Results 1-10 of 39
A practical attack on some braid group based cryptographic primitives
In Public Key Cryptography, 6th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2003 Proceedings, Y.G. Desmedt, ed., Lecture Notes in Computer Science 2567
2002
Cited by 48 (1 self)
A simple heuristic approach to the conjugacy problem in braid groups is described. Although it does not provide a general solution to the latter problem, it demonstrates that various proposed key parameters for braid group based cryptographic primitives do not offer acceptable cryptographic security. We give experimental evidence that it is often feasible to reveal the secret data by means of a normal PC within a few minutes.
Length-Based Attacks for Certain Group Based Encryption Rewriting Systems
2002
Cited by 42 (1 self)
In this note, we describe a probabilistic attack on public key cryptosystems based on the word/conjugacy problems for finitely presented groups of the type proposed recently by Anshel, Anshel and Goldfeld. In such a scheme, one makes use of the property that in the given group the word problem has a polynomial time solution, while the conjugacy problem has no known polynomial solution. An example is the braid group from topology in which the word problem is solvable in polynomial time while the only known solutions to the conjugacy problem are exponential. The attack in this paper is based on having a canonical representative of each string relative to which a length function may be computed. Hence the term length attack. Such canonical representatives are known to exist for the braid group.
A Polynomial Time Algorithm for the Braid Diffie-Hellman Conjugacy Problem
Proc. of Crypto 2003, Lecture Notes in Computer Science, 2729
2003
Cited by 27 (0 self)
We propose the first polynomial time algorithm for the braid Diffie-Hellman conjugacy problem (DHCP) on which the braid key exchange scheme and the braid encryption scheme are based [10]. We show the proposed method solves the DHCP for the image of braids under the Lawrence-Krammer representation and the solutions play the equivalent role of the original key for the DHCP of braids. Given a braid index $n$ and a canonical length $\ell$, the complexity is about $2^{-2}\,\ell^{3}\, n^{4\tau+2}\log n$ bit operations, where $\tau = \log_2 7 \approx 2.8$ (theoretically, it can be reduced to $O(\ell^{3} n^{8.3}\log n)$ using $\tau = 2.376$). Further, we show that the generalization into the decomposition problem causes only 8 times the complexity. Keywords: Braid group, Nonabelian group, Conjugacy Problem
Braid-Based Cryptography
2004
Cited by 19 (1 self)
We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes.
A Survey of Public-Key Cryptosystems
SIAM Review 46 (2004) 599–634
Cited by 17 (0 self)
We give an overview of the most important public-key cryptosystems and discuss the difficult task of evaluating the merit of such systems.
Assessing security of some group based cryptosystems
Contemporary Mathematics, to appear. (Cryptology ePrint Archive: Report 2003/123)
Cited by 16 (3 self)
One of the possible generalizations of the discrete logarithm problem to arbitrary groups is the so-called conjugacy search problem (sometimes erroneously called just the conjugacy problem): given two elements $a, b$ of a group $G$ and the information that $a^x = b$ for some $x \in G$, find at least one particular element $x$ like that. Here $a^x$ stands for $xax^{-1}$. The computational difficulty of this problem in some particular groups has been used in several group based cryptosystems. Recently, a few preprints have been in circulation that suggested various “neighbourhood search” type heuristic attacks on the conjugacy search problem. The goal of the present survey is to stress a (probably well known) fact that these heuristic attacks alone are not a threat to the security of a cryptosystem, and, more importantly, to suggest a more credible approach to assessing security of group based cryptosystems. Such an approach should be necessarily based on the concept of the average case complexity (or expected running time) of an algorithm. These arguments support the following conclusion: although it is generally feasible to base the security of a cryptosystem on the difficulty of the conjugacy search problem, the group $G$ itself (the “platform”) has to be chosen very carefully. In particular, experimental as well as theoretical evidence collected so far makes it appear likely that braid groups are not a good choice for the platform. We also reflect on possible replacements.
On an algorithm to decide whether a free group is a free factor of another
2006
Cited by 12 (9 self)
We revisit the problem of deciding whether a finitely generated subgroup $H$ is a free factor of a given free group $F$. Known algorithms solve this problem in time polynomial in the sum of the lengths of the generators of $H$ and exponential in the rank of $F$. We show that the latter dependency can be made exponential in the rank difference $\operatorname{rank}(F) - \operatorname{rank}(H)$, which often makes a significant change.
Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol
In Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Computer Science
2006
Cited by 9 (2 self)
Motivated by cryptographic applications, we study subgroups of braid groups $B_n$ generated by a small number of random elements of relatively small lengths compared to $n$. Our experiments show that “most” of these subgroups are equal to the whole $B_n$, and “almost all” of these subgroups are generated by positive braid words. We discuss the impact of these experimental results on the security of the Anshel-Anshel-Goldfeld key exchange protocol [2] with originally suggested parameters as well as with recently updated ones.
Diffie-Hellman key exchange protocol and nonabelian nilpotent groups
2008
Cited by 9 (3 self)
In this paper we study a key exchange protocol similar to the Diffie-Hellman key exchange protocol, using abelian subgroups of the automorphism group of a nonabelian nilpotent group. We also generalize group no. 92 of the Hall-Senior table [16] to an arbitrary prime $p$ and show that, for those groups, the group of central automorphisms is commutative. We use these for the key exchange we are studying.