17 June 2000. Commentators revised.

19 November 1999. A prominent cryptographer writes: "See http://www.arithmetica.com/encrypt/whatitis.html for many errors concerning computing power ..."

18 November 1999
Source: Digital file from Michael Anshel.


CONSTRUCTING PUBLIC KEY CRYPTOSYSTEMS VIA
COMBINATORIAL GROUP THEORY



Dr. Michael Anshel
Department of Computer Sciences
CCNY-CUNY, New York, NY 10031, USA

http://www-cs.engr.ccny.cuny.edu/~csmma/
email: MikeAt1140@aol.com

(November 15,1999)

ABSTRACT:

A Public Key Cryptosystem (PKC) is an algorithmic method for securely sending private information over an insecure channel in which the communicating parties have no common shared secret (e.g., key). At the heart of a PKC is a two-party secure computation referred to as a protocol. The major PKC's and their associated protocols in use today are based on finite abelian groups. They include the Diffie-Hellman (DH), RSA, and Elliptic Curve Cryptosystems (ECC). Cryptanalytic attacks on these systems suggest that it is prudent to develop alternate PKC's. Combinatorial Group Theory (CGT)  is the study of groups by means of generators and defining relators. We discuss several methods for constructing PKC's via CGT evolved over the past decade with my co-workers Iris Anshel and Dorian Goldfeld. The computational security of our protocols are based on the complexity of problems in CGT. We offer a particular instance employing the computational theory of braid groups.

"I definitely believe that combinatorial group theory has the potential for making contributions not only to cryptography but also to computational complexity." - email to the author from Zeke Zalcstein, NSF (October 14, 1999).

"I find this report very interesting! Using braids and braid algorithms in particular, and combinatorial group theoretic algorithms in general for practical applications seems quite crucial to me."- email to the author from Patrick Dehornoy, University of Caen (October 30, 1999).

This report evolved from the following seminar presentations in which the author participated:

(1) AT&T Research 4/9/99 
host: Jeff Lagarias
speaker: D. Goldfeld

(2) CCNY 5/6/99 to The New York Group Theory Cooperative:
host: Alexei Myasnikov
speaker: M. Anshel

(3) CUNY Graduate Center 10/6/99 to the Seminar on Combinatorial Computing:
host: Janos Pach
speaker: M. Anshel

(4) IBM T.J.Watson Research Center 10/7/99
host: Tal Rabin
speaker: D. Goldfeld

(5) Cryptography and Information Security Group of MIT's Laboratory for Computer Science 10/22/99
host: Ron Rivest
speaker: D. Goldfeld

PRIOR WORK:

1985
N.R.Wagner and M.R.Magyarik, "A public key cryptosystem based on the word problem," Advances in Cryptology: Proceedings of Crypto 84, ed. G.R. Blakely and D. Chaum,
LNCS, 196 Springer Verlag (1985) 19-36. (Detailed discussion in W.Patterson, Mathematical Cryptology, Rowman and Littlefield (1987) including a discussion of word problems).

1988
Do Long van, A. Jeyanthi, R. Siromoney and K.G. Subramanian, "Public key cryptosystems based on word problems" ICOMIDC Sym. Math.of Computation, Ho Chi Minh City April (1988) (descibed in the monograph by N. Koblitz cited below).

1991
M. Garzon and Y. Zalcstein, "The complexity of Grigorchuk groups with applications to cryptography," Theoretical Computer Science 88:1 (1991)  83-98. (Additional discussion may be found in M. Garzon, Models of Massive Parallelism, Springer-Verlag (1995)).

1993
I. Anshel and M. Anshel, "From the Post-Markov Theorem through Decision Problems to Public-Key Cryptography," American Mathematical Monthly Vol.100, No. 9 (November 1993) 835-845.

1994
V.M. Sidel'nikov, M.A. Cherepenev and V.V. Yashichenko, "Systems of open distribution of keys on the basis of noncommutative semigroups," Russian. Acad. Sci. Dokl. Math. Vol. 48 No.2 (1994) 384-386.

1997
Rabi, Muhammad, and Alan T. Sherman, "An observation on associative one-way functions in complexity theory,'' Information Processing Letters 64 (2) (1997) 239-244.

1999
I. Anshel, M. Anshel, and D. Goldfeld, "An Algebraic Method for Public-Key Cryptography," Mathematical Research Letters 6, 1-5, (1999).

