arXiv:1507.07848v1 [cs.CR] 28 Jul 2015
PUBLIC-KEY CRYPTOSYSTEM BASED ON INVARIANTS OF DIAGONALIZABLE GROUPS ´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV Abstract. We develop a public key cryptosystem based on invariants of diagonalizable groups. Theoretical results about degrees of invariants, which are related to the security of such cryptosystem, are derived. Further, we derive results on invariants of superanalogs of tori.
Introduction A new idea for a public-key cryptosystem based on the invariant theory was proposed by Grigoriev in [5]. His original idea was later developed in the paper [6]. The last paragraph of the paper [5] reads as follows: ”The current state of the art in cryptography does not allow one to prove the security of cryptosystems; this is usually a question of belief in the difficulty of a revelant problem and a matter of experience (that is why it is not quite unusual to have a paper on cryptography without theorems, for example, this paper). Quite the opposite, one can expect a ”disappointing” breaking of a particular cryptosystem. This can happen for any of the afforementioned examples (without solving the graph isomorphism problem, see the discussion above). On the other hand, such breaking could lead to interesting algorithms in the theory of group representations. Thus one can treat the above examples (and the general construction as a whole) just as a suggestion to play with cryptosystems based on the invariant theory.” The purpose of our paper is twofold. The first goal is to develop and design a public-key cryptosystem based on invariants of diagonalizable groups. For this part, we go beyond the philosophy of the preceeding quote and design a concrete public-key cryptosystem, present an algorithm for its implementation and show how to break systems based on invariants of some groups. Our second goal is related to the security of the invariant-based cryptosystem. In this connection, we will investigate and prove results about related mathematical conpcepts like minimal degrees of invariants. 1. Invariants of finitely-generated linear groups In this paper, we will consider only finitely generated groups G acting faithfully on a finite-dimensional vector space V = F n over a field F of arbitrary characteristic. Therefore we can asume that G ⊂ GL(V ). From the very beginning, assume that the representation ρ : G → GL(V ) is fixed, and the group G is given by a finite set of generators. With respect to the standard basis of V , each element g Key words and phrases. cryptosystem, invariants, diagonalizable group. This publication was made possible by a NPRF award NPRP 6 - 1059 - 1 - 208 from the Qatar National Research Fund (a member of The Qatar Foundation). The statements made herein are solely the responsibility of the authors. 1
2
´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV
of G is therefore represented by an invertible matrix of size n × n, and g acts on vectors in V by matrix multiplication. Let F [V ] = F [x1 , . . . , xn ] be the algebra of polynomial functions on GL(V ). Then G acts on F [V ] via gf (v) = f (g −1 v), where g ∈ G, f ∈ F [V ] and v ∈ V . An invariant f of G is a polynomial f ∈ F [V ] which has a property that its values are the same on orbits of the group G. In other words, for every vector v ∈ V and for every element g ∈ G, we have f (gv) = f (v). We note that different representations of G lead to different invariants in general but this is not going to be a problem for us since our represantation of G is fixed. We will denote the algebra of invariants of G by F [V ]G . 2. Public key-cryptosystem based on invariants We start by recalling the original idea of the public-key cryptosystem based on invariants from the paper [5] and recalling its modification presented in [6]. 2.1. Design of cryptosystems based on invariants. To design a cryptosystem, Alice needs to choose a finitely generated subgroup G of GL(V ) for some vector space V = F n and a set {g1 , . . . , gs } of generators of G. Alice also needs to know an invariant f of this representation of G. Alice chooses two elements v0 and v1 from V and a ∈ GL(V ) such that av0 and av1 are separated by the invariant f , that is, f (av0 ) 6= f (av1 ). The matrix a will be part of her secret key, while v0 and v1 will be part of the public key. Alice also chooses a set of randomly generated elements g1 , . . . , gm of G (say, by multiplying some of the given generators of G), which generates a subgroup of G that will be denoted by Gs . Alice announces as a public key the elements v0 , v1 standing for plaintext symbols 0 and 1, respectively, and the group H = a−1 Gs a, conjugated to Gs , by announcing its generators hi = a−1 gi a for i = 1, . . . , m. In the first paper [5] its author assumes that the group G, its representation in GL(V ) and the invariant f are in the public key. We refer to this setup as variant one. However, the version in paper [6] assumes that G, its representation in GL(V ) and the invariant f are secret. We refer to this setup as variant two. We will comment on both variants later. For the encryption, every time Bob wants to transmit a symbol 0 or 1, he chooses a randomly generated element h of the group H (by multiplying some of the generators of H given as a public key), and computes u = hv0 if the symbol is 0 or u = hv1 if the symbol is 1. The vector u ∈ V is then transmitted to Alice. To decript the message, Alice first computes au and then applies the invariant f . If u = hvi , then f (au) = f (ahvi ) = f (aa−1 gavi ) = f (gavi ) = f (avi ). Since a was chosen so that f (av0 ) 6= f (av1 ), Alice can determine from the value of f (au) whether the symbol v0 or v1 was encrypted by Bob. 3. Security and possible attacks on invariant cryptosystems Let us note that it is important that during the encryption process by Bob he uses all generators hi for scrambling the message. If some generators are not involved, then to decode his message Charlie would succeed if he finds an invariant of a subgroup of H, which is an easier task.
