weavoidthecasewhenRaniteeld(seeTheorem4.1)eveniftheinitialSAPinstancerelatedtothissemigroupactionlooksdicult.Indeed,anaiveapproachwouldleadtotheresolutionofafamilyofquadraticequationsoveraniteeld.Asmentionedintheintroduction,thisproblemisNP-hardingeneral.Inthesequel,wechoosetoworkwiththec-simplesemiringsRn.Inparticular,bypolynomialinR1wemeananyexpressionoftypePi2IxiforsomeniteIN.OnceagaintheordersofthematricesM1andM2chosentoactonthematrixAontheleft 74Aclassofc-simplesemiringsThisassumptionisreasonable.First,computationalsearchshowedthatthesetStendstobequitesmallincomparisontoord(M1)
ord(M2).Second,C.Monico[61]hasdevelopedanal-gorithmthatseemstoverifytheassumption.5.5ThechoiceoftheparametersThepreviousactionledtoaninterestingsemigroupactionprob-lem.Indeed,asimplicationoftheprobleminthespiritofPohlig-Hellmanattackisavoidedbythefactthattheproblemtakesplaceinac-simplesemiring:nocongruencerelationexistsinthesetweareworkinginthatcouldbeusedtosimplifytheresolutionoftheSAP.Ontheotherhand,wehaveseenthatthenegligibleproportionofinversesinRnmakestheknownsquare-rootattacksnon-reproducibleinthiscontext,evenconceptually.WediscussnowthecomplexityofsolvingthesemigroupactionproblemofthelastsectionwithrespecttothesizeoftheinputandtakinginconsiderationtheassumptionthatthereexistsanalgorithmthatsolvestheSAP,withparameterM1;M2andAasabove,inexpectedrunningtimeO((ord(M1)
ord(M2))d)asinEquation5.4.Moreover,wewillassumethatthematricesM1andM2havebeenchosenwithlargeordersusingProposition5.13,i.e.,ord(M1)=ord(M2)=exp(1+o(1))p nln(n)ForxedmatricesM1;M2andA,theinputsizeofBisclearlyn2ifnoassumptionismaderegardingtheproportionof0'sand1'sinB.Therefore,buildingacryptosystemonthisSAPwouldleadustoconsiderkeyswithsizeofN=n2bits.UsingthepreviousassumptionswearetoconsideranalgorithmthatsolvestheSAP 76Aclassofc-simplesemiringsTable5.2:NFpandN NFp N 256 6892 512 19111 1024 52475 withsparsematricesinsteadoffullones.SupposethatwechoosethematricesM1;M2andAassparsematrices.Wehaveseenthatevenwiththisrestriction,thematricesM1andM2canstillhavethedesiredorders.ThenifonechoosessparsepolynomialpandqwecertainlygetamatrixBwhichissparseaswell.Hereisapos-siblechoice:takeAanypermutationmatrixinRn,chooseM1andM2twopermutationmatricesinRnwithlargeordersandrestrictthechoiceofthepolynomialspandqtopolynomialswithexactlykmonomialseach.SinceanymatrixofthetypeMs1
A
Mt2isalsoapermutationmatrix,thematrixB=p(M1)
A
q(M2)=Xi;j=1:::kMsi1
A
Mtj2willhaveatmostk2onesineachrow,i.e.,thematrixBcontainsatmostk2nones.Aslongask=o(p n),thematrixBissparse.Nowcomesthequestionofthenumberofbitsneededto\describe"suchanobject.Arstwayissimplytousethesetofcouples(i;j)suchthatBij=1.Thismethodissimpleandonecaneasilyencodesuchamatrixusingk2npairs,eachofthembeingapairofnumbersoflog2(n)bit-length.Theoverallbit-lengthneededtocompletelydescribeBusingthismethodisNs=O(k2nlog2(n)).Infactmorecanbesaid.WecanseeBasarandomvariableofwordsmadeoutofthesymbols0and1,wherethesymbol1appearsindependently 78Aclassofc-simplesemiringsthepolynomialpandqusedintheactionpossesseachkmonomi-als.ThenanymatrixB=p(M1)
A
q(M2)canbeencodedwithNs=nk2log2(n)bitsandunderAssumption5.19,thereexistsanalgorithmthatsolvestheprobleminexpectedtimeboundedbyOexp(+o(1))p Nswhere=p 2d p ln(2)kandd2N.Letusdiscusstheconsequencesoftheboundgivenbytheprevi-ousproposition.SupposethatAssumption5.19yieldsanalgorithmthatsolvetheSAPintimelinearinord(M1)
ord(M2),i.e.,d=1inthepreviousproposition.Onceagainthissuppositionputusonasafesideregardingthepowerofanadversarywillingtobreakacryptosystembasedonthedicultyofthesemigroupactionprob-lem.Soifd=1then=1:69
