Research Article Conjugacy Systems Based on Nonabelian ...downloads.hindawi.com/journals/jam/2014/630607.pdf · Hellman(Gap-DH)problem)withrespectto ,, ,denoted byGap-CDH,,istosolvetheCDH,

Research ArticleConjugacy Systems Based on Nonabelian FactorizationProblems and Their Applications in Cryptography

Lize Gu and Shihui Zheng

Information Security Center State Key Laboratory of Networking and Switching Technology Beijing University ofPosts and Telecommunications Beijing 100876 China

Correspondence should be addressed to Shihui Zheng shihuizhgmailcom

Received 2 February 2014 Accepted 6 April 2014 Published 28 April 2014

Academic Editor Javier Oliver

Copyright copy 2014 L Gu and S ZhengThis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

To resist known quantum algorithm attacks several nonabelian algebraic structures mounted upon the stage of moderncryptography Recently Baba et al proposed an important analogy from the integer factorization problem to the factorizationproblem over nonabelian groups In this paper we propose several conjugated problems related to the factorization problem overnonabelian groups and then present three constructions of cryptographic primitives based on these newly introduced conjugacysystems encryption signature and signcryption Sample implementations of our proposal as well as the related performanceanalysis are also presented

1 Introduction

Background andMotivationAlthough the idea of encryptionhas made it to the world thousands of years ago the conceptof public key cryptography (PKC) came to us no more thanhalf of a century To secure communications over insecurechannels the core idea of PKC is to exert a heavy burdenthat is computational cost in general on eavesdroppers butmeanwhile keep the additional workload of legitimate usersas light as possible [1] This idea is always instantiated bycertain challenging problems for which the legitimate usersknow at least one feasible solution while it is infeasible to finda solution even if the attackers exhaust all available resourcesAlong this roadmap the well-known Diffie-Hellman keyexchange protocol [2] as well as many public key cryptosys-tems such as RSA [3] ElGamal [4] and ECC [5 6] manifeststheir great success during the past four decades Howeverconsidering that the famous problem 119875

= 119873119875 remained openup to now all these cryptographic protocolsschemes relaytheir security on assumptions of the intractability of certainproblems say integer factorization problem (IFP) discretelogarithm problem over finite fields (DLP) or elliptic curves(ECDLP)

Intractability assumptions of certain cryptographic prob-lems themselves never mean the security of real systemsInstead they must be embedded in implementing certaincryptographic primitives In fact security is a compositeconcept and it can be divided into several different proper-ties Among them confidentiality authenticity and integrityattract a lot of attention in the community of PKC Althoughthe primitive of encryption is mainly intended to keep con-fidentiality when an encryption scheme achieves indistin-guishability against adaptive chosen ciphertext attacks (IND-CCA2) the integrity of the ciphertexts is also granted Sim-ilarly the primitive of signature maintains the authenticityand integrity simultaneously Another cryptographic prim-itive signcryption is a data security technology by whichconfidentiality is protected and authenticity is achieved seam-lessly at the same time [7ndash9] The primitive of signcryp-tion invented in 1996 but firstly disclosed to the public atCRYPTO 1997 [7 8] is now an international standard fordata protection (ISOIEC 29150 Dec 2011) Up-to-date manyconstructions of signcryption were proposed based on theintractability assumptions of IFP [10 11] or DLPECDLP [1213] Some constructions further utilize the bilinear pairingto enhance the functionalities and performance [14 15] but

Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2014 Article ID 630607 10 pageshttpdxdoiorg1011552014630607

2 Journal of Applied Mathematics

the security of these constructions was also rooted in theintractability assumption of ECDLP Unfortunately IFP andDLP as well as ECDLP could be efficiently solved by Shorrsquosquantum algorithms [16 17] and its extensions [18] Thusthere is an urgent requirement to develop new signcryptionschemes that have the potential capability to resist Shor-likequantum attacks Although two lattice-based signcryptionschemes were claimed recently [19 20] to have the advantagesin resisting known quantum algorithm attacks the parametersize of these constructions is considerably large Thereforemore efficient designs are expected

Contribution In this paper wemade efforts from two aspectsAt first we define several conjugated problems related to thefactorization problem over nonabelian groups and we namethese problems as conjugacy systems Next we explore theusefulness of these conjugacy systems via presenting threeconstructions of cryptographic primitives encryption signa-ture and signcryption In addition sample implementationsof our proposal as well as related performance analysis arepresented

Related Work Our work belongs to the line of the so-callednoncommutative cryptography that has become noticeablerecently [21] Considering that Shorrsquos quantum algorithm andits extension work well over some commutative groups suchas the multiplication group Zlowast

119899 the multiplication group Flowast

119902

and the addition group over elliptic curves on finite field F119902

and we have already known efficient quantum algorithms forhidden group problems (HSP) over all commutative groupsa lot of attempts on developing cryptosystems are based onnoncommutative algebraic structuresDuring the past decadebraid groups [9 22 23] inner automorphism groups [24 25]Thompsonrsquos groups [26] linear groups and classical modulargroups [27 28] random covers and logarithmic signatures[29] and so forth have already mounted upon the stageof modern cryptography However this area is considerablyimmature and at present there are no practical both inefficiency and security noncommutative cryptosystems [9]In particular finding a secure nonabelian analogy of cryp-tosystems based on IFP remains open [21] until recently In2011 Baba et al proposed a nonabelian factorization prob-lem and presented associated cryptosystems [30] AlthoughBKTrsquos constructions failed to achieve semantic security theinsight embedded in the nonabelian factorization problemopens a new avenue for developing practical nonabeliancryptography [31] In 2012 Gu et al [31] proposed anIND-CCA2 secure encryption scheme based on BKTrsquos ideaMoreover they gave the first arguments on resisting Shorrsquosquantum algorithm attacks based on noncommutativity(see Remark 11)

Roadmap The remaining content is organized as followsIn Section 2 we at first recall the definition of nonabelianfactorization problem and related extensions then definesome new cryptographic problems (referred to as conjugacysystems) and finally present analysis on the hardness of theseproblems in Section 3 we present new constructions onencryption signature andsigncryption based on the newly

introduced conjugacy systems in Section 4 we discuss thepossible implementation platforms and related performancefinally concluded remarks are given in Section 5