PUBLIC-KEY CRYPTOSYSTEM BASED ON INVARIANTS
3
The attacks described below are mentioned in [5] and [6]. We are providing their description for the convenience of the reader and for further clarification. To break the encryption, it is enough for Charlie to find any invariant f ′ of the group H that separates v0 and v1 . Indeed if f ′ (v0 ) 6= f ′ (v1 ), then Charlie computes f ′ (u) = f ′ (hvi ) = f ′ (vi ) and then compares f ′ (u) with f ′ (vi ) to determine which symbol v0 or v1 was used by Bob. The security of the cryptosystem depends on the difficulty of finding an invariant f ′ of the group H. The condition that f ′ separates v0 and v1 might not be difficult to satisfy because the set of polynomials in F [V ], that take on different values when evaluated at v0 and v1 , is open in the Zariski topology. Therefore it is likely that a randomly chosen invariant f ′ of H will separate v0 and v1 . 3.1. Variant one. Consider variant one of the cryptosystem - that is, the group G, its representation in GL(V ) and an invariant f are known. We can assume that f is a homogeneous polynomial of degree d. In this case, it is known that there is a homogeneous invariant f ′ of H of degree d that is of the form f ′ (v) = f (bv) for some matrix b ∈ GL(V ). Then f ′ is an invariant of H if and only if f (bhi v) = f ′ (hi v) = f ′ (v) = f (bv) i = 1, . . . , m of H. for each generator hi , where n+d−1 Comparing coefficients at n+d−1 monomials we obtain m linear equations d d in n2 variables (entries of b). Any solution of this system produces an invariant of H. Another possible way to attack the system is to find a matrix b ∈ GL(V ) such that bHb−1 ⊂ G. This technique is related to the conjugacy problem for matrix groups and the graph isomorphism problem. 3.2. Variant two. In variant two of the cryptosystem, the group G, its representation in GL(V ) and the invariant f are secret. However, Charlie can attempt to find an invariant f ′ directly by choosing a possible degree d and solving linear systems derived from the equations f ′ (hi v) = f ′ (v) for each generator hi , where i = 1. . . . , m. This produces a linear system consisting of m n+d−1 equations in d ′ the n+d−1 unknowns that are the coefficients at monomials in f . d Another approach is to find a matrix h ∈ H such that hu = v0 or hu = v1 (attempting to recover the encryption done by Bob). This problem is related to the vector transporter problem and the graph isomorphism problem. 3.3. Guarding against the linear algebra attack. Denote by MG,V , or simply by MG or M if we need not emphasise the group G or the vector space V it is acting on, the minimal positive degree of an invariant from F [V ]G . That is G MG,V = min{d > 0|F [V ]G d 6= 0}. If F [V ] = F , then we set MG,V = ∞. The notion of the minimal positive degree of an invariant and the value of M = MG,V are important for the security of the invariant-based cryptosystem (both variants one and two) we For example, if we know that are considering. r MG is so small that m n+M−1 = O(n ) is polynomial in n, then Charlie can find M an invariant f ′ of G in polynomial time by solving consecutive linear systems for n+M−1 n+d−1 n+d−1 d = 1, . . . , , each consisting of m equations in the variM d d ables described in the previous section. For a fixed d, this can be accomplished 4 in time O(m( n+d−1 ) ) and the total search will take no more than time O(n8r ). d Therefore, for the security of the system it must be guaranteed that m n+M−1 is M not polynomial in n.