k�1.TheboundofProposition5.21behavesnowmoreliketherunningtimeofthefastestknownalgo-rithmthatsolvesDLPsinniteeldthantheboundofProposition5.20,andevenprovidesabiggerupperboundasymptotically.Inotherwords,forlargen,thenewsituationseemstobecompeti-tivewithcryptosystemsbasedonthedicultyoftheDLPinniteeldsandRSA.Atthispoint,wemustmakeclearthatthisdiscussionisvalidonlyifnofasteralgorithmthatsolvestheSAPisknown.Prudencetellsusthatsuchasuppositionmaynotbetrue.Moreover,evenforsmallvaluesofk,thesamelevelofsecurityforcryptosytemsbasedontheDLPoverFpandbasedonthedif-cultyoftheprevioussemigroupactionproblemisnotreachedfortheusualvaluesofthekeysize.Notethatasimilarlevelofsecurityisobtained(neglectingtheconstantfactor)whenNs=1:27
k2
N2=3Fp
ln(NFp)4=3: 80Aclassofc-simplesemirings 82ActionsinducedbyChebyshevpolynomialsdenethem.First,usingdeMoivre'sformulacos(n)+isin(n)=(cos+isin)n=nXk=0nkikcosn�ksinkandcollectingtherealparts,wehavecos(n)=bn=2cXl=0n2l(�1)lcos2l
(1�cos2)l:Denition6.1Forallnon-negativeintegersn,thenthChebyshevpolynomialTnisTn(x)=bn=2cXl=0n2l(�1)lx2l
(1�x2)l:TherstChebyshevpolynomialsareT0(x)=1T1(x)=xT2(x)=2x2�1T3(x)=4x3�3xT4(x)=8x4�8x2+1ClearlythepolynomialsTnhaveintegercoecients,andsatisfytheequationTn(cos())=cos(n)whichwillgiveProperty1.below.TheyalsosatisfyTn(1)=1andTn(�1)=(�1)n.GivenaringRwithunity1R,onecanalwaysseeTn(x)asapolynomialwithcoecientinRbyusingthewelldenedringhomomorphismfromZ[x]toR[x]inducedbythehomomorphismdenedviathecanonicalhomomorphismfrom 84ActionsinducedbyChebyshevpolynomialsAproofcanbefoundin[41].Property2.givesthefollowingpropositionthatcharacterizethecomputationalcomplexityoftheevaluationofTn(a):Proposition6.4LetRbearingwithunity,abeanelementinRandnbeaninteger.ThecomputationofTn(a)canbereducedtoO(log2(n))arithmeticaloperationsinR.Proof:Property2.gives01�12a
Tn�2(a)Tn�1(a)=Tn�1(a)Tn(a);andbyinduction,01�12an�1
1a=Tn�1(a)Tn(a):Byrepeatingsquare-and-multiplymethod,O(log2(n))matrixmul-tiplicationssucetocomputetheleft-hand-sideandthereforeTn(a).Indimension2,amatrixmultiplicationcosts8multiplicationsand4additions,whichkeepsthecomplexitytoO(log2(n))arithmeticaloperationsinR. LetusnowdenethesemigroupactioninducedbytheCheby-shevpolynomials.LetRbeaniteringwithunity.TheChebyshevactiononRisthemapNR�!R(n;a)7�!Tn(a)Thismapisasemigroupactionby(N;
)onRbecauseofProperty1.above.Thepreviouspropositionshowsthatthisactioniscom-putationallyfeasibleifarithmeticisfeasibleinR.NamelythereexistsapolynomialtimereductionofcomputingthevalueofTn(a) 86ActionsinducedbyChebyshevpolynomials6.2ThediscreteChebyshevprobleminniteeldsInthissectionweconsiderthecasewhereR=Fq,theniteeldwithq=pdelements.TheissueistodetermineifChebyshevpolynomialsbehaveinniteeldsinamannerthatfulllscrypto-graphicrequirementssuchasmixingpropertyanddicultyoftheunderlyingmathematicalproblem.Arstthingtonoteisthatcharacteristic2hastobeavoided.Indeed,usingProperty2.of6.2,weseethatTn(x)mod2=1ifnisevenxifnisoddTherefore,wewillalwaysassumethatp6=2.Next,mostofCheby-shevpolynomialshaveanicemixingpropertyinsuchalgebraicstructure.Moreprecisely,wehave:Proposition6.6Letnbeanintegerandq=pd.Then(n;q2�1)=1ifandonlyifTn2Fq[x]isapermutationpolynomial,i.e.,thefunctioninducedbyTnonFqisapermutation.Aproofcanbefoundin[41]asaspecialcaseofTheorem9.43.NowcomethequestionofdeterminingthedicultyofthediscreteChebyshevprobleminaniteeld.ItturnsoutthattheproblemiscomputationallyequivalenttotheDLPinFq,aslongasp6=2(Corollary6.8below).Thereforethisactiondoesnotyieldsomemoresecuresystem,butrathergivesanotherpointofviewofthelongstandingDLPinniteeldsofoddcharacteristic.AkeypointintheequivalenceisthefactthatSQROOTisaneasyprobleminanyniteeld.IndeedthereexistsarandomizedalgorithmtosolveSQROOTinFqthathasanexpectedrunningtimeofO((log2q)4)bitoperations.TheideaofitgoesbacktoA.Tonelliinan1891 88ActionsinducedbyChebyshevpolynomialssub-groupgeneratedbya.Letusdenetheelementsxandyasfollows:x=1 2(a+a�1)andy=1 2(b+b�1):BecauseofProperty3.of6.2,y=Tn(x)isequivalentto1 2(b+b�1)=1 2(an+a�n);i.e.,b�an=1 an�1 b=b�an ban;whichisequivalentto(b�an)
