Results 1  10
of
40
Potential Weaknesses of the Commutator Key Agreement Protocol Based on Braid Groups
 In: Advances in cryptology – EUROCRYPT 2002, 14–28 (Lecture Notes Comp. Sc
"... Abstract. The braid group with its conjugacy problem is one of the recent hot issues in cryptography. At CTRSA 2001, Anshel, Anshel, Fisher, and Goldfeld proposed a commutator key agreement protocol (KAP) based on the braid groups and their colored Burau representation. Its security is based on the ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The braid group with its conjugacy problem is one of the recent hot issues in cryptography. At CTRSA 2001, Anshel, Anshel, Fisher, and Goldfeld proposed a commutator key agreement protocol (KAP) based on the braid groups and their colored Burau representation. Its security is based on the multiple simultaneous conjugacy problem (MSCP) plus a newly adopted key extractor. This article shows how to reduce finding the shared key of this KAP to the listMSCPs in a permutation group and in a matrix group over a finite field. We also develop a mathematical algorithm for the MSCP in braid groups. The former implies that the usage of colored Burau representation in the key extractor causes a new weakness, and the latter can be used as a tool to investigate the security level of their KAP.
Thompson’s group and public key cryptography
 In Third International Conference, ACNS 2005
, 2005
"... Abstract. Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to AnshelAnshelGoldfeld and KoLee et al. exp ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to AnshelAnshelGoldfeld and KoLee et al. exploited the conjugacy search problem in groups, which is a ramification of the discrete logarithm problem. However, it is a prevalent opinion now that the conjugacy search problem alone is unlikely to provide sufficient level of security no matter what particular group is chosen as a platform. In this paper we employ another problem (we call it the decomposition problem), which is more general than the conjugacy search problem, and we suggest to use R. Thompson’s group as a platform. This group is well known in many areas of mathematics, including algebra, geometry, and analysis. It also has several properties that make it fit for cryptographic purposes. In particular, we show here that the word problem in Thompson’s group is solvable in almost linear time. 1
A Linear Algebraic Attack on the AAFG1 Braid Group Cryptosystem
 In 7th Australasian Conference on Information Security and Privacy, ACISP’02, Lecture Notes in Computer Science
, 2002
"... Our purpose is to describe a promising linear algebraic attack on the AAFG1 braid group cryptosystem proposed in [2] employing parameters suggested by the authors. Our method employs the well known Burau matrix representation of the braid group and techniques from computational linear algebra and pr ..."
Abstract

Cited by 19 (1 self)
 Add to MetaCart
(Show Context)
Our purpose is to describe a promising linear algebraic attack on the AAFG1 braid group cryptosystem proposed in [2] employing parameters suggested by the authors. Our method employs the well known Burau matrix representation of the braid group and techniques from computational linear algebra and provide evidence which shows that at least a certain class of keys are weak. We argue that if AAFG1 is to be viable the parameters must be fashioned to defend against this attack. 1
The conjugacy search problem in public key cryptography: unnecessary and insufficient, IACR ePrint Archive, November 2004, Online available at http://eprint.iacr.org/2004/321.pdf
"... Abstract. The conjugacy search problem in a group G is the problem of recovering an x ∈ G from given g ∈ G and h = x −1 gx. This problem is in the core of several recently suggested public key exchange protocols, most notably the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee at ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
(Show Context)
Abstract. The conjugacy search problem in a group G is the problem of recovering an x ∈ G from given g ∈ G and h = x −1 gx. This problem is in the core of several recently suggested public key exchange protocols, most notably the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee at al. In this note, we make two observations that seem to have eluded most people’s attention. The first observation is that solving the conjugacy search problem is not necessary for an adversary to get the common secret key in the KoLee protocol. It is sufficient to solve an apparently easier problem of finding x, y∈Gsuch that h = ygx for given g,h∈G. Another observation is that solving the conjugacy search problem is not sufficient for an adversary to get the common secret key in the AnshelAnshelGoldfeld protocol. 1.