4
´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV
4. Finding a polynomial invariant of G Since the encryption is broken once Charlie finds an invariant f ′ of G, we will now discuss an algorithm that will enable us to find it. The algorithm works inductively, and as a special case, it works when G is a finite group and the characteristic of the ground field F is arbitrary. Assume that H is a subgroup of G of finite index in G. Assuming we know a nonzero invariant f of H, we will find a nonzero invariant of G. Lemma 4.1. Let H be a subgroup of G of finite index s in G such that f is an invariant of H of degree t. Then G has a nonzero invariant of degree not exceeding s+1 sMH that can be found in time O(snt+2 n+t−1 ). t
Proof. Denote by g1 , . . . , gs , where s = [G : H], representatives of all coset classes of G/H. Let f be an invariant of H of degree MH . Denote xi = gi f for i = 1, . . . s, and denote by ps (x1 , . . . , xs ) = x1 . . . xs the s-th elementary symmetric function in x1 , . . . , xs . It is easy to see that ps (x1 , . . . , xs ) is invariant with respect to G, because each element g ∈ G permutes coset classes of G/H, hence it permutes the set of polynomials {x1 , . . . , xs }. Also, the polynomial ps (x1 , . . . , xs ) = x1 . . . xs is nonzero and xi in time thas the degree sMH . We can evaluate all polynomials n+t−1 s O(sn2 n+t−1 n ). The product of all x can be computed in time O( ). i t t Corollary 4.2. If G is a group of finite order s, then the algorithm in the proof of the previous lemma (applied to H = 1) produces a nonzero invariant of G of order not exceeding s which can be computed in time O(sn3 ns+1 ).
Note that the time required to run the computation is exponential in the order of G if no invariant of a subgroup of G is known and when we attempt to find an invariant of G from H = 1. Nevertheless, there are cases when an invariant of H can be computed in polynomial time; see the next lemma. The following lemma is well-known, see [2]. Lemma 4.3. If G ⊂ GLn (R) and G is finite, then G has an invariant of degree two. Proof. Let g1 = 1, . . . , gs be all elements of G and R[V ] = R[t1 , . . . , tn ]. Denote by xi = gi (t21 + . . . + t2n ) for i = 1, . . . , s. Since values of each xi are non-negative when evaluated as polynomials in t1 , . . . , tn , the values of the invariant polynomial P s i=1 xi evaluated as polynomial in t1 , . . . , tn are non-negative and they can be equal Ps to zero only if each xi is zero. But x1 = 0 only if t1 = . . . = tn = 0. Therefore i=1 xi is a positive-definite quadratic form in t1 , . . . , tn , hence a non-zero invariant of G. It follows from the previous section that a quadratic invariant of the group H, within a context of our public-key cryptosystem, can be found using linear algebra techniques in the polynomial time in n. Therefore, for the security of the cryptosystem, we need to make sure that if H is finite, then it is not represented by matrices with real coefficients. 5. Lower bounds for degrees of polynomial invariants The significance of understanding the minimal degree MG,V of invariants for the security of the invariant-based cryptosystem was established above. In particular,
PUBLIC-KEY CRYPTOSYSTEM BASED ON INVARIANTS
5
