Double shielded Public Key Cryptosystems

Double shielded Public Key Cryptosystems

∗

Xiaofeng Wang, Chen Xu

†

, Guo Li, Hanling Lin and Weijian Wang

School of Mathematics, Shenzhen University Shenzhen 518060, P. R. China

Abstract. By introducing extra shields on Shpilrain and Ushakov’s Ko-Lee-like protocol based on the decomposition problem of group elements we propose two new key exchange schemes and then a number of public key cryptographic protocols. We show that these protocols are free of known attacks. Particularly, if the entities taking part in our protocols create their private keys composed by the generators of the Mihailova subgroups ofBn, we show that the safety of our protocols are very highly guarantied by the

insolvability of subgroup membership problem of the Mihailova subgroups.

Key words: public key protocol, braid group, subgroup membership problem, quantum computa-tional attack

1

Introduction

In 2000, Ko et al proposed a key exchange scheme (called Ko-Lee Scheme) in [30] based on the conjugacy search problem in Braid groups. Followed then braid groups have been intensively taken as platforms by people to set up public key mechanisms (see [3, 9, 15, 33, 45, 47, 48, 49, 51, 52] for references). However, people also found a number of attacks on these protocols, for examle, the length based attack [29, 34, 26, 21, 39, 40], the Burau representation attack [28, 34, 35], the Lawrence-Krammer representation attack [10, 32], the super summit set attack [18], and the Ultra summit set attack [22]. Based on decomposition problem (DP, see [53]) in groups people also suggested a number of public key cryptographic schemes [9, 44] which actually are the generalizations of Ko-Lee scheme. Unfortunately, there are also some cryptanalyses [10, 39] on these schemes.

In this article, taking a non-abelian infinite group as a platform, we introduce a new technic by attaching extra shields on the exchange data during the interactive process setting up protocols. We show that with these enforced protections our proposed protocols are safe against all known attacks. In [53] we have given an explicit presentation of Mihailova subgroup of the group F2×F2 and therefore,

this Mihailova subgroup enjoys unsolvable subgroup menbership problem (GWP [53]). Collins [12] had shown that forn≥6 there are subgroups ofBn isomorphic toF2×F2. Therefore, in the application of

our proposed protocols if the entities take a braid groupBn with n≥ 12 as the platform and use the

generators of Mihailova subgroup ofBn which are translated from the explicit presentation of Mihailova

subgroup [53] to create their private keys, the correspondent protocol would be also free of the quantum computational attack (the attack based on Shor’s quantum computation algorithm [43]) due to the insolvability of subgroup membership problem of Mihailova subgroup of the groupF2×F2.

This paper is organized as follows. In Section 2, we propose a number of new public key crypt protocols by adding extra shields during the exchange procedures. In Section 3, we first present the translation into a braid group of the explicit presentation of a Mihailova subgroup given in [53], and then we suggest that a braid group is chosen to be the platform for our proposed protocols and propose two strategies of choosing private keys in the braid group where in one of the strategy we require that the

∗

Applications of the protection of intellectual property of all protocols proposed in this paper have been made to State Intellectual Bureau of China with patent application numbers: 201310382299.7 in 27/08/2013 and 201380001693.X in 04/12/2013, and made to Patent Cooperation Treaty(PCT) with international application numbers: PCT/CN2013/001119 in 22/09/2013 and PCT/CN2013/088475 in 04/12/2013.

†

private keys are created by the generators of Mihailova subgroups. Finally in section 4, we show that our protocols are free of the most known attacks and point out that security of the protocols setting up by taking the second strategy is in the very high level even against the quantum computational attack.

2

The shielded Ko-Lee-like schemes

Based on decomposition problem Shpilrain and Ushakov suggested the following key exchange pro-tocol in [44] (also see [9]). We will call this propro-tocol a Ko-Lee-like scheme since it would be traced back to Ko-Lee scheme in [30].

Shpilrain and Ushakov’s Ko-Lee-like protocol

(0) Alice and Bob agree on a nonabelian groupGand two subgroupsA, B ofG, such thatab=bafor any a∈Aand anyb∈B.

(1) Alice privately chooses two elements a1 ∈Aand b1 ∈B, a randomly chosen element g∈G, and

computesx=a1gb1. Alice then sends (x, g) to Bob.

(3) Bob privately chooses two elements a2∈A andb2∈B, and computesy=b2ga2 andk=b2xa2=

b2a1gb1a2. Bob then sendsy to Alice.

(4) Alice computesk0=a1yb1=a1b2ga2b1.

Sincea1b2=b2a1anda2b1=b1a2,k0=kwhich is then the shared key by Alice and Bob.

However, as they pointed out in [46] that if an attacker can solve the following decomposition problem (also see [53]) inG, he then is able to obtain the shared key.

Decomposition problemGiven an elementg of a groupG, two subsetsA, B⊆Gand an element

u=xgy∈Gwithx∈Aandy∈B, find elements x0∈Aandy0∈B such thatx0wy0=xwy.

Indeed, suppose that the attacker is able to solve the above problem inGto finda0 ∈Aandb0∈B

such that a0gb0 = a1gb1 and followed he can obtain the shared key by computing a0yb0 =a0b2ga2b0 =

b2a0gb0a2=b2a1gb1a2=k.

To avoid the above possible attack, in the following we proposed two new public key primitives by introducing extra ”shields” on the exchange data during the interactive process setting up protocols.

The shielded key exchange protocol 1

(0) Alice and Bob agree on a nonabelian group G, an randomly chosen element g ∈ G and two subgroupsA, B ofG, such thatab=ba for anya∈Aand anyb∈B.

(1) Alice chooses four elementsa1, a2, b1, b2∈A, computesx=b1a1ga2b2, and then sendsxto Bob.

(2) Bob chooses six elementsc1, c2, d1, d2, d3, d4∈B, computesy=d1c1gc2d2andw=d3c1xc2d4, and

then sends (y, w) to Alice.

(3) Alice chooses two elements b3, b4∈A, computesz=b3a1ya2b4 andu=b−11wb

−1

2 , and then sends

(z, u) to Bob.

(4) Bob sendsv=d−₁1zd−₂1 to Alice.

(5) Alice computesKA=b−31vb

−1 4 .

(6) Bob computes KB =d−31ud

−1

4 which is equal to KA and then is Alice and Bob’s common secret

key.

Proof of whyKB=KA:

Sincea1, a2, b1, b2, b3, b4∈A,c1, c2, d1, d2, d3, d4∈B,a1, a2, b1, b2, b3, b4commute withc1, c2, d1, d2, d3, d4

respectively, we have

KB = d−31ud

−1 4

= d−₃1b₁−1wb−₂1d−₄1

= d−₃1b−₁1d3c1xc2d4b−21d

−1 4

= b−₁1c1b1a1ga2b2c2b−21

and

KA = b−31vb

−1 4

= b−₃1d₁−1zd−₂1b−₄1

= b−₃1d−₁1b3a1ya2b4d−21b

−1 4

= d−₁1a1d1c1gc2d2a2d−21

= a1c1gc2a2=KB

The shielded key exchange protocol 2

(0) Alice and Bob agree on a nonabelian group G, an randomly chosen element g ∈ G and two subgroupsA, B ofG, such thatab=ba for anya∈Aand anyb∈B.

(1) Alice chooses four elements a1, b1 ∈A andc2, d2∈B, computes x=b1a1gc2d2, and then sendsx

to Bob.

(2) Bob chooses six elements a2, b2, b3 ∈ A and c1, d1, d3 ∈ B, computes y = d1c1ga2b2 and w =

d3c1xa2b3, and then sends (y, w) to Alice.

