Cryptography-Research Digest #862, Volume #1 Sat, 20 Nov 99 21:13:10 EST Contents: Constructing Public Key Cryptosystems Via Combinatorial Group Theory ([EMAIL PROTECTED]) ---------------------------------------------------------------------------- From: [EMAIL PROTECTED] Subject: Constructing Public Key Cryptosystems Via Combinatorial Group Theory Date: 20 Nov 1999 23:35:22 GMT Reply-To: [EMAIL PROTECTED] CONSTRUCTING PUBLIC KEY CRYPTOSYSTEMS VIA COMBINATORIAL GROUP THEORY Dr.Michael Anshel Department of Computer Sciences CCNY-CUNY,NY NY 10031,USA http://www-cs.engr.ccny.cuny.edu/~csmma/ email: [EMAIL PROTECTED] (November 15,1999) ABSTRACT: A Public Key Cryptosystem (PKC) is an algorithmic method for securely sending private information over an insecure channel in which the communicating parties have no common shared secret (e.g. key). At the heart of a PKC is a two-party secure computation referred to as a protocol. The major PKC's and their associated protocols in use today are based on finite abelian groups. They include the Diffie- Hellman (DH), RSA, and Elliptic Curve Cryptosystems (ECC). Cryptanalytic attacks on these systems suggest that it is prudent to develope alternate PKC's. Combinatorial Group Theory (CGT) is the study of groups by means of generators and defining relators. We discuss several methods for constructing PKC's via CGT evolved over the past decade with my co-workers Iris Anshel and Dorian Goldfeld. The computational security of our protocols are based on the complexity of problems in CGT.We offer a particular instance employing the computational theory of braid groups. "I definitely believe that combinatorial group theory has the potential for making contributions not only to cryptography but also to computational complexity." - email to the author from Zeke Zalcstein NSF (October 14,1999) "I find this report very interesting! Using braids and braid algorithms in particular, and combinatorial group theoretic algorithms in general for practical applications seems quite crucial to me."- email to the author from Patrick Dehornoy, University of Caen (October 30,1999) This report evolved from the following seminar presentations in which the author participated: (1) AT&T Research 4/9/99 host:Jeff Lagarias speaker:D.Goldfeld (2) CCNY 5/6/99 to The New York Group Theory Cooperative: host: Alexei Myasnikov speaker: M.Anshel (3) CUNY Graduate Center 10/6/99 to the Seminar on Combinatorial Computing: host: Janos Pach speaker: M.Anshel (4) IBM T.J.Watson Research Center 10/7/99 host: Tal Rabin speaker: D.Goldfeld (5) Cryptography and Information Security Group of MIT's Laboratory for Computer Science 10/22/99 host: Ron Rivest speaker: D.Goldfeld PRIOR WORK: 1985: N.R.Wagner and M.R.Magyarik, "A public key cryptosystem based on the word problem", Advances in Cryptology: Proceedings of Crypto 84,ed.G.R.Blakely and D.Chaum, LNCS,196 Springer Verlag (1985) 19-36 (detailed discussion in W.Patterson,"Mathematical Cryptology" Rowman and Littlefield (1987) including a discussion of word problems). 1988 Do Long van,AJeyanthi,R.Siromoney and K.G.Subramanian, "Public key cryptosystems based on word problems" ICOMIDC Sym.Math.of Computation,Ho Chi Minh City April (1988) ( descibed in the monograph by N.Koblitz cited below) 1991 M.Garzon and Y.Zalcstein, "The complexity of Grigorchuk groups with applications to cryptography", Theoretical Computer Science 88:1(1991) 83-98 (additional discussion may be found in M.Garzon, "Models of Massive Parallelism" Springer-Verlag (1995)) 1993 I. Anshel and M. Anshel, "From the Post-Markov Theorem through Decision Problems to Public-Key Cryptography", American Mathematical Monthly Vol.100, No. 9 (November 1993) 835-845. 1994 V.M.Sidel'nikov,M.A.Cherepenev and V,V Yashichenko, "Systems of open distribution of keys on the basis of noncommutative semigroups", Russian. Acad. Sci. Dokl. Math. Vol.48 No.2 (1994) 384-386 1997 Rabi, Muhammad, and Alan T. Sherman, ``An observation on associative one-way functions in complexity theory,'' Information Processing Letters 64 (2) (1997) 239-244, 1999 I. Anshel,M. Anshel,and D. Goldfeld,"An Algebraic Method for Public-Key Cryptography", Mathematical Research Letters 6,1-5,(1999) BACKROUND: Combinatorial Group Theory The central methodology employed is that of Combinatorial Group Theory- the algorithmic study of groups specified by presentations,that is by means of generators and defining relators. The subject emerged from the seminal