Sunteți pe pagina 1din 9

Contemporary Volume 418,

Mathematics 2006

Designing Key Tbansport Protocols Using Combinatorial Group Theory G.Baumslag, T.Camps, B.Fine,G.Rosenberger, X.Xu and
Aesrn-q.cr' There have been several proposed cryptosystems translating the classical Diffie-Hellman public key exchange protocol into group theory - specifically nonabelian groups. Braid group based cryptography can be considered among these. Here we examine a somewhat simpler approach to developing key transport protocols based on a nonabelian group having either a large abelian subgroup or two large subgroups which commute elementwise. We then give some sample platform groups for use with this system.

1. Introduction Most common public key cryptosystems and public key exchangeprotocols presently in use, such as the RSA algorithm, Diffie-Heliman, and elliptic curve methods are number theory based and hence depend on the structure of abelian groups. The strength of computing machinery has made these techniques theoretically susceptible to attack and hence there has been a line of research to develop cryptosyste\nsand key exchangeprotocols in nonabelian groups. (See [AAG], [D]' IBFX 1,2], IKLCHKP], IPHKCP],[SU]). The important sourcesof nonabelian groups that can be used in cryptosystemsare combinatorial group theory and linear group theory. Braid group cryptography, where encryption is done within the classical braid groups, is one prominent example. The one way functions in braid group systemsare basedon the difficulty of solving group theoretic decisionprobiems such as the conjugacy problem. Although braid group cryptography had initial spectacular success,various potential attacks have been identified. Borovik, Myasnikov, Shpilrain IBMS] and others have studied the statistical aspectsof these attacks and have identitifed what are termed biack holes in the platform groups outside of which present cryptographic problems. In IBFX 1,2] and [X] potential cryptosystems using a combination of combinatorial group theory and linear groups were suggested and a general schemafor the these types of cryptosystemswas given. In [BFX 2] a public key version of this schema using the classicalmodular group as a platform was presented. A cryptosystem using the the extended modular group S L2(2,) was developed by Yamamura ([Y]) but was subsequently shown to have loopholes
2000 Matherna't'ics Subject Classi,fication. Primary 94460; Secondary 20G20, 20H05. Key words and phrases. Cryptosystem, Free Group, Linear Group, Modular Group, DiffieHellman, Braid group cryptography, Key TYansport protocol.
@)2006 American JO Mathematical

Society

G . B A U I v { S L A G ,T . C A M P S , B . F I N t r , G . R O S t r N I l E R G t r R , A N D X . X U

([BG],lS],[HGS]) I" IBFX 2] attacks based on these loopholeswere closed. It has been suggestedthat at this point further pure group theoretic research,with an eye towards cryptographic applications, is necessary. In particular, although the present braid group cryptosystems may be attackabie the basic group theoretic ideas are important. What is then necessaryis then to look at other (nonabelian) group theoretical methods as well as additional potential platform groups. There have been several proposed cryptosystems translating the classicalDiffie-Hellman public key exchangeprotocol into group theory. Braid group based cryptography can be consideredamong these. In this paper we examine a somewhat simpler approach based on a nonabelian group having either a large abelian subgroup or two large subgroups which elementwise commute. We then present some sample platform groups for use with this system. In the standard Diffie-Hellman system the roles of the communicating parties, Bob and Alice, are symmetric. In the group theoretic analogue that we propose the secret key is determined by one of the parties, say Bob, and then communicated to the other. Hence our method, although based on Diffie-Hellman, actually belongs to the class of key transport protocols (see [BM]). In the next section we describe this group theoretic key transport method and the necessaryconditions that a group must have to be considered as a potential piatform group. In section 3 we give five proposed platform groups that match these criteria. The first uses as a secret key an automorphism of a free group. The encryption is done within a free group and the the platform group for the key exchangeprotocol is Aut(F"), the automorphism group of the free group. The second proposed platform group is ,9Ia (Z) and the abelian subgroups are copies of SLz(Z) given as upper and lower blocks in the whole group. The key is an element of SL+(Z) and the encryption is done within free subgroups of the whole group. The next proposed class of platform groups are the surface braid groups. Part of this material is in the thesis of Xu [X] and the thesis work of Camps [C]. The final two exanlples are abstract - the free product of two free groups with commuting subgroups and residually free groups given as iterated HNN extensions of free groups with the free part part centralizing a given large subgroup. This work can be consideredas part of a general plan to determine appropriate algebraic objects (both commutative and noncom.mutative)that can serve as platof forms for cryptosystems. Security assessments the proposed methods are being consideredin the thesis work of Camps [C].