(3) Alice chooses two elements b4 ∈ Aand d4 ∈B, computesz =b4a1yc2d4 andu=b−11wd

−1 2 , and

then sends (z, u) to Bob.

(4) Bob sendsv=d−₁1zb−₂1to Alice.

(5) Alice computesKA=b−41vd

−1 4 .

(6) Bob computes KB =d−31ub

−1

3 which is equal toKAand then is Alice’s and Bob’s common secret

key.

Proof of whyKB=KA:

Also sincea1, a2, b1, b2, b3, b4∈A,c1, c2, d1, d2, d3, d4∈B,a1, a2, b1, b2, b3, b4commute withc1, c2, d1, d2, d3, d4

respectively, we have

KB = d−31ub

−1 3

= d−₃1b₁−1wd−₂1b−₃1

= d−₃1b−₁1d3c1xa2b3d−21b

−1 3

= b−₁1c1b1a1gc2d2a2d−21

= c1a1gc2a2

and

KA = b−41vd

−1 4

= b−₄1d₁−1zb−₂1d−₄1

= b−₄1d−₁1b4a1yc2d4b−21d

−1 4

= d−₁1a1d1c1ga2b2c2b−21

= a1c1ga2c2=KB

Based on the protocol 1 in the above, by using the technic in [30] one then can easily set up the following public key encryption protocol and digital signature protocol. Analogously, one also can set up correspondent public key application protocols based on our shielded key exchange protocol 2.

The shielded public key encryption protocol

Key generation:

Alice chooses a nonabelian groupG, an elementg∈G, two subgroupsA, B ofGsatisfyingab=ba

for anya∈Aand anyb∈B, and two elementsb1, b2∈A. Alice also chooses a collision free hash function

Θ :G→ {0,1}k _{where k is a positive integer large enough such that{0,1}}k _{can cover all the message.}

Alice publishes

(G, A, B, g,Θ)

as her public key. Alice’s private key is (b1, b2).

Letm∈ {0,1}k_{is the message which is going to be sent to Alice by Bob. Bob and then Alice processe}

the following encryption.

(1) Bob chooses four elementsc1, c2, d1, d2∈B, computesy=d1c1gc2d2, and then sends yto Alice.

(2) Alice chooses four elementsa1, a2, b3, b4∈A, computesx=b1a1ga2b2andz=b3a1ya2b4, and then

sends (x, z) to Bob.

(3) Bob chooses two elementsd3, d4∈B, computesw=d3c1xc2d4 andv =d−11zd

−1

2 , and then sends

(w, v) to Alice.

(4) Alice computesKA=b−31vb

−1

4 andu=b

−1 1 wb

−1

2 , and then sends uto Bob.

(5) Bob computes KB =d−31ud

−1

4 and t = Θ(KB)⊕m where ⊕ is theexclusive or operation. Bob

then sends tto Alice which is the ciphertext.

Decryption:

Alice recovers the messagem by computing Θ(KA)⊕t=m.

Proof of why the above decryption works: First we already haveKA=KB. Therefore,

Θ(KA)⊕t= Θ(KB)⊕Θ(KB)⊕m=m

The shield digital signature protocol

Let m ∈ {0,1}k _{be the document which is going to be signed by Alice. Alice then processes the}

following procedure.

Key generation:

Alice chooses a groupG, an elementg∈G, two subgroupsA, BofGsuch thatab=bafor anya∈A

and anyb∈B, and two elementsb1, b2∈A. Alice publishes

(G, A, B, g,Θ)

as her public key. Alice’s private key is (b1, b2).

Signing the documentm:

(1) Alice chooses two elementsa1, a2∈A, computesx=b1a1ga2b2, and then sends xto Bob.

(2) Bob chooses six elementsc1, c2, d1, d2, d3, d4∈B, computesy=d1c1gc2d2andw=d3c1xc2d4, and

then sends (y, w) to Alice.

(3) Alice chooses two elements b3, b4∈A, computesz=b3a1ya2b4 andu=b−11wb

−1

2 , and then sends

(z, u) to Bob.

(3) Bob computesv=d−₁1zd−₂1, and then sends vto Alice.

(4) Alice computese=b−₃1vb−₄1and sends Bob S= Θ(me).

Verification:

(1) Bob computese0 =d−₃1ud−₄1

(2) Bob computesS0 = Θ(me0).

(3) Bob acceptsS as a valid signature of Alice’s formifS0=S. Otherwise, he rejects it.

Proof of why the above verification works:

Since we already have known thate0=e, indeed thenS0 =S.

The shield Sibert-Dehornoy-Girault-like authentication protocol

Based on our shielded key exchange protocol 1 and the idea setting up an authentication protocol given by Sibertet al in [49] we then have the following authentication protocol. One also can obtain an analogous protocol based on our shielded key exchange protocol 2.

Here Alice is the prover and Bob the verifier.

Alice chooses a group G, an element g ∈ G, two subgroups A, B of G such that ab = ba for any a ∈ A and any b ∈ B, four elements a1, a2, b1, b2 ∈ A, and a collision free hash function

Θ : G → {0,1}k _{where k is a positive integer large enough such that {0,1}}k _{can cover all the}

message. Alice computesx=b1a1ga2b2. Alice publishes

(G, A, B, g, x,Θ)

as her public key. Alice’s private key is (b1, b2).

Authentication:

(1) Alice selects two elementc1, c2∈B, and sends Bob the commitmentz= Θ(c1a1ga2c2).

(2) Bob chooses a random bit hand sends it to Alice.

(3) Ifh= 0, then Alice computesu=b−₁1c1,v=c2b−21, and sends (u, v) to Bob and Bob checks if the

equalityz= Θ(uxv).

(4) If h= 1, then Alice computes u=c1a1, v =a2c2, and sends (u, v) to Bob and Bob checks if the

equalityz= Θ(ugv).

Proof of why the above verification works:

If Alice knowsa1, a2 and answers correctly, she is accepted by Bob: forh= 0, sinceb1, b2 commute

withc1, c2 respectively, we have

Θ(uxv) = Θ(b−₁1c1xc2b−21)

= Θ(b−₁1c1b1a1ga2b2c2b−21)

= Θ(c1a1ga2c2)

= z

While, forh= 1, sincev=cawe have

Θ(uxv) = Θ(a1c1ga2c2))

= Θ(c1a1gc2a2)

= z

One can see that if Alice want to cheat by sending a correct answer in both cases: in the caseh= 0, it suffices that Alice has to have gussied in advance that h= 0 and then had created the commitment

z= Θ(uxv) withu=c1 and v=c2; and in the caseh= 1, it suffices that Alice has to have gussied in

advance thath= 1 and then had created the commitment z= Θ(ugv) with u=c1 andv =c2. But a

cheater cannot choose his commitment so as to answer correctly in both cases: if he anticipatesh= 0, the probability of answering correctly forh= 1 is negligible, and, symmetrically, if he anticipatesh= 1, the probability of answering correctly forh= 0 is negligible. So, globally, a cheater has no more than 0.5 chance to be accepted. Thus, by repeating the exchangesl times, we can make the probability that a cheater be accepted as small as 1/2l.

3

Platform group and parameters

3.1

Braid groups

We suggest that the infinite nonabelian braid groups Bn withn≥12 can be taken as the platform

groups for the protocols in the above section whereBn is defined by the following presentation.

Definition 3.1 Then-th braid group has a presentation as the following:

whereσ1, σ1,· · ·, σn−1are called the Artin generators ofBn, and each element ofBnis called ann-braid.

