The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm for Symplectic and Orthogonal Groups

In this chapter, we study the MOR cryptosystem with symplectic and orthogonal groups over finite fields of odd characteristics. There are four infinite families of finite classical Chevalley groups. These are special linear groups SL( d , q ), orthogonal groups O( d , q ), and symplectic groups Sp( d , q ). The family O( d , q ) splits into two different families of Chevalley groups depending on the parity of d . The MOR cryptosystem over SL( d , q ) was studied by the second author. In that case, the hardness of the MOR cryptosystem was found to be equivalent to the discrete logarithm problem in F q d . In this chapter, we show that the MOR cryptosystem over Sp( d , q ) has the security of the discrete logarithm problem in F q d . However, it seems likely that the security of the MOR cryptosystem for the family of orthogonal groups is F q d 2 . We also develop an analog of row-column operations in symplectic and orthogonal groups which is of independent interest as an appendix.


Introduction
Public-key cryptography is the backbone of this modern society.However with recent advances in quantum computers and its possible implication to factoring integers and solving the discrete logarithm problems, it seems that we are left with no secure cryptographic primitive.So it seems prudent that we set out in search for new cryptographic primitives and subsequently new cryptosystems.The obvious question is: how to search and where to look?One can look into several well-known hard problems in Mathematics and hope to create a trap-door function, or one can try to generalize the known, trusted cryptosystems.This chapter is in the direction of generalizing a known cryptosystem with the hope that something practical and useful will come out of this generalization.A new but arbitrary cryptosystem might not be considered by the community as a secure cryptosystem for decades.So our approach is conservative but practical.Several such approaches were earlier made by many eminent mathematicians.To name a few, Maze et al. [1,2] developed SAP and Shpilrain and Zapata developed CAKE, both work in non-abelian structures.There is an interesting cryptosystem in the work of Climent et al. [3].We further recommend the work of Grogoriev et al. [4] and Roman'kov [5].
The cryptosystem that we have in mind is the MOR cryptosystem [6][7][8][9].In Section 2, we describe the MOR cryptosystem in details.It is a simple but powerful generalization of the well-known and classic ElGamal cryptosystem.In this cryptosystem, the discrete logarithm problem works in the automorphism group of a group instead of the group.As a matter of fact, it can work in the automorphism group of most algebraic structures.However, we will limit ourselves to finite groups.One way to look at the MOR cryptosystem is that it generalizes the discrete logarithm problem from a cyclic (sub)group to an arbitrary group.
The MOR cryptosystem over SL(d, q) was studied earlier [6] and cryptanalyzed by Monico [10].It became clear that working with matrix groups of size d over F q and with automorphisms that act by conjugation, like the inner automorphisms, there are two possible reductions of the security to finite fields.It is the security of the discrete logarithm problem in F q d or F q d 2 ([6], Section 7).This reduction is similar to the embedding of the discrete logarithm problem in the group of rational points of an elliptic curve to a finite field; the degree of the extension of that field over the field of definition of the elliptic curve is called the embedding degree.In the case of SL(d, q), it became the security of F q d .The reason that we undertook this study is to see if the security in other classical Chevalley groups is F q d or F q d 2 .
In cryptography, it is often hard to come up with theorems about security of a cryptosystem.However, at this moment it seems likely that the security of the MOR cryptosystem in orthogonal groups O(d, q) is F q d 2 .The way we implement this cryptosystem is by solving the word problem in generators.It presents no advantage to small characteristic.In the light of Joux's [11] improvement of the index-calculus attack in small characteristic, this contribution of the MOR cryptosystem is remarkable.
In summary, the proposed MOR cryptosystem is totally different from the known ElGamal cryptosystems from a functional point of view.Its implementation depends on Gaussian elimination and substitutions (substituting a matrix for a word in generators).However, we do have a concrete and tangible understanding of its security.It is clear from this work that the MOR cryptosystem over classical groups is not quantum-secure.However, for other groups like solvable groups, the answer is not known and could be a topic of further research.

Structure of the chapter
This chapter is an interplay between computational group theory and public-key cryptography, in particular the MOR cryptosystem, and is thus interdisciplinary in nature.In this chapter, we study the MOR cryptosystem using the orthogonal and symplectic groups over finite fields of odd characteristic.
In Section 2, we describe the MOR cryptosystem in some details.We emphasize that the MOR cryptosystem is a natural generalization of the classic ElGamal cryptosystem.In Section 3, we describe the orthogonal and symplectic groups and their automorphisms.In Appendix A, we describe few new algorithms.These algorithms use row-column operations to write an element in classical groups as a word in generators.This is very similar to the Gaussian elimination algorithm for special linear groups.These algorithms are vital to the implementation of the MOR cryptosystem.These algorithms are also of independent interest in computational group theory.

Notations and terminology
It was bit hard for us to pick notations for this chapter.The notations used by a Lie group theorist is somewhat different from that of a computational group theorist.We tried to preserve the essence of notations as much as possible.For example, a Lie group theorist will use SL lþ1 q ð Þ to denote what we will denote by SL l þ 1; q ð Þor SL d; q ð Þ.We have used T X to denote the transpose of the matrix X.This was necessary to avoid any confusion that might arise when using X À1 and T X simultaneously.In this chapter, we use K and F q interchangeably, while each of them is a finite field of odd characteristic.However, in the appendix the field k is unrestricted.The matrix te ij is used to denote the matrix unit with t in the i; j ð Þ th place and zero everywhere else.We will often use x r t ð Þ as generators, a notation used in the theory of Chevalley groups.Here r is a short hand for i; j ð Þ and x r t ð Þ are defined in Tables A1, A3, A5, and A7.We often refer to the orthogonal group as O d; q ð Þ, specifically, the split orthogonal group as O þ 2l; q ð Þor O þ 2l þ 1; q ð Þand the twisted orthogonal group as O À 2l; q ð Þ.All other notations used are standard.

The MOR cryptosystem
The MOR cryptosystem is a natural generalization of the classic ElGamal cryptosystem.It was first proposed by Paeng et al. [9].To elaborate the idea behind a MOR cryptosystem, we take a slightly expository route.For the purpose of this exposition, we define the discrete logarithm problem.It is one of the most common cryptographic primitive in use.It works in any cyclic (sub)group G ¼ g h i but is not secure in any cyclic group.
Definition 2.1 (The discrete logarithm problem).The discrete logarithm problem in G ¼ g h i, given g and g m , find m.The word "find" in the above definition is bit vague, in this chapter we mean compute m.The hardness to solve the discrete logarithm problem depends on the presentation of the group and is not an invariant under isomorphism.It is believed that the discrete logarithm problem is secure in the multiplicative group of a finite field and the group of rational points of an elliptic curve.
A more important cryptographic primitive, related to the discrete logarithm problem, is the Diffie-Hellman problem, also known as the computational Diffie-Hellman problem.Definition 2.2 (Diffie-Hellman problem).Given g, g m 1 , and g m 2 , find g m 1 m 2 .It is clear; if one solves the discrete logarithm problem, then the Diffie-Hellman problem is solved as well.The other direction is not known.
The most prolific cryptosystem in use today is the ElGamal cryptosystem.It uses the cyclic group G ¼ g h i.It is defined as follows:

The ElGamal cryptosystem
A cyclic group G ¼ g h i is public.
• Public-key: Let g and g m be public.
• Private-key: The integer m be private.