2 Conjugacy Systems Based on NonabelianFactorization Problems

Most public key cryptosystems are based on certainintractability assumptions and thus finding new intractableassumptions is an interesting cryptographic practice Inthis section we will at first review the so-called nonabelianfactorization problem that was firstly formulated in [30]and then introduce some new cryptographic problems bycoupling related problems with conjugate operations Thisidea is in fact enlightened by braid cryptosystems [23] andthe CSP-based constructions [32] where conjugacy relatedproblems play center roles For abbreviation we refer tothese problems as conjugacy systems

21 Nonabelian Factorization Problem and NewCryptographic Problems

Definition 1 (factorization problem FP [30 31]) Let119866 be anynonabelian finite group with identity 119890 Let 119892 ℎ isin 119866 be tworandom elements so that ⟨119892⟩ cap ⟨ℎ⟩ = 119890 The factorizationproblem with respect to 119866 119892 ℎ denoted by FP119866

119892ℎ is to split

the given product 119892119909ℎ119910 isin 119866 into a pair (119892119909 ℎ119910) isin 1198662 where

119909 and 119910 are arbitrary integers picked at random

Definition 2 (computational Diffie-Hellman problem CDH[30 31]) Let 119866 be any nonabelian finite group with identity119890 Let 119892 ℎ isin 119866 be two random elements so that ⟨119892⟩ cap ⟨ℎ⟩ =

119890 The computational Diffie-Hellman (CDH) problem withrespect to 119866 119892 ℎ denoted by CDH119866

119892ℎ is to recover 119892119886+119888ℎ119887+119889

from the given pair (119892119886ℎ119887 119892119888ℎ119889) isin 1198662 where 119886 119887 119888 119889 are

arbitrary integers picked at random

Definition 3 (decisional Diffie-Hellman problem DDH [31])Let 119866 be any nonabelian finite group with identity 119890 Let119892 ℎ isin 119866 be two random elements so that ⟨119892⟩cap ⟨ℎ⟩ = 119890 Thedecisional Diffie-Hellman (DDH) problem with respect to119866 119892 ℎ denoted by DDH119866

119892ℎ is to distinguish the distribution

D0≜ (119892

119886ℎ119887 119892119888ℎ119889 119892119911ℎ119910) 119886 119887 119888 119889 119911 119910isin

119877Z (1)

and the distribution

D1≜ (119892

119886ℎ119887 119892119888ℎ119889 119892119886+119888

ℎ119887+119889

) 119886 119887 119888 119889isin119877Z (2)

Definition 4 (gap computational Diffie-Hellman problemGap-CDH [31]) Let 119866 be any nonabelian finite group withidentity 119890 Let 119892 ℎ isin 119866 be two random elements so that⟨119892⟩cap⟨ℎ⟩ = 119890The gap computational Diffie-Hellman (Gap-CDH) problem (In [31] this problem is called gap Diffie-Hellman (Gap-DH) problem) with respect to119866 119892 ℎ denotedby Gap-CDH119866

119892ℎ is to solve the CDH119866

119892ℎproblem given access

to an oracle that solves the DDH119866119892ℎ

problem

Journal of Applied Mathematics 3

Definition 5 (subgroup conjugator searching problem SCSP)Let 119866 be any nonabelian finite group with identity 119890 Let119892 ℎ isin 119866 be two random elements so that ⟨119892⟩cap ⟨ℎ⟩ = 119890 Thesubgroup conjugator searching problem (SCSP) with respectto119866 119892 ℎ denoted by SCSP119866

119892ℎ is to recover 119892119909 from the given

pair (ℎ119910 119892119909ℎ119910119892minus119909) isin 1198662 where 119909 119910 are arbitrary integers

picked at random

Definition 6 (subgroup conjugacy deciding problem SCDP)Let 119866 be any nonabelian finite group with identity 119890 Let119892 ℎ isin 119866 be two random elements so that ⟨119892⟩ cap ⟨ℎ⟩ =

119890 The subgroup conjugacy deciding problem (SCDP) withrespect to 119866 119892 ℎ denoted by SCDP119866

119892ℎ is to distinguish the

distribution

D2≜ (ℎ

119887 119892119886ℎ119887119892119888) 119886 119887 119888isin

119877Z (3)

and the distribution

D3≜ (ℎ

119887 119892119886ℎ119887119892minus119886) 119886 119887isin

119877Z (4)

Definition 7 (conjugated computational Diffie-Hellman prob-lem CCDH) Let 119866 be any nonabelian finite group withidentity 119890 Let 119892 ℎ isin 119866 be two random elements so that⟨119892⟩ cap ⟨ℎ⟩ = 119890 The conjugated computational Diffie-Hellman (CCDH) problem with respect to 119866 119892 ℎ denotedby CCDH119866

119892ℎ is to recover 119892119886+119888ℎ119887119892minus119886minus119888 from the given triple

(ℎ119887 119892119886ℎ119887119892minus119886 119892119888ℎ119887119892minus119888) isin 1198663 (5)

where 119886 119887 119888 119889 are arbitrary integers picked at random

Definition 8 (conjugated decisional Diffie-Hellman problemCDDH) Let119866 be any nonabelian finite groupwith identity 119890Let 119892 ℎ isin 119866 be two random elements so that ⟨119892⟩ cap ⟨ℎ⟩ = 119890The conjugated decisional Diffie-Hellman (CDDH) problemwith respect to119866 119892 ℎ denoted by CDDH119866

119892ℎ is to distinguish

the distribution

D4≜ (ℎ

119887 119892119886ℎ119887119892minus119886 119892119888ℎ119887119892minus119888 119892119889ℎ119887119892minus119889) (6)

(where 119886 119887 119888 119889isin119877Z are drawn at random) and the distribu-

tion

D5≜ (ℎ

119887 119892119886ℎ119887119892minus119886 119892119888ℎ119887119892minus119888 119892119886+119888

ℎ119887119892minus119886minus119888

) (7)

(where 119886 119887 119888isin119877Z are drawn at random)

Definition 9 (gap conjugated computational Diffie-Hellmanproblem Gap-CCDH) Let119866 be any nonabelian finite groupwith identity 119890 Let 119892 ℎ isin 119866 be two random elements sothat ⟨119892⟩ cap ⟨ℎ⟩ = 119890 The gap conjugated computationalDiffie-Hellman (Gap-CCDH)problemwith respect to119866 119892 ℎdenoted by Gap-CCDH119866

119892ℎ is to solve the CCDH119866

119892ℎproblem

given access to an oracle that solves the CDDH119866119892ℎ

problem

22 Hardness Assumptions Firstly we should notice that thecondition ⟨119892⟩cap⟨ℎ⟩ = 119890 implies that the FP problem is well-defined in the sense that the solution is unique for any given