For more details of the fundamental facts of Braid groups we refer the reader to [4, 15]. Denote B+

n the submonoid generated by σ1, σ1,· · ·, σn−1 and call each element of Bn+ a positive

braid. Let ∆n denoted the positive braid inductively defined by

∆1= 1, ∆2=σ1∆1,· · · ,∆i+1= (σ1· · ·σi)∆i, 1≤i≤n

In particular, ∆n is called the fundamental braids and denoted as ∆ := ∆n.

Foru, v∈Bnwe denotev≤wif and only if there exist positive braidsα, β∈Bn+such thatw=αvβ.

Obviously≤is a partial ordering relation on the set of all elements ofBn. An element α∈Bn is then

said to be a canonical factor ifα≤∆.

A factorizationγ =αβ of a positive braidγinto a canonical factor αand a positive braidβ is said to beleft-weightedif and only ifαhas the maximal length among all such decompositions. Similarly, one can define the idea of aright-weightedfactorization. For any braidω∈Bn, notation supω is the greatest i∈Zwith ∆i≤ω, and the notation infω is the smallesti∈Zwith ω≤∆i. Now, every braidα∈Bn

can be written uniquely as

α= ∆rW1· · ·Ws

wherer= infω, s= supω−infω and each Wi are canonical factors such that WiWi+1 is left-weighted

for 1≤i < s (see [20, 16, 30]). This expression ofαin the above is called the ∆-normal formofαwith

canonical lengths. There are three facts [30] (also see [17, 16]) about the computation complexities of ∆-normals ofn-braids.

• Let αbe a word on{σ1, σ2,· · ·, σn−1} with word lengthl. Then the ∆-normal form ofαcan be

computed in time O(l2_nlogn).

• Letα= ∆rW1· · ·Wpandγ= ∆tU1· · ·Uqbe the ∆-normal forms ofn-braidsαandγ, respectively.

Then one can compute the ∆-normal form ofαγ in time O(pqnlogn).

• If ∆rW1· · ·Wpis the ∆-normal form of ann-braidα, then one can compute the ∆-normal ofα−1

in time O(pn).

Given a braid groupBn, let

LBn=hσ1, σ2, . . . , σbn

2c−1i

and

RBn=hσbn

2c+1, σb

n

2c+2, . . . , σn−1i

be the subgroups ofBn generated by{σ1, σ2, . . . , σbn

2c−1} and{σb

n

2c+1, σb

n

2c+2, . . . , σn−1}, respectively.

Then by the definition ofBn, we haveab=bafor any a∈LBn and any b∈RBn. We callLBn theleft

half subgroupofBn andRBn theright half subgroupofBn.

For a braid groupBnwithn≥6, by a result of Collins [12] there is a subgroup ofBnof the following

form

Gi=hσi2, σ

2

i+1, σ 2

i+3, σ 2

i+4i, 1≤i≤n−5

such thatGi is isomorphic to the direct product F2×F2withF2 the free group of rank 2.

3.2

Presentations of Mihailova subgroups of

B

n

Since the group H defined by Presentation C in [53] is generated by two elements t, u and the the subgroups

Gi=hσi2, σ

2

i+1, σ 2

i+3, σ 2

i+4i, 1≤i≤n−5

ofBn withn≥6 in§3.1 is isomorphic to the group F2×F2, we now can apply Theorem 3.3 of [53] to

present an explicit countable presentation for Mihailova subgroupMGi(H) ofGi. To do so we introduce

some notations as follows.

If a relationRj in Presentation D in [53] is of the form

Rj :R

(l)

j (u, t) =R

(r)

with bothR(_jl)(u, t) andR_j(r)(u, t) being words on the set{u, t, u−1_{, t}−1_{}then we denote}

Sij = (R

(r)

j (σ

2

i, σ

2

i+1))− 1_R(l)

j (σ

2

i, σ

2

i+1)

by replacing all occurrences ofuwithσ_i2 and all occurrences oftwithσ2_i+1, and denote

Tij = (R

(r)

j (σ

2

i+3, σi2+4))−1R (l)

j (σ

2

i+3, σi2+4)

by replacing all occurrences ofuwithσ2

i+3 and all occurrences oftwithσ2i+4.

In Theorem 1.1 of [6], we let k = 2 and φ be the isomorphism sending the groupF2×F2 with F2

generated by (x1, x2) to the subgroupGi with 1≤i≤n−5 andn≥6 defined by

φ: (x1,1)7→σi2, (x2,1)7→σi2+1, (1, x1)7→σ2i+3, (1, x2)7→σi2+4

Therefore, the generators of the presentation in Presentation D of [53] ared1=σi2σ2i+3,d2=σi2+1σ2i+4,

1Tij=Tij, and 1Sij =Sij, j= 1,2,· · ·,27.

Clearly, one can check that root(Sij) =Sij and root(Tij) =Tij,j = 1,2,· · ·,27. Thus, by replacing

each occurrence ofuwithσ2

iσi2+3 and each occurrence oftwithσi2+1σi2+4 of eachRj we then have

rij = (R

(r)

j (σ

2

iσ

2

i+3, σ 2

i+1σ 2

i+4))

−1_R(l)

j (σ

2

iσ

2

i+3, σ 2

i+1σ 2

i+3), j= 1,2,· · ·,27

whererij is defined asri in the the presentation given in Theorem 1.1 [6].

Finally, by Theorem 1.1 [6] we then have an explicit countable presentation with 56 generators for Mihailova subgroupMGi(H) ofBn withn≥6 as the following.

Presentation D

56 generators:

σ2_iσ2_i+3, σ_i2₊₁σ_i2₊₄, Sij, Tij, j= 1,2,· · · ,27

Countable number of relators:

S_ij−1(δ−1S_ik−1r_ik−1δ)−1Sij(δ−1S_ik−1r_ik−1δ), Tj−1(δ

−1_S−1

ikr

−1

ik δ)

−1_T

j(δ−1S_ik−1r−_ik1δ)

S_ij−1(δ−1T_ik−1r_ik−1δ)−1Sij(δ−1Tik−1r

−1

ik δ), T

−1

ij (δ

−1_T−1

ik r

−1

ikδ)

−1_T

ij(δ−1Tik−1r

−1

ik δ)

T_ij−1r−_ij1Tijrij, Sij−1r

−1

ij Sijrij, j, k= 1,2,· · · ,27

whereδ∈ hσ2_i, σ_i2₊₁i ∪ hσ2_i+3, σ_i2₊₄i.

For being used in setting up a public cryptograph mechanism in the following sections we give the details of the descriptions of all the generatorsSij, j = 1,2,· · ·,27 in Presentation D as follows. We

point out that one can obtain all the descriptions of generatorsTij in Presentation D by replacing all

occurrences ofσ2

i withσi2+3 and all occurrences ofσ2i+1 withσi2+4 inSij,j= 1,2,· · · ,27.