work: [MKS] W.Magnus,A.Karrass,and D.Solitar, "Combinatorial Group Theory:Second Revised Edition", Dover (1977) pbk Some introductory texts from the computational point of view: [Co] D.E.Cohen, "Combinatorial Group Theory" CUP (1989) pbk [Jo] D.L.Johnson, "Presentations of Groups: Second Edition", CUP (1997) pbk The following CGT monograph has recently appeared: B.Fine and G.Rosenberger, "Algebraic Generalizations of Discrete Groups: A Path to Combinatorial Group Theory Through One-Relator Products", Marcel Dekker,Inc (1999). Some Examples: (1) The cyclic group of order two Z/2Z: (a; aa=e) (2) The infinite cyclic group Z: (a:) (3) The free abelian group of rank 2, ZxZ: (a,b; ab=ba ) (4) The free group of rank 2, F(2): (a,b; ) (5) The braid group on 3 strands: (a,b; aba=bab) (6) The symmetric group S(3): (a,b; aba=bab, aa=e,bb=e) The fundamental questions of CGT include the Word Problem (WP), the Conjugacy Problem (CP),the Isomorphism Problem (IsoP) defined and investigated by M. Dehn in the period 1910-1912. Computations with braids appear in the notebooks of C.F.Gauss. A sytematic study of braid groups was undertaken by E.Artin in 1925. The WP for groups with one defining relation was solved by W.Magnus in 1932. In the period 1950-1970 negative solutions to the WP,CP and IsoP were established for finitely presented groups. The WP and CP for braid groups arise in connection with the Unknotting Problem, a central question in Computational Topology: J.Hass,J.L.Lagarias,and N.Pippenger, "The Computational Complexity of Knot and Link Problems", JACM Vol.46 No.2 (March 1999) 185-211. The idea of a Cayley Diagram (CD) of a group provides the bridge between CGT and Graph Theory. Concepts methods and examples are found in: [Bol] B.Bollabas,"Modern Graph Theory" Springer-Verlag (1998) pbk. In turn [Bol] connects Graph Theory to the Theory of Knots and Links. Backround: Cryptography,Complexity and Computational Security Cryptography refers to a wide range of security issues in the transmission and protection of information such as massive file storage, electronic commerce thru public networks and the use of smart cards. A good mathematical source for cryptography is: [Kob] N.Koblitz, "Algebraic Aspects of Cryptography", Springer-Verlag (1998) A more general reference: [MOV] A.J.Menzes,P.C.vanOorscot and S.A.Vanstone, "The Handbook of Applied Cryptography", CRC Press (1997) http://cacr.math.uwaterloo.ca/hac/ A central concept in cryptography is that of a private key cryptosystem for message communication specified by a 5-tuple M=(P,C,K,E,D) consisting of: (1) plaintext units P (2) ciphertext units C (3) a keyspace K whose elements 'k' are keys for coding plaintext and decoding ciphertext (4) an encryption map E: PxK->C (5) a decryption map D: CxK->P such that for D(E(p,k),k)=p for all p in P and k in K. The only confidential item needed by two parties for communication is a common private key. The encoding and decoding algorithms E,D are assummed to be public knowledge. One class of private key cryptosystems we have investigated concern stream ciphers based on cryptographically secure pseudorandom number generators: M. Anshel and D. Goldfeld, "Zeta Functions, One-Way Functions, and Pseudorandom Number Generators", Duke Mathematical Journal Vol. 88 No. 2 (1997) 371-390. Another central concept in cryptography is that of a one-way function: informally,we say that a function f: X->Y is 'one-way' if it is easy to compute f(x) for any x in X but difficult to find an x such that f(x)=y for most randomly selected y in Y. The encoding of f(x) should be at most polynomially longer or shorter then the encoding of x. For a general reference for complexity issues as they apply to cryptography consult: C.H.Papadimitriou, "Computational Complexity", Addison-Wesley (1994) Let T: K-> RxS be a one-way function and define E(p, k)= E*(p,r) and D(c,k)= D*(c,s) such that T(k)= (r,s). T is called a 'trapdoor function' associated with the private key cryptosystem M provided s can only be recovered from r in reasonable time with additional information such as the value k. A public-key cryptosystem with trapdoor associated with M and T is a 6-tuple M*=(P,C,R,S,E*,D*). with E*,D* as indicated above. Each user of the system is given a public key r and a private key s such that for some k in K, T(k)= (r,s). The user's public-key is found in a public directory. Encoding and decoding are performed respectively with E* and D*. If user A wants