Chosen-ciphertext attack on noncommutative Polly Cracker

1 Noncommutative Polly Cracker and preliminaries from noncommutative algebra The noncommutative Polly Cracker cryptosystems were developed by T.Rai in his Ph.D. dissertation ([1]), and rely on the fact that there are ideals of noncom-mutative algebras over finite fields that have infinite reduced Groebner bases. First let us briefly present notations that will be used further in the text. Everything in this section is based on [1].We will be working with a noncom-mutative algebra F q < X >, where X = {x 1 ,. .. , x n }, which is an algebra of noncommutative polynomials. By a monomial, we mean a finite noncommuta-tive word in the alphabet X. We use the letter B to denote the set of monomials. We define multiplication in the set B of monomials by concatenation. The next important thing is the notion of an admissible ordering. A well-ordering > on B is said to be admissible if it satisfies the following conditions for all p, q, r, s ∈ B: • if p < q then pr < qr; • if p < q then sp < sq ; • if p = qr then p > q and p > r. Let > be an admissible ordering on the monomials and f ∈ F q < X >. We say that a monomial b i occurs in f if the coefficient of b i in f = α i b i is not zero. We say that b i is the tip of f , denoted tip(f), if b i occurs in f and b i ≥ b j for all b j occurring in f. We denote the coefficient of tip(f) by Ctip(f). If S ⊆ F q < X >, then we write T ip(S) = {b ∈ B : b = tip(f) for some nonzero f ∈ S} and N onT ip(S) = B − T ip(S). Another thing we need is the notion of division of a polynomial g ∈ F q < X >