Security Analysis of MOR using GL(2,R) ×

Christian Tobias

Justus Liebig University Giessen, Department of Mathematics

Arndtstrasse 2, 35392, Germany

Abstract. This paper cryptanalyses the MOR cryptosystem [6] when

the group GL(2,R) ×

proposed in [7] is used.

We show generic attacks on the system that work with every ring R.For

a concrete choice of R even stronger attacks may be possible.

Key words: MOR cryptosystem, cryptanalysis, conjugacy problem

1 Introduction

In 2001 Paeng, Ha, Kim, Chee and Park proposed a new cryptosystem based

on the diﬃculty of the discrete logarithm problem in the inner automorphism

group Inn(G)ofanon-abeliangroupG [6]. Later this system was named MOR

cryptosystem [7].

Theusednon-abeliangroupG has to be chosen very carefully not to under-

mine the security of the system. The ﬁrst proposal for G was the semi-direct

product group SL(2,ZZ

) ×

(see [6]). The authors themselves showed the

interrelation between MOR using SL(2,ZZ

)×

and MOR using SL(2,ZZ

Since the conjugacy and the special conjugacy problem can be eﬃciently solved

in SL(2,ZZ

), the security of MOR using SL(2,ZZ

) ×

could be reduced to

the hardness of the discrete logarithm problem in SL(2,ZZ

) (see [7]).

In 2003 a detailed analysis of MOR using SL(2,ZZ

) ×

[8] was published.

TheeﬃcientmodesofMORusingSL(2,ZZ

) ×

proved to be extremely

vulnerable to the presented attacks. In some cases an attacker is able to gain

information equivalent to the secret key.

In [7] Paeng, Kwon, Ha and Kim described how to construct a semi-direct prod-

uct group GL(2,R) ×

from a given ring isomorphism Φ : R → R and

proposed to use this group for the MOR cryptosystem. The purpose of this arti-

cle is to evaluate the level of security provided by MOR using GL(2,R) ×

Our analysis focusses on the impact of the hardness of the computational Diﬃe-

Hellman and the discrete logarithm problem in <Φ>on the security of MOR

using GL(2,R) ×

. We show that if the computational Diﬃe-Hellman prob-

lem can be solved eﬃciently in <Φ>, then the eﬃcient modes of MOR using

GL(2,R) ×

are vulnerable to chosen-ciphertext attacks. Furthermore, if

even the discrete logarithm problem can be solved eﬃciently in <Φ>,thenthe

secret key can be (partly) calculated from the public parameters.

The rest of this paper is organized as follows. In section 2 needed notations

Tobias C. (2004).

Security Analysis of MOR using GL(2, R) ×Îÿ ZZ n.

In Proceedings of the 2nd International Workshop on Security in Information Systems, pages 170-179

DOI: 10.5220/0002671201700179

 SciTePress

and deﬁnitions are described and the MOR cryptosystem is introduced. Sec-

tion 3 shows how to construct a semi-direct product group GL(2,R) ×

given a ring isomorphism Φ : R → R and how to apply this group to the

MOR cryptosystem. We further demonstrate that the discrete logarithm prob-

lem in Inn(GL(2,R) ×

) can be reduced to the discrete logarithm problem

in <Φ>. In section 4 we show that MOR using GL(2,R)×

is vulnerable to

chosen ciphertext attacks if the computational Diﬃe-Hellman problem in <Φ>

can be solved eﬃciently. In the ﬁnal section 5 the impact of the presented attacks

on the security of MOR using GL(2,R) ×

is discussed and directions for

future research are pointed out. The appendix brieﬂy describes how to solve the

special conjugacy problem (SCP) in GL(2,R) by solving simultaneous instances

of the conjugacy problem (CP) in GL(2,R).

Related Work: The conjugacy problem is considered a hard problem in braid

groups. There is no known polynomial time algorithm which solves the decisional

or the computational conjugacy problem in braid groups. For a detailed discus-

sion of cryptography on braid groups we refer to [1, 3, 5]. Other cryptosystems

using the conjugation map on matrix groups have been published by Yamamura

[9, 10]. The systems later were broken by Blackburn and Galbraith [2].

