Post-Quantum Signature Scheme Based on the Root Extraction Problem over Mihailova Subgroups of Braid Groups

Abstract

In this paper, by introducing an isomorphism from the Mihailova subgroup of $F_2\times F_2$ to the Mihailova subgroups of a braid group, we give an explicit presentation of Mihailova subgroups of a braid group. Hence, in a braid group, there are some Mihailova subgroups experiencing unsolvable subgroup membership problem. Based on this, we propose a post-quantum signature scheme of the Wang–Hu scheme, and we show that the signature scheme is free of quantum computational attack.

1. Introduction

In the literature, the security assumptions of signature schemes are often based on a complex computational problem. For example, the RSA signature scheme [1] is based on the integer factorization problem. Elgamal’s signature scheme [2] is based on the discrete logarithm problem. Additionally, Koblitz’s signature scheme [3] is based on the discrete logarithm problem on elliptic curves. Both Wei’s signature scheme [4] and Vermal and Sharma’s signature scheme [5] are based on the factoring and discrete logarithm problem. In 1997, Shor [6] proposed a probabilistic quantum algorithm for large integer decompositions and discrete logarithm calculations. In 2003, Proos and Zalka [7] extended Shor’s algorithm and obtained a quantum algorithm for solving the discrete logarithm problem on elliptic curves. These algorithms need to be run on a quantum computer to achieve the desired effect. In 2019, a group of researchers from Google published a paper [8] announcing that they realized a 53 qubits quantum computation system capable of running quantum algorithms. Hence all the above well-known cryptographic schemes would be no safer under a quantum computation circumstance. It is then obviously urgent for cryptologists to find new public key cryptosystems that can resist quantum computer attacks. Consequently, a varieties of post-quantum cryptographic schemes have been proposed. For example, lattice-based cryptography and multivariate public key cryptography (MPKC) are two ways to construct post-quantum cryptographic schemes. In [9], a general multivariate public key cryptographic proxy signature scheme (MPKC) was proposed by Chen et al.. The security of MPKC is based on an NP-hard problem. The main drawback of MPKC is that the length of the public key is too long, which makes the signature algorithm very heavy. With the performance of faster calculation, less communication cost, and having some computationally hard problems, lattices are widely believed to be promising platforms to set up post-quantum cryptographic schemes. In [10,11], signature schemes based on lattices were proposed. The security of these schemes is guaranteed by NP-hard problems. Alternatively, new quantum signature schemes which are based on the quantum information theory of physical essence have also been considered. For example, Zheng et al. [12] proposed an arbitrated quantum signature scheme with quantum teleportation by using two three-qubit GHZ states. Yang et al. [13] proposed an arbitrated quantum signature scheme based on cluster states.

Due to the work of Anshell et al. [14] and Ko et al. [15], braid groups have been intensively used as a platform to construct public key cryptographic schemes where the safety of the schemes was claimed mainly by the conjugate search problem (for examples see [16,17,18,19,20,21,22] for references). However, people have found a variety of security drawbacks of these schemes, and therefore, some attack techniques have been developed [23,24,25,26,27,28,29,30,31,32]. It seems then that the conjugate search problem of braid groups is no more reliable for guaranteeing the safety of a braid group cryptography application.

The root extraction problem (REP) is another decision problem with braid groups. This decision problem is believed to be much harder than the conjugate search problem [33]. There are a number of public cryptosystems [19,34,35] that are based on the root extraction problems in braid groups. In [19], an entity authentication scheme which is based on the hardness of the REP has been put forward by Sibert et al.. Groch et al. provided a practical algorithm [36] for root extraction of a braid, and therefore, it seems that Sibert et al.’s scheme is not secure. We will show that Groch et al.’s algorithm is actually not applicable for root extraction of a braid. In [34], Lal and Chaturvedi proposed two authentication schemes that were claimed to be also based on the REP. However, the first of these two schemes has been attacked [37] without requiring solving the REP and it was pointed out [23] that the second one actually relies on the difficulty of the Deffie–Hellman decomposition problem which can be solved in polynomial time. In 2009, Wang and Hu proposed a signature scheme [35] based on the root extraction problem of braid groups. Wang and Hu proved that for an attacker to forge a valid signature for a given message m if and only if he can extract the eth root of the braid v generated in the scheme corresponding the message m. One may note that Myasnikov et al. gave a practical algorithm [38] for decomposition of a braid. This then may allow the attacker to decompose a braid v into a product of $v_i$’s where the eth root of these $v_i$’s are known. Therefore, the eth root of v can be computed as Wang and Hu pointed out in Section 5.3 of [35]. Therefore, Wang and Hu’s signature scheme would not be sufficiently secure.