2.

A Group Theoretic

Key Tlansport

Protocol

Public key exchangeprotocols can be developedusing nonabelian groups. Braid group cryptosystems and key exchange protocols have been developed by Anshel,Anshel,Goldfeld[AAG] and Ko,Lee et.al IKLCHKP]. The article by Dehorny [D] gives a nice discussionof the ideas, both mathematical and cryptographic in these systems. There have been various attacks on the AAG scheme. The key idea in this method is the difficulty of the conjugator search problem in the braid groups. Attacks on this system assume then that the platform group is a braid group. However the key exchange idea suggested by AAG is entirely general and can be applied in a wide variety of platform groups. As suggestedby Dehorny and

GR,OUP THEORETIC DIFFIE HEI,LN{AN

,n

others this calls not for a scrapping of the AAG system but actually calls for further mathematical researchon alternate platform groups and evaluations of these platforms relative to the known attacks. In this paper we use a slightly different method which is a general group theoretic analogueof the classicalDiffie-Hellman protocol. Historically this was the first proposed public key exchange. Recall that the Diffie-Hellman method depends on the difficulty of solving the discrete logarithm problem coupleclwith the fact that exponents commute (see [Xo]). That is given a primitive root g moclp the problem of finding g glen q'. The technique works as follows. Bob and Alice will use a c las s i c a l c ry p to s y s te mb a s e d o n a key k w i th I < k < p-1 w herepi s apri me. A l i ce and Bob must communicate this secret key. Recail that the multiplicative group of the finite field Z, is cyclic and let g be a multiplicative generator. Alice choosesan integer o with I < a Z-p- 1 and makes public g". Bob chooses integer b with an 1 < b < p - l a n d m a k e s p u b l i c A b T h e s e c r e tk e y k i s g " b . B o t h B o b a n d A l i c e , . but presumably no one else, can discover this key. Alice knows a and gb is pubiic from Bob. She can compute gob -- gbo : (gu)". An analogoussituation holds for Bob. An attacker only knows g" and gb. Unless the attacker can solve the discrete log probiem, that is find the base g, the key exchangeis secure. A group theoretic key transport protocol based on the Diffie-Hellman schemecan be developedin the following manner. Supposethat we have a finitely presentedgroup G that can be representedin a nice way - by this we mean either as a matrix group or as words relative to a nice presentation. Rrrther supposethat G has two large subgroups Ar, A, that commute elementwise. Alternatively we could use one large abelian subgroup A of G. The meaning of iarge is, of course, hazv but here means that within G it is difficult to determine when an arbitrary element is in A (or Ar, Ar) and further ,4 (or Ar, Az) is large enough so that random choicescan be made from them. Now supposethat Bob wants to communicate with Alice via an open airway. The secret key telling them which encryption system to use is encoded within the finitely generated group G with the properties given above. The two subgroups Ar, Az which commute elementwiseare kept secret by Bob and Alice. 41 is the subgroup for Bob and A2 the subgroup for Alice. Bob wants to send the key W e G to Alice. He chooses two random elementsBr, Bz Arand sends Alice the message( in encrypted form) BrW F,2. Alice now choosestwo random elements Ct,Cz Az and sendsC1B1WB2C2 back to Bob. These messages appear in the representation of G and hence for example as matrices or as reduced words in the generators so they don't appear as solely concatenation of letters. Since Ar commutes elementwisewith Acwe have c tB tw B 2c2 - B 1C IW C 2B 2. Further since Bob knows his chosen elements 81 and 82 he can multiply by their inverses to obtain CtWCz which he then sends back to Alice. Since Alice knows her chosenelements Or, C2 she can multiply by their inversesto obtain the key W. It is assumed that for each messageBob and Alice would choose different pairs of random elementsfrom either Ay or A2. Notice that although this is roughly based on the Diffie-Heilman method it is not symmetric in the communicating parties. In the present schemethe secret key is completely determined by Bob, who then communicatesit to Alice. The scheme 2.I. The Key Tbansport Protocol.

