Gaussian elimination in split unitary groups with an application to public-key cryptography ∗

Gaussian elimination is used in special linear groups to solve the word problem. In this paper, we extend Gaussian elimination to split unitary groups. We demonstrate that these algorithms have an application in building a public-key cryptosystem. 2010 MSC: 20H30, 94A60


Introduction
Gaussian elimination is a very old theme in computational mathematics. It was developed to solve simultaneous linear equations. The modern matrix-theoretic approach was developed by John von Neumann and the popular textbook version by Alan Turing. Gaussian elimination has many applications and is a very well known mathematical method. We will not elaborate on it any further, but refer the interested reader to a nice article by Grcar [10]. The way we look at Gaussian elimination is this: it gives us an algorithm to write any matrix of the general linear group GL(d, K) of size d over a field K as the product of elementary matrices and a diagonal matrix with all ones except one entry, using elementary operations. That entry in the diagonal is the determinant of the matrix. There are many ways to look at this phenomenon. One simple way is: one can write the matrix as a word in generators. So in the language of computational group theory, the word problem in GL(d, K) has an efficient algorithm: Gaussian elimination.
We write this paper to show that one can have a very similar result for split unitary groups as well. It is well known that unitary groups over a finite field are split. So we completely solve the problem for unitary groups over finite fields for most characteristics. However, over infinite fields, our algorithm works only for the split case. Split unitary groups are defined by the Hermitian form with maximal Witt index. From now on, by a unitary group we mean a split unitary group. We define elementary matrices and elementary operations for unitary groups. These matrices and operations are similar to the elementary transvections and elementary row-column operations for special linear groups. Using these elementary matrices and elementary operations, we solve the word problem in unitary groups in a way that is very similar to the general linear groups. Similar algorithms are being developed for other classical groups and will be presented elsewhere.
Unitary groups are of interest in computational group theory, in the matrix group recognition project. In this paper, we work with a different set of generators than is usual in computational group theory. The usual generators are called the standard generators [14, Tables 1 & 2]. Our generators, which we call elementary matrices and define later, have their root in the root spaces of Lie theory [6, Sections 11.3, 14.5] and have the disadvantage of being a larger set than the standard generators. However, the standard generators, being "multiplicative" in nature, depend on a primitive element of a finite field and so work only for finite fields. Our generators, on the other hand, work for arbitrary fields. Using standard generators, one often needs to solve the discrete logarithm problem. No such need arises in our case. In the current literature, the best row-column operations in unitary groups are by Costi [8], implemented in Magma [3] by Costi and C. Schneider. Using their Magma function ClassicalRewriteNatural, we show that our algorithm is much faster, see Figure 1. In Costi's algorithm one needs to compute various powers of ω, a primitive element of the finite field. This makes his algorithm slower.
A need for row-column operations in classical groups was articulated by Seress [20, Page 677] in 1997. Computational group theory, and in particular constructive recognition of classical groups, has come a long way since then. We will not give a historical overview of this; an interested reader can find such an overview in the works of Brooksbank [5, Section 1.1], Leedham-Green and O'Brien [14, Section 1.3] and O'Brien [18]. Two recent works that are relevant to our work are Costi [8] and Ambrose et al. [1]. Brooksbank [4, Section 5] deals with a similar algorithm which only works for finite fields.
In coming years, public key cryptography will go through a major change because of quantum computers. The ubiquitous public key cryptosystems like the ElGamal cryptosystem over elliptic curves and RSA will become obsolete. What is needed today are new public key cryptosystems whose security does not rely on the discrete logarithm problem or on factoring integers. We study the MOR cryptosystem on various groups in the hope of discovering new quantum-secure cryptographic primitives.
In this paper, we only deal with unitary groups defined by the Hermitian form β defined later. The Hermitian form for the even-order case works for all characteristics. However, in the odd-order case the 2 in the upper-left corner makes it useless in even characteristic. One can change this 2 to a 1 in β; however, then one needs to compensate by putting 1/2 in the generators. We tried, but were unable to extend our algorithm for the odd-order unitary group to even characteristic. For even-order unitary groups, the algorithm developed in this paper works for all characteristics. However, for the odd-order case only odd characteristic will be considered.

Notations
For the rest of the paper, let K be the quadratic extension of a field k with an automorphism $\sigma : x \mapsto \bar{x}$ of order two that fixes k elementwise. In the case of $\mathbb{C} : \mathbb{R}$, σ is complex conjugation. In the case of a finite field $\mathbb{F}_{q^2} : \mathbb{F}_q$, σ is the map $x \mapsto x^q$. We define
Two important examples of K : k pairs that we have in mind for this work are $\mathbb{C} : \mathbb{R}$ and $\mathbb{F}_{q^2} : \mathbb{F}_q$.
The main result that we prove in this paper follows. The result is well known; however, the algorithmic proof of the result is original. Moreover, this algorithm is of independent interest in other areas, for example constructive recognition of classical groups. For a definition of elementary matrices and elementary operations, see Section 3.
Theorem A. For d ≥ 4, using elementary operations, one can write any matrix A in U(d, K), the unitary group of size d over K, as a product of elementary matrices and a diagonal matrix. The diagonal matrix is of the following form:
where $\lambda\bar{\lambda}^{-1} = \det A$ and d = 2l.
Here $\bar{\lambda}$ is the image of λ under the automorphism σ.
A trivial corollary (Theorem 6.1) of our algorithm is very similar to a result by Steinberg [21, §6.2], where he describes the generators of a projective unitary group over odd characteristic. Our work is somewhat similar in nature to the work of Cohen et al. [7], where the authors study generalized row-column operations in Chevalley groups. They did not study twisted groups.
We use the algorithm developed to construct a MOR cryptosystem in unitary groups and study its security.

Unitary groups
Let K be a field with a non-trivial field automorphism σ of order 2 with fixed field k. Let V be a vector space of dimension d over K. We denote the image of α under σ by ᾱ. Let β : V × V → K be a non-degenerate Hermitian form, i.e., bar-linear in the first coordinate and linear in the second coordinate, satisfying $\beta(x, y) = \overline{\beta(y, x)}$. We fix a basis for V and slightly abuse notation to denote the matrix of β by β. Thus β is a non-singular matrix satisfying $\beta = {}^{T}\bar{\beta}$.
Definition 2.1 (Unitary Group). The unitary group is:
The special unitary group SU(d, K) consists of the matrices of U(d, K) of determinant 1. Note that the unitary group depends on the Hermitian form β.
It is known that equivalent Hermitian forms give rise to unitary groups that are conjugate in GL(d, K). However, over an infinite field there could be more than one non-equivalent non-degenerate Hermitian form, giving rise to non-isomorphic unitary groups. In this article, we deal with a specific form β and the corresponding split unitary group. Recall that we assumed the characteristic of K to be odd whenever d is odd. For the convenience of computations we index the basis of the vector space by 1, …, l, −1, …, −l when d = 2l and by 0, 1, …, l, −1, …, −l when d = 2l + 1, where l > 1. We also fix the matrix β as follows:
There are two important examples of fields: the complex numbers $\mathbb{C}$ over the reals $\mathbb{R}$ with σ complex conjugation, and the finite field $\mathbb{F}_{q^2}$ over $\mathbb{F}_q$ with $\sigma : \alpha \mapsto \alpha^q$. In the case of $\mathbb{C} : \mathbb{R}$, Hermitian forms are classified by signatures and the unitary groups are denoted U(p, q) where p + q = d (see [12], discussion following Theorem 6.19). The form corresponding to p being maximal is the split Hermitian form and is the one of interest in this paper. Over finite fields, however, there is only one non-degenerate Hermitian form up to equivalence [11, Corollary 10.4]. In this case the unitary group will be denoted U(d, q²) and the special unitary group SU(d, q²). A word of caution: in the literature U(d, q²), U(d, F_q) and U(d, q) are used interchangeably.

Elementary matrices and elementary operations in unitary groups
Solving the word problem in any group is of interest in computational group theory. In a special linear group, it can be easily solved using Gaussian elimination. However, for many groups, it is a very hard problem. In this paper we present a fast, cubic-time solution to the word problem in unitary groups.
Gaussian elimination in SL(d, K) uses elementary transvections as the elementary matrices and row-column operations as the elementary operations. These elementary operations are multiplication by elementary matrices. The elementary matrices are of the form $I + te_{i,j}$ (t ∈ K), where $e_{i,j}$ is the matrix unit with 1 in the (i, j)-th position and zero elsewhere.
In the same spirit, one can define Chevalley-Steinberg generators for the unitary group [6, Section 14.5] as follows:

Elementary matrices for U(2l, K)
In what follows, l ≥ 2. For 1 ≤ i, j ≤ l, t ∈ K and $s \in K_o$:

Row-column operations for U(2l, K)
Rephrasing the earlier definition in matrix format, we have three kinds of elementary matrices.
E1: $\begin{pmatrix} R & 0 \\ 0 & {}^{T}\bar{R}^{-1} \end{pmatrix}$ where $R = I + te_{i,j}$; i ≠ j.
E2: $\begin{pmatrix} I & R \\ 0 & I \end{pmatrix}$ where R is either $te_{i,j} - \bar{t}e_{j,i}$; i < j, or $se_{i,i}$.
E3: $\begin{pmatrix} I & 0 \\ R & I \end{pmatrix}$ where R is either $te_{i,j} - \bar{t}e_{j,i}$; i < j, or $se_{i,i}$.
Let $g = \begin{pmatrix} A & B \\ C & D \end{pmatrix}$ be a 2l × 2l matrix written in block form with blocks of size l × l. Note the effect of multiplying g by the matrices above.

Row-column operations for U(2l + 1, K)
Rephrasing in matrix format:
where R is either $te_{i,j} - \bar{t}e_{j,i}$; i < j, or $se_{i,i}$.
E3:
Here $e_i$ is the row vector with 1 at the i-th place and zero elsewhere.
…, $F_l$) are rows of length l. Furthermore α ∈ K. The effect of multiplication by the elementary matrices above is as follows:
For E4 we only write the equations that we need later.

Row-interchange matrices
We need certain row interchange matrices; multiplication by these matrices from the left interchanges the i-th row with the −i-th row for 1 ≤ i ≤ l. These are certain Weyl group elements. These matrices can be produced as follows: for $s \in K_o$,
Note that our row interchange multiplies one row by s and the other by $-s^{-1}$ and then swaps them. This scalar multiplication of rows causes no problem for our purposes.

Gaussian elimination in unitary group
Now we present the main result of this paper, two algorithms: one for even-order unitary groups and the other for odd-order unitary groups.

The algorithm for even-order unitary groups
Let $g = \begin{pmatrix} A & B \\ C & D \end{pmatrix}$ be an element of the unitary group U(2l, K). One principal reason our algorithm works is that we are able to exploit a symmetry that comes out of the use of the Hermitian form β described earlier.
Notice that ${}^{T}\bar{g}\beta g = \beta$ implies, after straightforward computations, that ${}^{T}\bar{C}A + {}^{T}\bar{A}C = 0$ and ${}^{T}\bar{D}B + {}^{T}\bar{B}D = 0$. This implies that ${}^{T}\bar{A}C$ and ${}^{T}\bar{B}D$ are skew-Hermitian matrices. We now describe the algorithm.
Step 1. Using ER1 and EC1, make A into a diagonal matrix. This is the usual Gaussian elimination algorithm. This new diagonal matrix will be referred to as A as well. There are two possibilities.
(a) The diagonal matrix has full rank and is of the form $\mathrm{diag}(\lambda_1, \lambda_2, \dots, \lambda_l)$, where each $\lambda_i$ is non-zero.
(b) The diagonal matrix A does not have full rank but has rank r less than l and is of the form $\mathrm{diag}(\lambda_1, \lambda_2, \dots, \lambda_r, 0, 0, \dots, 0)$.
Step 2. In case (a), use ER3 to make C a zero matrix. In case (b), the bottom l − r rows of A are zero. Make the top r rows of C zero using ER3. We now interchange the bottom l − r rows of A with the corresponding l − r rows of C. This makes C a zero matrix. We claim that A must then be of full rank: we know that ${}^{T}\bar{C}B + {}^{T}\bar{A}D = I$, and since C = 0, A must be of full rank. We now go back to Step 1 and make A a diagonal matrix.
Step 3. Note that ${}^{T}\bar{D}A + {}^{T}\bar{B}C = I$; since C is zero and A is diagonal, this makes D a diagonal matrix of full rank l. Using this diagonal matrix, we can make B a zero matrix using ER2. So now we have a diagonal matrix in place of g.
Step 4. In this step we only work with A. Using ER1 and EC1, we reduce all diagonal elements of A to 1 except the last.
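As an added illustration (this is not code from the paper), the following Python runs Steps 1 to 4 above on a constructed element of U(4, F_49). It assumes the split form β = [[0, I], [I, 0]] of Section 2 and models F_{q²} as F_q[w]/(w² − n) for a quadratic non-residue n, so that σ is a + bw ↦ a − bw; the helper names (E1, E2, E3, Wrow, skew, reduce_unitary, gaussian_form) are my own. Every elementary matrix used is recorded and checked to be unitary, and the recorded word is multiplied back out to confirm that it reproduces the input; the sample input is built with an A block of rank 1, so that the row interchange of case (b) in Step 2 is exercised.

```python
# Added example (not the paper's code): the even-order algorithm above, Steps 1-4, run on
# U(4, F_49) with beta = [[0, I], [I, 0]] and the elementary matrices E1, E2, E3 and the
# row-interchange matrices of Section 3. F_{q^2} is modelled as F_q[w]/(w^2 - n), n a
# quadratic non-residue mod q, so the involution sigma(a + b w) = a - b w is x -> x^q.
Q, NR = 7, 3   # q = 7; 3 is a non-residue mod 7 (the squares mod 7 are 1, 2, 4)

class F:
    """Element a + b*w of F_{q^2}; bar() is sigma."""
    def __init__(self, a, b=0): self.a, self.b = a % Q, b % Q
    def __add__(self, o): return F(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return F(self.a - o.a, self.b - o.b)
    def __neg__(self): return F(-self.a, -self.b)
    def __mul__(self, o): return F(self.a * o.a + NR * self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __repr__(self): return f"{self.a}+{self.b}w"
    def bar(self): return F(self.a, -self.b)
    def inv(self):   # 1/x = bar(x) / (x bar(x)), and x bar(x) = a^2 - n b^2 lies in F_q
        return self.bar() * F(pow((self.a * self.a - NR * self.b * self.b) % Q, Q - 2, Q))

ZERO, ONE, W = F(0), F(1), F(0, 1)   # bar(W) = -W, so W is an element of K_o

def mat_mul(X, Y):
    return [[sum((X[i][k] * Y[k][j] for k in range(len(Y))), ZERO)
             for j in range(len(Y[0]))] for i in range(len(X))]
def identity(d): return [[ONE if i == j else ZERO for j in range(d)] for i in range(d)]
def bar_t(X): return [[X[j][i].bar() for j in range(len(X))] for i in range(len(X))]  # ^T(X-bar)
def beta(l): return [[ONE if abs(i - j) == l else ZERO for j in range(2 * l)] for i in range(2 * l)]
def is_unitary(X, l): return mat_mul(mat_mul(bar_t(X), beta(l)), X) == beta(l)
def det(X):   # Laplace expansion along the first row; fine for these small sizes
    if len(X) == 1: return X[0][0]
    tot = ZERO
    for j, x in enumerate(X[0]):
        term = x * det([row[:j] + row[j + 1:] for row in X[1:]])
        tot = tot + term if j % 2 == 0 else tot - term
    return tot

# Elementary matrices of Section 3; index i in 0..l-1 stands for basis index i+1, l+i for -(i+1).
def E1(l, i, j, t):   # diag(R, ^T(R-bar)^-1) with R = I + t e_ij, i != j
    M = identity(2 * l); M[i][j] = t; M[l + j][l + i] = -t.bar(); return M
def skew(l, i, j, t):  # R = t e_ij - bar(t) e_ji for i < j, or s e_ii with s in K_o
    R = [[ZERO] * l for _ in range(l)]; R[i][j] = t
    if i != j: R[j][i] = -t.bar()
    return R
def E2(l, R):          # [[I, R], [0, I]]
    M = identity(2 * l)
    for i in range(l):
        for j in range(l): M[i][l + j] = R[i][j]
    return M
def E3(l, R):          # [[I, 0], [R, I]]
    M = identity(2 * l)
    for i in range(l):
        for j in range(l): M[l + i][j] = R[i][j]
    return M
def Wrow(l, i, s):     # swaps row i with row -i, scaling them by s and -1/s
    M = identity(2 * l); M[i][i] = M[l + i][l + i] = ZERO
    M[i][l + i] = s; M[l + i][i] = -s.inv(); return M

def reduce_unitary(g):
    """Steps 1-4: returns (left ops, right ops, diagonal) with E_k..E_1 g F_1..F_m = diagonal."""
    l = len(g) // 2
    cur, lops, rops = [row[:] for row in g], [], []
    def left(E):
        nonlocal cur; cur = mat_mul(E, cur); lops.append(E)
    def right(E):
        nonlocal cur; cur = mat_mul(cur, E); rops.append(E)
    def diag_A():    # Step 1: Gaussian elimination on A with ER1 (row p += t row k) and EC1
        for k in range(l):
            if cur[k][k] == ZERO:   # find a pivot below, else to the right, else leave the zero
                p = next((p for p in range(k + 1, l) if cur[p][k] != ZERO), None)
                c = next((c for c in range(k + 1, l) if cur[k][c] != ZERO), None)
                if p is not None: left(E1(l, k, p, ONE))
                elif c is not None: right(E1(l, c, k, ONE))
                else: continue
            for p in range(k + 1, l):
                if cur[p][k] != ZERO: left(E1(l, p, k, -(cur[p][k] * cur[k][k].inv())))
            for c in range(k + 1, l):
                if cur[k][c] != ZERO: right(E1(l, k, c, -(cur[k][c] * cur[k][k].inv())))
    def clear_lower():   # Step 2: ER3 with R skew-Hermitian kills c_ij and, by the
        for i in range(l):  # skew-Hermitian relation on ^T(A-bar) C, the mirror entry c_ji too
            for j in range(i, l):
                if cur[i][i] != ZERO and cur[j][j] != ZERO and cur[l + i][j] != ZERO:
                    left(E3(l, skew(l, i, j, -(cur[l + i][j] * cur[j][j].inv()))))
    def clear_upper():   # Step 3: D is diagonal of full rank; ER2 kills B the same way
        for i in range(l):
            for j in range(i, l):
                if cur[i][l + j] != ZERO:
                    left(E2(l, skew(l, i, j, -(cur[i][l + j] * cur[l + j][l + j].inv()))))
    diag_A(); clear_lower()
    for i in range(l):   # case (b): swap each zero row of A with the matching row of C
        if cur[i][i] == ZERO: left(Wrow(l, i, W))
    diag_A(); clear_lower(); clear_upper()
    for k in range(l - 1):   # Step 4: diag(a, b) -> diag(1, ab) with two EC1 and two ER1 moves
        a, b = cur[k][k], cur[k + 1][k + 1]
        right(E1(l, k + 1, k, ONE)); left(E1(l, k, k + 1, (ONE - a) * b.inv()))
        left(E1(l, k + 1, k, -b)); right(E1(l, k, k + 1, a - ONE))
    return lops, rops, cur

def gaussian_form(g):
    """(diagonal form, ok): ok checks every factor is unitary and the word reproduces g."""
    l = len(g) // 2
    lops, rops, diag = reduce_unitary(g)
    L, R = identity(2 * l), identity(2 * l)
    for E in lops: L = mat_mul(E, L)
    for E in rops: R = mat_mul(R, E)
    ok = all(is_unitary(E, l) for E in lops + rops) and mat_mul(mat_mul(L, g), R) == diag
    return diag, ok

# Constructed sample: a product of elementary matrices whose A block has rank 1, so that the
# row interchange of case (b) in Step 2 is exercised.
G = mat_mul(mat_mul(mat_mul(Wrow(2, 0, W), E2(2, skew(2, 0, 1, F(2, 1)))),
                    E1(2, 0, 1, F(1, 1))), E3(2, skew(2, 1, 1, F(0, 3))))

if __name__ == "__main__":
    diag, ok = gaussian_form(G)
    lam = diag[1][1]
    print([diag[i][i] for i in range(4)], ok, lam * lam.bar().inv() == det(G))
```

The returned diagonal has 1 everywhere except positions l and −l (here 2 and −2), which hold λ and λ̄⁻¹ with λλ̄⁻¹ = det g, as Theorem A states; the odd-order algorithm is not implemented here.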

The algorithm for odd-order unitary groups
Recall that for odd-order unitary groups we assumed the characteristic of K to be odd. Let g be an element of the unitary group U(2l + 1, K). As in the even-order case, our algorithm exploits the symmetry that comes out of the chosen form β. From the equation ${}^{T}\bar{g}\beta g = \beta$ we get two useful equations:
Now if X = 0, ${}^{T}\bar{A}C$ is skew-Hermitian, and similarly in the other case ${}^{T}\bar{B}D$ is skew-Hermitian. The reader will notice our insistence on making X zero as quickly as possible in the algorithm. Once we do that, the rest of the algorithm is very similar to the even-order algorithm.
The algorithm is as follows:
Step 1. Using ER1 and EC1, make A a diagonal matrix. This new diagonal matrix will be referred to as A as well. Two things can happen:
(a) The diagonal matrix A has full rank and is of the form $\mathrm{diag}(\lambda_1, \lambda_2, \dots, \lambda_l)$ where $\lambda_i$ is non-zero for 1 ≤ i ≤ l.
(b) The matrix A is not of full rank but of rank r and is $\mathrm{diag}(\lambda_1, \lambda_2, \dots, \lambda_r, 0, \dots, 0)$ where $\lambda_i$ is non-zero for 1 ≤ i ≤ r.
Step 2. The purpose of this step is to make X and E zero using A. In case (a) above, this can easily be done using ER4 and EC4 respectively. In case (b) above, by Lemma 5.1, if $x_1 = x_2 = \dots = x_r = 0$ then X = 0. Now $x_1, x_2, \dots, x_r$ can be made zero as above, and that makes the whole of X zero. Similarly, use the non-zero diagonal entries of A to make the corresponding entries of E zero.
Step 3. The purpose of this step is to make C a zero matrix. We first use the non-zero diagonal entries of A to make the corresponding rows of C zero. If there are any zero rows in A, i.e., we are in case (b) of Step 1, we use the row interchange operation to exchange the zero rows of A with the corresponding rows of C. Then C is a zero matrix, and that makes A of full rank. Diagonalize A using ER1 and EC1 and make E a zero matrix. This makes D a full-rank diagonal matrix.
Step 4. Using ER2 and D, we make B a zero matrix.
Step 5. We now have a diagonal matrix; using ER1 and EC1 we can make all diagonal entries of A except the last one equal to 1.

Some lemmas
Lemma 5.1. Let g be an element of U(2l + 1, K) as described earlier. Furthermore, assume that A is of the form $\mathrm{diag}(\lambda_1, \lambda_2, \dots, \lambda_r, 0, \dots, 0)$ where the $\lambda_i$ are non-zero and the row vector X has first r entries 0. Then X is zero.
Proof. Notice that from the equation ${}^{T}\bar{g}\beta g = \beta$ it follows that $2\,{}^{T}\bar{X}X + {}^{T}\bar{C}A + {}^{T}\bar{A}C = 0$. Then ${}^{T}\bar{X}X$ is a matrix whose only possibly non-zero block is the lower right (l − r) × (l − r) block. However, since A is a diagonal matrix with its lower l − r entries zero, it is clear from the equation that this block is zero, and this proves that X = 0.
Lemma 5.2. Once E, C and X are zero in the g defined earlier, it follows that F and Y are zero.
Proof. The important equation from ${}^{T}\bar{g}\beta g = \beta$ for this lemma is $2\,{}^{T}\bar{X}\alpha + {}^{T}\bar{C}E + {}^{T}\bar{A}F = 0$, from which it follows that F = 0. Then Y = 0 follows from $2\bar{\alpha}Y + {}^{T}\bar{F}B + {}^{T}\bar{E}D = 0$.
A cautious reader will have noticed that in the definition of the generators we define $x_{i,-i}(s) = I + se_{i,-i}$ and $x_{-i,i}(s) = I + se_{-i,i}$ where $s \in K_o$. We need these generators to clear the diagonal elements of C and B respectively. We only discuss clearing the diagonal elements of C; B follows similarly. Now if A is diagonal and $\lambda_i$ is a non-zero element on the diagonal, then using RA + C we can clear $c_{i,i}$ in C. Notice that from the earlier discussion it follows that $\bar{\lambda}_i c_{i,i} = -\bar{c}_{i,i}\lambda_i$. Then take $s = -c_{i,i}/\lambda_i$, and it is easy to check that it belongs to $K_o$.

Asymptotic complexity is $O(l^3)$
In this section, we show that the asymptotic complexity of the algorithm that we developed is $O(l^3)$. We count the number of field multiplications. We can break the algorithm into three parts: first reduce A to a diagonal, then deal with C and then with D. It is easy to see that reducing A to the diagonal has complexity $O(l^3)$ and dealing with C and D has complexity $O(l^3)$. Row interchange has complexity $O(l^2)$. In the odd-order case there is an additional complexity of O(l) to deal with X, Y, E and F. In all, the worst-case complexity is $O(l^3)$.

Finite unitary groups
In the next section, we talk about cryptography. In cryptography, we need to deal explicitly with finite fields. In this context, when $K = \mathbb{F}_{q^2}$, we prove a theorem similar in spirit to Steinberg [21, Section 6.2]. The proof is an obvious corollary of our algorithm.
Theorem 6.1. Fix an element ζ which generates the cyclic group $\mathbb{F}_{q^2}^{\times}$; the subgroup $\mathbb{F}^{1}_{q^2}$ is generated by $\zeta_1 = \zeta^{q-1}$. We add the following matrices to the respective sets of elementary matrices:
Then the group U(d, q²) is generated by the elementary matrices and the matrices defined above.
6.1. Special unitary group SU(d, q²)
In the case of SU(2l, q²), a simple and straightforward enhancement of our algorithm reduces a matrix g ∈ SU(2l, q²) to the identity matrix. Thus the word problem in SU(2l, q²) is completely solved, as for SL(d, q), using only elementary matrices; this is particularly useful for the MOR cryptosystem. An analysis of a MOR cryptosystem similar to the MOR cryptosystem over SL(d, q) [15] will be done in the next section.

The MOR cryptosystem on unitary groups
In this section, we will work with the MOR cryptosystem over U(2l, q²) most of the time. However, we will occasionally refer to the odd-order unitary group as well. Briefly speaking, the MOR cryptosystem is a simple and straightforward generalization of the classic ElGamal cryptosystem and was put forward by Paeng et al. [19]. In a MOR cryptosystem one works with the automorphism group rather than the group itself. It provides an interesting change of perspective in public-key cryptography: from finite cyclic groups to finite non-abelian groups. The MOR cryptosystem was studied for the special linear group in detail by Mahalanobis [15]. For many other classical groups, except the orthogonal groups, the analysis of a MOR cryptosystem remains almost the same. So we will remain brief in this paper and refer the interested reader to [15] (see also [16]).
The description of the MOR cryptosystem is as follows: Let $G = \langle g_1, g_2, \dots, g_s \rangle$ be a finite group. Let φ be a non-identity automorphism.
• Public-key: $\{\phi(g_i)\}_{i=1}^{s}$ and $\{\phi^m(g_i)\}_{i=1}^{s}$ are public.
• Private-key: The integer m is private.

Encryption: To encrypt a plaintext M ∈ G, pick an arbitrary integer r ∈ [1, |φ|] and compute $\phi^r$ and $\phi^{rm}$. The ciphertext is $(\phi^r, \phi^{rm}(M))$.
Decryption: After receiving the ciphertext $(\phi^r, \phi^{rm}(M))$, the user knows the private key m. So she computes $\phi^{mr}$ from $\phi^r$ and then computes M.
To develop a MOR cryptosystem we need a thorough understanding of the automorphism group of the group involved. The automorphisms of unitary groups are well described in the literature. We mention them briefly to facilitate further discussion.

Automorphism group of unitary groups
First we define the similitude group. We need these groups to define diagonal automorphisms.
substituting each generator in the word by another word. This can be done fast. The challenging thing is to find the matrix corresponding to the word thus formed. This is not a hard problem, but it can be both time and memory intensive. What is the best way to do it is still an open question! However, there are many shortcuts available. One is an obvious time-memory trade-off, like storing the matrices corresponding to words in the generators. Another is that there are many trivial and non-trivial relations among these generators, and moreover these generators are sparse matrices. One can use these properties in the implementation. This problem is of independent interest in computational group theory and is a reason that we insist on automorphisms being presented by their action on generators for the MOR cryptosystem. For more information, see [15, Section 8].
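As an added example (not the paper's or Mahalanobis's code), here is the scheme of this section written out in Python for the toy group G = SL(2, p) with generators x12 = I + e12 and x21 = I + e21. An automorphism is stored only by its two generator images, and applying it to a matrix means solving the word problem (here by the transvection analogue of Gaussian elimination in SL(2, p)) and substituting the images, which is exactly the word-substitution step discussed above. The parameter p = 101, the key g, the exponent m, the random r and the plaintext are constructed, and the function names are my own; the inverse of φ^{rm} needed for decryption is obtained as a power of φ^{rm} via its order, which is affordable only at this toy size.

```python
# Added example (not the paper's code): the MOR cryptosystem on G = SL(2, p), with every
# automorphism stored only by its action on the generators x12 = I + e_12 and x21 = I + e_21.
# Applying such an automorphism means writing the argument as a word in the generators (the
# SL(2) version of Gaussian elimination) and substituting the generator images.
P = 101   # constructed toy parameter; real instances would use large fields and groups

I2 = [[1, 0], [0, 1]]
def mul(X, Y): return [[(X[i][0] * Y[0][j] + X[i][1] * Y[1][j]) % P for j in range(2)] for i in range(2)]
def inv(X):   # inverse of a 2x2 matrix over F_p
    a, b, c, d = X[0][0], X[0][1], X[1][0], X[1][1]
    di = pow((a * d - b * c) % P, P - 2, P)
    return [[d * di % P, -b * di % P], [-c * di % P, a * di % P]]
def mpow(X, e):
    R = I2
    while e:
        if e & 1: R = mul(R, X)
        X, e = mul(X, X), e >> 1
    return R
def x12(t): return [[1, t % P], [0, 1]]
def x21(t): return [[1, 0], [t % P, 1]]
GEN = {'12': x12(1), '21': x21(1)}   # the identity automorphism, as its action on generators

def word(M):
    """Write M in SL(2, p) as [(gen, t), ...] meaning x_gen(t) * x_gen(t) * ..., by row
    operations: the SL(2) analogue of the paper's elimination with elementary transvections."""
    a, b, c, d = M[0][0], M[0][1], M[1][0], M[1][1]
    if c == 0:   # then a != 0 since det M = 1; make the (2,1) entry non-zero first
        return [('21', P - 1)] + word(mul(x21(1), M))
    t = (1 - a) * pow(c, P - 2, P) % P          # x12(t) M has top-left entry 1
    b1 = (b + t * d) % P                        # and then x21(-c) x12(t) M = x12(b1)
    return [('12', -t % P), ('21', c), ('12', b1)]

def evaluate(w):
    R = I2
    for g, t in w: R = mul(R, x12(t) if g == '12' else x21(t))
    return R

def apply(phi, M):
    """phi(M) from the generator images alone, using phi(x_ij(t)) = phi(x_ij(1))^t."""
    R = I2
    for g, t in word(M): R = mul(R, mpow(phi[g], t))
    return R
def compose(phi, psi): return {g: apply(phi, psi[g]) for g in psi}   # phi o psi
def aut_pow(phi, e):   # square-and-multiply on automorphisms given on generators
    R = GEN
    while e:
        if e & 1: R = compose(R, phi)
        phi, e = compose(phi, phi), e >> 1
    return R
def aut_order(phi):    # |phi| by brute force; fine at this toy size
    n, psi = 1, phi
    while psi != GEN: n, psi = n + 1, compose(psi, phi)
    return n

def keygen(g, m):      # phi = conjugation by g; public: phi and phi^m on the generators
    phi = {k: mul(mul(g, v), inv(g)) for k, v in GEN.items()}
    return (phi, aut_pow(phi, m)), m
def encrypt(pub, M, r):
    phi, phi_m = pub
    return aut_pow(phi, r), apply(aut_pow(phi_m, r), M)   # (phi^r, phi^{rm}(M))
def decrypt(pub, m, ct):
    phi_r, C = ct
    phi_rm = aut_pow(phi_r, m)                             # phi^{mr} from phi^r and m
    return apply(aut_pow(phi_rm, aut_order(phi_rm) - 1), C)   # inverse via the order

if __name__ == "__main__":
    g = [[2, 3], [1, 2]]                 # constructed secret conjugator, det = 1
    pub, m = keygen(g, 7)
    M = [[3, 5], [1, 2]]                 # constructed plaintext, det = 1
    ct = encrypt(pub, M, 11)
    print(decrypt(pub, m, ct) == M)
```

Note that nothing in encryption or decryption ever touches g itself: both sides work only with generator images, as the text requires, and the cost is dominated by repeatedly solving the word problem inside compose.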

Reduction of security
In this subsection, we show that for unitary groups the security of the MOR cryptosystem reduces to the discrete logarithm problem in $\mathbb{F}_{q^{2d}}$. This is the same as saying that we can find the conjugating matrix up to a scalar multiple. Let φ be an automorphism that works by conjugation, i.e., $\phi = \iota_g$ for some g, and we try to determine g.
Step 1: The automorphism φ is presented as its action on the generators. Thus $\phi(x_{i,-i}(s)) = g(I + se_{i,-i})g^{-1} = I + sge_{i,-i}g^{-1}$. This implies that we know $\varepsilon ge_{i,-i}g^{-1}$ and similarly $\varepsilon ge_{-i,i}g^{-1}$ for a fixed $\varepsilon \in K_o$. We first claim that we can determine N := gD where D is diagonal.
…, 0] where $G_{-i}$ is at the i-th place. Multiplying this by $g^{-1}$ gives us a scalar multiple of $G_{-i}$, say $d_{-i}$. Thus we get N = gD where D is the diagonal matrix $\mathrm{diag}(d_1, \dots, d_l, d_{-1}, \dots, d_{-l})$. In the case d = 2l + 1 we write $g = [G_0, G_1, \dots, G_l, G_{-1}, \dots, G_{-l}]$ and get scalar multiples of the columns $G_i$ and $G_{-i}$. We now use $x_{i,0}(t)$ and $x_{0,i}(t)$ to get a linear combination of $G_0$ with $G_i$ or $G_{-i}$, say we get $\alpha G_0 + \beta G_{-1}$.
In this case we get N = gD where D is of the form
Step 2: Now we compute
and multiply it by N = gD to get $d_1 g$. Thus we can determine g up to a scalar multiple, and the attack follows [15, Section 7.1.1].
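As an added example (not from the paper), the two steps above carried out in Python for the same SL(2, p) toy setting: φ = ι_g is given only by its values on x12 = I + e12 and x21 = I + e21, and the procedure returns d·g for a non-zero scalar d. Step 1 reads the columns of g, up to scalars, off the rank-one matrices g e12 g⁻¹ and g e21 g⁻¹ and assembles N = gD; Step 2 computes N⁻¹ φ(x12) N = D⁻¹ x12 D to read off the ratio of the entries of D and rescales N. The parameter p = 101, the secret g and the function names are assumptions of the example.

```python
# Added example (not the paper's code): recovering the conjugating matrix up to a scalar from
# an inner automorphism of SL(2, p) that is known only by its action on the generators.
P = 101   # constructed toy parameter

def mul(X, Y): return [[(X[i][0] * Y[0][j] + X[i][1] * Y[1][j]) % P for j in range(2)] for i in range(2)]
def inv(X):   # inverse of a 2x2 matrix over F_p
    a, b, c, d = X[0][0], X[0][1], X[1][0], X[1][1]
    di = pow((a * d - b * c) % P, P - 2, P)
    return [[d * di % P, -b * di % P], [-c * di % P, a * di % P]]
def conj(g, X): return mul(mul(g, X), inv(g))     # iota_g(X)
X12, X21 = [[1, 1], [0, 1]], [[1, 0], [1, 1]]     # the generators x12(1), x21(1)

def recover_conjugator(phi):
    """phi = {'12': iota_g(X12), '21': iota_g(X21)}; returns d*g for some non-zero scalar d."""
    cols = []
    for key in ('12', '21'):
        # Step 1: phi(x_ij(1)) - I = g e_ij g^-1 is rank one; each of its non-zero columns
        # is a scalar multiple of the matching column of g
        R = [[(phi[key][i][j] - (i == j)) % P for j in range(2)] for i in range(2)]
        j = 0 if (R[0][0] or R[1][0]) else 1
        cols.append([R[0][j], R[1][j]])
    N = [[cols[0][0], cols[1][0]], [cols[0][1], cols[1][1]]]   # N = g D with D = diag(d1, d2)
    # Step 2: N^-1 phi(X12) N = D^-1 X12 D = I + (d2/d1) e_12, so read off rho = d2/d1
    rho = mul(mul(inv(N), phi['12']), N)[0][1]
    rho_inv = pow(rho, P - 2, P)
    return [[N[0][0], N[0][1] * rho_inv % P], [N[1][0], N[1][1] * rho_inv % P]]   # = d1 * g

def is_scalar_multiple(X, g):
    """True if X = d*g for some d != 0, which is all the reduction in the text needs."""
    for i in range(2):
        for j in range(2):
            if g[i][j]:
                d = X[i][j] * pow(g[i][j], P - 2, P) % P
                return d != 0 and all(X[r][c] == d * g[r][c] % P for r in range(2) for c in range(2))
    return False

if __name__ == "__main__":
    g = [[2, 3], [1, 2]]                               # constructed secret conjugator, det = 1
    phi = {'12': conj(g, X12), '21': conj(g, X21)}     # what the public key reveals about g
    rec = recover_conjugator(phi)
    print(rec, is_scalar_multiple(rec, g))
```

With the sample g the procedure returns −g, a scalar multiple as expected; the remaining work of the attack in [15, Section 7.1.1] is not reproduced here.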

Conclusion
For us, this paper is an interplay of finite (non-abelian) groups and public key cryptography. Computational group theory, and in particular computations with quasi-simple groups, has a long and distinguished history [2, 7, 13, 14, 17]. The interesting thing to us is that some of the questions that arise naturally when dealing with the MOR cryptosystem are interesting in their own right in computational group theory and are actively studied. The row-column operations that we developed are one example of that. In the row-column operations we developed, we used a different set of generators. These generators have a long history starting with Chevalley. To our knowledge, we are the first to use them in row-column operations in unitary groups. Earlier works were mostly done using the standard generators. It seems that Chevalley generators might offer a paradigm shift in algorithms with quasi-simple groups. In Magma, there is an implementation of row-column operations in unitary groups in the function ClassicalRewriteNatural. We compared that function with our algorithm in an actual implementation on even-order unitary groups using identical parameters. To select parameters for our simulation, we followed Costi's work [8, Table 6.2]. In one case, the characteristic of the field was fixed at 7 and the size of the matrix at 20, and we varied the degree of the extension of the field from 4 to 34. We then picked elements at random from the GeneralUnitaryGroup and timed our algorithm. We did the same with the Magma function using the special unitary group. The final time was the average over one thousand such repetitions. The times of both algorithms were tabulated and are presented in Figure 1. In another case, we kept the field fixed at $7^{10}$ and changed the size of the matrix. In all cases, the final time was the average of one thousand random repetitions. The timings were tabulated and are presented in Figure 1. It seems that our algorithm is much better than Costi's in all respects.

Figure 1. Some simulations comparing our algorithm with the one built into Magma.