Cryptography-Research Digest #862, Volume #1 Sat, 20 Nov 99 21:13:10 EST
Contents:
Constructing Public Key Cryptosystems Via Combinatorial Group Theory
([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Constructing Public Key Cryptosystems Via Combinatorial Group Theory
Date: 20 Nov 1999 23:35:22 GMT
Reply-To: [EMAIL PROTECTED]
CONSTRUCTING PUBLIC KEY CRYPTOSYSTEMS VIA
COMBINATORIAL GROUP THEORY
Dr.Michael Anshel
Department of Computer Sciences
CCNY-CUNY,NY NY 10031,USA
http://www-cs.engr.ccny.cuny.edu/~csmma/
email: [EMAIL PROTECTED]
(November 15,1999)
ABSTRACT:
A Public Key Cryptosystem (PKC) is an algorithmic method for securely
sending private information over an insecure channel in which the
communicating parties have no common shared secret (e.g. key). At the heart
of a PKC is a two-party secure computation referred to as a protocol. The
major PKC's and their associated protocols in use today are based on finite
abelian groups. They include the Diffie- Hellman (DH), RSA, and Elliptic
Curve Cryptosystems (ECC). Cryptanalytic attacks on these systems suggest
that it is prudent to develope alternate PKC's. Combinatorial Group Theory
(CGT) is the study of groups by means of generators and defining relators.
We discuss several methods for constructing PKC's via CGT evolved over the
past decade with my co-workers Iris Anshel and Dorian Goldfeld. The
computational security of our protocols are based on the complexity of
problems in CGT.We offer a particular instance employing the computational
theory of braid groups.
"I definitely believe that combinatorial group theory has the potential for
making contributions not only to cryptography but also to computational
complexity." - email to the author from Zeke Zalcstein NSF (October 14,1999)
"I find this report very interesting! Using braids and braid algorithms in
particular,
and combinatorial group theoretic algorithms in general for practical
applications
seems quite crucial to me."- email to the author from Patrick Dehornoy,
University of Caen (October 30,1999)
This report evolved from the following seminar presentations
in which the author participated:
(1) AT&T Research 4/9/99
host:Jeff Lagarias
speaker:D.Goldfeld
(2) CCNY 5/6/99 to The New York Group Theory Cooperative:
host: Alexei Myasnikov
speaker: M.Anshel
(3) CUNY Graduate Center 10/6/99 to the Seminar on Combinatorial Computing:
host: Janos Pach
speaker: M.Anshel
(4) IBM T.J.Watson Research Center 10/7/99
host: Tal Rabin
speaker: D.Goldfeld
(5) Cryptography and Information Security Group of MIT's Laboratory for
Computer Science 10/22/99
host: Ron Rivest
speaker: D.Goldfeld
PRIOR WORK:
1985:
N.R.Wagner and M.R.Magyarik,
"A public key cryptosystem based on the word problem",
Advances in Cryptology: Proceedings of Crypto 84,ed.G.R.Blakely and D.Chaum,
LNCS,196 Springer Verlag (1985) 19-36
(detailed discussion in W.Patterson,"Mathematical Cryptology" Rowman and
Littlefield
(1987) including a discussion of word problems).
1988
Do Long van,AJeyanthi,R.Siromoney and K.G.Subramanian,
"Public key cryptosystems based on word problems"
ICOMIDC Sym.Math.of Computation,Ho Chi Minh City April (1988)
( descibed in the monograph by N.Koblitz cited below)
1991
M.Garzon and Y.Zalcstein,
"The complexity of Grigorchuk groups with applications to cryptography",
Theoretical Computer Science 88:1(1991) 83-98
(additional discussion may be found in M.Garzon, "Models of Massive
Parallelism"
Springer-Verlag (1995))
1993
I. Anshel and M. Anshel,
"From the Post-Markov Theorem through Decision Problems to Public-Key
Cryptography", American Mathematical Monthly Vol.100, No. 9 (November 1993)
835-845.