2 Framework and Deﬁnitions

Deﬁnition 1 (Semi-Direct Product Group). Let G and H be groups and

θ : H → Aut(G) be a homomorphism. The set G × H = {(g,h) | g ∈ G, h ∈ H}

together with the multiplication map

)(g

)=(g

θ(h

)(g

),h

)

is a group, called the semi-direct product G ×

H of G and H with respect to θ.

Deﬁnition 2 (The mapping Inn). Let G be a group. Then the mapping

Inn : G → Aut(G)

g → Inn(g)

is given by Inn(g)(h)=ghg

−1

We call Inn(g) an inner automorphism and Inn(G)={Inn(g) | g ∈ G} the

inner automorphism group. If G is an abelian group then Inn(g) is the identity

map for all g ∈ G and Inn(G) is trivial. Let {γ

} be a set of generators of G.

Since Inn(g) is a homomorphism, Inn(g) is totally speciﬁed for all m ∈ G if the

values {Inn(g)(γ

)} are given.

Deﬁnition 3 (center, centralizer). Let G be a group. The center Z(G) of G

is deﬁned as Z(G):={g ∈ G | xg = gx ∀x ∈ G}.

Let g ∈ G. The centralizer Z(g) of g is deﬁned as Z(g):={h ∈ G | hg = gh}.

Note that Z(G)=



g∈G

Z(g).

171

In the appendix the terms ”center” and ”centralizer” are also used for rings resp.

ring elements. For a ring R and ring elements r ∈ R we deﬁne Z(R):={r ∈ R |

sr = rs ∀s ∈ R} and Z(r):={s ∈ R | rs = sr}.

In some cases it may not be clear from the context which structure is referred

to, e.g. for g ∈ GL(2,R) ⊆ M (2,R) the cenralizer Z(g)intheringM (2,R)may

be diﬀerent from the centralizer Z(g) in the multiplicative group GL(2,R). In

this case the corresponding structure is added as an index, e.g. Z

M(2,R)

(g)=

{h ∈ M (2,R) | gh = hg} and Z

GL(2,R)

(g)={h ∈ GL(2,R) | gh = hg}.

Deﬁnition 4 (Conjugacy Problem). Let G be a group. For arbitrary x, y ∈ G

the conjugacy problem (CP) is to ﬁnd w ∈ G such that wxw

−1

= y.

Let w ∈ G be a solution of the instance (x, y) of the CP, i.e. wxw

−1

= y.Then

w · Z(x) is the solution set for instance (x, y).

Deﬁnition 5 (Special Conjugacy Problem). For a given ϕ ∈ Inn(G) the

special conjugacy problem is to ﬁnd an element g ∈ G satisfying Inn(g)=ϕ.

The solution set for instance Inn(g) of the special conjugacy problem is g ·Z(G).

In GL(2,ZZ

) the conjugacy problem is easy. To solve the special conjugacy prob-

lem in GL(2,ZZ

)twopairs(A

,Inn(A

)) and (A

,Inn(A

)) with A

/∈ Z(A

)

are needed (see [8] for details). A similar result holds for the group GL(2,R)of

invertible matrices over a commutative ring with identity R (see appendix A).

The MOR cryptosystem: MOR is an asymmetric cryptosystem with a ran-

dom value a as secret and the two mappings Inn(g)andInn(g

) (given as

{Inn(g)(γ

)} and {Inn(g

)(γ

)} for a generator set {γ

} of G) as corresponding

public key. The encryption process works as follows:

1. Alice expresses the plaintext m ∈ G as a product of the γ

2. Alice chooses a random b ∈

ord(Inn(g))

and computes (Inn(g

))

,i.e.

{(Inn(g

))

(γ

)}.

3. Alice computes E = Inn(g

)(m)=(Inn(g

))

(m).

4. Alice computes Φ = Inn(g)

, i.e. {Inn(g

)(γ

)}.

5. Alice sends the ciphertext C =(E, Φ) to Bob.

Decryption Process:

1. Bob expresses E as a product of the γ

2. Bob computes Φ

−a

, i.e. {Φ

−a

(γ

)}.

3. Bob computes m = Φ

−a

(E).