In [39], Wang, Li, and Lin have given an explicit presentation of the Mihailova subgroups of $F_2\times F_2$, which experience unsolvable subgroup membership problems. Then by using an isomorphism, we show that for an index $n\ge 6$, a braid group $B_n$ contains such Mihailova subgroups. This provides us a choice to enforce the safety of some braid group-based cryptosystems. In this paper, by introducing the Mihailova subgroups of a braid group and choosing some elements of Mihailova subgroups as part of public keys and secret keys, we propose a reformed signature scheme of Wang–Hu’s. In the following section, we show the security of this reformed scheme is free of all known attacks, including the quantum computational attack.

The rest of this paper is organized as follows. In the Section 2, a brief review of braid groups is stated and then by an isomorphism, an explicit presentation of Mihailova subgroups of a braid group $B_n$ with $n\ge 6$ is given. These Mihailova subgroups experience unsolvable subgroup membership problems. Section 3 serves to propose a reformed signature scheme of Wang–Hu’s [35]. In the Section 4, we show that the security of the proposed reformed signature scheme is free of all known attacks.

2. Braid Groups and Mihailova Subgroups

2.1. Braid Groups and $\Delta$-Normal Forms

A braid group $B_n$, which will be taken as the platform group for the post-quantum scheme, is defined by the following presentation

$$B_n=\langle {\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{n-1}|{\sigma }_i{\sigma }_j{\sigma }_i={\sigma }_j{\sigma }_i{\sigma }_j,|i-j|=1,{\sigma }_i{\sigma }_j={\sigma }_j{\sigma }_i,|i-j|\ge 2\rangle$$

where ${\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{n-1}$ are called the Artin generators of $B_n$, and the elements of $B_n$ are called braids.

For any elements $x,y\in B_n$, if there exists another element $a\in B_n$, such that $y=a^{-1}xa$, we then say that $x,y$ are conjugate.

Let G be a group, $x,y,g$ be the elements of G, such that $y=g^{-1}xg$. The conjugate search problem is defined to ask for finding an element $g^{{}^{\prime }}\in G$, such that $y=g^{{}^{\prime }-1}x{g}^{{}^{\prime }}$.

Let G be a group, x be an element of G, and $e\ge 2$ be an integer, such that $x=y^e$ for some unknown element $y\in G$. The root extraction problem is defined to ask for finding an element $z\in G$, such that $x=z^e$.

Let G be a group, H be a subgroup generated by elements $b_1,b_2,\dots ,b_k$ of G. The membership problem of H is defined to ask for any element x of G if $x\in H$ is true. Equivalently, that is to ask if x can be expressed as the product of the powers of $b_1,b_2,\dots ,b_k$.

Let ${\Delta }_n$ denote the positive braid of $B_n^{+}$ inductively defined by

$${\Delta }_1={\sigma }_1,{\Delta }_i={\sigma }_1\cdots {\sigma }_{i-1}{\Delta }_{i-1}(1<i\le n)$$

(1)