BACKGROUND: Combinatorial Group Theory

The central methodology employed is that of Combinatorial Group Theory -- the algorithmic study of groups specified by presentations, that is by means of generators and defining relators. The subject emerged from the seminal work:

[MKS] W. Magnus, A. Karrass,and D. Solitar, Combinatorial Group Theory: Second
Revised Edition
, Dover (1977) pbk.

Some introductory texts from the computational point of view:

[Co] D.E. Cohen, Combinatorial Group Theory, CUP (1989) pbk.
[Jo] D.L. Johnson, Presentations of Groups: Second Edition, CUP (1997) pbk.

The following CGT monograph has recently appeared:

B. Fine and G. Rosenberger, Algebraic Generalizations of Discrete Groups: A Path to Combinatorial Group Theory Through One-Relator Products" Marcel Dekker, Inc. (1999).

Some Examples:

(1) The cyclic group of order two Z/2Z:  (a; aa = e)
(2) The infinite cyclic group Z:  (a:)
(3) The free abelian group of rank 2, ZxZ: (a, b; ab = ba )
(4) The free group of rank 2,  F(2): (a, b; )
(5) The braid group on 3 strands: (a, b; aba = bab)
(6) The symmetric group S(3): (a, b; aba = bab, aa = e, bb = e)

The fundamental questions of CGT include the Word Problem (WP), the Conjugacy Problem (CP), the Isomorphism Problem (IsoP) defined and investigated by M. Dehn in the period 1910-1912. Computations with braids appear in the notebooks of C.F. Gauss. A sytematic study of braid groups was undertaken by E. Artin in 1925. The WP for groups with one defining relation was solved by W. Magnus in 1932. In the period 1950-1970 negative solutions to the WP, CP and IsoP were established for finitely presented groups.

The WP and CP for braid groups arise in connection with the Unknotting Problem, a central question in Computational Topology:

J. Hass, J.L. Lagarias,and N. Pippenger, "The Computational Complexity of Knot and Link Problems," JACM Vol.46 No.2 (March 1999) 185-211.

The idea of a Cayley Diagram (CD) of a group provides the bridge between CGT and Graph Theory. Concepts methods and examples are found in:

[Bol] B. Bollabas, Modern Graph Theory, Springer-Verlag (1998) pbk.

In turn [Bol] connects Graph Theory to the Theory of Knots and Links.

Backround: Cryptography,Complexity and Computational Security

Cryptography refers to a wide range of security issues in the transmission and protection of information such as massive file storage, electronic commerce thru public networks and the use of smart cards. A good mathematical source for cryptography is:

[Kob] N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag (1998).

A more general reference:

[MOV] A.J. Menzes,P.C. van Oorscot and S.A. Vanstone, The Handbook of Applied Cryptography, CRC Press (1997). http://cacr.math.uwaterloo.ca/hac/

A central concept in cryptography is that of a private key cryptosystem for message communication specified by a 5-tuple  M = (P, C, K, E, D) consisting of:

(1) plaintext units P
(2) ciphertext units C
(3) a keyspace K whose elements 'k' are keys for coding plaintext and decoding ciphertext
(4) an encryption map E: PxK -> C  
(5) a decryption map D: CxK -> P

such that for D(E(p, k), k) = p for all p in P and k in K.

The only confidential item needed by two parties for communication is a common private key. The encoding and decoding algorithms E, D are assumed to be public knowledge.

One class of private key cryptosystems we have investigated concern stream ciphers based on cryptographically secure pseudorandom number generators:

M. Anshel and D. Goldfeld, "Zeta Functions, One-Way Functions, and Pseudorandom Number Generators," Duke Mathematical Journal Vol. 88 No. 2 (1997) 371-390.

Another central concept in cryptography is that of a one-way function:

informally, we say that a function f: X -> Y  is 'one-way' if it is easy to compute f(x) for any x in X but difficult to find an x such that f(x) = y for most randomly selected y in Y. The encoding of f(x) should be at most polynomially longer or shorter then the encoding of x.

For a general reference for complexity issues as they apply to cryptography consult:

C.H. Papadimitriou, Computational Complexity, Addison-Wesley (1994).

Let T: K -> RxS be a  one-way function and define E(p, k) = E*(p, r) and D(c, k) = D*(c, s) such that T(k) = (r, s). T is called a 'trapdoor function' associated with the private key cryptosystem M provided s can only be recovered from r in reasonable time  with additional information such as the value k.

