Our set G. along with concatenation operator '.*" and these relations, is also a group. Let us denote this group as
This notation gives a finite presentation of the group 5'3, which is a wellknown symmetric group. It is important to note that a group G rnay have many different finite presentations. For example, Problem 6 asks the reader to show that s:j= ( x , y I Z''I , y2, (n:y) 2 ). Sometimes, thc relations in a finite presentation can be used t o rewrite cvery possible word into a canonical form. For example, using the finite prcsmtatiori S;( = (z,y I 2': y 2 , ( z ~ ) ~ ) ,see that the clernent zyzy = Is:, can we be rcwrittcm as z-'(xy;my) = :cP1 . lLy:,, which simplifics to yzy = zP1(:c3), whicli, in turn, simplifies to yxg = x2 and, finally, y x = :c2y. Using the fact that yx = x2y, along with the fact that z 3 = y2 = 1sZJ, can write cvery we word in 5 3 in the form zi:yj, where i E (0, 1 , 2 } arid j E (0, l}. Consequently, tlic group ~ : cim he viewed as t,Iie set, of elements { l s , , ~ , 2 2 , y , z y . x ' y } , j
together with the binary operation of concatenation, and subject t o the relations z3= y2 = zyzy = lss. We are now ready t o give a description of Arithmetica. Suppose that Alice and Bob want to establish a symmetric key. A finitely presented, infinite nonabelian group G is made public. Alice and Bob create their public keys to be subgroups of G, say,
S A= (so, s1,. . , s - ) . ,l
Sg = ( t o , t l , . . . t m - l ) ,
respectively, and these are made public knowledge. The subgroups S A and Sg can be thought of as being the sets of all formal words in the alphabets si and t j respectively, with the binary operation of concatenation, subject t o the relations of G . Alice and Bob select their private keys
a = s ~ .~ . .
si(n-liE SA and
b = t r ( 0 ) . . . tjmpl " 7(m-1)
respectively. Then Alice computes the set of elements {a-ltoa, . . . , a-lt,-la) and sends the result t o Bob. Bob computes the set {b-lslb, . . . , b-'s,-lb} and sends it t o Alice. Before transmission, each of these sets are rewritten (using the specified relations) so as to obscure the private keys a and b. With the information received from Bob, Alice is able t o compute b-lab since
= b-lSi0
b = b-1s2(o)bb-1s2(l)b.. . b- 1s 2 ~ ( ~ - ~ ) , 1 b
. . . (b-l~o(n-l)b)znpl.
Similarly, Bob can compute a-'ba. Using their respective private keys, Alice and Bob each compute a-lb-lab, which can serve as a shared symmetric key. Although this seems very complicated, in fact it really is not, as a simplified example will illustrate. Suppose Alice and Bob decide t o establish a common key, using the Arithmetica key exchange. They first select a group, say,
G = (z, Y I z4,Y2,P Y z )
(z2, Y)
= {IG, 5'9
and make it public. Alice chooses her public key to be
S A = (SO,
and Bob chooses his public key t o be
SB = ( t o ) = (z) = { l G , z , Z , x 3 } ,
which are also made public. Now, Alice generates her private key
= (z2 ) 2 . ( y ) - l = .4y-1
I G .y-1
= y-1
and Bob generates his private key
b = (x)" = x:3.
Next, Alice computes a-ltoa = y-lzy and rewrites it as yzy. She then sends { y z y } to Bob. In a. similar manner, Bob coniputes (and rewrites)