We say that a positive braid $u\in B_n^{+}$ is canonical if it is a left divisor of ${\Delta }_n$, i.e., if we have ${\Delta }_n=uv$ for some positive braid v. If u is any positive braid, then there exists a maximal canonical braid $u_1$ that divides u, namely the left gcd of u and ${\Delta }_n$. We can then write $u=u_1{u}^{\prime }$, and repeat the operation, i.e., look for the maximal simple left divisor $u_2$ of $u^{\prime }$, and so we can write $u=u_1{u}_2\cdots u_s$ with all $u_i$’s are canonical. Every braid u in $B_n$ admits a unique decomposition of the form [40,41]

$$u={\Delta }_n^k{u}_1{u}_2\cdots u_r$$

(2)

where each $u_i$ is canonical and is distinct of ${\Delta }_n$ and 1 and is the maximal left canonical left divisor of $u_i{u}_{i+1}\cdots u_r$. We call (2) the $\Delta$-normal form of u and r the canonical length of u. There then is a homomorphism $\pi :B_n\to S_n$ from $B_n$ to the symmetric group $S_n$ defined by $\pi \left({\sigma }_i\right)=(i,i+1)$ and restricting $\pi$ to the set of canonical factors in $B_n$ induces a bijection [40].

2.2. A Practical Attack on Root Problem

In [36] Groch et al. proposed a practical attack on the root problem in braid groups. First they proved that a braid $u\in B_n$ has $\Delta$-normal form

$$u={\Delta }_n^k{u}_1{u}_2\cdots u_r$$

(3)

and that a braid $w\in B_n$ with $w=u^e$ with $e>1$ an integer has $\Delta$-normal form

$$w={\Delta }_n^{k^{\prime }}{w}_1{w}_2\cdots w_{r^{\prime }}$$

(4)

such that $l=r^{\prime }-(e-1)r>0$. Then the last l canonical factors $w_{(e-1)r+1}\cdots w_{r^{\prime }}$ of the $\Delta$-normal form of w form a tail of $u_1\cdots u_r$, i.e.,

$$u_1{u}_2\cdots u_r=u^{\prime }{w}_{(e-1)r+1}\cdots w_{r^{\prime }}$$

for some positive braid $u^{\prime }\in B_n$. They then let $u_R$ be the tail of u and $u_L\in B_n^{+}$ be the remaining canonical part of u, such that

$$u={\Delta }_n^k{u}_L{u}_R$$

For any canonical factor $v\in B_n$, by writing $\overline{v}$ for $\pi \left(v\right)$, they then claimed that by extracting the eth roots of permutation $\overline{w}$ one can extracting the eth roots of w in $B_n$. To find the solution to the equation

$$\overline{w}=x^e$$

(5)

in the symmetric group $S_n$, they let $y=\overline{w}$ and suppose $x\in S_n$ is a solution to Equation (5). Let x be a product of disjoint cycles $C_1,C_2,\cdots ,C_q$. Then

$$y=x^e=C_1^e{C}_2^e\cdots C_q^e$$

By writing y as a product of disjoint cycles $D_1,D_2,\cdots ,D_v$ and letting $\mathcal{L}={\bigcup }_{i=1}^v\left\{\right|D_i\left|\right\}$ each eth root x of y then can be expressed as

$$x=\prod _{l\in \mathcal{L}}{x}_l$$

such that each $x_l$ is an eth root of the product

$$y_l=\prod _{|D_i|=l}{D}_i$$

They, of course, can effectively find solutions to Equation (5). It followed that they then claimed that by the inverse of $\pi$ the eth root of w may be extracted by checking if ${\left({\Delta }_n^k{\pi }^{-1}\left(\overline{u_L}\right)u_R\right)}^e=w$ where ${\pi }^{-1}\left(\overline{u_L}\right)$ is obtained in turn from $\overline{u}$ by setting $\overline{u}=x$.

2.3. Mihailova Subgroups

Consider H as a group that is defined by

$$\Gamma =\langle x_1,x_2,\dots ,x_k|R_1,R_2,\dots ,R_m\rangle$$

with integer $k⩾2$, and let $F_k$ denote the free group on $x_1,x_2,\dots ,x_k$. Then, in the article [42], Mihailova associated with H in the Mihailova subgroup, denoted as M$\left(H\right)$, of the direct product of $F_k\times F_k$ defined by

$$M\left(H\right)=\left\{({\omega }_1,{\omega }_2)\right|{\omega }_1={\omega }_2,{\omega }_1\in H,{\omega }_2\in H\}$$

Mihailova [42] then proved the following theorem.

