Abstract
We present an efficient quantum algorithm for solving the semidirect discrete logarithm problem (\(\textsf{SDLP}\)) in any finite group. The believed hardness of the semidirect discrete logarithm problem underlies more than a decade of works constructing candidate post-quantum cryptographic algorithms from non-abelian groups. We use a series of reduction results to show that it suffices to consider \(\textsf{SDLP}\) in finite simple groups. We then apply the celebrated Classification of Finite Simple Groups to consider each family. The infinite families of finite simple groups admit, in a fairly general setting, linear algebraic attacks providing a reduction to the classical discrete logarithm problem. For the sporadic simple groups, we show that their inherent properties render them unsuitable for cryptographically hard \(\textsf{SDLP}\) instances, which we illustrate via a Baby-Step Giant-Step style attack against \(\textsf{SDLP}\) in the Monster Group.
Our quantum \(\textsf{SDLP}\) algorithm is fully constructive, up to the computation of maximal normal subgroups, for all but three remaining cases that appear to be gaps in the literature on constructive recognition of groups; for these cases \(\textsf{SDLP}\) is no harder than finding a linear representation. We conclude that \(\textsf{SDLP}\) is not a suitable post-quantum hardness assumption for any choice of finite group.
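As an added illustration (not code from the paper), a toy instance of the semidirect discrete logarithm problem and a Baby-Step Giant-Step search for it, in the spirit of the attack the abstract describes. The group is 2x2 matrices over a small prime field and the automorphism is conjugation by a fixed matrix; the modulus, matrices and exponent are all constructed values.

```python
# Added example: SDLP in a toy semidirect product, solved by BSGS.
# Group element (g, phi)^n = (g * phi(g) * ... * phi^{n-1}(g), phi^n); SDLP
# asks for n given g, phi and the first component s_n.  Constructed values.
from math import isqrt

P = 101                 # toy prime modulus (constructed value)
IDENT = (1, 0, 0, 1)    # 2x2 identity, stored row-major as (a, b, c, d)

def mat_mul(a, b):
    return ((a[0]*b[0] + a[1]*b[2]) % P, (a[0]*b[1] + a[1]*b[3]) % P,
            (a[2]*b[0] + a[3]*b[2]) % P, (a[2]*b[1] + a[3]*b[3]) % P)

def mat_inv(a):
    d = pow((a[0]*a[3] - a[1]*a[2]) % P, -1, P)   # ValueError if singular
    return ((a[3]*d) % P, (-a[1]*d) % P, (-a[2]*d) % P, (a[0]*d) % P)

def conj(x, m):
    """The automorphism phi_m(x) = m x m^{-1}."""
    return mat_mul(mat_mul(m, x), mat_inv(m))

def sdlp_power(g, M, n):
    """First component s_n of (g, phi)^n, with phi = conjugation by M."""
    s, x = IDENT, g                  # invariant: x = phi^i(g)
    for _ in range(n):
        s, x = mat_mul(s, x), conj(x, M)
    return s

def sdlp_bsgs(g, M, h, bound):
    """Return an n in [0, bound) with sdlp_power(g, M, n) == h, or None.
    Uses s_{im+j} = s_{im} * phi^{im}(s_j): baby steps tabulate s_j, each
    giant step peels s_{im} and phi^{im} off h and looks the remainder up."""
    m = isqrt(bound) + 1
    baby, s, x, Mm = {}, IDENT, g, IDENT
    for j in range(m):
        baby.setdefault(s, j)
        s, x, Mm = mat_mul(s, x), conj(x, M), mat_mul(Mm, M)
    s_m = s                          # s_m; Mm is now the matrix of phi^m
    big, Mim = IDENT, IDENT          # s_{im} and the matrix of phi^{im}
    for i in range(m):
        Mim_inv = mat_inv(Mim)
        c = conj(mat_mul(mat_inv(big), h), Mim_inv)   # phi^{-im}(s_{im}^{-1} h)
        if c in baby:
            return i*m + baby[c]
        big = mat_mul(big, conj(s_m, Mim))            # s_{(i+1)m}
        Mim = mat_mul(Mim, Mm)
    return None

if __name__ == "__main__":
    g, M = (2, 3, 1, 4), (1, 1, 0, 1)    # constructed toy instance
    h = sdlp_power(g, M, 57)
    print(sdlp_bsgs(g, M, h, 100))       # recovers an n with s_n == h
```

The search costs about \(2\sqrt{\text{bound}}\) group operations instead of the linear scan, which is the point of the Baby-Step Giant-Step shape; with conjugation as the automorphism the instance is also exactly the linear-algebraic case the abstract refers to.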
Notes
1. Interestingly, this method is somewhat similar to the “linear decomposition” attacks presented in the analysis of SDPKE.
2. The situation is actually slightly more complicated than this, as we will see.
3. Note that the dimension of the representation implied by Cayley’s theorem is rather large. For the groups we are interested in we will have to work harder than this to find lower-dimensional linear representations.
References
László Babai and Robert Beals. A polynomial-time theory of black box groups I. London Mathematical Society Lecture Note Series, pages 30–64, 1999.
László Babai, Robert Beals, and Ákos Seress. Polynomial-time theory of matrix groups. In Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing (STOC ’09), pages 55–64, New York, NY, USA, 2009. Association for Computing Machinery.
László Babai, Gene Cooperman, Larry Finkelstein, Eugene Luks, and Ákos Seress. Fast Monte Carlo algorithms for permutation groups. In Proceedings of the Twenty-Third Annual ACM Symposium on Theory of Computing, pages 90–100, 1991.
László Babai and Endre Szemerédi. On the complexity of matrix group problems I. In 25th Annual Symposium on Foundations of Computer Science, pages 229–240. IEEE, 1984.
Reinhold Baer. Der reduzierte Rang einer Gruppe. Journal für die reine und angewandte Mathematik, 214/215:146–173, 1964. URL http://eudml.org/doc/150612
Christopher Battarbee, Delaram Kahrobaei, Ludovic Perret, and Siamak F. Shahandashti. A subexponential quantum algorithm for the semidirect discrete logarithm problem, 2023.
Christopher Battarbee, Delaram Kahrobaei, Ludovic Perret, and Siamak F. Shahandashti. SPDH-Sign: Towards efficient, post-quantum group-based signatures. In Thomas Johansson and Daniel Smith-Tone, editors, Post-Quantum Cryptography, pages 113–138, Cham, 2023. Springer Nature Switzerland.
Christopher Battarbee, Delaram Kahrobaei, and Siamak F. Shahandashti. Semidirect product key exchange: The state of play. Journal of Algebra and Its Applications, page 2550066, 2023.
Alexandre Borovik and Şükrü Yalçınkaya. Steinberg presentations of black box classical groups in small characteristics, 2013.
Alexandre Borovik and Şükrü Yalçınkaya. Natural representations of black box groups encrypting \(SL_2(\mathbb{F}_q)\), 2020.
Alexander Bors. A bound on element orders in the holomorph of a finite group, 2015.
Peter A. Brooksbank. Fast constructive recognition of black box symplectic groups. Journal of Algebra, 320(2):885–909, 2008.
Peter A. Brooksbank. Fast constructive recognition of black-box unitary groups. LMS Journal of Computation and Mathematics, 6:162–197, 2003.
Peter A. Brooksbank and William M. Kantor. Fast constructive recognition of black box orthogonal groups. Journal of Algebra, 300(1):256–288, 2006.
Peter A. Brooksbank and William M. Kantor. On constructive recognition of a black box \(PSL(d, q)\). Groups and Computation, 3:95–111, 1999.
Daniel Brown, Neal Koblitz, and Jason Legrow. Cryptanalysis of ‘MAKE’. J. Math. Cryptol., 16(1):98–102, 2015.
Andrew M. Childs and Gábor Ivanyos. Quantum computation of discrete logarithms in semigroups. J. Math. Cryptol., 8(4):405–416, 2014.
Marston Conder and Charles R. Leedham-Green. Fast recognition of classical groups over large fields. Groups and Computation, III (Columbus, OH, 1999), 8:113–121, 2001.
Marston Conder, Charles R. Leedham-Green, and Eamonn O’Brien. Constructive recognition of \(PSL(2, q)\). Trans. Amer. Math. Soc., 358(3):1203–1221, 2006.
John H. Conway, Robert T. Curtis, Simon P. Norton, Richard A. Parker, and Robert A. Wilson. Atlas of Finite Groups. Oxford University Press, Eynsham, 1985.
Heiko Dietrich, Charles R. Leedham-Green, and Eamonn A. O’Brien. Effective black-box constructive recognition of classical groups. Journal of Algebra, 421:460–492, 2015.
Daniel Gorenstein, Richard Lyons, and Ron Solomon. The Classification of Finite Simple Groups, Number 3, Part I. American Mathematical Society, Providence, RI, 1998.
Dima Grigoriev and Vladimir Shpilrain. Tropical cryptography II: extensions by homomorphisms. Communications in Algebra, 47(10):4224–4229, 2019.
Maggie Habeeb, Delaram Kahrobaei, Charalambos Koupparis, and Vladimir Shpilrain. Public key exchange using semidirect product of (semi)groups. In International Conference on Applied Cryptography and Network Security, pages 475–486. Springer, 2013.
Muhammad Imran and Gábor Ivanyos. Efficient quantum algorithms for some instances of the semidirect discrete logarithm problem. Designs, Codes and Cryptography, 2024.
Gábor Ivanyos, Frédéric Magniez, and Miklos Santha. Efficient quantum algorithms for some instances of the non-abelian hidden subgroup problem. In Proceedings of the 13th Annual ACM Symposium on Parallel Algorithms and Architectures, pages 263–270, 2001.
Sebastian Jambor, Martin Leuner, Alice C. Niemeyer, and Wilhelm Plesken. Fast recognition of alternating groups of unknown degree. Journal of Algebra, 392:315–335, 2013.
Delaram Kahrobaei and Vladimir Shpilrain. Using semidirect product of (semi)groups in public key cryptography. In Arnold Beckmann, Laurent Bienvenu, and Nataša Jonoska, editors, Pursuit of the Universal, pages 132–141, Cham, 2016. Springer International Publishing.
W. M. Kantor and K. Magaard. Black box exceptional groups of Lie type. Trans. Amer. Math. Soc., 365(9):4895–4931, 2013.
W. M. Kantor and K. Magaard. Black box exceptional groups of Lie type II. Journal of Algebra, 421:524–540, 2015.
William M. Kantor and Martin Kassabov. Black box groups isomorphic to \(PGL(2, 2^e)\). Journal of Algebra, 421:16–26, 2015.
Wolfgang Kimmerle, Richard Lyons, Robert Sandling, and David N. Teague. Composition factors from the group ring and Artin’s theorem on orders of simple groups. Proceedings of the London Mathematical Society, 3(1):89–122, 1990.
Stefan Kohl. A bound on the order of the outer automorphism group of a finite simple group of given order, 2003. Available at https://stefan-kohl.github.io/preprints/outbound.pdf
Charles R. Leedham-Green. The computational matrix group project. Groups and Computation, 3:229–248, 2001.
Andrew Mendelsohn, Edmund Dable-Heath, and Cong Ling. A Small Serving of Mash: (Quantum) Algorithms for SPDH-Sign with Small Parameters. Cryptology ePrint Archive, Paper 2023/1963, 2023. URL https://eprint.iacr.org/2023/1963
Chris Monico. Remarks on MOBS and cryptosystems using semidirect products, 2021.
Chris Monico and Ayan Mahalanobis. A remark on MAKE – a Matrix Action Key Exchange, 2020.
Alexei Myasnikov and Vitaliĭ Roman’kov. A linear decomposition attack. Groups Complexity Cryptology, 7(1):81–94, 2015.
NIST. Post-Quantum Cryptography Standardization, 2017. URL https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
Eamonn A. O’Brien. Algorithms for matrix groups. London Math. Soc. Lecture Note Ser., 388:297–323, 2011.
Nael Rahman and Vladimir Shpilrain. MAKE: A matrix action key exchange. J. Math. Cryptol., 16(1):64–72, 2022.
Nael Rahman and Vladimir Shpilrain. MOBS (Matrices Over Bit Strings) public key exchange. Cryptology ePrint Archive, Paper 2021/560, 2021. URL https://eprint.iacr.org/2021/560
Vitaliĭ Roman’kov. Linear decomposition attack on public key exchange protocols using semidirect products of (semi)groups, 2015.
Martin Seysen. Python implementation of the Monster group. GitHub repository, 2024. URL https://github.com/Martin-Seysen/mmgroup
Daniel Shanks. Class number, a theory of factorization, and genera. In Proceedings of Symposia in Pure Mathematics, 1971.
Peter W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pages 124–134, 1994.
Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor, Advances in Cryptology – EUROCRYPT ’97, pages 256–266, Berlin, Heidelberg, 1997. Springer Berlin Heidelberg.
Robert A. Wilson. The Finite Simple Groups, volume 251 of Graduate Texts in Mathematics. Springer, 2009.
Acknowledgments
This collaboration was initiated during the “Post-Quantum Group-Based Cryptography” workshop at the American Institute of Mathematics (AIM), April 29–May 3, 2024. The authors are indebted to the workshop organizers Delaram Kahrobaei and Ludovic Perret and the AIM team for bringing this group together and creating a stimulating and collaborative atmosphere.
We want to thank Ray Perlner for spotting problems in the reasoning of an earlier version of this paper, and bringing those to our attention. We would also like to thank Gábor Ivanyos, with whom we had helpful correspondence. We also would like to acknowledge support by the following organizations: CB is supported by ONR Grant 62909-24-1-2002. GB is supported by SNSF Consolidator Grant CryptonIs 213766. DCST was partially supported by a grant from the Simons Foundation (712530, DCST). DJ is supported by an NSERC Alliance Consortia Quantum Grant (ALLRP 578463 – 22). LM is supported by an NSERC Canada Graduate Scholarship (Master’s). NH is supported by a gift from Google. RS is supported by NATO SPS project G5985. EP is supported by NCAE grant H98230-22-1-0328.
Appendix: Finding Maximal Normal Subgroups
The task of finding a maximal normal subgroup depends on the particular implementation of the black-box group G. In general, if we know the particular structure of the group G, we may be able to read a maximal normal subgroup off from it directly. This can be done even with little knowledge, since from any subgroup S we can construct the smallest normal subgroup containing it by computing the normal closure \(\langle S^G \rangle \) in linear time, as explained in [3].
In the literature, several techniques are known that solve this task more systematically by computing a composition series; the first term of the series below G is then the desired maximal normal subgroup. However, this branch of the literature typically aims for much stronger results, in particular without using quantum computers; we do not impose this limitation on ourselves. To perform this calculation with the aid of a quantum computer, we can:
- Use [25] if every non-abelian composition factor of G possesses a faithful permutation representation of degree polynomial in the input size;
- Otherwise, [1, Theorem 1.1] gives us a quasi-composition series for G. Note that [1] requires a superset of the primes dividing the group order |G| in order to compute the orders of group elements; with a quantum computer we can solve both of these tasks. This result provides a quasi-composition chain \(\{1\} \triangleleft G_{m-1} \triangleleft \cdots \triangleleft G_1 \triangleleft G\), and tells us whether \(G/G_1\) is abelian, or simple and non-abelian. In the latter case we have found a maximal normal subgroup \(N = G_1\). In the former case, if \(A = G/G_1\) has the unique encoding property, we can apply [26, Theorem 6] to it, since abelian groups are solvable, i.e. \(\nu (G) =1\), and the procedure runs in quantum polynomial time. In this way we obtain a maximal normal subgroup \(A_1 \triangleleft A\) from the composition series, and \(A_1 G_1\) is a maximal normal subgroup of G by the correspondence theorem. However, the general results of [1] do not immediately imply the unique-encoding property required, so additional work may be needed to solve this problem in the general case, even if it may be practical in more concrete cases.
In general, we do not expect that these problems should be of some fundamental computational difficulty. We leave the full resolution of the computation of maximal normal subgroups to further work.
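As an added illustration (not code from the paper), the normal-closure step described above for a group given by generators: starting from generators of S, conjugate by the generators of G and add whatever falls outside, until the result is closed. The textbook closure loop here is for small permutation groups only, not the linear-time method of [3]; all groups are constructed toy instances.

```python
# Added example: normal closure <S^G> in a small permutation group.
# Permutations on {0,...,n-1} are tuples p with p[i] = image of i.
# Toy instances only (constructed); not the paper's own code.

def compose(p, q):
    """(p o q)(i) = p[q[i]]: apply q first, then p."""
    return tuple(p[i] for i in q)

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def conjugate(g, h):
    """g h g^{-1}."""
    return compose(compose(g, h), inverse(g))

def generate(gens, n):
    """All elements of the subgroup generated by gens (simple closure)."""
    ident = tuple(range(n))
    seen, frontier = {ident}, [ident]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = compose(g, x)
            if y not in seen:
                seen.add(y)
                frontier.append(y)
    return seen

def normal_closure(s_gens, g_gens, n):
    """Elements of <S^G>: grow the generating set of S by G-conjugates of its
    generators until every such conjugate already lies in the subgroup.
    Conjugating generators by generators suffices for finite groups."""
    gens = list(s_gens)
    while True:
        H = generate(gens, n)
        new = [conjugate(g, h) for g in g_gens for h in gens
               if conjugate(g, h) not in H]
        if not new:
            return H
        gens.extend(new)

def is_normal(H, g_gens):
    return all(conjugate(g, h) in H for g in g_gens for h in H)
```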
Copyright information
© 2025 International Association for Cryptologic Research
Cite this paper
Battarbee, C. et al. (2025). On the Semidirect Discrete Logarithm Problem in Finite Groups. In: Chung, KM., Sasaki, Y. (eds) Advances in Cryptology – ASIACRYPT 2024. ASIACRYPT 2024. Lecture Notes in Computer Science, vol 15491. Springer, Singapore. https://doi.org/10.1007/978-981-96-0944-4_11
DOI: https://doi.org/10.1007/978-981-96-0944-4_11
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-0943-7
Online ISBN: 978-981-96-0944-4