Encryption:
To encrypt a plaintext M ∈ G, get an arbitrary integer r ∈ 1; jGj ½ and compute g r and g rm .The ciphertext is g r ; M g rm ð Þ .

Decryption:
After receiving the ciphertext g r ; M g rm ð Þ , the user uses the private-key m.So she computes g mr from g r and then computes M.
It is well known that the hardness of the ElGamal cryptosystem is equivalent to the Diffie-Hellman problem ([12], Proposition 2.10).

The MOR cryptosystem
In the case of the MOR cryptosystem, one works with the automorphism group of a group.An automorphism group can be defined on any algebraic structure, and subsequently a MOR cryptosystem can also be defined on that automorphism group; however, in this chapter we restrict ourselves to finite groups.Furthermore, we look at classical groups defined by generators and automorphisms that are defined as actions on those generators.Let G ¼ g 1 ; g 2 ; …; g s be a finite group.Let ϕ be a non-identity automorphism.
• Private-key: The integer m is private.

Encryption:
To encrypt a plaintext M ∈ G, get an arbitrary integer r ∈ 1; jϕj ½ and compute ϕ r and ϕ rm .The ciphertext is ϕ r ;

Decryption:
After receiving the ciphertext ϕ r ; ϕ rm M ð Þ ð Þ , the user knows the private-key m.So she computes ϕ mr from ϕ r and then computes M.
Theorem 2.1 The hardness to break the above MOR cryptosystem is equivalent to the Diffie-Hellman problem in the group ϕ h i. Proof.It is easy to see that if one can break the Diffie-Hellman problem, then one can compute ϕ mr from ϕ m in the public-key and ϕ r in the ciphertext.This breaks the system.
On the other hand, observe that the plaintext is Assume that there is an oracle that can break the MOR cryptosystem, i.e., given ϕ, ϕ m and a plaintext ϕ r ; g ð Þwill deliver ϕ Àmr g ð Þ.Now we query the oracle s times with the public-key and the ciphertext ϕ r ; From the output, one can easily find ϕ mr g i À Á for i ¼ 1, 2, …, s.So we just witnessed that for ϕ m and ϕ r , one can compute ϕ mr using the oracle.This solves the Diffie-Hellman problem.
In a practical implementation of a MOR cryptosystem, there are two things that matter the most.
a: The number of generators.As we saw that the automorphism ϕ is presented as action on generators.Larger the number of generators, bigger is the size of the public key.b: Efficient algorithm to solve the word problem.This means that given G ¼ g 1 ; g 2 ; …; g s and g ∈ G, is there an efficient algorithm to write g as word in g 1 , g 2 , …, g s ?The reason of this importance is immediate-the automorphisms are presented as action on generators, and if one has to compute ϕ g ð Þ, then the word problem must be solved.
The obvious question is: what are the right groups for the MOR cryptosystem?In this chapter, we pursue a study of the MOR cryptosystem using finite Chevalley groups of classical type, in particular, orthogonal and symplectic groups.

