The Discrete Logarithm Problem in Bergman’s non-representable ring
Bergman’s Ring $E_p$, parameterized by a prime number $p$, is a ring with $p^5$ elements that cannot be embedded in a ring of matrices over any commutative ring. This ring was discovered in 1974. In 2011, Climent, Navarro and Tortosa described an efficient implementation of $E_p$ using simple modular arithmetic, and suggested that this ring may be a useful source for intractable cryptographic problems. We present a deterministic polynomial time reduction of the Discrete Logarithm Problem in $E_p$ to the classical Discrete Logarithm Problem in $\mathbb{Z}_p$, the $p$-element field. In particular, the Discrete Logarithm Problem in $E_p$ can be solved, by conventional computers, in sub-exponential time.
💡 Research Summary
The paper investigates the discrete logarithm problem (DLP) in Bergman’s non‑representable ring Eₚ, a five‑dimensional algebraic structure introduced in 1974 that cannot be embedded into any matrix ring over a commutative base. In 2011 Climent, Navarro and Tortosa showed that Eₚ can be implemented efficiently using only elementary modular arithmetic, and suggested that the ring might serve as a source of hard cryptographic problems because of its exotic algebraic properties. The authors of the present work, however, demonstrate that the DLP in Eₚ is not a new hard problem at all: it can be reduced deterministically in polynomial time to the classical DLP in the prime field ℤₚ. Consequently, solving the DLP in Eₚ on conventional computers is no harder than solving the standard field‑based DLP; in particular, sub‑exponential algorithms such as index‑calculus apply directly.
The paper begins with a concise review of Bergman’s construction. Elements of Eₚ are represented as 4‑tuples (a,b,c,d) with a,b,c,d∈ℤₚ, and the ring operations are defined by a mixture of modulo‑p and modulo‑p² arithmetic. This “standard form” allows a compact software implementation that avoids any matrix representation. The authors then analyse the multiplicative monoid of Eₚ, proving that every non‑zero element can be uniquely factored as a product of a “unit part” u and a “nilpotent part” v. The unit part lives in a subgroup isomorphic to the multiplicative group ℤₚ* (hence cyclic of order p‑1), while the nilpotent part generates a cyclic subgroup of exact order p.
Given a base element g∈Eₚ* and a target h∈Eₚ*, the goal is to find an integer k such that g^k = h. By extracting the unit and nilpotent components of g and h, the problem splits into two independent congruences:
- Find k₁ (mod p‑1) satisfying u^k₁ = u_h in the unit subgroup. This is precisely the discrete logarithm in ℤₚ*, for which any of the well‑studied algorithms (Pollard‑Rho, baby‑step‑giant‑step, index‑calculus) can be employed.
- Find k₂ (mod p) satisfying v^k₂ = v_h in the nilpotent subgroup. Because this subgroup has order p, the exponent can be recovered by a simple exhaustive search or by exploiting the fact that v^p = 1, leading to a direct computation of k₂ in O(log p) time.
Finally, the Chinese Remainder Theorem (CRT) uniquely combines k₁ and k₂ into the full exponent k modulo (p‑1)·p, which is exactly the order of the multiplicative group of Eₚ*. All steps involve only integer arithmetic and modular exponentiations; the dominant cost is the field‑based DLP in step 1, which runs in sub‑exponential time for large p. The overall algorithm therefore runs in deterministic polynomial time with respect to log p, specifically O((log p)^3) bit operations when fast multiplication is used.
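The split-and-recombine procedure summarized above, as an added Python example that is not code from the paper. It assumes the multiplicative group of ℤ_{p²} as a stand-in cyclic group of order (p‑1)·p (it is not Bergman's ring), and the function names and sample values are constructed for illustration.

```python
# Added illustration: Z_{p^2}^* stands in for a cyclic group of order (p-1)*p.
# It is NOT Bergman's ring E_p; only the split-and-recombine steps are modelled.
from math import isqrt

def bsgs(g, h, p):
    """Baby-step giant-step: smallest k >= 0 with g^k = h (mod p), or None."""
    m = isqrt(p - 1) + 1
    baby = {}
    x = 1
    for j in range(m):                 # baby steps g^j
        baby.setdefault(x, j)
        x = x * g % p
    giant = pow(g, -m, p)              # g^(-m) mod p (Python 3.8+)
    y = h % p
    for i in range(m):                 # giant steps h * g^(-i*m)
        if y in baby:
            return i * m + baby[y]
        y = y * giant % p
    return None

def p_part_log(g, h, p):
    """k mod p from the order-p components: (1 + a*p)^k = 1 + k*a*p (mod p^2)."""
    a = (pow(g, p - 1, p * p) - 1) // p
    b = (pow(h, p - 1, p * p) - 1) // p
    if a % p == 0:
        raise ValueError("base has trivial order-p component")
    return b * pow(a, -1, p) % p

def dlog_split(g, h, p):
    """Solve g^k = h in Z_{p^2}^* for a generator g, with k in [0, (p-1)*p)."""
    k1 = bsgs(g % p, h % p, p)         # step 1: classical DLP in Z_p^*
    if k1 is None:
        raise ValueError("no logarithm modulo p")
    k2 = p_part_log(g, h, p)           # step 2: direct computation modulo p
    # CRT for k = k1 (mod p-1), k = k2 (mod p), using p = 1 (mod p-1)
    k = k1 + (p - 1) * ((k1 - k2) % p)
    if pow(g, k, p * p) != h % (p * p):
        raise ValueError("g is not a generator, or h is not a power of g")
    return k

if __name__ == "__main__":
    p, g = 65537, 3                    # constructed sample: 3 generates Z_{p^2}^*
    secret = 123456789                 # constructed exponent
    h = pow(g, secret, p * p)
    print(dlog_split(g, h, p))
```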
The authors validate their reduction experimentally on several primes, ranging from 2^16 + 1 to 2^31 − 1. The measured runtimes for solving the Eₚ‑DLP match those of the corresponding field DLP, confirming that no hidden hardness is introduced by the non‑representable ring.
In the concluding discussion, the paper emphasizes that the exotic algebraic nature of Bergman’s ring does not automatically translate into cryptographic strength. Any proposal to base public‑key schemes on the DLP in Eₚ must first address the structural decomposition that reduces the problem to well‑understood field DLPs. The work thus serves as a cautionary example: before adopting novel algebraic objects for cryptography, a thorough group‑theoretic analysis is essential to rule out reductions to known problems. The authors suggest that future research on non‑representable rings should focus on constructing groups whose order and subgroup structure resist such decompositions, if truly new hardness is desired.