Results 1-10 of 34
Thompson’s group and public key cryptography
In Third International Conference, ACNS 2005, 2005
Cited by 19 (3 self)
Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al. exploited the conjugacy search problem in groups, which is a ramification of the discrete logarithm problem. However, it is a prevalent opinion now that the conjugacy search problem alone is unlikely to provide a sufficient level of security no matter what particular group is chosen as a platform. In this paper we employ another problem (we call it the decomposition problem), which is more general than the conjugacy search problem, and we suggest using R. Thompson's group as a platform. This group is well known in many areas of mathematics, including algebra, geometry, and analysis. It also has several properties that make it fit for cryptographic purposes. In particular, we show here that the word problem in Thompson's group is solvable in almost linear time.
A Linear Algebraic Attack on the AAFG1 Braid Group Cryptosystem
In 7th Australasian Conference on Information Security and Privacy, ACISP'02, Lecture Notes in Computer Science, 2002
Cited by 17 (1 self)
Our purpose is to describe a promising linear algebraic attack on the AAFG1 braid group cryptosystem proposed in [2], employing parameters suggested by the authors. Our method employs the well known Burau matrix representation of the braid group and techniques from computational linear algebra, and provides evidence which shows that at least a certain class of keys are weak. We argue that if AAFG1 is to be viable the parameters must be fashioned to defend against this attack.
Length-based conjugacy search in the braid group, preprint http://arXiv.org/abs/math.GR/0209267
Cited by 16 (3 self)
Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: find, given elements b1, ..., bn and x b1 x^{-1}, ..., x bn x^{-1} in a nonabelian group G, the conjugator x. In the case of subgroups of the braid group BN, Hughes and Tannenbaum suggested a length-based approach to finding x. Since the introduction of this approach, its effectiveness and successfulness were debated. We introduce several effective realizations of this approach. In particular, a length function is defined on BN which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols.
The conjugacy search problem in public key cryptography: unnecessary and insufficient, IACR ePrint Archive, November 2004, available online at http://eprint.iacr.org/2004/321.pdf
Cited by 15 (3 self)
The conjugacy search problem in a group G is the problem of recovering an x ∈ G from given g ∈ G and h = x^{-1} g x. This problem is at the core of several recently suggested public key exchange protocols, most notably the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee et al. In this note, we make two observations that seem to have eluded most people's attention. The first observation is that solving the conjugacy search problem is not necessary for an adversary to get the common secret key in the Ko-Lee protocol. It is sufficient to solve an apparently easier problem of finding x, y ∈ G such that h = y g x for given g, h ∈ G. Another observation is that solving the conjugacy search problem is not sufficient for an adversary to get the common secret key in the Anshel-Anshel-Goldfeld protocol.
Combinatorial Group Theory and Public Key Cryptography
in Engineering, Communication and Computing, 2004
Cited by 12 (5 self)
After some excitement generated by recently suggested public key exchange protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide a sufficient level of security if a braid group is used as the platform. In this paper we address the following questions: (1) whether choosing a different group, or a class of groups, can remedy the situation; (2) whether some other "hard" problem from combinatorial group theory can be used, instead of the conjugacy search problem, in a public key exchange protocol. Another question that we address here, although somewhat vague, is likely to become a focus of the future research in public key cryptography based on symbolic computation: (3) whether one can efficiently disguise an element of a given group (or a semigroup) by using defining relations.
Braid-Based Cryptography
2004
Cited by 12 (0 self)
We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes.
Cryptanalysis of the Public-key Encryption Based on Braid Groups
EUROCRYPT 2003, Lecture Notes in Computer Science 2656, 2003
Cited by 11 (1 self)
At CRYPTO 2000, a new public-key encryption based on braid groups was introduced. This paper demonstrates how to solve its underlying problem using the Burau representation. By this method, we show that the private key can be recovered from the public key for several parameters with significant probability in a reasonable time. Our attack can be mounted directly on the revised scheme mentioned at ASIACRYPT 2001 as well. On the other hand, we give a new requirement for secure parameters against our attack, which more or less conflicts with that against brute force attack.
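Two of the points made in the entries above can be seen together on one small instance: the ePrint note's observation that an adversary against a Ko-Lee style exchange does not need the party's actual conjugator, only some element of the right shape, and the observation of the two Burau papers that once braids are mapped to Burau matrices, conjugation becomes matrix conjugation and the search becomes a linear system. The following is an added example written for this page, not code from any of the papers listed. It assumes a 6-strand braid group with Alice's secret in the subgroup generated by σ1, σ2 and Bob's in the one generated by σ4, σ5, evaluates the unreduced Burau representation at a fixed value of t in a prime field (rather than working with Laurent polynomials in t), uses short random braid words as keys, and stops once it has the Burau image of the shared key. The names `ko_lee_instance`, `attack`, `solve` and `demo` are the example's own.

```python
# Added example (not from any paper listed above): Burau-based linear-algebra attack on a Ko-Lee style exchange.
import random
from functools import reduce

P, T = 1_000_003, 7  # prime modulus and the value substituted for the Burau variable t (assumptions)
N, L = 6, 3          # strands; LB = <s1, s2> acts on strands 1-3 (an L x L block), UB = <s4, s5> on 4-6

def inv(a):
    return pow(a % P, P - 2, P)
def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]
def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)] for i in range(n)]

def solve(rows, rhs):
    """Gauss-Jordan over GF(P): (particular solution, nullspace basis) of rows * m = rhs."""
    n, aug, pivots = len(rows[0]), [r + [v] for r, v in zip(rows, rhs)], []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, len(aug)) if aug[i][c]), None)
        if piv is not None:
            aug[r], aug[piv] = aug[piv], aug[r]
            aug[r] = [v * inv(aug[r][c]) % P for v in aug[r]]
            for i in range(len(aug)):
                if i != r and aug[i][c]:
                    aug[i] = [(vi - aug[i][c] * vr) % P for vi, vr in zip(aug[i], aug[r])]
            pivots.append(c)
    if any(row[n] for row in aug[len(pivots):]):
        raise ValueError("inconsistent system")
    part, null = [0] * n, []
    for i, c in enumerate(pivots):
        part[c] = aug[i][n]
    for fc in [c for c in range(n) if c not in pivots]:  # one basis vector per free column
        v = [int(c == fc) for c in range(n)]
        for i, c in enumerate(pivots):
            v[c] = -aug[i][fc] % P
        null.append(v)
    return part, null

def mat_inv(A):
    """Column j of A^-1 solves A x = e_j; returns None if A is singular."""
    try:
        cols = [solve(A, [int(i == j) for i in range(len(A))]) for j in range(len(A))]
    except ValueError:
        return None
    if any(null for _, null in cols):
        return None
    return [[cols[j][0][i] for j in range(len(A))] for i in range(len(A))]

def burau(gen):
    """Unreduced Burau matrix of sigma_i (gen = i) or sigma_i^-1 (gen = -i), at t = T."""
    i, M = abs(gen) - 1, identity(N)
    blk = [[(1 - T) % P, T], [1, 0]] if gen > 0 else [[0, 1], [inv(T), (1 - inv(T)) % P]]
    for r in range(2):
        M[i + r][i:i + 2] = blk[r]
    return M

def word_matrix(word):
    return reduce(mat_mul, map(burau, word), identity(N))
def random_word(gens, length, rng):
    return [rng.choice(gens) * rng.choice((1, -1)) for _ in range(length)]
def inverse_word(word):
    return [-g for g in reversed(word)]

def ko_lee_instance(rng):
    """Public x, A = a x a^-1 (a in LB), B = b x b^-1 (b in UB), and both parties' keys."""
    x = random_word(range(1, N), 12, rng)
    a = random_word([1, 2], 8, rng)  # Alice's secret; commutes with Bob's (disjoint strands)
    b = random_word([4, 5], 8, rng)  # Bob's secret
    A, B = word_matrix(a + x + inverse_word(a)), word_matrix(b + x + inverse_word(b))
    Ka = word_matrix(a + b + x + inverse_word(b) + inverse_word(a))  # Alice: a B a^-1
    Kb = word_matrix(b + a + x + inverse_word(a) + inverse_word(b))  # Bob:   b A b^-1
    return word_matrix(x), A, B, Ka, Kb

def attack(X, A, B, rng):
    """Find any M = diag(M', I) with M X = A M and return M B M^-1: M commutes with
    every UB matrix, so this is the key's Burau image whether or not M' comes from a."""
    def block(m):  # M' entries m (row-major) in the LB block, identity elsewhere
        return [[m[r * L + c] if r < L and c < L else int(r == c) for c in range(N)] for r in range(N)]
    def residual(m):  # entries of M X - A M, flattened; affine in m
        MX, AM = mat_mul(block(m), X), mat_mul(A, block(m))
        return [(x - y) % P for rx, ry in zip(MX, AM) for x, y in zip(rx, ry)]
    f0 = residual([0] * (L * L))
    cols = [[(f - g) % P for f, g in zip(residual([int(v == u) for v in range(L * L)]), f0)]
            for u in range(L * L)]
    part, null = solve([[col[e] for col in cols] for e in range(N * N)], [-v % P for v in f0])
    for _ in range(32):  # random point of the solution space; retry if M' happens to be singular
        m = part[:]
        for v in null:
            c = rng.randrange(P)
            m = [(mi + c * vi) % P for mi, vi in zip(m, v)]
        Mi = mat_inv(block(m))
        if Mi is not None:
            return mat_mul(mat_mul(block(m), B), Mi)
    raise RuntimeError("no invertible solution found")

def demo(seed=1):
    rng = random.Random(seed)
    X, A, B, Ka, Kb = ko_lee_instance(rng)
    return Ka == Kb, attack(X, A, B, rng) == Ka  # expected (True, True)
```

`demo()` returns `(True, True)`: the two parties' keys agree, and the adversary's `M B M^-1` equals their Burau image. The recovered `M'` is not required to be the Burau image of Alice's `a`; it only has to commute with Bob's subgroup and conjugate `X` to `A`, which is the "not necessary" point of the ePrint note, and it is found by solving a linear system in the nine unknown entries, which is the reduction the two Burau papers exploit. What the toy leaves out is the step from a matrix back to a braid (or to whatever the key derivation consumes) and the fact that the Burau representation is not faithful for n ≥ 5, so a matrix does not pin down a braid.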
A new key exchange protocol based on the decomposition problem
Contemp. Math., Amer. Math. Soc
Cited by 10 (2 self)
In this paper we present a new key establishment protocol based on the decomposition problem in noncommutative groups, which is: given two elements w, w1 of the platform group G and two subgroups A, B ⊆ G (not necessarily distinct), find elements a ∈ A, b ∈ B such that w1 = a w b. Here we introduce two new ideas that improve the security of key establishment protocols based on the decomposition problem. In particular, we conceal (i.e., do not publish explicitly) one of the subgroups A, B, thus introducing an additional computationally hard problem for the adversary, namely, finding the centralizer of a given finitely generated subgroup.
Random subgroups and analysis of the lengthbased and quotient attacks
2007
Cited by 7 (2 self)
In this paper we discuss generic properties of "random subgroups" of a given group G. It turns out that in many groups G (even in the most exotic of them) the random subgroups have a simple algebraic structure and they "sit" inside G in a very particular way. This gives a strong mathematical foundation for cryptanalysis of several group-based cryptosystems and indicates how to choose "strong keys". To illustrate our technique we analyze the Anshel-Anshel-Goldfeld (AAG) cryptosystem and give a mathematical explanation of the recent success of some heuristic length-based attacks on it. Furthermore, we design and analyze a new type of attacks, which we term the quotient attacks. Mathematical methods we develop here also indicate how one can try to choose "parameters" in AAG to foil the attacks.
Length Based Attack and Braid Groups: Cryptanalysis of Anshel-Anshel-Goldfeld Key Exchange Protocol
PKC 2007, Lecture Notes in Computer Science 4450, 2007
Cited by 6 (2 self)
The length based attack on the Anshel-Anshel-Goldfeld commutator key exchange protocol [1] was initially proposed by Hughes and Tannenbaum in [9]. Several attempts have been made to implement the attack [6], but none of them had produced results convincing enough to believe that the attack works. In this paper we show that an accurately designed length based attack can successfully break a random instance of the simultaneous conjugacy search problem for certain parameter values, and argue that public/private information chosen uniformly at random leads to weak keys.