A public-key cryptosystem with trapdoor associated with M and T is a 6-tuple M* = (P, C, R, S, E*, D*), with E*, D* as indicated above.

Each user of the system is given a public key r and a private key s such that for some k in K, T(k) = (r, s). The user's public-key is found in a public directory. Encoding and decoding are performed respectively with E* and D*. If user A wants to communicate plaintext message p to user B, A looks up B's public key r and computes E*(p, r) = c in C. User B decodes c by computing D*(c, s).

The existence of polynomial-time computable one-way functions is an open question.

Two candidate one-way functions of importance in cryptography today are integer multiplication and modular exponentiation.The former has given rise to the RSA system (with trapdoor) and the latter to the  Diffie-Hellman system (without trapdoor).

A group-theoretic public key cryptosystem with trapdoor is sketched in I. Anshel and M. Anshel
cited above. The example chosen is constructed employing :

(1) a finitely presented residually finite group G with unsolvable conjugacy problem,
(2) two non-conjugate elements x, y in G and
(3) a trapdoor homomorphism h: G-> G/N where G/N is finite and h(x), h(y) are non-conjugate in G/N.

We now turn to a group-theoretic method for secret key agreement over an insecure channel and discuss this method in the context of braid groups.

An algorithmic procedure for exchanging messages is referred to as a "protocol."

A key exchange protocol is when two or more parties exchange messages over an insecure channel for the purpose of agreeing on a secret key for use in a private key cryptosystem.

DESCRIPTION OF THE GROUP-THEORETIC PROTOCOL:

The parties Alice and Bob publish, respectively, words

a(1), a(2), ... , a(n)

b(1), b(2), ... , b(m)

specifying group elements from a group G = (S | D) with generating symbols S and defining relations D. The common key K is created by the following concurrent actions of Alice and Bob.

ALICE'S ACTIONS:

Alice transforms Bob's public words in the following manner:

(1a) Alice selects a private word X in the subgroup of G generated by a(1),a(2), ... , a(n)  and conjugates each b(i) by that X producing

b*(1), b*(2), ... , b*(m)

(2a) Alice selects a word B(i) in the generating symbols such that B(i) and b*(i) define the same element of G for i = 1, ... , m.

(3a) Alice transmits to Bob

B(1), B(2), ... , B(m).

BOB'S ACTIONS:

Bob transforms Alice's public words in a similar manner:

(1b) Bob selects a private word Y in the subgroup of G generated by b(1), b(2), ... , b(m) and conjugates each a(i) by that Y producing

a*(1), a*(2), ... , a*(n)

(2b) Bob selects a word A(i) in the generating symbols such that A(i) and a*(i) define the same element of G for i = 1, ... , n.

(3b) Bob transmits to Alice

A(1), A(2), ... , A(n).

COMMON ACTIONS:

(4 ab) Alice and Bob now compute, respectively ,V and W each of which specifies the commutator C = [X, Y] defined by the words X and Y.
Remark: This is accomplished by noting that since X and Y are words  X = x(a(1), ..., a(n) ) and Y = y(b(1), ..., b(m)) then Alice may computes a word V representing the commutator C = [X, Y]  from

[X, Y] = X * (YXY')' = X * x( A(1), ..., A(n))'

and Bob may computes a word V representing the commutator C = [X, Y]  from

[X, Y] = (XYX') * Y' = y(B(1), ..., B(m)) * Y'.

where X' and Y' respectively denote the inverses of X and Y.

(5 ab) Alice and Bob compute a common key

K = F(V) = F(W)

where F is a one-way hash function from the words in the generating symbols to words in the binary alphabet {0, 1} such that F(W) = F(Z) whenever W and Z define the same element of G.

THE BRAID GROUP PLATFORM

By a platform for the protocol we mean a choice of  group(s) G to support both security and performance requirements of a cryptographic system. One such group is the braid group B(n) generated by s(1), ..., s(n-1) and with two classes of defining relations:

(1) s(i)s(i+1)s(i)  = s(i+1)s(i)s(i+1) 1 i<n and 
(2) s(j)s(k) = s(k)s(j)  j, k < n , |j-k|  2

These generators are referred to in the literature as the Artin generators. For basics consult:

V.L.Hansen, Braids and Coverings: Selected Topics, CUP (1989) pbk.