it is important to find a nontrivial lower bound for MG,V . Unfortunately, we are not aware of any articles establishing lower bounds for the minimal degree of invariants, except in very special circumstances, e.g. [7]. On the other hand, there are numerous upper bounds for the minimal degree β(G, V ) such that F [V ]G is generated as an algebra by all invariants in degrees not exceeding β(G, V ). For example, a classical result of Noether [12] states that if the characteristic of F is zero and G is finite of order |G|, then β(G, V ) ≤ |G|. There is an extensive discussion of Noether bound and results about β(G, V ) in section 3 of [16]. It was conjectured by Kemper that for G 6= 1, and arbitratry ground field F , the number β(G, V ) is at most dim V (|G| − 1). Recently, this conjecture was proved by Symonds in [17]. When one wants to find an invariant of G, it seems natural to consider an upper bound β(G, V ). However, if we wants to show that there are no invariants of small degrees (as is our case), then we need to find lower bounds for MG,V . Until now, there was no real impetus to consider such problem. Assume again that G is a (finitely generated) subgroup of GL(V ), and denote MG,V just by MG . Denote by G = G the Zariski closure of G. We will assume that G is a linearly reductive subgroup in GL(V ) (in particular, this assumption is satisfied if G is a finite group and charF6 | |G|). According to [8] (see also [4]), F [V ]G = F [V ]G is a Cohen-Macaulay algebra. Therefore F [V ]G is a free module over its subalgebra F [p1 , . . . , ps ], freely generated by the (homogeneous) parameters p1 , . . . , ps , which are called the first generators. In other words, F [V ]G = ⊕1≤i≤l F [p1 , . . . , ps ]hi , where h1 , . . . , hl are called the second generators. If F [V ]G 6= F , then MG = min{{deg hi > 0}, {deg pj }}. In what follows we will denote by ζk a primitive root of unity of order k. If the order k is clear from the context, we will denote it just by ζ. Additionally, every time ζk is mentioned, we assume that it is an element of the ground field F . If a matrix g ∈ GL(V ) has a finite order k, then all eigenvalues λ1 , . . . , λn of g are roots of unity. If we denote ζ = ζk , then there are integers ki such that λi = ζ ki , where 0 ≤ ki < k and gcd(k1 , . . . , kn , k) = 1. For g 6= 1 denote by kg the positive integer kg = min{
n X i=1
ai > 0|
n X i=1
ai ki ≡ 0 (mod k), where integers a1 , . . . , an ≥ 0}.
The following lemma describes invariant polynomials and Mhti for a diagonal matrix t of finite order. Lemma 5.1. Assume that t is a diagonal matrix of the finite order k with diagonal entries λ1 = ζkk1 , . . . , λn = ζkkn , where the exponents ki are as above. Then the a1 an hti a invariant Pn subalgebra of F [V ] is generated by monomials x = x1 . . . xn such that i=1 ai ki ≡ 0 (mod k). Additionally, if t 6= 1, then Mhti = kt .
Proof. The properties of numbers ki follow immediately. Since t acts on the corresponding coordinate function as txi = λ−1 i xi , we P obtain that a monomial xa = xa1 1 . . . xann is an invariant of F [V ] if and only if ni=1 ai ki ≡ 0 (mod k). Because every monomial xb is a semi-invariant of t, monomials xa as above generate F [V ]hti . The formula for Mhti is then clear.
6
´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV
For the next lemma we apply standard results from algebraic group theory, that can be found, for example, in the book [9]. For an element g ∈ G let g = gs gu be its Jordan-Chevalley decomposition. Let Gs and Gu denote the sets of semisimple and unipotent components of all elements from G, respectively. Lemma 5.2. Assume that a group H is abelian. Then MH = M . Proof. Since the algebraic group H = H is abelian, it can be written as a product H = Hs × Hu of its closed subgroups Hs and Hu . The inclusions Hs ⊆ Hs and Hu ⊆ Hu imply that Hs = < Hs > and Hu = < Hu >. Furthermore, F [V ]H = F [V ]H = (F [V ] ) . Since the group < Hu > ) 6= 0. This means is unipotent, F [V ]d 6= 0 implies F [V ]H d = (F [V ]d that MH = M = M . Since H ≤ G implies MH ≤ MG , we obtain immediately the following corollary. Corollary 5.3. If H is an abelian subgroup of G, then M ≤ MG . A subgroup G of GL(V ) is called small, if there is an abelian subgroup H of G such that MG = MH . Lemma 5.4. If g 6= 1 is of finite order, then M = kg . Proof. Lemma 5.2 implies