FP instance In addition if 119866 is abelian and the orders of 119892and ℎ are coprime and known then the FP problem can bereduced to the discrete logarithm problem in 119866 accordingto [30] However if the orders of 119892 and ℎ have commonfactors or are kept unrevealed or 119866 is nonabelian then theFP problem seems much hard In this case the naive methodof trying all different pairs (119909 119910) is apparently infeasible if theorders of 119892 and ℎ are large enough Therefore we would liketo introduce the meta-assumptions as follows

(i) (119866 119890) is a nonabelian finite group where 119890 is theidentity

(ii) the orders of 119892 and ℎ are large enough(iii) 119892ℎ = ℎ119892 and ⟨119892⟩ cap ⟨ℎ⟩ = 119890

And then based on this meta-assumption our first hardnessassumption states that the FP 119866

119892ℎproblem is intractable

Secondly both the DDH119866119892ℎ

problem and the Gap-DH119866119892ℎ

problem are no harder than the CDH119866119892ℎ

problem But asfar as we know there is no better solution for the DDH119866

119892ℎ

problem and Gap-CDH119866119892ℎ

problem other than solving theCDH119866119892ℎ

problem (Note that if 119892 and ℎ commute (ie 119892ℎ =

ℎ119892) although the FP119866119892ℎ

problem is still meaningful but theCDH119866119892ℎ

problem the DDH119866119892ℎ

problem and the Gap-DH119866119892ℎ

problem become trivial thus the meta-assumption of non-commutativity of 119892 and ℎ is one of the crucial factors)Therefore our 2nd 3rd and 4th hardness assumptions statethe intractabilities of the CDH119866

119892ℎproblem the DDH119866

119892ℎ

problem and the Gap-DH119866119892ℎ

problem respectivelyThirdly the SCDP problem might be tractable for certain

nonabelian groups say matrix groups considering that thetrace of the matrix 119892

119886ℎ119887119892minus119886 is the same as the trace of ℎ119887

However even for matrix groups it seems that both theCCDH problem and the CDDH problem are still intractablesince we have not found an easier way for solving themthan using the naive method of enumerating all possibleentries Intuitively it is hard to solve the CDDH problemwithout solving the SCSP problem when 119866 is modeled as ageneric semigroup model In 2005 Maurer [33] proved thatthe discrete logarithm problem (DLP) and the correspondingdecisional Diffie-Hellman (DDH) problem are polynomiallyequivalent in a generic cyclic group By an analogical mannerwe speculate that the SCSP problem and the CDDH problemin a generic noncommutative semigroup are polynomiallyequivalent Furthermore we do not know a better solutionfor the CDDH119866

119892ℎproblem and Gap-CCDH119866

119892ℎproblem other

than solving the CCDH119866119892ℎ

problem Therefore our 5th 6rd7th and 8th hardness assumptions state the intractabilities ofthe SCSP119866

119892ℎproblem the CCDH119866

119892ℎproblem the CDDH119866

119892ℎ

and the Gap-CCDH119866119892ℎ

problem respectively Note that inthis paper we do not assume that SCDP119866

119892ℎproblem is hard

At present we have no idea on whether (gap) conjugatedcomputational (resp decisional) Diffie-Hellman problem isharder than (gap) computational (resp decisional) Diffie-Hellman problem or vice versa

4 Journal of Applied Mathematics

Finally a solution to the FP119866119892ℎ

problem would implya solution to all above problems [30] In addition ℎ119887 isnot required to be invertible in all above definitions thusit is possible to instantiate these problems over nonabeliansemigroups (see Figure 1)

Remark 10 (SCSP versus CSP) Note that the subgroup conju-gator searching problem (SCSP) and the subgroup conjugacydeciding problem (SCDP) introduced in this paper are ingeneral at least as hard as the conjugator searching problem(CSP) and the conjugacy deciding problem (CDP) given in[21] in the sense that SCSP and SCDP further require thepotential conjugator 119892119909 coming from a specified subgroup⟨119892⟩ sub 119866

Remark 11 (quantum attack resistant) Note that in [31] wegive detailed analysis of the core role of noncommutativityon resisting Shorrsquos quantum algorithm attacks To make thispaper self-contained we briefly recall some points We knowthat the main part of Shorrsquos quantum algorithm is a quantumalgorithm to solve the order-finding problem over the abeliangroupZlowast

119899[16 17] Now suppose that a quantum algorithm to

solve the order-finding problem over the underlying group119866is at hand and we have already worked out 119892rsquos order 119886 and ℎrsquosorder 119887 However the following lifting reductions are blockedby noncommutativity

(119892119909ℎ119910)119886

= 119892119909sdot119886ℎ119910sdot119886

= 119890 sdot ℎ119910sdot119886

= ℎ119910sdot119886

(119892119909ℎ119910)119887

= 119892119909sdot119887ℎ119910sdot119887

= 119892119909sdot119887

sdot 119890 = 119892119909sdot119887

(8)

The above two inequalities are very important in our argu-ments Without them one can reduce the FP119866

119892ℎproblem to

the DLP problems over the cyclic groups ⟨119892⟩ and ⟨ℎ⟩ whichare quantumly tractable by using Shorrsquos algorithm [31] Inthis sense we can see that BKTrsquos method pins down the truemeaning of noncommutativity for resisting Shorrsquos quantumalgorithm attacks (see Section 71 of [31] for more details)

3 Cryptographic Applications

Let us proceed to demonstrate the usefulness of the conjugacysystems defined above Suppose that119866 is a nonabelian groupAt first the common setting on the public parameters of theproposed schemes are given by a quintuple ⟨D 119892 ℎ119867

1 1198672⟩

where

(i) D is a description of 119866 Without loss of generalitywe assume the length of D is bounded by O(log |119866|)for finite 119866 When 119866 is infinite but admits a finitepresentation say119866 = ⟨119883 | 119877⟩ then the description ofD is given by the description of119883 and 119877

(ii) 119892 ℎ isin 119866 are two fixed elements that are picked atrandom so that

(a) 119892 and ℎ do not commute that is 119892ℎ = ℎ119892(b) ⟨119892⟩ cap ⟨ℎ⟩ = 119890(c) the order of 119892 is large enough Typically we

assume that the order of 119892 is no less than

FP

SCSP

CDH

DDH

Gap-CDH

CCDH

CDDH

Gap-CCDH

SCDP

Seems intractable

Tractable over matrix groups

Figure 1 Cryptographic problems over nonabelian semigroups

the system security parameter 119896 that will bespecified later

(iii) 1198671

119866 rarr 1198662 and 119867

2 1198662

rarr 119866 are twocryptographic hash functions that are modeled asrandom oracles