1�1 ban=0:Theequalityisfullledifandonlyifeitheran=boraq�1�n=b.AfterhavingsolvedthediscreteChebyshevproblemwithparame-tersxandy,wehaveanintegern0thatfullledoneofthepreviousequalities.Ifan0=bthenwedenen=n0andifaq�1�n0=bthenwedenen=q�1�n0.InbothcasestheDLPisreducedtothediscreteChebyshevproblemwithparametersxandy. Corollary6.8LetFqbeasabove.ThediscreteChebyshevprob-lemandtheDLPinFqarecomputationallyequivalent.Proof:Thereremainsonlyonereductiontostudy.ThepreviouspropositionshowsthatthediscreteChebyshevproblemsinFqisatmostashardastheDLPinFq2.WehaveseenthatthePohlig-HellmanreductionsolvestheDLPinFq2bysolvingafamilyofDLPsinquotientsofFq2andtheoverallcomplexityisdeterminedbythelargestprimedividingq2�1=(q�1)(q+1).Thislargestprimeislessthan(q+1)=2,i.e.,theproblemisnomoredicultthattheDLPinFq,computationallyspeaking. 90ActionsinducedbyChebyshevpolynomialsthatdoesnothaveasquarerootinanyeld.Letusrecallthenotionneededtostateandprovethetheoremofclassicationofmatricesthataresquares.Thistheoremisnotfundamentallyuse-fulinourcontextsincewewillseethatinfactthediscreteCheby-shevprobleminMatn(Fq)isnomoredicultthantheDLPinsomesmallextensioneldofFq,buttheresulthasanintrinsicmathematicalvalueanddeservesassuchtogureinthesepages.AJordanblockoforderdcorrespondingto,J(;d),isanupper-triangularsquarematrixofdimensiondwithsinthemaindiagonal,1'sintherstupper-diagonaland0'severywhereelse.TwomatricesAandBwithentriesinaeldFareequivalent,writtenAB,ifthereexistsaninvertiblematrixSwithentriesinFsuchthatA=SBS�1.Inaddition,Jordan'stheoremsaysthatifthecharacteristicpolynomialofamatrixAsplitinFthenAisequivalent(asamatrixinMatn(F))toamatrixoftheformDiag(J(1;d1);:::;J(k;dk))=0B@J(1;d1)0...0J(k;dk)1CA(6.1)where1;:::;karetheeigenvaluesofA(notnecessarilydistinct)andPki=1di=n.Thismatrix,theJordancanonicalform,isuniqueuptoapermutationofthecomponentJordanblocks(seee.g.[9]or[31]).Lemma6.9LetFbeaeldandZ2Matn(F)havingallitseigen-valuesinF.ThenforeacheigenvalueofZandallintegerk�1,thenumberofJordanblocksJ(;d)withd�kisrank(Z�I)k�1�rank(Z�I)k:HencethenumberofJordanblocksofsizeexactlykisrank(Z�I)k+1�2rank(Z�I)k+rank(Z�I)k�1 92ActionsinducedbyChebyshevpolynomialsClearlyM2=J(;d)ifandonlyif(M2)1j=(J(;d))1;j.Thisequalityholdsifandonlyif(M2)11=a21=;(M2)12=2a1a2=1andforallj�3(M2)1j=jXi=1aiaj�i+1=0:(6.2)Letin Fwith2=.Ifa1=theninordertosatisfytheaboveequations,a2=(2a1)�1andonecandenebyinductioneachaj,j�2,usingtheknowledgeofthepreviousa1;:::;aj�1sinceusingEquations6.2,aj=1 2a1j�1Xi=2aiaj�i+1:Hence,thematrixMcanbebuiltandJ(;d)isasquare.Proofof2):First,wedeneZasZ=J(0;l)2=0BBBBBB@001:::000.........10001CCCCCCA:ThegoalistondtheJordancanonicalformofZ.Clearlyallitseigenvaluesare0.ItsucestodeterminethesizeofitsJordanblocks.Forall16k6bl=2c,Zkisamatrixwith1sinthe2kth 94ActionsinducedbyChebyshevpolynomialsAlltheeigenvaluesofthismatrixare2andasbefore,letusndthesizeoftheJordanblocksassociatedtoit.IfW=J(;l)2�2
I,thenW=Z(c.f.2))andthesameresultisstilltrue.Thisproves3).LetMbeamatrixwithN=M2,i.e.,MDiag(J(1;d1);:::;J(k;dk));NDiag(J(1;d1)2;:::;J(k;dk)2):IfcharF=2thenweapply3)toeachJordanblockwithdi�1andifcharF6=2thenweapply2)toeachJordanblockassociatedto0withdi�0.Ineachcaseweseethattheconditionsstatedinthetheoremarenecessary.Toseethattheyarealsosucient,supposethattheJordancanonicalformofNsatisesthem.Withoutlossofgenerality,wecanassumethatNDiag(J1;J2;J3)where:J1isablockthatcontainsalltheJordanblockswithnon-zeroeigenvalues(ifany)placedsuchthattheelementsofeverycouple(J(;d);J(;d))or(J(;d);J(;d�1))areconsecutive,J2containsalltheJordanblockswitheigenvalueszeroplaced(ifany)suchthattheelementsofeverycouple(J(0;d);J(0;d))or(J(0;d);J(0;d�1))areconsecutive,andnallywhereJ3isadi-agonalmatrix.IfcharF6=2:Becauseof1),thereexistsablockM1,builtfromma-triceswhosesquarearetheJordanblocksofJ1suchthatM21=J1.Becauseof2),thereexistsablockM2,builtfrommatriceswhosesquarearetheJordanblocksofJ2suchthatM22=J2.J3beingdi-agonal,thediagonalmatrixM3whosediagonalelementsaresquarerootsofthediagonalelementsofJ3satisesM23=J3.ThereforeDiag(M1;M2;M3)2=Diag(J1;J2;J3)andNisequivalenttothe 