Cryptographic protocols based on Nielsen transformations

Based on a combinatorial distribution of shares we present in this paper secret sharing schemes and cryptosystems using Nielsen transformations.


Introduction
We first describe secret sharing protocols and combinatorial distributions of shares. After these introductory definitions we start with a secret sharing scheme that uses the combinatorial distribution of shares directly. Based on this we present two schemes in which we apply regular Nielsen transformations in connection with faithful representations of free groups and the Nielsen reduction theory. In the last sections we modify the secret sharing schemes to obtain a private key cryptosystem, and finally Nielsen transformations are used for a public key cryptosystem which is inspired by the ElGamal cryptosystem. The new cryptographic protocols are in part in the dissertation of A. Moldenhauer [6] under her supervisor G. Rosenberger at the University of Hamburg.
An $(n, t)$-secret sharing protocol, with $n, t \in \mathbb{N}$ and $t \le n$, is a method to distribute a secret among a group of $n$ participants in such a way that it can be recovered only if at least $t$ of them combine their shares. Hence any group of $t - 1$ or fewer participants cannot calculate the secret. The number $t$ is called the threshold. The person who distributes the shares is called the dealer. D. Panagopoulos presents in his paper [8] an $(n, t)$-secret sharing scheme using group presentations with solvable word problem. Here we use combinatorial distributions of the shares similar to those introduced in the paper of D. Panagopoulos. To distribute the shares in an $(n, t)$-secret sharing scheme the dealer does the following steps:
1. Calculate $m = \binom{n}{t-1}$, the number of all elements, for example $\{a_1, a_2, \ldots, a_m\}$, the participants need to know for the reconstruction of the secret.
3. The dealer distributes to each of the $n$ participants one of the sets $R_1, R_2, \ldots, R_n$.
The new protocols in this paper are based on Nielsen transformations, which are the basis of a linear technique to study free groups and general infinite groups. We now review some basic definitions concerning regular Nielsen transformations and Nielsen reduced sets (see [1] or [5]).
Let $F$ be a free group on the free generating set $X := \{x_1, x_2, \ldots\}$ and let $U := \{u_1, u_2, \ldots\} \subset F$. (T2) replace some $u_i$ by $u_i u_j$ where $j \neq i$; In all three cases the $u_k$ for $k \neq i$ are not changed. A (finite) product of elementary Nielsen transformations is called a Nielsen transformation. A Nielsen transformation is called regular if it is a finite product of the transformations (T1) and (T2), otherwise it is called singular. The set $U$ is called Nielsen-equivalent to the set $V$, if there is a regular Nielsen transformation from $U$ to $V$.
i , call U Nielsen reduced if for all such triples the following conditions hold: Here | · | denotes the free length in F .
. . , u n } is finite, then U can be carried by a Nielsen transformation into some V such that V is Nielsen reduced.
For a proof see [1, Theorem 2.3] or [5, Proposition 2.2]. For the secret sharing scheme based on Nielsen transformations we will only use regular Nielsen transformations. We agree on some notations. We write $(T1)_i$ if we replace $u_i$ by $u_i^{-1}$ and we write $(T2)_{ij}$ if we replace $u_i$ by $u_i u_j$. If we want to apply the same Nielsen transformation (T2) $t$ times one after the other we write $[(T2)_{ij}]^t$ and hence replace $u_i$ by $u_i u_j^t$. In all cases the $u_k$ for $k \neq i$ are not changed.

A combinatorial secret sharing scheme
Now we present a (n, t)-secret sharing scheme, whereby the secret is the sum of multiplicative inverses of elements in the natural numbers. For the distribution of the shares the dealer uses the method of D. Panagopoulos described in Section 1. The numbers n and t are given, whereby n is the number of participants and t is the threshold.
1. The dealer first calculates the number $m = \binom{n}{t-1}$.
2. He chooses $m$ elements $a_1, a_2, \ldots, a_m \in \mathbb{N}$. From these elements he constructs analogously as in Section 1 the sets $R_1, R_2, \ldots, R_n$. The secret $S$ is the sum
3. Each participant $P_i$ gets one share $R_i$, $1 \le i \le n$.
If $t$ of the $n$ participants come together they can reconstruct the secret: they first combine their $t$ private sets $R_i$ and get by construction the set $\tilde{R} = \{a_1, a_2, \ldots, a_m\}$. The secret is the sum of the inverse elements in the set $\tilde{R}$, that is
If the dealer needs a special secret $\tilde{S} \in \mathbb{Q}$ he gives every participant one more element $x \in \mathbb{Q}$ in each $R_i$, with $x := \frac{\tilde{S}}{S}$.
The participants get $\tilde{S}$ by multiplying the reconstructed secret $S$ with $x$.
Each element $a_j$ is contained in exactly $n - (t - 1)$ subsets. Hence for each $j = 1, 2, \ldots, m$ the element $a_j$ is not contained in $t - 1$ subsets from $\{R_1, R_2, \ldots, R_n\}$. As a consequence, $a_j$ is in each union of $t$ subsets. On the other hand, if just $t - 1$ arbitrary sets from $\{R_1, R_2, \ldots, R_n\}$ are combined, there exists a $j$ such that the element $a_j$ is not included in the union of these sets. If just one element $a_j$ is absent, the participants do not get the correct sum $S$, and hence cannot compute the correct secret.
Example 2.1. We perform the steps for a (4, 3)-secret sharing scheme. It is n = 4 and t = 3.
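The distribution and reconstruction of this section for the (4, 3) case, as an added example that is not code from the paper. The values a_j are constructed; the assignment rule (a_j goes into R_i exactly when i is not contained in A_j, with A_1, ..., A_m the (t − 1)-element subsets of {1, ..., n}) is the one the paper states for its later example, and distinctness of the a_j is an assumption.

```python
from fractions import Fraction
from itertools import combinations

def deal(n, t, elements):
    """Return the shares {i: R_i} of an (n, t) scheme.

    A_1, ..., A_m are the (t-1)-element subsets of {1, ..., n}; a_j is put
    into R_i exactly when i is not contained in A_j.
    """
    subsets = list(combinations(range(1, n + 1), t - 1))
    if len(elements) != len(subsets):
        raise ValueError(f"need m = C(n, t-1) = {len(subsets)} elements")
    # Assumption: the a_j are distinct naturals, so a set union recovers them.
    if len(set(elements)) != len(elements) or min(elements) < 1:
        raise ValueError("elements must be distinct natural numbers")
    return {i: {a for a, A in zip(elements, subsets) if i not in A}
            for i in range(1, n + 1)}

def secret(elements):
    """S = sum of the multiplicative inverses, kept exact in Q."""
    return sum(Fraction(1, a) for a in elements)

def reconstruct(shares, x=Fraction(1)):
    """Pool the given shares; x = S~/S rescales S to a special secret S~."""
    return x * secret(set().union(*shares))

def missing(coalition, elements):
    """Elements a_j that a coalition of participants does not hold."""
    return set(elements) - set().union(*coalition)

# Constructed sample values for the (4, 3) case: m = C(4, 2) = 6.
N_PARTIES, THRESHOLD = 4, 3
ELEMENTS = [2, 3, 5, 7, 11, 13]
SHARES = deal(N_PARTIES, THRESHOLD, ELEMENTS)
S = secret(ELEMENTS)
```

Every coalition of t − 1 participants lacks exactly one a_j, the one whose index set A_j equals the coalition, so the secrecy of S against such a coalition rests on that single value.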

A secret sharing scheme using a regular Nielsen transformation
In this section we describe an $(n, t)$-secret sharing scheme which extends and improves the ideas in Section 2 by using Nielsen transformations. We consider free groups as abstract groups but also as subgroups of the special linear group of all $2 \times 2$ matrices over $\mathbb{Q}$, that is, We use the special linear group over the rational numbers because these numbers can be stored and computed more efficiently on a computer than irrational numbers. Let $F$ be a free group in $\mathrm{SL}(2, \mathbb{Q})$ of rank $m := \binom{n}{t-1}$. The dealer wants to distribute the shares for the participants as described in Section 1. The shares will be subsets of a free generating set of the group $F$.
Steps for the Dealer: The numbers $n$ and $t$ are given, whereby $n$ is the number of participants and $t$ is the threshold. We have $m := \binom{n}{t-1}$.
1. The dealer chooses an abstract free generating set $X$ for the free group $F$ of rank $m$, that is He also needs an explicit free generating set $M$, that is the dealer needs a special secret he can act as described in Section 2.
3. The dealer constructs the shares for the participants in the following way:
(a) He first applies a regular Nielsen transformation simultaneously to both sets $X$ and $M$ to get sets $U$ and $N$ that are Nielsen-equivalent to $X$ and $M$, respectively (see Figure 1). The elements $u_i$ are words in $X$ and the elements $N_i$ are words in $M$. Hence we have $N_i \in \mathrm{SL}(2, \mathbb{Q})$.
(b) The dealer now uses the method of D. Panagopoulos to split $U$ and $N$ and to get the shares $(R_i, S_j)$ for the participants with $R_i \subset U$ and $S_j \subset N$.
4. The dealer distributes the shares.
If $t$ of the $n$ participants combine their parts they obtain the sets $U$ and $N$. The secret can be recovered as follows:
1. The participants apply regular Nielsen transformations in a Nielsen reduction manner for $U$ and step by step simultaneously for $N$. By Proposition 1.3 they get Nielsen reduced sets Recall that $\operatorname{tr}(M_i^{\delta_i}) = \operatorname{tr}(M_i)$ for $i = 1, \ldots, m$.
Fewer than $t$ participants can get neither the whole set $U$, which is Nielsen-equivalent to $X$, nor the set $N$, which is Nielsen-equivalent to $M$. For the calculation of the secret, the participants need the set $M$, because the secret depends on the traces of the matrices $M_i \in M$. The participants need both sets $U$ and $N$. If they just have one set $U$ or $N$ they cannot get information about the set $M$. If the set $U$ is known, it is only known which Nielsen transformation should be done to get the Nielsen-equivalent set $X$, but it is unknown on which matrices they should be done simultaneously. If only the set $N$ is known, then the matrices in $\mathrm{SL}(2, \mathbb{Q})$ are known, but nobody knows which Nielsen transformation should be done on $N$ to get the set $M$. It is also unknown how many Nielsen transformations were used.
In the book [4] of J. Lehner on page 247 a method is given to explicitly obtain a free generating set $M$ for a free group $F$ on the abstract generating set $X := \{x_1, x_2, \ldots, x_m\}$:
Example 3.1. Let $F$ be a free group with countably many free generators $x_1, x_2, \ldots$. Corresponding to $x_j$ define the matrix with $r_j \in \mathbb{Q}$ such that the following inequalities hold: The group $G$ generated by $\{M_1, M_2, \ldots\}$ is isomorphic to $F$ (see [4]).
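The lockstep application of regular Nielsen transformations to the words and to the matrices (step 3(a)) and its reversal, as an added example that is not code from the paper. Assumptions: rank 2 for brevity, Sanov's matrices as the free generating set M (not the paper's matrices), 0-based indices, and the reversing sequence is obtained by inverting the dealer's steps, whereas the participants would find one by Nielsen reduction of U, which is not implemented here.

```python
from fractions import Fraction as Q

def mul(A, B):
    (a, b), (c, d) = A
    (e, f), (g, h) = B
    return ((a*e + b*g, a*f + b*h), (c*e + d*g, c*f + d*h))

def inv(A):  # inverse of a determinant-1 matrix; it has the same trace as A
    (a, b), (c, d) = A
    return ((d, -b), (-c, a))

def reduce_word(w):  # free reduction of [(generator index, +1 or -1), ...]
    out = []
    for g, e in w:
        if out and out[-1] == (g, -e):
            out.pop()
        else:
            out.append((g, e))
    return out

def apply_nt(steps, U, N):
    """Apply elementary regular NTs to the words U and matrices N in lockstep.
    ("T1", i): u_i -> u_i^-1;  ("T2", i, j): u_i -> u_i u_j with j != i."""
    U, N = [list(u) for u in U], list(N)
    for kind, i, *j in steps:
        if kind == "T1":
            U[i], N[i] = [(g, -e) for g, e in reversed(U[i])], inv(N[i])
        elif j[0] != i:
            U[i], N[i] = reduce_word(U[i] + U[j[0]]), mul(N[i], N[j[0]])
        else:
            raise ValueError("(T2) requires j != i")
    return U, N

def invert(steps):  # (T1)_i undoes itself; (T2)_ij is undone by (T1)_j (T2)_ij (T1)_j
    return [r for s in reversed(steps)
            for r in ([s] if s[0] == "T1" else [("T1", s[2]), s, ("T1", s[2])])]

def evaluate(word, M):  # image of an abstract word under x_i -> M_i
    P = ((1, 0), (0, 1))
    for g, e in word:
        P = mul(P, M[g] if e == 1 else inv(M[g]))
    return P

# Constructed data (assumption): Sanov's free generators, viewed in SL(2, Q).
X = [[(0, 1)], [(1, 1)]]
M = [((Q(1), Q(2)), (Q(0), Q(1))), ((Q(1), Q(0)), (Q(2), Q(1)))]
DEALER_STEPS = [("T2", 0, 1), ("T2", 0, 1), ("T1", 1), ("T2", 1, 0)]
U, N = apply_nt(DEALER_STEPS, X, M)
```

Each N_i is the word u_i evaluated in M, which is why the transformation read off from U is the one that has to be applied to N.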
We now present an example for this secret sharing scheme. is a free generating set for a free group of rank 3.

Construction of the shares for the participants:
(a) First the dealer applies regular Nielsen transformations (NTs) simultaneously to both sets $X$ and $M$ to get sets $U$ and $N$ that are Nielsen-equivalent to $X$ and $M$, respectively. These transformations are shown in Table 1. The dealer obtains the sets
(b) He gets the shares $(R_i, S_j)$ for the participants with $R_i \subset U$ and $S_j \subset N$ as follows:
i. It is $m = \binom{n}{t-1} = \binom{3}{1} = 3$.
ii. The dealer chooses the elements $\tilde{a}_1, \tilde{a}_2, \tilde{a}_3$ and gets the three sets With the help of the $A_i$ the dealer gets the sets $R'_1$, $R'_2$, and $R'_3$, which contain elements from the set $\{\tilde{a}_1, \tilde{a}_2, \tilde{a}_3\}$. He puts the element $\tilde{a}_j$ for which $i$ is not contained in the set $A_j$, for $i = 1, 2, 3$ and $j = 1, 2, 3$, into the set $R'_i$.
Now we apply this to $U$ and $N$ to create the share-sets for the participants, respectively:
4. The dealer distributes to each participant a tuple $(R_i, S_j)$. Participant $P_1$ gets $(R_1, S_2)$, $P_2$ gets $(R_2, S_3)$ and $P_3$ gets $(R_3, S_1)$.
Assume the participants $P_1$ and $P_2$ come together to reconstruct the secret. They generate the sets $U = \{u_1, u_2, u_3\}$ and $N = \{N_1, N_2, N_3\}$. The secret can be recovered as follows.
The participants apply regular Nielsen transformations step by step simultaneously for both sets $U$ and $N$ to get $X^{\pm}$ and $M^{\pm}$. The steps are shown in Tables 2 and 3.
In general we can use any free matrix group $F$ of rank $m := \binom{n}{t-1}$ for an $(n, t)$-secret sharing scheme as described in this section. The shares can be generated by the above method and are tuples $(R_i, S_j)$ with $R_i \subset U$ and $S_j \subset N$. Some other ideas for the secret $S$ are

A variation of the secret sharing scheme based on Nielsen transformations
We explain a variation of the secret sharing scheme described in Section 3. As in the previous sections, let $F$ be a free group with the abstract free generating set $X := \{x_1, x_2, \ldots, x_q\}$, $q \in \mathbb{N}$, that is, Each participant $P_i$, $1 \le i \le n$, gets one set $R_i \subset V$, as above.
If $t$ of the $n$ participants come together to reconstruct the secret, they combine their shares and get the set $V = \{v_1, v_2, \ldots, v_m\}$. They have to find a Nielsen-reduced set $U' := \{u'_1, u'_2, \ldots, u'_m\}$ to $V$. They apply Nielsen transformations in a Nielsen reducing manner as described in [1] and [5] and get from $V$ a Nielsen-reduced set $U'$. The secret is the sum

A symmetric key cryptosystem using Nielsen transformations
Before Alice and Bob are able to communicate with each other they have to make some arrangements. Let $F$ be an abstract free group with the free generating set $X = \{x_1, x_2, \ldots, x_q\}$, $q \in \mathbb{N} \setminus \{1\}$. Let $\varphi : F \to \mathrm{SL}(2, \mathbb{Q})$ be a faithful representation of $F$ into $\mathrm{SL}(2, \mathbb{Q})$ as in Section 3. The group $G = \varphi(F)$ is isomorphic to $F$ under the map $x_i \mapsto M_i$, for $i = 1, \ldots, q$.
Let $N$ be the number of letters from the alphabet $A = \{a_1, \ldots, a_N\}$, for instance $N = 26$. We assume that $N \ge 5$. Let $U \subset F$, $U = \{u_1, \ldots, u_N\}$, be a basis of a free subgroup of $F$ of rank $N$. Such systems $U$ are easy to construct (see [1] or [5]). There is the one-to-one assignment $A \to U$, $a_j \mapsto u_j$, for $j = 1, \ldots, N$.
Let $U' = \varphi(U) = \{U'_1, \ldots, U'_N\} \subset \mathrm{SL}(2, \mathbb{Q})$, $u_j \mapsto U'_j$ for $j = 1, \ldots, N$. The set $U'$ is a basis for a free subgroup of $G$. Now, Alice and Bob agree on a block sequence $P := p_1 p_2 \cdots p_k$ with, say, $1 \le p_i \le 4$ and $k \ge 2$, and for each $p_i$ they construct a regular Nielsen transformation $f_i$ from $U'$ to a Nielsen-equivalent system The Nielsen transformations $f_i$, $1 \le i \le k$, should be pairwise different and given as sequences of elementary Nielsen transformations from $U'$ to $f_i(U')$.
As soon as Alice and Bob agree on a Nielsen transformation $f_i$ they compute $f_i(U')$, $i = 1, 2, \ldots, k$, independently of each other, even if they do not know the message. Hence they get a one-to-one assignment between the letters in their alphabet $A$ and the matrices for the ciphertext, depending on the part of the sequence $P$. This is shown in Table 4.
Now, Alice wants to send a message S with z, z > 0, letters from A. To describe the procedure let first