Abstract. In this paper we present a new key establishment protocol based on the decomposition problem in non-commutative groups which is: given two elements w, w1 of the platform group G and two subgroups A, B ⊆ G (not necessarily distinct), find elements a ∈ A, b ∈ B such that w1 = awb. Here we introduce two new ideas that improve the security of key establishment protocols based on the decomposition problem. In particular, we conceal (i.e., do not publish explicitly) one of the subgroups A, B, thus introducing an additional computationally hard problem for the adversary, namely, finding the centralizer of a given finitely generated subgroup. 1.

The purpose of the paper is to give new key agreement protocols (a multi-party extension of the protocol due to Anshel-Anshel-Goldfeld and a generalization of the Diffie-Hellman protocol from abelian to solvable groups) and a new homomorphic public-key cryptosystem. They rely on difficulty of the conjugacy and membership problems for subgroups of a given group. To support these and other known cryptographic schemes we present a general technique to produce a family of instances being matrix groups (over finite commutative rings) which play a role for these schemes similar to the groups Z ∗ n in the existing cryptographic constructions like RSA or discrete logarithm. Partially supported by RFFI, grants, 03-01-00349, NSH-2251.2003.1. The paper was done during the

There are several public key establishment protocols as well as complete public key cryptosystems based on allegedly hard problems from combinatorial (semi)group theory known by now. Most of these problems are search problems, i.e., they are of the following nature: given a property P and the information that there are objects with the property P, find at least one particular object with the property P. So far, no cryptographic protocol based on a search problem in a non-commutative (semi)group has been recognized as secure enough to be a viable alternative to established protocols (such as RSA) based on commutative (semi)groups, although most of these protocols are more efficient than RSA is. In this paper, we suggest to use decision problems from combinatorial group theory as the core of a public key establishment protocol or a public key cryptosystem. Decision problems are problems of the following nature: given a property P and an object O, find out whether or not the object O has the property P. By using a popular decision problem, the word problem, we design a cryptosystem with the following features: (1) Bob transmits to Alice an encrypted binary sequence which Alice decrypts correctly with probability “very close ” to 1; (2) the adversary, Eve, who is granted arbitrarily high (but fixed) computational speed, cannot positively identify (at least, in theory), by using a “brute force attack”, the “1 ” or “0 ” bits in Bob’s binary sequence. In other words: no matter what computational speed we grant Eve at the outset, there is no guarantee that her “brute force attack ” program will give a conclusive answer (or an answer which is correct with overwhelming probability) about any bit in Bob’s sequence.

Recent advances in wireless sensor networks (WSNs) have led to many new promising applications including habitat monitoring and target tracking. However, data communication between nodes consumes a large portion of the total energy consumption of the WSNs. Consequently, data aggregation techniques can greatly help to reduce the energy consumption by eliminating redundant data traveling back to the base station. The security issues such as data integrity, confidentiality, and freshness in data aggregation become crucial when the WSN is deployed in a remote or hostile environment where sensors are prone to node failures and compromises. There is currently research potential in securing data aggregation in the WSN. With this in mind, the security issues in data aggregation for the WSN will be discussed in this paper. Then, the adversarial model that can be used in any aggregation scheme will be explained. After that, the ”state-of-the-art ” proposed secure data aggregation schemes will be surveyed and then classified into two categories based on the number of aggregator nodes and the existence of the verification phase. Finally, a conceptual framework will be proposed to provide new designs with the minimum security requirements against certain type of adversary. This framework gives a better understanding of those schemes and facilitates the evaluation process.

The aims of this research are to give a precise description of a new homomorphic public-key encryption scheme proposed by Grigoriev and Ponomarenko [7] in 2004 and to break Grigoriev and Ponomarenko homomorphic public-key cryptosystem. Firstly, we prove some properties of linear fractional transformations. We analyze the Xn-representation algorithm which is used in the decryption scheme of Grigoriev and Ponomarenko homomorphic public-key cryptosystem and by these properties of the linear fractional transformations, we correct and modify the Xn-representation algorithm. We implement the modified Xn-representation algorithm by program-ming it and we prove the correctness of the modified Xn-representation algorithm. Secondly, we find an explicit formula to compute the X(n, S)-representations of ele-ments of the group Γn. The X(n, S)-representation algorithm is used in the decryp-tion scheme of Grigoriev and Ponomarenko homomorphic public-key cryptosystem and we modify the X(n, S)-representation algorithm. We implement the modified X(n, S)-representation algorithm by programming it and we justify the modified

Abstract Homomorphic encryption schemes on groups have been extensively studied and are impor-tant in many cryptographic protocols, such as, e. g., voting protocols. All known schemes are homomorphic on abelian groups. In this paper we initiate the study of homomorphic encryp-tion schemes on non-abelian groups. Our interest in non-abelian groups is motivated by the observation that a homomorphic encryption scheme on (the non-abelian) group S7, the sym-metric group on seven elements, allows to construct an algebraically homomorphic encryption scheme on (Z/2Z, +, *). Whether such an algebraically homomorphic scheme exists has beenan open question for more than 20 years. We can not settle this question here either, but we suggest in this paper a homomorphic encryption scheme on S3, the first encryption scheme ona non-abelian group we are aware of. An algebraically homomorphic encryption scheme can also be obtained from a homomorphicencryption scheme on the matrix group ( SL(3, 2), *). We also give candidate families of prob-abilistic homomorphic embeddings of ( SL(3, 2), *) into large matrix groups that appear not tobe easily invertible by, e. g., linear algebra techniques. The techniques used in this construction may be of independent interest. Keywords: Homomorphic encryption, Computing on encrypted data, Algebraically homo-morphic encryption schemes, Non-abelian groups 1 Introduction Rivest et al. asked already in 1978 in [16] for encryption schemes with additional homomorphic properties that allow for computation on encrypted data. An algebraically homomorphic encryption scheme is a homomorphic encryption scheme on (Z/2Z, +, *) and allows to compute E(x + y) and E(xy) from E(x), E(y). Such a scheme allows to evaluate general circuits on encrypted inputs. These schemes have explicitely been asked for in [5].

Abstract. Cryptography based on noncommutative algebra still suffers from lack of schemes and lack of interest. In this work, we show new constructions of cryptosystems based on group invariants and suggest methods to make such cryptosystems secure in practice. Cryptographers still cannot prove security in its cryptographic sense or even reduce it to some statement about regular complexity classes. In this paper we introduce a new notion of cryptographic security, a provable break, and prove that cryptosystems based on matrix group invariants and also a variation of the Anshel-Anshel-Goldfeld key agreement protocol for modular groups are secure against provable worst-case break unless NP ⊆ RP. 1