Description of automorphisms of classical groups
This chapter studies the MOR cryptosystem for orthogonal and symplectic groups over a field of odd characteristics.As we discussed before, MOR cryptosystem is presented as action on generators of the group.Then to use an automorphism on an arbitrary element, one has to solve the word problem in that group with respect to that set of generators.
The generators and the Gaussian elimination algorithm to solve the word problem are described in Appendix A. We will be very brief here.
Let V be a vector space of dimension d over a field K of odd characteristic.Let β : V Â V !K be a bilinear form.By fixing a basis of V, we can associate a matrix to β.We shall abuse the notation slightly and denote the matrix of the bilinear form by β itself.Thus β x; y ð Þ¼ T xβy, where x, y are column vectors.We will work with non-degenerate bilinear forms and that means detβ 6 ¼ 0. A symmetric or skewsymmetric bilinear form β satisfies β¼ T β or β ¼ À T β, respectively.Definition 3.1 (Orthogonal group).A square matrix X of size d is called orthogonal if T XβX ¼ β, where β is symmetric.It is well known that the orthogonal matrices form a group known as the orthogonal group.Definition 3.2 (Symplectic group).A square matrix X of size d is called symplectic if T XβX ¼ β, where β is skew-symmetric.And the set of symplectic matrices form a symplectic group.
We write the dimension of V as d ¼ 2l þ 1 or d ¼ 2l for l ≥ 1.We fix a basis and index it by 0, 1, …, l, À 1, …, À l in the odd dimension, and in the case of even dimension where there are two non-degenerate symmetric bilinear forms up to equivalence, we index the bases by 1, 2, …, l, À 1, À 2, …, À l and 1, À 1, 2, …, l, À 2, …, À l for split and twisted forms, respectively.We consider the non-degenerate bilinear forms β on V given by the following matrices: a: The odd-orthogonal group.The form β is symmetric with b: The symplectic group.The form β is skew-symmetric with d ¼ 2l and c: The split orthogonal group.The form β is symmetric with d ¼ 2l and c 0 : The twisted orthogonal group.The form β is symmetric with d ¼ 2l and where I l is the identity matrix of size l over K and for a fixed non-square ϵ ∈ K, The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 We now describe the automorphism group of the orthogonal and symplectic groups.This helps us in picking the right set of automorphisms for the MOR cryptosystem.
Definition 3.3 (Orthogonal similitude group).The orthogonal similitude group is defined as the set of matrices X of size d as where d ¼ 2l þ 1 or 2l and β is of type a, c, or c 0 , respectively.Definition 3.4 (Symplectic similitude group).The symplectic similitude group is defined as where β is of type b.
Here μ depends on the matrix X and is called the similitude factor.The similitude factor μ defines a group homomorphism from the similitude group to F Â q , and the kernel is the orthogonal group O d; q ð Þ when β is symmetric and symplectic group Sp 2l; q ð Þand when β is skew-symmetric, respectively ([13], Section 12).Note that scalar matrices λI for λ ∈ F Â q belong to the center of similitude groups.The similitude groups are analog of what GL d; q ð Þ is for SL d; q ð Þ.For a discussion of the diagonal automorphisms of Chevalley groups, we need the diagonal subgroups of the similitude groups.
Definition 3.5 (Diagonal group).The diagonal groups are defined to be the group of non-singular diagonal matrices in the corresponding similitude group and are as follows: and in the case of GO 2l; Conjugation by these diagonal elements produces diagonal automorphisms in the respective Chevalley groups.To build a MOR cryptosystem, we need to work with the automorphism group of Chevalley groups.In this section we describe the automorphism group of classical groups following Dieudonne [14].
Conjugation automorphisms: If N is a normal subgroup of a group G, then the conjugation maps n↦gng À1 for n ∈ N and g ∈ G are called conjugation automorphisms of G.In particular, both inner automorphisms and diagonal automorphisms are examples of conjugation automorphisms.
Central automorphisms: Let χ : G ! Z G ð Þ be a homomorphism to the center of the group.Then the map g↦χ g ð Þg is an automorphism of G, known as the central automorphism.There are no nontrivial central automorphisms for perfect groups, for example, the Chevalley groups SL l þ 1; K ð Þand Sp 2l; K ð Þ, |K| ≥ 4, and l ≥ 2. In the case of orthogonal group, the center is of two elements I; ÀI f g, where I is the identity matrix.This implies that there are at most four central automorphisms in this case.
Field automorphisms: In terms of matrices, field automorphisms amount to replacing each term of the matrix by its image under f.Modern Cryptography -Theory, Technology, Adaptation and Integration Graph automorphisms: A symmetry of Dynkin diagram induces such automorphisms.This way we get automorphisms of order 2 for SL l þ 1; K ð Þand l ≥ 2 and O þ 2l; K ð Þand l ≥ 4. We also get an automorphisms of order 3 for O þ 4; K ð Þ.In the case of SL(d, q) for d ≥ 3, the map x↦A À1T x À1 A, where explicitly describes the graph automorphism.In the case of O(2l, q) for l ≥ 5, the graph automorphism is given by x↦B À1 xB where B is a permutation matrix obtained from identity matrix of size 2l Â 2l by switching the l th row and Àl th row.This automorphism is a conjugating automorphism.
Theorem 3.1 (Dieudonne).Let K be a field of odd characteristic and l ≥ 2.
1.For the group SL l þ 1; K ð Þ , any automorphism is of the form ιγθ where ι is a conjugation automorphism defined by elements of GL l þ 1; K ð Þand γ is a graph automorphism for the special linear group.In all cases θ denotes a field automorphism.For a proof of the above theorem, see [26], Theorems 30 and 36.In the above theorem, conjugation automorphisms are given by conjugation by elements of a larger group, and it includes the group of inner automorphisms.We introduce diagonal automorphisms to make it more precise.The conjugation automorphisms ι can be written as a product of ι g and η where ι g is an inner automorphism and η is a diagonal automorphism.

For the group
Diagonal automorphisms: In the definition of the conjugating automorphism, when the conjugating element is from the similitude group but not in the group we get a diagonal automorphism.In the case of special linear groups, diagonal automorphisms are given by conjugation by diagonal elements of PGL(l + 1, q) on PGL(l + 1, q).In the case of symplectic and orthogonal groups, diagonal automorphisms are given by conjugation by corresponding diagonal group elements defined in Definition 3.5.

Security of the proposed MOR cryptosystem
The purpose of this section is to show that for a secure MOR cryptosystem over the classical Chevalley and twisted orthogonal groups, we have to look at automorphisms that act by conjugation like the inner automorphisms.There are other automorphisms that also act by conjugation, like the diagonal automorphism and the graph automorphism for odd-order orthogonal groups.Then we argue what is The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 the hardness of our security assumptions.We denote the split orthogonal group by O þ 2l; q ð Þand twisted orthogonal group by O À 2l; q ð Þ.Now onwards O(2l,q) means either split or twisted orthogonal group and we will specify whenever required.
Let ϕ be an automorphism of one of the classical Chevalley groups G: From Theorem 3.1, we know that ϕ ¼ c χ ιηγθ where c χ is a central automorphism, ι is an inner automorphism, η is a diagonal automorphism, γ is a graph automorphism, and θ is a field automorphism.
The group of central automorphisms are too small and the field automorphisms reduce to a discrete logarithm in the field F q .So there is no benefit of using these in a MOR cryptosystem.Also there are not many graph automorphisms in classical Chevalley and twisted orthogonal groups other than special linear groups and oddorder orthogonal groups.In the odd-order orthogonal groups, these automorphisms act by conjugation.Recall here that our automorphisms are presented as action on generators.It is clear ( [6], Section 7) that if we can recover the conjugating matrix from the action on generators, the security is a discrete logarithm problem in F q d , or else the security is a discrete logarithm problem in F q d 2 .
So from these we conclude that for a secure MOR cryptosystem, we must look at automorphisms that act by conjugation, like the inner automorphisms.Inner automorphisms form a normal subgroup of Aut G ð Þ and usually constitute the bulk of automorphisms.If ϕ is an inner automorphism, say ι g : x↦gxg À1 , we would like to determine the conjugating element g.For the special linear group, it was done in [6].We will follow the steps there for the present situation too.However, before we do that, let us digress briefly to observe that This implies that our problem is equivalent to solving the word problem in Inn G ð Þ.Note that solving word problem depends on how the group is presented and it is not invariant under group homomorphisms.Thus the algorithm described earlier to solve the word problem in the classical Chevalley and twisted orthogonal groups does not help us in the present case.
In what follows, we will use generators These are the Chevalley generators for the Chevalley groups we are dealing with and are described in details in Tables A1, A5, A3, and A7 in the Appendix.

