| Register
\(\newcommand{\Cat}{{\rm Cat}} \) \(\newcommand{\A}{\mathcal A} \) \(\newcommand{\freestar}{ \framebox[7pt]{$\star$} }\)

1. Cryptanalysis

Open problems in the analysis of some of the schemes discussed at the workshop.

    1. Parameter determination for post-quantum hash functions

          Ramón Flores presented a Tillich-Zémor-style hash function using the Cayley graph of special linear groups in arbitrary dimension. Questions remain, however, about the optimal choice of parameters for use with this protocol.

      Add remark

      Problem 1.1.

      In the design of the hash function one has control over two parameters; the dimension of the special linear group considered, and the characteristic of the underlying field. We would like to determine appropriate choices for both via two branches of cryptanalysis: first, by analysis of the multivariate system implied by long matrix products; and second by direct analysis of group-theoretic properties. We should also study the impact of the partial homomorphicity exhibited by the scheme.

        • Cryptanalysis of SDLP

              Various problems relating to the cryptanalysis, both quantum and classical, of SDLP remain open.

          Add remark

          Problem 1.2.

          On the quantum side the question of quantum equivalence of SDLP and the CDH-type problem underpinning semidirect product key exchange (SCDH) remains unproven, though we have strong cause to suspect their equivalence given the quantum equivalence of the heavily related vectorisation and parallelisation problems. The decomposition attack of Imran and Ivanyos, providing in some cases a reduction of SDLP to the abelian hidden subgroup problem, relies on the quantum ability to quickly compute a composition series of a solvable group. Whether similar quantum speedups in the computation series exist for non-solvable groups remains open.

          On the classical side, we would like to develop a kind of Sylow theory for the projected sets implied by the semidirect product structure. It would also be useful to develop a classical method of computing the size of the acting group when one considers the semigroup variant of SDLP (currently we have only quantum methods).

            • Quantum lower bounds for group-theoretic problems in the generic group model


              Add remark

              Problem 1.3.

              We would like to solidify the credentials of group-theoretic cryptography as post-quantum by developing lower bounds for the quantum complexity of problems arising in group theory. It would be especially nice to develop such a bound for the vectorisation problem, since this underpins many hardness problems in the area.

                • Machine learning-based cryptanalysis of group-theoretic protocols


                  Add remark

                  Problem 1.4.

                  There have been some results in the application of machine learning to the cryptanalysis of lattice-based schemes; whether these methods translate to the group-theoretic realm remains open.

                      Cite this as: AimPL: Post-quantum group-based cryptography, available at http://aimpl.org/postquantgroup.