A Polynomial Time Algorithm for the Braid Diffie-Hellman Conjugacy Problem
Proc. of Crypto 2003, Lecture Notes in Computer Science 2729, 2003
Cited by 27 (0 self)
Abstract. We propose the first polynomial time algorithm for the braid Diffie-Hellman conjugacy problem (DHCP) on which the braid key exchange scheme and the braid encryption scheme are based [10]. We show the proposed method solves the DHCP for the image of braids under the Lawrence-Krammer representation and the solutions play the equivalent role of the original key for the DHCP of braids. Given a braid index $n$ and a canonical length $\ell$, the complexity is about $2^{-2}\ell^3 n^{4\tau+2}\log n$ bit operations, where $\tau = \log_2 7 \approx 2.8$ (theoretically, it can be reduced to $O(\ell^3 n^{8.3}\log n)$ using $\tau = 2.376$). Further, we show that the generalization into the decomposition problem costs only 8 times the complexity. Keywords: Braid group, Nonabelian group, Conjugacy Problem
Thompson's group and public key cryptography
In Third International Conference, ACNS 2005, 2005
Cited by 25 (3 self)
Abstract. Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al. exploited the conjugacy search problem in groups, which is a ramification of the discrete logarithm problem. However, it is a prevalent opinion now that the conjugacy search problem alone is unlikely to provide a sufficient level of security no matter what particular group is chosen as a platform. In this paper we employ another problem (we call it the decomposition problem), which is more general than the conjugacy search problem, and we suggest using R. Thompson's group as a platform. This group is well known in many areas of mathematics, including algebra, geometry, and analysis. It also has several properties that make it fit for cryptographic purposes. In particular, we show here that the word problem in Thompson's group is solvable in almost linear time.
The conjugacy search problem in public key cryptography: unnecessary and insufficient
IACR ePrint Archive, November 2004, available at http://eprint.iacr.org/2004/321.pdf
Cited by 20 (3 self)
Abstract. The conjugacy search problem in a group $G$ is the problem of recovering an $x \in G$ from given $g \in G$ and $h = x^{-1} g x$. This problem is in the core of several recently suggested public key exchange protocols, most notably the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee et al. In this note, we make two observations that seem to have eluded most people's attention. The first observation is that solving the conjugacy search problem is not necessary for an adversary to get the common secret key in the Ko-Lee protocol. It is sufficient to solve an apparently easier problem of finding $x, y \in G$ such that $h = y g x$ for given $g, h \in G$. Another observation is that solving the conjugacy search problem is not sufficient for an adversary to get the common secret key in the Anshel-Anshel-Goldfeld protocol.
Braid-Based Cryptography
2004
Cited by 19 (1 self)
We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes.
Cryptanalysis of the Public-key Encryption Based on Braid Groups
EUROCRYPT 2003, Lecture Notes in Computer Science 2656, 2003
Cited by 19 (2 self)
At CRYPTO 2000, a new public-key encryption based on braid groups was introduced. This paper demonstrates how to solve its underlying problem using the Burau representation. By this method, we show that the private key can be recovered from the public key for several parameters with significant probability in a reasonable time. Our attack can be mounted directly on the revised scheme mentioned at ASIACRYPT 2001 as well. On the other hand, we give a new requirement for secure parameters against our attack, which more or less conflicts with that against brute force attack.
Length-based conjugacy search in the braid group
Cited by 17 (3 self)
Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements $b_1, \dots, b_n$ and $x b_1 x^{-1}, \dots, x b_n x^{-1}$ in a nonabelian group $G$, the conjugator $x$. In the case of subgroups of the braid group $B_N$, Hughes and Tannenbaum suggested a length-based approach to finding $x$. Since the introduction of this approach, its effectiveness and successfulness were debated. We introduce several effective realizations of this approach. In particular, a length function is defined on $B_N$ which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols.
A new key exchange protocol based on the decomposition problem
Contemp. Math., Amer. Math. Soc.
Cited by 12 (2 self)
Abstract. In this paper we present a new key establishment protocol based on the decomposition problem in noncommutative groups, which is: given two elements $w, w_1$ of the platform group $G$ and two subgroups $A, B \subseteq G$ (not necessarily distinct), find elements $a \in A$, $b \in B$ such that $w_1 = a w b$. Here we introduce two new ideas that improve the security of key establishment protocols based on the decomposition problem. In particular, we conceal (i.e., do not publish explicitly) one of the subgroups $A, B$, thus introducing an additional computationally hard problem for the adversary, namely, finding the centralizer of a given finitely generated subgroup.
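The two abstracts above (the ePrint note on the Ko-Lee protocol and the decomposition-based protocol) make one shared point: the adversary never needs Alice's actual conjugator, only some pair from her subgroup that decomposes her public element. The following is an added example, not code from any of the papers listed on this page. It runs the decomposition-style exchange (Alice sends $a_1 w a_2$, Bob sends $b_1 w b_2$; Ko-Lee is the special case $a_2 = a_1^{-1}$, $b_2 = b_1^{-1}$) in a constructed toy platform, the symmetric group $S_8$ with $A$ and $B$ acting on disjoint points so that they commute, then recovers the key by solving $x w y = p_A$ over $A$ by enumeration. The group, the element $w$ and the private elements are all assumptions chosen so that the example can be checked by hand; with this $w$ the decomposition has two solutions, and the attacker's first hit is not Alice's pair, which is exactly the ePrint observation.

```python
"""Toy Ko-Lee / decomposition key exchange plus the "conjugacy search is
unnecessary" attack. Added example; platform group is S_8, chosen only
because its subgroups can be enumerated, not for any security property."""
from itertools import permutations

N = 8      # degree of the toy platform group S_N (assumption)
SPLIT = 4  # A moves only points 0..3, B only points 4..7, so ab == ba for a in A, b in B


def compose(p, q):
    """Group product p*q read as functions: (p*q)(i) = p(q(i))."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)


def product(*factors):
    acc = tuple(range(N))
    for f in factors:
        acc = compose(acc, f)
    return acc


def subgroup_on(lo, hi):
    """All permutations of 0..N-1 that fix every point outside [lo, hi)."""
    members = []
    for perm in permutations(range(lo, hi)):
        p = list(range(N))
        p[lo:hi] = perm
        members.append(tuple(p))
    return members


A = subgroup_on(0, SPLIT)   # Alice's public subgroup (24 elements)
B = subgroup_on(SPLIT, N)   # Bob's public subgroup (24 elements)


def exchange(w, a1, a2, b1, b2):
    """Alice publishes a1 w a2, Bob publishes b1 w b2; both derive the same key
    because every element of A commutes with every element of B."""
    pa = product(a1, w, a2)
    pb = product(b1, w, b2)
    key_alice = product(a1, pb, a2)   # a1 b1 w b2 a2
    key_bob = product(b1, pa, b2)     # b1 a1 w a2 b2, the same element
    assert key_alice == key_bob
    return pa, pb, key_alice


def decomposition_attack(w, pa, pb):
    """Find ANY x, y in A with x w y == pa and output x pb y. That equals
    x b1 w b2 y = b1 (x w y) b2 = b1 pa b2, i.e. the shared key, whether or
    not (x, y) is Alice's pair. Solving x w y = pa here is a 24-step scan:
    for each x in A, y = w^-1 x^-1 pa must itself lie in A."""
    w_inv = inverse(w)
    members = set(A)
    for x in A:
        y = product(w_inv, inverse(x), pa)
        if y in members:
            return x, y, product(x, pb, y)
    return None


def demo(ko_lee=True):
    """Constructed instance. Returns (true key, attacker's key, attacker hit Alice's pair)."""
    w = (0, 1, 4, 5, 2, 3, 6, 7)                    # public element (assumption): fixes 0,1, swaps 2<->4, 3<->5
    a1 = (2, 1, 3, 0, 4, 5, 6, 7)                   # Alice's private element in A
    a2 = inverse(a1) if ko_lee else (2, 0, 1, 3, 4, 5, 6, 7)
    b1 = (0, 1, 2, 3, 5, 6, 7, 4)                   # Bob's private element in B
    b2 = inverse(b1) if ko_lee else (0, 1, 2, 3, 4, 6, 5, 7)
    pa, pb, key = exchange(w, a1, a2, b1, b2)
    x, y, forged = decomposition_attack(w, pa, pb)
    return key, forged, (x, y) == (a1, a2)
```

In the braid group $A$ is infinite, so the scan in `decomposition_attack` is replaced by whatever solves the decomposition problem for the chosen subgroups; the point of the example is only that solving it, rather than the conjugacy search problem, is what the attacker has to do.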
Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol
In Public Key Cryptography – PKC 2007, 2007
Cited by 12 (3 self)
The length based attack on the Anshel-Anshel-Goldfeld commutator key-exchange protocol [1] was initially proposed by Hughes and Tannenbaum in [9]. Several attempts have been made to implement the attack [6], but none of them had produced results convincing enough to believe that the attack works. In this paper we show that an accurately designed length based attack can successfully break a random instance of the simultaneous conjugacy search problem for certain parameter values and argue that public/private information chosen uniformly at random leads to weak keys.
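The two length-based-attack entries above (Garber et al. on $B_N$ and this one on the Anshel-Anshel-Goldfeld protocol) describe the same mechanism: peel the conjugator off one generator at a time, keeping the guess that makes the conjugated tuple shorter. The block below is an added example, not code from either paper, and it runs the idea in the free group $F_2 = \langle a, b \rangle$ with plain reduced word length rather than in a braid group with a Garside-based length function; the free group is the easy case where conjugation by a generator usually lengthens a word, which is why the search works on the constructed instance. The words `x`, `ab`, `bbA` and the failing instance `Aba` are constructed inputs, and uppercase letters denote inverse generators.

```python
"""Toy length-based attack on the simultaneous conjugacy search problem in the
free group F_2. Added example; lowercase letters are generators a, b and
uppercase letters their inverses, so a word is a Python string."""

GENERATORS = "abAB"


def reduce_word(w):
    """Freely reduce w by cancelling adjacent inverse pairs such as 'aA' or 'Bb'."""
    out = []
    for c in w:
        if out and out[-1] == c.swapcase():
            out.pop()
        else:
            out.append(c)
    return "".join(out)


def inverse(w):
    return w.swapcase()[::-1]


def conjugate(x, w):
    """x w x^-1, freely reduced."""
    return reduce_word(x + w + inverse(x))


def length_based_attack(public, conjugated, max_depth=32):
    """Recover x from the pairs (b_i, x b_i x^-1).
    If x = s x' for a generator s, then s^-1 (x b_i x^-1) s = x' b_i x'^-1,
    which is (usually) shorter. Depth-first search over the choice of s that
    only follows moves which strictly shorten the summed word length; this
    monotonicity assumption is the 'length-based' heuristic. Returns the
    recovered x, or None when no length-decreasing path reaches (b_i)."""
    target = tuple(public)

    def total(words):
        return sum(len(w) for w in words)

    def dfs(current, prefix):
        if current == target:
            return prefix
        if len(prefix) >= max_depth:
            return None
        cur_len = total(current)
        for s in GENERATORS:
            nxt = tuple(reduce_word(inverse(s) + c + s) for c in current)
            if total(nxt) < cur_len:
                found = dfs(nxt, prefix + s)
                if found is not None:
                    return found
        return None

    return dfs(tuple(conjugated), "")


def demo():
    """Constructed instance: secret x and two public words b_1, b_2.
    Returns (x, the published conjugates, the recovered conjugator)."""
    x = "aB"
    public = ["ab", "bbA"]
    published = [conjugate(x, b) for b in public]
    recovered = length_based_attack(public, published)
    return x, published, recovered
```

The failure mode the braid-group papers argue about is visible even here: conjugating `Aba` by `a` shortens it to `b`, so no generator move decreases the total length from the published word and the search returns `None`, although the conjugator has length one. On $B_N$ with protocol-sized parameters that kind of non-monotone behaviour is what the first paper's experiments measure and what the second paper's refined length function is designed to reduce.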