A small serving of mash: (Quantum) algorithms for SPDH-Sign with small parameters

1.1 Contributions

In this work, we provide four contributions to the study of SDLP. The first of these is to show that the structure of G p enables an adversary to recover x mod ( p − 1 ) from s g , ϕ ( x ) in SDLP instances defined on elements of G p . This allows one to recover x when x is defined modulo a small multiple of p . This is because of the semidirect product isomorphism

which is efficiently computable. We obtain

The intuition behind this result is that the second coordinate of multiplication in the semidirect product G p ≅ Z ⁄ p 2 Z ⋊ Z ⁄ p Z behaves like multiplication in Z ⁄ p Z , and this enables one to extract information about x from the second coordinate of the element s g , ϕ ( x ) .

We have a simple implementation of our attack, which can be made available upon request of the authors.

In a different approach, we then show that one can recover ϕ x ( g ) from the publicly available data g , ϕ , s g , ϕ ( x ) and that this also leaks information on x due to the structure of the automorphisms of G p . In both of the aforementioned cases, we can recover x only when it is defined modulo a small multiple of p . When the security parameter of a scheme is denoted by λ , one has p = exp ( λ ) ; so our attacks hold against exponentially large parameter sizes. However, the element x may be defined modulo a larger integer than p , prima facie modulo an integer up to the size of the group used to instantiate the SDLP problem. Since ∣ G p ⋊ Aut ( G ) ∣ = ( p − 1 ) p 6 , in the case of SPDH-Sign, one may take x to be defined in general as large as ( ( p − 1 ) ⁄ p i ) ⋅ p 6 , where p i is the smallest prime factor of p − 1 (see Theorem 3 for more details), and in these larger parameter instances, say x ∈ Z ⁄ ( p − 1 ) i p j Z for i + j ≥ 2 , we do not currently see how to recover all of x .

After this, we turn to abstract properties of the SDLP problem, which we consider as a group action problem. The action is of the abelian group Z ⁄ n Z acting on the set X g , ϕ ≔ { s g , ϕ ( i ) : i ∈ Z ⁄ n Z } ; more details can be found below. We consider the “linear hidden shift” (LHS) problem and find that, as a corollary to our cryptanalytic attack, we can solve a special case of the LHS in quantum polynomial time. The particular LHS problem we consider in G p , informally, is given ( g , ϕ ) ∈ G p ⋊ Aut ( G p ) , x i ∈ ( Z ⁄ n Z ) ℓ , and s g , ϕ ( ∑ j s j x i j + y ) for i = 1 , … , m and some unknown y , to recover s = ( s 1 s 2 … s ℓ ) T ← { 0 , 1 } ℓ . The assumption of the hardness of the LHS problem has been used to build advanced functionalities from group actions such as key-dependent message public key encryption [5], trapdoor claw-free functions [6], and pseudorandom generators [7]. We have

It may thus be the case that it is not possible, or significantly more difficult, to build the advanced functionalities mentioned earlier from the SDLP, and it would be of interest to show that such functionalities can be built, since it would imply that the LHS property is stronger than necessary to realise group action-based protocols with those properties.

We then turn to an open problem from the study of Battarbee et al. [4]. In addition to SDLP, another problem, semidirect computational Diffie-Hellman (SCDH), was considered. This is the problem, given g , ϕ , s g , ϕ ( x ) and s g , ϕ ( y ) , of computing s g , ϕ ( x + y ) . Of course, if one can solve SDLP, one may simply compute x from s g , ϕ ( x ) and y from s g , ϕ ( y ) and then compute s g , ϕ ( x + y ) directly; but it is unknown if a solution to SCDH implies a solution to SDLP. We partially resolve this problem by demonstrating a quantum algorithm, which, given an oracle for a particular form of SCDH, which returns s g , ϕ ( 2 a ) when given s g , ϕ ( a ) for any a (denoted SCDH g , ϕ , x 2 ), reduces SDLP to a hidden subgroup problem (HSP) instance, which can be efficiently solved with Shor’s period finding algorithm:

We close by discussing the obstacles to a direct solution to SDLP via Shor’s algorithm.