Reduction of security
In this subsection, we show that for special linear and symplectic groups, the security of the MOR cryptosystem is the hardness of the discrete logarithm problem in F q d .This is the same as saying that we can find the conjugating matrix up to a scalar multiple.We further show that the method that works for special linear and symplectic groups does not work for orthogonal groups.
Let ϕ be an automorphism that works by conjugation, i.e., ϕ ¼ ι g , for some g, and we try to determine g.
Step 1: The automorphism ϕ is presented as action on generators . This implies that we know ge r g À1 for all possible r.We first claim that we can determine N = gD where D is sparse, in fact, diagonal in the case of special linear and symplectic groups.
Modern Cryptography -Theory, Technology, Adaptation and Integration In the case of special linear groups, write where G i is at the j th place.Multiplying this with g À1 on the right, i.e., computing ge i, j g À1 , determines G i up to a scalar multiple d i (say).Thus, we know N ¼ gD where For the symplectic groups, we do the similar computation with the generators In the case of special linear groups, we have D a diagonal.Thus by computing D À1 e i, j D, we determine d À1 i d j for i 6 ¼ j and form a matrix diag 1; , and multiplying this to N, we get d 1 g.Hence we can determine g up to a scalar matrix.
For symplectic groups, we can do similar computation as and multiply it to N ¼ gD to get d 1 g.Thus we can determine g up to a scalar multiple say ag.Similarly we can determine g m up to a scalar multiple say bg m .Now, compute ag , and then we can recover m by solving the discrete logarithm in the matrices using Menezes and Wu's idea [15].However, if we choose g such that g qÀ1 ¼ 1, then it seems that we might avoid this line of attack.We can bypass this argument by recovering the scalars a and b, and then to determine m, we compute the discrete logarithm in g h i using Menezes and Wu's idea.We prove the following proposition.
Proposition 4.1 Given any g ∈ Sp d; q ð Þ up to scalar multiple ag, a ∈ F q .If gcd d; q À 1 ð Þ¼1, we can determine the scalar a. Otherwise one can find the scalar a by solving a discrete logarithm problem in F q .
Proof.We can recover the scalar a as follows: Let λ 1 ; …; λ d f gbe a set of eigenvalues of g, and then the eigenvalues of ag are aλ , then we have recovered the scalar a; otherwise we can recover the scalar by solving the discrete logarithm problem in F q .
Thus, if gcd d; q À 1 ð Þ¼1, then using the above proposition, we can recover the scalars a and b from ag and bg m , respectively.Otherwise one needs to solve discrete logarithm problem in F q to recover the scalars.Now, we can recover g and g m from ag and bg m just by multiplying with scalar matrices a À1 I and b À1 I, respectively.Finally, we recover m using Menezes and Wu's idea.Thus, if we choose g such that The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663g qÀ1 ¼ 1 and gcd d; q À 1 ð Þ6 ¼ 1, then to solve the discrete logarithm in ϕ h i, one needs to solve the discrete logarithm in F q and F q d .However, in the case of orthogonal groups, we show that one cannot recover g up to a diagonal matrix using the above approach, and hence the above reduction attack does not work.
f g be a set of Chevalley generators of O(d,q) described in Appendix A. Suppose that the public-key is presented as an action of ϕ on x r f g, then it is impossible to recover a matrix gD, where D is a diagonal matrix using the above reduction.
Proof.We prove the theorem for O þ d; q ð Þ, d even, and the theorem follows for other cases similarly.Let d ¼ 2l and we write g in columns form as We compute ge r g À1 which gives the following equations: 1. Note that g e i, j À e Àj, Ài , where C i is at jth place and C Àj is at Ài th place.After multiplying by g À1 , we get a matrix whose all columns are linear combinations of columns C i and C Àj .
2. Note that g e i, Àj À e j, Ài À Á g À1 ¼ 0; …; 0; C i ; 0; …; 0; C j ; 0; …; 0 Â Ã g À1 , where C i is at Àj th place and C j is at Ài th place.After multiplying by g À1 , we get a matrix whose all columns are linear combinations of columns C i and C j .

Note that g e
, where C Ài is at j th place and C Àj is at i th place.After multiplying by g À1 , we get a matrix whose all columns are linear combinations of columns C Ài and C Àj .
Suppose one can construct a matrix B from columns obtained above such that B ¼ gD, where D is diagonal, then we can see that d i C i ¼ a i C j þ b j C k for some i, j, k which is a contradiction as det g ð Þ 6 ¼ 0. Thus, it is not possible to construct a matrix B such that B ¼ gD, where D is diagonal.
This conclusively proves that the attack on the special linear groups and symplectic groups will not work for most orthogonal groups.
For orthogonal groups, the best we can do is the following: We can construct N such that , where D 1 and D 2 are diagonal and P is a permutation matrix.We demonstrate the construction of N in the case of a split orthogonal group O þ 2l; q ð Þ; similar construction works for other cases as well.Computing ge r g À1 gives the following equations: , where G i is at jth place and G Àj is at Ài th place.This gives us a linear combination of the columns G i and G Àj .

G
, where G i is at Àj th place and G j is at Ài th place.This will give us a linear combination of the columns G i and G j .

G
, where G Ài is at jth place and G Àj is at ith place.This will give us a linear combination of the columns G Ài and G Àj .
Modern Cryptography -Theory, Technology, Adaptation and Integration We construct a matrix N as follows: , and P are permutation matrix corresponding to the permutation of indexing set 1 , where D 1 and D 2 are diagonal and P is a permutation matrix.This is not a diagonal matrix.One can do a similar computation for the odd-orthogonal group and twisted orthogonal group as well.
Remark 4.1 An observant reader would ask the question: why does this attack works for the special linear and symplectic groups but not for orthogonal groups?The answer lies in a closer look at the generators (elementary matrices) for these groups.
In the special linear groups, the generators are the elementary transvections of the form I þ te i, j where i 6 ¼ j and t ∈ F q .Then the attack goes on smoothly as we saw earlier.However, when we look at generators of the form I þ te i, j À te Àj, Ài , where t ∈ F q and i 6 ¼ j, conjugating by them, it gets us a linear sum of the ith and jth column, not scalar multiple of one particular column.This stops the attack from going forward.However in the symplectic groups, there are generators of the form I þ e i, Ài and I þ e Ài, i for 1 ≤ i ≤ l.These generators make the attack possible for the symplectic groups.However there are no such generators for orthogonal groups, and so this attack turns out to be impossible for orthogonal groups.