1994
V.M.Sidel'nikov,M.A.Cherepenev and V,V Yashichenko,
"Systems of open distribution of keys on the basis of noncommutative
semigroups",
Russian. Acad. Sci. Dokl. Math. Vol.48 No.2 (1994) 384-386
1997
Rabi, Muhammad, and Alan T. Sherman,
``An observation on associative one-way functions in complexity theory,''
Information Processing Letters 64 (2) (1997) 239-244,
1999
I. Anshel,M. Anshel,and D. Goldfeld,"An Algebraic Method for Public-Key
Cryptography",
Mathematical Research Letters 6,1-5,(1999)
BACKROUND: Combinatorial Group Theory
The central methodology employed is that of Combinatorial Group Theory- the
algorithmic study of groups specified by presentations,that is by means of
generators and defining relators. The subject emerged from the seminal work:
[MKS] W.Magnus,A.Karrass,and D.Solitar, "Combinatorial Group Theory:Second
Revised Edition", Dover (1977) pbk
Some introductory texts from the computational point of view:
[Co] D.E.Cohen, "Combinatorial Group Theory" CUP (1989) pbk
[Jo] D.L.Johnson, "Presentations of Groups: Second Edition", CUP (1997) pbk
The following CGT monograph has recently appeared:
B.Fine and G.Rosenberger,
"Algebraic Generalizations of Discrete Groups: A Path to Combinatorial Group
Theory Through One-Relator Products", Marcel Dekker,Inc (1999).
Some Examples:
(1) The cyclic group of order two Z/2Z: (a; aa=e)
(2) The infinite cyclic group Z: (a:)
(3) The free abelian group of rank 2, ZxZ: (a,b; ab=ba )
(4) The free group of rank 2, F(2): (a,b; )
(5) The braid group on 3 strands: (a,b; aba=bab)
(6) The symmetric group S(3): (a,b; aba=bab, aa=e,bb=e)
The fundamental questions of CGT include the Word Problem (WP), the Conjugacy
Problem (CP),the Isomorphism Problem (IsoP) defined and investigated by M.
Dehn in the period 1910-1912. Computations with braids appear in the
notebooks of C.F.Gauss. A sytematic study of braid groups was undertaken by
E.Artin in 1925. The WP for groups with one defining relation was solved by
W.Magnus in 1932. In the period 1950-1970 negative solutions to the WP,CP and
IsoP were established for finitely presented groups.
The WP and CP for braid groups arise in connection with the Unknotting
Problem, a central
question in Computational Topology:
J.Hass,J.L.Lagarias,and N.Pippenger,
"The Computational Complexity of Knot and Link Problems",
JACM Vol.46 No.2 (March 1999) 185-211.
The idea of a Cayley Diagram (CD) of a group provides the bridge between CGT
and
Graph Theory. Concepts methods and examples are found in:
[Bol] B.Bollabas,"Modern Graph Theory" Springer-Verlag (1998) pbk.
In turn [Bol] connects Graph Theory to the Theory of Knots and Links.
Backround: Cryptography,Complexity and Computational Security
Cryptography refers to a wide range of security issues in the transmission
and protection of information such as massive file storage, electronic
commerce thru public networks and the use of smart cards. A good mathematical
source for cryptography is:
[Kob] N.Koblitz, "Algebraic Aspects of Cryptography", Springer-Verlag (1998)
A more general reference:
[MOV] A.J.Menzes,P.C.vanOorscot and S.A.Vanstone,
"The Handbook of Applied Cryptography",
CRC Press (1997)
http://cacr.math.uwaterloo.ca/hac/
A central concept in cryptography is that of a private key cryptosystem for
message communication specified by a 5-tuple M=(P,C,K,E,D) consisting of:
(1) plaintext units P
(2) ciphertext units C
(3) a keyspace K whose elements 'k' are keys for coding plaintext and
decoding ciphertext
(4) an encryption map E: PxK->C
(5) a decryption map D: CxK->P
such that for D(E(p,k),k)=p for all p in P and k in K.