to communicate plaintext message p to user B, A looks up B's public key r and computes E*(p,r)=c in C. User B decodes c by computing D*(c,s). The existence of polynomial-time computable one-way functions is an open question. Two candidate one-way functions of importance in cryptography today are integer multiplication and modular exponentiation.The former has given rise to the RSA system (with trapdoor) and the latter to the Diffie-Hellman system (without trapdoor). A group-theoretic public key cryptosystem with trapdoor is sketched in I.Anshel and M.Anshel cited above.The example chosen is constructed employing (1) a finitely presented residually finite group G with unsolvable conjugacy problem, (2) two non-conjugate elements x,y in G and (3) a trapdoor homomorphism h:G->G/N where G/N is finite and h(x), h(y) are non-conjugate in G/N. We now turn to a group-theoretic method for secret key agreement over an insecure channel and discuss this method in the context of braid groups. An algorithmic procedure for exchanging messages is referred to as a 'protocol' . A key exchange protocol is when two or more parties exchange messages over an insecure channel for the purpose of agreeing on a secret key for use in a private key cryptosystem. DESCRIPTION OF THE GROUP-THEORETIC PROTOCOL: The parties Alice and Bob publish, respectively, words a(1), a(2), ... ,a(n) b(1), b(2), ... ,b(m) specifying group elements from a group G = (S | D) with generating symbols S and defining relations D. The common key K is created by the following concurrent actions of Alice and Bob. ALICE'S ACTIONS: Alice transforms Bob's public words in the following manner: (1a) Alice selects a private word X in the subgroup of G generated by a(1),a(2), ... ,a(n) and conjugates each b(i) by that X producing b*(1), b*(2), ... ,b*(m) (2a) Alice selects a word B(i) in the generating symbols such that B(i) and b*(i) define the same element of G for i =1, ... ,m . (3a) Alice transmits to Bob B(1), B(2), ... ,B(m). BOB'S ACTIONS: Bob transforms Alice's public words in a similar manner: (1b) Bob selects a private word Y in the subgroup of G generated by b(1), b(2), ... ,b(m) and conjugates each a(i) by that Y producing a*(1), a*(2), ... ,a*(n) (2b) Bob selects a word A(i) in the generating symbols such that A(i) and a*(i) define the same element of G for i = 1, ... ,n . (3b) Bob transmits to Alice A(1), A(2), ... ,A(n). COMMON ACTIONS: (4 ab) Alice and Bob now compute, respectively ,V and W each of which specifies the commutator C = [X,Y] defined by the words X and Y. Remark: This is accomplished by noting that since X and Y are words X = x(a(1), ..., a(n) ) and Y = y( b(1), ...,b(m) ) then Alice may computes a word V representing the commutator C = [X,Y] from [X,Y] = X * (YXY')' = X * x( A(1), ..., A(n) )' and Bob may computes a word V representing the commutator C = [X,Y] from [X,Y] = (XYX') * Y' = y( B(1), ..., B(m) ) * Y'. where X' and Y' respectively denote the inverses of X and Y. (5 ab) Alice and Bob compute a common key K = F(V) = F(W) where F is a one-way hash function from the words in the generating symbols to words in the binary alphabet {0,1} such that F(W) = F(Z) whenever W and Z define the same element of G. THE BRAID GROUP PLATFORM By a platform for the protocol we mean a choice of group(s) G to support both security and performance requirements of a cryptographic system. One such group is the braid group B(n) generated by s(1),...,s(n-1) and with two classes of defining relations: (1) s(i)s(i+1)s(i) = s(i+1)s(i)s(i+1) 1 i<n and (2) s(j)s(k)=s(k)s(j) j,k < n , |j-k| 2 These generators are referred to in the literature as the Artin generators For basics consult: V.L.Hansen, "Braids and Coverings: Selected topics" CUP (1989) pbk There is strong evidence to support the difficulty of solving a simultaneous system of conjugacy equations with constraints in the braid group B(n) for large n. Moreover there are efficient algorithms for solving the word problem and computing normal forms for elements of B(n). [BKL] J. Birman, K. H. Ko and S. J. Lee, "A new solution to the word and conjugacy problems in the braid groups," Advances in Mathematics139 (1998), 322-353 The generators employed by [BKL] are called the band generators. Among the band generators are the Artin generators. Lee Rudolph raised the following question to the author on October 11,199 in email discussion: Problem: Call a braid in B(n) "quasipositive"if it's in the subsemigroup