
Proceeding of the 3rd International Conference on Informatics and Technology, 2009

SEMIGROUP RINGS AS PLATFORM FOR CRYPTOSYSTEM


Wan Ainun Mior Othman^1, Wong Peng Choon^2, Wong Kok Bin^3, Steve J. Pride^4, Peter H. Kropholler^5

^1,2,3 Institute of Mathematical Sciences, Faculty of Science, University of Malaya, 50603 Kuala Lumpur, Malaysia.
Email: ^1 wanainun@um.edu.my, ^2 wongpc@um.edu.my, ^3 kbwong@um.edu.my
^4,5 Department of Mathematics, University of Glasgow, University Gardens, Glasgow G12 8QW, Scotland, United Kingdom.
Email: ^4 sjp@maths.gla.ac.uk, ^5 p.h.kropholler@maths.gla.ac.uk
ABSTRACT
Most of the current public key cryptosystems and public key exchange protocols base their security on the
platform of Number Theory. With the advent of powerful new supercomputers, new and faster algorithms and
software, these cryptosystems are susceptible to brute force attacks. In the last ten or more years, there has
been a search for more secure and efficient public key cryptosystems based on new platforms of algebraic objects.
In this paper, we study the potential of certain semigroup rings as a platform for Diffie-Hellman key exchange.

Keywords: Semigroup rings, Diffie-Hellman, Discrete logarithm problem, Key exchange protocol,
Cryptosystems.

1 Introduction
Most of the public key cryptosystems and public key exchange protocols currently in use, like the Diffie-Hellman
key exchange protocol [5], the RSA public key cryptosystem [15], the ElGamal public key cryptosystem [6], the
digital signature scheme and ElGamal's signature scheme [6], base their security on the platform of Number
Theory. With the advent of powerful new supercomputers, new and faster algorithms and software, these
cryptosystems are susceptible to brute force attacks. In the last ten or more years, there has been a search
for more secure and efficient public key cryptosystems based on new platforms of algebraic objects, like groups
and semigroups, where the security is based on hard search (algorithmic) problems [1], [4], [9]. Braid groups
[4], [9], [10], Thompson's group [16] and certain formal power series rings [2], [12] have been proposed as possible
new platforms. Hard search problems which have been proposed include the conjugacy search problem, the subgroup
membership search problem and the decomposition search problem. In the Braid group cryptosystem, the
security is based on the conjugacy search problem. Although the Braid group cryptosystem had initial success,
several potential attacks have been identified [7], [8], [13]. Some of these attacks are based on the abstract
structure of the Braid groups. At this point it is clear that further research on the structure of groups and
semigroups with cryptographic applications is necessary.
The famous Diffie-Hellman key exchange protocol bases its security on the discrete logarithm problem, which
is supposedly a very hard problem in Number Theory. In a recent paper [11], Maze, Monico and Rosenthal were
able to show that the discrete logarithm problem over a group can be considered as a special case of an action by
a semigroup. They showed that every semigroup action by an abelian semigroup gives rise to a Diffie-Hellman
key exchange. With an additional assumption it is also possible to extend the ElGamal protocol.
The idea of using semigroup actions for the purpose of building one-way trapdoor functions for cryptosystems
is not new and it has appeared in several papers. For example, Yamamura [17] has considered a group action
of $SL_2(\mathbb{Z})$. Blackburn and Galbraith [3] have analyzed the system of Yamamura [17] and they have shown that
it is insecure.
In this note we study the potential of certain semigroup rings as a platform for Diffie-Hellman key exchange.
The Diffie-Hellman key exchange protocol is a protocol which allows two parties, Alice and Bob, to exchange a
secret key over some insecure channel. To do this Alice and Bob agree on a group $G$ and a common element
$g \in G$. Then Alice chooses a random integer $a$ and Bob chooses a random integer $b$. Alice sends $g^a$ to Bob
while Bob sends $g^b$ to Alice. Their common secret key is $k := g^{ab}$. Following Maze, Monico and Rosenthal [11],
this protocol can be defined formally as follows.

©Informatics '09, UM 2009 RDT6 - 215



Protocol 1.1. [Diffie-Hellman Key Exchange Protocol] Let $G$ be a group.

1. Alice and Bob publicly agree on an element $g \in G$.
2. Alice chooses an integer $a$ and computes $g^a$. Alice's private key is $a$, her public key is $g^a$.
3. Bob chooses an integer $b$ and computes $g^b$. Bob's private key is $b$, his public key is $g^b$.
4. Their common secret key is then
$$(g^a)^b = (g^b)^a.$$

The Diffie-Hellman key exchange protocol uses the discrete logarithm problem as the basis of its security.
Following Maze, Monico and Rosenthal [11], the discrete logarithm problem can be defined as follows.

Problem 1.2. [Discrete Logarithm Problem] Let $G$ be a group and $g, h \in G$. Find an integer $n$ such that
$g^n = h$.

Problem 1.2 has a solution if and only if there is a unique integer $n$ such that $g^n = h$. This unique integer is
called the discrete logarithm of $h$ with base $g$. Currently the multiplicative group $(\mathbb{Z}/n\mathbb{Z})^*$ of integers modulo
$n$ is widely used for the group $G$, now called the platform group. Suppose an adversary, Eve, is able to capture
$g^a$ and $g^b$ and Eve is able to solve Problem 1.2. Then Eve can find an integer $x$ such that $g^x = g^a$ and she can
then compute $(g^b)^x = (g^x)^b = g^{ab}$, which is the shared key. Thus it is clear that solving the discrete logarithm
problem is sufficient for breaking the Diffie-Hellman protocol. As a result there has been much research work
recently to find other platform groups and generalizations of the discrete logarithm problem to be used in the
Diffie-Hellman key exchange protocol.
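The following Python program is an added illustration of Protocol 1.1 and of the reduction just described; it is not code from the paper. It runs the protocol in the platform group $(\mathbb{Z}/p\mathbb{Z})^*$ for a constructed toy safe prime $p = 2879$ with generator $g = 7$ (both chosen here, not taken from the paper), and then plays Eve: an adversary who can solve Problem 1.2 (here only by exhaustive search, which is feasible solely because $p$ is tiny) computes $(g^b)^x = g^{ab}$ from the two public values. The function names `keygen`, `shared_key`, `discrete_log` and `break_dh` are this example's own.

```python
# Added example, not from the paper: Protocol 1.1 in (Z/pZ)^* with a constructed
# toy safe prime, plus the reduction "solve Problem 1.2 => recover the shared key".
# The exhaustive-search discrete log only finishes quickly because p is tiny;
# the size of p is what separates this toy from a deployable parameter set.

import secrets
from typing import Optional, Tuple

P = 2879   # constructed toy safe prime: 2879 = 2 * 1439 + 1 (real use: ~2048-bit p)
G = 7      # a generator of (Z/2879Z)^*; checked by is_generator below


def is_generator(g: int, p: int) -> bool:
    """For a safe prime p = 2q + 1, g generates (Z/pZ)^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def keygen(g: int = G, p: int = P, secret: Optional[int] = None) -> Tuple[int, int]:
    """Steps 2/3 of Protocol 1.1: a private exponent and the public value g^secret mod p."""
    if secret is None:
        secret = secrets.randbelow(p - 2) + 1     # 1 <= secret <= p - 2
    return secret, pow(g, secret, p)


def shared_key(their_public: int, my_secret: int, p: int = P) -> int:
    """Step 4 of Protocol 1.1: (g^a)^b = (g^b)^a mod p."""
    return pow(their_public, my_secret, p)


def discrete_log(g: int, h: int, p: int) -> Optional[int]:
    """Problem 1.2 by exhaustive search: the least n >= 0 with g^n = h (mod p), or None.
    Exponents only matter modulo p - 1, the order of (Z/pZ)^*."""
    acc = 1
    for n in range(p - 1):
        if acc == h % p:
            return n
        acc = (acc * g) % p
    return None


def break_dh(g: int, ga: int, gb: int, p: int) -> Optional[int]:
    """Eve's computation from the text: find x with g^x = g^a, then (g^b)^x = g^ab."""
    x = discrete_log(g, ga, p)
    return None if x is None else pow(gb, x, p)


if __name__ == "__main__":
    a, ga = keygen()
    b, gb = keygen()
    k_alice, k_bob = shared_key(gb, a), shared_key(ga, b)
    print("shared key agrees:", k_alice == k_bob)
    print("Eve recovers it from g, g^a, g^b alone:", break_dh(G, ga, gb, P) == k_alice)
```

The `is_generator` test is specific to safe primes: when $p - 1 = 2q$ with $q$ prime, the only proper divisors of the group order are 2 and $q$, so checking those two powers suffices.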

2 Cryptanalysis of a certain protocol.


In this section we shall examine whether a semigroup ring is suitable as a platform for a Diffie-Hellman-type
key exchange protocol. The idea of using semigroup rings and formal power series rings has appeared in [2],
[12]. The following protocol is a special case of Protocol 2.1 of Maze, Monico and Rosenthal [11].

Protocol 2.1. Let S be a semigroup and R be a ring.


1. Alice and Bob publicly agree on an element K in the semigroup ring R[S].
2. Alice chooses A ∈ R[S] and computes AK. Alice’s private key is A, her public key is AK.
3. Bob chooses B ∈ R[S] and computes KB. Bob’s private key is B, his public key is KB.
4. Their common secret key is then

A(KB) = (AK)B.

As mentioned by Maze, Monico, and Rosenthal, (see Problem 2.2 of [11]), the security of Protocol 2.1 is
based on the following problem.

Problem 2.2. Given $a \in R[S]$ and $b \in aR[S]$, find an $x \in R[S]$ such that $ax = b$.

Suppose the adversary, say Eve, is able to solve Problem 2.2. Then Eve can find a $B' \in R[S]$ such that
$KB' = KB$ and she can compute $(AK)B' = A(KB') = A(KB)$, which is the shared key. Thus it is clear that
solving Problem 2.2 is sufficient for breaking Protocol 2.1. We now give the following example.
Example 2.3. Let $S = \langle s \rangle$ be an infinite cyclic group and $R = \mathbb{Z}$ the ring of integers. Then
$R[S] = \{\sum_{i=1}^{n} r_i s_i : r_i \in R,\ s_i \in S\}$. Let $a = s^3 + 4s^{-1} + s^{-5} \in R[S]$. Suppose
$b = 3s^7 + 12s^3 + 2s^5 + 3s^{-1} - 30s^{-3} - 8s^{-7} \in aR[S]$.
To solve Problem 2.2 we have to find an element $x \in R[S]$ such that $ax = b$.

In the next lemma we shall show that for certain ordered semigroups, Problem 2.2 can be solved easily.

Lemma 2.4. Let S be an ordered semigroup for which given any u, v ∈ S one can find z ∈ S easily such that
uz = v provided that z exists. Let R be a ring such that the equation rZ = t where r, t ∈ R and Z an unknown
can be solved easily and if there is a solution the solution is unique. Then Problem 2.2 can be solved easily.




Proof. Let $a \in R[S]$ and $b \in aR[S]$. Then $a = \sum_{i=1}^{n} r_i s_i$ and $b = \sum_{i=1}^{m} t_i u_i$ where
$r_i, t_i \in R$, $s_i, u_i \in S$, $s_1 < s_2 < \cdots < s_n$ and $u_1 < u_2 < \cdots < u_m$. We prove it by induction
on the ordering of $u_m$. Since $b \in aR[S]$, there is a $y = \sum_{i=1}^{p} e_i v_i$ where $e_i \in R$, $v_i \in S$ and
$v_1 < v_2 < \cdots < v_p$ such that $ay = b$. So
$$\Bigl(\sum_{i=1}^{n} r_i s_i\Bigr)\Bigl(\sum_{i=1}^{p} e_i v_i\Bigr) = \sum_{i=1}^{m} t_i u_i.$$
Since $S$ is an ordered semigroup, by comparing the highest term, we must have $r_n e_p s_n v_p = t_m u_m$,
i.e. $r_n e_p = t_m$ and $s_n v_p = u_m$.
Now by the hypothesis, we can find a $w \in S$ such that $s_n w = u_m$. We show that $w = v_p$. Suppose $w \neq v_p$.
Then either $w < v_p$ or $v_p < w$. If $w < v_p$ then $u_m = s_n w < s_n v_p = u_m$, a contradiction. Similarly we
cannot have $v_p < w$. Thus $w = v_p$.
By the hypothesis we can find a unique $c \in R$ such that $r_n c = t_m$. Therefore we have $c = e_p$. Let
$$b' = \sum_{i=1}^{m-1} t_i u_i - \sum_{i=1}^{n-1} r_i c\, s_i w \qquad \text{and} \qquad y' = \sum_{i=1}^{p-1} e_i v_i.$$
Note that $ay' = b'$. Furthermore $s_i w < u_m$ for $i = 1, \ldots, n-1$ since $s_n w = u_m$. So the ordering of
each term in $b'$ is less than the ordering of the highest term in $b$. By induction, we can find an $x' \in R[S]$
easily such that $ax' = b'$. Let $x = x' + cw$. Then $ax = b$. Hence Problem 2.2 can be solved easily.

We shall illustrate this for the above example.

Example 2.5. Let $S = \langle s \rangle$ and $R$ be as in Example 2.3. Then $S$ becomes an ordered group if we define
$s^i < s^j$ if $i < j$. Hence $R$ and $S$ satisfy the hypothesis of Lemma 2.4. Let $a = s^3 + 4s^{-1} + s^{-5}$ and
$b = 3s^7 + 12s^3 + 2s^5 + 3s^{-1} - 30s^{-3} - 8s^{-7}$ as in Example 2.3. By looking at the highest power of $s$
in $a$ and $b$, we see that if $ax_0 = b$ then $x_0 = 3s^4 + x_1$. So $ax_0 = 3s^7 + 12s^3 + 3s^{-1} + ax_1 = b$ and
$ax_1 = 2s^5 - 30s^{-3} - 8s^{-7} = b_1$. Then $x_1 = 2s^2 + x_2$. So $ax_1 = 2s^5 + 8s + 2s^{-3} + ax_2 = b_1$ and
$ax_2 = -8s - 32s^{-3} - 8s^{-7} = b_2$. Then $x_2 = -8s^{-2} + x_3$. So $ax_2 = -8s - 32s^{-3} - 8s^{-7} + ax_3 = b_2$
and $ax_3 = 0$. Therefore $x_3 = 0$ and $x_0 = 3s^4 + 2s^2 - 8s^{-2}$.
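The Python program below is an added worked example, not code from the paper, covering Protocol 2.1 and the attack of Lemma 2.4 together. It takes $R = \mathbb{Z}$ and $S = \langle s \rangle$ ordered by exponent as in Examples 2.3 and 2.5, so $R[S]$ is the ring of Laurent polynomials $\mathbb{Z}[s, s^{-1}]$, represented as a dictionary from exponent to nonzero integer coefficient. `solve_problem_2_2` is the highest-term peeling of Lemma 2.4 and reproduces $x_0 = 3s^4 + 2s^2 - 8s^{-2}$ from the paper's $a$ and $b$; it also adds a termination bound not stated in the lemma (any solution $x$ has lowest exponent $\min(b) - \min(a)$ because $\mathbb{Z}$ is an integral domain), so it reports "no solution" instead of descending forever when $b \notin aR[S]$. The protocol run uses $K = a$, Bob's secret $B = x_0$ and a made-up secret for Alice; the names `mul`, `sub`, `protocol_2_1` and `eve_recovers_key` are this example's own.

```python
# Added example, not from the paper: Protocol 2.1 over Z[s, s^-1] = R[S] with
# R = Z and S = <s> ordered by exponent, and the Lemma 2.4 attack on it.
# A Laurent polynomial is a dict {exponent: nonzero integer coefficient}.

from typing import Dict, Optional, Tuple

Laurent = Dict[int, int]


def mul(p: Laurent, q: Laurent) -> Laurent:
    """Product in Z[s, s^-1]: s^i * s^j = s^(i+j), coefficients multiply in Z."""
    out: Laurent = {}
    for i, r in p.items():
        for j, t in q.items():
            out[i + j] = out.get(i + j, 0) + r * t
    return {e: c for e, c in out.items() if c != 0}


def sub(p: Laurent, q: Laurent) -> Laurent:
    """Difference p - q with zero coefficients dropped."""
    out = dict(p)
    for e, c in q.items():
        out[e] = out.get(e, 0) - c
    return {e: c for e, c in out.items() if c != 0}


def solve_problem_2_2(a: Laurent, b: Laurent) -> Optional[Laurent]:
    """Lemma 2.4 for S = <s>, R = Z: find x with a*x == b by matching the highest
    term of b at each step; return None if b is not in a*Z[s, s^-1]."""
    if not a:
        raise ValueError("a must be nonzero")
    a_hi, a_lo = max(a), min(a)
    if not b:
        return {}
    # Z is an integral domain, so the lowest term of a*x is the product of the
    # lowest terms: any solution has min(x) = min(b) - min(a). Going below that
    # bound means there is no solution (the loop would otherwise never stop).
    x_lo_bound = min(b) - a_lo
    x: Laurent = {}
    while b:
        b_hi = max(b)
        w = b_hi - a_hi                     # s_n * s^w = u_m
        if w < x_lo_bound:
            return None
        if b[b_hi] % a[a_hi] != 0:          # r_n * c = t_m has no solution in Z
            return None
        c = b[b_hi] // a[a_hi]              # the unique c with r_n * c = t_m
        x[w] = c
        b = sub(b, mul(a, {w: c}))          # b' = b - c * s^w * a
    return x


def protocol_2_1(K: Laurent, A: Laurent, B: Laurent) -> Tuple[Laurent, Laurent, Laurent]:
    """Protocol 2.1: Alice's public AK, Bob's public KB and the shared key A(KB) = (AK)B."""
    AK, KB = mul(A, K), mul(K, B)
    assert mul(A, KB) == mul(AK, B)         # associativity in R[S]
    return AK, KB, mul(A, KB)


def eve_recovers_key(K: Laurent, AK: Laurent, KB: Laurent) -> Optional[Laurent]:
    """The attack of Section 2: solve K*x = KB for some B' (Problem 2.2 with a = K,
    b = KB), then (AK)B' = A(KB') = A(KB) is the shared key."""
    B_prime = solve_problem_2_2(K, KB)
    return None if B_prime is None else mul(AK, B_prime)


# Data of Examples 2.3 / 2.5: a = s^3 + 4s^-1 + s^-5,
# b = 3s^7 + 12s^3 + 2s^5 + 3s^-1 - 30s^-3 - 8s^-7.
A_EX = {3: 1, -1: 4, -5: 1}
B_EX = {7: 3, 3: 12, 5: 2, -1: 3, -3: -30, -7: -8}

if __name__ == "__main__":
    print("x_0 =", solve_problem_2_2(A_EX, B_EX))   # {4: 3, 2: 2, -2: -8}
    # Constructed run: K = a, Bob's secret B = x_0, Alice's secret A made up here.
    AK, KB, key = protocol_2_1(K=A_EX, A={2: 5, 0: -1, -3: 2}, B={4: 3, 2: 2, -2: -8})
    print("Eve recovers the shared key:", eve_recovers_key(A_EX, AK, KB) == key)
```

Each pass through the loop is one induction step of the proof: the highest term of $b$ fixes $w$ and $c$, and $b$ is replaced by $b'$, whose highest term is strictly lower. Since $\mathbb{Z}[s, s^{-1}]$ is commutative, Eve could equally solve $xK = AK$ for $A'$ and form $A'(KB)$.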

3 Security Implementation
Although certain ordered semigroup rings are not a good platform for cryptography, for unorderable semigroups
the result looks promising.
To achieve greater security, we use a semigroup ring as the platform in our encryption device and place it to
support either link encryption or end-to-end encryption. Then, as a countermeasure for traffic confidentiality,
we implement traffic padding, which involves sending random bits during periods when no encrypted data are
available for transmission.

4 Conclusion
From Lemma 2.4, we see that the ordered semigroup ring is not a good platform for Protocol 2.1 discussed
in Section 2. However we are not able to detect any flaws in Protocol 2.1 when the semigroup ring is
unorderable. Indeed for certain unorderable semigroups the rewriting system may be infinite. For example
we can consider the semigroup with presentation $S = \langle x, y \mid y^2 x y^2 = x,\ x^2 y x^2 = y \rangle$. This presentation,
when considered as a group, was shown by Promislow [14] to have the non-unique product property.
Furthermore $S$ is torsion-free but is not right orderable even though it is the amalgamated product of two
right orderable groups (see [14]). As a semigroup, $S$ has an infinite rewriting system, i.e. it is infinitely
presented.
In this paper we have examined using semigroup rings as platform only from the security viewpoint. The
implementation and efficiency aspects are still to be examined.

References
[1] I. Anshel, M. Anshel and D. Goldfeld, An algebraic method for public-key cryptography, Math. Res. Lett.
6 (3-4) (1999) 287–291.
[2] G. Baumslag, Y. Brukhov, B. Fine and G. Rosenberger, Encryption methods using formal power series
rings, preprint.
[3] S.R. Blackburn and S.D. Galbraith, Cryptanalysis of two cryptosystems based on group actions, in Advances
in Cryptology - ASIACRYPT '99, volume 1716 of Lecture Notes in Computer Science, Springer-Verlag,
Berlin, (1999) 52–61.




[4] J.C. Cha, K.H. Ko, S.J. Lee, J.H. Cheon, J.W. Han and J.H. Cheon, An efficient implementation of braid
groups, in ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, Springer, Berlin, (2001)
144–156.
[5] W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (6)
(1976) 644–654.
[6] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans.
Inform. Theory 31 (4) (1985) 469–472.
[7] D. Hofheinz and R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in
Public Key Cryptography, 6th International Workshop on Practice and Theory in Public Key Cryptography,
PKC 2003 Proceedings, volume 2567 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, (2002)
187–198.
[8] J. Hughes, A linear algebraic attack on the AAFG1 braid group cryptosystem, in 7th Australasian
Conference on Information Security and Privacy, ACISP, volume 2384 of Lecture Notes in Computer Science,
Springer-Verlag, Berlin, (2002) 176–189.
[9] K.H. Ko, S.J. Lee, J.H. Cheon, J.W. Han, J.S. Kang and C. Park, New public-key cryptosystem using braid
groups, in Advances in Cryptology - CRYPTO 2000 (Santa Barbara, CA), volume 1880 of Lecture Notes in
Computer Science, Springer, Berlin, (2000) 166–183.
[10] E. Lee and J.H. Park, Cryptanalysis of the public key encryption based on braid groups, in Advances in
Cryptology - EUROCRYPT 2003, volume 2332 of Lecture Notes in Computer Science, Springer-Verlag, Berlin,
(2002) 14–28.
[11] G. Maze, C. Monico and J. Rosenthal, Public key cryptography based on semigroup actions, Adv. Math.
Commun. 1 (4) (2007) 489–507.
[12] G. Maze, C. Monico and J. Rosenthal, Public key cryptography based on simple modules over simple
rings, in D. Gilliam and J. Rosenthal, editors, Proceedings of the 15th International Symposium on the
Mathematical Theory of Networks and Systems, University of Notre Dame, August 2002.
[13] A.G. Myasnikov, V. Shpilrain and A. Ushakov, A practical attack on some braid group based cryptographic
protocols, in CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, Springer-Verlag, Berlin,
(2005) 86–96.
[14] D. Promislow, A simple example of a torsion-free non unique product group, Bull. London Math. Soc. 20
(1988) 302–304.
[15] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key
cryptosystems, Communications of the ACM 21 (1978) 120–126.
[16] V. Shpilrain and A. Ushakov, Thompson's group and public key cryptography, volume 3531 of Lecture
Notes in Computer Science, Springer-Verlag, Berlin, (2005) 151–164.
[17] A. Yamamura, Public-key cryptosystems using the modular group, in Public Key Cryptography, volume 1431
of Lecture Notes in Computer Science, Springer, Berlin, (1998) 203–216.