The only confidential item needed by two parties for communication is a
common private key. The encoding and decoding algorithms E,D are assummed to
be public knowledge.
One class of private key cryptosystems we have investigated concern stream
ciphers based on cryptographically secure pseudorandom number generators:
M. Anshel and D. Goldfeld,
"Zeta Functions, One-Way Functions, and Pseudorandom Number Generators",
Duke Mathematical Journal Vol. 88 No. 2 (1997) 371-390.
Another central concept in cryptography is that of a one-way function:
informally,we say that
a function f: X->Y is 'one-way' if it is easy to compute f(x) for any x in X
but difficult to find an x such that f(x)=y for most randomly selected y in
Y. The encoding of f(x) should be at most
polynomially longer or shorter then the encoding of x.
For a general reference for complexity issues as they apply to cryptography
consult:
C.H.Papadimitriou, "Computational Complexity", Addison-Wesley (1994)
Let T: K-> RxS be a one-way function and define E(p, k)= E*(p,r) and D(c,k)=
D*(c,s) such that T(k)= (r,s). T is called a 'trapdoor function' associated
with the private key cryptosystem M provided s can only be recovered from r
in reasonable time with additional information such as the value k.
A public-key cryptosystem with trapdoor associated with M and T is a 6-tuple
M*=(P,C,R,S,E*,D*). with E*,D* as indicated above.
Each user of the system is given a public key r and a private key s such
that for some k in K, T(k)= (r,s). The user's public-key is found in a public
directory. Encoding and decoding are performed respectively with E* and D*.
If user A wants to communicate plaintext message p to user B, A looks up B's
public key r and computes E*(p,r)=c in C. User B decodes c by computing
D*(c,s).
The existence of polynomial-time computable one-way functions is an open
question.
Two candidate one-way functions of importance in cryptography today are
integer multiplication and modular exponentiation.The former has given rise
to the RSA system (with trapdoor) and the latter to the Diffie-Hellman
system (without trapdoor).
A group-theoretic public key cryptosystem with trapdoor is sketched in
I.Anshel and M.Anshel
cited above.The example chosen is constructed employing
(1) a finitely presented residually finite group G with unsolvable conjugacy
problem,
(2) two non-conjugate elements x,y in G and
(3) a trapdoor homomorphism h:G->G/N where G/N is finite and h(x), h(y)
are non-conjugate in G/N.
We now turn to a group-theoretic method for secret key agreement over an
insecure channel
and discuss this method in the context of braid groups.
An algorithmic procedure for exchanging messages is referred to as a
'protocol' .
A key exchange protocol is when two or more parties exchange messages over an
insecure channel for the purpose of agreeing on a secret key for use in a
private key cryptosystem.
DESCRIPTION OF THE GROUP-THEORETIC PROTOCOL:
The parties Alice and Bob publish, respectively, words
a(1), a(2), ... ,a(n)
b(1), b(2), ... ,b(m)
specifying group elements from a group G = (S | D) with generating symbols S
and defining relations D. The common key K is created by the following
concurrent actions of Alice and Bob.
ALICE'S ACTIONS:
Alice transforms Bob's public words in the following manner:
(1a) Alice selects a private word X in the subgroup of G generated by
a(1),a(2), ... ,a(n) and conjugates each b(i) by that X producing
b*(1), b*(2), ... ,b*(m)
(2a) Alice selects a word B(i) in the generating symbols such that B(i) and
b*(i) define the same element of G for i =1, ... ,m .
(3a) Alice transmits to Bob
B(1), B(2), ... ,B(m).
BOB'S ACTIONS:
Bob transforms Alice's public words in a similar manner:
(1b) Bob selects a private word Y in the subgroup of G generated
by b(1), b(2), ... ,b(m) and conjugates each a(i) by that Y producing
a*(1), a*(2), ... ,a*(n)
(2b) Bob selects a word A(i) in the generating symbols such that
A(i) and a*(i) define the same element of G for i = 1, ... ,n .
