Thompson’s group and public key cryptography
In Third International Conference, ACNS 2005, 2005
Abstract

Cited by 25 (3 self)
Abstract. Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al. exploited the conjugacy search problem in groups, which is a ramification of the discrete logarithm problem. However, it is a prevalent opinion now that the conjugacy search problem alone is unlikely to provide sufficient level of security no matter what particular group is chosen as a platform. In this paper we employ another problem (we call it the decomposition problem), which is more general than the conjugacy search problem, and we suggest to use R. Thompson’s group as a platform. This group is well known in many areas of mathematics, including algebra, geometry, and analysis. It also has several properties that make it fit for cryptographic purposes. In particular, we show here that the word problem in Thompson’s group is solvable in almost linear time.
Length-based conjugacy search in the braid group
Abstract

Cited by 17 (3 self)
Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements b1, ..., bn and x b1 x⁻¹, ..., x bn x⁻¹ in a nonabelian group G, the conjugator x. In the case of subgroups of the braid group BN, Hughes and Tannenbaum suggested a length-based approach to finding x. Since the introduction of this approach, its effectiveness and successfulness were debated. We introduce several effective realizations of this approach. In particular, a length function is defined on BN which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols.
Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol
In Public Key Cryptography – PKC 2007, 2007
Abstract

Cited by 12 (3 self)
The length based attack on the Anshel-Anshel-Goldfeld commutator key-exchange protocol [1] was initially proposed by Hughes and Tannenbaum in [9]. Several attempts have been made to implement the attack [6], but none of them had produced results convincing enough to believe that the attack works. In this paper we show that an accurately designed length based attack can successfully break a random instance of the simultaneous conjugacy search problem for certain parameter values and argue that public/private information chosen uniformly at random leads to weak keys.
Cryptanalysis of group-based key agreement protocols using subgroup distance functions
In Advances in Cryptology – PKC 2007, LNCS 4450, 2007
Abstract

Cited by 10 (0 self)
Abstract. We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the Shpilrain-Ushakov protocol, which is based on Thompson’s group F, and show that it can break about half the keys within a few seconds on a single PC.
Constructions in public-key cryptography over matrix groups
Contemp. Math., Amer. Math. Soc.
Abstract

Cited by 10 (6 self)
The purpose of the paper is to give new key agreement protocols (a multiparty extension of the protocol due to Anshel-Anshel-Goldfeld and a generalization of the Diffie-Hellman protocol from abelian to solvable groups) and a new homomorphic public-key cryptosystem. They rely on the difficulty of the conjugacy and membership problems for subgroups of a given group. To support these and other known cryptographic schemes we present a general technique to produce a family of instances being matrix groups (over finite commutative rings) which play a role for these schemes similar to the groups Z_n^* in the existing cryptographic constructions like RSA or discrete logarithm. Partially supported by RFFI grants 030100349, NSH2251.2003.1. The paper was done during the
Length-based cryptanalysis: The case of Thompson’s Group
Journal of Mathematical Cryptology
Abstract

Cited by 9 (4 self)
Abstract. The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the previously suggested length-based algorithms, that make them applicable to Thompson’s group with significant success rates. In particular, this shows that the Shpilrain-Ushakov public key cryptosystem based on Thompson’s group is insecure, and suggests that no practical public key cryptosystem based on this group can be secure. (Preliminary version. Comments are welcome.)
Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol
In Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Comput. Sci., 2006
Abstract

Cited by 9 (2 self)
Motivated by cryptographic applications, we study subgroups of braid groups Bn generated by a small number of random elements of relatively small lengths compared to n. Our experiments show that “most” of these subgroups are equal to the whole Bn, and “almost all” of these subgroups are generated by positive braid words. We discuss the impact of these experimental results on the security of the Anshel-Anshel-Goldfeld key exchange protocol [2] with originally suggested parameters as well as with recently updated ones.
A Practical Attack on the Root Problem in Braid Groups
2005
Abstract

Cited by 4 (0 self)
Using a simple heuristic approach to the root problem in braid groups, we show that cryptographic parameters proposed in this context must be considered as insecure. In our experiments we can, often within seconds, extract the secret key of an authentication system based on the root problem in braid groups.
New Developments in Commutator Key Exchange
Abstract

Cited by 3 (0 self)
We study the algorithmic security of the Anshel-Anshel-Goldfeld (AAG) key exchange scheme and show that contrary to prevalent opinion, the computational hardness of AAG depends on the structure of the chosen subgroups, rather than on the conjugacy problem of the ambient braid group. Proper choice of these subgroups produces a key exchange scheme which is resistant to all known attacks on AAG.