Si1: (σ2iσ

2

i+1σ

−2

i σ

2

i+1σ 4

iσ

−2

i+1σ

−2

i σ

−2

i+1σ 2

iσ

2

i+1σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

12

i+1)− 1

σ_i−₊₁12σ2_iσ_i2₊₁σ_i−2σ_i14₊₁σ4_iσ_i−₊₁14σ−_i 2σ−_i+12σ_i2σ_i14₊₁(σ−_i 4σ−_i+114σ2_iσ2_i+1σ_i−2σ_i14₊₁σ_i4σ−_i+114σ−_i 2σ_i−₊₁2σ2_iσ_i14₊₁)9

σ_i−4σ−_i+12σ_i2σ_i2₊₁σ−_i 2σ_i2₊₁σ_i4σ_i−₊₁2σ_i−2σ_i−₊₁2σ2_i

Si2: (σ2iσ2i+1σ

−2

i σ

4

i+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σ 2

iσ4i+1σ

−4

i σ

−14

i+1σ 2

iσ2i+1σ

−2

i σ

14

i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσi10+1)−1

σ−_i+110σ2

iσi2+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1(σ− 4

i σ

−14

i+1σ 2

iσ2i+1σ− 2

i σ

14

i+1σi4σ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1)9

σ−_i4σ−_i+14σ2

iσi2+1σ− 2

i σ

4

i+1σi4σ−

4

i+1σ

−2

i σ

−2

i+1σ 2

i

Si3: (σ2iσ2i+1σ

−2

i σi6+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σi2σ6i+1σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ2iσi8+1)−1

σ−_i+18σ2

iσ2i+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ2iσ14i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1)9

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2i

Si4: (σ2iσ

2

i+1σ

−2

i σ

8

i+1σ 4

iσ

−8

i+1σ

−2

i σ

−2

i+1σ 2

iσ

8

i+1σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

6

σ−_i+16σ2

iσ2i+1σ− 2

i σ

14

i+1σi4σ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσ14i+1(σ− 4

i σ

−14

i+1σ 2

iσi2+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1)9

σ−_i4σ−_i+18σ2

iσi2+1σ− 2

i σ

8

i+1σi4σ−

8

i+1σ

−2

i σ

−2

i+1σ 2

i

Si5: (σ2iσ2i+1σ

−2

i σi10+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σ2iσi10+1σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σi2σ4i+1)−1

σ−_i+14σ2

iσ2i+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ2iσ14i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1)9

σ−_i4σ−_i+110σ2

iσi2+1σ

−2

i σi10+1σ4iσ

−10

i+1σ

−2

i σ

−2

i+1σ2i

Si6: (σ2iσ

2

i+1σ

−2

i σ

2

i+1σ 4

iσ

−2

i+1σ

−2

i σ

−2

i+1σ 2

iσ

2

i+1(σ

−4

i σ

−16

i+1σ 2

iσ

2

i+1σ

−2

i σ

16

i+1σ 4

iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσ

16

i+1) 9

σ−_i4σ−_i+116σ2_iσ_i2₊₁σ_i−2σ_i16₊₁σ4_iσ−_i+116σ−_i 2σ−_i+12σ2_iσ_i14₊₁)−1

σ−_i+114σ2_iσ_i2₊₁σ_i−2σ_i16₊₁σ_i4σ−_i+116σ−_i 2σ_i−₊₁2σ_i2σ_i16₊₁σ−_i 4σ−_i+12σ_i2σ_i2₊₁σ_i−2σ_i2₊₁σ4_iσ−_i+12σ_i−2σ_i−₊₁2σ2_i

Si7: (σ2iσ4i+1σ

−2

i σ

4

i+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σ 2

iσ4i+1(σ

−4

i σ

−16

i+1σ 2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1)9

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi12+1)−1

σ−_i+112σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1σ

−4

i σ

−2

i+1σ 2

iσi2+1σ

−2

i σ

2

i+1σ4iσ

−2

i+1σ

−2

i σ

−2

i+1σ 2

i

Si8: (σ2iσ6i+1σ

−2

i σi6+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σi2σ6i+1(σ

−4

i σ

−16

i+1σ2iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)9

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ2iσi10+1)−1

σ−_i+110σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1σ

−4

i σ

−2

i+1σ2iσi2+1σ

−2

i σi2+1σ4iσ

−2

i+1σ

−2

i σ

−2

i+1σ2i Si9: (σ2iσ8i+1σ−

2

i σ

8

i+1σi4σ−

8

i+1σ

−2

i σ

−2

i+1σ 2

iσ2i+1(σ− 4

i σ

−16

i+1σ 2

iσi2+1σ− 2

i σ

16

i+1σ4iσ−

16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1)9

σ−_i4σ−_i+116σ2_iσ_i2₊₁σ_i−2σ_i16₊₁σ4_iσ−_i+116σ−_i 2σ−_i+12σ2_iσ_i8₊₁)−1

σ−_i+18σ_i2σ_i2₊₁σ−_i2σ16_i+1σ_i4σ_i−₊₁16σ_i−2σ_i−₊₁2σ2_iσ16_i+1σ_i−4σ−_i+12σ_i2σ2_i+1σ−_i2σ_i2₊₁σ_i4σ_i−₊₁2σ_i−2σ−_i+12σ2_i

Si,10: (σi2σi10+1σ

−2

i σ10i+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σi2σ2i+1(σ

−4

i σ

−16

i+1σ2iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)9

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ2iσi6+1)−1

σ−_i+16σ2

iσ2i+1σ

−2

i σ16i+1σi4σ

−16

i+1σ

−2

i σ

−2

i+1σ2iσ16i+1σ

−4

i σ

−2

i+1σi2σ2i+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σ2i

Si,11: (σi2σ

2

i+1σ

−2

i σ

2

i+1σ 4

iσ

−2

i+1σ

−2

i σ

−2

i+1σ 2

iσ

2

i+1σ

−4

i σ

−18

i+1σ 2

iσ

2

i+1σ

−2

i σ

18

i+1σ 4

iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ

16

i+1)− 1

σ−_i+116σ2_iσ_i2₊₁σ_i−2σ_i18₊₁σ_i4σ−_i+118σ−_i 2σ_i−₊₁2σ_i2σ_i18₊₁σ−_i 4σ−_i+12σ_i2σ_i2₊₁σ_i−2σ_i2₊₁σ4_iσ−_i+12σ_i−2σ_i−₊₁2σ2_i

Si,12: (σi2σi2+1σ

−2

i σ

4

i+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σ 2

iσi4+1σ

−4

i σ

−18

i+1σ 2

iσi2+1σ

−2

i σ

18

i+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ14i+1)−1

σ−_i+114σ2

iσi2+1σ

−2

i σ

18

i+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσi18+1σ

−4

i σ

−4

i+1σ 2

iσi2+1σ

−2

i σ

4

i+1σ4iσ

−4

i+1σ

−2

i σ

−2

i+1σ 2

i

Si,13: (σi2σi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−18

i+1σi2σi2+1σ

−2

i σ18i+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σi2σ12i+1)−1

σ−_i+112σ2

iσi2+1σ

−2

i σi18+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σi2σi18+1σ

−4

i σ

−6

i+1σ2iσi2+1σ

−2

i σi6+1σ4iσ

−6

i+1σ

−2

i σ

−2

i+1σ2i Si,14: (σi2σi2+1σ−

2

i σ

8

i+1σi4σ−

8

i+1σ

−2

i σ

−2

i+1σ 2

iσi8+1σ− 4

i σ

−18

i+1σ 2

iσi2+1σ− 2

i σ

18

i+1σi4σ−

18

i+1σ

−2

i σ

−2

i+1σ 2

iσ10i+1)−1

σ−_i+110σ2_iσ_i2₊₁σ_i−2σ_i18₊₁σ_i4σ−_i+118σ−_i 2σ_i−₊₁2σ_i2σ_i18₊₁σ−_i 4σ−_i+18σ_i2σ_i2₊₁σ_i−2σ_i8₊₁σ4_iσ−_i+18σ_i−2σ_i−₊₁2σ2_i