1.2 Prior work

There is a burgeoning literature on noncommutative variants of the DLP, or schemes based on similar problems [3,4,8–11]. Attacks on variants of this problem can be found in previous studies [12–14]. The literature on cryptographic group actions includes refs [5,15–18].

We note the result [3, Theorem 6], which gives a method to solve SDLP, given access to a group action discrete logarithm oracle. This contrasts our work insofar as we merely require a discrete logarithm oracle for finite abelian groups.

In a concurrent and independent work (uploaded to the IACR Eprint server shortly prior to this article), Imran and Ivanyos [19] also provided cryptanalysis of the SDLP problem, in the idealised setting of black-box groups with unique labellings. We note the similarity to our work and note the greater generality of their approach, which applies to a variety of finite groups. However, our article includes results (on outer automorphisms, and relating SDLP and SCDH, for example) not covered by Imran and Ivanyos [19], and we consider our methods tailored to the choice of group suggested for SPDH-Sign a valuable contribution to the study of SDLP.

2.1 Notations

We may write [ n ] to denote the set { 1 , … , n } . The arrow “←” may denote sampling from a set or sampling according to a distribution over a set; context will make which clear. If we write “ ← $ ,” we mean sampling uniformly at random. The identity element of a group G will be denoted by e .

2.2 Group endomorphisms

To any finite group G are attached endomorphisms:

If a group endomorphism ϕ is an isomorphism, we call ϕ an automorphism. The collection of all automorphisms of a finite group G forms a group, denoted Aut ( G ) . The set of endomorphisms of G is denoted End ( G ) .

2.3 Group actions

We define and give properties of group actions.

A group action is effective if ∣ G ∣ < ∞ and standard group-theoretic operations can be performed in polynomial time. The following are standard properties of group actions:

2.4 Semidirect product

We define the semidirect prodcuct of two groups.

2.5 SDLP and SCDH

Recall the DLP in a finite abelian group G . Fix g ∈ G , which we will consider to be public. A challenger selects an integer x , computes h = g x , and gives h to an adversary. The adversary has to recover x , which is defined modulo the order of g ∈ G . This can be solved in quantum polynomial time via Shor’s algorithm [2], but is classically only solvable in exponential time.

Battarbee et al. [4] replace G with G ⋊ H . Let ( g , ϕ ) ∈ G ⋊ H . Select, for instance, x = 2 , and compute

If a challenger gave an adversary the resulting group element, they could take the second component ϕ 2 , solve the (abelian) DLP in H , and find that x = 2 . Alternatively, they could solve a DLP in the cyclic group generated by ( g , ϕ ) , denoted ⟨ ( g , ϕ ) ⟩ . More generally, for an arbitrary choice of x , we have

Clearly, if x < ∣ H ∣ , an adversary could always solve an abelian DLP to find x . If x ≥ ∣ H ∣ , they could solve an abelian discrete logarithm to find x mod ∣ H ∣ . So one cannot release the second coordinate of ( g , ϕ ) x and maintain secrecy of x . This leads to

One can see that x is only defined modulo ∣ G ⋊ H ∣ = ∣ G ∣ × ∣ H ∣ . Moreover, it is in fact only defined modulo the order of the group element chosen, o ( g , ϕ ) , since if x > o ( g , ϕ ) , then ( g , ϕ ) x = ( g , ϕ ) x mod o ( g , ϕ ) . As a consequence, we may take x ∈ Z ⁄ n Z for some n ∣ o ( g , ϕ ) . When one fixes a choice of ( g , ϕ ) and sets n to be the smallest integer such that s g , ϕ ( n ) = 1 , the corresponding group action has particularly useful properties. We denote such a problem instance by SDLP g , ϕ , x .

