Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside S n

In 2008, Doliskani et al. proposed an ElGamal-style encryption scheme using the symmetric group Sn as mathematical platform. In 2012, an improvement of the cryptosystem’s memory requirements was suggested by Othman. The proposal by Doliskani et al. in particular requires the discrete logarithm problem in Sn, using its natural representation, to be hard. Making use of the Chinese Remainder Theorem, we describe an efficient method to solve this discrete logarithm problem, yielding a polynomial time secret key recovery attack against Doliskani et al.’s proposal.


Introduction
Discrete logarithm problems in certain representations of cyclic groups, such as subgroups of elliptic curves over prime fields, are a popular resource in the construction of cryptographic primitives.Widely deployed solutions for digital signatures and key establishment rely on the computational hardness of such discrete logarithm problems.Doliskani et al. proposed a cryptosystem in [1] which relies on the discrete logarithm problem inside the symmetric group S n , using its standard representation, to be hard.The encryption scheme proposed in [1] is essentially an instantiation of the classic ElGamal [2] encryption scheme, but using a cyclic subgroup of S n in standard representation as platform instead of a more traditional platform choice.
We show that this particular discrete logarithm problem is problematic for cryptographic purposes by showing how to find such discrete logarithms in polynomial time.Consequently, in the proposal from [1], secret keys can be recovered from public data in polynomial time.Our algorithm exploits the permutation representation of a cyclic group that is used in [1].Even though any finite cyclic group is isomorphic to a subgroup of a suitably large symmetric group, our algorithm does not imply an efficient solution for discrete logarithm problems in established cryptographic platform groups.

The Scheme of Doliskani et al.
In this section, we briefly recall the cryptosystem proposed by Doliskani et al. following the description given in [1] (Section 4).The scheme has the same basic structure as ElGamal encryption: Key Generation.The key generation algorithm, executed by the receiver, selects an appropriate index n and a suitable permutation g ∈ S n .The cyclic group generated by g will be denoted by g , and we represent its order by |g|.Further, an integer α is selected uniformly at random from {1, . . ., |g| − 1}.The public key is the pair (g, g α ), while the private key is the secret "exponent" α.
(Even though these points are not clarified by the authors, as is customary, we assume n is chosen from an input security parameter , and is polynomial in .) Encryption.On input of a plaintext m, which we may assume belongs to S n (we omit the encoding described in [1] (Section 3), which is irrelevant for our purposes), an integer k is chosen uniformly at random from {1, . . ., n}.The ciphertext is computed as the pair of group elements (g 1 , g 2 ) := (g k , mg αk ).Decryption.The group element g 1 is raised to the secret exponent α and further inverted to compute m := g 2 (g α 1 ) −1 .As made clear by the authors, this scheme essentially instantiates ElGamal encryption in the symmetric group S n .As such, some of the security concerns of the original ElGamal over finite fields carry over.Given an encryption of m, one can trivially derive an encryption of hm for any h ∈ S n , so we observe that malleability is one such concern.Very limited plaintext leakage is another concern.It is known that in a straightforward ElGamal implementation over Z * 2q+1 for a Sophie Germain prime q, one bit of the message leaks.Indeed, if the cyclic group g has order q, it is possible to determine from the ciphertext whether the underlying plaintext m is a quadratic residue mod 2q + 1 or not, as the ciphertext leaks the Legendre symbol m 2q+1 of m.Similarly, the construction in [1] leaks one bit, corresponding to the sign of the plaintext permutation m.Recall that the sign of a permutation can be seen as a group homomorphism and only if σ can be written as the product of an even number of transpositions.Otherwise, if σ is odd (and can thus only be decomposed as a product of an odd number of transpositions), ε If any of the (public) g, g α , or g k are in the kernel of ε, then necessarily the sign of the "mask" g αk is one, too, and the sign of the plaintext leaks.Information on the elements in {1, . . ., n} not stabilized by the permutation m, known as the support of plaintext m, may leak if the support of g is small.This follows from the fact that the elements in {1, . . ., n} not stabilized by any permutation from g is always a subset of the support of g.
We include these remarks to emphasize that, when considering a concrete ElGamal instantiation, a thorough analysis is essential.One must consider the specific group representation and parameters in use.
In [1], the order of the public group element g is identified by the authors as the main relevant parameter determining the security of the above scheme.Indeed, when approaching a generic instance of the discrete logarithm problem in an arbitrary cyclic group, the order of the generator gives us an idea of how successful standard methods such as those mentioned in [1] (Section 2) might be when it comes to solving the associated discrete logarithm problem.This, however, does not rule out the existence of more efficient algorithms for computing discrete logarithms exploiting a concrete representation of the underlying group.As we show in the next section, this is the case for the symmetric group.