Theorem 1

(Mihailova [42]). The subgroup membership problem for M$\left(H\right)$ in $F_k$ × $F_k$ is solvable if and only if the word problem for H is solvable.

In their paper [43], Bogopolski and Venura proved a theorem that gives an explicit representation of Mihailova subgroup M$\left(H\right)$ in $F_k\times F_k$ under the assumption that the group H satisfies certain conditions. In [39], Wang, Li, and Lin gave a finite presentation of a group H, which is generated by just two elements and experiences an unsolvable word problem. Additionally, they proved that the presentation of H satisfies the conditions required in Bogopolski and Venura’s theorem in [43]. It followed that they then gave an explicit presentation of the generators and infinitely countable defining relators of the Mihailova subgroup M$\left(H\right)$ in $F_2\times F_2$ as the following:

$$D=\langle (u,u),(t,t),(1,{\mathcal{S}}_i)|{\mathcal{S}}_i^{-1}{\left({\delta }^{-1}{\mathcal{S}}_k^{-1}{\gamma }_k^{-1}\delta \right)}^{-1}{\mathcal{S}}_i\left({\delta }^{-1}{\mathcal{S}}_k^{-1}{\gamma }_k^{-1}\delta \right),{\mathcal{S}}_i^{-1}{\gamma }_i^{-1}{\mathcal{S}}_i{\gamma }_i\rangle$$

where $\delta \in F_2\times F_2,{\mathcal{S}}_i={\left({\mathcal{R}}_i^{\left(r\right)}(t,u)\right)}^{-1}{\mathcal{R}}_i^{\left(l\right)}(t,u),{\mathcal{R}}_i^{\left(r\right)}(t,u)$ and ${\mathcal{R}}_i^{\left(l\right)}(t,u)$ are defined in the Presentation C in [39], i, $k=1,2,\dots ,27$.

Since the word problem in H is unsolvable using the main theorem in [42], it followed that the membership problem for the Mihailova subgroup $M_{F_2\times F_2}\left(H\right)$ of $F_2\times F_2$ is unsolvable

For a braid group $B_n$ with $n⩾6$, a result established by Collins in [44] indicated that the subgroups $G_i$ of $B_n$ generated by ${\sigma }_i^2,{\sigma }_{i+1}^2,{\sigma }_{i+3}^2$ and ${\sigma }_{i+4}^2$ ($1\le i\le n-5$) denoted by

$$G_i=\langle {\sigma }_i^2,{\sigma }_{i+1}^2,{\sigma }_{i+3}^2,{\sigma }_{i+4}^2\rangle ,1\le i\le n-5$$

is isomorphic to the direct product $F_2$ × $F_2$.

In Theorem 1.1 of [43], we let k = 2 and let $\varphi$ be the isomorphism that maps the group $F_2$ × $F_2$ to the subgroup $G_i$ and defined by

$$\varphi :(x_1,1)\mapsto {\sigma }_i^2,(x_2,1)\mapsto {\sigma }_{i+1}^2,(1,x_1)\mapsto {\sigma }_{i+3}^2,(1,x_2)\mapsto {\sigma }_{i+4}^2$$

Through this isomorphism we obtained the Mihailova subgroups $M_{G_i}\left(H\right)$ of $B_n$ which have an unsolvable membership problem. Since the defining relations of Presentation C′ in [39] are of the following form

$${\mathcal{R}}_j:{\mathcal{R}}_j^{\left(r\right)}(u,t)={\mathcal{R}}_j^{\left(l\right)}(u,t),j=1,2,\cdots ,27$$

we denote

$$\begin{array}{cc}\hfill {\mathcal{S}}_{ij}=& {\mathcal{R}}_j^{\left(r\right)}({\sigma }_i^2,{\sigma }_{i+1}^2){)}^{-1}{\mathcal{R}}_j^{\left(l\right)}({\sigma }_i^2,{\sigma }_{i+1}^2),\hfill \end{array}$$

