
    Why you cannot even hope to use Gröbner bases in cryptography: an eternal golden braid of failures

    In 1994, Moss Sweedler's dog proposed a cryptosystem, known as Barkee's Cryptosystem, together with its cryptanalysis. Its explicit aim was to dispel the proposal of using the urban legend that "Gröbner bases are hard to compute" in order to devise a public key cryptography scheme. Therefore he claimed that "no scheme using Gröbner bases will ever work". Later, further variations of Barkee's Cryptosystem were proposed on the basis of another urban legend, related to the infiniteness (and consequent uncomputability) of non-commutative Gröbner bases; unfortunately, Pritchard's algorithm for computing (finite) non-commutative Gröbner bases was already available at that time and was sufficient to crash the system proposed by Ackermann and Kreuzer. The proposal by Rai, where the private key is a principal ideal and the public key is a bunch of polynomials within this principal ideal, is surely immune to Pritchard's attack but not to Davenport's factorization algorithm. It was recently adapted, specializing and extending Stickel's Diffie–Hellman protocols, to the setting of Ore extensions. We here propose a further generalization and show that such protocols can be broken simply via polynomial division and Buchberger reduction.

    Polly Cracker, revisited


    Weyl Gröbner Basis Cryptosystems

    In this thesis, we shall consider a certain class of algebraic cryptosystems called Gröbner Basis Cryptosystems. In 1994, Koblitz introduced the Polly Cracker cryptosystem, which is based on the theory of Gröbner bases in commutative polynomial rings. The security of this cryptosystem relies on the fact that the computation of Gröbner bases is, in general, EXPSPACE-hard. Cryptanalysis of these commutative Polly Cracker type cryptosystems is possible by using attacks that do not require the computation of a Gröbner basis for breaking the system, for example, the attacks based on linear algebra. To secure these (commutative) Gröbner basis cryptosystems against various attacks, Ackermann and Kreuzer, among others, introduced a general class of Gröbner Basis Cryptosystems that are based on the difficulty of computing module Gröbner bases over general non-commutative rings. The objective of this research is to describe a special class of such cryptosystems by introducing the Weyl Gröbner Basis Cryptosystems. We divide this class of cryptosystems into two parts, namely the (left) Weyl Gröbner Basis Cryptosystems and the Two-Sided Weyl Gröbner Basis Cryptosystems. We suggest using Gröbner bases for left and two-sided ideals in Weyl algebras to construct specific instances of such cryptosystems. We analyse the resistance of these cryptosystems to the standard attacks and provide computational evidence that secure Weyl Gröbner Basis Cryptosystems can be built using left (resp. two-sided) Gröbner bases in Weyl algebras.

    Homomorphic encryption in algebraic settings

    PhD Thesis
    Cryptography methods have been around for a long time to protect sensitive data. With data sets becoming increasingly large, we wish not only to store sensitive data in public clouds but in fact to analyse and compute there too. The idea behind homomorphic encryption is that encryption preserves the structure and allows us to perform the same operations on ciphertexts as we would on the plaintexts. A lot of the work so far restricts the operations that can be performed correctly on ciphertexts. The goal of this thesis is to explore methods for encryption which should greatly increase the amount of analysis and computation that can be performed on ciphertexts. First of all, we will consider the implications of quantum computers on cryptography. There has already been research conducted into quantum-resistant encryption methods. The particular method we will be interested in is still classical. Since we are assuming these schemes are going to be used in a post-quantum world anyway, we look at how we can use quantum properties to improve the cryptosystem. More specifically, we aim to remove a restriction that naturally comes with the scheme, which limits how many operations we can perform on ciphertexts. Secondly, we propose a key exchange protocol that works in a polynomial ideal setting. We do this so that the key can be used for a homomorphic cryptography protocol. The advantage of using key exchange over a public key system is that a large proportion of the process needs to be carried out only once, instead of needing a more complicated encryption function for each piece of data. Polynomial rings are an appropriate choice of structure for this particular type of scheme as they allow us to do everything we need. We will examine how we can perform computation correctly on ciphertexts and address some of the potential weaknesses of such a process.
Finally, after establishing a fully homomorphic encryption system, we will take a more in-depth look at complexity. Measuring the complexity of mathematical problems is, of course, crucial in cryptography, but the choice of measure is something we need to consider seriously. In the final chapter we will look at generic complexity, as it gives us a good feel for how difficult the typical instances of a problem are to solve.
    Engineering and Physical Sciences Research Council, Centre for Doctoral Training in Cloud Computing for Big Dat

    CRYPTOSYSTEMS.

    Abstract. In [2], Stanislav Bulygin presents a chosen-ciphertext attack against certain instances of noncommutative Polly Cracker-type cryptosystems which were proposed in [7] and [9]. In this article, we present generalized versions of this attack, which can be used against virtually all Polly Cracker-type cryptosystems. We then present a simple but effective technique to counter these attacks. We also present a technique to counter an adaptive chosen-ciphertext attack which was first described by Neil Koblitz in [8].

1. Preliminaries

1.1. Noncommutative Gröbner bases. We begin with some background on the theory of noncommutative Gröbner bases, on which noncommutative Polly Cracker-type cryptosystems are based. Most of the theory is analogous to commutative Gröbner basis theory. However, one significant difference is that, unlike the commutative case, most ideals of noncommutative algebras do not have finite Gröbner bases. We refer the reader to [6] for details.

Let $K$ be a finite field, and let $K\langle x_1, x_2, \dots, x_n \rangle$ be the free associative algebra in $n$ non-commuting variables. By a monomial, we mean a (finite) noncommutative word in the alphabet $\{x_1, x_2, \dots, x_n\}$. We use the letter $B$ to denote the set of monomials, and note that if $f \in K\langle x_1, x_2, \dots, x_n \rangle$, then $f$ can be represented as $f = \sum_i \alpha_i b_i$, where $\alpha_i \in K$ with only finitely many $\alpha_i \neq 0$, and $b_i \in B$. If the coefficient of $b_i$ in $f = \sum_j \gamma_j b_j$ is not zero, then $b_i$ is said to occur in $f$. Next, we define multiplication in $B$ by concatenation, and note that $B$ is a multiplicative $K$-basis of $R = K\langle x_1, x_2, \dots, x_n \rangle$, i.e. $B$ is a $K$-basis of $R$ and $b, b' \in B$ implies that $b \cdot b' \in B$. We say that an ideal $I$ in $K\langle x_1, x_2, \dots, x_n \rangle$ is a monomial ideal if it can be generated by elements of $B$. A well-order $>$ on $B$ is said to be admissible if it satisfies the following conditions for all $p, q, r, s \in B$:
1. if $p < q$ then $pr < qr$;
2. if $p < q$ then $sp < sq$; and
3. if $p = qr$ then $p \geq q$ and $p \geq r$.

If $>$ is an admissible order on the monomials and $f \in K\langle x_1, x_2, \dots, x_n \rangle$, we say that $b_i$ is the tip of $f$, denoted $\mathrm{tip}(f)$, if $b_i$ occurs in $f$ and $b_i \geq b_j$ for all $b_j$ occurring in $f$. We denote the coefficient of $\mathrm{tip}(f)$ by $\mathrm{Ctip}(f)$. Furthermore, if $X \subseteq K\langle x_1, x_2, \dots, x_n \rangle$, then we write $\mathrm{Tip}(X) = \{b \in B : b = \mathrm{tip}(f) \text{ for some nonzero } f \in X\}$ and $\mathrm{NonTip}(X) = B - \mathrm{Tip}(X)$.