There is strong evidence to support the difficulty of solving a simultaneous system of conjugacy equations with constraints in the braid group B(n) for large n. Moreover there are efficient algorithms for solving the word problem and computing normal forms for elements of B(n).

[BKL] J. Birman, K. H. Ko and S.J. Lee, "A new solution to the word and conjugacy problems in the braid groups," Advances in Mathematics 139 (1998), 322-353.

The generators employed by [BKL] are called the band generators. Among the band generators are the Artin generators. Lee Rudolph raised the following question to the author on October 11, 1999 in email discussion:

Problem:  Call a braid in B(n) "quasipositive" if it's in the subsemigroup of B(n) generated by the positive bands. These braids are (geometrically at least) very interesting! It would be of great interest to determine almost anything algorithmic about them; for instance, do they form a recursive set?

Secure methods for transmission and hashing arise from an algorithm given in:

P. Dehornoy, "A fast method for comparing braids," Advances in Mathematics 123 (1997), 205-235.

Another method of secure hashing arises by employing Colored Burau Matrices (CBM):

H.R.Morton, "The Multivariable Alexander Polynomial for a Closed Braid," Contemporary Mathematics 233 AMS (1999), 167-172.

The CBM method is detailed and will be discussed elsewhere.

Stephen Bigelow has recently reported at John Stalling's Combinatorial Group Theory Seminar, University of California Berkeley, that braid groups are linear. He employs a representation by D. Krammer that maps the braid group B(n) to the group of invertible (n choose 2)-by-(n choose 2) matrices with entries in Z[q, q-1, t, t-1]. He raises the question:

Problem: Can Krammer's (faithful) representation  be used for hashing?

CRYPTANALYTIC ATTACKS:

There are two methods of attack. The first is a linear algebraic attack. The second  employs a heuristic search algorithm involving the length function associated to Birman-Ko-Lee normal forms. So far these attacks have been fended off by  choice of parameters. At the same time  efficiency has been maintained. Testing is critical to hardening the method and to building trust.

Jim Hughes, of Storage Technology Corporation and a consultant Allan Tannenbaum of the University of Minnesota are preparing a report on the testing. Parameters for testing were developed by Dorian Goldfeld after discussions with Benji Fisher and Jim Hughes. The researchers report that the testing has gone well and they are  optimistic concerning the method and the choice of the braid group as a platform.

However it is far to early to claim success and the following survey reveals:

Dan Boneh, "Twenty Years of Attacks on the RSA Cryptosystem," Notices of the American Mathematical Society, Volume 46, Number 2 (February 1999) 203- 213.

The author has urged researchers interested in the cryptanlysis to consider the fact that the minimal braid problem is Co-NP complete.

M.S. Paterson and A.A. Razborov,"The Set of Minimal Braids is Co-NP Complete," Journal of Algorithms 12, 393-408 (1991).

For related items the reader should consult:

D.J.A. Welsh, "Complexity: Knots, Colourings and Counting" LMS 186 CUP (1993) pbk.

GENERALIZATIONS AND OPEN PROBLEMS:

By a protocol algebra we mean a 5-tuple PA = (U, V, F, G, H) where U and V are feasibly computable monoids and F : UxU -> V, G, H : UxV -> V are feasibly computable functions
satisfying the following properties:

(i) (U, V, F) satisfies the distributive property: For all x, y, z in U, F(x, yz) = F(x, y)F(x, z)
(ii) G, H are compatible with F : for all x, y in U, G(x, F(y, x)) = H(y,F(x, y))
(iii) Infeasiblity condition: for y1, y2, ..., yk in U and F(x, y1), F(x, y2), ..., F(x, yk) publicly known for some secret element x in U.

Then, in general, it is infeasible to determine the secret element x.

The users Alice and Bob are publically assigned finitely generated submonoids S(A),T(B) on the indictated generators S(A) = <s1, s2, ..., sm>, T(B) = <t1, t2, ..., tn>.

The protocol associated to PA is given by:

(1): Alice chooses a secret element a in S(A) and transmits the elements F(a, t1),F(a, t2), ..., F(a, tn) to  Bob.

(2): Bob chooses a secret element b in T(B) and transmits the elements F(b, s1), F(b, s2), ..., F(b, sm) to Alice.

(3): Alice computes F(b, a) using the distributive property (i) of PA and the data transmitted in Step 2.