where $j=1,2,\cdots ,27,$ and

$$\begin{array}{c}\hfill {\mathcal{T}}_{ij}={\mathcal{R}}_j^{\left(r\right)}({\sigma }_{i+3}^2,{\sigma }_{i+4}^2){)}^{-1}{\mathcal{R}}_j^{\left(l\right)}({\sigma }_{i+3}^2,{\sigma }_{i+4}^2)\end{array}$$

where $j=1,2,\cdots ,27.$ Then for each i, by the above isomorphism $\varphi$, the generators of $M_{G_i}\left(H\right)$ are as follows:

$$\begin{array}{cc}& d_1={\sigma }_i^2{\sigma }_{i+3}^2,d_2={\sigma }_{i+1}^2{\sigma }_{i+4}^2,\hfill \\ & 1{\mathcal{T}}_{ij}={\mathcal{T}}_{ij},{\mathcal{S}}_{ij}1={\mathcal{S}}_{ij}\hfill \end{array}$$

where $j=1,2,\cdots ,27$ and all the ${\mathcal{S}}_{ij}$ are listed in the Appendix A at the end of the article (one can obtain the descriptions of all the ${\mathcal{T}}_{ij}$’s by replacing all occurrences of ${\sigma }_i^2$ with ${\sigma }_{i+3}^2$ and all occurrences of ${\sigma }_{i+1}^2$ with ${\sigma }_{i+4}^2$ in ${\mathcal{S}}_{ij},j=1,2,\dots ,\cdots ,27$).

3. The Post-Quantum Scheme

In the signature scheme, Alice acts as the signer, while Bob serves as the recipient responsible for verifying the signature message.

3.1. The Wang–Hu Scheme

In [35], Wang and Hu proposed the following signature scheme.

The public information consists of a braid group $B_n$ of index n, an integer $e\ge 2$, and a collision-free one-way hash function $\Theta$ that hashes an arbitrary message m of arbitrary length into a fixed k-bit binary string with k a positive integer, that is

$$\Theta :{\{0,1\}}^{*}\to {\{0,1\}}^k$$

Key generation: Alice randomly chooses $k+1$ non-trivial braids $b_1,b_2,\cdots ,b_k,r$ in $B_n$ such that $b_i$ and $b_j$ commute, $i,j=1,2,\cdots ,k$. Then she computes

$$a_i=r{b}_i^e{r}^{-1},i=1,2,\cdots ,k$$

The public key is $\{a_1,a_2,\cdots ,a_k\}$ and the secret key is $\{b_1,b_2,\cdots ,b_k,r\}$.

Signing a message: Assuming that the message $m\in {\{0,1\}}^{*}$ is to be signed. Firstly, Alice randomly chooses a braid s in $B_n$. Then she calculates $\Theta \left(m\right)$$=h_1{h}_2\cdots h_k(h_i\in \{0,1\})$, $t=s{r}^{-1}$ and

$$v=s(\prod _{i=1}^k{b}_i^{h_i})s^{-1}$$

The signature for the message m is $(v,t)$.

Verification: Bob computes

$$w=\prod _{i=1}^k{a}_i^{h_i}$$

and verifies the equation

$$v^e=tw{t}^{-1}$$

If the equation holds, he accepts the signature $(v,t)$ as a valid signature of Alice’s for the message m. Otherwise, Bob discards the signature.

3.2. The Post-Quantum Scheme

The public information:

• An integer $e\ge 2$;
• A collision-free one way hash function $\Theta$ that hashes an arbitrary message m of arbitrary length into a fixed k-bit binary string with k a positive integer, that is

  $$\Theta :{\{0,1\}}^{*}\to {\{0,1\}}^k$$
• A braid group $B_n$ of index n with $n\ge 6k$;
• The Mihailova subgroups $A_i=M_{G_{6(i-1)+1}}\left(H\right),i=1,2,\cdots k$, as defined in the previous section.

One can see that since $A_i=M_{G_i}\left(H\right)$ is a subgroup of $G_i$ where $G_i$ is generated by ${\sigma }_i,{\sigma }_{i+1},{\sigma }_{i+3},{\sigma }_{i+4}$, for each pair of i and j, if $i\ne j$ then for any braid $b_i\in A_i$ and any $b_j\in A_j$, $b_i{b}_j=b_j{b}_i$ if $i\ne j$.