38

A G.BAUMSLAG,T.CAMPS, B.FINE, G.ROSENBERGER, ND X'XU

then falls into the ciass of key transport protocols rather than public key exchange protocois. Key transport protocols are in most casesdesigned assuming that an underlying encryption system (and usually also a signature verifi.cationsystem) is in place. The security of the key transport protocol will rely on the security of these auxillary schemes(see IBM Chapter 4]). In the group theoretic proposal, the encryption schemeis suggestedto be done within the same group as the key transport protocol alhtough this is not essential. In the group theortic key transport protocol an attacker Eve has knowledge of the The security lies in the difficulty overall group G and a view of encrypted messages. of determining the elementwise commuting subgroups Ar , A2, which are kept secret by Bob and Alice, and in the security of the actual encryption scheme. Security of assessments the method, relative to the particular proposed platform groups, is being carried out in the dissertation work of Camps lC]. Group Theory. The Schemes lJsing Combinatorial 2.2. Encryption problem now is in choosing appropriate platform groups and then encryption systems to which this group theoretic key transport protocol can be applied. We do this in the next section. The encryption systems that we propose to use are based on combinatorial group theory so before presenting these platform groups we briefly describe free group cryptography (seealso IBFX 1,2] or [X]). The basic idea in using combinatorial group theory for cryptography is that elementsof groups can be expressedas words in some alphabet. If there is an easy method to rewrite group elements in terms of these words and further the technique used in this rewriting processcan be supplied by a secret key then a cryptosystem can be created..The books by Baumslag lBl, Lyndon and Schupp ILS] and Magnus, Karrass and Soiitar [MKS], are standard referencesfor material on combinatorial group theory. Consider a free group F on free generatorstr,...,Tr.Then each element g a F h a s a u n i q r l ee x p r e s s i o n s a w o r d W ( r t , . . . , r r ) . L e t W r , . . - , W n w i t h W t : of W t.(rt,...,rr) b e a s e t o f w o rds i n the generators:1g1,..' ,tr, the free group F. A t the most basic level, to construct a cryptosystem, supposethat we have a plaintext alphabet ,4. For example supposeA: {a,b, ...} are the symbols neededto construct in meaningful messages English. To encrypt, use a substitution ciphertext

t - {wt....,wp}.
That is

rhen givena wordw(o,b,...;;#;rrHf';t;habet

formthe rreesroupword

an W (Wr,W2,....) tnis represents elementg F. Sendout g as the secretmessage. In order to implement this scheme we need a concrete representation of g and then for decryption a way to rewrite g back in terms of W1,...,Wk. This concrete representation is the idea behind homomorphic cryptosystems (seethe article of Grigoriev and Ponomarenko [GP]). The decryption algorithm then depends on the Reidemeister-Schreier rewriting process (see [MKS] for full details). Assume Wt,,...,W* are free generators for some subgroup H of F. A Schreier transversal for fI is a set for {hr, ....ht,...} of (left) coset representatives H in F of a special form (again see [MKS] for particular details). Ary subgroup of a free group has a Schreier process allows one to construct a set of transversal. The Reidemeister-Schreier

GROUP THEORETIC DIFFIE HELLMAN

39

generatorsWt,-..,Wk, ... for H by using a Schreiertransversal.Further given the Schreier transversal from which the set of generators for -FI was constructed, the Reidemeister-Schreier Rewriting Process allows us to algorithmically rewrite an element of H. Given such an element expressed a word W : W(-rr,..,rr) as in the generatorsof F this algorithm rewrites w as a word w.(wr,,...,wn) in thi generators of 11. The actual algorithm is described in detail in and [B]. IMKSI What is important from the point of view of making codes secure is that given a set of generatorsit is easy to multiply them as strings in the whole free group. On the other hand even though the membership problem in a free group is solvable, that is it can determined if an element is in a subgroup, it is relalively difficult to determine a Schreiertransversal. Although there are algorithms to accomplishthis these are based for the most part on the knowledge of a homomorphic image of the subgroup and make it harder to determine a transversal given a set of generators than to rewrite using a known transversal. This is analogousto the situation for Grobner bases. Given a Grobner basis the explicit membership problem is computationally relatively easy. On the other hand it is computationally difficult to actually determine a Grobner basis. Work on the vulnerability of Grobner basis based schemesand word rewriting schemesin general can be found in the paper of Gonzalez-Vascoand Steinwandt [GS]. We note that rewriting in terms of the subgroup generatorscan also be accomplishedin a free group via the Stalling foldings method and the construction of a subgroup graph (see [KM]). In a general the free group f' or general overgroup G is-public. The subgroup 11, where the encryption occurs, as well as the Schreier transversal, are t ept secret. There are various attacks on the basic free group system (again see [GS]) so the method must be modified somewhat to thwart these. m 1,2]' ani fnff lX] severai ways to handle such attacks and a general schema for encrypting using free subgroups of finitely presentedgroups was discussed. In particular a random noise method to make them puiblically securewas introduced. This random noise method involved sehding out as messages,not elements of the subgroup lI, but rather elementsin random right cosetsof H (see [BFX 1,2]). 3. Some Proposed Platform Groups