The MOR cryptosystem is very similar to the ElGamal cryptosystem [4]. The

Diﬃe-Hellman key establishment protocol is used to ﬁx a common inner auto-

morphism (Inn(g))

. The ciphertext of a message m ∈ G is the image of m

under Inn(g

)=(Inn(g))

In [6] no formal proof of security is given for the MOR system. If the discrete

logarithm problem is eﬃciently solvable in <Inn(g) >, then the secret key a can

be calculated from Inn(g),Inn(g

) which are part of the public key. However,

knowledge of the secret key is not necessary to attack the MOR cryptosystem

for certain non-abelian groups G (see [8] for details).

172

3 MOR using GL(2,R) ×

Let R be a commutative ring with identity and Φ : R → R be a (non-trivial) ring

isomorphism. Then GL(2,R)={





∈ M(2,R) | a

−a

is invertible}

is a (multiplicative) group. A group automorphism φ is induced by Φ:

φ : GL(2,R) → GL(2,R),





→



Φ(a

) Φ(a

)

Φ(a

) Φ(a

)



By setting θ(1) = φ we get a homomorphism θ : ZZ

→ Aut(GL(2,R)), i.e.

θ(k)=φ





→



) Φ

)

) Φ

)



We now examine MOR using the semi-direct product GL(2,R) ×

The conjugation map in GL(2,R) ×

Let (x, y), (m

) ∈ G ×

H. Then:

(x, y)(m

)(x, y)

−1

=(xθ(y)(m

)θ(m

)(x

−1

),m

)

Applied to the group G = GL(2,R) ×

and homomorphism θ we get for

(x, y), (m

) ∈ GL(2,R) ×

(x, y)(m

)(x, y)

−1

=(x · φ

) · φ

−1

),m

)

The choice of Φ:

Let G = GL(2,R) ×

and Φ, φ and θ as deﬁned above. Then

1. ord(Φ)=ord(φ)

2. θ(n)=Id

GL(2,R)

⇔ n ≡ 0(modord(Φ))

3. If (x, y), (x, ˆy) ∈ G,thenInn((x, y)) = Inn((x, ˆy)) ⇔ y ≡ ˆy (mod ord(Φ))

4. The homomorphism θ is well-deﬁned if and only if ord(Φ) | n.

Let (x, y) ∈ GL(2,R) ×

and (x, y)

=(ˆx, aby (mod n)) for some ˆx ∈

GL(2,R). Then a ciphertext of a message (m

) ∈ GL(2,R) ×

looks as

follows:

Inn((x, y)

)(m

)=(ˆxφ

aby

)φ

(ˆx

−1

),m

)

The values a, b, y ∈ ZZ

should have no common divisor with the order of ho-

momorphism φ.Otherwiseφ

aby

is no generator of the cyclic group <φ>.This

reduces the number of possible ciphertexts for a plaintext message (m

) ∈

GL(2,R) ×

. To avoid this problem, we suggest to choose n prime.

173

Extracting φ

from Inn(g):

We now show that given an inner automorphism Inn(g)forsomeg =(x, y) ∈

GL(2,R) ×

the group automorphism φ

can be calculated eﬃciently.

Step 1: To calculate φ

we make use of the fact that Φ

(0) = 0 and Φ

(1) = 1.

For a unimodular matrix m ∈ GL(2,R) (i.e. a matrix with entries only 0 and 1)

it follows that φ

(m)=m and we get

Inn(g)(m, 0) = (x, y)(m, 0)(x, y)

−1

=(x · φ

(m) · φ

−1

), 0)

=(x · m · x

−1

, 0)

This leads to an instance m, xmx

−1

of the conjugacy problem in GL(2,R). By

solving the two instances









−1

and









−1

of the

conjugacy problem in GL(2,R) simultaneously the special conjugacy problem

can be solved and an element ˆx ∈ GL(2,R)withInn(x)=Inn(ˆx)canbecal-

culated (see appendix A).

Step 2: For arbitrary m ∈ GL(2,R)weget

Inn(g)(m, 0) = (x, y)(m, 0)(x, y)

−1

=(x · φ

(m) · x

−1

, 0)

Since Inn(x)=Inn(ˆx)weknowthatˆx

−1

· x ∈ Z(GL(2,R)). The image of

martix m under φ

can be calculated as follows:

Inn(ˆx

−1

)(x · φ

(m) · x

−1

)=(ˆx

−1

x) · φ

(m) · (ˆx

−1

= φ

(m)

Using the same technique the homomorphism φ

can be calculated given Inn(g

Since Inn(g)andInn(g

) are part of the public key, the two ring homomor-

phisms φ

and φ

can be calculated eﬃciently. For the security of MOR using

GL(2,R) ×

it is necessary that the discrete logarithm problem is hard in

<φ>. Otherwise a (mod ord(φ)) can be calculated which gives partial infor-

mation of the secret key a.