of B(n) generated by the positive bands. These braids are (geometrically at least) very interesting! It would be of great interest to determine almost anything algorithmic about them; for instance, do they form a recursive set? Secure methods for transmission and hashing arise from an algorithm given in, P.Dehornoy, "A fast method for comparing braids", Advances in Mathematics123 (1997), 205-235. Another method of secure hashing arises by employing Colored Burau Matrices (CBM): H.R.Morton, "The Multivariable Alexander Polynomial for a Closed Braid", Contemporary Mathematics 233 AMS (1999), 167-172 The CBM method is detailed and will be discussed elsewhere. Stephen Bigelow has recently reported at John Stalling's Combinatorial Group Theory Seminar, University of California Berkeley ,that braid groups are linear. He employs a representation by D.Krammer that maps the braid group B(n) to the group of invertible (n choose 2)-by-(n choose 2) matrices with entries in Z[q,q^-1,t,t^-1]. He raises the question: Problem: Can Krammer's (faithful) representation be used for hashing? CRYPTANALYTIC ATTACKS: There are two methods of attack. The first is a linear algebraic attack . The second employs a heuristic search algorithm involving the length function associated to Birman-Ko-Lee normal forms. So far these attacks have been fended off by choice of parameters. At the same time efficiency has been maintained. Testing is critical to hardening the method and to building trust. Jim Hughes, of Storage Technology Corporation and a consultant Allan Tannenbaum of the University of Minnesota are preparing a report on the testing.Parameters for testing were developed by Dorian Goldfeld after discussions with Benji Fisher and Jim Hughes. The researchers report that the testing has gone well and they are optimistic concerning the method and the choice of the braid group as a platform. However it is far to early to claim success and the following survey reveals: Dan Boneh, "Twenty Years of Attacks on the RSA Cryptosystem", Notices of the American Mathematical Society, Volume 46, Number 2 (February 1999) 203- 213 The author has urged researchers interested in the cryptanlysis to consider the fact that the minimal braid problem is Co-NP complete. M.S.Paterson and A.A.Razborov,"The Set of Minimal Braids is Co-NP Complete", Journal of Algorithms 12,393-408 (1991) For related items the reader should consult: D.J.A.Welsh, "Complexity: Knots,Colourings and Counting" LMS 186 CUP (1993) pbk GENERALIZATIONS AND OPEN PROBLEMS: By a protocol algebra we mean a 5-tuple PA= (U,V,F,G,H) where U and V are feasibly computable monoids and F:UxU->V, G,H :UxV->V are feasibly computable functions satisfying the following properties: (i) (U,V,F) satisfies the distributive property: For all x,y,z in U , F(x,yz)=F(x,y)F(x,z) (ii) G,H are compatible with F : for all x,y in U, G(x,F(y,x))=H(y,F(x,y)) (iii) Infeasiblity condition: for y1,y2,...,yk in U and F(x,y1),F(x,y2),...,F(x,yk) publicly known for some secret element x in U. Then, in general, it is infeasible to determine the secret element x. The users Alice and Bob are publically assigned finitely generated submonoids S(A),T(B) on the indictatd generators S(A)=<s1,s2,...,sm>, T(B)=<t1,t2,...,tn>. The protocol associated to PA is given by: (1): Alice chooses a secret element a in S(A) and transmits the elements F(a,t1),F(a,t2),...,F(a,tn) to Bob. (2): Bob chooses a secret element b in T(B) and transmits the elements F(b,s1),F(b,s2),...,F(b,sm) to Alice. (3): Alice computes F(b,a) using the distributive property (i) of PA and the data transmitted in Step 2. (4): Bob computes F(a,b) using the distributive property (i) of PA and the data transmitted in Step 1. (5): Alice and Bob compute a common key K= G(a,F(b,a))=H(b,F(a,b)) using the compatability condition (ii) of PA. The secrecy of the key K computed in step 5 is insured by condition (iii) of PA. Ron Rivest asks Problem: What is the relationship between protocol algebra and Rabi and Sherman research on one-way associative functions cited above. In the email to the author cited above Patrick Dehornoy remarks and raises the following question after reading an earlier draft of this report: "I have seen briefly that self-distributive operations are involved in what is called "protocol algebra"; I am especially interested in such operations, and I know in particular non-classical examples and algorithms (a book of mine"Braids and self-distributivity" is