Si,15: (σi2σi2+1σ

−2

i σ10i+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σi2σ10i+1σ

−4

i σ

−18

i+1σ2iσ2i+1σ

−2

i σi18+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σ2iσi8+1)−1

σ−_i+18σ2

iσ2i+1σ

−2

i σ18i+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σi2σ18i+1σ

−4

i σ

−10

i+1σ2iσi2+1σ

−2

i σi10+1σ4iσ

−10

i+1σ

−2

i σ

−2

i+1σi2

Si,16: (σi−+16σ 2

iσ

2

i+1σ

−2

i σ

20

i+1σ 4

iσ

−20

i+1σ

−2

i σ

−2

i+1σ 2

iσ

20

i+1σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

i)−

1

σ_i2σ_i2₊₁σ_i−2σ_i14₊₁σ4_iσ_i−₊₁14σ−_i2σ_i−₊₁2σ_i2σ_i14₊₁σ−_i 4σ−_i+120σ2_iσ2_i+1σ_i−2σ_i20₊₁σ_i4σ−_i+120σ_i−2σ_i−₊₁2σ2_iσ6_i+1

Si,17: (σi−+14σ2iσ2i+1σ

−2

i σi20+1σi4σ

−20

i+1σ

−2

i σ

−2

i+1σ2iσ20i+1σ

−4

i σ

−16

i+1σi2σi2+1σ

−2

i σ16i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2)−1 σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1σ

−4

i σ

−20

i+1σ 2

iσ2i+1σ

−2

i σ

20

i+1σi4σ

−20

i+1σ

−2

i σ

−2

i+1σ 2

iσ4i+1

Si,18: (σi−4σ

−12

i+1σ 2

iσ

2

i+1σ

−2

i σ

12

i+1σ 4

iσ

−12

i+1σ

−2

i σ

−2

i+1σ 2

iσ

10

i+1σ

−2

i σ

2

i+1σ 2

iσ

2

i+1σ

−4

i σ

−2

i+1σ 2

iσ

−2

i+1σ

−2

i σ

2

i+1σ 4

i σ−_i+12σ_i−2σ2

i+1σ2iσ2i+1σ

−4

i σ

−2

i+1σi2σ

−2

i+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ2i+1σi2σi2+1σ

−4

i σ

−2

i+1σ2iσ

−2

i+1σ

−2

i σ

−18

i+1σi2 σ2

i+1σ

−2

i σi20+1σ4iσ

−20

i+1σ

−2

i σ

−2

i+1σ2iσi20+1(σ

−4

i σ

−2

i+1σ2iσi2+1σ

−2

i σi2+1σ4iσ

−2

i+1σ

−2

i σ

−2

i+1σ2iσ2i+1)2

σ−_i4σ−_i+12σ2

iσi2+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σ2i)−1

(σ_i−4σ_i−₊₁2σ2

iσ2i+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σi2σi2+1)−2σ

−2

i+1σ

−2

i σ2i+1σi2σ2i+1σ

−4

i σ

−2

i+1σi2σ

−2

i+1σ

−2

i σ

−18

i+1σi2 σ2

i+1σ

−2

i σi20+1σ4iσ

−20

i+1σ

−2

i σ

−2

i+1σ2iσi20+1(σ

−4

i σ

−2

i+1σ2iσi2+1σ

−2

i σi2+1σ4iσ

−2

i+1σ

−2

i σ

−2

i+1σ2iσ2i+1)3

σ−_i4σ−_i+112σ2

iσi2+1σ

−2

i σi12+1σ4iσ

−12

i+1σ

−2

i σ

−2

i+1σ2iσi10+1

Si,19: (σi−+14σ 2

iσ

2

i+1σ

−2

i σ

18

i+1σ 4

iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ

18

i+1σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

14

i+1

σ−_i4σ−_i+116σ2

iσi2+1σ− 2

i σ

16

i+1σ4iσ−

16

i+1σ

−2

i σ

−2

i+1σ 2

i)−1 σ2

iσi2+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1σ− 4

i σ

−2

i+1σ 2

iσi2+1σ− 2

i σ

2

i+1σ4iσ−

2

i+1σ

−2

i σ

−2

i+1σ 2

iσ2i+1

σ−_i4σ−_i+16σ2

iσi2+1σ− 2

i σ

6

i+1σi4σ−

6

i+1σ

−2

i σ

−2

i+1σ 2

iσi6+1σ− 4

i σ

−16

i+1σ 2

iσi2+1σ− 2

i σ

16

i+1σi4σ−

16

i+1σ

−2

i σ

−2

i+1σ 2

iσ16i+1

σ−_i4σ−_i+118σ2_iσ_i2₊₁σ_i−2σ_i18₊₁σ4_iσ−_i+118σ−_i 2σ−_i+12σ2_iσ_i2₊₁

Si,20: (σi−+14σ2iσ2i+1σ

−2

i σi18+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ2iσ18i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σi2σ14i+1)2

σ−_i4σ−_i+18σ2

iσi2+1σ

−2

i σ8i+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σ2iσi8+1σ

−4

i σ

−2

i+1σ2iσ2i+1σ

−2

i σi2+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σi2σi2+1

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ2iσi16+1σ

−4

i σ

−16

i+1σi2σ2i+1σ

−2

i σ16i+1σi4σ

−16

i+1σ

−2

i σ

−2

i+1σ2i)−1 σ2

iσi2+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ2iσ14i+1

σ−_i4σ−_i+12σ2

iσi2+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σ2iσi2+1σ

−4

i σ

−8

i+1σ2iσ2i+1σ

−2

i σi8+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σi2σi8+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1)2σ

−4

i σ

−18

i+1σ 2

iσi2+1σ

−2

i σ

18

i+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσi2+1

Si,21: (σi−+14σ 2

iσ

2

i+1σ

−2

i σ

18

i+1σ 4

iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ

18

i+1(σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

14

i+1) 3

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−4

i+1σ2iσ2i+1σ

−2

i σi4+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σi2σi4+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)2σ

−4

i σ

−16

i+1σi2σi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2)−1 σ2

iσi2+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1(σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σ2iσi14+1)2

σ−_i4σ−_i+14σ2

iσi2+1σ

−2

i σ4i+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σ2iσi4+1σ

−4

i σ

−6

i+1σ2iσ2i+1σ

−2

i σi6+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σi2σi6+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)3σ

−4

i σ

−18

i+1σi2σi2+1σ

−2

i σi18+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σi2σi2+1

Si,22: (σi−+14σ 2

iσ

2

i+1σ

−2

i σ

18

i+1σ 4

iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ

18

i+1(σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

14

i+1) 4

σ−_i4σ−_i+18σ_i2σ_i2₊₁σ−_i 2σ8_i+1σ_i4σ_i−₊₁8σ−_i 2σ_i−₊₁2σ2_iσ_i8₊₁σ_i−4σ_i−₊₁4σ2_iσ2_i+1σ_i−2σ_i4₊₁σ_i4σ−_i+14σ_i−2σ−_i+12σ_i2σ_i4₊₁

(σ_i−4σ_i−₊₁16σ_i2σ_i2₊₁σ−_i 2σ_i16₊₁σ4_iσ_i−₊₁16σ−_i2σ−_i+12σ_i2σ_i16₊₁)3σ_i−4σ_i−₊₁16σ_i2σ_i2₊₁σ−_i 2σ_i16₊₁σ4_iσ_i−₊₁16σ_i−2σ−_i+12σ_i2)−1

σ2_iσ_i2₊₁σ−_i 2σ_i14₊₁σ4_iσ_i−₊₁14σ−_i2σ−_i+12σ_i2σ_i14₊₁(σ−_i4σ_i−₊₁14σ2_iσ2_i+1σ_i−2σ_i14₊₁σ4_iσ_i−₊₁14σ−_i 2σ_i−₊₁2σ2_iσ_i14₊₁)3