96ActionsinducedbyChebyshevpolynomialsandtheproblemofndingnsuchthatTn(a)=bsimplyreducestondnsuchthatT0n(1)=b22.Lemma6.13Foralln�1,Tn(1)0=n2andTn(�1)0=(�1)nn2.Proof:Theproofisaninductiononn.First,thestatementistrueforn=1;2;supposeitistrueforallk6n.ThenusingProperty2.of6.2andtheinductionhypothesis,wehaveT0n+1(1)=2Tn(1)+2T0n(1)�T0n�1(1)=2+2n2�(n�1)2=(n+1)2:Theproofisthesamewith�1. Now,itisclearthatthediscreteChebyshevprobleminanyniteeldwiththisparticularaisaneasyproblem,sinceitsucestosolven2=b22inordertosolvethisinstanceofdiscreteChebyshevproblem.ThisparticularexamplealsogivestheideathatanydiscreteChebyshevprobleminMatn(Fq)willalwaysboildowntoeitherasquarerootprobleminFqorseveralDLPinsomesmallextensioneld.Indeed,ifthematrixapossessesasquareroot,thentheproofofProposition6.7showsthatitsucestosolveaDLPinMatn(F)whereFisasmallextensioneldsofFq.Ontheotherhand,ifthematrixadoesnotpossessasquarerootinanyeldextensionthenbecauseofTheorem6.10,ithasatleastoneJordanblockofdimensionatleast2associatedtotheeigenvalue1.UsingJordandecompositiontechniquesandthefactthat(e.g.[16])Tn(J(1;d))=0BBBBBB@Tn(1)T0n(1)Tn(1)T0n(1)...0...T0n(1)Tn(1)1CCCCCCA; 98ActionsinducedbyChebyshevpolynomialstheproofofProposition6.7isclearlynotcomputationallyfeasi-blebecauseofthedicultyofSQROOT.ThereforethediscreteChebyshevprobleminRseemstobedierentthantheDLPinR.Foranintegerb,anyintegere6=0withthepropertythatbe1modniscalledanexponentforbmodulon.HereisakeypointofthisstudybasedontherelationshipofcomputationofexponentsandDLP:Lemma6.15LetnbeanRSAnumber.Ifthereexistsapolyno-mialtimealgorithmthatprovidesforeachb2Znanexponentforbmodulon,thenonecanfactorninexpectedpolynomialtime.TheLemmaisanextensionofaresultof[1]andisinessenceTheorem6.6of[56].ThisresultisusuallyusedinthereductionofthefactoringproblemtotheDLPinZn.Theorem6.16LetnbeanRSAnumber.Then1.IfonecanfactornandsolvetheDLPmoduloeachprimefactorofninpolynomialtime,thenonecansolvethediscreteChebyshevprobleminZninpolynomialtime.2.IfonecansolvethediscreteChebyshevprobleminZninpoly-nomialtime,onecanfactorninexpectedpolynomialtime.Proof:Theproofof1.comesfromthefeasibilityofthereductionofthediscreteChebyshevproblemtotheDLPusedintheproofofProposition6.7(NotethatsincenisanRSAnumber,nisoddand1 2hasameaning).LetusnowprovethesecondpointbyshowingthatifonecansolvethediscreteChebyshevprobleminpolynomialtimethenonecanndeitherexponentsmodulonorafactorization 100ActionsinducedbyChebyshevpolynomials6.5ConclusionInthischapter,wehavestudiedtheactionofChebyshevpolyno-mialsondierentniteringsR.WehavestudiedthedicultyofthediscreteChebyshevproblemintheserings.1.WhenR=Fq,wehaveshownthatthediscreteChebyshevproblemiscomputationallyequivalenttotheDLPinFq.2.WhenR=Matn(Fq),WehaveshownthatthediscreteCheby-shevproblemisnomoredicultthantheDLPinsomesmallextensioneldofFq.3.WhenR=Zn,withnanRSAinteger,wehaveshownthatifonecansolvethediscreteChebyshevprobleminpolynomialtime,oncanfactorninexpectedpolynomialtime. 