31 Encryption with IND-CPA Security Now as a warming-up an Elgamal-like encryption scheme denoted by 119881

1 is

described as follows

(i) KeyGen(1119896) this is the key generation algorithm thattakes as input the system security parameter 1119896 picksan integer 119904 isin 0 1

119896 at random and calculates 119909 =

119892119904ℎ119892minus119904

isin 119866 and finally outputs (119892119904 119909) isin 1198662 as the

privatepublic key pair

(ii) Enc(119909119898) this is the encryption algorithm that takesas inputs the public key 119909 isin 119866 and the message119898 isin 119866

and performs the following steps

(a) pick 119905 isin 0 1119896 at random

(b) compute 1198881= 119892119905ℎ119892minus119905 and 119888

2= 119898119892119905119909119892minus119905

(c) output (1198881 1198882)

(iii) Dec(119892119904 1198881 1198882) this is the decryption algorithm that

takes as inputs the private key 119892119904

isin 119866 and theciphertext pair (119888

1 1198882) isin 119866

2 and then outputs theintended message119898 = 119888

2(1198921199041198881119892minus119904)minus1

Journal of Applied Mathematics 5

Correctness The correctness of the scheme is granted by thefollowing calculation

1198882(1198921199041198881119892minus119904)minus1

= 119898119892119905119909119892minus119905(119892119904119892119905ℎ119892minus119905119892minus119904)minus1

= 119898119892119905119909119892minus119905(119892119905119892119904ℎ119892minus119904119892minus119905)minus1

= 119898(119892119905119909119892minus119905) (119892119905119909119892minus119905)minus1

= 119898

(9)

Security The security of the above encryption scheme isessentially similar to the security of the well-known Elgamalencryption scheme [4] That is it is indistinguishable againstchosen plaintext attack (IND-CPA) under the assumptionof the intractability of the CDDH119866

119892ℎproblem One can also

find similar proofs from either [9] or [32] In addition sinceneither119867

1nor119867

2are used in this scheme it is secure in the

standardmodel By using two randomoracles1198671and119867

2 one

can easily convert it into an IND-CCA2 secure encryptionscheme according to the well-known FO transformationtheorem [34] (see the proof of Theorem 14)

32 Signature with the Lowest Security Next let us describea signature scheme denoted by 119881

2 that can be viewed as a

simplified variant of the noncommutative signature schemegiven in [35]

(i) KeyGen(1119896) it is the same as in Section 31(ii) Sign(119892119904 119898) this is the signing algorithm that takes as

inputs the private key 119892119904 isin 119866 and the message119898 isin 119866

and performs the following steps

(a) pick 119905 isin 0 1119896 at random

(b) compute 119906 = 119892119905ℎ119892minus119905 V = 119867

2(119898 119906) and 119908 =

1198672(119906 V)119892minus119905119892119904

(c) output the signature 120590 = (119906 119908) isin 1198662

(iii) Verify(119909119898 120590) this is the verifying algorithm thattakes as inputs the public key 119909 isin 119866 and the message-signature pair (119898 120590) and then performs the followingsteps

(a) parse 120590 into (119906 119908) isin 1198662

(b) compute V = 1198672(119898 119906) and verify whether the

following equality holds

119908119906119908minus1

= 1198672 (119906 V) 1199091198672(119906 V)

minus1 (10)

(c) if so accept this signature otherwise reject it

Correctness The correctness of the scheme is granted by thefollowing calculation

119908119906119908minus1

= 1198672 (119906 V) 119892

minus119905119892119904(119892119905ℎ119892minus119905) 119892minus1199041198921199051198672(119906 V)

minus1

= 1198672 (119906 V) (119892

minus119904ℎ119892119904)1198672(119906 V)

minus1

= 1198672 (119906 V) 1199091198672(119906 V)

minus1

(11)

Security On one hand under the assumptions of theintractability of the SCSP119866

119892ℎproblem and119867

2being a random

oracle this signature scheme merely achieves unforgeabilityagainst no message attacks (UF-NMA)mdashthis is the lowestsecurity level for a signature scheme where adversaries aremerely given the public key and asked to output a successfulforgery The arguments are similar to the security analysisgiven in [35] On the other hand taking this scheme as abuilding block we can design a signcryption scheme thatachieves existential unforgeability against external adaptivelychosen message attack (see the next subsection)

33 Signcryption with IND-CCA2 Security Based on theencryption scheme 119881

1and the signature scheme 119881

2 let us

proceed to present a signcryption scheme denoted by 1198813

(i) KeyGen(1119896) it the same as in Section 31(ii) SignCrypt(119892119904 119910 119898) this is the signcryption algo-

rithm that takes as inputs the senderrsquos private key 119892119904 isin119866 the receiverrsquos public key 119910 isin 119866 and the message119898 isin 119866 and performs the following steps

(a) pick 119905 isin 0 1119896 at random

(b) compute

1198881= 119892119905ℎ119892minus119905

120591 = 1198672(119898 1198881)

120590 = 1205911198881119892119904119892minus119905

120574 = 1198671(119892119905119910119892minus119905)

1198882= (119898 || 120590) oplus 120574

(12)

where operator ldquooplusrdquo should be viewed as XORoperation over bit-strings that are encodingresults of a pair in 119866

2(c) output (119888

1 1198882)

(iii) UnSignCrypt (119892119903 119909 1198881 1198882) this is the unsigncryption

algorithm that takes as inputs the receiverrsquos privatekey 119892

119903isin 119866 the senderrsquos public key 119909 isin 119866 and

the ciphertext pair (1198881 1198882) and performs the following

steps

(a) compute1198981015840 || 1205901015840 = 1198882oplus 1198671(1198921199031198881119892minus119903)

(b) let 1205911015840 = 1198672(1198981015840 1198881)

(c) output 1198981015840 if 120590101584011988811205901015840minus1

= (12059110158401198881)119909(12059110158401198881)minus1 and perp

otherwise

Remark 12 The above signcryption scheme inherits the sameframework from [9] However the construction given here isfeatured by the following differences

(i) Different platforms with different security bases In[9] the platform is the braid group 119861