σ−_i4σ−_i+14σ_i2σ_i2₊₁σ−_i 2σ4_i+1σ_i4σ_i−₊₁4σ−_i 2σ_i−₊₁2σ2_iσ_i4₊₁σ_i−4σ_i−₊₁8σ2_iσ2_i+1σ_i−2σ_i8₊₁σ_i4σ−_i+18σ_i−2σ−_i+12σ_i2σ_i8₊₁

(σ_i−4σ_i−₊₁16σ_i2σ_i2₊₁σ−_i 2σ_i16₊₁σ4_iσ_i−₊₁16σ−_i2σ−_i+12σ_i2σ_i16₊₁)4σ_i−4σ_i−₊₁18σ_i2σ_i2₊₁σ−_i 2σ_i18₊₁σ4_iσ_i−₊₁18σ−_i2σ−_i+12σ_i2σ_i2₊₁

Si,23: (σi−+14σ 2

iσ2i+1σ

−2

i σ

18

i+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ18i+1(σ

−4

i σ

−14

i+1σ 2

iσi2+1σ

−2

i σ

14

i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ14i+1)5

σ−_i4σ−_i+110σ2

iσi2+1σ

−2

i σ

10

i+1σ4iσ

−10

i+1σ

−2

i σ

−2

i+1σ 2

iσi10+1σ

−4

i σ

−6

i+1σ 2

iσi2+1σ

−2

i σ

6

i+1σ4iσ

−6

i+1σ

−2

i σ

−2

i+1σ 2

iσ6i+1

σ−_i4σ−_i+12σ2

iσi2+1σ

−2

i σ

2

i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σ 2

iσi2+1(σ

−4

i σ

−16

i+1σ 2

iσ2i+1σ

−2

i σ

16

i+1σi4σ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσ16i+1)4

σ−_i4σ−_i+116σ2

iσi2+1σ− 2

i σ

16

i+1σ4iσ−

16

i+1σ

−2

i σ

−2

i+1σ 2

i)−1 σ2

iσi2+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1(σ− 4

i σ

−14

i+1σ 2

iσ2i+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1)4

σ−_i4σ−_i+16σ2

iσi2+1σ− 2

i σ

6

i+1σi4σ−

6

i+1σ

−2

i σ

−2

i+1σ 2

iσi6+1σ− 4

i σ

−10

i+1σ 2

iσi2+1σ− 2

i σ

10

i+1σi4σ−

10

i+1σ

−2

i σ

−2

i+1σ 2

iσ10i+1

(σ_i−4σ_i−₊₁16σ_i2σ_i2₊₁σ−_i 2σ_i16₊₁σ4_iσ_i−₊₁16σ−_i2σ−_i+12σ_i2σ_i16₊₁)5σ_i−4σ_i−₊₁18σ_i2σ_i2₊₁σ−_i 2σ_i18₊₁σ4_iσ_i−₊₁18σ−_i2σ−_i+12σ_i2σ_i2₊₁

Si,24: (σi−+14σ2iσ2i+1σ

−2

i σi18+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ2iσ18i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σi2σ14i+1)6

σ−_i4σ−_i+110σ2

iσi2+1σ

−2

i σi10+1σ4iσ

−10

i+1σ

−2

i σ

−2

i+1σ2iσi10+1σ

−4

i σ

−8

i+1σ2iσi2+1σ

−2

i σi8+1σ4iσ

−8

i+1σ

−2

i σ

−2

i+1σi2σ8i+1

σ−_i4σ−_i+14σ2

iσi2+1σ

−2

i σ4i+1σi4σ

−4

i+1σ

−2

i σ

−2

i+1σ2iσi4+1(σ

−4

i σ

−16

i+1σi2σ2i+1σ

−2

i σ16i+1σi4σ

−16

i+1σ

−2

i σ

−2

i+1σ2iσ16i+1)5

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ2i)−1 σ2

iσi2+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1(σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σ2iσi14+1)5

σ−_i4σ−_i+18σ2

iσi2+1σ

−2

i σ

8

i+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σ 2

iσi8+1σ

−4

i σ

−10

i+1σ 2

iσi2+1σ

−2

i σ

10

i+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σ 2

iσ10i+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1)6σ

−4

i σ

−18

i+1σ 2

iσi2+1σ

−2

i σ

18

i+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσi2+1

Si,25: (σi−+14σ2iσ2i+1σ

−2

i σ18i+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ2iσ18i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σi2σ14i+1)7

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−8

i+1σ2iσ2i+1σ

−2

i σi8+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σi2σi8+1

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−10

i+1σi2σi2+1σ

−2

i σ10i+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σi2σ10i+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)6σ

−4

i σ

−16

i+1σi2σi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2)−1 σ2

iσi2+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1(σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σ2iσi14+1)6

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−8

i+1σ2iσ2i+1σ

−2

i σi8+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σi2σi8+1

σ−_i4σ−_i+16σ2

iσi2+1σ

−2

i σ6i+1σi4σ

−6

i+1σ

−2

i σ

−2

i+1σ2iσi6+1σ

−4

i σ

−10

i+1σi2σi2+1σ

−2

i σ10i+1σi4σ

−10

i+1σ

−2

i σ

−2

i+1σi2σ10i+1

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)7σ

−4

i σ

−18

i+1σi2σi2+1σ

−2

i σi18+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σi2σi2+1

Si,26: (σi−+14σ 2

iσ

2

i+1σ

−2

i σ

18

i+1σ 4

iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσ

18

i+1(σ

−4

i σ

−14

i+1σ 2

iσ

2

i+1σ

−2

i σ

14

i+1σ 4

iσ

−14

i+1σ

−2

i σ

−2

i+1σ 2

iσ

14

i+1) 8

σ−_i4σ−_i+116σ2

iσi2+1σ− 2

i σ

16

i+1σ4iσ−

16

i+1σ

−2

i σ

−2

i+1σ 2

i)−1 σ2

iσi2+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1(σ− 4

i σ

−14

i+1σ 2

iσ2i+1σ− 2

i σ

14

i+1σ4iσ−

14

i+1σ

−2

i σ

−2

i+1σ 2

iσi14+1)7

σ−_i4σ−_i+16σ2

iσi2+1σ− 2

i σ

6

i+1σi4σ−

6

i+1σ

−2

i σ

−2

i+1σ 2

iσi6+1(σ− 4

i σ

−2

i+1σ 2

iσi2+1σ− 2

i σ

2

i+1σ4iσ−

2

i+1σ

−2

i σ

−2

i+1σ 2

iσ2i+1)3

(σ_i−4σ_i−₊₁16σ_i2σ_i2₊₁σ−_i 2σ_i16₊₁σ4_iσ_i−₊₁16σ−_i2σ−_i+12σ_i2σ_i16₊₁)8σ_i−4σ_i−₊₁18σ_i2σ_i2₊₁σ−_i 2σ_i18₊₁σ4_iσ_i−₊₁18σ−_i2σ−_i+12σ_i2σ_i2₊₁