BraidBased Cryptography
, 2004
"... We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes. ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes.
Lengthbased conjugacy search in the braid group, preprint http://arXiv.org/abs/math.GR/0209267
"... Abstract. Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements b1,..., bn and xb1x −1,..., xbnx −1 in a nonabelian group G, the conjugator x. In the case of subgroups of the braid group BN, Hughes and Tannenbaum suggested a lengthbase ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements b1,..., bn and xb1x −1,..., xbnx −1 in a nonabelian group G, the conjugator x. In the case of subgroups of the braid group BN, Hughes and Tannenbaum suggested a lengthbased approach to finding x. Since the introduction of this approach, its effectiveness and successfulness were debated. We introduce several effective realizations of this approach. In particular, a length function is defined on BN which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols. 1.
Cryptanalysis of the Publickey Encryption Based on Braid Groups
 EUROCRYPT 2003, Lecture Notes in Computer Science 2656
, 2003
"... At CRYPTO 2000, a new publickey encryption based on braid groups was introduced. This paper demonstrates how to solve its underlying problem using the Burau representation. By this method, we show that the privatekey can be recovered from the publickey for several parameters with significant ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
(Show Context)
At CRYPTO 2000, a new publickey encryption based on braid groups was introduced. This paper demonstrates how to solve its underlying problem using the Burau representation. By this method, we show that the privatekey can be recovered from the publickey for several parameters with significant probability in a reasonable time. Our attack can be mounted directly on the revised scheme mentioned at ASIACRYPT 2001 as well. On the other hand, we give a new requirement for secure parameters against our attack, which more or less conflicts with that against brute force attack.
Combinatorial Group Theory and Public Key Cryptography
 in Engineering, Communication and Computing
, 2004
"... After some excitement generated by recently suggested public key exchange protocols due to AnshelAnshelGoldfeld and KoLee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide su#cient level of security if a braid group is used as the platform. In this ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
(Show Context)
After some excitement generated by recently suggested public key exchange protocols due to AnshelAnshelGoldfeld and KoLee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide su#cient level of security if a braid group is used as the platform. In this paper we address the following questions: (1) whether choosing a di#erent group, or a class of groups, can remedy the situation; (2) whether some other "hard" problem from combinatorial group theory can be used, instead of the conjugacy search problem, in a public key exchange protocol. Another question that we address here, although somewhat vague, is likely to become a focus of the future research in public key cryptography based on symbolic computation: (3) whether one can e#ciently disguise an element of a given group (or a semigroup) by using defining relations.
A new key exchange protocol based on the decomposition problem
 Contemp. Math., Amer. Math. Soc
"... Abstract. In this paper we present a new key establishment protocol based on the decomposition problem in noncommutative groups which is: given two elements w, w1 of the platform group G and two subgroups A, B ⊆ G (not necessarily distinct), find elements a ∈ A, b ∈ B such that w1 = awb. Here we in ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we present a new key establishment protocol based on the decomposition problem in noncommutative groups which is: given two elements w, w1 of the platform group G and two subgroups A, B ⊆ G (not necessarily distinct), find elements a ∈ A, b ∈ B such that w1 = awb. Here we introduce two new ideas that improve the security of key establishment protocols based on the decomposition problem. In particular, we conceal (i.e., do not publish explicitly) one of the subgroups A, B, thus introducing an additional computationally hard problem for the adversary, namely, finding the centralizer of a given finitely generated subgroup. 1.
Cryptanalysis of groupbased key agreement protocols using subgroup distance functions
 in Advances in Cryptology – PKC 2007, LNCS 4450
, 2007
"... Abstract. We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the ShpilrainUshakov protocol, which is based on Thompson’s group F, ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the ShpilrainUshakov protocol, which is based on Thompson’s group F, and show that it can break about half the keys within a few seconds on a single PC.