Characterization of conjugate powers of a matrix Amit Kalele and Virendra Sule Defense and Homeland Security Group Computational Research Laboratories, Pune, India 1

Introduction

This paper solves the problem of characterizing conjugate powers of a matrix over a field. If F → K is an algebraic field extension with the minimal polynomial h in F [X] then the roots of h in K are known as conjugates. In the case of finite fields all conjugates are obtained by Frobenius mapping on any one root. To formulate the analogous problem for matrices, let A be a matrix over GLn (F) with its minimal polynomial h(X) in F[X]. Then all matrices B in GL(n, F) which have the same minimal polynomial h(X) can be called conjugates of A. The question which of these conjugates are powers of A assumes significance in cryptography. It is shown in [2, 3] that for the Diffie Hellman (DH) key exchange scheme formulated over a cyclic subgroup hAi of GLn (F), when the powers Ak as public keys are conjugate to A called conjugate powers, then the Diffie Hellman problem (DHP) can be solved in polynomial time without explicit computation of the discrete log (DL) i.e. k from the knowledge of Ak . This creates what is known as an instance of gap DH scheme which has many applications in public key cryptography. Presently such gap instances are known to be possible using special elliptic curves and it is of practical interest to determine such instances over other groups. Hence the problem of characterizing conjugate powers of a matrix, showing instances of large number of conjugates and developing algorithms for generation of such conjugates is of interest to cryptographic application. Instances of examples of matrices A over finite fields having conjugate powers are shown in [2] however the problem of their characterization and generation had remained unanswered. This papers answers these problems. Further description of cryptographic problems associated with the DH scheme and conjugates are out of scope of this paper and shall be given elsewhere. The problem of characterizing conjugate powers is simple enough to describe and addresses the investigation of parameters when conjugate powers exist hence we restrict this paper to this limited aim. Although mathematically the problem statement can be made over arbitrary fields we restrict to only finite fields due to practical reasons. Formally stated we shall solve Problem 1. Given a matrix A ∈ GLn (F), where F is a finite field. Characterize all powers Ak which are conjugate to A For further simplification we assume that the matrix A has distinct characteristic roots (the roots of its characteristic polynomial over a splitting field extension of F. This condition 1

2 Relationship of conjugate powers with Characteristic roots

2

is even stronger than diagonalizability of A over the extension field. (It is well known [4] that for matrices which are not diagonalizable, the DL problem is easy. Hence such matrices are of no interest in the DH scheme). In the next section we present an initial result and the necessary condition which fixes the structure of characteristic roots of matrix A. Subsequently we state and prove the necessary and sufficient condition, which characterizes all the conjugates of a matrix A.

2

Relationship of conjugate powers with Characteristic roots

Consider the cyclic subgroup hAi generated by a matrix A ∈ GLn (F). Let N denote the order of hAi and h(A, x) ∈ F[x] denote the minimal polynomial of A. Lemma 1. The matrix Ak is conjugate to A iff Ak has same characteristic roots as that of A. Q Proof. Let h(A, x) = ni=1 (x − ai ) with ai ’s as distinct characteristic roots. If Ak also has same characteristic roots as that of A , which are also Qn distinct by our assumption, then the k k k minimal polynomial h(A , x) of A is h(A , x) = i=1 (x − ai ), which is same as h(A, x). Hence Ak is conjugate to A. Conversely if A and Ak are conjugates then both the matrices have same minimal polynomial. Since A hasQdistinct characteristic roots, the minimal polynomial h(A, x) of A is given by h(A, x) = ni=1 (x − ai ). Since h(A, x) = h(Ak , x), it follows that A and Ak have same characteristic roots. The next result shows a special way in which the conjugate powers of A are related to the characteristic roots of A. Let σ ∈ Sn be a permutation having a cyclic decomposition σ = C1 C2 · · · Cm . We call length li of Ci a divisor of σ. Theorem 1. If Ak is conjugate for some k then there exists a permutation σ ∈ Sn such that the divisors li of σ divides φ(N ) and k ∈ ∩m i=1 0(N, li )

(1)

0(N, li ) = { bφ(N )/li : b ∈ Z∗φ(N ) }

(2)

where the set 0(N, li ) is defined as

Proof. Since the characteristic roots of Ak are k th power of characteristic roots ai , for i = 1 · · · n of matrix A and if Ak is a conjugate then from above lemma 1 it follows that Ak has same roots as that of A and since there is a permutation σ ∈ Sn such that (ai )k = aσ(i) for i = 1 to n Let σ be such a permutation associated with a k such that Ak is a conjugate power and let σ have a cycle of length l ( a divisors of σ). Then after a suitable re indexing of ai ’s, Ak has a cycle of characteristic roots (a1 )k = a2 , (a2 )k = a3 · · · (al )k = a1

3 Necessary and Sufficient condition

3

and we get l

(a1 )k = a1 Hence it follows that k l ≡ 1 mod N . This implies that k is lth root of unity in the group Z∗N , which has order φ(N ) and l divides φ(N ). Since this must hold for all the divisors li of σ, the result follows. It follows from the above proof that if Ak is conjugate to A for some k then A will have the characteristic roots of the following form: 2

l −1

a1 , a1 k , a1 k , · · · a1 k 1 2 l −1 a1 , a2 k , a2 k , · · · a2 k 2 .. . 2

am , am k , am k , · · · am k

(3)

lm −1

where li ’s are cycle lengths of the permutation σ associated with k.