Here we give some proposals for platform groups to be used with the group theoretic key transport protocol described in section 2. A group G is a candidate if it has either a nice finite presentation G:(X;R) or a nice linear representation and has either a iarge abelian subgroup A or two large subgroupsAr, A, that commute elementwise.Although the word large here is ambiguous we mean large enough so that random choices can be made from them. In particular, for example, cyclic subgroupsare inappropriate. There also should be some tie between the group used for the key exchangeand the encryption method although this is not essential. Our first proposed platform group G is Aut(Fi), the automorphism group of a free group Fn of rank n. We assume that n is rather large, say at ieast 5, in order to get reasonablecommuting subgroups. The secret key will be p, a given automorphism of Fn. The encryption itself is in the free group Fn. We assume that we have a representationof Fn and an algorithm to go between the eiements

40G.BAUNISLAG,T.CAMPS,B.FINE,G.ROSENBERGER,ANDX.

of Fn and the representing objects. For exampie a linear representation and the representingmatrices. As in the description of a free group cryptosystem given in the previous section we assumethat we have a free subgroup H : (Wr,...,Wpl and we encrypt by

can This freesubgroup be ffi

is W(a,b,...) written in the plaintext alphabet we form the free group element W(Wr,W2,...).W" then apply our secretautomorphism p to compute ,p(W): W (p(Wt), p(Wr), ...) in the free group Fn. We send out the representedform of this group element. If Alice is the decoder she rewrites the messagein terms of the free group, computes for decryption. e-7 of the transmitted element and then has the appropriate form to steal the message. An attacker must find the appropriate automorphism G : Aut(4) ir an appropriate platfrom group for the proposedgroup theoretic Diffie-Hellman. There is a nice finite presentationfor this group with the generators given by the Whitehead automorphisms(see [Mc I,2]or [LS]).Further if the rank of tn" ambient free group Fn is large enough there is an abundant supply of large elementwisecommuting subgroups in Aut(F-). For example suppose{r1 ,r2,fr3,r 4,Ib,r6} is a free basis. Then those automorphisms which fix {r1 , 12} commutewith those that fi'x {r3, r+, rs}' This is the same idea exploited in braid group cryptography (see [AAG] or [D]). Our second proposed platform group is SLa(Z). The secret key is a 4 x 4 unimodular integral matrix. For Bob's secret subgroup we take the subgroup isomorphic Io S L2(Z) formed by considering those matrices that have elements of SL2(V,) in the upper left hand corner. That is:

hr,1*[';0""",

if our plain text message

Ar : ( (sL'z(z) ?) ) \/

For Alice's secret subgroup we take the correspondingsubgroup formed by placing SL2@) isn the lower right hand corner

^ . 2 - , )/ o r-:'t ( ! s L0 ,@ ) ) ) \o
To hide the special form of these subgroups Bob and Alice actually conjugate each of these subgroupsby a fixed 4 x 4 unimodular integral matrix M. Actual encryption can be done in a free subgroup of SLa(Z) or with any other system. We note that there is a nice algorithni to determine free subgroupsof SLa(Z) and free subgroups of GL,(Z) in general. For n > 3 all the groups GL,(Z) are polycyclic-by-finite. In IBCRS] it was shown that there is an algorithm within poiycyclic-by-finite groups that determines given a finite set of generators a presentation for the subgroup they generate. This From various resuits (see [C]) it follows algorithm can be applied in GL,(Z). of.GL,(Z), generated by m randomly chosen that for a given rn most subgroups matrices, are actually free with those matrices as a basis. Hence to generate a rank m free subgroup within GL.(V,), randomly choosem matrices in this group. Use the algorithm cited above to determine if these are a free basis. If yes we are done. If not randomly chooseanother set. From the probability considerationsthe probability is one that eventually a free subgroup will be chosen.

