Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside S_n

Abstract

In 2008, Doliskani et al. proposed an ElGamal-style encryption scheme using the symmetric group $S_n$ as mathematical platform. In 2012, an improvement of the cryptosystem’s memory requirements was suggested by Othman. The proposal by Doliskani et al. in particular requires the discrete logarithm problem in $S_n$, using its natural representation, to be hard. Making use of the Chinese Remainder Theorem, we describe an efficient method to solve this discrete logarithm problem, yielding a polynomial time secret key recovery attack against Doliskani et al.’s proposal.

1. Introduction

Discrete logarithm problems in certain representations of cyclic groups, such as subgroups of elliptic curves over prime fields, are a popular resource in the construction of cryptographic primitives. Widely deployed solutions for digital signatures and key establishment rely on the computational hardness of such discrete logarithm problems. Doliskani et al. proposed a cryptosystem in [1] which relies on the discrete logarithm problem inside the symmetric group $S_n$, using its standard representation, to be hard. The encryption scheme proposed in [1] is essentially an instantiation of the classic ElGamal [2] encryption scheme, but using a cyclic subgroup of $S_n$ in standard representation as platform instead of a more traditional platform choice.

We show that this particular discrete logarithm problem is problematic for cryptographic purposes by showing how to find such discrete logarithms in polynomial time. Consequently, in the proposal from [1], secret keys can be recovered from public data in polynomial time. Our algorithm exploits the permutation representation of a cyclic group that is used in [1]. Even though any finite cyclic group is isomorphic to a subgroup of a suitably large symmetric group, our algorithm does not imply an efficient solution for discrete logarithm problems in established cryptographic platform groups.

2. The Scheme of Doliskani et al.

In this section, we briefly recall the cryptosystem proposed by Doliskani et al. following the description given in [1] (Section 4). The scheme has the same basic structure as ElGamal encryption:

Key Generation.

The key generation algorithm, executed by the receiver, selects an appropriate index n and a suitable permutation $g\in S_n.$ The cyclic group generated by g will be denoted by $\langle g\rangle$, and we represent its order by $\left|g\right|$. Further, an integer $\alpha$ is selected uniformly at random from $\{1,\dots ,|g|-1\}$. The public key is the pair $(g,g^{\alpha }),$ while the private key is the secret “exponent” $\alpha$. (Even though these points are not clarified by the authors, as is customary, we assume n is chosen from an input security parameter ℓ, and is polynomial in ℓ.)

Encryption.

On input of a plaintext m, which we may assume belongs to $S_n$ (we omit the encoding described in [1] (Section 3), which is irrelevant for our purposes), an integer k is chosen uniformly at random from $\{1,\dots ,n\}$. The ciphertext is computed as the pair of group elements $(g_1,g_2):=(g^k,m{g}^{\alpha k})$.

Decryption.

The group element $g_1$ is raised to the secret exponent $\alpha$ and further inverted to compute $m:=g_2{\left(g_1^{\alpha }\right)}^{-1}$.

As made clear by the authors, this scheme essentially instantiates ElGamal encryption in the symmetric group $S_n$. As such, some of the security concerns of the original ElGamal over finite fields carry over. Given an encryption of m, one can trivially derive an encryption of $hm$ for any $h\in S_n$, so we observe that malleability is one such concern. Very limited plaintext leakage is another concern. It is known that in a straightforward ElGamal implementation over ${\mathbb{Z}}_{2q+1}^{*}$ for a Sophie Germain prime q, one bit of the message leaks. Indeed, if the cyclic group $\langle g\rangle$ has order q, it is possible to determine from the ciphertext whether the underlying plaintext m is a quadratic residue mod $2q+1$ or not, as the ciphertext leaks the Legendre symbol $\left(\frac{m}{2q+1}\right)$ of m.