4 Analysis of MOR using GL(2,R) ×

The most time consuming operations in the encryption and decryption process of

the MOR cryptosystem are the exponentiations in <Inn(g) >. The inner auto-

morphisms are given by the images of the generators γ

,...γ

of the used group

G. To calculate Inn(g

)(γ

), two steps are needed. In the ﬁrst step Inn(g)(γ

)

has to be expressed as a product of the generators γ

and in the second step the

corresponding images Inn(g)(γ

) have to be multiplied. Since 2 (resp. 1) expo-

nentiations in <Inn(g) > have to be calculated during the encryption (resp.

decryption) process, the MOR cryptosystem in its basic form is much too inef-

ﬁcient to be of practical interest.

Therefore a variant of MOR has been proposed [6] where the encryption expo-

nent b is used for multiple encryptions. Since the resulting encryption scheme

174

is deterministic, the authors of [6] recommend to use a probabilistic padding

scheme when ﬁxing the encryption exponent.

We now show that MOR using GL(2,R) ×

with ﬁxed encryption exponent

(even when the probabilistic padding scheme is used) is vulnerable to chosen

ciphertext attacks if the computational Diﬃe-Hellman Problem in <φ>can be

solved (eﬃciently). From Inn(g

) (which is part of the public key) and Inn(g

)

(which is part of the ciphertext) the homomorphisms φ

and φ

can be com-

puted. Solving the computational Diﬃe-Hellman problem yields φ

aby

Let c =(c

) ∈ GL(2,R) be a given challenge ciphertext of MOR using

GL(2,R) ×

. In a chosen ciphertext attack the attacker is assumed to have

access to a decryption oracle. He is allowed to send ciphertexts ˆc = c to the

oracle and gets the corresponding plaintext messages. A cryptosystem is secure

against chosen ciphertext attacks if such an attacker is not able to compute the

plaintext corresponding to c eﬃciently.

In our attack we make use of the fact that the encryption function Inn(g

)is

an automorphism, i.e. every d =(d

) ∈ GL(2,R) ×

is a valid ciphertext

of a (maybe unknown) message m =(m

) ∈ GL(2,R) ×

Let g =(x, y) ∈ GL(2,R) ×

.Then(x, y)

=(ˆx, aby (mod n)) for some

ˆx ∈ GL(2,R). Ciphertexts of MOR using GL(2,R) ×

are of the form

d =(d

)=(ˆx · φ

aby

) · φ

(ˆx

−1

),m

)

The attack consists of two steps. In the ﬁrst step an ¯x ∈ GL(2,R)withInn(ˆx)=

Inn(¯x) is computed. This element ¯x is used in the second step to decipher the

challenge ciphertext c.

Step 1: For every d

∈ GL(2,R)thevalue(d

, 0) ∈ GL(2,R) ×

is a valid

ciphertext of the (unknown) message (m

, 0) ∈ GL(2,R) ×

, 0) = (ˆx · φ

aby

) · ˆx

−1

, 0)

Sending (d

, 0) to the decryption oracle, the attacker gets the corresponding

plaintext message (m

, 0). Since we assumed that the attacker knows φ

aby

he is

able to compute φ

aby

). The values φ

aby

),d

=ˆx · φ

aby

) · ˆx

−1

form an

instance of the conjugacy problem in GL(2,R). Repeating this process generates

multiple simultaneous instances of the conjugacy problem in GL(2,R)whichcan

be used to solve the special conjugacy problem in GL(2,R) and get a group el-

ement ¯x ∈ GL(2,R)withInn(ˆx)=Inn(¯x) (see appendix A for details).