119899and the

underlying intractability assumption is the conjugatorsearching problem (CSP) while in this paper the

6 Journal of Applied Mathematics

platform could be any nonabelian group and theunderlying intractability assumption is the subgroupconjugator searching problem (SCSP) that is basedon the intractability assumption of the nonabelianfactorization problem In general we think the SCSPproblem is at least as hard as the CSP problem (seeRemark 10) In particular based on nonabelian fac-torization related problems noncommutativity playsa core role in resisting Shorrsquos quantum algorithmattacks

(ii) Different settings with different trade-off in computa-tionalstorage cost As suggested in [9] with the braidgroup 119861

50 we need about 4 Kbits to represent a braid

with canonical length ℓ le 10 This is a bit inefficientin storage Therefore instead of keeping a braid asthe private key we merely use a positive integer 119904 isin

0 1119896 to indicate the private key Considering that the

braid exponentiation can be finished very efficientlythe real private key 119886

119904isin 11986150

can be reconstructedwhenever it is required However in this paperour proposal could be instantiated over arbitrarynonabelian groups only if the related intractabilityassumptions remain reasonableThus we directly use119892119904isin 119866 as the private key To deploy our proposal in

real systems the engineers are responsible formakingproper trade-off choice between the storage cost andthe computational cost

Correctness The correctness of the above scheme is given bythe following theorem

Theorem 13 The proposed signcryption is consistent

Proof Suppose the sender and the receiver perform honestlyand their inputs are well formed That is 119909 = 119892

119904ℎ119892minus119904 and 119910 =

119892119903ℎ119892minus119903 Then since

1198921199031198881119892minus119903

= 119892119903119892119905ℎ119892minus119905119892minus119903

= 119892119905119892119903ℎ119892minus119903119892minus119905

= 119892119905119910119892minus119905

1198981015840|| 1205901015840= 1198882oplus 1198671(1198921199031198881119892minus119903)

= (119898 || 120590) oplus 1198671(119892119905119910119892minus119905) oplus 119867

1(119892119905119910119892minus119905)

= 119898 || 120590

1205911015840= 1198672(1198981015840 1198881) = 119867

2(119898 1198881) = 120591

120590 = 1205911198881119892119904119892minus119905

(13)

we have that

120590101584011988811205901015840minus1

= 120590 (119892119905ℎ119892minus119905) 120590minus1

= (1205911198881119892119904119892minus119905) (119892119905ℎ119892minus119905) (1205911198881119892119904119892minus119905)minus1

= (12059110158401198881) (119892119904ℎ119892minus119904) (12059110158401198881)minus1

= (12059110158401198881) 119909(12059110158401198881)minus1

(14)

Then1198981015840 = 119898 will be output correctly

Security As for a signcryption scheme the security includestwo aspects indistinguishability and unforgeability

Theorem 14 Suppose that 1198671and 119867

2are random oracles

The proposed signcryption is indistinguishable against adap-tive chosen ciphertext attack (IND-CCA2) assuming that theCDDH119866

119892ℎproblem is intractable

Proof (sketch of the proof) The proof threads are similar towhat is given in [9] At first we can apply the well-knownFujisaki-Okamoto transformation theorem [34] to concludethe IND-CCA2 security of the following encryption schemedenoted by 119881

4

(i) KeyGen(1119896) it is the same as in Section 31(ii) Enc1015840(119910119898) this is the encryption algorithm that takes

as inputs the receiverrsquos public key119910 and amessage119898 isin

119866 and then performs the following steps

(a) pick 119906 isin 119866 at random(b) let (119888

1 1198882) larr Enc(119910 119906) where Enc is the

encryption algorithm in Section 31(c) let 119888

3= 119898 oplus 119867

1(119906) and 119888

4= 1198672(119898 119906)

(d) output (1198881 1198882 1198883 1198884)

(iii) Dec1015840(119892119903 1198881 1198882 1198883 1198884) this is the decryption algorithm

that takes as inputs the receiverrsquos private key 119892119903 isin 119866

and the ciphertext quadruple (1198881 1198882 1198883 1198884) and then

performs the following steps

(a) let 1199061015840

larr Dec(119892119903 1198881 1198882) where Dec is the

decryption algorithm in Section 31(b) let1198981015840 larr 119888

3oplus 1198671(1199061015840)

(c) output1198981015840 if 1198884= 1198672(1198981015840 1199061015840) and perp otherwise

Apparently 1198814is an FO-like variant of 119881

1and its security is

enhanced to IND-CCA2 assuming that both 1198671and 119867

2are

random oracles [34]Now let us show that with the same random oracles if

there exists a probabilistic polynomial time adversaryA thatcan break the IND-CCA2 security of the proposed signcryp-tion scheme 119881

3 then there also exists another probabilistic

polynomial time adversaryB that can break the IND-CCA2security of 119881

4

In fact since B controls the response of the randomoracles 119867

1and 119867

2 it can break the IND-CCA2 security of

1198814easily whenever seeing a ciphertext (119888

1 1198882 1198883 1198884) it can

retrieve the message 119898 and random salt 119906 by looking up theresponse list of119867

2under the reasonable assumption that the

probability for different pair (1198981015840 1199061015840) with same hash value

Journal of Applied Mathematics 7

with the pair (119898 119906) is negligible The thing left is to showhow B without knowing the receiverrsquos private key 119892

119903isin 119866

can simulate the response on decryption queries for A by aperfect manner

WheneverA invokes an unsigncryption query by submit-ting a signcryption pair (119888

1 1198882)B responds as follows

(1) Lookup (lowast 1198881 lowast) in 119867

2-list where lowast indicates a

wildcard that can be matched with arbitrary inputsIf there is no matched triple B sends perp to A as theresponse

(2) For each matched triple (119898119894 1198881 120591119894) B performs the

following steps

(a) for each (119906 120574) in1198671list do the following steps

(i) extract a possible 120590119894according to the fol-

lowing formula

1198882= (119898119894|| 120590119894) oplus 120574 (15)

(ii) test whether the equality

1205901198941198881120590minus1

119894

= (1205911198941198881) 119909(1205911198941198881)minus1 (16)

holds If so reply A with 119898119894and end the

response otherwise continue

(3) If up to nowB has no output response toA yet thenB sends perp to A as the response and then end theresponse

Finally without accessing hash queries on randomoracles1198671and119867

2Arsquos probability for submitting a valid signcryption

pair (1198881 1198882) is negligible Thus whenever A invokes hash

queries on 1198671and 119867

2for forming a valid signcryption pair

related materials are recorded andB can retrieve them andfinally sendA a perfect response