due to appear in the Birkhauser Progress in maths series in March 2000). Problem: "Perhaps some interesting examples of protocol algebras could be described using the methods of the book." QUANTUM CRYPTOGRAPHY Dorian Goldfeld presented this work at AT&T Research on the invitation of Jeff Lagarias. Also attending was Peter Shor (and myself). Within a few weeks the following appeared: C.H.Bennett and P.Shor, "Quantum Cryptography: Privacy in a Quantum World", Science Vol 284 Number 5415 (30 April 1999) pp 7447-748. In their paper Bennett and Shor raise the possibility that quantum cryptanalysis could develope methods to break classical two-party protocols. Charles Bennett suggests in email to the author (November 5,1999) "a more comprehensive paper by Shor amd me on quantum information, computation and cryptography. C.H. Bennett and P. W. Shor, "Quantum Information Theory", IEEE Trans. Info. Theory 44, 2724-2742 (1998). He points that in their discussion in the journal Science "the criterion of security for quantum cryptosystems is subtly incorrect." He offers the following correction: "Sometimes (eg if the Eve jams or interacts strongly with the quantum signals) Alice and Bob will conclude that the quantum signals have been excessively disturbed, and therefore that no key can safely be agreed upon (designated by a frown in the figure); but, for every eavesdropping strategy, the probability should be negligible that Alice and Bob will decide to trust a key on which Eve has significant information." With this correction in hand we ask: Problem: Perform both classical and quantum cryptanalysis of classical cryptographic two-party computations based on protocol algebra. OBSERVATION: The emerging disciple of Quantum Computation provides link GCT to P/NP/,Knots, and to Quantum Field Theory are explored in: M.H. Freedman, "Limit,logic and computation", PNAS USA Vol 95 pp.95-97 (January 1998) M.H. Freedman, " P/NPand the quantum field computer", PNAS USA Vol 95 pp.98-101 (January 1998) Adrian Kent and his co-workers have extensiveliy investigated bit commitment. For a recent publication consult: A. Kent Unconditionally Secure Bit Commitment Phys. Rev. Lett. 83 (1999) 1447-1450 For backround see: Jozef Gruska, "QUANTUM COMPUTING", McGraw-Hill UK (1999) pbk CRYPTOGRAPHIC APPLICATIONS: It was suggested to the authors by Ari Juels ,Burt Kaliski, and Ron Rivest that zero knowledge proof systems (ZKPS) and digital signatures may be constructed using the methods above. They illustrated their point as follows. Suppose Alice wishes to convince Bob that she knows the secret element X. Alice selects a second private word X* in the subgroup of G generated by a(1),a(2), ... ,a(n) and conjugates each b(i) by that XX* .Then Alice proceeds as above to create: b**(1), b**(2), ... ,b**(m) Bob challenges Alice to produce exactly one of X* or XX*. If Bob chooses X* and Alices reply's correctly the result is recorded as a '0'. If Bob chooses XX* and Alices reply's correctly the result is recorded as a '1'. Note that Bob's knowledge of b(1), b(2), ... ,b(m) b*(1), b*(2), ... ,b*(m) b**(1), b**(2), ... ,b**(m) allow him to detremine the correctness of Alice's response. If this procedure is repeated using random X* a digital signature may be created. The reader may recognize Juels-Kaliski- Rivest ZKPS as a group-theoretic version of the original 1986 ZKPS popularized by Adi Shamir. Problem: Investigate the computational security of the Juels-Kaliski- Rivest ZKPS. In conversation it was suggested to Dorian Goldfeld and the author by Ari Juels ,Burt Kaliski, and Ron Rivest that the method and braid group platform are ready for exploration by the wider cryptographic and mathematical community. DISCUSSION: Vladimir Shpilrain raises the possibility that a group with unsolvable word problem could be used as a platform to insure computational security. Leonid Bokut indicates that the school of group-theorists at Institute of Mathematics, Novosibirsk have studied a normal form for elements which Bokut pioneered. The Bokut normal form could be the pivotal mechanism in bringing groups with unsolvable word problem into play. Gene Cooperman asks: Are there theoretical results reducing some of the group-theoretic cryptographic problems to a single cryptographic assumption, just as the difficulty of RSA and some other systems reduces to the difficulty of factoring integers? Should such theoretical results emerge it would have a far reaching impact