The case for two-generators and prime fields
One serious objection against a MOR cryptosystem is the size of the key ([10], Section 7).The reason is that in a MOR cryptosystem, the automorphisms are presented as action on generators.Now the bigger the number of generators, the larger the key-size.
On the other hand, many of the finite simple groups can be generated by two elements.However, a set of generators is not enough.We must be able to compute the image of an arbitrary element.When the automorphism is presented as action on generators, we need an efficient solution to the word problem in order to do that.We have demonstrated in Appendix A that there is one set of generators, the elementary matrices, for which the word problem is easy.
The theme of this section is that for symplectic and even-order split orthogonal groups, there are two generators and for the odd-orthogonal group there are three generators.Over the prime field of odd characteristic, one can easily compute the word corresponding to the elementary matrices for these generators.
So one can present the automorphisms ϕ and ϕ m as action on these few generators and then compute the action of these automorphisms on the elementary matrices later.This substantially reduces the key-size.To do this we use the technique of straight line programs, which is popular in computational group theory.These are programs, but in practice are actually easy to use formulas.Say, for example, we want to compute x i, j t ð Þ for some t ∈ F q .We have loaded matrices The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 the memory in such a way that this formula takes as input t and put it in the (1, 2) position of the matrix x 1, 2 Á ð Þ and do the matrix multiplication.This is one straight line program.Since these programs are loaded in the memory, computation is much faster.This is somewhat similar to a time-memory trade-off.We have built a series of these straight line programs, where one straight line program can use other straight line programs and have written down the length of these programs.The length is nothing but the number of matrices in the formula.
Using the symplectic group in the MOR cryptosystem is straightforward.However, using orthogonal groups is little tricky because of the presence of λ in the output of the Gaussian elimination algorithm (see Section A.2.3).It is well known that the elementary matrices, without w i -the row interchanges matrices and generates Ω, the commutator subgroup of a orthogonal group.However in between the commutator and the whole group, there is another important subgroup, WΩ ¼ Ω; w i h ifor some i.From the algorithmic point of view, it is the subgroup of all the matrices for which the λ is a square.Now once the λ is a square and we can efficiently compute the square root, we can write this matrix down as product of elementary matrices, and it is easy to implement in the MOR cryptosystem.It is well known that if p 3 mod4 ð Þ, then it is easy to compute the square root.Only for this reason, in the latter part of this section and for orthogonal groups, we concentrate on p 3 mod4 ð Þ.

Symplectic group Sp (2l, p)
Let p be an odd prime.It is known [16] that the group Sp(2l,p) is generated by two elements: We will refer these two elements as Steinberg generators.However in the context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets-Steinberg generators and elementary matrices (see Table A3).To write w as a product of elementary matrices is easy, just put this generator through our Gaussian elimination algorithm.Here we demonstrate the other way round, that is, how to write elementary matrices as a product of x and w.
In what follows, we denote the length of SLPs by L δ; i ð Þ, where δ ¼ j À i and Here & Modern Cryptography -Theory, Technology, Adaptation and Integration Now w l ¼ À1 ð Þ lÀ1 0 I l ÀI l 0 and x j, i t ð Þ ¼ w l x i, j Àt ð Þw Àl , so length of this SLP is Next observe the following: Hence we generate all the elementary matrices (Table A3) using only two generators x and w.Hence Sp(2l, p) is generated by only two generators x and w.

Split orthogonal group O + (2l, p)
Let p 3 mod4 ð Þbe a prime.It is known [16] that the group O + (2l,p) is generated by two elements: We will refer these two elements as Steinberg generators.As we discussed earlier, in context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets-Steinberg generators and elementary matrices (Table A1).To write w as a product of elementary matrices is easy, just put this generator through our Gaussian elimination algorithm.Here we demonstrate the other way round, that is, how to write elementary matrices as a product of x and w.In what follows, we denote the length of SLPs by L δ; i ð Þ, where δ ¼ j À i and 1 ≤ i , j ≤ l.
The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 The number of SLPs is l.Next observe the following: So we generate all x i, Àj t ð Þ for i .j. Now w l x i, Àj t ð Þw Àl ¼ x Ài, j t ð Þ, and we get x Ài, j t ð Þ and the total number of SLPs is l þ 4. It is shown by Ree [17] that elementary matrices x i, j t ð Þ generate Ω 2l; p ð Þ, the commutator subgroup of O(2l, p).Hence we generate Ω 2l; p ð Þ, using only two elements x and w.Since we generate x i, j t ð Þ and w i, j as a product of x i, j t ð Þ and w ¼ w 1, 2 1 ð Þw 2, 3 1 ð Þ⋯w lÀ1, l 1 ð Þw l , so we are able to generate w l .Here w i, j t ð Þ ¼ x i, j t ð Þx j, i Àt À1 ð Þx i, j t ð Þ for i 6 ¼ j and w l ¼ I À e l, l À e Àl, Àl þ e l, Àl þ e Àl, l .Now we know w lÀ1 ¼ w l w l, lÀ1 1 ð Þw lÀ1, Àl 1 ð Þ, so we generate w lÀ1 .Hence by induction, we generate Hence we generate all the elementary matrices (Table A1 Hence we generate WΩ 2l; p ð Þusing only two generators x and w.

Orthogonal group O(2l+1, p)
Let p 3 mod4 ð Þbe a prime.It is known [16] that the group O(2l+1, p) is generated by these elements: Modern Cryptography -Theory, Technology, Adaptation and Integration We will refer these three elements as Steinberg generators.However in context of the MOR cryptosystem, we need to know how to go back and forth between these two generating sets-Steinberg generators and elementary matrices (Table A5).To write w as a product of elementary matrices is easy, just put this generator through our Gaussian elimination algorithm.Here we demonstrate the other way round, that is, how to write elementary matrices as a product of w and x.First we compute, In what follows, we denote the length of SLPs by L δ; i ð Þ, where δ ¼ j À i and 1 ≤ i , j ≤ l.

Next observe the following:
Elements Indices Equation (SLP) Length The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 So we generate all x i, Àj t ð Þ for i , j.Now w l x i, Àj t ð Þw Àl ¼ x Ài, j t ð Þ, and we have x Ài, j t ð Þ.The total number of SLPs is l þ 7. It is shown in Ree [17] that elementary matrices Hence we generate all the elementary matrices (Table A5) using only two generators x and w and an extra element w l .Hence we generate a new subgroup In our algorithm the output matrix is iis the orthogonal group.

Twisted orthogonal group O
We use the following generators which we refer as Steinberg generators.
x ¼ x 1, 2 1 ð Þ, w l ¼ I À e l, l À e Àl, Àl À e l, Àl À e Àl, l , In the context of MOR cryptosystem, we need to know how to go back and forth between these generators and elementary matrices (Table A7).The procedure is almost similar to the case of O + (2l,p).Again, note that x ¼ x 1, 2 , x 0 ¼ x À1, 2 , x 1 t; s ð Þ, and x 2 are elementary matrices.Thus, we just need to write w as a product of elementary matrices.However, computing w is fairly easy, just put this generator through our Gaussian elimination algorithm in Appendix A.Here we demonstrate the other way round, that is, how to write elementary matrices as a product of w, x, and x 0 .First, we compute Modern Cryptography -Theory, Technology, Adaptation and Integration A and length of this SLP is , and length of this SLP are 2i À 1 and 2 l À 1 ð Þþ2i À 1, respectively.Next, we compute x 2, 3 t ð Þ using the commutator formula , and length of this SLP is 4 l À 1 ð Þþ8.In what follows, we denote the length of SLPs by L δ; i ð Þ, where δ ¼ j À i and 2 ≤ i , j ≤ l. Here Hence, we get all x i, j t ð Þ for 2 ≤ i 6 ¼ j ≤ l and the number of SLPs is l þ 2. Next, we compute the remaining elementary matrices using the commutator formula and are listed in the table; let r ¼ l À 1.