GROUP THEORETIC DIFFIE HELLMAN

41

As a third possibility for a platform group \Mepropose the surface braid groups. There are various kinds depending on the genus of the surface and whether it is orientable and/or punctured. The number of strands have to be considered too. The presentation of the surface group is finite and easy, the word problem is solvable. The pure braid group on a disc is a subgroup of the surface braid group, therefore its generators and pure braid relations appear in the presentation of the surface braid group. In addition to that we have generators that describe a strand going "through a wall." For a geometric interpretation we identify the surfacegroup of genus g with a polygon with either 49 (orientable surface) or 29 (non-orientable surface) sides. A strand can go through the side of a polygon and either "reappear,, from the opposite side (orientable case) or the adjacent side (non-orientabte). We thus get 2S ( g respectively) additional generators and many new relations. For details see [G] and [Be]. Like SLI(Z) tlne surface braid group also allows various systems for encryption. The surface braid group contains a free group and thus allows the use of the algorithm in free groups as mentioned above. Furthermore it contains commuting subgroups, not only the ones using the pure braid group generators but also ones where the additional generators occur. This provides more complexity for cryptographic computations than the pure braid group, For details see [C]. The final two proposed platforms are more theoretical in nature. The first is a free product of two free groups with commuting subgroups H,K. This has the presentational form \ Ft, Ft;lH, Kl: I)

where F1 and F2 are free groups and 11 and K are arbitrary subgroups of F1 and f'2, respectively. For cryptographic purposes we assume that fI and 1( are noncyclic. Group theoretically such groups are free products with amalgamation (see [FRW]) and thus have nice normal forms. The commuting subgroups ff and K can be used as the elembntwisecommuting subgroupsfor Bob and Alice. The structure of such groups was studied in [FRW] where a geometric Nielsen reduction theory was developed. The final proposed platform group is a fully residually free group with a distinguished abelian subgroup B. This can be constructed in the following manner. Let -F be a free group, / F with / not a proper power. Then G: (t,F; tft-, : f )

is called a rank one extension of centralizers of F. This is a fully residually free group (see [KhM] or IFMGRS] for terminology) and (t, f) generate a free abelian subgroup. We can iterate this procedure and keep track of the structure. We then obtain a fully residually free group with a large abelian subgroup. The theory of fuily residually free groups, both structurally and algorithmically is well developed and played a role in the solution of the Tarski problem (see lKhM]). Becauseof the algorithmic similarities these groups seem to provide good possible extensions to free group cryptography. We would like to thank the referee for many heipful comments as well as some very pertinent references.

A G.BAUMSLAG,T.CAMPS, B.FINE, G.ROSENBERGER, ND X.XU 4. References

[AN] R. Anderson and R. Needham, "RobustnessPrincipie for Public Key Protocols,," Crypto 95 Key [AAG] I.Anshel,NI.Ansheland D.Goldfeid, "An Algebraic Method for Public Cryptography," Math.Res. Lett 6 (1999), 287-291,Springer Verlag fB] G.Baumslag, Top'icszn Combinatorial Group Theory ,,Birkhauser, 1993 of [Be] P.Bellingeri,"On Presentations SurfaceBraid Groups," J. Algebra,274 (2), (2 0 0 4 ),5 4 3 -5 6 3 [BMS] A.Borovik,A.Myasnikov and V. Shpilrain, "Measuring Sets in Infinite Groups," Cont. Math., 298, (2002),2I-42 [BM] C.Boyd and A. Mathuria, Protocols for Authenttcation and Key Establi'shment, Springer-Verlag,2003 IBFX 1] G.Baumslag, B.Fine,and X.Xu, "Cryptosystema Using the Linear Groups," of Proceedi,ng Algebraic Cryptography, ( 2005) IBFX 2] G.Baumslag, B.Fine,and X.Xu, "A Proposed Public Key Cryptosystem Using the Modular Group," Cont. Math, ( 2006),to appear "The Algorithmic Theory IBCRS] G.Baumslag,F.Cannonito,D.Robinson,D.Segal, (1991), 118-149 of Polycyclic-by-FiniteGrouPS," /. Alg. , L42 , IBG] AS.R. Blackburn and S. Galbraith, "Cryptanalysis of Two Cryptosystems Nased on Group Actions," Aduancesi,n CryptologyASIACRYPT 99, Lecture Notes , i n C o mp u te r S c i e n c e1 .7 1 6 ,(1999) ,52-61 [C] T.Camps, "Cryptography Using the Surface Braid Groups," thesis University of Dortmund, In Progress ,,B ra i dB a s e dcryptography," cont. Math.,360 ,(2004),5-34 f D ] P .D e h o rn o y , Groups, Marcel Dekker, 1990 [F] B.Fine, The Algebrai,cTheory of the Bzanchr, and B.Fine,A.Gaglione,A.Myasnikov,G.Rosenberger D.Spellman, "A IFGIVIRS] Free Groups i' J. of Algebra , 200, (1998)' 571-605 Classificationof Fully Residually and R.Weidmann, "Two Generator Subgroupsof Free [FRW] B.Fine,G.Rosenberger Products with Commuting Subgroups," J.Pure and Appli'edAlgebra ,172, (2002)' r93-204 "New Presentationsof Surface Braid Groups," J. Knot [G] PJ.GonzaIez-Meneses, (3), (2001), 43I-451 Theory Algebra,10 and R. Steinwandt, "Chosen Ciphertext Attacks as Com[GS] M.I. Gonzalez-Vasco of Some Group and Polynomial Based Encryption Schemes," mon Vulnerabiiity (2005), to appear Mathematical Publicatr,ons. Tatra MounLa'ins and I. Ponomarenko, "Homomorphic Public-Key Cryptosystems [GP] D.Grigoriev dd Over Groups and Rings," Quaderni, Matemat'ico.(2005),to appear I. Goldberg, B. Schneier, "Reaction attacks Against Several PubIHGS] C.Hall, Security of Iic Key Cryptosystems," Proceed'ings Informati,on and Commun'icati,ons (1999) Springer-Verlag IUCS 99, ,2-I2 Free IKM] I. Kapovich and A. Myasnikov, "stallings Foldings and Subgroups of J. Algebra,248,(2002),608-668 Groups," fKhM] O.Kharlampovich and A. Myasnikov, Algebraic Geometry ouer Free Groups, to appear IKL C H K P] K.H .Ko , S.J . L e e , J.H . C heon,J.W .H an, J.K ang and c.P ark, " N ew Public Key Cryptosystem Using Braid Groups," Aduancesi,n Cryptology CRYPTO 1880, ( 2000), 166-183 2000, Lecture Notes in Computer Science,