102PaigeloopsandsemigroupactionproblemsItcanbeshownbyastandardargumentthattheneutralele-mentisunique.Theimportantpointinthepreviousdenitionistheabsenceofrulesconcerningtheassociativityofthebinaryoper-ation.Aloopisassociativewhenitisspeciedthattheassociativelawappliestotheoperation.Evenwithoutthisrequirement,looptheoryisveryclosetogrouptheory.Thenextconceptsareexam-plesofsuchasimilarity.Aloophomomorphismisdenedinthesamewayasingrouptheory.Asub-loopPofaloopLisasubsetofLthatisclosedundertheoperationandsuchthattherestrictionoftheoperationgivesPthestructureofaloop.Asub-loopPisnormalifaP=Pa;(aP)b=a(Pb);a(bP)=(ab)Pforalla;binL.AcongruencerelationinaloopLisanequivalencerelationsuchthatab=)acbc8c2L;cacb8c2L:Thisnotionisclosertothenotionofcongruencerelationingroupsthaninsemigroups.Indeed,thefollowingpropositionshowsthatbothareequivalent,contrarytothecaseofsemigroupswherethenotionofc-simplicityhadtobecreatedtocapturetheessencewewerelookingfor.Proposition7.2LetLbealoop.IfPisanormalsub-loopofLthentherelationsuchthatab()a2bPisacongruencerelationinL.Reciprocally,ifisacongruencerelationinL,thenP=fa2Ljaegisanormalsub-loopofL.Sincenoproofofthisresulthasbeenfoundintheliteratureandbecauseofitsimportancefromourpointofview,wegivehereaproofofit: 104PaigeloopsandsemigroupactionproblemsProposition7.5LetMbeaMoufangloop.Then1.AnytwoofthethreeMoufangidentitiesimplythethird.2.EveryelementinMhasauniqueboth-sidedinverse.3.(MoufangTheorem[63])Leta;b;cbeelementsinM.Thesmallestsub-loopcontaininga;b;c,ha;b;ci,isassociativeifandonlyif(ab)c=a(bc).4.Anysub-loopthatistwo-generated,i.e.,oftypeha;bi,isas-sociative.Thus,itisagroup.Statement4:ofthepropositionshowsthattheorderordxofanelementxinaMoufangloopiswell-dened.Wearenowreadytodenethemainsubjectofthischapter:Denition7.6AMoufangloopMisaPaigeloopifitisnon-associative,niteandsimple.Statement2:ofProposition7.5showsthatPaigeloopscanbeconsideredassimplegroups,withouttheassociativelaw.NotethatbecauseofTheorems3.7and3.8,studyingsimplenon-associativeobjectsis\alastchance"todiscoverinterestingactionsfromcon-ceptuallynewobjects.PaigeloopshavebeendiscoveredbyL.Paigein1956[67]whoconstructedsuchaloopbasedoneveryniteeldFq.Thirtyyearslater,M.Liebeck[44]provedthattherearenootherPaigeloops.WewilldenotetheuniquePaigeloopconstructedoverFqbyM(q),asin[89].ThefollowingconstructivedescriptionofM(q)isduetoM.Zorn. 106PaigeloopsandsemigroupactionproblemsAneasyargumentshowsthatifanelementxpossessesaninverseinZ(q),thenx�1=xordx�1.AlltheelementsinZ(q)withnonzerodeterminantformaMoufangloop,aswellasallelementswithdeterminant1.LetusdenotethislatterloopbyM(q).Theneutralelementisclearlye=1(0;0;0)(0;0;0)1andthesetfe;�egistheuniquenormalsub-loopofM(q),whichisalsothebiggestcommutativeandassociativesub-loopofM(q)[89].Denition7.7ForeachniteeldFq,thePaigeloopM(q)isdenedasthequotientloopM(q)=,whereisthecongruencere-lationinducedbythenormalsub-loopfe;�eggivenbyProposition7.2.ItwillbeconvenienttoworkwithM(q)insteadofM(q),keep-inginmindthattheoperationsaretobeconsideredmodulo.Fromacomputationalpointofview,workingeitherinM(q)orinM(q)isequivalent.Indeed,foreachclassinM(q),thereisatmosttwopossibleelementsinitinM(q)andeachcomputationinM(q)canbeliftedtoatmosttwocomputationsinM(q).L.PaigegavethecardinalityofM(q)[67]withjM(q)j=(q3(q4�1)ifqiseven,q3(q4�1) 2ifqisodd.P.VojtechovskyshowedthatanyPaigeloopisthree-generated,i.e.,isoftypeha;b;ci,andgavedierentfamiliesofgenerators[89].ThetraceofanelementintheZornalgebraisdenedbytrab=a+b: 108PaigeloopsandsemigroupactionproblemsLemma7.9LetxbeinM(q)andy2hxi.Thenx=ab=)y=cssdforsomec;d;s2Fq.If==0,thenbysettings=0,everyelementy2hxihasauniquerepresentationasabove.Proof:UsingtheZornmultiplicationformula(7.1)andthefactthat==0,itiseasytocheckbyinductiononnthatabn=cnsntndn(7.2)withcn;dn2Fq[a;b;
]andsn;tn2Fq[a;b].Inparticular,thecoecientssnandtndonotdependontheparametersand.Thuswemayreplace;byanyothervariablesandthevaluesofsnandtnwillnotchangein(7.2).Thereforesntn=a11bnandtheright-hand-sidebeingasymmetricmatrix,sn=tnforalln.Thelastpartofthestatementisclear. Proposition7.10LetxandybeasinLemma7.9anddene!:hxi�!L2(q)by!(y)=!cssd=cs
