1 Introduction

Cryptography is built upon the computational hardness of certain mathematical problems. One of the main tools within this area is one-way functions (informally, functions that can be efficiently evaluated while there are no efficient methods to compute preimages, possibly unless there is a secret key giving additional information). Computational tasks like factoring large integers or decoding with respect to random codes are flagship examples of mathematical problems naturally defining one-way functions. Of course, considering different computational models has a large impact on how such cryptography-amenable problems can be selected; in particular, since the 1980s the appearance of quantum computing has necessitated the search for problems that will remain hard even if a quantum computer is available. The field of post-quantum cryptography revolves around cryptographic designs whose security relies on this kind of problem.

There have been many cryptographic proposals based on problems in group theory, see the recent book and survey by Kahrobaei et al. [1, 2]. While it is not easy to classify problems as quantum resistant in a reasonable way, we do know of some problems that quantum computers can tackle with a significant advantage. The main menace is Shor’s [3] quantum algorithm, which gives an exponential gain for solving problems that fit a certain “period-finding” description. Factoring large integers or solving discrete logarithms in finite cyclic groups fall into this category. Remarkably, it seems that the ideas behind Shor’s algorithm can be extended to exploit normal subgroup structure in other groups. Simple groups are those with no non-trivial normal subgroups, so it is natural to ask whether finite simple groups may be harder than other groups for quantum computers to deal with. This leads us to suggest that the finite simple groups may be a good setting for post-quantum cryptographic schemes.

In the literature, there are proposals using finite non-abelian simple groups for constructing many different tools: encryption and digital signature schemes, fully homomorphic encryption designs, and hash functions. In this survey, we will take a closer look at the status of some proposed applications of the theory of finite simple groups to the design of hash functions, public-key encryption, and fully homomorphic encryption. Our aim is not to be exhaustive but simply to give the reader a glimpse of the vast amount of unexplored avenues within this area, with a focus on some challenging group-theoretic and computational problems relevant to building sound cryptographic constructions.

Paper Roadmap. We start with a brief introduction to the finite simple groups and their classification in Sect. 2. In Sect. 3, we introduce Cayley hash functions and give an example of a cryptographic construction. We then discuss the difficulty of a certain factorization problem in groups that is linked to their security, and a related group-theoretic conjecture. In Sect. 4, we define logarithmic signatures and another factorization problem in groups which has been used as justification for several public key cryptosystems. We give an example of a cryptographic construction and discuss a related group-theoretic conjecture. Sect. 5 discusses fully homomorphic encryption schemes and a method of building them from homomorphic encryption on groups, while in Sect. 6 we discuss the Hidden Subgroup Problem for cryptanalysis of proposed schemes using finite non-abelian simple groups against possible quantum attacks. Section 7 concludes the paper with a summary of the exciting open problems we discussed.

2 Preliminaries: Finite Simple Groups

A simple group is a non-trivial group whose only normal subgroups are itself and the trivial group. We are also interested in some quasisimple groups: G is quasisimple if it is perfect (i.e., equal to its own commutator subgroup \(G=[G,G]\)) and its group of inner automorphisms \(\textrm{Inn}(G)\) is simple. We focus here on finite groups since our cryptographic applications require finite data structures.

There is a classification of all finite simple groups whose proof was completed in the 2000s after many years of work by a large number of mathematicians. For a brief historical overview, see [4]. The list of finite simple groups is as follows:

Theorem 1

If G is a finite simple group then either G is abelian, in which case it is a cyclic group of prime order, or G is non-abelian, in which case one of the following holds:

  • \(G\cong A_n\) is an alternating group on \(n\ge 5\) letters

  • G is a group of Lie type

  • G is one of 26 sporadic groups.

The proof takes up many books, see for example the series [5]. For a more introductory textbook describing all the groups in detail, see [6].

The groups of Lie type are the classical groups and the exceptional groups over finite fields. We describe these groups briefly here, and refer the reader to a standard textbook by Carter [7] for more details. These groups are defined over finite fields. We use p to denote the characteristic of the field, which is a prime, and q to denote the order of the field, which is a power of p. Each finite group of Lie type has an underlying root system which determines an integer known as the rank of the group.

The classical groups are those which are natural matrix groups, and there are four types for every integer \(n\ge 2\) and prime power q. For example, the projective special linear group of \(n\times n\) matrices over a field of order q, denoted \(PSL_n(q)\), has rank \(n-1\) and is simple except when \(n=2\) and \(q=2, 3\). The other classical groups are the groups of unitary, orthogonal, and symplectic matrices over finite fields. We are also interested in finite quasisimple classical groups, for example, the special linear group \(SL_n(q)\). In characteristic 2, we have that \(SL_n(2^k)=PSL_n(2^k)\), which is simple for \(k>1\).

The exceptional groups do not have such natural representations as groups of matrices, and all have rank at most 8. There are 10 infinite families indexed by prime powers q. One such family is the Suzuki groups which are defined over fields of order \(2^{2n+1}\) which we denote by \(Sz(2^{2n+1})\).

3 Geodesic Problem and Cayley Hash Functions

A hash function is a function whose input is an arbitrarily large message and whose output is a fixed-length hash. Hash functions are a cryptographic primitive with a variety of cryptographic applications, each requiring different security properties (see any cryptography textbook, for example [8, Chapter 6]). Desirable properties of a hash function \(h:M \rightarrow N\) include preimage resistance – given \(n \in N\) it should be computationally infeasible to find \(m \in M\) such that \(h(m)=n\) – and collision resistance – it should be computationally infeasible to find \(m \ne m' \in M\) such that \(h(m)=h(m')\).

Zémor [9] defined group-theoretic hash functions based on Cayley graphs of finitely generated groups, following work of Bosset and Camion [10].

Definition 3.1

Let G be a finitely generated group with a generating set \(S=\{g_1,\ldots , g_k\}\) which is closed under taking inverses.

  • The Cayley graph \(\Gamma (G,S)\) is a graph with vertex set G and an edge from g to h if and only if \(g=g_i h\) for some i.

  • The Cayley hash function \(h_{G,S}:\{1,\ldots , k\}^* \rightarrow G\) is defined by \(h_{G,S}(m_1, m_2,..., m_r)=g_{m_1}g_{m_2}\cdots g_{m_r}\). We refer to \((m_1, m_2,..., m_r)\in \{1,..., k\}^*\) as a word of length r.

Note that evaluation of \(h_{G,S}\) at \((m_1, m_2,\ldots , m_r)\) corresponds to traversing the path \((1, g_{m_1}, g_{m_1}g_{m_2}, \cdots , g_{m_1}g_{m_2}\cdots g_{m_r})\) in the Cayley graph \(\Gamma (G,S)\).

Preimage resistance for Cayley hash functions is equivalent to the difficulty of writing a given element of G as a product of elements of S, or finding a path from 1 to the given element in the Cayley graph. This is called the Geodesic Problem.

Geodesic Problem. Given \(h \in G\) find a “short” word \((m_i)_i\) such that \(\prod _i g_{m_i}=h\). Equivalently, given \(h \in G\) find a “short” path from 1 to h in \(\Gamma (G,S)\).

It should be noted that finding minimal such words or paths is the NP-hard Minimum Generator Sequence Problem [11]. (This problem is also called the Unary Length Problem, and was shown to be \(\Pi _2^P\)-complete [12]).

3.1 Cryptographic Constructions

There have been several choices of generating sets proposed for Cayley hash functions over \(SL_2(q)\) [9, 13,14,15,16,17,18], but there are known attacks in each case [19,20,21,22,23]. Recently, Le Coz, Battarbee, Flores, Koberda, and Kahrobaei [24] proposed a generating set for the quasisimple group \(SL_n(p)\) for prime p. The Geodesic Problem in this case can be reduced to solving a system of \(n^2\) multivariate polynomial equations in \(O(\log p)\) unknowns over \(\mathbb {F}_p\) [24, Section 3.2] which is known to be NP-hard in the worst case.

As an example, we describe a particularly simple scheme proposed by Zémor [9].

Let p be a prime and \(SL_2(p)\) the special linear group of \(2\times 2\) matrices over the finite field of p elements with determinant 1. Further, associate to the bit 0 the matrix \(A=\begin{pmatrix}1&{}1\\ 0&{}1\end{pmatrix} \in SL_2(p)\) and to the bit 1 the matrix \(B=\begin{pmatrix}1&{}0\\ 1&{}1\end{pmatrix}\in SL_2(p)\). Then, the hash function \(h_{SL_2(p), \{A, B\}}\) sends a binary number of arbitrary length to the appropriate product of As and Bs. For example, if \(p=3\) the hash for the bitstring 010110 would be the matrix

$$ABABBA = \begin{pmatrix} 2 &{} 2 \\ 2 &{} 1\end{pmatrix} $$

These parameters were chosen to allow efficient evaluation of the hash function, but the resulting hash function is not collision resistant: Tillich and Zémor [13, 25] show it is possible to find many factorizations of the group identity. Inserting any such factorization into any word gives a collision.
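As an added example (not code from the survey or from Zémor’s paper), the following Python evaluates \(h_{SL_2(p),\{A,B\}}\) from Definition 3.1 with the generators A and B above, reproduces the \(p=3\) value for 010110, and illustrates the collision mechanism just described using the simplest factorization of the identity, \(A^p=I\) (the word of p zeros); the many further identity factorizations found by Tillich and Zémor are not reproduced here.

```python
# Zémor's Cayley hash on SL_2(p): bit 0 -> A = [[1,1],[0,1]], bit 1 -> B = [[1,0],[1,1]].
# Added example; a 2x2 matrix [[a, b], [c, d]] is stored as the 4-tuple (a, b, c, d).

A = (1, 1, 0, 1)
B = (1, 0, 1, 1)
I = (1, 0, 0, 1)


def mat_mul(x, y, p):
    """Product of two 2x2 matrices with entries reduced modulo p."""
    a, b, c, d = x
    e, f, g, h = y
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def det(x, p):
    """Determinant modulo p; every hash value lies in SL_2(p), so this is always 1."""
    a, b, c, d = x
    return (a * d - b * c) % p


def zemor_hash(bits, p):
    """h(m_1 ... m_r) = g_{m_1} g_{m_2} ... g_{m_r}: a walk in the Cayley graph that
    starts at the identity and multiplies by A for each '0' and by B for each '1'."""
    acc = I
    for bit in bits:
        if bit == "0":
            acc = mat_mul(acc, A, p)
        elif bit == "1":
            acc = mat_mul(acc, B, p)
        else:
            raise ValueError(f"not a bit: {bit!r}")
    return acc


def identity_word(p):
    """A has order p in SL_2(p) (A^k = [[1, k], [0, 1]]), so p consecutive zeros hash
    to the identity. This is the simplest factorization of the identity in A and B."""
    return "0" * p


def insert_identity(bits, p, pos):
    """Splice a factorization of the identity into a word at position pos: the result
    is a different word (p symbols longer) with the same hash, i.e. a collision."""
    return bits[:pos] + identity_word(p) + bits[pos:]


if __name__ == "__main__":
    p = 3
    w = "010110"
    print(w, zemor_hash(w, p))            # (2, 2, 2, 1), as in the text
    w2 = insert_identity(w, p, 2)
    print(w2, zemor_hash(w2, p))          # same matrix, different word
```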

3.2 Progress Toward Solving the Geodesic Problem

Babai and Seress conjectured [26] that short paths exist in the Cayley graphs of finite simple groups:

Babai’s conjecture. There exists a constant \(c > 0\) such that, for any h in a finite simple non-abelian group G, and any generating set S, there is a path from 1 to h in \(\Gamma (G,S)\) of length at most \((\log |G|)^c\). That is, every element of G may be written as a word of length at most \((\log |G|)^c\) in the elements of S.

For groups of Lie type of bounded rank, Babai’s conjecture has been proved by Helfgott, Pyber, Szabó, Breuillard, Green and Tao [27,28,29]. For sporadic groups, there is certainly some c large enough to give the conjectured result, since there are finitely many such groups. The remaining cases are the alternating groups (for which Helfgott and Seress [30] have the best bound) and groups of Lie type of unbounded rank. In many cases, there are partial results proving Babai’s conjecture for certain generating sets. For example, Babai and Hayes [31] prove Babai’s conjecture for almost all generating sets of alternating groups, and Eberhard and Jezernik recently showed [32] that Babai’s conjecture holds for large rank groups of Lie type for almost all large enough sets S. See [32, Section 1] for more details on the current status of Babai’s conjecture.

Babai’s conjecture would imply that for every \(h \in G\) there is a path of length \((\log |G|)^{O(1)}\) from 1 to h in the Cayley graph, and the goal of cryptanalysts is to explicitly construct such short paths, while the goal of cryptographers is to find generating sets that make this as difficult as possible. There has been much activity in this area: Minkwitz [33] provided an optimization for the Schreier-Sims algorithm [34, 35] for solving the Geodesic Problem in permutation groups. Babai and Hayes [31] (see also [36]) give a Las Vegas algorithm based on a random walk which is able to factorize elements of \(A_n\) for almost all generating sets, and Kalka, Teicher, and Tsaban [37, Section 5] provide an algorithm which conjecturally and experimentally gives even shorter words. Babai, Kantor, and Lubotzky [38] showed that every finite simple non-abelian group G has a set of generators S of size at most 7 for which there is an algorithm that finds words of length \(O(\log |G|)\) in \(O(\log |G|)\) time. Of the groups of Lie type, \(PSL_n(q)\) and \(SL_n(q)\) have been most closely studied and there are a handful of specially chosen generating sets for which there are efficient algorithms [19, 39,40,41]. Another approach of Kantor and Seress and Dietrich, Leedham-Green, and O’Brien is to represent classical groups as so-called black-box groups and use a Las Vegas algorithm to attempt to construct standard generating sets in which to solve the Geodesic Problem [42, 43]. For all generating sets of \(SL_2(2^k)\), there is a subexponential-time algorithm giving subexponential-length words [44]. However, there is no efficient algorithm which works for all groups and generating sets.

4 Public-Key Constructions from Logarithmic Signatures

Since the 1980s, there have been several attempts to exploit the computational properties of the so-called factorization sequences of finite groups to derive one-way functions, including trapdoor functions – one-way functions for which it becomes easy to compute preimages given some extra information (see for instance [45]).

Definition 4.1

Let G be a finite group. We may identify G with a permutation group acting on n points where \(n\le |G|\). Call this n the degree of G. Fix \(s \in \mathbb {N}\) and for each \(i=1,..., s\) and \(j=1,\dots ,n_i\) let \(\alpha _{ij}\in G\) and consider \(\alpha = (\alpha _1,\dots , \alpha _s)\) where \(\alpha _i=(\alpha _{i1},\dots , \alpha _{in_i})\). We denote by \(\ell (\alpha )=\sum _{i=1}^sn_i\) the length of \(\alpha \). We say that \((i_1,\dots , i_s)\in \mathbb {N}^s\) is a factorization sequence for \(g\in G\) w.r.t. \(\alpha \) if \(g=\alpha _{1i_1}\cdots \alpha _{si_s}.\) Note that, for a given \(g\in G\), the number of such factorization sequences may vary – it could be that there are many ways of writing g as an ordered product of elements in the blocks of \(\alpha ,\) or none at all. Denote by \(n[\alpha ,g]\) the number of different factorization sequences for g induced by \(\alpha .\) We say that \(\alpha \) is a

  • cover if \(n[\alpha , g] >0\) for any \(g\in G\).

  • logarithmic signature if \(n[\alpha , g] =1\) for any \(g\in G\). A logarithmic signature \(\alpha \) is called tame if factorization sequences may be computed in polynomial time in the degree of G for every g w.r.t. \(\alpha \), and wild otherwise.

Note that by definition \(\alpha \) is a logarithmic signature if and only if \(\alpha \) is a cover and \(\prod _{i=1}^s n_i = |G|\).

If the group law can be computed efficiently, it is “easy” to construct group elements by simply selecting one element from each \(\alpha _i\); the reverse process may, however, be rather involved computationally. The next section reviews several proposals exploiting this dichotomy to define useful one-way functions.

4.1 Cryptographic Constructions

The first private-key cryptographic construction using factorization sequences was PGM (Permutation Group Mappings) which was proposed by Magliveras [46] and uses logarithmic signatures for permutation groups to create one-way functions. Later, Magliveras et al. [47] proposed \(\mathrm{MST_1}\), a public-key cryptosystem built upon the same idea with an additional trapdoor for the one-way function of PGM. They also proposed a variant called \(\mathrm{MST_2}\) based on a special kind of cover called a mesh. Later, Lempken et al. [48] proposed \(\mathrm{MST_3}\) based on the difficulty of factoring group elements with respect to random covers for large subsets of finite non-abelian groups with large center.

We now give a description of \(MST_1\), the simplest of these constructions. For a natural number m, we denote by \({\mathbb {Z}}_m=\{0,1,\dots ,m-1\}\) the ring of integers modulo m. Fix a finite permutation group G and a tame logarithmic signature \(\eta \) for G, both publicly known. For any logarithmic signature \(\alpha =(\alpha _1,\dots ,\alpha _s)\), we construct the mappings

$$\begin{aligned} \begin{array}{rccc} \lambda : &{}{\mathbb {Z}}_{n_1}\times \dots \times {\mathbb {Z}}_{n_s}&{}\longrightarrow &{} {\mathbb {Z}}_{|G|}\\ &{}(r_1,\dots ,r_s)&{}\longmapsto &{}\sum _{i=1}^s\left( r_i\cdot \prod _{j=1}^{i-1 }n_j\right) \end{array} \end{aligned}$$

and

$$\begin{aligned} \begin{array}{rccc} \Theta _{\alpha }: &{}{\mathbb {Z}}_{n_1}\times \dots \times {\mathbb {Z}}_{n_s}&{}\longrightarrow &{}G\\ &{}(r_1,\dots ,r_s)&{}\longmapsto &{}\alpha _{1 r_1}\cdots \alpha _{s r_s} \end{array}, \end{aligned}$$

which one may check are bijective. Thus, the functional composition of \(\Theta _{\alpha }\) and \(\lambda ^{-1}\) yields a bijection

$$\begin{aligned} \begin{array}{rccc} \breve{\alpha }:&{} \mathbb {Z}_{|G|}&{}\longrightarrow &{}G\\ &{}n&{}\longmapsto &{}(\Theta _{\alpha }\lambda ^{-1})(n)=\Theta _{\alpha }\left( \lambda ^{-1}(n) \right) . \end{array} \end{aligned}$$

We will use \(\breve{\eta }^{-1}\) to identify G with \(\mathbb {Z}_{|G|}\), allowing us to associate to each logarithmic signature \(\alpha \) a permutation \(\hat{\alpha }:=\breve{\eta }^{-1}\breve{\alpha }\in S_{|G|}\).
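As an added example (not code from the survey or from the MST papers), the following Python builds a tame logarithmic signature for \(S_n\) in the sense of Definition 4.1, implements the maps \(\lambda\), \(\lambda^{-1}\), \(\Theta_\alpha\) and \(\breve{\alpha}\) from this section, and gives the polynomial-time factorization that makes the signature tame. The signature is the standard stabilizer-chain construction (block order and point labels are this example’s own choices); it also computes \(\ell(\alpha)\) against the lower bound (1) of Section 4.3, which it meets for \(n=4,5\) but not for \(n=6\).

```python
# Logarithmic signatures for S_n (Definition 4.1) and the MST_1 maps lambda,
# Theta_alpha and alpha-breve (Section 4.1). Added example, not the MST code.
# Permutations on {0, ..., n-1} are tuples of images and (p * q)(x) = p(q(x)),
# so in a product the rightmost factor acts first.
from itertools import product
from math import factorial


def compose(p, q):
    return tuple(p[q[x]] for x in range(len(p)))


def transposition(n, a, b):
    t = list(range(n))
    t[a], t[b] = t[b], t[a]
    return tuple(t)


def stabilizer_chain_signature(n):
    """alpha = (alpha_1, ..., alpha_{n-1}) with alpha_i = (e, (0 m), ..., (m-1 m)), m = n-i.
    Block sizes n, n-1, ..., 2 multiply to n! = |S_n| and every element factors
    uniquely, so alpha is a logarithmic signature of length n(n+1)/2 - 1."""
    e = tuple(range(n))
    return [[e] + [transposition(n, j, m) for j in range(m)] for m in range(n - 1, 0, -1)]


def theta(alpha, r):
    """Theta_alpha(r_1, ..., r_s) = alpha_{1 r_1} ... alpha_{s r_s}."""
    g = tuple(range(len(alpha[0][0])))
    for block, r_i in zip(alpha, r):
        g = compose(g, block[r_i])
    return g


def lam(alpha, r):
    """lambda(r_1, ..., r_s) = sum_i r_i * prod_{j<i} n_j, a mixed-radix index in Z_|G|."""
    value, weight = 0, 1
    for block, r_i in zip(alpha, r):
        value += r_i * weight
        weight *= len(block)
    return value


def lam_inv(alpha, value):
    """Inverse of lambda: peel off the mixed-radix digits block by block."""
    r = []
    for block in alpha:
        value, r_i = divmod(value, len(block))
        r.append(r_i)
    return tuple(r)


def breve(alpha, k):
    """alpha-breve(k) = Theta_alpha(lambda^{-1}(k)), the bijection Z_|G| -> G."""
    return theta(alpha, lam_inv(alpha, k))


def factor_tame(alpha, g):
    """Factorization sequence of g w.r.t. the stabilizer-chain signature in O(n^2):
    g = t_1 h with h fixing the point n-1, so t_1 is the unique element of the first
    block sending n-1 to g(n-1); then recurse on h inside the stabilizer of n-1.
    A polynomial-time procedure like this is what makes the signature tame."""
    n = len(g)
    r, h = [], g
    for i, block in enumerate(alpha):
        m = n - 1 - i                              # point handled by this block
        target = h[m]
        idx = 0 if target == m else target + 1     # block[0] = e, block[j+1] = (j m)
        r.append(idx)
        h = compose(block[idx], h)                 # block elements are involutions
    assert h == tuple(range(n))
    return tuple(r)


def is_logarithmic_signature(alpha, n):
    """Brute-force check that n[alpha, g] = 1 for every g in S_n (small n only)."""
    counts = {}
    for r in product(*[range(len(b)) for b in alpha]):
        g = theta(alpha, r)
        counts[g] = counts.get(g, 0) + 1
    return len(counts) == factorial(n) and all(c == 1 for c in counts.values())


def length(alpha):
    """ell(alpha) = sum of the block sizes."""
    return sum(len(b) for b in alpha)


def length_lower_bound(order):
    """sum_j a_j p_j for order = prod_j p_j^{a_j}, the bound (1) of Section 4.3."""
    total, p = 0, 2
    while p * p <= order:
        while order % p == 0:
            total += p
            order //= p
        p += 1
    return total + (order if order > 1 else 0)
```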

For \(\mathrm{MST_1}\), the public key is a wild logarithmic signature \(\alpha = (\alpha _1,\dots , \alpha _s)\) and a tame logarithmic signature \(\beta = (\beta _1,\dots , \beta _s)\) for the same group G. The private key consists of a sequence \([\theta _1,\dots ,\theta _k]\) of tame logarithmic signatures such that \(\hat{\beta }^{-1}\hat{\alpha }=\hat{\theta }_1\cdots \hat{\theta }_k\), which opens the trapdoor to efficient computation of factorization sequences w.r.t. \(\alpha \). As discussed in [46], it is not known how to efficiently compute an appropriate sequence \([\theta _1,\dots ,\theta _k]\). The encryption scheme is depicted in Fig. 1.

Fig. 1: \(MST_1\) encryption scheme

4.2 Producing Hard Factorizations

All the above constructions base their security on the claimed hardness of computing factorizations of group elements with respect to some public cover. To support such a claim, the problem of factoring w.r.t. a cover should be reduced as closely as possible to another computational problem that we can “safely” assume to be hard enough.

In the construction of \(\mathrm{MST_1},\) a critical point is the choice of the public wild logarithmic signature \(\alpha \) along with a trapdoor (the factorization into the tame logarithmic signatures \(\theta _i\) (\(1\le i\le k\))). Magliveras et al. [47] suggested picking \(\alpha \) to be a totally-non-transversal logarithmic signature, meaning that none of the \(\alpha _i\) is a coset of a non-trivial subgroup of G. This was later proven in [49] to be insufficient since for \(n\ge 5\) there are tame totally non-transversal logarithmic signatures for all alternating groups \(A_n\) and symmetric groups \(S_n\).

Similarly, the security of \(MST_3\) was questioned in [50] and further cryptanalyzed in [51], where it was proven that factoring with respect to the random covers used is not always a hard problem. While further schemes have been proposed in recent years (see, for instance, [52, 53]), at the time of writing this survey we are unfortunately not aware of a secure method for inducing hard group factorizations suited for cryptographic purposes.

4.3 In Search of Minimal Length Logarithmic Signatures

Cryptographic applications motivate nice group-theoretic questions. For example, since the length of covers is a relevant parameter in real-life implementations, one may ask what the minimal length of a logarithmic signature can be, and try to construct logarithmic signatures of this length.

Let G be a finite group of order \(|G| = \prod _{j=1}^kp_j^{a_j}\) with \(p_1,\dots ,p_k\) distinct primes. González Vasco and Steinwandt [54] showed that for each logarithmic signature \(\alpha \) for G, we have

$$\begin{aligned} \ell (\alpha ) \ge \sum _{j=1}^ka_jp_j, \end{aligned} \tag{1}$$

and defined a minimal length logarithmic signature \(\alpha \) to be a logarithmic signature for which equality in (1) holds. Then, they constructed minimal length logarithmic signatures for symmetric and solvable groups. It is not yet known if minimal length logarithmic signatures exist for each finite group, although Magliveras [55] reduced the problem to simple groups, showing that a minimal counterexample of a group without a minimal length logarithmic signature must be simple. He also constructed minimal length logarithmic signatures for the alternating groups. The work in [54, 55] leads to the following conjecture for which a constructive proof is desired.

MLS Conjecture. Every finite simple group has a minimal length logarithmic signature.

This conjecture remains open in general, but has been proved in several cases. The constructive proofs for symmetric and alternating groups are in essence obtained by the same technique: given a permutation representation of a group G, identify a point P so that its stabilizer \(G_{P}\) can be factored through a minimal length logarithmic signature and such that there exists a complete set of representatives of G modulo \(G_{P}\) which moves P cyclically. The underlying idea is to factor the group into a ‘product of disjoint pieces’ for which a minimal length logarithmic signature exists. In the case that these ‘disjoint pieces’ are two subgroups, this is a rewriting of the group as a knit (or Zappa-Szép) product [56, 57].

Lempken and van Trung [58] use double coset decomposition to find minimal length logarithmic signatures for a number of special linear groups and projective special linear groups. Constructions of minimal length logarithmic signatures for all of the simple linear and symplectic groups, as well as some orthogonal groups, are found in [59, 60]. These papers consider the action of the group on the natural module, looking at point stabilizers and geometric objects called spreads. Furthermore, Holmes [61] produced minimal logarithmic signatures for the sporadic groups \(J_1\), \(J_2\), HS, McL, He, and \(Co_3\). Rahimipour, Ashrafi, and Gholami [62,63,64] treat the cases of the sporadic groups \(J_3\), \(Fi_{22}\), Ru, and Suz, as well as the Tits group \(^2F_4(2)'\), the Ree groups \(^2G_2(3^{2n+1})\), and some unitary and exceptional groups.

5 Fully Homomorphic Encryption Schemes

Broadly, homomorphic encryption enables computation over encrypted data. A fully homomorphic encryption (FHE) procedure is an encryption algorithm E taking as input an element from a ring \((R,+,\cdot )\) and producing an output in another ring \((S,+,\cdot )\) such that \(E(r+s)=E(r)+E(s)\) and \(E(r\cdot s)=E(r)\cdot E(s)\). Such an encryption mechanism allows a third party to do any computations involving \(+\) and \(\cdot \) without ever decrypting the data. For example, one can take the boolean circuit \((\{0,1\}, XOR, AND)\) as the ring, so that a fully homomorphic encryption function respects both AND and XOR.

There are several known encryption schemes on rings \((\mathbb {Z}_n,+,\cdot )\) which allow homomorphic computation of only one of the two operations, for example, textbook RSA, ElGamal, and Goldwasser-Micali, but it appears far more difficult to construct a fully homomorphic scheme. For a detailed survey, see [65].

The most widely known existing fully homomorphic encryption scheme appeared originally in the thesis of Craig Gentry [66]. The security of this solution relies on variants of the so-called bounded-distance decoding problem. This problem enjoys a very relevant property for cryptographic purposes, namely, it is random self-reducible, which basically means that it is about as hard on average as it is in the worst case. While this property allows for (practically meaningful) security proofs, it is unfortunately the case that the resulting homomorphic encryption algorithm is too inefficient to be practical. Very informally, the reason is that, to provide semantic security, encryption has to be randomized, but on the other hand, a homomorphism should map zero to zero. To resolve this conflict, the ciphertext zero is “masked by noise.” The problem now is that during any computation on encrypted data, this “noise” tends to accumulate and has to be occasionally reduced by re-encryption (also known as bootstrapping), a process that produces an equivalent ciphertext but with less noise. This is an expensive procedure, and it results in real-life computation being prohibitively slow.

The quest for more efficient techniques to overcome this issue has resulted in a number of rather efficient schemes. For instance, in [67, 68], a much slower growth of the noise during homomorphic computations was achieved, providing enough efficiency for practical applications. Later, in 2013, Gentry, Sahai, and Waters [69] put forward the GSW scheme, a new method to derive more efficient FHE schemes. These techniques were further improved to develop efficient ring variants of the GSW scheme [70]. New efficient constructions are constantly being proposed (see [71]), and fully homomorphic encryption is indeed a reality in many practical applications.

5.1 Simple Groups and Fully Homomorphic Encryption

The relevance of finite non-abelian simple groups to fully homomorphic encryption is that they open a door to designing new noise-free fully homomorphic encryption schemes, thus with the potential of being much more efficient than those needing some sort of bootstrapping.

This idea is quantified by the following theorem of Werner [72].

Theorem 2

[72, 73] There is a fully homomorphic encryption scheme (over a non-zero ring) if and only if there is a finite non-abelian simple group over which there is a homomorphic encryption scheme.

Ostrovsky and Skeith gave a constructive proof of this theorem [73, Corollary 4.26], see [74, Section 6] for more discussion. To construct a noise-free fully homomorphic encryption scheme from a group homomorphism \(\phi :G \rightarrow H\), Ostrovsky and Skeith pick an element \(g \in G\) of order 2 and identify the bit 0 with the identity of G, and the bit 1 with the element g. Since any binary function can be written as compositions of the NAND function, it is enough to construct NAND in the group. Recall that the NAND function can be defined as a Boolean operator which takes the value zero if and only if all the involved statements it is applied to have a value of one, and has a value of one otherwise (it is thus a negation of a conjunction of logical statements, or a \(NOT \, AND\)). Ostrovsky and Skeith’s proof gives a general formula, and they display an example for the group \(A_5\). The details for \(A_n\) for \(n\ge 6\) are especially short, so we describe them here.

Let \(g=(1\,2)(3\,4)\) and e be the identity permutation. For \(a, b\in \{e, g\}\), we give a formula for NAND(a, b). We follow Ostrovsky and Skeith’s proof, noting that

$$\begin{aligned} g=[(1\,2)(5\,6),(1\,4)(2\,3)]=[g^{(3\,5)(4\,6)},g^{(2\,4)(5\,6)}]. \end{aligned}$$

Therefore,

$$\begin{aligned}NAND(a,b)&=g [a^{(3\,5)(4\,6)},b^{(2\,4)(5\,6)}]\\ {}&=(1\,2)(3\,6\,4\,5)a(3\,6\,2\,4\,5)b(2\,6\,3\,5\,4)a(3\,6\,2\,4\,5)b(2\,4)(5\,6). \end{aligned}$$
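As an added example (not code from the survey or from Ostrovsky and Skeith), the following Python encodes the permutations above and checks both the structured formula \(g\,[a^{(3\,5)(4\,6)},b^{(2\,4)(5\,6)}]\) and its expanded word against the NAND truth table under the identification \(0\leftrightarrow e\), \(1\leftrightarrow g\). Products are read left to right (the leftmost factor acts first), which is the convention under which the expanded word above holds; the `and_` function is this example’s own illustration that any Boolean function can then be built from NAND alone.

```python
# NAND inside A_6 via the Ostrovsky-Skeith formula for A_n, n >= 6. Added example.
# Permutations of {1, ..., 6} are tuples p with p[x] the image of x (index 0 unused).
# Products are read left to right: (p * q)(x) = q(p(x)), as in the displayed word.
N = 6


def perm(*cycles):
    """Permutation from disjoint cycles, e.g. perm((1, 2), (3, 4)); perm() is e."""
    p = list(range(N + 1))
    for cyc in cycles:
        for i, x in enumerate(cyc):
            p[x] = cyc[(i + 1) % len(cyc)]
    return tuple(p)


def mul(p, q):
    """p * q: apply p first, then q."""
    return tuple(q[p[x]] for x in range(N + 1))


def inv(p):
    out = [0] * (N + 1)
    for x in range(N + 1):
        out[p[x]] = x
    return tuple(out)


def conj(x, c):
    """x^c = c^{-1} x c."""
    return mul(mul(inv(c), x), c)


def comm(x, y):
    """[x, y] = x^{-1} y^{-1} x y (for involutions this is simply x y x y)."""
    return mul(mul(mul(inv(x), inv(y)), x), y)


def word(*factors):
    """Product of the factors read left to right."""
    out = perm()
    for f in factors:
        out = mul(out, f)
    return out


E = perm()                          # bit 0
G = perm((1, 2), (3, 4))            # bit 1: an element of order 2 in A_6
C1 = perm((3, 5), (4, 6))           # g^C1 = (1 2)(5 6)
C2 = perm((2, 4), (5, 6))           # g^C2 = (1 4)(2 3)


def nand(a, b):
    """NAND(a, b) = g [a^{(3 5)(4 6)}, b^{(2 4)(5 6)}] for a, b in {e, g}."""
    return mul(G, comm(conj(a, C1), conj(b, C2)))


def nand_expanded(a, b):
    """The same element written out as the displayed word in a and b."""
    return word(perm((1, 2), (3, 6, 4, 5)), a, perm((3, 6, 2, 4, 5)), b,
                perm((2, 6, 3, 5, 4)), a, perm((3, 6, 2, 4, 5)), b,
                perm((2, 4), (5, 6)))


def bit(x):
    """Decode e -> 0, g -> 1 (any other element means the formula failed)."""
    return {E: 0, G: 1}[x]


def truth_table(f):
    """Evaluate a two-input gate on all four encoded bit pairs."""
    return {(x, y): bit(f(G if x else E, G if y else E))
            for x in (0, 1) for y in (0, 1)}


def and_(a, b):
    """NAND is universal: AND(a, b) = NAND(NAND(a, b), NAND(a, b)), using only
    group multiplication, so any homomorphism of the group carries it along."""
    t = nand(a, b)
    return nand(t, t)
```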

Armknecht, Gagliardoni, Katzenbeisser, and Peter [75] give an attack using quantum computers that undermines the security of any homomorphic encryption scheme whose plaintext and ciphertext spaces are abelian groups, thereby showing that it is impossible to have a quantum secure group homomorphic encryption scheme in this scenario. We are not aware of any literature proposing homomorphic encryption over non-abelian groups, but this is a research avenue worth exploring (see [76] for more discussion).

6 Hidden Subgroup Problem: Post-Quantum Analysis

The search for quantum-resistant alternatives to today’s common public-key constructions is extremely active. As we mentioned in the introduction, it is of paramount importance to identify and understand which mathematical problems are hard enough in a “post-quantum” sense. The Hidden Subgroup Problem (HSP) is a generic formulation encompassing many such potentially hard problems. HSP can be seen as a way to understand the power of quantum algorithms and the limits of Shor’s algorithm in group-theoretical language.

Hidden Subgroup Problem (HSP). Given a finitely generated group G, a finite set S and an efficiently computable function \(f:G \rightarrow S\) such that f is constant and distinct on left cosets of a subgroup \(H\le G\) of finite index, find a generating set for H.

Famously, Shor’s [3] polynomial-time quantum algorithms for the Integer Factorization Problem and Discrete Logarithm Problem rely on a polynomial-time quantum algorithm for HSP in finite cyclic groups and groups of the form \(\mathbb {Z}_p\times \mathbb {Z}_p\) for prime p. There are efficient quantum algorithms for HSP for all finite abelian groups and for a few classes of finite non-abelian groups. We describe some relevant cases here. See [77] for a full survey.

Hallgren, Russell, and Ta-Shma [78, Theorem 2] gave a quantum algorithm for finding hidden normal subgroups. This result says nothing about finite simple groups since they have no non-trivial normal subgroups. Kuperberg in [79], and Regev in [80] give subexponential-time quantum algorithms for HSP in dihedral groups. Kuperberg’s algorithm requires quantum space \(2^{O({\log r})}\), while a generalized version of Regev’s in [81, Theorem 5.2] is slower but less space-expensive. In [82], the authors extend these algorithms to construct a subexponential quantum algorithm for solving the Discrete Logarithm Problem in semi-direct products.

While we have efficient algorithms in some cases, providing solutions for HSP for all finite groups is considered one of the most important challenges in post-quantum cryptography. A solution to HSP in a finite group implies a solution in all subgroups. Since every finite group is a subgroup of a symmetric group, a solution to HSP for all finite groups is equivalent to a solution to HSP for symmetric groups. Note, however, that the representation of our group G as a subgroup of a symmetric group is relevant here, since if the dimension is large (for example if we consider the group G to be in \(S_{|G|}\)) we will see exponential blow-up in size and parameters.

Many of the techniques that have been successfully employed in the above-mentioned cases have been shown to fail for symmetric groups [79, 83,84,85]. See [86, Section 3.2] for more discussion. Often the obstructions are large subgroups and high-dimensional irreducible representations. Therefore, many of the difficulties in the symmetric case also affect the classical group case [84, 87].

Understanding the complexity of HSP in finite non-abelian groups is a significant open question with strong connections to many well-known hard problems. This suggests study in this area could unearth one-way functions for the design of post-quantum cryptosystems.

7 The Road Ahead: Some Open Problems

We have presented different problems related to non-abelian finite simple groups. We hope we have helped the readers in grasping their potential for cryptographic applications. While it is hard to predict how the field will evolve, we can for sure identify a number of interesting problems on the frontier between cryptography and group theory:

  • Babai’s conjecture that short paths exist in Cayley graphs of finite simple groups is a widely studied open problem in group theory. The Geodesic Problem, equivalent to finding preimages for Cayley hash functions, requires constructing such short paths in Cayley graphs. For cryptographic applications, it is desirable to either find a situation in which the Geodesic Problem is computationally infeasible, or to show that it is always feasible, as discussed in Section 3.2. Progress in constructing short enough paths would imply progress on Babai’s conjecture.

  • Logarithmic signatures are a possible source of useful trapdoor functions for public-key cryptography, but there is more work to be done on understanding and constructing them. One direction, discussed in Section 4.2, is to find an algorithm that can produce wild logarithmic signatures, especially one which can also provide a rewriting in terms of tame ones. Another, discussed in Section 4.3, is to determine whether all finite groups have minimal length logarithmic signatures. This question has been reduced to simple groups, and the MLS Conjecture that minimal length logarithmic signatures exist for all simple groups remains open in some cases.

  • Ostrovsky and Skeith [88] show how to convert a homomorphic encryption procedure on any finite simple group to a fully homomorphic encryption procedure on a ring by constructing NAND in the finite simple groups. As discussed in Section 5.1, this opens up the question of finding secure homomorphic encryption on a finite simple group.

  • The Hidden Subgroup Problem is central to post-quantum cryptography. As discussed in Section 6, understanding the hardness of HSP for symmetric groups could be useful in the analysis of post-quantum group-based cryptographic primitives.