The oracle may not answer queries with zero as second component, because

GL(2,R) ×

{0} is isomorphic to GL(2,R) and the conjugacy problem is eﬃ-

ciently solvable in GL(2,R). In this case the attacker sends queries (d

,i), (

,i) ∈

GL(2,R) ×

with the same second component to the decryption oracle:

,i)=(ˆx · φ

aby

) · φ

(ˆx

−1

),i)

(

,i)=(ˆx · φ

aby

(ˆm

) · φ

(ˆx

−1

),i)

175

With the plaintext messages (m

,i), (ˆm

,i) ∈ GL(2,R) ×

and homomor-

phism φ

aby

the attacker can compute φ

aby

)· (φ

aby

(ˆm

))

−1

= φ

aby

· ˆm

−1

)

and d

·(

)

−1

=ˆx·φ

aby

· ˆm

−1

)·ˆx

−1

to get an instance of the CP in GL(2,R).

Step 2: Let (p

) be the plaintext message encrypted in the challenge cipher-

text c =(c

). Since ¯x =ˆx · z for a z ∈ Z(GL(2,R)) we get:

¯x

−1

· c

· φ

(¯x)=¯x

−1

· (ˆx · φ

aby

) · φ

(ˆx)) · φ

(¯x)

= φ

aby

) · z

−1

· φ

(z)

Only one oracle query is necessary to calculate z

−1

·φ

(z). The attacker chooses

a c

= c

∈ GL(2,R)andsends(c

) to the oracle. If ˆm is the answer of the

oracle, the attacker gets z

−1

· φ

(z) as follows:

· (φ

(¯x)φ

aby

(ˆm

−1

)¯x

−1

)=(ˆxφ

aby

(ˆm)φ

(ˆx

−1

)) · (φ

(¯x)φ

aby

(ˆm

−1

)¯x

−1

)

=ˆxφ

aby

(ˆm)φ

(ˆx

−1

)φ

(ˆxz)φ

aby

(ˆm

−1

)(ˆxz)

−1

= z

−1

· φ

(z)

Now the attacker can compute φ

aby

Step 3: If the knowledge of φ

aby

is not suﬃcient to compute p

from φ

aby

thedecryptionoracleisusedtocomputepreimagesunderφ

aby

. To obtain the

preimage of φ

aby

) the attacker sends

, 0) = (¯x · φ

aby

) · ¯x

−1

, 0) = (ˆx · φ

aby

) · ˆx

−1

, 0)

as query to the decryption oracle. The oracle reply equals the wanted preim-

age. If the oracle does not answer queries with zero as second component the

value ¯x · φ

aby

) · ¯x

−1

can be expressed as ¯x · φ

aby

) · ¯x

−1

= e

· ˆe

−1

for

, ˆe

∈ GL(2,R)and(e

,i)and(ˆe

,i) can be sent to the oracle. If a

and ˆa

are the oracle’s answers, the desired preimage is p

= a

· ˆa

−1

(see also step 1

forasimilarargument).

Using a randomised padding scheme: In [6] the authors propose to use a

probabilistic padding scheme when ﬁxing the encryption exponent. The plain-

text message m ∈ R is embedded in GL(2,R) by choosing a random matrix

M =





∈ GL(2,R)withm

= m. After that the encryption function

Inn(g

)isappliedtoM .

In [8] it has been shown that MOR using SL(2,ZZ

)×

is insecure even if the

randomised padding scheme is used: Two pairs consisting of plaintext and cor-

responding ciphertext are suﬃcient to calculate Inn(g

). The same techniques

can be applied to step 1 of our attack to calculate an element ¯x ∈ GL(2,R)with

Inn(ˆx)=Inn(¯x).

The ﬁrst part of step 2 also works if the described padding scheme is used, i.e.

aby

) · z

−1

· φ

(z) can be calculated. The second part of step 2 has to be

176

changed slightly: On input (c

) the decryption oracle outputs only the (1, 1)-

component of ˆm. The other entries of matrix ˆm are not known to the attacker.