sd:Then!isaninjectivegrouphomomorphism.Proof:First,!iswelldenedbyLemma7.9.Astraightforwardcomputationshowsthat!isagrouphomomorphism.ItisalsoinjectivesincetherepresentationofyinLemma7.9impliesthat!(y)=1L2(q)=)y=e: 110PaigeloopsandsemigroupactionproblemspresentedintheprevioussectionliesintheresolutionoftheDLPinSL2(Fq)thatcanbeaccomplishedusingtheeigenvaluesofthematricesinthislineargroup.Here,usingconjugation,weavoidthepossibleuseofthehomomorphism!.TheuseofM(q)insteadofM(q)isjustiedmainlybecauseoftheabsenceofchoiceofclasselements.Sinceeveryclasspossessesatmost2elements,theuseofM(q)hasnocomputationalconsequences:M(q)isnotsimple,butitisuptoaquotientbyfIg.LetCbeacommutativeandassociativesub-loopofZ(q).ForexampleC=hziorC=faz+beja;b2Fq;det(az+be)6=0g:Thenthecurrentactionwillbethefollowing(c.f.Example3.4):(CZ)M(q)�!M(q)(c;n);g7�!cgnc�1(7.3)NotethattheconjugationusesthefullpoweroftheZornmulti-plication,i.e.,theproductcgnc�1makesappearthe\twist"ofthevectorproductin7.1.Noteaswellthattheconjugationiswellde-nedaccordingtoMoufang'stheorem.Indeedthesub-loophc;giistwo-generated,andtheoperationisassociativeinsideit.Wewantheretopointoutthatthesituationisdierentthanwhentheactualobjectsarematricesoverelds.ThepossibilitytotransformamatrixintoatriangularoneviaconjugationcanbeusedoverGl2(F)inordertosolvetheanaloguesemigroupactionproblemof7.3inthisalgebraicgroupsolvingatmosttwoDLPsinF.Indeed,ifabcdn=rstuandabcd=Mw0M�1 112Paigeloopsandsemigroupactionproblems2.Ifqisodd,thenthesequencefungn2Nsatisesun=2=Tn(=2)whereTnisthenthChebyshevpolynomialandisasabove.Proof:1.ByProposition7.8andEquation7.4,wehave0=tr(gn(g2�tr(g)g+1| {z }=0))=tr(gn+2�tr(g)gn+1+gn)=tr(gn+2)�tr(gn+1)+tr(gn)=tr(cgn+2c�1)�tr(cgn+1c�1)+tr(cgnc�1)=un+2�un+1+un:2.ThesequenceTn(=2)satisesthesecondorderlinearrecur-rencerelationstatedin1:(seeProposition6.2).ItsucesthereforetocheckthatTi(=2)=ui=2,i=0;1.ThisisdonewithT0(=2)=1=u0=2andT1(=2)==2=u1=2: Proposition7.15Forxedg2M(q)withtrg6=2and2Fq,thereisatmosttwosolutionsoftheequationtr(gn)=with06nordg.Proof:Supposetheequationpossessesatleastonesolution.UsingProposition7.8andtheconditiontr(g)6=2,weseethateachelementinhgihasauniquerepresentationinFqg+Fqe.Ifwewritegn=ag+bewitha;b2Fq,theproofwouldfollowfromthe 114Paigeloopsandsemigroupactionproblemsrelationandisequaltou0andu1whennis0and1.Therefore,combiningEquation7.5wehave2n�tr(y)n+1=0:Inotherwords,nisoneoftherootsofthequadraticequationx2�tr(y)x+1=0.WeseebythewaythattherootsofthepreviousequationareinFq().Letn1andn2bethesolutionsofthesetwoDLPsin.Notethatn2=jFq()j�n1andthereforeonlyoneDLPhastobesolvedinordertocomputebothn1andn2.UsingProposition7.15,weseethatoneofthenigivesthedesiredn.TheelementcisthenfoundbysolvingthelinearsystemofequationsintheentriesofcinFqthatisequivalenttotheequationyc=cgnwithknownn;gandy. Remark7.17Whenqisodd,theproofofthepreviousproposi-tioncouldhavebeenbasedontheresolutionofaDiscreteCheby-shevProblemusingthesecondpointofProposition7.14.Onthewayoftheproof,wehadtosolvequadraticequationsinF2dwhenniseven.Sincetheusualschoolformuladoesnotholdwhenthecharacteristiciseven,letusexplainhowthiscanbedone.Wefollow[4]and[7].RecallthatthetraceofanelementinF2distheelementinF2denedbyTr2dj2()=2+4+:::+2d�1=d�1Xj=12j:Lemma7.18ConsiderthefollowingquadraticequationoverF2d:x2+x+=0:(7.6)Then7.6possessessolutionsinF2difandonlyifTr2dj2()=0.Inthiscasethesolutionsx0andx0+1aregivenby 116Paigeloopsandsemigroupactionproblems7.4Thecasetr(g)=2LetuscomebacktothefamilyofSAPinstancesin(7.3)withtr(g)=2.WehaveseenthatthereductionusedinProposition7.16leadingtoAlgorithm7.19viaProposition7.15stronglyusedthefactthatthesquareofthetraceofgisnot4.Therearestillsomecaseswheretheproblemcanbesolved.Lemma7.20Iftr(g)=�2andqisodd,theny=cgnc�1=)n=2�tr(y) 4:Therefore,theSAPinducedbytheaction(7.3)istrivialwiththeseparameters.Proof:Theresultcomesfromthefactthatun=�4n+2isthesolutionoftherecurrencerelationofProposition7.14withu0=2andu1=tr(g)=�2.InviewoftheendoftheproofofProposition7.16,thestatementisclear. Thissettlesthecasetr(g)=�2,qodd.Whenthetraceofgis2andqisodd,therecurrencerelationofProposition7.14becomesun+2�2un+1+un=0;u0=2;u1=2whichgivesun=2foralln.Inthesamespirit,whenqisevenandtr(g)=2=0thenun=0isthesolutionoftherecurrencerela-tionandtherecurrencerelationisnothelpfulanymore.Howeverthestrongconditiononboththedeterminantandthetracecanbeusedinadierentmannerwhenqiseven:Lemma7.21Iftr(g)=0andqiseven,thenordg2f1;2g.ThereforetheSAPinducedbytheaction(7.3)istrivialwiththeseparameters. 