Post-Quantum Cryptography: S381 Cyclic Subgroup of High Order

Currently there is an active search for Post-Quantum Cryptography (PQC) solutions, which attempts to find cryptographic protocols resistant to attacks by means of, for instance, Shor's polynomial-time algorithm for number-field problems like integer factorization (IFP) or the discrete logarithm problem (DLP). The use of non-commutative or non-associative structures is, among others, a valid choice for these kinds of protocols. In our case, we focus on a permutation subgroup of high order belonging to the symmetric group S381. Using adequate one-way functions (OWF), we derive a Diffie-Hellman key exchange and an ElGamal ciphering procedure that rely only on combinatorial operations. Both OWFs pose hard search problems which are assumed not to belong to the BQP time-complexity class. Obvious advantages of the present protocols are their conceptual simplicity, fast-throughput implementations, high cryptanalytic security and no need for arithmetic operations and therefore for extended-precision libraries. Such features make them suitable for low-performance and low-power platforms like smart cards, USB keys and cellphones.

Security of an asymmetric cipher protocol always relies on a one-way function (OWF) [24]. Using, for instance, the decomposition problem (DP) or the double coset problem (DCP) [7], both assumed to belong to the AWPP time-complexity class (but to lie outside BQP) [34], leaves brute force as the only eventual attack, thus yielding high computational security. The cryptographic use of combinatorial structures like permutations is a long-known matter, either in a linear way [20], in two-dimensional combinations like Row Latin Squares (RLS) [21,22], or simply using quasigroups [23]. There are also patented protocols on the subject [35]. Multidimensional tensor solutions are also conceivable, but their utility remains unclear. Other approaches in the same direction are the use of multiple orthogonal Latin squares (MOLS) [36] and of non-group-based Latin squares [38]. More information about PQC, NCC (non-commutative cryptography) and NAC (non-associative cryptography) can be found in the published works and their own references.

1 Pedro Hecht: Maestría en Seguridad Informática, FCE-FCEyN-FI (Universidad Bs Aires), qubit101@gmail.com

SOME STRUCTURAL DETAILS
Permutations are simple combinatorial structures [20,36]. A convenient way to map them to integers is Lehmer's factoradic representation [38,39]. An optimal O(n) algorithm for generating a uniformly random permutation is described in [20] as Algorithm P (the Fisher-Yates-Durstenfeld shuffle).
It is a known fact that the order of any permutation is the least common multiple of its disjoint cycle lengths [40]. So a simple way to construct a random high-order element is to embed any random permutation (say p) into prime-length cycles, using the increasing prime sequence [41] in random order. Summing those cycle lengths gives the degree of the symmetric group in which the random permutation acts as the generator of a cyclic subgroup whose order is given by the respective primorial [42]: with distinct prime cycle lengths the lcm is simply their product. A valid choice for the length of those lists that guarantees high GDLP cryptographic security while not deterring computational throughput is the value 16: the first sixteen primes (2 through 53) sum to 381 and their product, the primorial 53#, is about 2^64.8. Figure 1 displays the sixteen prime cycles, the resulting S381 group and the 64-bit order of the cyclic subgroup <p>. The procedure is easy to follow with a numeric trial, as exposed separately in APPENDIX I, with the same symbols as defined in Figure 2.
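The construction of the two preceding paragraphs, as an added worked example written for this edited page (it is not the paper's Mathematica code): Algorithm P draws a random arrangement of the 381 points, consecutive chunks of that arrangement become cycles whose lengths are the first sixteen primes in random order, the order of the result is checked against the primorial, and the Lehmer/factoradic rank maps the permutation to and from an integer. The helper names (`random_generator`, `perm_to_int`, `int_to_perm`) are this example's own; `secrets.randbelow` stands in for whatever CSPRNG the platform offers.

```python
import math
import secrets

# First sixteen primes: their sum (381) is the degree of the symmetric group
# and their product (the primorial 53#) is the order of the cyclic subgroup <p>.
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
N = sum(PRIMES)                # 381
ORDER = math.prod(PRIMES)      # 32589158477190044730, log2 ~ 64.8


def fisher_yates(n, rng=secrets.randbelow):
    """Algorithm P (Fisher-Yates-Durstenfeld): uniform random permutation of range(n) in O(n)."""
    a = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng(i + 1)         # uniform in [0, i]
        a[i], a[j] = a[j], a[i]
    return a


def embed_in_prime_cycles(seq, lengths):
    """Read consecutive chunks of a random arrangement `seq` as disjoint cycles of the given
    lengths; the result is a permutation (as an image list) with exactly that cycle type."""
    assert len(seq) == sum(lengths)
    perm = [None] * len(seq)
    pos = 0
    for length in lengths:
        cyc = seq[pos:pos + length]
        for k in range(length):
            perm[cyc[k]] = cyc[(k + 1) % length]
        pos += length
    return perm


def cycle_lengths(perm):
    """Lengths of the disjoint cycles of `perm`, sorted."""
    seen = [False] * len(perm)
    out = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = perm[x]
            length += 1
        out.append(length)
    return sorted(out)


def order(perm):
    """Order of a permutation = lcm of its cycle lengths."""
    return math.lcm(*cycle_lengths(perm))


def random_generator():
    """Random element of S381 whose cycle lengths are the sixteen primes in random order."""
    lengths = PRIMES[:]
    for i in range(len(lengths) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        lengths[i], lengths[j] = lengths[j], lengths[i]
    return embed_in_prime_cycles(fisher_yates(N), lengths)


def perm_to_int(perm):
    """Lehmer code in factoradic: rank = sum_i L_i * (n-1-i)!, with L_i the number of
    later entries smaller than perm[i]; evaluated by Horner's rule with mixed radix."""
    n = len(perm)
    rank = 0
    for i in range(n):
        smaller = sum(1 for j in range(i + 1, n) if perm[j] < perm[i])
        rank = rank * (n - i) + smaller
    return rank


def int_to_perm(rank, n):
    """Inverse of perm_to_int: peel the factoradic digits off `rank`, then pick the
    d-th smallest remaining point for each position."""
    digits = []
    for radix in range(1, n + 1):
        digits.append(rank % radix)
        rank //= radix
    digits.reverse()           # digits[i] now belongs to position i
    avail = list(range(n))
    return [avail.pop(d) for d in digits]


if __name__ == "__main__":
    p = random_generator()
    print("cycle type:", cycle_lengths(p))
    print("order of <p>:", order(p), "==", ORDER, "bits:", ORDER.bit_length())
    print("round trip ok:", int_to_perm(perm_to_int(p), N) == p)
```

Because the sixteen cycle lengths are pairwise coprime, `order(p)` equals `ORDER` for every permutation this routine returns; the factoradic rank of an element of S381 is a number below 381!, so it is what the text means by "integer mapping" and is the value a transport format would carry.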
Using the previous arguments, and bearing in mind that neither a polynomial-time conventional DLP attack nor a quantum procedure against it is at hand, the computational security is assumed to be 64 bits. Note, however, that this figure counts only the size of <p>: because its order is the product of sixteen primes no larger than 53, the Pohlig-Hellman reduction solves the DLP in <p> cycle by cycle (the exponent modulo each prime cycle length is read off directly from where that cycle's elements are mapped, and the residues are combined by the Chinese remainder theorem), so the generic security of the cyclic-subgroup DLP is far below 64 bits. Any hardness must therefore come from the DCP/DP formulation used below, not from the order of <p> alone.
The protocol is fast: using non-optimized interpreted Mathematica code implementing a square-and-multiply routine on an Intel Core i5 PC at 2.20 GHz, the mean session time was 93.75 ms over a sample of 1,000,000 cycles.

ELGAMAL CIPHER
Our version bases its cryptographic security on the double coset problem (DCP) or, respectively, the decomposition problem (DP) as the one-way function [7].
DCP and DP are supposedly hard challenges in group theory. As no quantum attack algorithm over symmetric groups is in sight, and probably none exists, these solutions would not belong to the BQP complexity class. Of course, this statement should be proven, a challenge outside the scope of the present work.
We present here both approaches. The general procedure is outlined in the following figures.
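The square-and-multiply powering, the Diffie-Hellman token exchange (Bob's public token tb = p^b of Figure 5) and an ElGamal cipher over the same group, as one added worked example for this edited page; it is not the paper's code. Two things are assumptions of this example rather than statements of the paper: the generator is built deterministically (one cycle per prime, on consecutive points) so that the run is reproducible, whereas the paper draws it at random; and the cipher shown is the textbook generalized ElGamal in the cyclic subgroup <p>, not the DCP- or DP-based variant of the paper's Figure 3, whose details are not reproduced on this page. The closing `discrete_log` routine is the check for the Pohlig-Hellman caveat given above: it recovers any exponent from a public token in polynomial time.

```python
import math
import secrets

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
N = sum(PRIMES)                # 381
ORDER = math.prod(PRIMES)      # |<p>| = 53# = 32589158477190044730


def make_generator():
    """Fixed element of S381 with one cycle per prime length (consecutive blocks).
    Deterministic for reproducibility; the paper draws a random one instead."""
    p = list(range(N))
    start = 0
    for length in PRIMES:
        for k in range(length):
            p[start + k] = start + (k + 1) % length
        start += length
    return p


def compose(a, b):
    """(a*b)[x] = a[b[x]]: apply b first, then a. Pure index shuffling, no arithmetic."""
    return [a[x] for x in b]


def inverse(a):
    inv = [0] * len(a)
    for i, x in enumerate(a):
        inv[x] = i
    return inv


def power(p, e):
    """Square-and-multiply in the permutation group: O(log e) compositions."""
    result = list(range(len(p)))
    base = p
    while e:
        if e & 1:
            result = compose(result, base)
        base = compose(base, base)
        e >>= 1
    return result


# --- Diffie-Hellman in the cyclic subgroup <p> (p is the agreed public generator) ---
def dh_keypair(p):
    x = secrets.randbelow(ORDER - 2) + 2       # secret exponent in [2, ORDER-1]
    return x, power(p, x)                      # (secret, public token p^x)


def dh_shared(secret, peer_token):
    return power(peer_token, secret)           # (p^y)^x == (p^x)^y


# --- Textbook generalized ElGamal in <p>: assumed here, not the paper's DCP/DP variant ---
def elgamal_encrypt(p, y, m):
    """y = p^b is the recipient's public token; m is any element of S381."""
    k = secrets.randbelow(ORDER - 2) + 2
    c1 = power(p, k)
    c2 = compose(m, power(y, k))
    return c1, c2


def elgamal_decrypt(b, c1, c2):
    s = power(c1, b)                           # = p^(b*k) = y^k
    return compose(c2, inverse(s))


# --- Pohlig-Hellman check: the DLP in <p> is easy because |<p>| is a product of small primes ---
def discrete_log(p, t):
    """Solve t = p^x for x mod ORDER. For a cycle of p of length L containing a, t[a] lies
    x steps along that cycle, so counting steps from a to t[a] gives x mod L; the residues
    are combined by CRT. Assumes pairwise coprime cycle lengths, as in this construction."""
    seen = [False] * len(p)
    x, mod = 0, 1
    for a in range(len(p)):
        if seen[a]:
            continue
        steps, cur, length = {}, a, 0
        while cur not in steps:                # walk the cycle through a once
            steps[cur] = length
            seen[cur] = True
            cur = p[cur]
            length += 1
        r = steps[t[a]]                        # x mod length
        x = x + mod * ((r - x) * pow(mod, -1, length) % length)
        mod *= length
    return x


if __name__ == "__main__":
    p = make_generator()
    a, ta = dh_keypair(p)
    b, tb = dh_keypair(p)
    print("shared secrets agree:", dh_shared(a, tb) == dh_shared(b, ta))
    print("Bob's exponent recovered from tb:", discrete_log(p, tb) == b)
```

Every step is composition or inversion of length-381 index lists, which is the "combinatorial operations only" property the paper emphasises; the same property is what makes `discrete_log` run in a few hundred list lookups, so the subgroup order contributes no DLP hardness on its own.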

CONCLUSIONS
We developed a PQC solution using the symmetric group as the embedding structure. This approach fits into non-commutative cryptography. The random selection of high-order elements is easy to obtain and leads naturally to big cyclic subgroups, where the DCP or the DP are hard to solve. Permutation group operations like integer mapping, composition (multiplication) and powering have easy solutions. It relies only on simple combinatorial operations, with no need for arithmetic or big-number libraries. This feature would

Once the generator is agreed upon, the protocol follows as usual with the selection of random secret exponents by each entity and the subsequent exchange of public tokens.

Figure 1. Parameter definitions. The last values of the second and third lists are, respectively, the selected degree of the symmetric group and the order of the cyclic subgroup generated by a random permutation whose cycle lengths are given by the first list.

Figure 1. Random permutation p, generator of the cyclic subgroup <p> belonging to S381. This public value could be agreed upon in advance or transferred to the second entity by the initiator.

Figure 2. Embedded cycle lengths of p and the order of the cyclic subgroup <p>, both public and fixed parameters.

Figure 5. Bob's public token tb = p^b.

Generalized ElGamal Cipher. Here we use the Fig. 3a variation based on DCP.