Finding Discrete Logarithms in Cyclic Subgroups of S n
Let S n be the symmetric group on n points, with elements f ∈ S n represented as a list of images [ f (1), . . ., f (n)] (or in standard cycle notation).Moreover, let g ∈ S n , and h = g α some element in the cyclic group g generated by g.For the encryption scheme put forward in [1], the pair (g, h) represents a public key, and being able to recover α from the public key yields a successful recovery of a user's secret key.When applied to the input (g, h), the following procedure returns α (mod |g|), thereby solving the discrete logarithm problem in g .
Step 1. Decompose g and h into disjoint cycles Here, we include length-one cycles if needed, so that each i ∈ {1, . . ., n} occurs in exactly one cycle.
Step 2. Compute arrays G and H, such that the ith entry G[i] stores: • the index j of the cycle π j containing i; and • the position of i within this cycle (1 That is, G[i] = (j, pos(i)) would indicate that element i appears in cycle π j at position pos(i).Similarly, in H[i], we store: • the index k of the cycle σ k containing i; and • the position of i within this cycle (1 It may be worth noting that the last step of the above procedure uses a slightly more general version of the Chinese Remainder Theorem than is commonly discussed in introductory computer algebra courses.Instead of exploiting the availability of an efficiently computable isomorphism between Z/(m 1 • • • • • m r ) and Z/(m 1 ) × • • • × Z/(m r ), with m 1 , . . ., m r being pairwise coprime natural numbers, we face the more general situation of a linear system of congruences of the form x ≡ x 1 (mod m 1 ) . . .
where m 1 , . . ., m r may have common factors.This situation is covered, e.,g., in [3] (Theorem 3.12) and in [4], which show that a solution is unique modulo the least common multiple of m 1 , . . ., m r , and for executing Step 5 we basically follow the proof given in [4].Putting everything together, it turns out that the running time of the above procedure is polynomial.(As is common, we use the (bit) length of the group size as cost parameter.With the natural representation of S n used, the running time is also polynomial in the input length.) Theorem 1.Let g ∈ S n .Then, the discrete logarithm problem in the group generated by g can be solved in time O(log Proof.Let g ∈ S n .It is easy to see that Step 1 from the above description can be completed in time O(n).Indeed, to express g in cycle notation, we assume (without loss of generality) it acts on {1, . . ., n}.Thus, we start from i = 1, perform a look-up and find the image of i under g.If the image is equal to i, close the cycle and increment the index i moving ahead to i + 1.Otherwise, append g(i) at the end of the cycle and repeat the process for this index.There will be at most n look-ups and n stored integers between 1 and n.The arrays G, H each contain 2n integers.Further, Step 2 can also be completed in time O(n).As there are at most n cycles in g α , the arrays First, Second are at most n integers long.Thus, the construction of these two arrays requires storing at most 2n integers.
Let us now move ahead to Steps 3 and 4. For each 1 ≤ i ≤ |First|, perform a look-up in array G to determine to which cycle of g the value First[i] belongs.This requires at most n look-ups.Look up the position numbers of Second[i] and First[i] and subtract.This requires at most O(n) computations plus O(n) look-ups.
The final step requires that we solve a system with at most |D| modular arithmetic equations, where the moduli are not necessarily coprime.We have |D| ≤ n/2, so let k = n/2 , and let denote the system of congruences found in Step 5, where each L[i] is the length of a cycle of g.As in [4], ).Now, we can closely follow the the proof of [4, Theorem 2]: Compute the solution to the first two congruences and call this solution α 1 .There are t, s ∈ Z with gcd(L . By [4], we know the solution is ).According to [5], this application of the Extended Euclidean Algorithm has a cost of O(log Iterate this step until the k equivalences are reduced to 2. The solution to the last pair of equivalences is the solution, α. There will be at most n − 1 applications of the Extended Euclidean Algorithm, with total complexity in O(∑ n−1 k=1 k • log 2 n) = O(n 2 log 2 n).From [6][7][8], we know that, for any g ∈ S n , it holds that log |g| = O( n log n), and the claim follows.
Correctness of the above procedure is not hard to verify: Proposition 1.For any g ∈ S n and h ∈ g such that h = g α , the above procedure computes α (mod |g|), given g, h, and n.
Proof.Let g = π 1 • • • • • π r and suppose the algorithm returns ᾱ ≡ D[i] mod L[i] for all i as in the proof of Theorem 1.We proceed by showing that g ᾱ = h.Since the π i are disjoint, Thus, H[i] = (k, pos(i)) would indicate that element i appears in cycle σ k at position pos(i).Step 3. Store the first element of each cycle σ j of h as First[j] in an array.Analogously, store the second element of σ j as entry Second[j] in an array.(For a length-one cycle, we set Second[j]=First[j].)Note that First[j] and Second[j] belong to the same cycle π j of g.Step 4. Use the array G to find for each i ∈ {1, . . ., n} the cycle of g containing First[i] and Second[i], and store the difference D[i] between their positions in an array D.Then, D[i] = pos(Second[i]) − pos(First[i]), for each i ∈ {1, . . ., n}.Further, compute the length of the cycle containing element i and store it in an array L. Step 5.The solution α is congruent to each residue D[i] modulo L[i] for 1 ≤ i ≤ |D|.Compute α with the Chinese Remainder Theorem.