M = M . With respect to a basis of V , consisting of eigenvectors of gs , gs is represented by a diagonal matrix. By Lemma 5.1 we obtain M = kgs . Since k = k , the lemma follows. Corollary 5.5. If G is finite, then max{kg ; g ∈ G, g 6= 1} ≤ MG . Lemma 4.3 has the following interesting consequence. Corollary 5.6. Let g 6= 1 correspond to a matrix from GLn (R) of finite order. Then either one of the eigenvalues of g equals 1 or there are two eigenvalues λ and µ of g, both different from 1 such that λµ = 1. To illustrate the difficulty of finding a lower bound for MG,V , we will determine the value of MG,V explicitly for certain finite subgroups G of GL2 (C). The list of all finite subgroups of GL2 (C) is presented in [7]. Let G be a finite group from Lemma 2.1 of [7]. The group G has two generators v g λ 0 λ1 0 A= , , B = 0 λjv2 0 λdg where λ is an e-th primitive root of unity, v1 , v2 > 1, v1 v2 |g, g|e, d|e, gcd(v1 , v2 ) = gcd(e, j) = gcd(v1 , d) = gcd(v2 , d) = 1. Additionally, the number d is square-free and each prime factor of e divides one of the numbers v1 , v2 or d. In particular, G ≃< A > × < B >= Ze × Z eg . To calculate MG , we need to consider the following system of congruencies: v1 a1 + jv2 a2 ≡ 0 (mod e), ga1 + dga2 ≡ 0 (mod e),
where a1 , a2 ≥ 0 are such that a1 + a2 > 0. The second congruence implies that a1 = et g − da2 , where t is a positive integer. Substituting the value of a1 into the first congruence we receive ev1 t = (dv1 − jv2 )a2 (mod e). g
PUBLIC-KEY CRYPTOSYSTEM BASED ON INVARIANTS
7
Since gcd(e, dv1 − jv2 ) = 1, we obtain that evg1 divides a2 , which implies that ev2 e g divides a1 . Since both a1 and a2 are multiples of g , the second congruence ga1 + dga2 ≡ 0 (mod e) can be eliminated from the system since it is automatically satisfied. Define a1 = evg2 a′1 , a2 = evg1 a′2 . Then a′1 + ja′2 = 0 (mod v1gv2 ), or equivalently, a′1 + ja′2 = v1gsv2 for some s > 0. This congruence has the solution a′1 =
gs(j + 1) gs − jt, a′2 = − + t. v1 v2 v1 v2
Since a′1 , a′2 ≥ 0, the parameter t satisfies gs gs gs ≤t≤ +[ ]. v1 v2 v1 v2 jv1 v2 Additionally, a1 =
es ev1 t es(j + 1) ev2 jt − and a2 = − + . v1 g v2 g
Thus
es(j + 1) es et − − (v2 j − v1 ). v1 v2 g ≤ t ≤ v1gsv2 + Finally, observe that for every s > 0 and for every t such that vgs 1 v2 ], the right-hand-side of the above formula for a1 + a2 is greater than zero. [ jvgs 1 v2 Now are are ready to determine the values of MG,V . a1 + a2 =
Proposition 5.7. Assume G is a finite group from Lemma 2.1 of [7], as above. Then the value of MG,v is given as follows. If jv2 < v1 , then MG = ve1 . If jv2 > v1 , 1) }, ve2 }. ] e(v2 j−v then MG = min{ min { vs1 − [ jvgs g 1 v2
0 0, then the minimum for such a1 + a2 is attained for l = 0 and it equals to s′ gs′ e(v2 j − v1 ) min { − [ ] }. 0 j. Since g |J|+1 = g |J|−1 , this implies the following proposition. P Proposition 9.2. A (super)polynomial f = l,J al,J f0l f1J belongs to F [V ]Dg,x if and only if the following conditions are satisfied. (1) If al,J 6= 0, then hl hJ g |J| = 1, (2) The polynomial X X X l−ǫ l+ǫ J\j al,J ( (−1)kj,J∪j lj x(hj )f0 j f1J∪j + (−1)kj,J f0 j f1 ) j6∈J
l,J
j∈J
vanishes. We can rewrite the polynomial X X X l−ǫ l+ǫ J\j al,J ( (−1)kj,J∪j lj x(hj )f0 j f1J∪j + (−1)kj,J f0 j f1 ) l,J
j6∈J
j∈J
from the second condition of the above proposition as X X X f0l f1J ( (−1)kj,J (lj + 1)x(hj )al+ǫj ,J\j + (−1)kj,J∪j al−ǫj ,J∪j ), l,J
j∈J
j6∈J
where lj = 0 implies al−ǫj ,J∪j = 0. P Corollary 9.3. A polynomial f = l,J al,J f0l f1J belongs to F [V ]Dg,x if and only if its coefficients al,J , for all pairs (l, J), satisfy the following equations. (1) If hl hJ g |J| 6= 1, then al,J = 0,
´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV
18
(2)
P
kj,J (lj j∈J (−1)
+ 1)x(hj )al+ǫj ,J\j +
P
kj,J∪j al−ǫj ,J∪j j6∈J (−1)
= 0.