Elements
Indices Equation (SLP) Length Thus, we have generated all x i, Àj t ð Þ for i , j.Now, using the formula w l x i, Àj t ð Þw Àl ¼ x Ài, j t ð Þ, we get x Ài, j t ð Þ and the total number of SLPs required is l þ 6.Now we know w lÀ1 ¼ w l w l, lÀ1 1 ð Þw lÀ1, Àl 1 ð Þ, so we generate w lÀ1 .Hence by induction we can generate Hence we generate all the elementary matrices defined in Table A7 using generators x, x 0 , x 1 t; s ð Þ, x 2 , and w and an extra element w l .In our algorithm the output matrix is The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 , where ζ is non-square in F Â p .Then as a consequence of our Gaussian elimination algorithm in Appendix A, we can see that x, x 0 , x 1 t; s ð Þ, x 2 ,w and w l along with d ζ ð Þ generate the twisted orthogonal group.

Conclusion
This section is similar to ([6], Section 8).A useful public-key cryptosystem is a delicate dance between speed and the security.So one must talk about speed along with security.
The implementation of the MOR cryptosystem that we have in mind uses the row-column operations.Let g 1 ; g 2 ; …; g s be a set of generators for the orthogonal or symplectic group as described before.As is the custom with a MOR cryptosystem, the automorphisms ϕ and ϕ m are presented as action on generators, i.e., we have ϕ g i À Á and ϕ m g i À Á as matrices for i ¼ 1, 2, …, s.To encrypt a message in this MOR cryptosystem, we compute ϕ r .We do that by square-and-multiply algorithm.For this implementation, squaring and multiplying is almost the same.So we will refer to both squaring and multiplication as multiplication.Note that multiplication is composed of automorphisms.
The implementation that we describe in this chapter can work in parallel.Each instance computes ϕ r g i À Á for i ¼ 1, 2, …, s.First thing that we do is write the matrix of ϕ g i À Á as a word in generators.So essentially the map ϕ becomes a map g i ↦w i where w i is a word in generators of some fixed length.Then multiplication becomes essentially a replacement, replace all instances of g i by w i .This can be done very fast.However, the length of the replaced word can become very large.The obvious question is how soon are we going to write this word as a matrix.This is a difficult question to answer at this stage and depends on available computational resources.
Once we decide how often we change back to matrices, how are we going to change back to matrices?There can be a fairly easy time-memory trade-offs.Write all words up to a fixed length and the corresponding matrix as a pre-computed table and use this table to compute the matrices.Once we have matrices, we can multiply them together to generate the final output.There are also many obvious relations among the generators of these groups.One can just store and use them.The best strategy for an efficient implementation is yet to be determined.It is clear now that there are many interesting and novel choices.
The benefits of this MOR cryptosystem are: This can be implemented in parallel easily.This implementation does not depend on the size of the characteristic of the field.This is an important property in light of Joux's recent improvement of the index-calculus attacks [11].
For parameters and complexity analysis of this cryptosystem, we refer to ([6], Section 8).Assume that we take a prime of size 2 160 and we are using two generators presentation of ϕ for the even-orthogonal group.Then the security is the discrete logarithm problem in F p d 2 .Now if we take d ¼ 4, then the security is better than F 2 2560 .Our key-size is about 8000 bits.Comparing with Monico ([10], Section 7), where he says an ElGamal will have about 6080 bits, our system is quite comparable.Moreover, the MOR cryptosystem is better suited to handle large primes and can be easily parallelized.
Modern Cryptography -Theory, Technology, Adaptation and Integration algorithm for all orthogonal groups over a perfect field of even characteristics.
• Furthermore, we have Gaussian elimination algorithm for orthogonal groups that are given by the above bilinear forms or quadratic forms over arbitrary fields.This algorithm also works for bilinear or quadratic forms that are equivalent to the above forms.
A.2 Gaussian elimination for matrices of even size-orthogonal group O þ d; k ð Þ and symplectic group Recall that the bilinear forms β are the following: Note that any isometry g satisfies T gβg ¼ β.The main reason our algorithm works is the following: Recall that a matrix g ¼ A B

C D
, where A, B, C, and D are matrices of size l, is orthogonal or symplectic if T gβg ¼ β for the respective β.After some usual calculations, for orthogonal group it becomes The above equation implies among other things, T CAþ T AC ¼ 0. This implies that T AC is skew-symmetric.In an almost identical way, one can show, if g is symplectic, T AC is symmetric.The working principle of our algorithm is simpleuse the symmetry of T AC.The problem is, for arbitrary A and C, it is not easy to use this symmetry.In our case we were able to reduce A to a diagonal matrix, and then it is relatively straightforward to use this symmetry.We will explain the algorithm in details later.First of all, let us describe the elementary matrices and the rowcolumn operations for orthogonal and symplectic groups.The genesis of these elementary matrices lies in the Chevalley basis of simple Lie algebras.We will not go into details of Chevalley's theory in this appendix.Furthermore, we do not need to, the algorithm that we produce will show that these elementary matrices are generators for the respective groups.
Next we present the elementary matrices for the respective groups and then the row-column operations in a tabular form.

A.2.1 Elementary matrices (Chevalley generators) for orthogonal group
Following the theory of root system in a simple Lie algebra, we index rows by 1, 2, …, l, À 1, À 2, …, À l.For t ∈ k, the elementary matrices are defined as follows (Tables A1 and A2): Let us note the effect of multiplying g by elementary matrices.We write Modern Cryptography -Theory, Technology, Adaptation and Integration , where A, B, C, and D are l Â l matrices.

A.2.2 Elementary matrices (Chevalley generators) for symplectic group
For t ∈ k, the elementary matrices are defined as follows (Table A3): Let us note the effect of multiplying g by elementary matrices.We write , where A, B, C, and D are l Â l matrices (Table A4).

