# Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside $S_n$


## Abstract


## 1. Introduction

## 2. The Scheme of Doliskani et al.

- **Key Generation.** The key generation algorithm, executed by the receiver, selects an appropriate index n and a suitable permutation $g \in S_n$. The cyclic group generated by g will be denoted by $\langle g \rangle$, and we represent its order by $|g|$. Further, an integer $\alpha$ is selected uniformly at random from $\{1, \dots, |g|-1\}$. The public key is the pair $(g, g^{\alpha})$, while the private key is the secret "exponent" $\alpha$. (Even though these points are not clarified by the authors, as is customary, we assume n is chosen from an input security parameter ℓ, and is polynomial in ℓ.)
- **Encryption.** On input of a plaintext m, which we may assume belongs to $S_n$ (we omit the encoding described in [1] (Section 3), which is irrelevant for our purposes), an integer k is chosen uniformly at random from $\{1, \dots, n\}$. The ciphertext is computed as the pair of group elements $(g_1, g_2) := (g^k, m g^{\alpha k})$.
- **Decryption.** The group element $g_1$ is raised to the secret exponent $\alpha$ and further inverted to compute $m := g_2 (g_1^{\alpha})^{-1}$.

## 3. Finding Discrete Logarithms in Cyclic Subgroups of $S_n$

- **Step 1.** Decompose g and h into disjoint cycles
  $$\begin{array}{rcl} g & = & \pi_1 \circ \dots \circ \pi_r \\ h & = & \sigma_1 \circ \dots \circ \sigma_s. \end{array}$$
  Here, we include length-one cycles if needed, so that each $i \in \{1, \dots, n\}$ occurs in exactly one cycle.
- **Step 2.** Compute arrays `G` and `H`, such that the i-th entry `G[i]` stores:
  - the index j of the cycle $\pi_j$ containing i; and
  - the position of i within this cycle ($1 \le i \le n$).

  That is, $\mathtt{G}[i] = (j, \mathrm{pos}(i))$ would indicate that element i appears in cycle $\pi_j$ at position $\mathrm{pos}(i)$. Similarly, in `H[i]`, we store:
  - the index k of the cycle $\sigma_k$ containing i; and
  - the position of i within this cycle ($1 \le i \le n$).

  Thus, $\mathtt{H}[i] = (k, \mathrm{pos}(i))$ would indicate that element i appears in cycle $\sigma_k$ at position $\mathrm{pos}(i)$.
- **Step 3.** Store the first element of each cycle $\sigma_j$ of h as `First[j]` in an array. Analogously, store the second element of $\sigma_j$ as entry `Second[j]` in an array. (For a length-one cycle, we set `Second[j] = First[j]`.) Note that `First[j]` and `Second[j]` belong to the same cycle $\pi_{j'}$ of g.
- **Step 4.** Use the array `G` to find for each $i \in \{1, \dots, n\}$ the cycle of g containing `First[i]` and `Second[i]`, and store the difference `D[i]` between their positions in an array `D`. Then, $\mathtt{D}[i] = \mathrm{pos}(\mathtt{Second}[i]) - \mathrm{pos}(\mathtt{First}[i])$, for each $i \in \{1, \dots, n\}$. Further, compute the length of the cycle containing element i and store it in an array `L`.
- **Step 5.** The solution $\alpha$ is congruent to each residue $\mathtt{D}[i]$ modulo $\mathtt{L}[i]$ for $1 \le i \le |\mathtt{D}|$. Compute $\alpha$ with the Chinese Remainder Theorem.
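As an added worked example (not code from this paper or from Doliskani et al.), the five steps above in Python. Permutations are tuples acting on {0,…,n-1} instead of {1,…,n}; `cycles` is Step 1, `dlog` builds the `G`, `D` and `L` data of Steps 2 to 4, and `crt` performs Step 5 with a Chinese Remainder Theorem that tolerates non-coprime moduli, since the cycle lengths of g need not be pairwise coprime. `compose` and `power` are the group operations the scheme of Section 2 itself relies on, and are reused to check the recovered exponent against $h = g^{\alpha}$.

```python
from math import gcd
# Added example, not the paper's code: permutations act on {0,...,n-1} rather than {1,...,n}.
def compose(p, q):
    """p∘q (apply q first, then p); permutations are tuples on {0,...,n-1}."""
    return tuple(p[q[i]] for i in range(len(p)))

def power(g, e):
    """g^e by square-and-multiply (what the receiver computes, and our verification)."""
    result = tuple(range(len(g)))
    while e:
        if e & 1: result = compose(g, result)
        g, e = compose(g, g), e >> 1
    return result

def cycles(p):
    """Step 1: disjoint-cycle decomposition, length-one cycles included."""
    seen, out = set(), []
    for start in range(len(p)):
        if start not in seen:
            cyc, i = [], start
            while i not in seen:
                seen.add(i); cyc.append(i); i = p[i]
            out.append(cyc)
    return out

def crt(residues, moduli):
    """Step 5: CRT allowing non-coprime moduli; returns (x, lcm) or None if inconsistent."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        d = gcd(m, n)
        if (r - x) % d: return None
        t = ((r - x) // d * pow(m // d, -1, n // d)) % (n // d)  # x + m*t ≡ r (mod n)
        x, m = (x + m * t) % (m * n // d), m * n // d
    return x, m

def dlog(g, h):
    """Steps 2-4, then CRT: recover alpha with g^alpha == h, or None if h is not in <g>."""
    G = {}  # element -> (index of its g-cycle, position in that cycle, cycle length)
    for j, cyc in enumerate(cycles(g)):
        for pos, i in enumerate(cyc):
            G[i] = (j, pos, len(cyc))
    D, L = [], []
    for sigma in cycles(h):  # First = sigma[0], Second = h(First)
        first, second = sigma[0], sigma[1 % len(sigma)]
        (j1, p1, length), (j2, p2, _) = G[first], G[second]
        if j1 != j2: return None  # Second must lie in the same g-cycle as First
        D.append((p2 - p1) % length); L.append(length)
    res = crt(D, L)
    return res if res and power(g, res[0]) == h else None  # final sanity check
```

Applied to a public key $(g, g^{\alpha})$, `dlog` returns $\alpha$ reduced modulo $|g|$, which is all that decryption needs.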

**Theorem 1.**

**Proof.** `First` and `Second` are at most n integers long. Thus, the construction of these two arrays requires storing at most $2n$ integers.

**Proposition 1.**

**Proof.**

## 4. Experimental Validation

## 5. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Doliskani, J.N.; Malekian, E.; Zakerolhosseini, A. A Cryptosystem Based on the Symmetric Group S_n. IJCSNS Int. J. Comput. Sci. Netw. Secur. **2008**, 8, 226–234.
2. Gamal, T.E. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory **1985**, 31, 469–472.
3. Jones, G.A.; Jones, J.M. Elementary Number Theory; Springer Undergraduate Mathematics Series; Springer: Berlin, Germany, 1998.
4. Bogomolny, A. Chinese Remainder Theorem from Interactive Mathematics Miscellany and Puzzles. 2012. Available online: http://www.cut-the-knot.org/blue/chinese.shtml (accessed on 1 May 2018).
5. Von zur Gathen, J.; Gerhard, J. The Euclidean Algorithm. In Modern Computer Algebra; The Press Syndicate of the University of Cambridge: Cambridge, UK, 1999; pp. 50–55.
6. Landau, E. Über die Maximalordnung der Permutationen gegebenen Grades. Arch. Math. Phys. **1903**, 5, 92–103.
7. Massias, J.P. Majoration explicite de l’ordre maximum d’un élément du groupe symétrique. Ann. Fac. Sci. Toulouse Math. **1984**, 6, 269–280.
8. Massias, J.P.; Nicolas, J.L.; Robin, G. Effective Bounds for the Maximal Order of an Element in the Symmetric Group. Math. Comput. **1989**, 53, 665–678.

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

González Vasco, M.I.; Robinson, A.; Steinwandt, R. Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside *S_n*. *Cryptography* **2018**, *2*, 16. https://doi.org/10.3390/cryptography2030016