3

Necessary and Sufficient condition

The above result forms the necessary condition for matrices Ak and A to be the conjugates and also fixes the relationship of the characteristic roots of A with that of k. In what follows, we state and prove the necessary and sufficient condition for matrices A and Ak to be conjugate for some k. Theorem 2. Ak is conjugate to A iff for the distinct characteristic roots of A described in (3) the power k satisfies k l ≡ 1 mod N (4) where l = gcd(l1 , l2 , · · · lm ) and li ’s are lengths of disjoint cycles of permutation σ. Proof. We first prove the sufficiency. Let the matrix A has distinct characteristic roots of the form described in equation (3) and let k satisfies equation (4). Then the characteristic roots 2 l −1 of matrix Ak will be k th power of characteristic roots of A, which are {ak1 , ak1 , · · · , (ak1 1 )k } l −1 l and so on for a2 upto am . Then (a1k 1 )k = ak1 1 and since k l ≡ 1 mod N , and l1 is multiple l of l, it implies that ak1 1 = a1 . This shows that the first set of characteristic roots remains unchanged under exponentiation by k. Similarly this can be proved for other set a2 upto am . This implies that Ak has the same characteristic roots as that of A. Hence it follows from Lemma 1 that the matrices A and Ak have the same minimal polynomial and are conjugates. The necessary condition follows from the Corollary 1 If Ak is conjugate to A then k ∈ ∩m i=1 0(N, li ) This implies that k is li th root of unity for i = 1, . . . , m in Z∗N . That means k li ≡ 1 mod N for i = 1, . . . , m. Hence it follows that k l ≡ 1 mod N , where l = gcd(l1 , l2 , . . . lm ).

4 Conclusion

4

The above results allows us to generate matrices and their conjugate powers. In what follows, we present an algorithm to generate such matrices of desired size over a given finite field. Let F be a finite field with characteristics p and n is the desired size of a matrix. The following algorithms outputs a matrix and its conjugate powers. In the algorithm the set ∆(p − 1) denotes the set of divisors of p − 1 and the set ω(n, N ) is the set of nth roots of unity in Z∗N , i.e., ∆(p − 1) = {2 ≤ d : d divides p − 1} and ω(n, N ) = {a ∈ Z∗N : an = 1}.

(5)

Algorithm 1 Algorithm for generating a matrix A and its conjugate powers INPUT: Finite field F, p and Size n of matrix. OUTPUT: Matrix A and its conjugate powers. 1: Initialize: N = 2 ∈ ∆(p − 1) 2: while ∆(p − 1) 6= ∅ do 3: while ω(n, N ) 6= ∅ do 4: Choose k ∈ ω(n, N ) 5: Choose α primitive element α of F∗ n−1 6: Set matrix Λ = diag(α, αk , . . . , αk ). 7: Choose a random T ∈ GLn and set A = T −1 ΛT . 8: Return A and k i for i = 0 · · · n − 1. 9: end while 10: end while Using the above algorithm for smaller n, it would be easy to construct larger matrices with diagonal block of sizes n1 , n2 . . . etc. The complexity of the above algorithm depends on the computation of the nth roots of unity in Z∗N . These roots can be computed once the prime factorization of N is known. The roots of unity can be computed in Z∗pi , where pi ’s are distinct prime factors of N , and the final result can be obtained using chinese reminder theorem. We present an example of a matrix A and its conjugates powers. Example: Let the finite field be Fp with p = 1630049, then for the matrix A = diag{3, 1306629, 485198, 775804, 1039947, 914655} Then k = 767, 1324415, 282655 are examples of conjugate powers.

4

Conclusion

In this short paper we proved a characterization of conjugate powers of a non-singular matrix over finite field Fp . We also presented an algorithm to compute such conjugate powers. These results assume significance because it is shown in [2] and [3] that the discrete log problem in GLn can be solved easily when the public/private keys involved therein are conjugate powers.

4 Conclusion

5

Acknowledgements We are thankful to Habeeb for the discussions and his comments.

References [1] W. Diffie and M. Hellman, “New directions in cryptography”, IEEE Trans. on Information Theory, vol. 22, pp. 644-654, 1976. [2] A. A. Kalele and V. R. Sule, “Weak keys of the Diffie Hellman key exchange I”, Cryptology ePrint Archive, 2005/024. http://eprint.iacr.org/2005/024. [3] A. A. Kalele, “Singular Diffie-Hellman problems and their applications over GLm ”, PhD Thesis, IIT Bombay [4] A. J. Menezes and Yi-Hong Wu, “The discrete logarithm problem in GLn”, ARS Combinotoria, vol. 47 pp. 23-32, 1998.