A.2.3 Gaussian elimination for Sp
Step 1: Use ER1 and EC1 to make A into a diagonal matrix.This makes A into a diagonal matrix and changes other matrices A, B, C, and D. For the sake of notational convenience, we keep calling these changed matrices as A, B, C, and D as well.
Char(k) Elementary matrices

Row operations
Column operations Char(k) Elementary matrices The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 Step 2: There are two possibilities.One, the diagonal matrix A is of full rank, and two, the diagonal matrix A is of rank r less than l.This is clearly identifiable by looking for zeros in the diagonal of A.
Step 3: Make r rows of C, corresponding to the non-zero entries in the diagonal of A zero by using ER3.If r ¼ l, we have C as zero matrix.If not let us assume that ith row is zero in A. Then we interchange the i th row with the Ài th row in g.We do this for all zero rows in A. The new C is a zero matrix.We claim that the new A must have a full rank.This follows from Equation A.1; in particular T CBþ T AD ¼ I l .If C is zero matrix, then A is invertible.Now make A a diagonal matrix by using Step 1. Then one can make A a matrix of the form diag 1; …; 1; λ ð Þ , where λ ∈ k Â using ER1 ( [18], Proposition 6.2).Once A is diagonal and C a zero matrix, the equation T CBþ T AD ¼ I l makes D a diagonal matrix of full rank.
Step 5: (Only for symplectic groups) Reduce the λ to 1 using Lemma A.1.
Þ¼I À e l, l À e Àl, Àl þ λe l, Àl À λ À1 e Àl, l and denote it by w l λ ð Þ, and then the diagonal element is w l λ ð Þw l À1 ð Þ. Remark A.1 As we saw in the above algorithm, we will have to interchange i th and Ài th rows for i ¼ 1, 2, …, l.This can be done by pre-multiplying with a suitable matrix.
Let I be the 2l Â 2l identity matrix over k.To swap ith and Àith row in O þ 2l; k ð Þ, swap ith and Àith rows in the matrix I.We will call this matrix w i .It is easy to see that this matrix w i is in O þ 2l; k ð Þand is of determinant À1.Pre-multiplying with w i does the row interchange we are looking for.
In the case of symplectic group Sp 2l; k ð Þ, we again swap two rows ith and Àith in I. However we do a sign change in the ith row and call it w i .Simple computation with our chosen β shows that the above matrices are in O þ 2l; k ð Þand Sp 2l; k ð Þ, respectively.

Row operations
Column operations Interchange ith and (Ài)th rows Interchange ith and (Ài)th columns with a sign change in the ith row with a sign change in the ith column Table A4.
The row-column operations for symplectic groups.
Modern Cryptography -Theory, Technology, Adaptation and Integration However there is one difference between orthogonal and symplectic groups.In symplectic group, w i can be generated by elementary matrices because In the case of orthogonal groups, that is not the case.This is clear that the elementary matrices come from the Chevalley generators and those generates Ω, the commutator of the orthogonal group.All matrices in Ω have determinant 1. However w i has determinant À1.So we must add w i as an elementary matrix for O þ 2l; k ð Þ. Remark A.2 This algorithm proves every element in the symplectic group is of determinant 1.Note the elementary matrices for the symplectic group are of determinant 1, and we have an algorithm to write any element as product of elementary matrices.So this proves that the determinant is 1.
Remark A.3 This algorithm proves if X is an element of a symplectic group then so is T X.The argument is similar to the above; here we note that the transpose of an elementary matrix in symplectic groups is an elementary matrix.

A.3 Gaussian elimination for matrices of odd size-the odd-orthogonal group
In this case, matrices are of odd size and there is only one family of group to consider; it is the odd-orthogonal group O 2l þ 1; k ð Þ .This group will be referred to as the odd-orthogonal group.
Elementary matrices for the odd-orthogonal group in even characteristics differ from that of odd characteristics.In above table we made that distinction and listed them separately in different rows according to the characteristics of k.If char(k) is even, we can construct the elements w i , which interchanges the ith row with Ài th row as follows: Otherwise, we can construct w i , which interchanges the ith row with Ài th row with a sign change in i th , À i th and 0 th row in odd-orthogonal group as follows: The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 À e Ài, Ài À e i, Ài À e Ài, i : The Gaussian elimination algorithm for O 2l þ 1; k ð Þfollows the earlier algorithm for symplectic and even-orthogonal group closely, except that we need to take care of the zero row and the zero column.We write an element g Let us note the effect of multiplying g by elementary matrices (Table A6).

Row operations
Column operations Modern Cryptography -Theory, Technology, Adaptation and Integration Step 1: Use ER1 and EC1 to make A into a diagonal matrix, but in the process, it changes other matrices A, B, C, D, E, F, X, and Y.For the sake of notational convenience, we keep calling these changed matrices as A, B, C, D, E, F, X, and Y as well.
Step 2: Now there will be two cases depending on the rank r of matrix A. The rank of A can be easily determined using the number of non-zero diagonal entries.Use ER3 and non-zero diagonal entries of A to make corresponding r rows of C zero.
1.If r ¼ l then C becomes zero matrix.
2. If r , l then interchange all zero rows of A with corresponding rows of C using w i so that the new C becomes a zero matrix.
Once C becomes zero, note that Relation A.
is even guarantees that X becomes zero.Relation A.5 guarantees that A has full rank l which also makes D a diagonal with full rank l.Thus Relation A.3 shows that F becomes zero as well.Then use Step 1 to reduce Step 3: Now if char(k) is even, then Relation A.4 guarantees that E becomes zero as well.If char(k) is odd, then use ER4 to make E a zero matrix.
Step 4: Use ER2 to make B a zero matrix.For char(k) even the relation

A.4 Gaussian elimination in twisted orthogonal groups
In this section we present a Gaussian elimination algorithm for twisted orthogonal groups.The size of the matrix is even; the bilinear form used is c 0 from Section 3.

