
3-2 A Functional Cryptosystem Using a Group Action
YAMAMURA Akihiro

The main purpose of this paper is to examine applications of group theoretical concepts to cryptography. We construct a backward deterministic system employing the action of the modular group on the upper half plane and the amalgamated free product structure of the group. We invent a geometrical algorithm that finds the normal form of an element of the modular group effectively. This algorithm makes our backward deterministic system tractable. Using the backward deterministic system, we invent a public-key cryptosystem in terms of a functional cryptosystem.

Keywords
Public-key cryptosystem, Functional cryptosystem, Backward deterministic system, Modular group, Amalgamated free product

1 Introduction

Many public-key cryptosystems depend on the difficulty of solving a few specific problems such as finding the prime factorization of a composite number and the discrete logarithm problem. While the existing systems depending on the hardness of these problems are considered secure, there is still deep concern about the security of these systems. Shor [8] invented a fast algorithm for prime factorization and the discrete logarithm problem based on quantum computing. Adleman [1] also reported that a DNA computer solves a 7 vertex and 14 edge instance of the Hamiltonian path problem. An attempt to construct hardware specialized for the factorization problem is under way. Therefore we should avoid the situation that all the cryptosystems in hand depend on a few principles. Our intention is to provide backup cryptosystems for the currently working cryptosystems depending on the difficulty of solving a few specific problems. We propose a public-key cryptosystem as a first step toward inventing a scheme of cryptography using new technologies from mathematics other than number theory. We employ the modular group and import several ideas from combinatorial group theory. The encryption and decryption of our cryptosystem are based on the uniqueness of a certain expression of an element of the modular group and its action on the upper half plane.

First, we briefly review a functional cryptosystem, which is the basic scheme of ours. We give the definitions of a backward deterministic system and a morphism between two backward deterministic systems. Then we demonstrate how to construct a backward deterministic system using a group action on a certain space.

Secondly, we recall basic results on combinatorial group theory. An amalgamated free product of groups is introduced and explained. The modular group is the group of 2×2 matrices over rational integers with determinant one. It is known that the modular group is an amalgamated free product of finite cyclic groups. We give a geometrical algorithm that finds the normal form of a matrix in the modular group using the action of the modular group on the upper half plane. The algorithm is very efficient because of its geometrical nature.

YAMAMURA Akihiro 101

Thirdly, we provide a public-key cryptosystem in terms of a backward deterministic system using the action of the modular group on the upper half plane. A similar cryptosystem using the modular group was introduced in [14]. Our approach is different from it in that ours is based on a functional cryptosystem and also our decryption algorithm is faster. We explain the public key, the private key, the encryption and decryption methods. We discuss security issues of the system.

2 Functional cryptosystems

The concept of a functional cryptosystem was introduced to build a public-key cryptosystem using grammar theoretical concepts (see [4], [5], [10], [11], [12]). In this section we review several concepts and terminologies.

Let Ω be a set and f_i (i ∈ I) a function of Ω into Ω, where I is a finite set. We suppose that there is an element x ∈ Ω such that if we have

where i_1, i_2, ..., i_n, j_1, j_2, ..., j_m ∈ I, k = 1, 2, ..., n, then n = m and i_k = j_k. The triple ({f_i (i ∈ I)}, x, Ω) is called a backward deterministic system. Now let ({f_i (i ∈ I)}, x, Ω) and ({g_i (i ∈ I)}, y, Ω′) be backward deterministic systems. A morphism of ({f_i (i ∈ I)}, x, Ω) to ({g_i (i ∈ I)}, y, Ω′) is a mapping φ : Ω → Ω′ satisfying φ(x) = y and also φ ∘ f_i = g_i ∘ φ for each i ∈ I. Assume that p = f_{i_1} f_{i_2} ... f_{i_n}(x). Let q = φ(p). Then we have

Note that the morphism φ preserves information on the sequence i_1, i_2, ..., i_n. We employ backward deterministic systems to construct a public-key cryptosystem. The most significant point in making up a public-key cryptosystem is to supply a trapdoor. In the case of a functional cryptosystem, the idea is to find two backward deterministic systems with distinct complexities and an effectively computable morphism between them. We require one of the backward deterministic systems, ({f_i (i ∈ I)}, x, Ω), to be harder than the other in the following sense: Let p = f_{i_1} f_{i_2} ... f_{i_n}(x). If we are given the point p on Ω, we have no efficient way to find how we apply the f_i's on x to get the point p. We remark that there is a unique way to obtain p by applying the f_i's on x, since ({f_i (i ∈ I)}, x, Ω) is backward deterministic. On the other hand, the other backward deterministic system ({g_i (i ∈ I)}, y, Ω′) is feasible, that is, if we have q = g_{i_1} g_{i_2} ... g_{i_n}(y), there is an efficient algorithm that finds how to apply the g_i's on y to get q. A morphism φ of ({f_i (i ∈ I)}, x, Ω) into ({g_i (i ∈ I)}, y, Ω′) is a part of the trapdoor of the cryptosystem. We publicize the backward deterministic system ({f_i (i ∈ I)}, x, Ω) and keep ({g_i (i ∈ I)}, y, Ω′) and φ secret. A message sender encrypts a message i_1 i_2 ... i_n into the composition f_{i_1} f_{i_2} ... f_{i_n} of the mappings, computes the point p = f_{i_1} f_{i_2} ... f_{i_n}(x) on Ω and then sends p to a legal receiver. The legal receiver applies the trapdoor to the encrypted text p and gets q = φ(p). Since φ is a morphism of the backward deterministic systems, we have q = g_{i_1} g_{i_2} ... g_{i_n}(y). Then the legal receiver can obtain the sequence of the mappings g_{i_1} g_{i_2} ... g_{i_n} using the efficient algorithm for ({g_i (i ∈ I)}, y, Ω′). Hence, the original message i_1 i_2 ... i_n can be obtained by the legal receiver. On the other hand, an eavesdropper may be able to get a message p, and ({f_i (i ∈ I)}, x, Ω) is public information. However, the eavesdropper cannot obtain the sequence of mappings f_{i_1} f_{i_2} ... f_{i_n} from the information p and the backward deterministic system ({f_i (i ∈ I)}, x, Ω), since the system ({f_i (i ∈ I)}, x, Ω) is intractable. Therefore, the cryptosystem is secure in principle. If we can find a pair of backward deterministic systems and a morphism satisfying the computational complexity requirements, we can employ them to build a public-key cryptosystem. This type of cryptosystem is called a functional cryptosystem.

102 Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005

We now propose a functional cryptosystem using a group action on a certain object in mathematics. Let G be a group and Ω a non-empty set (or some other mathematical object). We say that G acts on Ω if there is a mapping of G × Ω into Ω (we usually denote the image of (g, x) under this mapping by gx) satisfying the following:
(i) For a, b ∈ G and x ∈ Ω, we have (ab)x = a(bx).
(ii) For x ∈ Ω, we have 1x = x where 1 is the identity element of G.
Suppose that a group G acts on a set Ω. Then each element g of G can be regarded as a one-to-one function of Ω onto Ω under the rule x ↦ gx. Now we consider a homomorphism φ of a group G acting on a set Ω to a group H acting on a set Ω′. Assume that a mapping f of Ω into Ω′ satisfies f(gx) = φ(g) f(x) for each g ∈ G and x ∈ Ω. Let g_i ∈ G (i ∈ I) and x ∈ Ω. Suppose that ({φ(g_i) (i ∈ I)}, f(x), Ω′) is a backward deterministic system. Then clearly ({g_i (i ∈ I)}, x, Ω) is also a backward deterministic system. The mapping f is a morphism between the two systems. We offer a concrete example of such a functional cryptosystem using the modular group in Section 5.

3 Amalgamated free products

Combinatorial group theory is the study of presentations of groups by generators and relators. Many results concerning algorithms on words or sequences on an alphabet have been obtained in this area of mathematics. This simply implies that concepts in combinatorial group theory mesh with the theory of algorithms on words or sequences. In fact the modular group is employed in [14] to construct a cryptosystem. In this section we introduce several concepts from combinatorial group theory for our later use. For more details we refer the reader to [2], [7], [9]. Let X be a non-empty set and R a set of words on X ∪ X^{-1}. A group G is said to have a presentation Gp(X | R) if G is a quotient group of a free group F(X) on the set X by the normal subgroup N generated by the set R, that is, G = F(X)/N. An amalgamated free product is one of the most important constructions in combinatorial group theory. Intuitively, a free product of groups G_1 and G_2 amalgamating a subgroup H is a group containing the groups G_1 and G_2 such that the intersection of G_1 and G_2 is exactly H. We now give the formal definition of an amalgamated free product of groups. Let G_1, G_2 be groups. Suppose that H_1 (resp. H_2) is a subgroup of G_1 (resp. G_2). We also assume that φ : H_1 → H_2 is an isomorphism. Then the free product of G_1 and G_2 amalgamating H_1 and H_2 is the group presented by

where this presentation is an abbreviated form of the following presentation

provided that the groups G_1 and G_2 have the presentations

and

The amalgamated free product is usually denoted by G_1 *_{H_1 = H_2} G_2. We usually identify the subgroups in the group G_1 *_{H_1 = H_2} G_2. The most important aspect of an amalgamated free product is that every element in an amalgamated free product is expressed uniquely in a certain fashion. We introduce the concept of the normal form of an element of an amalgamated free product of groups as follows: Let G be the free product of groups G_1 and G_2 amalgamating H_1 and H_2, that is,

We consider coset decompositions of G_1 by H_1 and G_2 by H_2, respectively. Choose a set of coset representatives for each decomposition. Suppose that {a_i | i ∈ I} is the set of coset representatives of G_1 by H_1 and that {b_j | j ∈ J} is the set of coset representatives of G_2 by H_2. Therefore we have the coset decompositions

and

We suppose that an element g of the group G is written as s_1 s_2 s_3 ... s_{n-1} s_n where s_n is in H = H_1 = H_2, each s_k (k = 1, 2, ..., n-1) is not in H but belongs to either {a_i | i ∈ I} or {b_j | j ∈ J}, such that if s_k is in the former set of coset representatives then s_{k+1} is in the second set or vice versa. Then we say that g has the normal form s_1 s_2 s_3 ... s_{n-1} s_n, and that the expression s_1 s_2 s_3 ... s_{n-1} s_n is of the normal form.

Proposition 1
Every element of G_1 *_{H_1 = H_2} G_2 can be written uniquely as a normal form, that is, if an element g in G_1 *_{H_1 = H_2} G_2 has two normal forms s_1 s_2 s_3 ... s_{n-1} s_n and t_1 t_2 t_3 ... t_{m-1} t_m, then we have n = m and s_j = t_j for each j = 1, 2, ..., n.

For the proof, the reader is referred to [2], [7], [9]. We now suppose that we are given a free product G of finite groups G_1 and G_2 amalgamating a subgroup H. We choose sets of coset representatives of G_1 and G_2 by H. Suppose that g = u_1 u_2 ... u_n is a product of alternating elements from G_1 and G_2, that is, if u_i ∈ G_1 then u_{i+1} ∈ G_2 and vice versa. We give an algorithm that finds the normal form s_1 s_2 ... s_n of g as follows:

Algorithm 1
INPUT: A decomposition u_1 u_2 ... u_n of an element g in G_1 *_{H_1 = H_2} G_2 as a product of an alternating sequence of elements from G_1 and G_2.
OUTPUT: The normal form s_1 s_2 ... s_n of g.
Step 0) We note that u_1 ∈ G_1 or u_1 ∈ G_2. We now assume that u_1 ∈ G_1. Then we have u_1 = s_1 v_1 where s_1 is a representative of H in G_1 and v_1 ∈ H. We rewrite g as g = s_1 v_1 u_2 u_3 ... u_n. We note that s_1 ∈ G_1 and u_2 ∈ G_2. In the case that u_1 ∈ G_2, we do the similar process.
Step 1) We suppose that we have g = s_1 s_2 ... s_m v_m u_t u_{t+1} ... u_n where v_m ∈ H and each s_i is a representative of G_1 or G_2, such that if s_i ∈ G_1 then s_{i+1} ∈ G_2 or vice versa, and also if s_m ∈ G_1 then u_t ∈ G_2 or vice versa. If there is no u_j in the sequence, we have a sequence of the form g = s_1 s_2 ... s_m v_m where v_m is in H. Set s_{m+1} ← v_m. Then we return the normal form g = s_1 s_2 ... s_m s_{m+1} and the algorithm terminates. Now we assume that s_m is a representative of G_1. Then u_t is in G_2 and we can write v_m u_t = s_{m+1} v_{m+1} where s_{m+1} is a representative of G_2 and v_{m+1} ∈ H.
Step 2) If s_{m+1} ∉ H, then we have g = s_1 s_2 ... s_m s_{m+1} v_{m+1} u_{t+1} ... u_n. We should note that s_{m+1} ∈ G_2 and u_{t+1} ∈ G_1. Then go to Step 1). If s_{m+1} ∈ H, then we have s_m s_{m+1} v_{m+1} u_{t+1} ∈ G_1 since s_m, u_{t+1} ∈ G_1 and s_{m+1}, v_{m+1} ∈ H ⊆ G_1. Then we have s_m s_{m+1} v_{m+1} u_{t+1} = s'_m v'_m where s'_m is a representative of G_1 and v'_m ∈ H. Then set s_m ← s'_m and v_m ← v'_m. Then we have g = s_1 s_2 ... s_m v_m u_{t+2} ... u_n. We should note that s_m ∈ G_1 and u_{t+2} ∈ G_2 if it exists (as u_t ∈ G_2). In the case that s_m is a representative of G_2 and u_t is in G_1, we do the dual procedure. Then go to Step 1).

At each stage of Step 2), the number of u_k's is reduced. Hence, the algorithm ends within at most 2n + 1 steps if the length of the input is n. Therefore, Algorithm 1 takes only linear time.

4 The modular group

The group of 2×2 matrices over rational integers with determinant 1 is called the modular group and denoted by SL(2, Z), that is,

This group appears often in the literature of number theory, complex analysis, hyperbolic geometry, discrete group theory and combinatorial group theory. The modular group has been studied profoundly, and hence, we have a lot of technology provided in those areas of mathematics toward creating cryptosystems using it. For more information on the modular group, we refer the reader to [6] and [13].

Let A and B be the matrices in SL(2, Z) given by

Furthermore, it is known that A and B generate SL(2, Z). As a matter of fact, SL(2, Z) has the presentation

This simply implies that SL(2, Z) is the free product of the cyclic group <A> of order 6 and the cyclic group <B> of order 4 amalgamating the cyclic group H = <A^3> = <B^2> = {I, -I} of order 2. Therefore, every element of SL(2, Z) is uniquely written as a normal form. We choose

as the set of coset representatives of H in <A>. We choose

as the set of coset representatives of H in <B>. Then every element in SL(2, Z) is uniquely written as

where s_n is in H and each s_k (k = 1, 2, ..., n-1) is A, A^2 or B such that if s_k is in {A, A^2}, then s_{k+1} is in {B} and vice versa. We note that s_n = ±I since s_n ∈ H = {I, -I}.

We now note that there are infinitely many choices for the matrices A and B. We show how to find matrices A_1 and B_1 that generate SL(2, Z) subject to the relations A_1^6 = B_1^4 = 1 and A_1^3 = B_1^2. The following are proved in [14].

Proposition 2
For a matrix M ∈ SL(2, Z), the matrices A_1 = M^{-1}AM and B_1 = M^{-1}BM generate SL(2, Z) and satisfy the relations A_1^6 = B_1^4 = 1 and A_1^3 = B_1^2.

Proposition 3
There are infinitely many distinct conjugates of A and B.

By the previous two propositions, there are infinitely many choices for the matrices A_1 and B_1 generating SL(2, Z) and subject to the relations A_1^6 = B_1^4 = 1 and A_1^3 = B_1^2. We now review the action of the modular group on the upper half plane of the Gaussian plane. We denote the upper half plane by H, that is,

where C is the field of all complex numbers and Im(z) is the imaginary part of the complex number z. Let M be a matrix in SL(2, Z). A fractional linear (Möbius) transformation f_M determined by the matrix M is given by: For z ∈ C,

where

It is easy to see that for z ∈ H we have f_M(z) ∈ H. A group action of SL(2, Z) on H is naturally induced as follows: For M in SL(2, Z) and z ∈ H,

Obviously SL(2, Z) acts on H in terms of fractional linear transformations. The equivalence relation on H is induced by the group action as follows: For z_1, z_2 ∈ C, z_1 ~ z_2 if there is M ∈ SL(2, Z) such that Mz_1 = z_2. We refer the interested reader to [6] and [13] for the details of the action of the modular group on the upper half plane H. We now give a geometrical algorithm that finds the normal form (up to ±I) for a given matrix M ∈ SL(2, Z) with respect to the matrices A and B. We define several regions on H (see Fig. 1). Let O be the region

Let P be the region

Let Q be the region

Fig.1 Upper Half Plane

Let R be the region

We note that O is the fundamental domain (see [6] or [13] for more details of the fundamental domain).

We now describe the algorithm that, for a given point z ∈ H which is equivalent to y ∈ O, finds the matrix N such that Nz = y and its normal form using geometry on the upper half plane.

Algorithm 2
INPUT: A point z ∈ H which is equivalent to the point y in the interior of O.
OUTPUT: The matrix N such that Nz = y and its normal form with respect to A and B.
Step 0) Let z be the given point. Let L be the empty list ( ).
Step 1) If z is in O, then return L and the algorithm ends. Otherwise go to Step 2).
Step 2) If z is in P, then set

and push A into L from the right hand side, that is,

if L = (X_1, X_2, ..., X_n) where X_i is A, A^2 or B. If z is in Q, then set

and push A^2 into L from the right hand side, that is,

if L = (X_1, X_2, ..., X_n). If z is in R, then set

and push B into L from the right hand side, that is,

if L = (X_1, X_2, ..., X_n). Then go to Step 1).

Proposition 4
The algorithm above stops within 2n + 1 steps if the length of the normal form for N is n. Moreover, if L = (X_1, X_2, ..., X_n) where X_k is A, A^2 or B, then the normal form for N with respect to A and B is X_1, X_2, ..., X_n up to ±I.

Proof: We note that A and B generate SL(2, Z) and that O is a fundamental domain of H. It follows that every point p on the upper half plane can be written as

where q is in O and M ∈ SL(2, Z). Furthermore, it is easy to verify that

and

Suppose that N is in SL(2, Z) and that its normal form is X_1, X_2, ..., X_n where X_k is A, A^2 or B for each k = 1, 2, ..., n up to ±I. Take an arbitrary point y from O. We can obtain information on the first letter of the normal form from the position of the point Ny on the upper half plane. If X_1 is A, then Ny must lie in P. If X_1 is A^2, then Ny must lie in Q. If X_1 is B, then Ny must lie in R. For instance, if X_1 X_2 = AB, then Ny must be in P and we obtain X_1 = A and X_2 = B. Similarly we can deduce the other cases. We should note that the algorithm ends exactly in n steps if the length of the normal form is n.

To find the matrix N and its normal form with respect to A and B, one can employ the standard reduction algorithm (Algorithm 7.4.2 in [2]) to find a decomposition of the matrix into some matrices and then apply Algorithm 1; however, Algorithm 2 seems much faster than the combination of the reduction algorithm and Algorithm 1. We should also remark that since we can find the normal form for a matrix M ∈ SL(2, Z) with respect to the matrices A and B within linear time using Algorithm 2, we can also find the normal form for M with respect to the other generators A_1 and B_1 of SL(2, Z) satisfying the relations A_1^6 = 1 = B_1^4 and A_1^3 = B_1^2 by using Algorithm 1 and Algorithm 2 consecutively within linear time.

5 A functional cryptosystem using the modular group

Let us define two backward deterministic systems using the action of SL(2, Z) on the upper half plane and apply the scheme of functional cryptosystems in Section 2. Let A_1 and B_1 be generators of SL(2, Z) subject to A_1^6 = B_1^4 = 1 and A_1^3 = B_1^2. We have seen that there are infinitely many choices for A_1 and B_1. We choose words V_1, V_2 on the letters A_1 and B_1 such that V_1 and V_2 generate a free subsemigroup of SL(2, Z), that is, if two words X_1 and X_2 on V_1 and V_2 coincide as elements of SL(2, Z), then X_1 and X_2 are identical as words on V_1 and V_2. Furthermore, we require that every concatenation of V_1 and V_2 is in the normal form with respect to A_1 and B_1, that V_1 is not an initial segment of V_2 and that V_2 is not an initial segment of V_1. For example, the matrices (B_1 A_1)^i and (B_1 A_1^2)^j form a free subsemigroup of SL(2, Z) for all positive integers i and j and satisfy our requirements. It is easy to find such a pair of matrices in general using the combinatorics on words. We choose a matrix M arbitrarily from GL(2, C) and set

Recall that GL(2, C) is the group of all 2×2 invertible matrices over the complex number field C. We note that W_1 and W_2 are in SL(2, C) since for each i = 1, 2 we have

We should note that SL(2, C) acts on the upper half plane H in the same way as SL(2, Z) acts on H in terms of fractional linear transformations. Let Ω = M^{-1}H = {M^{-1}q | q ∈ H}. Let p be a point on Ω such that the point Mp is in the interior of the fundamental domain O. Therefore SL(2, Z) acts faithfully on Mp up to ±I, that is, if LMp = NMp for L, N ∈ SL(2, Z) then we have L = ±N. Let f_M : Ω → H be the fractional linear mapping defined by f_M(q) = Mq. Let G = M^{-1} SL(2, Z) M. The homomorphism φ : G → SL(2, Z) is given by φ(N) = MNM^{-1}. Then it is easy to see that f_M(Nx) = φ(N) f_M(x) for each N ∈ G and x ∈ Ω. We can easily verify that ({W_1, W_2}, p, Ω) and ({V_1, V_2}, f_M(p), H) are backward deterministic using the uniqueness of normal forms of a matrix in the modular group. Obviously f_M is a morphism between them. We follow the scheme described in Section 2 to build a functional cryptosystem using these backward deterministic systems.

Public-key:
The public-key is the backward deterministic system ({W_1, W_2}, p, Ω).
Private-key:
The private-key is the backward deterministic system ({V_1, V_2}, f_M(p), H).
We suppose that the plaintext to be sent is the sequence i_1 i_2 ... i_n where i_k ∈ {1, 2} for k = 1, 2, ..., n.
Encryption method:
Compute the matrix W_{i_1} W_{i_2} ... W_{i_n} and call this matrix E. We note that

Then, let E act on the point p on Ω by the fractional linear mapping determined by the matrix E. Compute the point f_E(p) = Ep and call it q, that is, q = Ep. Since G acts on Ω, the point q is on Ω. Now the point q is sent to a legal receiver. Therefore q is the cryptotext for the original message i_1 i_2 ... i_n.
Decryption method:
Employing Algorithm 2, the legal receiver finds the normal form X_1, X_2, ..., X_l where X_k is A or A^2 or B for k = 1, 2, ..., l such that Mq = X_1 X_2 ... X_l (Mp). We denote the matrix X_1 X_2 ... X_l by N. Hence, Mq = N(Mp). Since SL(2, Z) is also generated by A_1 and B_1, both A and B are written as products of the matrices A_1 and B_1. We suppose that A = Z_1(A_1, B_1) and B = Z_2(A_1, B_1) where Z_1(A_1, B_1) and Z_2(A_1, B_1) are words on A_1 and B_1. By substituting Z_1(A_1, B_1) for A and Z_2(A_1, B_1) for B, respectively, the legal receiver gets

where j_k is 1 if X_k is A and j_k is 2 if X_k is B. Employing Algorithm 1, the legal receiver obtains the normal form of N with respect to A_1 and B_1. By the uniqueness of expression of the normal form and our requirements on V_1 and V_2, the legal receiver obtains the sequence V_{i_1} V_{i_2} ... V_{i_n}, and hence, the original plaintext i_1 i_2 ... i_n.

6 Security issues

We briefly discuss security issues in this section. Since the encryption and decryption depend on the free semigroup structures of subsemigroups of the corresponding groups, and conjugation by elements of GL(2, C) preserves the freeness of subsemigroups, an eavesdropper may want to find a matrix N such that NW_1N^{-1}, NW_2N^{-1} are in SL(2, Z). If so, the eavesdropper may be able to use Algorithm 1 and Algorithm 2 to break the cryptosystem. To find such a matrix N it is necessary to solve a system of matrix equations

where U, V, N are unknown such that U, V ∈ SL(2, Z) and N ∈ GL(2, C). This system consists of 11 equations in 12 variables over the field of complex numbers. We note that if N is found then U, V are automatically derived. There are infinitely many solutions for this system of equations in principle, because the number of variables is larger than the number of equations. We know a solution, that is, the matrices M, V_1 and V_2 form one of the solutions. There is no known algorithm to solve a system of equations of this type as far as the author knows. Numerical analysis methods may be able to solve the system of equations; however, they give just an approximation of the solution N. Hence, we do not know whether or not numerical analysis methods really work. Moreover, we can possibly avoid such an attack by restricting the field of complex numbers to a finite extension field of the field of rational numbers. It is possible to realize the field operations of a splitting field of an irreducible polynomial over the field of rational numbers on computers. We should also note that N is not necessarily equal to M and that if N is distinct from M, the eavesdropper still has a problem to decrypt the message, because N does not necessarily yield free generators of a free subsemigroup of SL(2, Z) satisfying our requirements. For, even if matrices U_1 and U_2, words on generators A_2 and B_2 of SL(2, Z) subject to the relations A_2^6 = 1 = B_2^4 and A_2^3 = B_2^2, form a set of free generators of a free subsemigroup, a concatenation of them is not necessarily in the normal form with respect to A_2 and B_2, and hence, there is still trouble retrieving the plaintext.

Another possible attack is to find the matrix E and decompose it directly into a product of W_1 and W_2. There might be a smart way to find and decompose the matrix E. Of course, if the matrix E is found, then the eavesdropper can decompose E by guessing the decomposition and then checking whether or not it gives the correct answer. However, this is a non-deterministic polynomial time algorithm and so takes exponential time. Hence, it is slow for breaking the system. Therefore, the backward deterministic system ({W_1, W_2}, p, Ω) is considered intractable. On the other hand, the backward deterministic system ({V_1, V_2}, f_M(p), H) is tractable because we can employ the geometry of the upper half plane. In mathematics, geometry often provides a fast algorithm, as Algorithm 2 shows. The first backward deterministic system is associated to the space Ω, which is intractable; on the other hand, the second system is associated to the upper half plane, of which we have a good understanding. The difference between the two systems lies in geometry.

7 Conclusion

We explained attempts in [14], [15]. There has been research on attacks on the proposed systems. We would like to take such attacks into consideration and make progress.
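Worked example (added here; not the paper's own code): the following Python carries Algorithm 2 and the Section 5 encryption and decryption through with exact Gaussian-rational arithmetic. Because the page does not reproduce its matrices A and B, the regions of Fig. 1, or a specific M, the code assumes the standard choice A = [[0, -1], [1, 1]], B = [[0, -1], [1, 0]] (so A^6 = B^4 = I and A^3 = B^2 = -I), the regions in the explicit form P = A(O ∪ R), Q = A^2(O ∪ R), R = B(O ∪ P ∪ Q) with O the standard fundamental domain, V_1 = (BA)^2, V_2 = BA^2 and M = [[1, i], [0, 1]]; the decryption routine also rejects points outside the orbit of p, a check the paper leaves implicit.

```python
from fractions import Fraction

class Qi:
    """Exact Gaussian rational a + b*i; exact arithmetic keeps every region test honest."""
    def __init__(self, re, im=0): self.re, self.im = Fraction(re), Fraction(im)
    def __add__(self, o): return Qi(self.re + o.re, self.im + o.im)
    def __mul__(self, o): return Qi(self.re * o.re - self.im * o.im, self.re * o.im + self.im * o.re)
    def __eq__(self, o): return self.re == o.re and self.im == o.im
    def norm2(self): return self.re ** 2 + self.im ** 2
    def __truediv__(self, o):
        n = o.norm2()
        return Qi((self.re * o.re + self.im * o.im) / n, (self.im * o.re - self.re * o.im) / n)

def mat(a, b, c, d):
    return [[e if isinstance(e, Qi) else Qi(e) for e in row] for row in ((a, b), (c, d))]

def mmul(X, Y):
    return [[X[r][0] * Y[0][c] + X[r][1] * Y[1][c] for c in (0, 1)] for r in (0, 1)]

def mpow(X, k):
    return mat(1, 0, 0, 1) if k == 0 else mmul(mpow(X, k - 1), X)

def act(X, z):
    """Fractional linear (Moebius) transformation f_X(z) = (az + b)/(cz + d)."""
    return (X[0][0] * z + X[0][1]) / (X[1][0] * z + X[1][1])

# Assumed concrete generators (the paper's own A and B are not reproduced on the page):
# A^6 = B^4 = I and A^3 = B^2 = -I, so <A> has order 6, <B> has order 4, H = {I, -I}.
A = mat(0, -1, 1, 1)        # A(z) = -1/(z + 1), order 3 on the upper half plane
A2 = mmul(A, A)             # A^2(z) = -1 - 1/z
B = mat(0, -1, 1, 0)        # B(z) = -1/z, order 2 on the upper half plane
Y0 = Qi(0, 2)               # 2i, a point in the interior of the fundamental domain O

def region(z):
    """Region of Fig. 1 containing z, in the assumed explicit form O = {|z|>1, |Re z|<1/2},
    P = A(O u R) = {|z|<1, |z+1|<1}, Q = A^2(O u R) = {|z|>1, Re z<-1/2}, R = B(O u P u Q)."""
    x, n2 = z.re, z.norm2()
    if n2 > 1 and abs(x) < Fraction(1, 2):
        return "O"
    if n2 < 1 and (x + 1) ** 2 + z.im ** 2 < 1:
        return "P"
    if n2 > 1 and x < Fraction(-1, 2):
        return "Q"
    return "R"

def normal_form(w, y=Y0):
    """Algorithm 2 as in the proof of Proposition 4: for w = N*y with y interior to O, the
    region of w reveals the first letter of N's normal form; strip it and repeat."""
    L = []
    while (r := region(w)) != "O":
        if r == "P":   L.append("A");  w = act(A2, w)   # A^{-1} = -A^2 acts on H as A^2
        elif r == "Q": L.append("A2"); w = act(A, w)    # (A^2)^{-1} = -A acts as A
        else:          L.append("B");  w = act(B, w)    # B^{-1} = -B acts as B
    if w != y:   # reached O but not y: w is not in the SL(2, Z)-orbit of y at all
        raise ValueError("point is not N*y for any N in SL(2, Z)")
    return L

# Private key (constructed): V1 = (B A)^2 and V2 = B A^2 generate a free subsemigroup, every
# concatenation is a normal form, neither is a prefix of the other; M is a secret matrix.
I_EXP, J_EXP = 2, 1
V1, V2 = mpow(mmul(B, A), I_EXP), mpow(mmul(B, A2), J_EXP)
M, M_INV = mat(1, Qi(0, 1), 0, 1), mat(1, Qi(0, -1), 0, 1)   # M in SL(2, C), Omega = M^{-1} H
P0 = act(M_INV, Y0)                                          # base point p with M p = 2i in O
# Public key: W_k = M^{-1} V_k M acting on Omega, together with the base point p.
W1, W2 = mmul(mmul(M_INV, V1), M), mmul(mmul(M_INV, V2), M)

def encrypt(msg):
    """msg is a sequence over {1, 2}; the ciphertext is the point E*p, E = W_{i_1}...W_{i_n}."""
    E = mat(1, 0, 0, 1)
    for i in msg:
        E = mmul(E, W1 if i == 1 else W2)
    return act(E, P0)

def decrypt(q):
    """Trapdoor: f_M moves q into H, where M q = N (M p) with N = V_{i_1}...V_{i_n}; Algorithm 2
    recovers the normal form of N and the free-semigroup property parses it into V1/V2 blocks."""
    letters = normal_form(act(M, q), act(M, P0))
    if len(letters) % 2 or letters[0::2] != ["B"] * (len(letters) // 2):
        raise ValueError("normal form is not a word in V1, V2")
    blocks, msg, k = letters[1::2], [], 0        # block 'A' stands for B*A, 'A2' for B*A^2
    while k < len(blocks):
        if blocks[k:k + I_EXP] == ["A"] * I_EXP:
            msg.append(1); k += I_EXP
        elif blocks[k:k + J_EXP] == ["A2"] * J_EXP:
            msg.append(2); k += J_EXP
        else:
            raise ValueError("normal form is not a word in V1, V2")
    return msg
```

Because the arithmetic is exact, the region tests stay correct however long the message is; the trade-off is that the entries of E, and hence the numerators and denominators of the ciphertext point, grow with the message length.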

References
[1] L. M. Adleman, "Molecular computation of solutions to combinatorial problems", Science, Vol. 266, pp. 1021-1024, Nov. 11, 1994.
[2] D. E. Cohen, Combinatorial Group Theory: A Topological Approach, Cambridge University Press, 1989.
[3] H. Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag, New York, 1996.
[4] J. Kari, "A cryptoanalytic observation concerning systems based on language theory", Discr. Appl. Math., Vol. 21, pp. 265-268, 1988.
[5] J. Kari, "Observations concerning a public-key cryptosystem based on iterated morphisms", Theor. Comput. Sci., Vol. 66, pp. 45-53, 1989.
[6] N. Koblitz, Introduction to Elliptic Curves and Modular Forms, Springer-Verlag, New York, 1991.
[7] R. C. Lyndon and P. E. Schupp, Combinatorial Group Theory, Springer-Verlag, New York, 1976.
[8] P. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer", SIAM J. Comp., Vol. 26, pp. 1484-1509, 1997.
[9] J. J. Rotman, An Introduction to Theory of Groups, Springer, New York, 1995.
[10] A. Salomaa, "A public-key cryptosystem based on language theory", Computers and Security, Vol. 7, pp. 83-87, 1988.
[11] A. Salomaa, Public-Key Cryptography, Springer-Verlag, Berlin, 1990.
[12] A. Salomaa and S. Yu, "On a public-key cryptosystem based on iterated morphisms and substitutions", Theor. Comput. Sci., Vol. 48, pp. 283-296, 1986.
[13] J.-P. Serre, A Course in Arithmetic, Springer-Verlag, New York, 1973.
[14] A. Yamamura, "Public-key cryptosystems using the modular group", International Workshop on Practice and Theory in Public Key Cryptography, LNCS Vol. 1431, Springer-Verlag, pp. 203-216, 1998.
[15] A. Yamamura, "A functional cryptosystem using a group action", Information Security and Privacy (ACISP99), LNCS Vol. 1587, Springer-Verlag, pp. 314-325, 1999.

YAMAMURA Akihiro, Ph.D.
Group Leader, Security Fundamentals Group, Information and Networks Systems Department
Information security, Cryptography, Algebraic systems and their algorithms