GROUP THEORtrTIC DIFFIE HELLMAN

43

fKo] N.Kobritz, Algebraic Method,sof cryptography, springer , lggg [LS] R.Lyndon and P.Scupp, comb,inatorial Group Theory, springer , 1g7g [MKS] W. Nfagnus,A. Karass and D. Solitar, Combi,natorialGroup Theory, Wiley Interscience,New York , 1968 lMc 1l J. I\{cCooi, "A Presentation for the Automorphism Group of a Free Group o f F i n i t e R a n k , " J . L o n d o nM a t h . S o c . , 8 , ( 1 9 7 4 ) , 2 5 9 - 2 6 6 [Mc 2] J. McCool, "On Nielsen's Presentation for the Automorphism Group of a F r e eG r o u p : ' J . L o n d o n M a t h . S o c . , 1 0 , ( 1 9 7 5 ) , 2 6 b - 2 7 0 K.C.Ha,J.H.Kim,S.Chee and C. park, ,,Newpublic Key CrypIPHKCP] S.H.Paeng, tosystem using Finite NonAbelian Groups," Aduances,in cryptotogy - crEpto 2001, Springer, (2001), 470-483 [SU] V.Shpilrain and A. Ushakov, "Thompson's Group and Public Key Cryptography," ACIVS 2005 LecturelVotesin Computer Science,JbJr, (2005), rst-ioa[S] R. Steinwandt, "Loopholes in two public key cryptosystems using the modular groups," preprint Univ. of Karlsruhle, (2000) lX] Xiaowei Xu, "Cryptography and Infinite Group Theory Ph.D. Thesis CUNY, 2005 [Y] A.Yamamura, "Public Key cryptosystems using the modular groups," Lech.tre IVotesi,n Comput. Sci. I43I , (1gg8),,20J-216
DppaRrueNT oF N{arsnttartcs, Crrv Cor,locp oF Npw YoRx, Npw yonx, N\. 10031

FacnepRntcn MRrupl\{ATIK, UNrveRsrrer DonrnruNo, 44227 Donrl,ruNn, FpooRel RppueLrc oF GoRM,qNy DspaRrltnNT oF MarnpuArtcs, FarRrrplo UtrrvBRsrr\., FArRrrElo, CT 06430

FacneBRptcs N{ernnMATIK, UNrynRsrrar DoRrtruNo, 4422T DoRrri,ruwo, FpnpRar, RepueLrc oF GpRvaNy DppenrrrpNT oF Maruol,rarrcs, crrv cor,r,pco or, Npw yonx, Now yoRx, N\' 10031