A.4.1 Elementary matrices (Chevalley generators) for twisted orthogonal groups O
In this section, we describe row-column operations for twisted Chevalley groups.These groups are also known as the Steinberg groups.An element A, where A, B, C, and D are Þmatrices, E and F are l À 1 ð ÞÂ2 matrices, and A 0 is a 2 Â 2 matrix.In the Gaussian elimination algorithm that we discuss, we reduce X, Y, E, F, B, and C to zero and A and D to diagonal matrices.
The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663However, unlike the previous cases, we were unable to reduce A 0 to an identity matrix.However, for odd characteristics we were able to reduce A 0 to a twoparameter subgroup.
We now talk about the output of the algorithm.In the output we will have a 2 Â 2 block (also called A 0 ) which will satisfy T A 0 β 0 A 0 ¼ β 0 , where β 0 ¼ 1 0 0 ϵ for odd characteristics and ε is a non-square.Then A 0 is a orthogonal matrix given by the bilinear form β 0 .Now if we write A 0 ¼ a b c d , then we get the following equations: Considering the fact that det A 0 ð Þ ¼ AE1, one more equation ad À bc ¼ AE1 and this leads to two cases either a ¼ d and b ¼ Àcϵ or a ¼ Àd and b ¼ cϵ.Recall that, since ϵ is not a square, d 6 ¼ 0. Then if c ¼ 0, then there are four choices for A 0 and these are A 0 ¼ AE1 0 0 AE1 .
To summarize, the output of the algorithm A 0 will have one of the following forms and t ∈ k Â , s ∈ k, and ϵ are non-square.There are now two ways to describe the algorithm: one is to leave A 0 as it is in the output of the algorithm, and the other is to include these matrices as generators.For the purpose of uniform exposition, we chose the latter and included the following two generators Char(k) Elementary matrices Modern Cryptography -Theory, Technology, Adaptation and Integration in the list of elementary matrices in Table A7.In the case of even characteristics, no such reduction is possible, and we included the matrix t p r s in the list of generators with the condition that the determinant is 1.
The elementary matrices for O À 2l; k ð Þdepend on the characteristics of k.We describe them separately in the following table.Let α be an Arf-invariant, 2 ≤ i, j ≤ l and t ∈ K and ξ ∈ k Â .
Let us note the effect of multiplying g by elementary matrices.Elementary matrices for the twisted orthogonal group in even characteristics differ from that of odd characteristics, so in the following tables (Tables A8 and A9), we made that distinction and listed them separately in different rows according to the characteristics of k.The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 Note that any isometry g satisfies T gβg ¼ β.The main reason the following algorithm works is the closed condition T gβg ¼ β which gives the following relations: T A 0 β 0 A 0 þ T FEþ T EF ¼ β 0 , (A.7) T A 0 β 0 Xþ T FAþ T EC ¼ 0, (A.8) T A 0 β 0 Yþ T FBþ T ED ¼ 0, (A.9) T Xβ 0 Xþ T CAþ T AC ¼ 0, (A.10) T Xβ 0 Yþ T CBþ T AD ¼ I lÀ1 : (A.11) A.4.2 The Gaussian elimination algorithm for O À 2l; k ð Þ Step 1: Use ER1 and EC1 to make A into a diagonal matrix, but in the process, it changes other matrices A 0 , A, B, C, D, E, F, X, and Y.For the sake of notational convenience, we keep calling these changed matrices as A 0 , A, B, C, D, E, F, X, and Y as well.
Step 2: Now there will be two cases depending on the rank r of the matrix A.
The rank of A can be easily determined by the number of non-zero diagonal entries.
Step 3: Use ER3 and non-zero diagonal entries of A to make corresponding r rows of C zero.
• If r ¼ l À 1 then C becomes zero matrix.
• If r , l À 1 then interchange all zero rows of A with corresponding rows of C using w i , so that the new C becomes a zero matrix.
• Once C becomes zero one, can note that the relation and the fact that αt 2 þ t þ α is irreducible when char k ð Þ is even guarantees that X becomes zero.Then the relation T Xβ 0 Yþ T CBþ T AD ¼ I lÀ1 guarantees that A has full rank l À 1 which also makes D a diagonal with full rank, and the relation T A 0 β 0 Xþ T FAþ T EC ¼ 0 shows that F is zero.Now we diagonalize A again to the form diag 1; …; 1; λ ð Þ , where λ ∈ k Â as in Step 1.
Step 4: Use EC4 and EC6 when char k ð Þ is odd or use EC8 and EC9 when char k ð Þ is even to make E zero.Note that the relation T A 0 β 0 A 0 þ T FEþ T EF ¼ β 0 shows that A 0 is invertible.Thus the relation T A 0 β 0 Yþ T FBþ T ED ¼ 0 guarantees that Y becomes zero.
Step 6: Using the relation T A 0 β 0 A 0 ¼ β 0 , it is easy to check that A 0 has the form t Àϵs s t or t ϵs s Àt .If the determinant of A 0 is À1, multiply g by x 2 to get new g of the above form such that A 0 has determinant 1.Now using the elementary matrix x 1 t; s ð Þ, we can reduce g to diag I 2 ; 1; …; λ; 1; …; λ À1 À Á .
Lemma A.2 Let k be a field of characteristics 2 and let g ¼ A, where A ¼ diag 1; 1; …; 1; λ ð Þ , be an element of O À 2l; k ð Þthen X ¼ 0. Proof.Let e 1 ; e À1 ; e 2 ; …; e l ; e À2 ; …; e Àl f g be the standard basis of the vector space V. Recall that for a column vector x ¼ x 1 ; x À1 ; x 2 ; …; x l ; x À2 ; …; x Àl ð Þ t , the action of the quadratic form Q is given by Q By definition, for any g ∈ O À 2l; k ð Þ, we have x 2i ¼ 0. If x 2i ¼ 0 then we can see that x 1i ¼ 0. Suppose x 2i 6 ¼ 0 for some i, then we rewrite the equation by dividing it by x 2i as α x 1i x 2i þ α ¼ 0, which is a contradiction to the fact that αt 2 þ t þ α is irreducible over k t ½ .Thus, x 2i ¼ 0 for all 2 ≤ i ≤ l and hence X ¼ 0. •

A.5 Time complexity of the above algorithms
We establish that the worst-case time complexity of the above algorithm is O l 3 À Á .We mostly count the number of field multiplications.
Step 1: We make A a diagonal matrix by row-column operations that has complexity O l 3 À Á .
Step 2: In making both C and B zero matrix, we multiply two rows by a field element and additions.In the worst case, it has to be done O l ð Þ times and done O l 2 À Á many times.So the complexity is O l 3 À Á .
Step 3: In odd-orthogonal group and twisted orthogonal group, we clear X, Y, E, F, this clearly has complexity O l 2 À Á .
Step 4: This step has only a few operations that is independent of l.
Then clearly, the time complexity of our algorithm is O l 3 À Á .We have implemented the above algorithms in Magma [25].For details of that implementation along with performance analysis of our algorithm, we refer to Bhunia et al. ( [24], Section 8).
The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663 where A, B, C, and D are l Â l matrices, X and Y are 1 Â l matrices, E and F are l Â 1 matrices, α ∈ k and β ¼ Then from the condition T gβg ¼ β, we get the following relations: any automorphism is of the form c χ ιθ where c χ is a central automorphism and ι is a conjugation automorphism by elements of GO using only two generators x and w.Now we know w lÀ1 ¼ w l w l, lÀ1 1 ð Þw lÀ1, Àl 1 ð Þ, so we generate w lÀ1 .Hence inductively we can generate w

Table A6 .
The row-column operations for guarantees that Y is a zero matrix, and for char(k) odd Relation A.4 implies that Y becomes zero.Àl t ð Þ, where t 2 ¼ λ, and hence we can reduce the matrix g to identity.