(3b) Bob transmits to Alice
A(1), A(2), ... ,A(n).
COMMON ACTIONS:
(4 ab) Alice and Bob now compute, respectively ,V and W each of
which specifies the commutator C = [X,Y] defined by the words X and Y.
Remark: This is accomplished by noting that since X and Y are
words X = x(a(1), ..., a(n) ) and Y = y( b(1), ...,b(m) ) then
Alice may computes a word V representing the commutator
C = [X,Y] from
[X,Y] = X * (YXY')' = X * x( A(1), ..., A(n) )'
and Bob may computes a word V representing the commutator
C = [X,Y] from
[X,Y] = (XYX') * Y' = y( B(1), ..., B(m) ) * Y'.
where X' and Y' respectively denote the inverses of X and Y.
(5 ab) Alice and Bob compute a common key
K = F(V) = F(W)
where F is a one-way hash function from the words in the generating symbols
to words in the binary alphabet {0,1} such that F(W) = F(Z) whenever W and Z
define the same element of G.
THE BRAID GROUP PLATFORM
By a platform for the protocol we mean a choice of group(s) G to support
both security and performance requirements of a cryptographic system. One
such group is the braid group B(n)
generated by s(1),...,s(n-1) and with two classes of defining relations:
(1) s(i)s(i+1)s(i) = s(i+1)s(i)s(i+1) 1 i<n and
(2) s(j)s(k)=s(k)s(j) j,k < n , |j-k| 2
These generators are referred to in the literature as the Artin generators
For basics consult:
V.L.Hansen, "Braids and Coverings: Selected topics" CUP (1989) pbk
There is strong evidence to support the difficulty of solving a simultaneous
system of conjugacy equations with constraints in the braid group B(n) for
large n. Moreover there are efficient algorithms for solving the word problem
and computing normal forms for elements of B(n).
[BKL] J. Birman, K. H. Ko and S. J. Lee,
"A new solution to the word and conjugacy problems in the braid groups,"
Advances in Mathematics139 (1998), 322-353
The generators employed by [BKL] are called the band generators. Among the
band generators are the Artin generators. Lee Rudolph raised the following
question to the author on
October 11,199 in email discussion:
Problem: Call a braid in B(n) "quasipositive"if it's in the subsemigroup of
B(n) generated
by the positive bands. These braids are (geometrically at least) very
interesting!
It would be of great interest to determine almost anything algorithmic about
them;
for instance, do they form a recursive set?
Secure methods for transmission and hashing arise from an algorithm given in,
P.Dehornoy,
"A fast method for comparing braids",
Advances in Mathematics123 (1997), 205-235.
Another method of secure hashing arises by employing Colored Burau Matrices
(CBM):
H.R.Morton,
"The Multivariable Alexander Polynomial for a Closed Braid",
Contemporary Mathematics 233 AMS (1999), 167-172
The CBM method is detailed and will be discussed elsewhere.
Stephen Bigelow has recently reported at John Stalling's Combinatorial Group
Theory Seminar,
University of California Berkeley ,that braid groups are linear. He employs a
representation by D.Krammer that maps the braid group B(n) to the group of
invertible (n choose 2)-by-(n choose 2) matrices with entries in
Z[q,q^-1,t,t^-1]. He raises the question:
Problem: Can Krammer's (faithful) representation be used for hashing?
CRYPTANALYTIC ATTACKS:
There are two methods of attack. The first is a linear algebraic attack . The
second employs a heuristic search algorithm involving the length function
associated to Birman-Ko-Lee normal forms. So far these attacks have been
fended off by choice of parameters. At the same time efficiency has been
maintained. Testing is critical to hardening the method and to building trust.
Jim Hughes, of Storage Technology Corporation and a consultant Allan
Tannenbaum
of the University of Minnesota are preparing a report on the
testing.Parameters for testing
were developed by Dorian Goldfeld after discussions with Benji Fisher and Jim
Hughes. The researchers report that the testing has gone well and they are
optimistic concerning the method and the choice of the braid group as a
platform.