118Paigeloopsandsemigroupactionproblemsisomorphism,F[g]isthequotientringF[t]=((t�1)2).IndeedthekerneloftheringepimorphismF[t]�!F[g]p(t)7�!p(g)istheidealgeneratedby(t�1)2byProposition7.8.MoreovertheorderofginM(q)istheorderofginF[g].Thusord(g)=minfe2Nnf0gjte1mod(t�1)2inFqg:Butsincetp�1=(t�1)p0mod(t�1)2incharacteristicp�2,wehaveordgjp.Howeverordg6=1sinceg6=eandthereforeordg=p. Corollary7.23Letq=pdbeoddandg2M(q)withtr(g)=2andg6=e.Considerthesemigroupactionprobleminducedby7.3whereCisacommutativeandassociativesub-loopofZ(q).IfH=fc2Cjcgc�1=ggthenthecardinalityoftheorbitofgisgivenbyj(CZ)
gj=p
jCj jHj:Proof:Accordingtothepreviousproposition,itisenoughtocon-sidertheactionofCCpongwhereCpisthemultiplicativecyclicgroupoforderp.TheloopCbeingagroup,weknowfromclassicalgroupactiontheorythatj(CCp)
gj=jCCpj jH0j=jCj
p jH0jwhereH0=f(c;m)jcgmc�1=ggCCp.HoweversinceCpissimpleandg6=e,wehaveH0=fc2Cjcgc�1=ggf12Cpg.ThislastgroupisisomorphictoHandthestatementisproven. 120PaigeloopsandsemigroupactionproblemsshowntoreducetotheusualDLPinFqusingthegroupmonomor-phism!ofProposition7.10.ThesemigroupactionprobleminM(q)hasbeenreducedtotheDLPinanextensioneldofFqofdegreeatmost2whenatraceconditionisfullled.Thereductionusedthetheoryoflinearrecurrencerelation.Whenthetracecon-ditionisnotsatised,theSAPiseithereasytosolveorpresentsdicultieswhoserelationtotheDLPinniteeldsisunclear. [7]ChinLongChen.Formulasforthesolutionsofquadraticequa-tionsoverGF(2m).IEEETrans.Inform.Theory,28(5):792{794,1982.[8]HenriCohen.Acourseincomputationalalgebraicnumberthe-ory,volume138ofGraduateTextsinMathematics.Springer-Verlag,Berlin,1993.[9]CharlesG.Cullen.Matricesandlineartransformations.Addison-WesleyPublishingCo.,Reading,Mass.-London-DonMills,Ont.,secondedition,1972.[10]CipherDeavours,DavidKahn,LouisKruh,GregMellen,andBrianWinkel,editors.Cryptology:machines,history&meth-ods.ArtechHouseInc.,Boston,MA,1989.[11]CipherA.Deavours,DavidKahn,LouisKruh,GregMellen,andBrianWinkel,editors.Cryptology.ArtechHouseInc.,Boston,MA,1987.Yesterday,today,andtomorrow.[12]W.DieandM.E.Hellman.Newdirectionsincryptography.IEEETrans.Inform.Theory,IT-22(6):644{654,1976.[13]T.ElGamal.Apublickeycryptosystemandasignatureschemebasedondiscretelogarithms.IEEETrans.Inform.Theory,31(4):469{472,1985.[14]J.D.EmeraldandK.G.Subramanian.AnoteonPollyCrackerpublic-keycryptosystems.InGraphtheoryanditsapplications(Tirunelveli,1996),pages63{69.TataMcGraw-Hill,NewDelhi,1997.[15]MichaelFellowsandNealKoblitz.Combinatorialcryptosys-temsgalore!InFiniteelds:theory,applications,andalgo-122 [25]DanielM.Gordon.DiscretelogarithmsinGF(p)usingthenumbereldsieve.SIAMJ.DiscreteMath.,6(1):124{138,1993.[26]JonGrantham.ThelargestprimedividingthemaximalorderofanelementofSn.Math.Comp.,64(209):407{410,1995.[27]P.A.Grillet.CommuativeSemigroups.AdvancesinMathe-matics.KluwerAcademicPublishers,Dordrecht,2001.[28]G.H.HardyandE.M.Wright.Anintroductiontothetheoryofnumbers.TheClarendonPressOxfordUniversityPress,NewYork,fthedition,1979.[29]JereyHostein,JillPipher,andJosephH.Silverman.NTRU:aring-basedpublickeycryptosystem.InAlgorithmicnumbertheory(Portland,OR,1998),volume1423ofLectureNotesinComput.Sci.,pages267{288.Springer,Berlin,1998.[30]JereyHostein,JillPipher,andJosephH.Silverman.NSS:anNTRUlattice-basedsignaturescheme.InAdvancesincryptology|EUROCRYPT2001(Innsbruck),volume2045ofLectureNotesinComput.Sci.,pages211{228.Springer,Berlin,2001.