
A CCA2 SECURE CRYPTOSYSTEM USING MATRICES OVER

GROUP RINGS

SEVERIN NGNOSSE

Abstract. In 1998, in their celebrated paper [1], R. Cramer and V. Shoup proposed a new public key cryptosystem. Their scheme has been shown to be provably secure against adaptive chosen ciphertext attack under standard intractability assumptions, namely the hardness of the Diffie-Hellman decision problem in the underlying group and a hash function H drawn from a family of universal one-way functions whose output can be interpreted as a number in $\mathbb{Z}_q$ (for a large prime q). The Cramer-Shoup cryptosystem is a generalization of ElGamal's protocol. The majority of current cryptographic protocols rely on commutative groups, usually the integers mod n. There are many existing methods (or proposed new ones) that can be used to attack commutative schemes. Recently Kahrobaei, Koupparis and Shpilrain [3] proposed a new cryptosystem based on a semigroup of matrices over group rings and claimed that it is secure against adaptive chosen ciphertext attack. Our work consists of presenting the different progress made in this area as well as giving a succinct account of the aforementioned work.

1. Introduction

Using non-commutative groups as a platform for cryptographic encryption can be traced back as early as 1984 to the work of N. Wagner and M. Magyarik [4]. Even if these platforms are not currently the most popular, they have attracted increased interest due to the limitations and weaknesses that abelian groups present. In fact, the majority of platforms currently used for cryptographic encryption are the set of integers modulo p, $\mathbb{Z}_p$, with p a large number; p is generally of the order of $10^{300}$ at least. This in itself is a problem for at least the following reasons: (1) computation in such a big set is not efficient, and neither is reducing modulo p; (2) using such a set as a platform is not suitable for devices with limited computational resources.

To overcome these problems, the platform proposed here is a semigroup of matrices (of small size) over a group ring, with the usual matrix multiplication as the operation. More specifically, the focus is on matrices over the group ring $\mathbb{Z}_n[S_m]$, where $\mathbb{Z}_n$ is the ring of integers modulo n and $S_m$ is the symmetric group of degree m. Thus we are looking at semigroups of the type $M_{k\times k}(\mathbb{Z}_n[S_m])$.

Special attention will be paid to the semigroups $M_{2\times 2}(\mathbb{Z}_7[S_5])$ and $M_{3\times 3}(\mathbb{Z}_7[S_5])$, for the following reasons:

• they provide a large key space ($7^{480} \sim 10^{406}$ for 2 × 2 matrices and $7^{1080} \sim 10^{913}$ for 3 × 3 matrices),
• storing an element of $M_{2\times 2}(\mathbb{Z}_7[S_5])$ takes about 1440 bits, while storing an element of $M_{3\times 3}(\mathbb{Z}_7[S_5])$ takes about 3240 bits,
• multiplication in our platform simply reduces to a lookup table,
• the standard attacks known for Diffie-Hellman (baby-step giant-step, Pohlig-Hellman, Pollard's rho) do not work with these platforms.

Date: September 5th, 2014.

2. Group Rings

Definition 1. Let G be a multiplicative group and let R be a commutative ring with nonzero unity. The set R[G] of all formal sums

$$\sum_{g_i \in G} r_i g_i$$

(where $r_i \in R$ are almost all equal to zero) is called a group ring.

We define the sum of two elements in R[G] by

$$\sum_{g_i \in G} a_i g_i + \sum_{g_i \in G} b_i g_i = \sum_{g_i \in G} (a_i + b_i) g_i.$$

Note that $a_i$ and $b_i$ are almost all equal to zero, hence the above sum is in R[G]. Thus (R[G], +) is an abelian group.

Multiplication of two elements of R[G] is defined as follows:

$$\Big(\sum_{g_i \in G} a_i g_i\Big)\Big(\sum_{g_i \in G} b_i g_i\Big) = \sum_{g_i \in G} \Big(\sum_{g_j g_k = g_i} a_j b_k\Big) g_i.$$

3. Diffie-Hellman using matrices over group ring

Just as in the group of integers mod p, we can describe a Diffie-Hellman key exchange protocol using matrices over a group ring as follows:

• Alice and Bob want to share a secret key. They both agree on a platform (here it will be a set of matrices over a group ring).
• Alice chooses a public matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a private large positive integer a.
• Alice computes $M^a$ and publishes $(M, M^a)$.
• Bob chooses another large integer b, and computes and publishes $M^b$.
• Both Alice and Bob can now compute the same shared secret key $K = (M^a)^b = (M^b)^a$.

It is important to remember that the security of the Diffie-Hellman key exchange relies on the assumption that it is computationally hard to recover $M^{ab}$ from the public information $(M, M^a, M^b)$. From this assumption we will derive two notions: Computational Diffie-Hellman and Decision Diffie-Hellman.


4. Computational Diffie-Hellman and Decision Diffie-Hellman

Definition 2 (Boneh). A CDH algorithm F for a group G is a probabilistic polynomial time algorithm satisfying, for some fixed α > 0 and sufficiently large n ∈ ℕ,

$$P[F(g, g^a, g^b) = g^{ab}] > \frac{1}{n^{\alpha}}.$$

The probability is over a uniformly random choice of a and b.

We say that a group G satisfies the CDH assumption if no such efficient algorithm F exists for G.

Just as in the classic platform, the following observations hold:

• CDH by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes.
• For example, even if CDH is true, one may be able to predict 80% of the bits of $g^{ab}$ with reasonable confidence.
• One must be able to bound the information one can extract about the secret key from $g$, $g^a$ and $g^b$. This is formally expressed by the much stronger Decision Diffie-Hellman (DDH) assumption.

Definition 3 (Boneh). A DDH algorithm F for a group G is a probabilistic polynomial time algorithm satisfying, for some fixed α > 0 and sufficiently large n,

$$\Big| P[F(g, g^a, g^b, g^{ab}) = \text{“True”}] - P[F(g, g^a, g^b, g^c) = \text{“True”}] \Big| > \frac{1}{n^{\alpha}}.$$

The probability is over a uniformly random choice of a, b and c.

We say the group G satisfies the DDH assumption if there is no DDH algorithm for G. Essentially, the DDH assumption says that there is no efficient algorithm which can distinguish between the two probability distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$, where a, b, c are chosen at random.

5. Experimental Results

Some experimental results have been obtained using sets of matrices over group rings as the platform. Specifically, these results

• show the time it takes to compute powers of a given random matrix in $M_{2\times 2}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_2[S_5])$, $M_{3\times 3}(\mathbb{Z}_3[S_5])$;
• show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and random integers a, b, c in ℕ, it is not possible to distinguish between the distributions generated by $(M^a, M^b, M^{ab})$ and $(M^a, M^b, M^c)$;
• show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a random integer a, it is not possible to extract information about a from M and $M^a$. In other words, the distributions generated by $M^a$ and by a random matrix N are indistinguishable.

These experimental facts make us comfortable in establishing the upcoming theoretical results. It is worth noticing that the CDH assumption can only be answered theoretically, while the DDH assumption can be investigated experimentally.


• In order to test the DDH assumption two distributions are considered: one generated by $M^{ab}$ and the other generated by $M^c$; a and b are chosen randomly from the interval $[10^{25}, 10^{26}]$, while c is randomly chosen from $[10^{50}, 10^{52}]$.
• To get a clear picture of how elements are distributed in the matrices, a table shows how the elements of $S_5$ have been distributed for each entry of the matrix.
• We produced Q-Q plots of entries of $M^{ab}$ versus entries of $M^c$. (Q-Q plots, or quantile-quantile plots, are a graphical method for comparing two probability distributions by plotting their quantiles against each other.)
• If these distributions are indistinguishable, then the final Q-Q plots should be straight lines.

Group Ring        Exponent   Time (s)
M_2(Z_2[S_5])     10^10      0.17
M_2(Z_2[S_5])     10^100     1.90
M_2(Z_2[S_5])     10^1000    16.83
M_2(Z_3[S_5])     10^10      0.15
M_2(Z_3[S_5])     10^100     1.63
M_2(Z_3[S_5])     10^1000    16.60
M_3(Z_2[S_5])     10^10      0.53
M_3(Z_2[S_5])     10^100     5.34
M_3(Z_3[S_5])     10^10      0.55
M_3(Z_3[S_5])     10^100     5.49

Figure 1. DDH results


Figure 2. Randomness of Ma

6. Cramer Shoup cryptosystem

In 1998, Ronald Cramer and Victor Shoup proposed in a seminal paper [1] an encryption scheme that was not only provably secure against adaptive chosen ciphertext attack, but was also practical. The proof of security relies on the hardness of the Decision Diffie-Hellman problem in the underlying group.

The Cramer-Shoup encryption system is a generalization of the ElGamal scheme. We will first review these two cryptosystems and present established results under some commutative platforms; then in the next section we will show how the Cramer-Shoup encryption scheme can be adapted to matrices over a group ring.

6.1. Background and Results.

6.1.1. The ElGamal cryptosystem. Consider a group G of order p, where p is a large prime number. Let g ∈ G be a generator of our group.

• Alice chooses a random integer $x \in \mathbb{Z}_p$ and publishes $PK = \langle g, h = g^x \rangle$.
• If Bob wants to send a message m ∈ G to Alice, he must randomly choose an integer $y \in \mathbb{Z}_p$ and send to Alice the tuple $(h = g^y;\ (g^x)^y m)$.
• Upon receipt of this tuple, and assuming an honest execution of the protocol, the decrypted message is obtained simply through the product $h^{-x} (g^x)^y m$.

It has been established that the ElGamal encryption scheme is semantically secure under the DDH assumption, but it is not secure against adaptive chosen ciphertext attack. In fact, given an encryption $(h = g^y;\ (g^x)^y m)$ of a message m, one can feed the decryption oracle with the tuple $(h = g^y;\ g\,h^x m)$, which returns $g\,m$.


6.1.2. The Cramer-Shoup cryptosystem. The basic scheme of this encryption works as follows.

Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_q$.

Public Key: $g_1, g_2 \in G$ (but not 1),

$$c = g_1^{x_1} g_2^{x_2}, \qquad d = g_1^{y_1} g_2^{y_2}, \qquad h = g_1^{z},$$

and H, a hash function chosen from a one-way universal family.

Encryption of m ∈ G: $(u_1, u_2, e, v)$, where

$$u_1 = g_1^{r}, \qquad u_2 = g_2^{r}, \qquad e = h^{r} m, \qquad v = c^{r} d^{r\alpha},$$

$r \in \mathbb{Z}_q$ is random and $\alpha = H(u_1, u_2, e)$.

Decryption of $(u_1, u_2, e, v)$: if

$$v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}, \qquad \text{where } \alpha = H(u_1, u_2, e),$$

then $m = e / u_1^{z}$, else “reject”.

It is well established that on the platform G, a group of prime order p, the Cramer-Shoup cryptosystem is secure against adaptive chosen ciphertext attack assuming that

(1) the hash function H is chosen from a universal one-way family, and
(2) the Diffie-Hellman decision problem is hard in the group G.
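As an added example (my code, not the paper's or the implementation of [1]), here are the ElGamal scheme of 6.1.1 and the Cramer-Shoup scheme above over a constructed toy group: p = 1019 = 2q + 1 with q = 509, G the order-q subgroup of $\mathbb{Z}_p^*$, and SHA-256 reduced mod q standing in for the universal one-way hash H. It shows that the ciphertext manipulation ElGamal decrypts without complaint (giving $g\,m$) fails the validity check $v = u_1^{x_1+\alpha y_1} u_2^{x_2+\alpha y_2}$ and is rejected.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime, G = the order-q subgroup of Z_p^*
# (the quadratic residues), so messages must be quadratic residues mod p. A real
# deployment uses a group of cryptographic size; this one only exercises the logic.
P, Q = 1019, 509
G1, G2 = 4, 9                 # 2^2 and 3^2: both of order q, neither equal to 1

def H(u1, u2, e):
    """Stand-in for the universal one-way hash H: SHA-256 of the triple, read in Z_q."""
    digest = hashlib.sha256(f"{u1}|{u2}|{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

# --- ElGamal (6.1.1), in the paper's notation: public h = g^x, ciphertext (g^y, h^y m) ---
def elgamal_keygen(rand=secrets.randbelow):
    x = rand(Q)
    return x, pow(G1, x, P)

def elgamal_encrypt(h, m, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return pow(G1, r, P), pow(h, r, P) * m % P

def elgamal_decrypt(x, ct):
    u, e = ct
    return e * pow(pow(u, x, P), -1, P) % P      # no integrity check: e*g decrypts to g*m

# --- Cramer-Shoup (6.1.2) ---
def keygen(rand=secrets.randbelow):
    """Secret key (x1, x2, y1, y2, z) in Z_q; public key (c, d, h)."""
    x1, x2, y1, y2, z = (rand(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z, P)
    return (x1, x2, y1, y2, z), (c, d, h)

def encrypt(pk, m, r=None):
    """(u1, u2, e, v) with u1 = g1^r, u2 = g2^r, e = h^r m, v = c^r d^(r*alpha)."""
    c, d, h = pk
    r = secrets.randbelow(Q) if r is None else r
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    alpha = H(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha, P) % P
    return u1, u2, e, v

def decrypt(sk, ct):
    """Returns m, or None ("reject") unless v == u1^(x1+alpha*y1) * u2^(x2+alpha*y2)."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = H(u1, u2, e)
    expected = pow(u1, x1 + alpha * y1, P) * pow(u2, x2 + alpha * y2, P) % P
    if v != expected:
        return None
    return e * pow(pow(u1, z, P), -1, P) % P      # m = e / u1^z

def maul_elgamal_style(ct):
    """The manipulation from 6.1.1 applied to a Cramer-Shoup ciphertext: e becomes g1*e."""
    u1, u2, e, v = ct
    return u1, u2, e * G1 % P, v

if __name__ == "__main__":
    sk, pk = keygen()
    ct = encrypt(pk, 49)
    print("Cramer-Shoup decrypt:", decrypt(sk, ct))
    print("mauled ciphertext:", decrypt(sk, maul_elgamal_style(ct)))   # None: rejected
```

With q this small the altered e collides with the original under H mod q with probability about 1/q, in which case the check passes exactly as Theorem 2 later bounds; at cryptographic sizes that probability is negligible.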

6.2. Provable security against adaptive chosen ciphertext attack. A formal definition of security against active attacks evolved in a sequence of papers by Naor and Yung, Rackoff and Simon, and Dolev, Dwork and Naor. The notion is called chosen ciphertext security or, equivalently, non-malleability.

The intuitive idea behind this definition is that even if an adversary can get arbitrary ciphertexts of his choice decrypted, he still gets no partial information about other encrypted messages.

This form of security is often described through a game, which is played between an adversary and the oracle.

• First, we run the encryption scheme's key generation algorithm with the necessary input parameters.
• In particular, one can input a binary string in $\{0,1\}^n$, which describes the group G on which the algorithm is based.


• The adversary is then allowed to make arbitrary queries to the decryption oracle, decrypting ciphertexts of his choice, except the target one.
• The adversary then chooses two messages, $m_0$ and $m_1$, and submits them to the encryption oracle. The oracle chooses a random bit b ∈ {0, 1}, encrypts $m_b$ and submits the encrypted message to the adversary.
• Upon receipt of the ciphertext, the adversary is allowed to continue querying the decryption oracle.
• At the end of the game, the adversary must output $b' \in \{0,1\}$, which is the adversary's best guess as to the value of b.

We know that by a simple guess the adversary can always find the correct message with probability 1/2. Here we define the notion of advantage to be the function ε(n) such that

$$P(b' = b) = 1/2 + \varepsilon(n);$$

ε(n) is the adversary's advantage, and n ∼ |G|.

We say the cryptosystem is CCA-2 secure if the adversary's advantage is negligible. As a reminder, a negligible function is a function that grows slower than any inverse polynomial $n^{-c}$, for any particular constant c and large enough n.

7. A CCA-2 Cryptosystem using matrices over group ring

In a paper by Kahrobaei, Koupparis and Shpilrain [?], the authors proposed a public key exchange using matrices over group rings. They offer a public key exchange protocol in the spirit of Diffie-Hellman, but they use matrices over a group ring of a (rather small) symmetric group as the platform and discuss the security of this scheme by addressing the Decision Diffie-Hellman (DDH) and Computational Diffie-Hellman (CDH) problems for that platform. Under the proposed platform, they show that an encryption scheme similar to the Cramer-Shoup scheme is CCA-2 secure. The protocol is as follows.

Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_n$.

Public Key: $(M_1, M_2, c, d, h, H)$, where $M_1, M_2 \in M_{3\times 3}(\mathbb{Z}_7[S_5])$ are random 3 × 3 matrices such that $M_1$ is invertible and $M_1 M_2 = M_2 M_1$,

$$c = M_1^{x_1} M_2^{x_2}, \qquad d = M_1^{y_1} M_2^{y_2}, \qquad h = M_1^{z},$$

and H is chosen from a family of universal one-way hash functions.

Encryption of a message $N \in M_{3\times 3}(\mathbb{Z}_7[S_5])$: $E(N) = (u_1, u_2, e, v)$, where

$$u_1 = M_1^{r}, \qquad u_2 = M_2^{r}, \qquad e = h^{r} N, \qquad v = c^{r} d^{r\alpha},$$

$r \in \mathbb{Z}_n$ is random, and $\alpha = H(u_1, u_2, e)$.

Decryption of $(u_1, u_2, e, v)$: if

$$v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2},$$

then $N = (u_1^{z})^{-1} e$, otherwise “reject”.


We still have $\alpha = H(u_1, u_2, e)$. Notice that $u_1$ is invertible since $M_1$ is chosen to be invertible.

The main result of this section is the following:

Theorem 1. The Cramer-Shoup cryptosystem using the semigroup $G = M_{3\times 3}(\mathbb{Z}_7[S_5])$ is secure against adaptive chosen ciphertext attack assuming that

(1) the hash function H is chosen from a universal one-way family, and
(2) the Diffie-Hellman decision problem is hard in the group G.

Proof. To prove our theorem, we will construct a DDH algorithm D for our platform. This will be a direct contradiction with our original assumption.

7.1. Broad description of a DDH algorithm. Assume that there is an adversary A that can break the cryptosystem, and that our hash function is still chosen from a universal family of one-way hash functions. Consider an algorithm D, which is a joint distribution of

• the adversary's view of the cryptosystem,
• a random bit generator b ∈ {0, 1} unknown to the adversary A.

Our algorithm D receives as input a tuple $(M_1, M_2, M_3, M_4)$ (where $M_1 \neq 0$ and $M_2 \neq 0$) and will have to determine whether this tuple comes from a DH distribution or is just from a random distribution R.

Using its input $(M_1, M_2, M_3, M_4)$, D constructs a public key for A to use, namely it makes available to A a tuple $PK = (M_1, M_2, c, d, h, H)$ (c, d, h and H to be determined later). It is important to remember that during the attack game played between D and A, and upon A's request, D can construct a challenge ciphertext $C^* = (u_1, u_2, e, v)$ that encrypts a randomly chosen plaintext $m_b \in \{m_0, m_1\}$ initially submitted by A (with the bit b hidden from A). The challenge ciphertext $C^*$ has the following two properties:

(1) If the input for D comes from DH, then $C^*$ is a valid Cramer-Shoup ciphertext which encrypts $m_b$ under the public key PK, and the adversary will have a non-negligible advantage in guessing the hidden bit b generated by the oracle.

(2) If the input for D comes from a random distribution R, then the ciphertext $C^*$ is uniformly distributed in the entire ciphertext space. The adversary's view is independent of b, and therefore the adversary's advantage is negligible: A has no advantage whatsoever. Here we can say that the cipher is secure in an information-theoretic sense (the distributions of plaintexts and ciphertexts are independent).

Let us recall how the attack game is played between the adversary A and the algorithm D.

(1) Once D receives input $(M_1, M_2, M_3, M_4)$, it constructs the public key for the Cramer-Shoup cryptosystem and sends it to A.


(2) A can query any ciphertext at will, and D should be able to provide the corresponding plaintext, assuming that it is a valid ciphertext.

(3) A will choose two plaintexts $m_0$ and $m_1$ and submit them to D for encryption.

(4) D will randomly choose b ∈ {0, 1} and will encrypt $m_b$.

(5) A can continue to query any ciphertext at will, except the target ciphertext, and D should be able to provide the corresponding plaintext, assuming that it is a valid ciphertext.

(6) At the end of the game, D will receive from A an educated guess on the bit b.

This game will provide D with the ability to answer the question about the nature of the input $(M_1, M_2, M_3, M_4)$, i.e. whether it comes from DH or from R.

It is worth noticing that from D's point of view this game is a simulated one, whereas A cannot discern a simulation from a real attack (to be proved).

Let us construct the different elements of our game.

Public and private key construction. Using the partial inputs $M_1$ and $M_2$ (both assumed to be ≠ 1) that it has received, D randomly picks $x_1, x_2, y_1, y_2, z$ in $\mathbb{Z}_n$ and a universal one-way hash function H as mentioned before.

The public key that the adversary A sees is $(M_1, M_2, c, d, h, H)$, where

$$c = M_1^{x_1} M_2^{x_2}, \qquad d = M_1^{y_1} M_2^{y_2}, \qquad h = M_1^{z}.$$

The private key chosen by D is $(x_1, x_2, y_1, y_2, z)$.

Simulation of the encryption procedure. The adversary chooses two messages $m_0, m_1$ and passes them to D.

D tosses an unbiased coin b ∈ {0, 1} and encrypts $m_b$ as $(M_3, M_4, e, v)$, where

$$e = M_3^{z} m_b, \qquad v = M_3^{x_1 + \alpha y_1} M_4^{x_2 + \alpha y_2}, \qquad \alpha = H(M_3, M_4, M_3^{z} m_b).$$

We must at this point ask ourselves whether the encryption described above resembles that of Cramer-Shoup, more precisely whether we have a valid ciphertext as introduced in the Cramer-Shoup description. In fact,


(1) When D's input $(M_1, M_2, M_3, M_4)$ comes from DH, one can say that there exists $r \in \mathbb{Z}_n$ such that $M_3 = M_1^{r}$ and $M_4 = M_2^{r}$. Therefore

$$M_3^{z} = (M_1^{r})^{z} = h^{r},$$

so we can conclude that we have a valid Cramer-Shoup encryption under the given public key. In this particular situation, A will use its advantage at full capacity to break the encryption system.

(2) If instead D's input $(M_1, M_2, M_3, M_4)$ comes from R, we are in a situation where our encryption is almost always invalid; therefore even a computationally unbounded A has absolutely no idea whether the encrypted message under $C^*$ came from $m_0$ or $m_1$. In this case we can say that $C^*$ encrypts $m_b$ in Shannon's information-theoretic sense.

Simulation of the decryption procedure. Upon receipt of a ciphertext $C = (U_1, U_2, E, V)$ from A, D will first verify that the ciphertext itself is valid by comparing the quantities V and $U_1^{x_1 + \alpha y_1} U_2^{x_2 + \alpha y_2}$. In case of equality, the ciphertext is deemed valid. In the case of a valid ciphertext, D will compute $m = E / U_1^{z}$ and return m to A. When the ciphertext is deemed invalid, it will be rejected and D will return “reject” as the decryption result.

It is worth noticing that (to be proved later) a valid ciphertext $C = (U_1, U_2, E, V)$ implies that the input $(M_1, M_2, M_3, M_4)$ that D has received almost always comes from DH, except with negligible probability; that is, a valid ciphertext sent by A will almost always hold when D's input is from DH. Assuming that our assertion holds, there almost always exists r such that

$$U_1 = M_1^{r} \qquad \text{and} \qquad U_2 = M_2^{r}.$$

Therefore $U_1^{z} = (M_1^{r})^{z} = h^{r}$.

• It is time to point out that D's ability to conduct correct decryption for valid ciphertexts comforts A in its position of a CCA2 attacker.

• Let us now show that even in this situation, where any valid query submitted by A obtains the correct plaintext message, the perfect quality of the challenge ciphertext $C^*$ that hides $m_b$ is still not compromised.

In fact, for any valid ciphertext submitted by A, the distribution is such that A finds itself with a hard problem (finding z from $h^{z} m$) that basically consists of solving at least a discrete log problem, which we know is already hard. Thus A does not have any additional information about z besides what it already knows from the public key PK. We can conclude that any valid ciphertext submitted by A provides useless information about z.

We are left to notice that the only way A somehow obtains information about z is to submit ciphertexts $C = (M_3, M_4, E, V)$ that pass the validation integrity test while at the same time the input $(M_1, M_2, M_3, M_4)$ comes from R. If this situation ever occurs, meaning the ciphertext $C = (M_3, M_4, E, V)$ submitted by A passes the validation test and the input $(M_1, M_2, M_3, M_4)$ came from R, the decryption result obtained can provide A with some insight about z or the challenge message $m_b$. Should that be the case, we can no longer confirm that the encryption of


$m_b$ is exactly under Cramer-Shoup or that it is information-theoretically secure.

Fortunately, if A somehow manages to come up with a ciphertext $C = (M_3, M_4, E, V)$ such that $(M_1, M_2, M_3, M_4)$ is in R, it will almost always be rejected. This is because of the same assertion we stated earlier, and that we shall prove later on. This rejection probability is close to 1. Thus, instead of using its cleverness to submit a bad ciphertext and hoping not to get rejected, A is better off just guessing the hidden bit b.

Let us now state and prove our earlier assertion.

Theorem 2. Let $(M_1, M_2, c, d, h, H)$ be a public key for the Cramer-Shoup scheme in our semigroup G of size q. When the input $(M_1, M_2, M_3, M_4)$ is from R, then

$$P\big(C = (M_3, M_4, E, V) \text{ is deemed a valid ciphertext}\big) \le \frac{1}{q}.$$

Basically, the chance of constructing a bad ciphertext and escaping rejection is bounded by the inverse of the size of G.

Proof. To construct a valid ciphertext from the input values, the validation test

$$V = M_3^{x_1 + \alpha y_1} M_4^{x_2 + \alpha y_2}$$

(where $x_1, x_2, y_1, y_2$ and α are the same values as described earlier) must hold true. Let us consider the following values:

$$r_1 = \log_{M_1} M_3, \qquad r_2 = \log_{M_2} M_4, \qquad w = \log_{M_1} M_2.$$

From the public key PK and the validation test, the following information is available:

$$c = M_1^{x_1} M_2^{x_2}, \qquad d = M_1^{y_1} M_2^{y_2}, \qquad V = M_3^{x_1 + \alpha y_1} M_4^{x_2 + \alpha y_2}.$$

If we apply the logarithm (base $M_1$) to each term above, we have the following system of equations:

$$\begin{pmatrix} 1 & 0 & w & 0 \\ 0 & 1 & 0 & w \\ r_1 & r_1\alpha & w r_2 & w r_2 \alpha \end{pmatrix} \begin{pmatrix} x_1 \\ y_1 \\ x_2 \\ y_2 \end{pmatrix} = \begin{pmatrix} \log_{M_1} c \\ \log_{M_1} d \\ \log_{M_1} V \end{pmatrix}.$$

Applying Gaussian elimination, the above system is equivalent to

$$\begin{pmatrix} 1 & 0 & w & 0 \\ 0 & 1 & 0 & w \\ 0 & 0 & w(r_2 - r_1) & w\alpha(r_2 - r_1) \end{pmatrix}.$$


Since D's input comes from R, we have $r_1 \neq r_2$ and $w \neq 0$ by assumption. Therefore our matrix is of rank 3. Thus we have a non-unique set of solutions $(x_1, x_2, y_1, y_2)$.

We have proved that for input values satisfying the theorem's conditions, each element (q of them) in G is a valid candidate for V, i.e. for the given input values, each element V ∈ G makes $(M_3, M_4, E, V)$ a valid ciphertext. However, for the key owner, among these q possibilities there is only one single element V ∈ G satisfying his/her choice of the private key components $(x_1, x_2, y_1, y_2)$.

We have, by this construction, been able to build a DDH algorithm D that distinguishes a DH tuple from a random one.

8. Parameters for the Cramer-Shoup-like scheme using matrices over group rings

Two problems relevant to key generation in the scheme need to be addressed:

(1) how to sample invertible matrices;
(2) how to sample commuting matrices.

Sampling invertible matrices can be done using various techniques. The first method is to construct a matrix which is a product of elementary matrices,

$$M = \prod_{i=1}^{n} E_i,$$

where each $E_i$ is an elementary matrix from $M_{3\times 3}(\mathbb{Z}_7[S_5])$. Elementary matrices are chosen to be one of the three types below. In the matrix $T_i(u)$, the element u should be invertible in $\mathbb{Z}_7[S_5]$.

$$T_{i,j} = \begin{pmatrix} 1 & & & & & \\ & \ddots & & & & \\ & & 0 & 1 & & \\ & & 1 & 0 & & \\ & & & & \ddots & \\ & & & & & 1 \end{pmatrix}$$


$$T_i(u) = \begin{pmatrix} 1 & & & & \\ & \ddots & & & \\ & & u & & \\ & & & \ddots & \\ & & & & 1 \end{pmatrix}, \qquad T_{i,j}(v) = \begin{pmatrix} 1 & & & & \\ & \ddots & & & \\ & & 1 & & \\ & & v & \ddots & \\ & & & & 1 \end{pmatrix}$$

With such a choice, it is easy to compute $M^{-1}$ as

$$M^{-1} = \prod_{i=1}^{n} E_{n-i+1}^{-1}.$$

The drawback of generating an invertible matrix this way is that we do not have a good grasp of the randomness embedded in this process. In particular, how large must n be to generate a truly random matrix?

To address this issue, an alternative solution has been proposed: that of considering as a starting point an already “somewhat random” matrix for which it is easy to compute the inverse, for example an upper or lower triangular matrix whose diagonal elements are known to be invertible and whose remaining elements are randomly chosen. Finding the inverse of such matrices is just solving a system of linear equations using a substitution method. Since these matrices are more complex than elementary matrices, it seems reasonable to assume that we arrive at a more uniform distribution sooner than by simply using elementary matrices.

$$M = \begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix}.$$


Writing $M \cdot M^{-1} = I$ as

$$\begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix} \cdot \begin{pmatrix} u_1^{-1} & g_4 & g_5 \\ 0 & u_2^{-1} & g_6 \\ 0 & 0 & u_3^{-1} \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$

gives

$$g_4 = -u_1^{-1} g_1 u_2^{-1}, \qquad g_5 = u_1^{-1} g_1 u_2^{-1} g_3 u_3^{-1} - u_1^{-1} g_2 u_3^{-1}, \qquad g_6 = -u_2^{-1} g_3 u_3^{-1}.$$

As mentioned previously, the benefits of this method are that inverses are easy to compute and that the chosen matrix already has a large degree of randomness built in. In particular, any element of $\mathbb{Z}_7[S_5]$ can be used off the diagonal, and any invertible element of the group ring can be used on the diagonal. These of course include elements such as $\lambda u \in \mathbb{Z}_7[S_5]$, where $u \in S_5$ and $\lambda \in \mathbb{Z}_7$.

Finally, it is important to notice that the order of the group $GL_3(\mathbb{Z}_7[S_5])$ of invertible 3 × 3 matrices over $\mathbb{Z}_7[S_5]$ is at least $10^{313}$. Indeed, if we only count the invertible upper and lower triangular matrices described above, then we already have $(7 \cdot 120)^3 (7^{120})^3 \sim 10^{313}$ matrices. Once a sample matrix $M_1$ has been obtained, one way of choosing a matrix $M_2$ that commutes with $M_1$ is to just define $M_2$ as

$$M_2 = \sum_{i=1}^{k} a_i M_1^{i},$$

where the $a_i \in \mathbb{Z}_7$ are selected randomly. Clearly $M_1 M_2 = M_2 M_1$.

A reasonable choice for k is about 100, as this would yield $7^{100} \sim 10^{85}$ choices for $M_2$, which is a sufficiently large key space.
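An added example (my code, not the paper's or the authors' implementation) covering the group ring arithmetic of Definition 1, the Diffie-Hellman exchange of Section 3, and the key generation of this section: an upper-triangular $M_1$ whose inverse is computed from the $g_4, g_5, g_6$ formulas above, and a commuting $M_2 = \sum a_i M_1^{i}$. Assumptions: a permutation of $S_m$ is a tuple of images of 0..m-1, a group ring element is a dict from permutation to coefficient mod n, and `key_material` uses a seeded PRNG only so the demo is reproducible (real keys need a CSPRNG).

```python
import itertools
import random

def perm_mul(p, q):
    """Compose permutations of {0,...,m-1}: (p*q)[i] = p[q[i]]."""
    return tuple(p[i] for i in q)

def perm_inv(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def gr_add(a, b, n):
    """Coefficient-wise sum in Z_n[S_m]; zero terms are dropped."""
    out = dict(a)
    for g, c in b.items():
        out[g] = (out.get(g, 0) + c) % n
    return {g: c for g, c in out.items() if c}

def gr_mul(a, b, n):
    """Convolution product: the coefficient of g_i is the sum of a_j*b_k over g_j*g_k = g_i."""
    out = {}
    for g, c in a.items():
        for h, d in b.items():
            gh = perm_mul(g, h)
            out[gh] = (out.get(gh, 0) + c * d) % n
    return {g: c for g, c in out.items() if c}

def gr_prod(n, *xs):
    out = xs[0]
    for x in xs[1:]:
        out = gr_mul(out, x, n)
    return out

def gr_neg(a, n):
    return {g: (-c) % n for g, c in a.items()}

def gr_random(rng, n, m):
    """Random element: each of the m! permutations gets a coefficient mod n."""
    el = {g: rng.randrange(n) for g in itertools.permutations(range(m))}
    return {g: c for g, c in el.items() if c}

def gr_unit(rng, n, m):
    """lambda*u with lambda in Z_n^* (n prime) and u in S_m, and its inverse lambda^-1 u^-1."""
    lam, u = rng.randrange(1, n), tuple(rng.sample(range(m), m))
    return {u: lam}, {perm_inv(u): pow(lam, -1, n)}

def mat_identity(k, m):
    return [[{tuple(range(m)): 1} if i == j else {} for j in range(k)] for i in range(k)]

def mat_mul(A, B, n):
    k = len(A)
    C = [[{} for _ in range(k)] for _ in range(k)]
    for i in range(k):
        for j in range(k):
            for l in range(k):
                C[i][j] = gr_add(C[i][j], gr_mul(A[i][l], B[l][j], n), n)
    return C

def mat_pow(M, a, n, m):
    """Square-and-multiply: O(log a) matrix products even for the protocol's huge exponents."""
    R, P = mat_identity(len(M), m), M
    while a:
        if a & 1:
            R = mat_mul(R, P, n)
        P = mat_mul(P, P, n)
        a >>= 1
    return R

def diffie_hellman(M, a, b, n, m):
    """Section 3: Alice publishes M^a, Bob publishes M^b; returns Alice's and Bob's K."""
    Ma, Mb = mat_pow(M, a, n, m), mat_pow(M, b, n, m)
    return mat_pow(Ma, b, n, m), mat_pow(Mb, a, n, m)

def triangular_sample(rng, n, m):
    """Section 8: upper-triangular M with invertible diagonal, and M^-1 via g4, g5, g6."""
    (u1, i1), (u2, i2), (u3, i3) = (gr_unit(rng, n, m) for _ in range(3))
    g1, g2, g3 = (gr_random(rng, n, m) for _ in range(3))
    g4 = gr_neg(gr_prod(n, i1, g1, i2), n)
    g5 = gr_add(gr_prod(n, i1, g1, i2, g3, i3), gr_neg(gr_prod(n, i1, g2, i3), n), n)
    g6 = gr_neg(gr_prod(n, i2, g3, i3), n)
    M = [[u1, g1, g2], [{}, u2, g3], [{}, {}, u3]]
    Minv = [[i1, g4, g5], [{}, i2, g6], [{}, {}, i3]]
    return M, Minv

def commuting_matrix(rng, M1, k, n, m):
    """Section 8: M2 = sum_{i=1}^{k} a_i M1^i with random a_i in Z_n, so M1 M2 = M2 M1."""
    M2, P = [[{} for _ in range(3)] for _ in range(3)], mat_identity(3, m)
    for _ in range(k):
        P, a = mat_mul(P, M1, n), rng.randrange(n)
        M2 = [[gr_add(M2[i][j], {g: c * a % n for g, c in P[i][j].items()}, n)
               for j in range(3)] for i in range(3)]
    return M2

def key_material(seed, n, m, k):
    """Seeded demo key generation (a real deployment must draw from a CSPRNG)."""
    rng = random.Random(seed)
    M1, M1inv = triangular_sample(rng, n, m)
    return {"M1": M1, "M1inv": M1inv, "M2": commuting_matrix(rng, M1, k, n, m)}

if __name__ == "__main__":
    km = key_material(2014, 7, 5, 4)          # the paper's platform Z_7[S_5]
    print("M1*M1^-1 == I:", mat_mul(km["M1"], km["M1inv"], 7) == mat_identity(3, 5))
    print("M1*M2 == M2*M1:", mat_mul(km["M1"], km["M2"], 7) == mat_mul(km["M2"], km["M1"], 7))
```

The pure-Python convolution over all 120 elements of $S_5$ is slow for large exponents; the paper's timings use a lookup table for the product, as noted in the introduction.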

8.1. Other Parameters.

(1) As mentioned in the introduction of the Cramer-Shoup algorithm adapted to the chosen platform (i.e. matrices over group rings), it is important to specify the value of n for $\mathbb{Z}_n$. Based on experiments it has been suggested that $n \sim 10^{100}$. This seemed a reasonable choice of exponent since it both allowed quick computations and ensured that the power a matrix was raised to could not be figured out by brute force methods alone.

(2) The only requirement made on the hash function H used in this scheme is that it is drawn from a family of universal one-way hash functions. This is a less stringent requirement than collision resistance. The latter means that it is computationally hard for an adversary to find two different inputs x and y such that H(x) = H(y).

(3) The weaker notion of second preimage resistance means that upon choosing an input x, it is infeasible to find a different input y such that H(x) = H(y).


(4) As a reminder, Cramer and Shoup in their original paper also gave details ofthe same encryption scheme without requiring the use of any hash functions.The modified algorithm is only slightly more complicated but relies on thesame principles.

References

[1] R. Cramer, V. Shoup, A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, in Advances in Cryptology – CRYPTO 1998.
[2] D. Kahrobaei, C. Koupparis, and V. Shpilrain, Public key exchange using matrices over group rings, Groups, Complexity, and Cryptology 5 (2013), 97–115.
[3] D. Kahrobaei, C. Koupparis, and V. Shpilrain, A CCA secure cryptosystem using matrices over group rings, Contemporary Mathematics, American Mathematical Society, 9 pages, to appear in 2015, http://arxiv.org/abs/1403.3660.
[4] Neal Wagner, Marianne Magyarik, A Public Key Cryptosystem Based on the Word Problem, Advances in Cryptology, Proceedings of CRYPTO '84, Santa Barbara, California, USA, August 19–22, 1984.

Graduate Center City University of New York