(4): Bob computes F(a, b) using the distributive property (i) of PA and the data transmitted in Step 1.

(5):  Alice and Bob compute a common key K= G(a, F(b, a)) = H(b, F(a, b)) using the compatability condition (ii) of PA.

The secrecy of the key K computed in step 5 is insured by condition (iii) of PA.

Ron Rivest asks:

Problem: What is the relationship between protocol algebra and Rabi and Sherman research on one-way associative functions cited above.

In the email to the author cited above Patrick Dehornoy remarks and  raises the following question after reading an earlier draft of this report:

"I have seen briefly that self-distributive operations are involved in what is called "protocol algebra"; I am especially interested in such operations, and I know in particular non-classical examples and algorithms (a book of mine "Braids and self-distributivity" is due to appear in the Birkhauser Progress in Maths series in March 2000).

Problem: "Perhaps some interesting examples of protocol algebras could be described using the methods of the book."

QUANTUM CRYPTOGRAPHY

Dorian Goldfeld presented this work at AT&T Research on the invitation of Jeff Lagarias. Also attending was Peter Shor (and myself). Within a few weeks the following appeared:

C.H. Bennett and P. Shor, "Quantum Cryptography: Privacy in a Quantum World," Science Vol 284 Number 5415 (30 April 1999) pp 747-748.

In their paper Bennett and Shor raise the possibility that quantum cryptanalysis could develop methods to break classical two-party protocols.

Charles Bennett suggests in email to the author (November 5, 1999) "a more comprehensive paper by Shor amd me on quantum information, computation and cryptography." 

C.H. Bennett and P. W. Shor, "Quantum Information Theory,"  IEEE Trans. Info. Theory 44, 2724-2742 (1998).

He points that in their discussion in the journal Science

"the criterion of security for quantum cryptosystems is subtly incorrect."

He offers the following correction:

"Sometimes (e.g., if the Eve jams or interacts strongly with the quantum signals) Alice and Bob will conclude that the quantum signals have been excessively disturbed, and therefore that no key can safely be agreed upon (designated by a frown in the figure); but, for every eavesdropping strategy, the probability should be negligible that Alice and Bob will decide to trust a key on which Eve has significant information."

With this correction in hand we ask:

Problem: Perform both classical and quantum cryptanalysis of classical cryptographic two-party computations based on protocol algebra.

OBSERVATION: The emerging disciple of Quantum Computation provides link GCT to P/NP/, Knots, and to Quantum Field Theory are explored in:

M.H. Freedman, "Limit, logic and computation," PNAS USA Vol 95 pp. 95-97 (January 1998).

M.H. Freedman, " P/NP and the quantum field computer," PNAS USA Vol 95 pp. 98-101 (January 1998).

Adrian Kent and his co-workers have extensively investigated bit commitment. For a recent publication consult:

A. Kent, "Unconditionally Secure Bit Commitment," Phys. Rev. Lett. 83 (1999) 1447-1450.

For backround see:

Jozef Gruska, Quantum Computing, McGraw-Hill UK (1999) pbk.

CRYPTOGRAPHIC APPLICATIONS:

It was suggested to the authors by Ari Juels, Burt Kaliski, and Ron Rivest that zero knowledge proof systems (ZKPS) and digital signatures may be constructed using the methods above. They illustrated their point as follows.

Suppose Alice wishes to convince Bob that she knows the secret element X. Alice selects a second private word X* in the subgroup of G generated by a(1), a(2), ..., a(n) and conjugates each b(i) by that XX* . Then Alice proceeds as above to create:

b**(1), b**(2), ... , b**(m)

Bob challenges Alice to  produce exactly one of  X* or XX*. If Bob chooses X*  and Alice replies correctly the result is recorded as a '0'. If Bob chooses XX* and Alices replies correctly the result is recorded as a '1'. Note that Bob's knowledge of

b(1), b(2), ... , b(m)
b*(1), b*(2), ... , b*(m)
b**(1), b**(2), ... , b**(m)

allow him to detremine the correctness of Alice's response. If this procedure is repeated using random X* a digital signature may be created.

The reader may recognize Juels-Kaliski- Rivest ZKPS as a group-theoretic version of the original 1986 ZKPS popularized by Adi Shamir.

Problem:  Investigate the computational security of the Juels-Kaliski-Rivest ZKPS.