Similarly, the construction in [1] leaks one bit, corresponding to the sign of the plaintext permutation m. Recall that the sign of a permutation can be seen as a group homomorphism

$$\epsilon :S_n⟶\{-1,1\},$$

defined as $\epsilon \left(\sigma \right)=1$ if and only if $\sigma$ can be written as the product of an even number of transpositions. Otherwise, if $\sigma$ is odd (and can thus only be decomposed as a product of an odd number of transpositions), $\epsilon \left(\sigma \right)=-1.$ It is easy to see that $\epsilon$ is a group homomorphism, hence $\epsilon \left(m{g}^{\alpha k}\right)=\epsilon \left(m\right)\epsilon \left(g^{\alpha k}\right)$. If any of the (public) g, $g^{\alpha }$, or $g^k$ are in the kernel of $\epsilon$, then necessarily the sign of the “mask” $g^{\alpha k}$ is one, too, and the sign of the plaintext leaks. Information on the elements in $\{1,\dots ,n\}$ not stabilized by the permutation m, known as the support of plaintext m, may leak if the support of g is small. This follows from the fact that the elements in $\{1,\dots ,n\}$ not stabilized by any permutation from $\langle g\rangle$ is always a subset of the support of g.

We include these remarks to emphasize that, when considering a concrete ElGamal instantiation, a thorough analysis is essential. One must consider the specific group representation and parameters in use.

In [1], the order of the public group element g is identified by the authors as the main relevant parameter determining the security of the above scheme. Indeed, when approaching a generic instance of the discrete logarithm problem in an arbitrary cyclic group, the order of the generator gives us an idea of how successful standard methods such as those mentioned in [1] (Section 2) might be when it comes to solving the associated discrete logarithm problem. This, however, does not rule out the existence of more efficient algorithms for computing discrete logarithms exploiting a concrete representation of the underlying group. As we show in the next section, this is the case for the symmetric group.

3. Finding Discrete Logarithms in Cyclic Subgroups of ${\mathit{S}}_{\mathit{n}}$

Let $S_n$ be the symmetric group on n points, with elements $f\in S_n$ represented as a list of images $\left[f\right(1),\dots ,f(n\left)\right]$ (or in standard cycle notation). Moreover, let $g\in S_n$, and $h=g^{\alpha }$ some element in the cyclic group $\langle g\rangle$ generated by g. For the encryption scheme put forward in [1], the pair $(g,h)$ represents a public key, and being able to recover $\alpha$ from the public key yields a successful recovery of a user’s secret key. When applied to the input $(g,h)$, the following procedure returns $\alpha (mod|g\left|\right)$, thereby solving the discrete logarithm problem in $\langle g\rangle$.

Step 1.

Decompose g and h into disjoint cycles

$$\begin{array}{ccc}\hfill g& =& {\pi }_1\circ \dots \circ {\pi }_r\hfill \\ \hfill h& =& {\sigma }_1\circ \dots \circ {\sigma }_s.\hfill \end{array}$$

Here, we include length-one cycles if needed, so that each $i\in \{1,\dots ,n\}$ occurs in exactly one cycle.

Step 2.

Compute arrays G and H, such that the ith entry G[i] stores:

• the index j of the cycle ${\pi }_j$ containing i; and
• the position of i within this cycle ($1\le i\le n$).

That is, $\mathtt{G}[i]=(j,\mathrm{pos}\left(i\right))$ would indicate that element i appears in cycle ${\pi }_j$ at position $\mathrm{pos}\left(i\right)$. Similarly, in H[i], we store:

• the index k of the cycle ${\sigma }_k$ containing i; and
• the position of i within this cycle ($1\le i\le n$).

Thus, $\mathtt{H}[i]=(k,\mathrm{pos}\left(i\right))$ would indicate that element i appears in cycle ${\sigma }_k$ at position $\mathrm{pos}\left(i\right)$.

Step 3.

Store the first element of each cycle ${\sigma }_j$ of h as First[j] in an array. Analogously, store the second element of ${\sigma }_j$ as entry Second[j] in an array. (For a length-one cycle, we set Second[j] = First[j].) Note that First[j] and Second[j] belong to the same cycle ${\pi }_{j^{\prime }}$ of g.

Step 4.