Theorem 15 Suppose that 1198671and 119867

2are random oracles

The proposed signcryption scheme is existential unforgeableagainst external adaptive chosen message attacks (EUF-ext-CMA) assuming that the SCSP119866

119892ℎproblem is intractable

Proof Here the term ldquoexternalrdquo means that the forger isneither the singer nor the intended receiver Let us showthat whenever an external attacker A outputs a successfulforgery then this must mean a contrary against the UF-NMAsecurity of the signature scheme 119881

2given in Section 32 At

first without invoking any queryArsquos successful forgery itselfmeans an attack against the UF-NMA security Next supposethat A invokes many polynomial signcryption queries orunsigncryption queries Let us show that the responsesfor these queries have no help to A for making a forgedsigncryption

Suppose A invokes a signcryption query on some mes-sage119898 and receives a pair (119888

1 1198882) as the response After then

A invokes a random oracle query on 1198672with inputs 119898 and

1198881and then heshe obtains 120591 Now A still has no means to

obtain a valid signature from (119898 1198881 1198882 120591) since both 119892

119904119892minus119905

and 120574 remain unknown Suppose A can get 120574 via invokinga random oracle query on 119867

1with input 119892119905119910119892minus119905 Then its

query input gives a solution to the SCSP instance (1198881

=

119892119905ℎ119892minus119905 119910 = 119892

119903ℎ119892minus119903) This is a contrary to the assumption of

the intractability of the SCSP problemNow suppose A invokes an unsigncryption query on

some signcryption pair (1198881 1198882) Similar to the response of B

given in the proof of Theorem 14 A gets either a symbolperp or a message 119898

119894 In the former case Arsquos query is invalid

and rejected In the latter case Arsquos query is valid and thereexists a matched entry 120574 in 119867

1list This in turn implies that

there exists a matched entry 119892119905119910119892minus119905 in 1198671list However this

is impossible since it again means a solution to the SCSPinstance (119888

1= 119892119905ℎ119892minus119905 119910 = 119892

119903ℎ119892minus119903)

This concludes the theorem

Remark 16 To proof the unforgeability of a signature schemeit is reasonable to exclude the signer from forgeries But justas what was done in [9] the so-called external attacker modelenables us to further exclude the intended receiver from theforgeries Unlike the primitive authenticated encryption theauthenticity embedded in the primitive of signcryption isunidirectional to some extent That is it seems that thereis no reason for an intended receiver to forge a signatureon behalf of some signer and then encrypt the signaturefor himselfherself except for planting false evidence againstsome senders Otherwise an existentially unforgeable signa-ture scheme such as the noncommutative signature schemein [36] should be embedded therein

4 Sample Implementations andPerformance Evaluation

In [30] the authors suggested to consider the intractabilityassumption of the FP119866

119892ℎproblem over three kinds of plat-

forms(1) GL

119899(F119902) that is the general linear group over finite

field(2) UT

119899(F119902) that is the nonabelian subgroup of GL

119899(F119902)

consisting of unitriangular matrices(3) braids set 119861

119899(119897) that is the set of braids in the braid

group 119861119899with 119897 canonical factors

At first a braid 119861119899(119897) can be represented by a bit string

of size lceilln log 119899rceil [23] and the complexities of the braidoperations such as multiplication inversion and canonicalform computation are bounded by O(1198972119899 log 119899) in the senseof bit operations [9] Thus if we follow Maffrersquos suggestionsby setting 119899 = 50 and 119897 = 10 [37] then the number ofbit operations for implementing these braid operations isproportional to 215 and the sizes of the systemparameters theprivate key the public key and the ciphertexts are 5650 bits80 bits 2822 bits and 8466 bits respectively More detailedevaluation on the performance of braid-based cryptosystemscan be found either in [36] or in [9]

Next let us pay attention to GL119899(F119902) and UT

119899(F119902) In

particular wemainly focus on two aspects the time complex-ity of exponentiation and the related parameter sizes Since

8 Journal of Applied Mathematics

the classical techniques for matrix multiplicationinversionin GL

119899(F119902) (resp UT

119899(F119902)) take about 1198993 (resp 119899(119899 + 1)(119899 +

2)6) F119902-operations while each F

119902-operation needs O(log2119902)

bit operations [38] thus by employing the idea of ldquosquare-multiplyrdquo the time complexity of calculating an exponen-tiation 119892

119904 with 119904isin1198770 1119896 in both GL

119899(F119902) and UT

119899(F119902) is

O(1198993119896 log2119902) in sense of bit operations To represent a matrixinGL

119899(F119902) (respUT

119899(F119902)) we need 1198992 (resp 119899(119899minus1)2) F

119902-

elements while each F119902-element occupies exactly log 119902 bits

In practice 119899 need not to be too large Typically we set 119899 = 4

and then collect our analysis in Table 1 From this table wecan see that the computationalstorage cost of cryptosystemsoverUT

119899(F119902) is about merely 13 times of those overGL

119899(F119902)

when 119899 = 4 (Note that since both the encryption scheme1198811and the signature scheme 119881

2are embedded into the

signcryption scheme 1198813 we merely present performance

analysis on 1198813)

5 Conclusion

The booming of quantum algorithm casts distrust on manypublic key cryptosystems based on integer factorizationproblem discrete logarithm and other assumed intractableproblems over certain abelian groups Some breakthrough indeveloping newpublic key cryptography based onnonabelianalgebraic structures has been made during the past decadeIn particular Baba et al made the first step toward constructcryptographic schemes based on nonabelian factorizationproblems In this paper we at first present several conjugacysystems based on the factorization problem over nonabeliangroups and then present new construction of encryptionsignature and signcryption based on the newly introducedcryptographic intractable assumptions Some possible imple-mentation platforms and the related performance analysis arealso given Two possible future perspectives are to investigatemore efficient platforms for implementing our proposal andto investigate possible reductions from the hardness of therelated conjugated problems to the hardness of the underlyingproblems

Appendix

Existential Forgery on the NoncommutativeSignature Scheme in [35]

In 2012 Kahrobaei and Koupparis [35] introduced a non-commutative digital signature scheme denoted by KK12 forshort In KK12 a highly smooth composite number 119899 wasintroduced and the authors claimed it is necessary to usethe exponent 119899 for resisting existential forgery The KK12signature scheme can be summarized as follows