In conversation it was suggested to Dorian Goldfeld and the author by Ari Juels, Burt Kaliski, and Ron Rivest that the method and braid group platform are ready for exploration by the wider cryptographic and mathematical community.

DISCUSSION:

Vladimir  Shpilrain raises the possibility that a group with unsolvable word problem could be used as a platform to insure computational security.

Leonid Bokut indicates that the school of group-theorists at Institute of Mathematics, Novosibirsk have studied a normal form for elements which Bokut pioneered. The Bokut normal form could be the pivotal mechanism in bringing groups with unsolvable word problem into play.

Gene Cooperman asks:

Are there theoretical results reducing some of the group-theoretic cryptographic problems to a single cryptographic assumption, just as the difficulty of RSA and some other systems reduces to the difficulty of factoring integers?

Should such theoretical results emerge it would have a far reaching impact on the course of group-theoretic research.

Comments may be sent to the author at: MikeAt1140@aol.com

CORPORATE SUPPORT:

We have been generously supported by Arithmetica Inc. http://www.arithmetica.com/

We have been informed by Mark Ungerman of Fulbright and Jaworski L.L.P that a patent application was published under the Patent Application Treaty on September 2, 1999. The international publication number for this application is WO 99/44324.

ACKNOWLEDGMENTS:

We wish to thank Benji Fisher and Boris Klebansky of Arithmetica Inc for their programming and mathematical contributions. We also wish to thank the following individuals for their comments,suggestions, patience during lectures and co-teaching assignments and for circulating versions of this manuscript to interested parties.

The listing is in rough chronological order relative to the comments received by the author and is intended for informational puposes. It does not imply a judgement on the methods described above one way or the other.

Jim Hughes, Storage Technology Corporation
Joan Birman, Columbia University
Jeff Lagarias, Andrew M Odlyzko, Jim Reeds, and Peter Shor, AT&T Research
Allan Tannenbaum, University of Minnesota
Gilbert Baumslag, Alexei Miasnikov and Vladimir Shpilrain, CCNY/CUNY
Janos Pach, CCNY/CUNY&CIMS/NYU
Joel Gersten, Dan Greenberger, CCNY/CUNY
Mel Lax, CCNY/CUNY & Bell Labs/Lucent
Bob Gilman, Stevens Institute of Technology
Alex Heller, Burton Randol and Al Vasquez, CUNY Graduate School
Victor Miller, Institute for Defense Analysis, Princeton
Zeph Grunschlag, Columbia University
Don Coppersmith, Joan Dyer, Tal Rabin and Michael Shub, IBM Research
Stephen Bigelow, University of California Berkeley
Lee Rudolph, Clark University
Zeke Zalcstein, National Science Foundation
Zvi Galil, Columbia University
Yuri Gurevich, Microsoft Research and University of Michigan
Victor Pan, Lehman College/CUNY
Ron Rivest, MIT
Ari Juels and Burt Kaliski, RSA Security Inc.
Jean-Michel Kantor, University of Paris
Patrick Dehornoy, University of Caen
Peter M. Neumann, Queen's College, Oxford
Simon Blackburn, Royal Holloway, University of London
Mark Ettinger, Los Alamos National Laboratory
Charles H. Bennett, IBM Research
Cris Moore, Santa Fe Institute
Gene Cooperman, Northeastern University
Sam Braunstein, University of Wales
Leonid Bokut, Institute of Mathematics, Novosibirsk
Adrian Kent, Cambridge University

BIOGRAPHICAL SKETCH:

Dr.Michael Anshel has taught at the City College of New York (CUNY) for more than 30 years. He has been a member of the doctoral faculty since 1973, teaching in the Engineering, Computer Science and Mathematics programs. He has mentored over thirty doctoral dissertations and is currently mentoring several doctoral students. Prior to accepting his position at CUNY, Dr. Anshel served at the Polytechnic Institute of New York and the University of Arizona. He has also lectured at the Mt. Sinai School of Medicine and the National Science Foundation Summer Institute for High School Teachers at Adelphi University.

Over the course of his career, Dr. Anshel has received numerous fellowships and honors, including the CUNY Faculty Fellowship Award, a NASA-ASEE Faculty Fellowship, a National Science Foundation Fellowship and an award from Goddard Space Flight Center.

He has consulted with several corporations including AT&T Bell Laboratories, Delphic Associates, Mathematica, and Lambda Corp.