Use the array G to find for each $i\in \{1,\dots ,n\}$ the cycle of g containing First[i] and Second[i], and store the difference D[i] between their positions in an array D. Then, $\mathtt{D}[i]=\mathrm{pos}(\mathtt{Second}[$i$\left]\right)-\mathrm{pos}(\mathtt{First}[$i$\left]\right)$, for each $i\in \{1,\dots ,n\}$. Further, compute the length of the cycle containing element i and store it in an array $\mathtt{L}$.

Step 5.

Step 5. The solution $\alpha$ is congruent to each residue $\mathtt{D}[i]$ modulo $\mathtt{L}[i]$ for $1\le i\le \left|\mathtt{D}\right|$. Compute $\alpha$ with the Chinese Remainder Theorem.

It may be worth noting that the last step of the above procedure uses a slightly more general version of the Chinese Remainder Theorem than is commonly discussed in introductory computer algebra courses. Instead of exploiting the availability of an efficiently computable isomorphism between $\mathbb{Z}/(m_1·\cdots ·m_r)$ and $\mathbb{Z}/\left(m_1\right)\times \cdots \times \mathbb{Z}/\left(m_r\right)$, with $m_1,\dots ,m_r$ being pairwise coprime natural numbers, we face the more general situation of a linear system of congruences of the form

$$\begin{array}{ccc}\hfill x& \equiv & x_1(mod{m}_1)\hfill \\ & ⋮& \\ \hfill x& \equiv & x_2(mod{m}_r)\hfill \end{array}$$

where $m_1,\dots ,m_r$ may have common factors. This situation is covered, e.g., in [3] (Theorem 3.12) and in [4], which show that a solution is unique modulo the least common multiple of $m_1,\dots ,m_r$, and for executing Step 5 we basically follow the proof given in [4]. Putting everything together, it turns out that the running time of the above procedure is polynomial. (As is common, we use the (bit) length of the group size as cost parameter. With the natural representation of $S_n$ used, the running time is also polynomial in the input length.)

Theorem 1.

Let $g\in S_n$. Then, the discrete logarithm problem in the group generated by g can be solved in time $\mathcal{O}\left({log}^4\left|g\right|\right)=\mathcal{O}\left(n^2{log}^{2}n\right).$

Proof. 

Let $g\in S_n$. It is easy to see that Step 1 from the above description can be completed in time $\mathcal{O}\left(n\right)$. Indeed, to express g in cycle notation, we assume (without loss of generality) it acts on $\{1,\dots ,n\}.$ Thus, we start from $i=1$, perform a look-up and find the image of i under g. If the image is equal to i, close the cycle and increment the index i moving ahead to $i+1$. Otherwise, append $g\left(i\right)$ at the end of the cycle and repeat the process for this index. There will be at most n look-ups and n stored integers between 1 and n. The arrays $\mathtt{G}$, $\mathtt{H}$ each contain $2n$ integers.

Further, Step 2 can also be completed in time $\mathcal{O}\left(n\right)$. As there are at most n cycles in $g^{\alpha }$, the arrays First, Second are at most n integers long. Thus, the construction of these two arrays requires storing at most $2n$ integers.

Let us now move ahead to Steps 3 and 4. For each $1\le i\le \left|\mathtt{First}\right|$, perform a look-up in array $\mathtt{G}$ to determine to which cycle of g the value $\mathtt{First}$[i] belongs. This requires at most n look-ups. Look up the position numbers of $\mathtt{Second}$[i] and $\mathtt{First}$[i] and subtract. This requires at most $\mathcal{O}\left(n\right)$ computations plus $\mathcal{O}\left(n\right)$ look-ups.

The final step requires that we solve a system with at most $\left|\mathtt{D}\right|$ modular arithmetic equations, where the moduli are not necessarily coprime. We have $\left|\mathtt{D}\right|\le n/2$, so let $k=\lceil n/2\rceil$, and let

$$\begin{array}{ccc}\hfill \alpha & \equiv & \mathtt{D}[1]mod\mathtt{L}[1]\hfill \\ \hfill \alpha & \equiv & \mathtt{D}[2]mod\mathtt{L}[2]\hfill \\ & ⋮& \\ \hfill \alpha & \equiv & \mathtt{D}[k]mod\mathtt{L}[k]\hfill \end{array}$$

denote the system of congruences found in Step 5, where each $\mathtt{L}[i]$ is the length of a cycle of g. As in [4], let $m=\mathrm{lcm}\left(\mathtt{L}[1\right],\mathtt{L}[2],\dots ,\mathtt{L}[k])$. Now, we can closely follow the the proof of [4]:

Compute the solution to the first two congruences

$$\begin{array}{cc}\hfill \alpha & \equiv \mathtt{D}[1]mod\mathtt{L}[1]\\ \hfill \alpha & \equiv \mathtt{D}[2]mod\mathtt{L}[2],\end{array}$$

and call this solution ${\alpha }_1$. There are $t,s\in \mathbb{Z}$ with $\gcd \left(\mathtt{L}[1\right],\mathtt{L}[2\left]\right)=t·\mathtt{L}[1]+s·\mathtt{L}[2]$. By [4], we know the solution is ${\alpha }_1=\mathtt{D}[1]+t·\mathtt{L}[1]$, which is unique $mod\mathrm{lcm}\left(\mathtt{L}[1\right],\mathtt{L}[2\left]\right)$. According to [5], this application of the Extended Euclidean Algorithm has a cost of $\mathcal{O}(log\mathtt{L}[1]·log\mathtt{L}[2\left]\right)$. We upper-bound this by $\mathcal{O}\left({log}^{2}n\right)$.

Next, consider the two equivalences

$$\begin{array}{ccc}\hfill \alpha & \equiv & {\alpha }_{1}mod\mathrm{lcm}\left(\mathtt{L}[1\right],\mathtt{L}[2\left]\right)\hfill \\ \hfill \alpha & \equiv & \mathtt{D}[3]mod\mathtt{L}[\mathtt{3}].\hfill \end{array}$$

Compute the solution to this pair of congruences as above, and call this solution ${\alpha }_2$. The cost of computing ${\alpha }_2$ is

$$\begin{array}{cc}\hfill \mathcal{O}(log(\mathrm{lcm}\left(\mathtt{L}[1\right],\mathtt{L}\left[2\right]\left)\right)·log\mathtt{L}[3\left]\right)& =\mathcal{O}(2lognlogn)\hfill \\ & =\mathcal{O}\left({log}^{2}n\right).\hfill \end{array}$$

Iterate this step until the k equivalences are reduced to 2. The solution to the last pair of equivalences is the solution, $\alpha$.

There will be at most $n-1$ applications of the Extended Euclidean Algorithm, with total complexity in $\mathcal{O}({\sum }_{k=1}^{n-1}k·{log}^{2}n)=\mathcal{O}\left(n^2{log}^{2}n\right)$. From [6,7,8], we know that, for any $g\in S_n$, it holds that $log\left|g\right|=\mathcal{O}\left(\sqrt{nlogn}\right)$, and the claim follows. ☐

Correctness of the above procedure is not hard to verify:

Proposition 1.

For any $g\in S_n$ and $h\in \langle g\rangle$ such that $h=g^{\alpha }$, the above procedure computes $\alpha (mod|g\left|\right)$, given g, h, and n.

Proof. 

Let $g={\pi }_1\circ \cdots \circ {\pi }_r$ and suppose the algorithm returns $\overline{\alpha }\equiv \mathtt{D}[i]mod\mathtt{L}[i]$ for all i as in the proof of Theorem 1. We proceed by showing that $g^{\overline{\alpha }}=h$. Since the ${\pi }_i$ are disjoint,

$$\begin{array}{cc}\hfill g^{\overline{\alpha }}& ={({\pi }_1\circ \cdots \circ {\pi }_r)}^{\overline{\alpha }}\hfill \\ & ={\pi }_1^{\overline{\alpha }}\circ \cdots \circ {\pi }_r^{\overline{\alpha }}.\hfill \end{array}$$

(1)

There exist $k_i\in \mathbb{Z}$ such that $\overline{\alpha }=k_i·\mathtt{L}[i]+\mathtt{D}[i]$ for all i, so (1) is equal to

$$\begin{array}{c}\hfill {\pi }_1^{k_1\mathtt{L}[1]+\mathtt{D}[1]}\circ \cdots \circ {\pi }_r^{k_r\mathtt{L}[r]+\mathtt{D}[r]}.\end{array}$$