(i) KeyGen the private key is a pair (119904 119899) with 119904isin119877119866

and 119899 = prod119897

119896=1119901119890119896

119896(where 119901

119896are prime and 119890

119896isin

N) while the public key is set to 119909 = 119892119899119904 (For

arbitrary 119904 isin 119866 and 119899 isin N 119892119904 and 119892119899 represent

119904minus1119892119904 isin 119866 and 119892 sdot sdot sdot 119892⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟

119899 timesisin 119866 resp In addition

although neither 119899119904 nor 119904119899 is well-defined we havethat 119892

119899119904= 119904minus1119892119899119904 = (119892

119904)119899= 119892119904119899 holds without any

ambiguity)(ii) Sign to sign a given message 119898 the signer with

private key (119904 119899) performs the following steps

(a) pick 119905 isin 119866 at random and a random factoriza-tion of 119899 = 119899

119894119899119895

(b) compute

119910 = 119892119899119895119905 ℎ = 119867 (119898 119910) 120572 = 119905

minus1119904ℎ119910 (A1)

(c) output the signature 120590 = (119910 120572 119899119895)

(iii) Verify 119910119899119895120572 = 119909ℎ119910 where ℎ = 119867(119898 119910)

Unfortunately we find that this is not true and the newlyintroduced exponent 119899 did not bring to bear upon existentialforgery In fact the authors [35] had already realized thisproblem and suggested to let the signer keep a public list thatcontains all 119899

119895s that is random factors of 119899 heshe has used

thus far But we think this solution is impractical this wouldmake the signature verification process very inefficient sinceone has to check the freshness of 119899

119895This needs to go through

all existing 119899119895s from the list

Now let us proceed to describe our cryptanalysis onKK12 Upon obtaining a valid signature triple 120590 = (119910 120572 119899

119895)

on message 119898 by reusing the exponent 119899119895 our existential

forgery 1205901015840= (1199101015840 1205721015840 119899119895) on arbitrary message 1198981015840 is formed

as follows

1199101015840= 1199101199051015840

ℎ1015840= 119867(119898

1015840 1199101015840) 120572

1015840= 1199051015840minus1

120572119910minus1ℎminus1ℎ10158401199101015840

(A2)

where 1199051015840 isin 119866 is picked at random and ℎ = 119867(119898 119910) The leftthing is to show that this forgery can pass the verification Infact we have

1205721015840= 1199051015840minus1

120572119910minus1ℎminus1ℎ10158401199101015840

= 1199051015840minus1

(119905minus1119904ℎ119910) 119910

minus1ℎminus1ℎ10158401199101015840

= (1199051199051015840)minus1

119904ℎ10158401199101015840

1199101015840= 1199101199051015840

= 1199051015840minus1

(119905minus1119892119899119894119905) 1199051015840

= 1198921198991198941199051199051015840

(A3)

Thus

11991010158401198991198951205721015840

= (1198921198991198941199051199051015840

)

1198991198951205721015840

= 1198921198991199051199051015840(1199051199051015840)minus1

119904ℎ10158401199101015840

= (119892119899119904)ℎ10158401199101015840

= 119909ℎ10158401199101015840

(A4)

That is the above existential forgery attack is successful

Journal of Applied Mathematics 9

Table 1 Performance of signcryption scheme 1198813(119899 = 4)

Platforms Operationslowast and complexitiesdagger Parameters and sizesDagger

KeyGen SignCrypt UnSignCrypt pksect sk Ciphertext119866 1119890 + 2119898 + 1119894 1119890 + 7119898 + 1119894 7119898 + 3119894 log |119866| log |119866| 2 log |119866|GL119899(F119902) sim64119896log2119902 sim640log2119902 sim16log 119902 sim16log 119902 sim32log 119902

UT119899(F119902) sim20119896log2119902 sim200log2119902 sim6log119902 sim6log 119902 sim12log 119902

11986150(10) sim215 5730 2822 8466

lowast119890119898119894 exponentiationmultiplicationinversion in the nonabelian group 119866daggerIn the sense of bit operationsDaggerIn the sense of bit lengthsectIncluding system parameters shared by all users

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work is partially supported by the National NaturalScience Foundation of China (NSFC) (no 61121061 61370194)and the Fundamental Research Funds for the Central Univer-sities (no BUPT2012RC0219) Finally the authors would liketo thank the anonymous referees for their very careful andinstructive comments

References

[1] R C Merkle ldquoSecure communications over insecure channelsrdquoCommunications of the ACM vol 21 no 4 pp 294ndash299 1978

[2] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[3] R L Rivest A Shamir and L Adleman ldquoA method forobtaining digital signatures and public-key cryptosystemsrdquoCommunications of the Association for Computing Machineryvol 21 no 2 pp 120ndash126 1978

[4] T ElGamal ldquoA public key cryptosystem and a signature schemebased on discrete logarithmsrdquo IEEE Transactions on Informa-tion Theory vol 31 no 4 pp 469ndash472 1985

[5] V SMiller ldquoUse of elliptic curves in cryptographyrdquo inAdvancesin Cryptology (CRYPTO rsquo85) vol 218 of Lecture Notes inComputer Science pp 417ndash426 Springer Berlin Germany 1986

[6] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 pp 203ndash209 1987

[7] A Dent and Y Zheng Practical Signcryption InformationSecurity and Cryptography Springer Berlin Germany 2010httpwwwsigncryptionorg

[8] Y Zheng ldquoDigital signcryption or how toachieve Cost(Signature amp Encryption) ≪

Cost(Signature) +Cost(Encryption)rdquo in Advances inCryptologymdashCrypto rsquo97 vol 1294 of Lecture Notes in ComputerScience pp 165ndash179 Springer Berlin Germany 1997

[9] L Gu Y Pan M Dong and K Ota ldquoNoncommutativelightweight signcryption for wireless sensor networksrdquo Interna-tional Journal of Distributed Sensor Networks vol 2013 ArticleID 818917 10 pages 2013

[10] R Steinfeld and Y Zheng ldquoA signcryption scheme based oninteger factorizationrdquo in Information Security WorkshopmdashISWrsquo00 vol 1975 of Lecture Notes in Computer Science pp 308ndash322Springer Berlin Germany 2000

[11] J Malone-Lee and W Mao ldquoTwo birds one stone signcryptionusing RSArdquo in Cryptographersrsquo Track at the RSA ConferencemdashCT-RSA rsquo03 vol 2612 of Lecture Notes in Computer Science pp211ndash225 Springer Berlin Germany 2003