However it is far to early to claim success and the following survey reveals:
Dan Boneh, "Twenty Years of Attacks on the RSA Cryptosystem", Notices of the
American Mathematical Society, Volume 46, Number 2 (February 1999) 203- 213
The author has urged researchers interested in the cryptanlysis to consider
the fact
that the minimal braid problem is Co-NP complete.
M.S.Paterson and A.A.Razborov,"The Set of Minimal Braids is Co-NP Complete",
Journal of Algorithms 12,393-408 (1991)
For related items the reader should consult:
D.J.A.Welsh, "Complexity: Knots,Colourings and Counting" LMS 186 CUP (1993)
pbk
GENERALIZATIONS AND OPEN PROBLEMS:
By a protocol algebra we mean a 5-tuple PA= (U,V,F,G,H) where U and V are
feasibly computable
monoids and F:UxU->V, G,H :UxV->V are feasibly computable functions
satisfying the following
properties:
(i) (U,V,F) satisfies the distributive property: For all x,y,z in U ,
F(x,yz)=F(x,y)F(x,z)
(ii) G,H are compatible with F : for all x,y in U, G(x,F(y,x))=H(y,F(x,y))
(iii) Infeasiblity condition: for y1,y2,...,yk in U and
F(x,y1),F(x,y2),...,F(x,yk)
publicly known for some secret element x in U. Then, in general, it is
infeasible to determine the secret element x.
The users Alice and Bob are publically assigned finitely generated submonoids
S(A),T(B) on the indictatd generators S(A)=<s1,s2,...,sm>,
T(B)=<t1,t2,...,tn>.
The protocol associated to PA is given by:
(1): Alice chooses a secret element a in S(A) and transmits the elements
F(a,t1),F(a,t2),...,F(a,tn) to Bob.
(2): Bob chooses a secret element b in T(B) and transmits the elements
F(b,s1),F(b,s2),...,F(b,sm) to Alice.
(3): Alice computes F(b,a) using the distributive property (i) of PA and the
data transmitted in Step 2.
(4): Bob computes F(a,b) using the distributive property (i) of PA and the
data transmitted
in Step 1.
(5): Alice and Bob compute a common key K= G(a,F(b,a))=H(b,F(a,b)) using the
compatability
condition (ii) of PA.
The secrecy of the key K computed in step 5 is insured by condition (iii) of
PA.
Ron Rivest asks
Problem: What is the relationship between protocol algebra and Rabi and
Sherman research
on one-way associative functions cited above.
In the email to the author cited above Patrick Dehornoy remarks and raises
the following question after reading an earlier draft of this report:
"I have seen briefly that self-distributive operations are involved in what
is called
"protocol algebra"; I am especially interested in such operations, and I know
in particular
non-classical examples and algorithms (a book of mine"Braids and
self-distributivity"
is due to appear in the Birkhauser Progress in maths series in March 2000).
Problem: "Perhaps some interesting examples of protocol algebras could be
described
using the methods of the book."
QUANTUM CRYPTOGRAPHY
Dorian Goldfeld presented this work at AT&T Research on the invitation of
Jeff Lagarias.
Also attending was Peter Shor (and myself). Within a few weeks the following
appeared:
C.H.Bennett and P.Shor,
"Quantum Cryptography: Privacy in a Quantum World",
Science Vol 284 Number 5415 (30 April 1999) pp 7447-748.
In their paper Bennett and Shor raise the possibility that quantum
cryptanalysis could
develope methods to break classical two-party protocols.
Charles Bennett suggests in email to the author (November 5,1999)
"a more comprehensive paper by Shor amd me on quantum information,
computation and cryptography.
C.H. Bennett and P. W. Shor, "Quantum Information Theory",
IEEE Trans. Info. Theory 44, 2724-2742 (1998).