(2)

The order of ${\pi }_i$ is $\mathtt{L}[i]$ for each i, so Equation (2) simplifies to

$${\pi }_1^{\mathtt{D}[1]}\circ \cdots \circ {\pi }_r^{\mathtt{D}[r]}.$$

To show that $g^{\overline{\alpha }}=h$, we evaluate $g^{\overline{\alpha }}\left(\mathtt{First}[i\right])$ and show that the result is $\mathtt{Second}[i]$ for all i. Let $\mathtt{G}[\mathtt{First}[i\left]\right]=(l,\mathrm{pos}(\mathtt{First}[i\left]\right))$. As $\mathtt{First}[i]$ and $\mathtt{Second}[i]$ belong to the same cycle of g, then $\mathtt{G}[\mathtt{Second}[i\left]\right]=(l,\mathrm{pos}(\mathtt{Second}[i\left]\right))$. It follows that

$$\begin{array}{c}\hfill {\pi }_1^{\mathtt{D}[i]}\circ \cdots \circ {\pi }_r^{\mathtt{D}[r]}\left(\mathtt{First}[i\right])={\pi }_l^{\mathtt{D}[i]}\left(\mathtt{First}[i\right]).\end{array}$$

The image of $\mathtt{First}[i]$ under ${\pi }_l^{\mathtt{D}[i]}$ is found by moving (cyclically) right by $\mathtt{D}[i]$ positions inside ${\pi }_l$. Thus, $\mathtt{First}[i]$ ends up being mapped to the cycle entry at position $\mathrm{pos}\left(\mathtt{First}[i\right])+(\mathrm{pos}\left(\mathtt{Second}[i\right])-\mathrm{pos}(\mathtt{First}[i\left]\right)\left]\right)=\mathrm{pos}\left(\mathtt{Second}[i\right])$. Consequently, ${\pi }_l^{\mathtt{D}[i]}\left(\mathtt{First}[i\right])=\mathtt{Second}[i]$. As this holds for all i, the resulting permutation satisfies $g^{\overline{\alpha }}=h.$ ☐

4. Experimental Validation

The proposed attack was implemented in Magma V2.21 on a personal computer. An example of the attack in $S_{100}$ is as follows. Let

$$\begin{array}{ccc}\hfill g& =& (1,12,90,19,7,30,44,72,57,55,34,81,82,17,54,21,80,94,35,11,85,100)\hfill \\ & & (2,9,83,87,45,13,67,24,78,4,16,32,65,51,29,33,22,59,50,69,56,58,43,\hfill \\ & & 31,47,96,91,92,15,75,86,49,68,88,95,36,63,23,71,98,42,28,64,8,38,40)\hfill \\ & & (3,10,97,48,74,39,46,60,89,5)(6,26,79,25,20,76)(14,84,37,53,61,70,73)\hfill \\ & & (18,99,93,66,62,27,77,41).\hfill \end{array}$$

The order of g is 212,520. Given $(g,g^{178,705})$, let us try to recover the secret exponent $\alpha$ = 178,705. Following the procedure presented above, we store

$$\begin{array}{ccc}\hfill \mathtt{D}& =& [21,41,5,-5,1,5,2,1,5,-5,0]\mathrm{and}\hfill \\ \hfill \mathtt{L}& =& [22,46,10,10,6,10,7,8,10,10,1].\hfill \end{array}$$

Further, we know that $\alpha$ is congruent to $\mathtt{D}[i]$ modulo $\mathtt{L}[i]$ for each i. Applying the Chinese Remainder Theorem yields the solution $\alpha$ = 178,705, as expected.

5. Conclusions

The above discussion provides a polynomial time solution for the discrete logarithm problem inside the symmetric group $S_n$, using its standard presentation. On suitable elliptic curves, efficient implementations of ElGamal are available, where (in the absence of quantum computers) no polynomial time attacks on the secret key are known. With the availability of a polynomial-time secret key recovery, it seems fair to consider the security assumption underlying Doliskani et al.’s proposal as problematic.