If s = 1, then F [V ]Dg,x = F . Therefore, from now on we will assume that s > 1. Define the partial operator Pj acting on the set of all pairs (l, J) by Pj (l, J) = (l + ǫj , J \ j) in the case when j ∈ J, and Pj (l, J) is undefined if j ∈ / J. Also define the partial operator Qj acting on the set of all pairs (l, J) by Qj (l, J) = (l−ǫj , J ∪j) in the case j 6∈ J and lj > 0, and Qj (l, J) is undefined if j ∈ J or lj = 0. Lemma 9.4. The operators Pj and Qj satisfy the following conditions. (1) If Pj is defined on (l, J), then Qj Pj (l, J) = (l, J). Also, if Qj is defined on (l, J), then Pj Qj (l, J) = (l, J), (2) If j 6= j ′ and Pj Qj ′ is defined on (l, J), then Pj Qj ′ (l, J) = Qj ′ Pj (l, J). Alo, if j 6= j ′ and Qj ′ Pj is defined on (l, J), then Qj ′ Pj (l, J) = Pj Qj ′ (l, J).
Two pairs (l, J) and (l′ , J ′ ) are called equivalent if there is a chain (l, J) = (l0 , J0 ), . . . , (lk , Jk ) = (l′ , J ′ ) such that (li+1 , Ji+1 ) = Si (li , Ji ) for 0 ≤ i ≤ k − 1 and each Si is an operator of type P or Q. Lemma 9.4 implies that this relation is an equivalence and the set of equations from Corollary 9.3 is a disjoint union of subsets corresponding to these equivalence classes. Moreover, each such equivalence class has a unique representative of the form (l, s) or (0, J), where the cardinality of J is maximal over this class. In the first case, all pairs from the equivalence class of (l, s) can be obtained from this representative by appplying operators of type Q only. In the second case, all pairs from the equivalence class of (0, J) can be obtained from (0, J) by applying operators of type P only. Example 9.5. Let D = Gm . Since X(D) ≃ Z, we can fix a generator h of X = X(D). Then x ∈ Lie(D) is determined by the value x(h) = α ∈ F . We will describe invariants of D1,x correposponding to the partial case when s = 2. Denote h1 = hk1 , h2 = hk2 . The subset of equations in Corollary 9.3 corresponding to the pair (0, {1}) is given as αk1 a(1,0),∅ = 0 = a(0,0),{1}
and the subset corresponding to the pair (0, {2}) is given as αk2 a(0,1),∅ = 0 = a(0,0),{2} .
The subset of equations, which corresponds to the pair ((l1 , l2 ), {1, 2}), consists of the equations α(−(l1 + 1)k1 a(l1 +1,l2 ),{2} + (l2 + 1)k2 a(l1 ,l2 +1),{1} ) = 0, α(l2 + 1)k2 a(l1 +1,l2 +1),∅ − a(l1 ,l2 ),{1,2} = 0, α(l1 + 1)k1 a(l1 +1,l2 +1),∅ + a(l1 ,l2 ),{1,2} = 0 and a(l1 +1,l2 ),{2} + a(l1 ,l2 +1),{1} = 0. If α = 0 and k1 , k2 6= 0, then the superspace F [V ]D1,x is generated by the elements {2} {1} and f0l+ǫ1 f1 − f0l+ǫ2 f1 such that (l1 + 1)k1 + (l2 + 1)k2 = 0. If α 6= 0 and k1 , k2 6= 0, then the superspace F [V ]D1,x is generated by the elements {1,2} {1,2} {2} l+ǫ1 +ǫ2 f0 − α(l1 + 1)k1 f0l f1 = f0l+ǫ1 +ǫ2 + α(l2 + 1)k2 f0l f1 and f0l+ǫ1 f1 − {1} f0l+ǫ2 f1 such that (l1 + 1)k1 + (l2 + 1)k2 = 0. The remaining cases, when k1 = 0 or k2 = 0, are left for the reader. f0l+ǫ1 +ǫ2
PUBLIC-KEY CRYPTOSYSTEM BASED ON INVARIANTS
19