A related problem to SDLP is the SCDH problem:

In the study of Battarbee et al. [3], a subexponential quantum algorithm was given for SDLP over semigroups. In the following, a family of (semi)groups indexed by κ is “easy” if for a fixed κ , pairs ( g , ϕ ) , ( g ′ , ϕ ′ ) ∈ G κ ⋊ End ( G κ ) , and values f ( κ ) , f ′ ( κ ) (resp. g ( κ ) , g ′ ( κ ) ) denoting the number of operations required to solve SDLP (resp. SCDH) for ( g , ϕ ) and ( g ′ , ϕ ′ ) , respectively, then we have f ( κ ) = O ( f ′ ( κ ) ) (resp. g ( κ ) = O ( g ′ ( κ ) ) ) . Then:

In this work, we consider groups, rather than semigroups. We also note a group action interpretation of SDLP. Define

Then,

This group action is free and transitive. We call this group action the semidirect product group action (SDPGA).

2.6 SPDH-sign

In the study of Battarbee et al. [4], a signature scheme was designed based on SDLP. The key generation and signing algorithms require multiple instances of SDLP to be published; we denote the number of samples by N , and refer to SPDH - Sign g , ϕ ( N ) below. The key generation and signing algorithms are given by

Note that it suffices to solve SDLP to break the scheme: if one can solve the SDLP problem, one can take the public key p k = ( ( X 1 , … , X N ) , ( Y 1 , … , Y N ) ) of SPDH-Sign and extract the s i , which comprise the secret key. For more on the security of SPDH-Sign, we refer the reader to the study of Battarbee et al. [4].

For the use of SPDH-Sign, one has to pick a particular group with which the scheme will be instantiated; the authors propose the use of the group

We note that we have G p ≅ Z ⁄ p 2 Z ⋊ Z ⁄ p Z , where Z ⁄ p Z acts on Z ⁄ p 2 Z via a ⋆ b = b 1 + p a . This isomorphism and its inverse are plainly efficiently computable.

When using such a group, p would be chosen to be a cryptographic prime, i.e., p = exp ( λ ) , where λ is the security parameter of a SLDP-based scheme, such as SPDH-Sign.

Finally, in this section, we note an incorrect statement in the study of Battarbee et al. [4]. The authors write:

The reasoning runs as follows. Since n ∣ ord ( ( g , ϕ ) ) , and ord ( ( g , ϕ ) ) ∣ G p ⋉ Aut ( G ) , we must have n ∣ ( p − 1 ) p 6 for some odd prime p , and n ≠ ( p − 1 ) p 6 since this would imply G p ⋊ Aut ( G p ) were cyclic.

The reasoning is sound; the conclusion of the theorem statement, however, is false when p ≠ 3 : since p is prime, p − 1 is not prime, and thus, the set of possibilities for n includes all elements of the set of divisors of p − 1 multiplied by powers of p , up to p 6 – not just the 12 values stated earlier. For instance, n = 2 p is a possibility for all p . The statement should read:

We point this out for its relevance to our results in Section 4. If the number of prime factors of p − 1 is bounded, one can compute n efficiently (quantumly) given p , g , and ϕ , using the methods of [4, Section 5] or [3, Algorithm 1].

3.1 Inner automorphisms of G p

We first consider inner automorphisms. Note that ( s c r n ) − 1 = ( r n ) − 1 ( s c ) − 1 = r − n s − c = s p c n s − c r − n , since s p c n s − c r − n ⋅ s c r n = s p c n s − p c n r 0 = 1 . The inner automorphisms act on s b r m by conjugation; i.e., if ϕ ∈ Inn ( G p ) , then for some c and n ,

We summarise this as

We note that there are ∣ Inn ( G p ) ∣ = ∣ G p ∣ ∣ Z ( G p ) ∣ = p 3 p = p 2 inner automorphisms, since the centre of G p is

3.2 Outer automorphisms of G p

The form of the outer automorphisms is less obvious than that of the inner automorphsims; we have

We conclude this section with the important observation.