He points that in their discussion in the journal Science
"the criterion of security for quantum cryptosystems
is subtly incorrect."
He offers the following correction:
"Sometimes (eg if the Eve jams or interacts strongly with the quantum
signals) Alice and Bob will conclude that the quantum signals have been
excessively disturbed, and therefore that no key can safely be agreed
upon (designated by a frown in the figure); but, for every eavesdropping
strategy,
the probability should be negligible that Alice and Bob will decide to trust
a key on which Eve has significant information."
With this correction in hand we ask:
Problem: Perform both classical and quantum cryptanalysis of classical
cryptographic
two-party computations based on protocol algebra.
OBSERVATION: The emerging disciple of Quantum Computation provides link GCT
to P/NP/,Knots,
and to Quantum Field Theory are explored in:
M.H. Freedman, "Limit,logic and computation",
PNAS USA Vol 95 pp.95-97 (January 1998)
M.H. Freedman, " P/NPand the quantum field computer",
PNAS USA Vol 95 pp.98-101 (January 1998)
Adrian Kent and his co-workers have extensiveliy investigated bit
commitment.
For a recent publication consult:
A. Kent
Unconditionally Secure Bit Commitment
Phys. Rev. Lett. 83 (1999) 1447-1450
For backround see:
Jozef Gruska, "QUANTUM COMPUTING", McGraw-Hill UK (1999) pbk
CRYPTOGRAPHIC APPLICATIONS:
It was suggested to the authors by Ari Juels ,Burt Kaliski, and Ron Rivest
that zero knowledge
proof systems (ZKPS) and digital signatures may be constructed using the
methods above. They
illustrated their point as follows.
Suppose Alice wishes to convince Bob that she knows the secret element X.
Alice selects a second private word X* in the subgroup of G generated by
a(1),a(2), ... ,a(n)
and conjugates each b(i) by that XX* .Then Alice proceeds as above to create:
b**(1), b**(2), ... ,b**(m)
Bob challenges Alice to produce exactly one of X* or XX*. If Bob chooses X*
and Alices
reply's correctly the result is recorded as a '0'. If Bob chooses XX* and
Alices
reply's correctly the result is recorded as a '1'. Note that Bob's knowledge
of
b(1), b(2), ... ,b(m)
b*(1), b*(2), ... ,b*(m)
b**(1), b**(2), ... ,b**(m)
allow him to detremine the correctness of Alice's response. If this procedure
is repeated
using random X* a digital signature may be created.
The reader may recognize Juels-Kaliski- Rivest ZKPS as a group-theoretic
version
of the original 1986 ZKPS popularized by Adi Shamir.
Problem: Investigate the computational security of the Juels-Kaliski- Rivest
ZKPS.
In conversation it was suggested to Dorian Goldfeld and the author by
Ari Juels ,Burt Kaliski, and Ron Rivest that the method and braid group
platform
are ready for exploration by the wider cryptographic and mathematical
community.
DISCUSSION:
Vladimir Shpilrain raises the possibility that a group with unsolvable word
problem
could be used as a platform to insure computational security.
Leonid Bokut indicates that the school of group-theorists at Institute of
Mathematics, Novosibirsk have studied a normal form for elements which Bokut
pioneered. The Bokut normal form could be the pivotal mechanism in bringing
groups with unsolvable word problem
into play.
Gene Cooperman asks: Are there theoretical results reducing some of the
group-theoretic cryptographic problems to a single cryptographic assumption,
just as the difficulty
of RSA and some other systems reduces to the difficulty of factoring integers?
Should such theoretical results emerge it would have a far reaching impact
on the course of group-theoretic research.
Comments may be sent to the author at: [EMAIL PROTECTED]
CORPORATE SUPPORT:
We have been generously supported by Arithmetica Inc.
http://www.arithmetica.com/
We have been informed by Mark Ungerman of Fulbright and Jaworski L.L.P that a
patent application was published under the Patent Application Treaty on
September 2,1999.