on the course of group-theoretic research. Comments may be sent to the author at: [EMAIL PROTECTED] CORPORATE SUPPORT: We have been generously supported by Arithmetica Inc. http://www.arithmetica.com/ We have been informed by Mark Ungerman of Fulbright and Jaworski L.L.P that a patent application was published under the Patent Application Treaty on September 2,1999. The internation publication number for this application is WO 99/44324. ACKNOWLEDGMENTS: We wish to thank Benji Fisher and Boris Klebansky of Arithmetica Inc for their programming and mathematical contributions. We also wish to thank the following individuals for their comments,suggestions, patience during lectures and co-teaching assignments and for circulating versions of this manuscript to interested parties. The listing is in rough chronological order relative to the comments received by the author and is intended for informational puposes. It does not imply a judgement on the methods described above one way or the other. Jim Hughes, Storage Technology Corporation Joan Birman, Columbia University Jeff Lagarias,Andrew M Odlyzko,Jim Reeds, and Peter Shor, AT&T Research Allan Tannenbaum, University of Minnesota Gilbert Baumslag, Alexei Miasnikov and Vladimir Shpilrain CCNY/CUNY Janos Pach, CCNY/CUNY&CIMS/NYU Joel Gersten,Dan Greenberger CCNY/CUNY Mel Lax CCNY/CUNY & Bell Labs/Lucent Bob Gilman ,Stevens Institute of Technology Alex Heller,Burton Randol and Al Vasquez,CUNY Graduate School Victor Miller,Institute for Defense Analysis, Princeton Zeph Grunschlag, Columbia University Don Coppersmith,Joan Dyer,Tal Rabin and Michael Shub, IBM Research Stephen Bigelow, University of California Berkeley Lee Rudolph,Clark University Zeke Zalcstein, National Science Foundation Zvi Galil, Columbia University Yuri Gurevich, Microsoft Research and University of Michigan Victor Pan,Lehman College/CUNY Ron Rivest,MIT Ari Juels and Burt Kaliski, RSA Security Inc. Jean-Michel Kantor, University of Paris Patrick Dehornoy, University of Caen Peter M. Neumann, Queen's College, Oxford Simon Blackburn, Royal Holloway, University of London Mark Ettinger, Los Alamos National Laboratory Charles H. Bennett, IBM Research Igor Pak, Yale University Cris Moore, Santa Fe Institute Gene Cooperman, Northeastern University Sam Braunstein, University of Wales Leonid Bokut, Institute of Mathematics, Novosibirsk Adrian Kent, Cambridge University BIOGRAPHICAL SKETCH: Dr.Michael Anshel has taught at the City College of New York (CUNY) for more than 30 years. He has been a member of the doctoral faculty since 1973, teaching in the Engineering, Computer Science and Mathematics programs.He has mentored over thirty doctoral dissertations and is currently mentoring several doctoral students. Prior to accepting his position at CUNY, Dr. Anshel served at the Polytechnic Institute of New York and the University of Arizona. He has also lectured at the Mt. Sinai School of Medicine and the National Science Foundation Summer Institute for High School Teachers at Adelphi University. Over the course of his career, Dr. Anshel has received numerous fellowships and honors, including the CUNY Faculty Fellowship Award, a NASA-ASEE Faculty Fellowship, a National Science Foundation Fellowship and an award from Goddard Space Flight Center. He has consulted with several corporat ions including AT&T Bell Laboratories, Delphic Associates, Mathematica, and Lambda Corp.Dr. Michael Anshel is one of the founders of Arithmetica and a member of its Board of Directors.He serves as the architect of Arithmetica's system designs. Dr. Anshel is co-inventor for three patents in cryptography and has published numerous articles in Mathematics and Cryptography.Dr. Anshel is a member of the AMS,MAA,ACM,IEEE,IACR,Sigma Xi and NYAS. He received a Bachelor of Arts degree magna cum laude, Master of Science degree and a Ph.D. in Mathematics from Adelphi University in Garden City, New York. Dr. Anshel's research and scholarly interests: cryptomathematics,its relationship to advanced computing technologies (e.g. quantum computing) and its historical origins. ------------------------------ ** FOR YOUR REFERENCE ** The service address, to which questions about the list itself and requests to be added to or deleted from it should be directed, is: Internet: [EMAIL PROTECTED] You can send mail to the entire list (and sci.crypt.research) via: Internet: [EMAIL PROTECTED] End of Cryptography-Digest Digest ******************************