Since Z(GL(2,R)) = {c · Id | c ∈ R, c invertible},thevaluez

−1

· φ

(z)isofthe

form z

−1

· φ

(z)=



r 0

0 r



for an invertible r ∈ R. In particular z

−1

· φ

(z) ∈

Z(GL(2,R)). For ˆm =



ˆm



we get

¯x

−1

· c

· φ

aby

(¯x)=(z

−1

ˆx

−1

) · (ˆxφ

aby

(ˆm)φ

(ˆx

−1

)) · (φ

(ˆxz))

= φ

aby

(ˆm) · z

−1

· φ

(z)



r · ˆm



The value ˆm

can be obtained by sending (c

) to the decryption oracle. If r

cannot be calculated given ˆm

and r · ˆm

this process has to be repeated with a

diﬀerent value c

Step 3 also works when the randomised padding scheme is used but has to

be carried out for every single component, i.e. to compute the preimage of

aby



aby

) Φ

aby

)

aby

) Φ

aby

)



step 3 is used to ﬁnd preimages of d

∈ GL(2,R),

1 ≤ i ≤ 4, where the (1, 1)-component of d

equals Φ

aby

5 Conclusion

We showed that MOR using GL(2,R) ×

with ﬁxed encryption exponent

is vulnerable to chosen ciphertext attacks if the computational Diﬃe-Hellman

Problem is easy in <Φ>. The presented attacks still work if the randomised

padding scheme of [6] is used. They do not work if the encryption exponent b is

randomly chosen for every plaintext to be encrypted. However, in this case two

exponentiations in <Inn(g) > have to be calculated during the encryption and

one during the decryption process. The resulting cryptosystem is too ineﬃcient

to be of practical interest.

Our results show that the hardness of the discrete logarithm problem (DLP) in

<Φ>is essential for the security of all modes of MOR (even when the encryp-

tion exponent b is chosen randomly and independently for every plaintext to be

encrypted). The DLP in <Φ>is much easier than the DLP in <Inn(g) >

(which has to be solved to calculate the secret key given the public key). It may

be more appropriate to use a variant of the ElGamal cryptosystem [4] using the

cyclic group <Φ>. The resulting cryptosystem would be provable secure and

more eﬃcient than MOR using GL(2,R) ×

All attacks are generic attacks, i.e. they work for every ring R and every homo-

morphism Φ. For certain choices of R and Φ there may be even stronger attacks.

It is a task for future reserach to ﬁnd a non-abelian group suitable for the use

with the MOR cryptosystem.

177

References

1. I. Anshel, M. Anshel, D. Goldfeld, ”An Algebraic Method for Public-Key Cryp-

tography”, Mathematical Research Letters, 6 (1999), pp. 287-291

2. S. Blackburn, S. Galbraith, ”Cryptanalysis of two cryptosystems based on group

action”, Advances in Cryptology - Asiacrypt 1999, LNCS 1716, pp. 52-61

3. P. Dehornoy, ”Braid-based cryptography”, Preprint, University of Caen, 2003,

http://matin.math.unicaen.fr/∼dehornoy/papers.html

4. T. ElGamal, ”A public key cryptosystem and a signature scheme based on discrete

logarithms”, IEEE Transactions on Information Theory, Volume 31, 1985, pp.

469-472

5. K. H. Koo, S. J. Lee, J. H. Cheon, J. W. Han, J. Kang, C. Park, ”New Public-

Key Cryptosystem Using Braid Groups”, Advances in Cryptology - Crypto 2000,

LNCS 1880, pp. 166-183

6. S.-H. Paeng, K.-C. Ha, J. H. Kim, S. Chee, C. Park, ”New Public Key Cryptosys-

tem Using Finite Non Abelian Groups”, Advances in Cryptology - Crypto 2001,

LNCS 2139, pp. 470-485

7. S.-H. Paeng, D. Kwon, K.-C. Ha, J. H. Kim, ”Improved public key cryptosys-

tem using ﬁnite non abelian groups”, IACR EPrint-Server, Report 2001/066,

http://eprint.iacr.org/2001/066

8. C. Tobias, ”Security Analysis of the MOR Cryptosystem”, 6th International

Workshop on Practice and Theory in Public Key Cryptography, PKC 2003, LNCS

2567, pp. 175-186

9. A. Yamamura, ”Public key cryptosystems using the modular group”, 1st Interna-

tional Public Key Cryptography Conference PKC 1998, LNCS 1431, pp. 203-216

10. A. Yamamura, ”A functional cryptosystem using a group action”, 4th Australian

Information Security and Privacy Conference, ACISP 1999, LNCS 1587, pp. 314-

325

A The Special Conjugacy Problem in GL(2,R)

Let Inn(g):GL(2,R) → GL(2,R) be a public inner automorphism. We assume

that Inn(g) is given as a black box, i.e. an attacker is able to calculate images

under Inn(g) but does not know the used g ∈ GL(2,R). This approach assures

that our calculations are independent of the presentation of Inn(g). We now

show that the special conjugacy problem is eﬃciently solvable in GL(2,R).