Dr. Michael Anshel is one of the founders of Arithmetica and a member of its Board of Directors.He serves as the architect of Arithmetica's system designs. 

Dr. Anshel is co-inventor for three patents in cryptography and has published numerous articles in  Mathematics and Cryptography.

Dr. Anshel is a member of the AMS, MAA, ACM, IEEE, IACR, Sigma Xi and NYAS. He received a Bachelor of Arts degree magna cum laude, Master of Science degree and a Ph.D. in Mathematics from Adelphi University in Garden City, New York.

Dr. Anshel's research and scholarly interests: cryptomathematics, its relationship to advanced computing technologies (e.g. quantum computing) and its historical origins.


From: MikeAt1140@aol.com
Date: Thu, 18 Nov 1999 02:58:49 EST
Subject: Arithmetic Inc Consortium
To: jya@pipeline.com

Arithmetica to Introduce Next-Generation Encryption Technology at Consortium Hosted by StorageTek

DALLAS--(BUSINESS WIRE)--Nov. 17, 1999--GT-1 Consortium to Demonstrate How Algorithms Developed With Symbolic Computation Can Meet Market's Need for Increasingly Fast, High-volume Transactions

Arithmetica, Inc., an encryption technology company, has launched GT-1, a consortium to advance next generation security algorithms for the emerging digital economy. StorageTek(tm) (NYSE:STK) will host the first meeting at its New York City location on Dec. 15, 1999. Cryptographers and cryptanalysts from numerous firms will participate.

Arithmetica's technology was developed from contemporary research in advanced mathematics -- group theory arising from geometric topology. Its symbolic computation requires less processing resources than arithmetic computation.

Mathematical science scholars who developed Arithmetica's technology, Dr. Michael Anshel, Dr. Iris Anshel and Dr. Dorian Goldfeld (winner of the American Mathematical Society's Cole Prize in Number Theory and the Vaughn Foundation Prize) will present at GT-1.

"If proven secure, Arithmetica's innovative new public key method holds promise in many areas of interest to StorageTek including encrypted storage and data and access to networked storage," said Dr. Aloke Guha, vice president of corporate architecture for StorageTek. "What particularly interests us is that the algorithm is linear to the key size. Being linear to the key size implies that the implementation can be potentially hundreds of times faster than existing public key methods. We expect this consortium to move this technology forward towards adoption." StorageTek has been examining this algorithm for the past two years.

According to Richard Aguirre, president and CEO of Arithmetica, GT-1 will educate technical experts in the industry about Arithmetica's new public key system. He projects that increased awareness will generate more performance testing in different environments -- and facilitate its introduction to various standards bodies.

"Arithmetica has privately shown this algorithm to some of the top cryptographers and cryptanalysts in the industry. With our positive feedback we want to move forward with the consortium to advance its development for electronic commerce, secure data storage, and wireless applications," said Aguirre. "Our goal is to gain market acceptance for the algorithms."

About StorageTek

StorageTek is the preeminent provider of network storage. The company's strategy is to provide "Open, Intelligent and Integrated"(tm) solutions that combine storage products, storage management software and storage services. StorageTek solutions help customers collect, move, store, share and protect all types of digital content on platforms ranging from laptops to enterprise servers. The company, with headquarters in Louisville, Colo., reported revenue of $2.3 billion in 1998. Information on StorageTek is available on the World Wide Web at www.storagetek.com or phone 800/786-7835.

About Arithmetica

Arithmetica is a next-generation encryption technology company that was founded in 1993. Its scientists -- who have expertise in cryptography, number theory and fast algorithms -- have applied revolutionary mathematical discoveries to reduce computational complexity and increase processing volume and speed. Arithmetica's products provide high performance secure communications for electronic commerce applications and for enterprise, wireless, broadcast and broadband networks. Arithmetica's cryptographic research and product development is based in Tenafly, N.J.; its headquarters is in Dallas. For more information see www.arithmetica.com.

Editor's note: The GT-1 Consortium will take place at StorageTek's New York location -- 10 a.m., Dec. 15, 1999. For more information call Rick Aguirre 972/857-8909. One World Financial Center 200 Liberty Street 21st floor New York, NY 10281 212/416-0700

CONTACT:

Teq Marketing, Dallas
Susan Huber, 972/231-1973
shuber@teq.com

or

Arithmetica, Dallas
Rick Aguirre, 972/857-8909
aguirre@arithmetica.com


HTML by Cryptome.