Key generation: Alice randomly chooses k non-trivial braids $b_i\in A_i,i=1,2,\cdots ,k$, and an element $r\in B_n$. Then she computes

$$a_i=r{b}_i^e{r}^{-1},i=1,2,\cdots ,k$$

The public key is $\{a_1,a_2,\cdots ,a_k\}$ and the secret key is $\{b_1,b_2,\cdots ,b_k,r\}$.

Signing a message: Assuming that the message $m\in {\{0,1\}}^{*}$ is to be signed. Firstly, Alice randomly chooses a braid s in $B_n$. Then she calculates $\Theta \left(m\right)=h_1{h}_2\cdots h_k(h_i\in \{0,1\})$, $t=s{r}^{-1}$ and

$$v_i=s{b}_i^{h_i}{s}^{-1},i=1,2,\cdots ,k$$

The signature for the message m is $(v_1,v_2,\cdots ,v_k,t)$.

Verification: Bob computes $w_i=a_i^{h_i},i=1,2,\cdots ,k$, and verifies the equations

$$v_i^e=t{w}_i{t}^{-1},i=1,2,\cdots ,k$$

If all the equations hold, he accepts the signature $(v,t)$ as a valid signature of Alice’s for the message m. Otherwise, Bob discards the signature.

Why verification works: The following shows that the verification works

$$t{w}_i{t}^{-1}=t{a}_i^{h_i}{t}^{-1}=t{\left(r{b}_i^e{r}^{-1}\right)}^{h_i}{t}^{-1}={\left(tr{b}_i^{h_i}{r}^{-1}{t}^{-1}\right)}^e={\left(s{b}_i^{h_i}{s}^{-1}\right)}^e=v_i^e,i=1,2,\cdots ,k$$

4. Security Analysis and Parameters

4.1. Key Recovery Attack

As Wang and Hu pointed out in [35], since any attacker does not know the secret key $(b_1,b_2,\cdots ,b_k)$, he cannot construct k equations $a_i=r{b}_i^e{r}^{-1},i=1,2,\cdots ,k$. Therefore, it is impossible for him to find $r^{\prime }\in B_n$ such that $r^{\prime }{b}_i^e{r}^{\prime -1}=a_i,i=1,2,\cdots ,k$.

4.2. On Forging a Signature

Let m be a given message and let $\Theta \left(m\right)=h_1{h}_2\cdots h_k$. Then

$$w_i=a_i^{h_i}={\left(r{b}_i^e{r}^{-1}\right)}^{h_i}={\left(r{b}_i^{h_i}{r}^{-1}\right)}^e,i=1,2,\cdots ,k$$

Provided an attacker wants to forge a valid signature for m, say $(v_1^{\prime },v_2^{\prime },\cdots ,v_k^{\prime },t^{\prime })$. Then he must have the following equations:

$$v_i^e=t^{\prime }{w}_i{t}^{\prime -1}=t^{\prime }{\left(r{b}_i^{h_i}{r}^{-1}\right)}^e{t}^{\prime -1}={\left(t^{\prime }r{b}_i^{h_i}{r}^{-1}{t}^{\prime -1}\right)}^e,i=1,2,\cdots ,k$$

Hence, as Wang and Hu pointed in [35], an attacker is able to forge Alice’s signature in our post-quantum scheme in the previous section if and only if he can extract the eth roots for the braids $w_i$, $i=1,2,\cdots ,k$.