Let B, C,X ∈ GL(2,R)andB,XBX

−1

B =





and C, XCX

−1

C =



ˆc



be two simultaneous instances of the conjugacy problem in GL(2,R).

Let

X ∈ GL(2,R) be a solution of these two instances. Then

X = Z · X with





= Z ∈ Z(

B) ∩ Z(

C). By comparing the components of Z ·

B · Z and

Z ·

C · Z we get:

Since

X could also be expressed as

X = X ·

Z for a

Z ∈ Z(B) ∩ Z(C), the following

paragraph is also true if

and ˆc

are replaced by b

and c

. In particular B ∈

Z(C) ⇔

B ∈ Z(

C).

178

– z

(ˆc

−

ˆc

)=0andz

(ˆc

−

ˆc

)=0

– z

(ˆc

(

−

) −

(ˆc

− ˆc

)) = 0 and z

(ˆc

(

−

) −

(ˆc

− ˆc

)) = 0

– z

(ˆc

(

−

) −

(ˆc

− ˆc

)) = 0 and z

(ˆc

(

−

) −

(ˆc

− ˆc

)) = 0

If ˆc

ˆc

,ˆc

(

−

(ˆc

− ˆc

)and ˆc

(

−

(ˆc

− ˆc

), then

B ∈ Z(

C). Therefore, were

C ∈ GL(2,R) chosen such that

B/∈ Z(

C), one of

the equations has to be false and z

and z

are zero divisors.

C ∈ GL(2,R) where chosen such that ˆc

−

ˆc

,ˆc

(

−

)−

(ˆc

− ˆc

)or

ˆc

(

−

) −

(ˆc

− ˆc

) is no zero divisors it further follows that z

= z

=0.If

one of the ring elements

,ˆc

or ˆc

is no zero divisor, then Z =



0 z



for a

∈ R.SinceZ ·M = M ·Z for all M ∈ M(2,R), we get that Inn(X)=Inn(

X),

i.e.

X ∈ GL(2,R) is a solution of the instance Inn(X) of the special conjugacy

problem in GL(2,R).

We now show that a simultaneous solution of these two instances can be calcu-

lated eﬃciently. The equations XBX

−1

B and XCX

−1

C are equivalent to

XB =

BX and XC =

CX.IfB/∈ Z(C)thisyieldstoasystemofthreelinear

equations. In the presented attack in section 4 the elements

C ∈ GL(2,R)

canbechosenfreely.If

is invertible, the obtained system of linear equations

is equivalent to:

−b

· x

−

· x

−

· x

−b

· x

(ˆc

− c

− ˆc

−b

) · x

− (c

− ˆc

) · x

For arbitrary r ∈ R this system is solved by x

= k

·r, x

= k

·r, x

= k

·r and

= k

·r where k

=ˆc

−c

− ˆc

−b

, k

=(c

− ˆc

)·k, k

·k

−

−b

·k

and k

· k

−

−b

· k

If either

− ˆc

(ˆc

− c

) − ˆc

(

− b

)isnozerodivisor,





∈ GL(2,R)and





=



ˆrk



for r, ˆr ∈ R with r =ˆr, i.e. we get | R |

distinct solutions. In this case we further know that





∈ GL(2,R)if

and only if r ∈ R is no zero divisor.

Since X ∈ GL(2,R), the equation XB =

BX is equivalent to

B = XBX

−1

.For

an element

X ∈ M(2,R)with

XB =

X wegetthat(X

−1

X)B = B(X

−1

holds, i.e.

X = X · Z with Z ∈ Z

M(2,R)

(B).

Thus, the simultaneous solutions (in M(2,R)) of the equations XB =

BX and

XC =

CX are of the form Z · X where Z ∈ Z

M(2,R)

(

B) ∩ Z

M(2,R)

(

C). If

C ∈ GL(2,R) were chosen such that Z

M(2,R)

(

B)∩Z

M(2,R)

(

C)=Z(M(2,R)),

there are | Z(M(2,R)) |=| R | many solutions, i.e. all solutions are given by

= k

· r, x

= k

· r, x

= k

· r and x

= k

· r with r ∈ R.

179