Si,27: (σi−+14σ2iσ2i+1σ

−2

i σi18+1σi4σ

−18

i+1σ

−2

i σ

−2

i+1σ2iσ18i+1(σ

−4

i σ

−14

i+1σi2σi2+1σ

−2

i σ14i+1σi4σ

−14

i+1σ

−2

i σ

−2

i+1σi2σ14i+1)9

(σ_i−4σ_i−₊₁2σ2

iσ2i+1σ

−2

i σ2i+1σi4σ

−2

i+1σ

−2

i σ

−2

i+1σi2σi2+1)3(σ

−4

i σ

−16

i+1σi2σi2+1σ

−2

i σ16i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σi2σi16+1)8

σ−_i4σ−_i+116σ2

iσi2+1σ

−2

i σi16+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ2i)−1 σ2

iσi2+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σi2σi14+1(σ

−4

i σ

−14

i+1σ2iσ2i+1σ

−2

i σi14+1σ4iσ

−14

i+1σ

−2

i σ

−2

i+1σ2iσi14+1)8

σ−_i4σ−_i+18σ2

iσi2+1σ

−2

i σ8i+1σi4σ

−8

i+1σ

−2

i σ

−2

i+1σ2iσi8+1(σ

−4

i σ

−2

i+1σ2iσi2+1σ

−2

i σi2+1σ4iσ

−2

i+1σ

−2

i σ

−2

i+1σi2σ2i+1)3

(σ_i−4σ_i−₊₁16σ2

iσi2+1σ

−2

i σ

16

i+1σ4iσ

−16

i+1σ

−2

i σ

−2

i+1σ 2

iσi16+1)9σ

−4

i σ

−18

i+1σ 2

iσi2+1σ

−2

i σ

18

i+1σ4iσ

−18

i+1σ

−2

i σ

−2

i+1σ 2

iσi2+1

Now, since the word problem of the group G defined by Presentation C is unsolvable, Mihailova’s theorem[38] implies the following conclusion.

Theorem 3.2 The membership problem for Mihailova subgroupsMGi(H) ofBn withn≥6 are

unsolv-able.

Forn≥12, one can see that Mihailova subgroupMGbn

2c−5

(H) ofBnis also a subgroup of the left half

subgroupLBn, and Mihailova subgroupMGbn₂c+1(H) ofBnis also a subgroup of the right half subgroup

RBn.

3.3

Requirements

We suggest that in the application of our proposed protocols in§2 the platform groupGis chosen to be a braid groupBn withn≥12, and the subgroupsA andB ofGin the protocols is chosen to be the

left half subgroupLBnand the right half subgroupRBn ofBn, respectively. Furthermore, there are two

strategies of elements choosing as follows.

Strategy 1

The elements a1, a2, b1, b2, b3, b4 are chosen from LBn, and the elements c1, c2, d1, d2, d3, d4 are

chosen fromRBn.

Strategy 2

(1) The elements a1, a2, b3, b4 are chosen from LBn, and the elements c1, c2, d3, d4 are chosen from

RBn.

(2) The elementsb1, b2should be chosen from the Mihailova subgroupMGbn₂c−5(H), and the elements

d1, d2 should be chosen from the Mihailova subgroupMGbn

2c+1

(H).

4

The security analysis

We first point out that in the application of Shpilrain and Ushakov’s Ko-Lee-like protocol if Alice and Bob agree on the braid groupBn withn≥12, and subgroupsAandB ofBn in the protocols being

chosen to be the Mihailova subgroupMGbn

2c−5

(H) and the Mihailova subgroupMGbn

2c+1

(H), respectively. Thus Alice’s private keys area1∈MG_bn

2c−5

(H) andb1∈MG_bn

2c+1

(H), and Bob’s private keys area2∈

MGbn

2c−5(H) andb2∈MGbn2c+1(H). However, its not necessary for the attacker to solve the membership

problem and decomposition problem to find elements a0 ∈∈ MG_bn

2c−5

(H) and b0 ∈ MG_bn

2c+1

(H) such thata0_gb0_=a

1gb1 to obtain the shared key by computinga0yb0 =a0b2ga2b0 =b2a0gb0a2=b2a1gb1a2=k,

since it is sufficient for her to attack the shared key by just solving the decomposition problem to find

a0 ∈LBn andb0∈RBn such thata0gb0=a1gb1 and then obviously she also can obtain the shared key.

The security of Strategy 1 of key exchange protocol 1

First, in the exchange procedure of the protocol what the attacker Eve can have would be the braid groupBn, two subgroups LBn, RBn ofBn, and the following elements ofBn

g, x, y, z, w, u, v

where

x=b1a1ga2b2, y=d1c1gc2d2, z=b3a1d1c1gc2d2a2b4, w=d3c1b1a1ga2b2c2d4

and

u=d3c1a1ga2c2d4=b−11wb

−1

2 , v=b3a1c1gc2a2b4=d−11zd

−1 2

Therefore, to attack the shared key Eve has to get rid of the shieldsb1 and b2 in xto have the element

a1ga2 as well as the shieldsd1 and d2 in y to have the element c1gc2. Then she would try to solve the

decomposition problem by finding elementsa0₁, a0₂inLBnandc01, c20 inRBnsuch thata01ga02=a1ga2and

c0₁gc0₂=c1gc2. Followed therefore she can obtain the shared key by computing

a0₁c0₁gc0₂a0₂=a₁0c1gc2b02=c1a01ga

0

2c2=c1a1ga2c2=KA=KB

Clearly, for the pair (g, x) of elementsg andx, what Eve is capable do is to solve the decomposition problem by finding elements h1, h2 ∈ LBn such that h1gh2 = b1a1ga2b2 = x. However, she couldn’t

guaranty that h1 =b1a1 and h2 = a2b2. Even though in the case that she does have h1 = b1a1 and

h2 = a2b2, she clearly has no way to factorize them to obtain elements a1, b1, a2, and b2. So, she

couldn’t have the elementa1ga2 from the equationh1gh2=b1a1ga2b2=x. Similarly, Eve also couldn’t

do anything over element pairs (y, g), (z, y), and (w, x).

Therefore, for Eve to launch the attack she may have to solve the decomposition problem with the elements pairs (w, u), and (z, v) with relationsw=b1ub2 andz=d1vd2.

One can check that among all known attacks on the Braid based public key protocols there are three cryptanalysis methods of solving decomposition problem in braid groups: the Burau representation attack in [35], the Lawrence-Krammer representation attack in [10], and the length based attack in [39]. However, by using one of these methods, what the attacker Eve at most can do is only capable of finding elementsb0₁, b0₂∈LBn andd01, d02∈RBn such that b01ub02=b1ub2=wandd10vd02=d1vd2=z. However,

in most cases, there are infinitely many such pair of elements b0₁, b0₂ ∈ LBn and d01, d02 ∈ RBn. For

example, letn= 2m≥12, g be an element ofGrepresented byσm, a1, a2 be elements of the subgroup

ofLBn generated byσ1, σ2, and b01, b02∈LBn be such a pair with b01ub02=w. Then for any integerl the

elementb0 represented byσl4, the pair of elementsb01b0, b−01b02∈LBn are also satisfying

b0₁b0ub−01b

0

2=b

0

1b0d3c1a1ga2c2d4b−01b

0

2=b

0

1d3c1a1ga2c2d4b0b−01b

0

2=b

0

1d3c1a1ga2c2d4b02b

0

1ub

0

2=w

sinceb0 commutes with d3, c1, a1, g, a2, c2, d4. Therefore, Eve must verify ifb10 =b1, b02 = b2, d01 =d1,

andd02=d2 since these equalities are what Eve has to have for her to get rid of the shields in xandy.

Obviously Eve has no way to do the verifications.

The security of Strategy 2 of key exchange protocol 1In case the quantum computation systems come to reality, we suggest that one takes the consideration of using Strategy 2 since in the analysis above, after the attacker Eve has found elementsb0₁, b0₂∈LBn and d01, d02∈RBn such thatb01ub02 =b1ub2=w

and d0₁vd0₂ = d1vd2 = z, she must verify if b01 =b1, b02 = b2, d01 =d1, and d02 = d2. Hence she must

solve the membership problem to decide ifb0₁, b0₂ are elements ofMGbn

2c−5

(H) and if d0₁, d0₂ are elements of MGbn₂c+1(H). These are definitely impossible since the two subgroups enjoy unsolvable subgroup

membership problem and hence the protocol is secured against the quantum computational attack.

