Algebraic cryptography: new constructions and their security against provable break*
Abstract
Very few known cryptographic primitives are based on noncommutative algebra. Each new scheme is of substantial interest, because noncommutative constructions are secure against many standard cryptographic attacks. On the other hand, cryptography does not provide security proofs that would allow one to base the security of a cryptographic primitive on structural complexity assumptions. Thus, it is important to investigate weaker notions of security. In this paper we introduce new constructions of cryptographic primitives based on group invariants and offer new ways to strengthen them for practical use. Besides, we introduce the notion of provable break, which is a weaker version of the regular cryptographic break. In this version, an adversary should have a proof that he has correctly deciphered the message. We prove that cryptosystems based on matrix group invariants and a version of the Anshel-Anshel-Goldfeld key agreement protocol for modular groups are secure against provable break unless NP = RP.

1 Algebraic cryptography

Public-key cryptography, since its very beginning [16, 53], has been actively employing algebraic constructions. The RSA protocol, for example, is based on number theory; the very construction of the protocol requires computing the Euler totient φ(n). Its security is based on factoring a number into prime divisors, or, more precisely, on the hardness of the so-called "RSA problem": find roots of a given degree modulo a number n = pq, where p and q are prime (this task may not be equivalent to factoring; see [14, 15, 54] for more information). However, usually the term algebraic cryptography is used in a narrower meaning. Algebraic cryptography deals with constructions where encoding and decoding are both group homomorphisms. In [29] Grigoriev and Ponomarenko give the following definition of a homomorphic cryptosystem (compare with Definition 2, where we introduce the general notion of a cryptosystem).
Definition 1 Let H be a finite nonidentity group, G a finitely generated group, and f : G → H an epimorphism. Assume that R is a set of distinct representatives of the right cosets of

* The research was done during the stay at the Max-Planck-Institut für Mathematik, Bonn, Germany. The second and third authors were supported in part by INTAS (YSF fellowship 05-109-5565) and RFBR (grants 05-01-00932, 06-01-00502).
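The Anshel-Anshel-Goldfeld key agreement that the abstract refers to, as an added illustration that is not code from the paper: the generic AAG commutator protocol carried out in the group of invertible 2x2 matrices modulo a prime. The paper's modular-group variant, its parameters and its hardening are not given on this page, so the modulus P, the generator counts and the word lengths below are constructed toy values, and the scheme as written is only a demonstration of the exchange, not a secure instantiation.

```python
# Added example: generic Anshel-Anshel-Goldfeld (AAG) key agreement over invertible
# 2x2 matrices mod P. All parameters are constructed toy values (assumption), not the
# paper's modular-group instance. Matrices are tuples (m0, m1, m2, m3) = [[m0, m1], [m2, m3]].
import random

P = 1_000_003  # toy prime modulus (constructed)

def mat_mul(a, b):
    return ((a[0]*b[0] + a[1]*b[2]) % P, (a[0]*b[1] + a[1]*b[3]) % P,
            (a[2]*b[0] + a[3]*b[2]) % P, (a[2]*b[1] + a[3]*b[3]) % P)

def mat_inv(m):
    # inverse via the adjugate and the modular inverse of the determinant (P is prime)
    det = (m[0]*m[3] - m[1]*m[2]) % P
    d = pow(det, -1, P)
    return ((m[3]*d) % P, (-m[1]*d) % P, (-m[2]*d) % P, (m[0]*d) % P)

def evaluate(word, gens):
    # word: list of (generator index, exponent in {+1, -1}); returns the group element it spells
    out = (1, 0, 0, 1)
    for i, e in word:
        out = mat_mul(out, gens[i] if e == 1 else mat_inv(gens[i]))
    return out

def conj(x, g):
    return mat_mul(mat_mul(mat_inv(x), g), x)  # x^{-1} g x

def random_word(n_gens, length, rng):
    return [(rng.randrange(n_gens), rng.choice((1, -1))) for _ in range(length)]

def random_invertible(rng):
    while True:
        m = tuple(rng.randrange(P) for _ in range(4))
        if (m[0]*m[3] - m[1]*m[2]) % P:
            return m

def aag_keys(seed=0):
    rng = random.Random(seed)
    a_gens = [random_invertible(rng) for _ in range(4)]  # Alice's public subgroup generators
    b_gens = [random_invertible(rng) for _ in range(4)]  # Bob's public subgroup generators
    a_word = random_word(4, 6, rng)   # Alice's private word in a_gens
    b_word = random_word(4, 6, rng)   # Bob's private word in b_gens
    a, b = evaluate(a_word, a_gens), evaluate(b_word, b_gens)
    # Public messages: each party conjugates the other's generators by its private element.
    b_gens_conj = [conj(a, g) for g in b_gens]   # Alice -> Bob:   a^{-1} b_j a
    a_gens_conj = [conj(b, g) for g in a_gens]   # Bob -> Alice:   b^{-1} a_i b
    # Alice: spelling her word in the received conjugates yields b^{-1} a b (conjugation is
    # a homomorphism), so a^{-1} * (b^{-1} a b) is the commutator a^{-1} b^{-1} a b.
    k_alice = mat_mul(mat_inv(a), evaluate(a_word, a_gens_conj))
    # Bob: his word in the received conjugates yields a^{-1} b a; (a^{-1} b a)^{-1} * b is the same.
    k_bob = mat_mul(mat_inv(evaluate(b_word, b_gens_conj)), b)
    return k_alice, k_bob, a, b
```

Both parties end with the commutator [a, b] while only the conjugated generator lists cross the wire; an eavesdropper would have to recover a private word from those conjugates.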
Similar resources
Invariant-based Cryptosystems and Their Security Against Provable Worst-Case Break
Cryptography based on noncommutative algebra still suffers from lack of schemes and lack of interest. In this work, we show new constructions of cryptosystems based on group invariants and suggest methods to make such cryptosystems secure in practice. Cryptographers still cannot prove security in its cryptographic sense or even reduce it to some statement about regular complexity classes. In th...
Circular Chosen-Ciphertext Security with Compact Ciphertexts
A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions of messages that depend on the secret key. Such key-dependent encryptions naturally occur in scenarios such as hard-disk encryption, formal cryptography, or in specific protocols. However, there are not many provably secure constructions of KDM-secure encryption schemes. Moreover, only one c...
Secure Message Authentication Against Related-Key Attack
Security against related-key attacks is an important criterion for modern cryptographic constructions. In the related-key setting, the adversary has the ability to query the underlying function on the target key as well as on some related keys. Although provable security against related-key attack has received considerable attention in recent years, most of the results in the literature aim to a...
A Lattice-Based Traitor Tracing Scheme
A traitor tracing scheme is a multi-receiver encryption scheme where malicious receiver coalitions aiming at building pirate decryption devices are deterred by the existence of a tracing algorithm: Using the pirate decryption device, the tracing algorithm can recover at least one member of the malicious coalition. All existing traitor tracing schemes rely either on rather inefficient generic co...
Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives
Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic protocols. Having such blocks which provide provable security against various types of attacks is often hard. On the other hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners. Moreover, in RFID protocols or sensor networks,...