We have outlined the procedure to determine vector-space generators of the space of invariants of the supergroup Dg,x and completed this goal in some particular cases above. It would be desirable not only to find the vector-space generators in general but also to describe algebra generators of invariants of the supergroup Dg,x . This task and the design of the cryptosystem based on invariants of supergroups will be a subject of our future work. References [1] Agarwal, S. and Frandsen, G.S.: Binary GCD like algorithms for some complex quadratic rings, Algorithmic number theory, 57–71, Lecture Notes in Comput. Sci., 3076, Springer, Berlin, 2004. [2] Burnside, W., On groups of linear substitutions of finite order which possess quadratic invariants, Proc. London Math. Soc. S2-12 no. 1, 89–93. [3] Conforti, M., Cornu´ ejols, G. and Zambelli, G.: Integer programming. Graduate Texts in Mathematics, 271. Springer, Cham, 2014. [4] Derksen, Harm; Kraft, Hanspeter, Constructive invariant theory, Algebre non commutative, groupes quantiques et invariants (Reims, 1995), 221–244, Semin. Congr., 2, Soc. Math. France, Paris, 1997. [5] D. Grigoriev, Public-key cryptography and invariant theory, Journal of Mathematical Sciences 126 (2005), no.3, 1152–1157, translated from Zapiski Nauchnych Seminarov POMI, 293 (2002), 26–38. [6] D. Grigoriev, A. Kojevnikov and S.J. Nikolenko, Algebraic Cryptography: New constructions and their security against provable break, St. Peterburg Math. J. 20 (2009), no.6, 937–953, translated from Algebra i Analysis 20 (2008), no.6. [7] Huffman, W. Cary, Polynomial invariants of finite linear groups of degree two. Canad. J. Math. 32 (1980), no. 2, 317–330. [8] Hochster, M., Roberts, J., Rings of invariants of reductive groups acting on regular rings are Cohen-Macaulay, Adv. Math. 13 (1974), 115–175. [9] Humphreys, James E. Linear algebraic groups. Graduate Texts in Mathematics, No. 21. Springer-Verlag, New York-Heidelberg, 1975. xiv+247 pp. [10] Kaltofen, E. and Rolletschek, H.: Computing greatest common divisors and factorizations in quadratic number fields, Math. Comp., 53(188):697720, 1989. [11] Akira Masuoka and Alexandr N. Zubkov, Solvability and nilpotency for algebraic supergroups, submitted to Pacific.J.Math., see also arXiv: 1502.07021v1. [12] Noether, E., Der Endlichkeitssatz der Invarianten endlicher Gruppen, Math. Ann. 77 (1916), 89–92. [13] Pan, Victor Y.: Solving a polynomial equation: some history and recent progress. SIAM Rev. 39 (1997), no. 2, 187–220. [14] Shub, M. and Smale, S.: Computational complexity. On the geometry of polynomials and a theory of cost. I. Ann. Sci. Ecole Norm. Sup. (4) 18 (1985), no. 1, 107–142. [15] Shub, M. and Smale, S.: Computational complexity: on the geometry of polynomials and a theory of cost. II. SIAM J. Comput. 15 (1986), no. 1, 145–161. [16] Smith, Larry, Polynomial invariants of finite groups - a survey of recent results, Bull. Amer. Math. Soc. 34 (1997), no. 3, 211–250. [17] Symonds, Peter, On the Castelnuovo-Mumford regularity of rings of polynomial invariants, Ann. of Math. (2) 174 (2011), no. 1, 499–517. [18] J.G.Thompson, Invariants of finite groups, J.Algebra, 69 (1981), 143–145. [19] W.C. Waterhouse, Introduction to affine group schemes, Springer-Verlag, New York, 1979. E-mail address:
[email protected] Qatar University, Department of Mathematics and Physics, College of Arts and Sciences, P. O. Box 2713, Doha, Qatar E-mail address:
[email protected]
20
´ S, ˇ FRANTISEK ˇ MARTIN JURA MARKO, AND ALEXANDR N. ZUBKOV
Penn State Hazleton, 76 University Drive, Hazleton, PA 18202, USA E-mail address:
[email protected] Omsk State Polytechnic University, Mira 11, 644050, Russia