References

[1] I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography. Math. Res. Lett. 6(1999), 287-291.

[3] I. Anshel, M. Anshel, D. Goldfeld, Non-abelian key agreement protocols, Discrete Appl. Math., 130(2003), 3C12.

[4] J. S. Birman, Braids links and mapping class groups, Annals of Math. Study 82, Princeton University Press, 1974.

[5] W. W. Boone, The word problem, Annals of Mathematics, 70(2)(1959), 207-265.

[6] O. Bogopolski, and E. Ventura, A recursive presentation for Mihailova’s subgroup, Groups, Geome-try, and Dynamics, 4(3)(2010), 407-417.

[7] V.V. Borisov, Simple examples of groups with unsolvable word problems, Math. Notes, 6(1969), 768-775 (Mat. Zametki, 6(1969), 521-532, in Russian).

[8] G.S. CIJTIN, An associative calculus with an insoluble problem of equivalence, Trudy Mat. Inst. Steklov, 52 (1957), 172-189.

[9] J. C. Cha, K.H. Ko, S. Lee, J.W. Han, J.H. Cheon, An efficient implementation of braid groups, in BOYD C. (ED.): Advances in Cryptology, ASIACRYPT 2001, Gold Coast, Australia, 9-13 December 2001, (LNCS, 2248), 144-156.

[10] J. H. Cheon and B. Jun, A polynomial time algorithm for the braid Diffie-Hellman conjugacy prob-lem, in BONEH D. (ED.): Advances in Cryptology-CRYPTO 2003, Santa Barbara, CA, USA, 17-21 August 2003, (LNCS, 2729), 212-225.

[11] M. Chiswell, D.J. Collins and J. Huebschmann, Aspherical group presentation, Math. Z., 178 (1981), 1-36.

[12] D. J. Collins, Relations among the squares of the generators of the braid group, Invent. Math., 117(1994), 525-530.

[13] D. J. Collins, A simple presentation of a group with unsolvable word problem, Illnois J. Math., 30(2)(1986), 230-234.

[14] P Dehornoy, Braid-based cryptography, Contemp. Math., 360(2004), 5-33.

[15] P Dehornoy, Using shifted conjugacy in braid-based cryptography, Arxiv ePrint Archive, Report 0609091v1, http://arxiv.org/abs/cs/0609091.

[16] E. A. Elrifai and H. R. Morton, Algorithms for positive braids, Quarterly Journal of Mathematics, 45(1994), 479-497.

[17] D. Epstein, J. Cannon, D. Holt, S. Levy, M. Paterson and W. Thurston, Word processing in groups, Jones and Bartlett, 1992.

[18] N. Franco and J. Gonzales-Meneses, Conjugacy problem for braid groups and Garside groups, J. Algebra, 266(2003), 112-132.

[19] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Probabilistic solutions of equations in the braid group, Advances in Applied Mathematics 35(2005), 323-334.

[20] F. A. Garside, The braid group and other groups, Quarterly Journal of Mathematics, 20(1969), 235-254.

[21] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Length-based conjugacy search in the Braid group, Contemp. Math., Amer. Math. Soc. 418(2006), 75-87.

[22] V. Gebhardt, A new approach to the conjugacy problem in Garside groups, J. Algebra, 292(1)(2005), 282-302.

[23] F.J. Grunewald, On some groups which cannot be finitely presented, J. London Math. Soc., 17(2)(1978), 427-436.

[25] G. Higman, B. H. Neumann and H. Neumann, Embedding theorems for groups, J. London Math. Sco., 24(1949), 247-254.

[26] D. Hofheinz, R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in Public Key Cryptography, 6th International Workshop on Practice and Theory in Public Key Cryptography, in: PKC 2003 (Y. G. Desmedt, ed.), Lecture Notes Comp. Sc. 2567(2002), 187-198.

[27] J. Hughes, The left SSS attack on Ko-Lee-Cheon-Han-Kang-Park key agreement scheme in B45, Rump session Crypto 2000.

[28] J. Hughes, A linear algebraic attack on the AAFG1 braid group cryptosystem, in BATTEN L.M., SEBERRY J. (EDS.): Information Security and Privacy, 7th Australian Conf.-ACISP 2002, Mel-bourne, Australia, July 2002, (LNCS, 2384), 176-189.

[29] J. Hughes, A. Tannenbaum, Length-based attacks for certain group based encryp-tion rewriting systems, Inst. for Mathematics and its applic. (Minneapolis MN) 2000, http://www.ima.umn.edu/preprints/apr2000/1696.pdf, or http://arxiv.org/abs/cs/0306032.

[30] K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. Kang, C. Park, New public-key cryptosystem using braid groups, Advances in cryptology—CRYPTO 2000 (Santa Barbara, CA), 166-183, Lecture Notes in Comput. Sci. 1880, Springer, Berlin, 2000.

[31] K. H. Ko, D. H. Choi, M. S. Cho, J. W. Lee, A new signature scheme using conjugacy problem, Cryptology ePrint Archive, Report 2002/168, http://eprint.iacr.org/2002/168.

[32] A. G. Kallka, Representation attacks on the braid Diffie-Hellman public key encryption, Appl. Algebra Eng. Commun. Comput., 17(3-4)(2006), 257-266.

[33] S. La, A. Chaturvedi, Authentication schemes using braid groups, Arxiv ePrint Archive, Report 0507066v1, http://arxiv.org/abs/cs/0507066.

[34] S. J. Lee, E. Lee, Potential Weaknesses of the Commutator Key Agreement protocol Based on Braid Groups. In: Advances in cryptology-Eurocrypt 2002, 14-28 (Lecture Notes Comp. Sc., vol. 2332) Berlin Heidelberg New York Tokyo: Springer 2002.

[35] E. Lee, and J. H. Park, Cryptanalysis of the public-key encryption based on braid groups, in BIHAM E. (ED.): Advances in Cryptology, EUROCRYPT 2003, Warsaw, Poland, 4-8 May 2003, (LNCS, 2656), 477-490.

[36] J. Longrigg and A. Ushakov, Cryptanalysis of shifted conjugacy authentication protocol, Arxiv ePrint Archive, Report 0708.1768, http://arxiv.org/abs/0708n1768

[37] S. Maffre, A Weak Key Test for Braid Based Cryptography, Designs, Codes and Cryptography, 39(3)(2006), 347-373.

[38] K. A. Mihailova, The occurence problem for direct products of groups, Dokl. Akad, Nauk SSSR 119,1958,1103-1105.Mat. Sb. (N.S.), 70(112:2)(1966), 241C251.

[39] A. D. Myasnikov, V. Shpilrain, and A. Ushakov, A Practical Attack on a Braid Group Based Cryp-tographic Protocol, Advances in Cryptology-CRYPTO 2005, Lecture Notes in Computer Science Volume 3621, 2005, 86-96.

[40] A. D. Myasnikov and A. Ushakov, Length based attack in braid groups, in PKC 2007, Lecture Notes in Computer Science, 4450(2007), 76-88.

[41] P. S. Novikov, On the algorithmic unsolvability of the word problem in group theory, Trudy Mat. Ins. Steklov, 44(1955), 143 pages, Translation in Amer. math. Soc. Transl, 9(2)(1958), 1-122.

[42] D. Ruinskiy, A. Shamir, B. Tsaban, Cryptanalysis of group-based key agreement protocols using subgroup distance functions, in PKC 2007, Lecture Notes Comp. Sc., 4450(2007), 61-75.