[31]R.A.HornandCh.R.Johnson.MatrixAnalysis.CambridgeUniversityPress,Cambridge,1985.[32]JohnM.Howie.Fundamentalsofsemigrouptheory,volume12ofLondonMathematicalSocietyMonographs.NewSeries.TheClarendonPressOxfordUniversityPress,NewYork,1995.OxfordSciencePublications.[33]T.W.Hungerford.Algebra.GraduateTextsinMathematics.Springer,NewYork,1980.124 [44]MartinW.Liebeck.TheclassicationofnitesimpleMo-ufangloops.Math.Proc.CambridgePhilos.Soc.,102(1):33{47,1987.[45]D.LindandB.Marcus.AnIntroductiontoSymbolicDynam-icsandCoding.CambridgeUniversityPress,1995.[46]Jean-PierreMassias.Majorationexplicitedel'ordremaximumd'unelementdugroupesymetrique.Ann.Fac.Sci.ToulouseMath.(5),6(3-4):269{281(1985),1984.[47]Jean-PierreMassias,Jean-LouisNicolas,andGuyRobin.Ef-fectiveboundsforthemaximalorderofanelementinthesymmetricgroup.Math.Comp.,53(188):665{678,1989.[48]UeliMaurer.Cryptography200010,volume2000ofLectureNotesinComputerScience,pages63{85.Springer-Verlag,2001.[49]UeliMaurerandStefanWolf.OnthecomplexityofbreakingtheDie-Hellmanprotocol.TechnicalReport244,InstituteforTheoreticalComputerScience,ETHZurich,1996.[50]UeliMaurerandStefanWolf.Lowerboundsongenericalgo-rithmsingroups.InAdvancesincryptology|EUROCRYPT'98(Espoo),volume1403ofLectureNotesinComput.Sci.,pages72{84.Springer,Berlin,1998.[51]UeliM.MaurerandStefanWolf.Die-Hellmanoracles.InAdvancesincryptology|CRYPTO'96(SantaBarbara,CA),volume1109ofLectureNotesinComput.Sci.,pages268{282.Springer,Berlin,1996.[52]G.Maze,C.Monico,andJ.Rosenthal.Apublickeycryp-tosystembasedongroupactions.Preprint,October2001.126 [60]V.S.Miller.Useofellipticcurvesincryptography.InAd-vancesincryptology|CRYPTO'85(SantaBarbara,Calif.,1985),pages417{426.Springer,Berlin,1986.[61]C.Monico.personalcommunication,2002.[62]C.Monico.SemiringsandSemigroupActionsinPublic-KeyCryptography.PhDthesis,UniversityofNotreDame,May2002.Availableathttp://www.nd.edu/~rosen/preprints.html.[63]R.Moufang.ZurStrukturvonAlternativkorpern.Math.Ann.,110:416{430,1935.[64]Jean-LouisNicolas.Calculdel'ordremaximumd'unelementdugroupesymetriqueSn.Rev.FrancaiseInformat.RechercheOperationnelle,3(Ser.R-2):43{50,1969.[65]NIST.Advancedencryptionstandard(aes)developmenteort,2001.Availableathttp://csrc.nist.gov/encryption/aes/index2.html#overview.[66]NIST.Federalinformationprocessingstan-dardspublication197,aes,2001.Availableathttp://csrc.nist.gov/publications/ps/ps197/ps-197.pdf.[67]L.J.Paige.AclassofsimpleMoufangloops.Proc.Amer.Math.Soc.,7:471{482,1956.[68]HalaO.P ugfelder.Quasigroupsandloops:introduction,vol-ume7ofSigmaSeriesinPureMathematics.HeldermannVerlag,Berlin,1990.[69]StephenC.PohligandMartinE.Hellman.Animprovedal-gorithmforcomputinglogarithmsoverGF(p)anditscryp-128 [78]Hans-GeorgRuck.Anoteonellipticcurvesoverniteelds.Math.Comp.,49(179):301{304,1987.[79]C.-P.Schnorr.Ecientidenticationandsignaturesforsmartcards.InAdvancesincryptology|CRYPTO'89(SantaBar-bara,CA,1989),volume435ofLectureNotesinComput.Sci.,pages239{252.Springer,NewYork,1990.[80]R.Schoof.personalcommunication,2002.[81]C.E.Shannon.Communicationtheoryofsecrecysystems.BellSystemTech.J.,28:656{715,1949.[82]VictorShoup.Lowerboundsfordiscretelogarithmsandre-latedproblems.InAdvancesincryptology|EUROCRYPT'97(Konstanz),volume1233ofLectureNotesinComput.Sci.,pages256{266.Springer,Berlin,1997.[83]IgorE.Shparlinski.Computationalandalgorithmicproblemsinniteelds,volume88ofMathematicsanditsApplica-tions(SovietSeries).KluwerAcademicPublishersGroup,Dordrecht,1992.[84]JosephH.Silverman.Thearithmeticofellipticcurves,volume106ofGraduateTextsinMathematics.Springer-Verlag,NewYork,1994.Correctedreprintofthe1986original.[85]SimonSingh.TheCodeBook:TheEvolutionofSecrecyfromMary,QueenofScotstoQuantumCryptography.DoubledayBooks,1999.[86]D.Stinson.Cryptography,TheoryandPractice.CRCPress,1996.130