The internation publication number for this application is WO 99/44324.
ACKNOWLEDGMENTS:
We wish to thank Benji Fisher and Boris Klebansky of Arithmetica Inc for
their programming
and mathematical contributions. We also wish to thank the following
individuals
for their comments,suggestions, patience during lectures and co-teaching
assignments
and for circulating versions of this manuscript to interested parties.
The listing is in rough chronological order relative to the comments received
by the author and is intended for informational puposes. It does not imply a
judgement on the methods described above one way or the other.
Jim Hughes, Storage Technology Corporation
Joan Birman, Columbia University
Jeff Lagarias,Andrew M Odlyzko,Jim Reeds, and Peter Shor, AT&T Research
Allan Tannenbaum, University of Minnesota
Gilbert Baumslag, Alexei Miasnikov and Vladimir Shpilrain CCNY/CUNY
Janos Pach, CCNY/CUNY&CIMS/NYU
Joel Gersten,Dan Greenberger CCNY/CUNY
Mel Lax CCNY/CUNY & Bell Labs/Lucent
Bob Gilman ,Stevens Institute of Technology
Alex Heller,Burton Randol and Al Vasquez,CUNY Graduate School
Victor Miller,Institute for Defense Analysis, Princeton
Zeph Grunschlag, Columbia University
Don Coppersmith,Joan Dyer,Tal Rabin and Michael Shub, IBM Research
Stephen Bigelow, University of California Berkeley
Lee Rudolph,Clark University
Zeke Zalcstein, National Science Foundation
Zvi Galil, Columbia University
Yuri Gurevich, Microsoft Research and University of Michigan
Victor Pan,Lehman College/CUNY
Ron Rivest,MIT
Ari Juels and Burt Kaliski, RSA Security Inc.
Jean-Michel Kantor, University of Paris
Patrick Dehornoy, University of Caen
Peter M. Neumann, Queen's College, Oxford
Simon Blackburn, Royal Holloway, University of London
Mark Ettinger, Los Alamos National Laboratory
Charles H. Bennett, IBM Research
Igor Pak, Yale University
Cris Moore, Santa Fe Institute
Gene Cooperman, Northeastern University
Sam Braunstein, University of Wales
Leonid Bokut, Institute of Mathematics, Novosibirsk
Adrian Kent, Cambridge University
BIOGRAPHICAL SKETCH:
Dr.Michael Anshel has taught at the City College of New York (CUNY) for more
than 30 years.
He has been a member of the doctoral faculty since 1973, teaching in the
Engineering,
Computer Science and Mathematics programs.He has mentored over thirty
doctoral dissertations and is currently mentoring several doctoral students.
Prior to accepting his position at CUNY, Dr. Anshel served at the Polytechnic
Institute of New York and the University of Arizona.
He has also lectured at the Mt. Sinai School of Medicine and the National
Science Foundation Summer Institute for High School Teachers at Adelphi
University. Over the course of his career, Dr. Anshel has received numerous
fellowships and honors, including the CUNY Faculty Fellowship Award, a
NASA-ASEE Faculty Fellowship, a National Science Foundation Fellowship and an
award from Goddard Space Flight Center. He has consulted with several corporat
ions including AT&T Bell Laboratories, Delphic Associates, Mathematica, and
Lambda Corp.Dr. Michael Anshel is one of the founders of Arithmetica and a
member of its Board of Directors.He serves as the architect of Arithmetica's
system designs. Dr. Anshel is co-inventor for three patents in cryptography
and has published numerous articles in Mathematics and Cryptography.Dr.
Anshel is a member of the AMS,MAA,ACM,IEEE,IACR,Sigma Xi and NYAS. He
received a Bachelor of Arts degree magna cum laude, Master of Science degree
and a Ph.D. in Mathematics from Adelphi University in Garden City, New York.
Dr. Anshel's research and scholarly interests: cryptomathematics,its
relationship to advanced computing technologies (e.g. quantum computing) and
its historical origins.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt.research) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