[12] Y Zheng and H Imai ldquoHow to construct efficient signcryptionschemes on elliptic curvesrdquo Information Processing Letters vol68 no 5 pp 227ndash233 1998

[13] M Toorani and A A B Shirazi ldquoA directly public verifiablesigncryption scheme based on elliptic curvesrdquo in Proceedings ofthe IEEE Symposium on Computers and Communications (ISCCrsquo09) pp 713ndash716 Sousse Tunisia July 2009

[14] L Zhang andTMo ldquoA signcryption scheme forWEP inWLANbased on bilinear pairingsrdquo in Proceedings of the InternationalConference on Computer Application and System Modeling(ICCASM rsquo10) vol 8 pp 126ndash130 IEEE Computer SocietyTaiyuan China October 2010

[15] J Zhang Y Yang and X Niu ldquoA novel identity-based multi-signcryption schemerdquo International Journal of Distributed Sen-sor Networks vol 1 no 5 pp 28ndash28 2009

[16] P W Shor ldquoAlgorithms for quantum computation discretelogarithms and factoringrdquo in Proceedings of the 35th AnnualSymposium on Foundations of Computer Science (FOCS rsquo94)pp 124ndash134 IEEE Computer Society Santa Fe NM USANovember 1994

[17] PW Shor ldquoPolynomial-time algorithms for prime factorizationand discrete logarithms on a quantum computerrdquo SIAM Journalon Computing vol 26 no 5 pp 1484ndash1509 1997

[18] J Proos and C Zalka ldquoShorrsquos discrete logarithm quantumalgorithm for elliptic curvesrdquo Quantum Information amp Compu-tation vol 3 no 4 pp 317ndash344 2003

[19] F Li F Muhaya M Khan and T Takagi ldquoLattice-basedsigncryptionrdquo Concurrency and Computation Practice andExperience vol 25 no 14 pp 2112ndash2122 2013

[20] F Wang Y Hu and C Wang ldquoPost-quantum secure hybridsigncryption from lattice assumptionrdquo Applied Mathematics ampInformation Sciences vol 6 no 1 pp 23ndash28 2012

[21] A Myasnikov V Shpilrain and A Ushakov Non-CommutativeCryptography and Complexity of Group-Theoretic Problemsvol 177 of Mathematical Surveys and Monographs AmericanMathematical Society Providence RI USA 2011

[22] I Anshel M Anshel andD Goldfeld ldquoAn algebraic method forpublic-key cryptographyrdquoMathematical Research Letters vol 6no 3-4 pp 287ndash291 1999

10 Journal of Applied Mathematics

[23] K H Ko S J Lee J H Cheon J W Han J-s Kang andC Park ldquoNew public-key cryptosystem using braid groupsrdquoin Advances in Cryptology (CRYPTO rsquo00) M Bellare Ed vol1880 of LectureNotes in Computer Science pp 166ndash183 SpringerBerlin Germany 2000

[24] S H Paeng K C Ha J H Kim S Chee and C Park ldquoNewpublic key cryptosystem using finite nonabelian groupsrdquo inAdvances in Cryptology (CRYPTO rsquo01) vol 2139 of Lecture Notesin Computer Science pp 470ndash485 Springer Berlin Germany2001

[25] A Mahalanobis ldquoA simple generalization of the ElGamal cryp-tosystem to non-abelian groupsrdquo Communications in Algebravol 36 no 10 pp 3878ndash3889 2008

[26] V Shpilrain and A Ushakov ldquoThompsonrsquos group and public keycryptographyrdquo in Applied Cryptography and Network Security(ACNS rsquo05) vol 3531 of Lecture Notes in Computer Science pp151ndash163 Springer Berlin Germany 2005

[27] G Baumslag B Fine and X Xu ldquoA proposed public keycryptosystem using the modular grouprdquo in CombinatorialGroup Theory Discrete Groups and Number Theory vol 421 ofContemporary Mathematics pp 35ndash44 American Mathemati-cal Society Providence RI USA 2006

[28] G Baumslag B Fine and X Xu ldquoCryptosystems using lineargroupsrdquoApplicable Algebra in Engineering Communication andComputing vol 17 no 3-4 pp 205ndash217 2006

[29] S S Magliveras D R Stinson and T van Trung ldquoNewapproaches to designing public key cryptosystems using one-way functions and trapdoors in finite groupsrdquo Journal ofCryptology vol 15 no 4 pp 285ndash297 2002

[30] S Baba S Kotyada and R Teja ldquoA non-abelian factorizationproblem and an associated cryptosystemrdquo Cryptology EPrintArchive Report 2011048 2011

[31] L Gu L Wang K Ota M Dong Z Cao and Y Yang ldquoNewpublic key cryptosystems based on non-abelian factorizationproblemsrdquo Security and Communication Networks vol 6 no 7pp 912ndash922 2013

[32] L Wang L Wang Z Cao E Okamoto and J Shao ldquoNewconstructions of public-key encryption schemes from conju-gacy search problemsrdquo in Information Security and Cryptology(Inscrypt rsquo10) vol 6584 of Lecture Notes in Computer Science pp1ndash17 Springer Berlin Germany 2011

[33] U Maurer ldquoAbstract models of computation in cryptographyrdquoin Cryptography and Coding N P Smart Ed vol 3796 of Lec-ture Notes in Computer Science pp 1ndash12 Springer HeidelbergGermany 2005

[34] E Fujisaki and T Okamoto ldquoHow to enhance the securityof public key encryption at minimum costrdquo in Public KeyCryptography (PKC rsquo99) vol 1560 of Lecture Notes in ComputerScience pp 53ndash68 Springer Berlin Germany 1999

[35] D Kahrobaei and C Koupparis ldquoNon-commutative digitalsignaturesrdquoGroups Complexity Cryptology vol 4 no 2 pp 377ndash384 2012

[36] L Wang L Wang Z Cao Y Yang and X Niu ldquoConjugateadjoining problem in braid groups and new design of braid-based signaturesrdquo Science ChinamdashInformation Sciences vol 53no 3 pp 524ndash536 2010

[37] S Maffre ldquoA weak key test for braid based cryptographyrdquoDesigns Codes and Cryptography vol 39 no 3 pp 347ndash3732006

[38] A J Menezes and Y-H Wu ldquoThe discrete logarithm problemin GL (119899 119902)rdquo Ars Combinatoria vol 47 pp 23ndash32 1997

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Discrete MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of