We first show that Groch et al.’s root extraction algorithm is not applicable. Clearly, the bijection $\pi$ in Section 2.1 from the set of all canonical braids in $B_n$ to the symmetric group $S_n$ is not a bijection from $B_n^{+}$ to $S_n$. Now, for each i if we choose $b_i\in A_i$ such that in the $\Delta$-normal form of $w_i={\Delta }_n^{r_i^{\prime }}{w}_{i_1^{\prime }}\cdots w_{i_s^{\prime }}$ (as in (4)) the length of the product of canonical factors $w_{i_1}\cdots w_{i_s^{\prime }}$ is greater than $e{n}^2+n$. Let $\pi \left(w_i\right)=\overline{w_i}$. Working with Groch et al.’s root extraction algorithm one can find all solutions in $S_n$ of equation $\overline{w_i}=x_i^e$ as in Equation (5). Let $x_i$ be any one of the solutions and write $x_i=C_{i_1}{C}_{i_2}\cdots C_{i_q}$ being a product of disjoint cycles. Then $i_q<n$. Since the inverse of $\pi$ of each cycle $C_{i_j}$ is a canonical braid of length less than n, then the length of e power of ${\pi }^{-1}\left(x_i\right)$ (product of canonical factors) is less than $e{n}^2$. However, the length of the product of canonical factors of $w_i$ is greater than $e{n}^2+n$. Thus, the inverse of $\pi$ of $x_i$ could not be an eth root of $w_i$.

Therefore, if $h_i$ is not 0, then $r{b}_i^{h_i}{r}^{-1}\in r{A}_i{r}^{-1}$. However, $w_i$ is an element of the subgroup $r{A}_i{r}^{-1}$, which is isomorphic to the Mihailova subgroup $A_i$. Hence the membership problem of $r{A}_i{r}^{-1}$ is also unsolvable. Furthermore, based on González-Meneses’ result in [45], we know that the eth root of a braid is unique up to conjugacy. Therefore, the only way for an attacker to extract the eth root of $w_i$ is to find an element $d_i\in r{A}_i{r}^{-1}$ such that $d_i^e=w_i$ for all $i\ne 0$. However, firstly since he does not know r, he is not sure which conjugate of $A_i$ is. Furthermore, since $r{A}_i{r}^{-1}$ is a Mihailova subgroup, there is no algorithm for him to find such $d_i$’s.

As the above security analysis showed, the reformed signature scheme is unforgettable and resistant to key-recovery attacks. Hence, no one else could create any valid evidence that the signature originated from Alice, which guarantees the non-repudiation of the signer’s signature.

4.3. Suggested Parameters

To work against Groch et al.’s root extraction algorithm attack, we require in our post-quantum scheme that the word size of each $b_i\in A_i$ should be large enough such that in the $\Delta$-normal form of $w_i={\Delta }_n^{r_i^{\prime }}{w}_{i_1^{\prime }}\cdots w_{i_s^{\prime }}$ (as in (4)) the length of the product of canonical factors $w_{i_1}\cdots w_{i_s^{\prime }}$ is greater than $e{n}^2+n$. Moreover, for less computational complexity, we suggest that for each i, $b_i$ can be chosen to be generated by the same strategy in terms of the generators of the Mihailova subgroup $A_i$. Thus, to compute the normal forms of all $b_i$’s (similarly all $a_i$’s), one can compute just one of them and then use replacements to have all the normal forms of all others. For example, from the normal form of $b_1$, by replacing ${\sigma }_1$ with ${\sigma }_{6(j-1)+1}$, ${\sigma }_2$ with ${\sigma }_{6(j-1)+2}$, ${\sigma }_4$ with ${\sigma }_{6(j-1)+4}$, and ${\sigma }_5$ with ${\sigma }_{6(j-1)+5}$ one can have all the normal forms of $b_j$, $j=1,2,\cdots ,k$.

5. Conclusions

In order to set up a highly safe braid group-based post-quantum signature scheme, in this paper, we first introduced Mihailova subgroups of a braid group $B_n$ with $n\ge 6$ and gave its explicit presentation. These Mihailova subgroups experience an unsolvable subgroup membership problem. This unsolvability provides us with the possibility of proposing subgroup-based post-quantum cryptosystems. In fact, by choosing secret keys and public keys from the elements of some Mihailova subgroups, we proposed a reformed signature scheme of Wang–Hu’s. Security analysis shows that our reformed scheme satisfies verifiability, non-forgeability, and non-repudiation. Additionally, our proposed signature scheme is free of the quantum computational attack as well as all the other known attacks.

In further studies, we may apply the unsolvability of the subgroup membership problem of Mihailova subgroups of a braid group to construct other cryptographic systems, such as identity verification, information authenticity, and integrity verification.