Results 1-10 of 16
Thompson's group and public key cryptography
In Third International Conference, ACNS 2005, 2005
Cited by 25 (3 self)
Abstract. Recently, several public key exchange protocols based on symbolic computation in noncommutative (semi)groups were proposed as a more efficient alternative to well established protocols based on numeric computation. Notably, the protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al. exploited the conjugacy search problem in groups, which is a ramification of the discrete logarithm problem. However, it is a prevalent opinion now that the conjugacy search problem alone is unlikely to provide a sufficient level of security no matter what particular group is chosen as a platform. In this paper we employ another problem (we call it the decomposition problem), which is more general than the conjugacy search problem, and we suggest using R. Thompson's group as a platform. This group is well known in many areas of mathematics, including algebra, geometry, and analysis. It also has several properties that make it fit for cryptographic purposes. In particular, we show here that the word problem in Thompson's group is solvable in almost linear time.
The conjugacy search problem in public key cryptography: unnecessary and insufficient
IACR ePrint Archive, November 2004. Online available at http://eprint.iacr.org/2004/321.pdf
Cited by 20 (3 self)
Abstract. The conjugacy search problem in a group G is the problem of recovering an x ∈ G from given g ∈ G and h = x^{-1} g x. This problem is at the core of several recently suggested public key exchange protocols, most notably the one due to Anshel, Anshel, and Goldfeld, and the one due to Ko, Lee et al. In this note, we make two observations that seem to have eluded most people's attention. The first observation is that solving the conjugacy search problem is not necessary for an adversary to get the common secret key in the Ko-Lee protocol. It is sufficient to solve an apparently easier problem of finding x, y ∈ G such that h = y g x for given g, h ∈ G. Another observation is that solving the conjugacy search problem is not sufficient for an adversary to get the common secret key in the Anshel-Anshel-Goldfeld protocol.
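The first observation of the note above, written out as an added illustration (it is not part of the listed paper or of this listing). It assumes the usual statement of the Ko-Lee protocol: a public element g of a noncommutative group G and two public subgroups A, B ⊂ G that commute elementwise (ab = ba for all a ∈ A, b ∈ B); the names A, B, h_A, h_B and K are this illustration's own.

$$
\begin{aligned}
\text{Alice:}\quad & a \in A \text{ secret},\qquad h_A = a\,g\,a^{-1} \text{ sent to Bob},\\
\text{Bob:}\quad & b \in B \text{ secret},\qquad h_B = b\,g\,b^{-1} \text{ sent to Alice},\\
K_A &= a\,h_B\,a^{-1} = a\,b\,g\,b^{-1}\,a^{-1},\qquad
K_B = b\,h_A\,b^{-1} = b\,a\,g\,a^{-1}\,b^{-1},\\
K_A &= K_B = K \quad\text{because } ab = ba \text{ and hence } b^{-1}a^{-1} = a^{-1}b^{-1}.
\end{aligned}
$$

An adversary who sees g, h_A and h_B does not need the conjugator a. Any pair x, y ∈ A with h_A = y g x (the decomposition problem of the abstract; y = x^{-1} is not required) already yields the key, since x and y commute with b:

$$
y\,h_B\,x \;=\; y\,b\,g\,b^{-1}\,x \;=\; b\,(y\,g\,x)\,b^{-1} \;=\; b\,h_A\,b^{-1} \;=\; K .
$$

The conjugacy search solution (y, x) = (a, a^{-1}) is one solution of this equation, but every other solution in A works equally well, which is why the abstract calls the conjugacy search problem unnecessary for this protocol.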
Braid-Based Cryptography
2004
Cited by 19 (1 self)
We survey some of the recently developed cryptographic schemes involving Artin's braid groups, as well as the attacks against these schemes.
Conjugacy of Finite Subsets in Hyperbolic Groups
Cited by 18 (4 self)
There is a quadratic-time algorithm that determines conjugacy between finite subsets in any torsion-free hyperbolic group. Moreover, in any k-generator, δ-hyperbolic group Γ, if two finite subsets A and B are conjugate, then x^{-1} A x = B for some x of length less than a linear function of max{|γ| : γ ∈ A ∪ B}. (The coefficients of this linear function depend only on k and δ.) These results have implications for group-based cryptography and the geometry of homotopies in negatively curved spaces.
Length-based conjugacy search in the braid group
Cited by 17 (3 self)
Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements b_1, ..., b_n and x b_1 x^{-1}, ..., x b_n x^{-1} in a nonabelian group G, the conjugator x. In the case of subgroups of the braid group B_N, Hughes and Tannenbaum suggested a length-based approach to finding x. Since the introduction of this approach, its effectiveness and success have been debated. We introduce several effective realizations of this approach. In particular, a length function is defined on B_N which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols.
On the rational subset problem for groups
2007
Cited by 14 (10 self)
We use language theory to study the rational subset problem for groups and monoids. We show that the decidability of this problem is preserved under graph of groups constructions with finite edge groups. In particular, it passes through free products amalgamated over finite subgroups and HNN extensions with finite associated subgroups. We provide a simple proof of a result of Grunschlag showing that the decidability of this problem is a virtual property. We prove further that the problem is decidable for a direct product of a group G with a monoid M if and only if membership is uniformly decidable for G-automaton subsets of M. It follows that a direct product of a free group with any abelian group or commutative monoid has decidable rational subset membership.
Cryptanalysis of group-based key agreement protocols using subgroup distance functions
In Advances in Cryptology – PKC 2007, LNCS 4450, 2007
Cited by 10 (0 self)
Abstract. We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the Shpilrain-Ushakov protocol, which is based on Thompson's group F, and show that it can break about half the keys within a few seconds on a single PC.
Length-based cryptanalysis: The case of Thompson's Group
Journal of Mathematical Cryptology
Cited by 9 (4 self)
Abstract. The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the previously suggested length-based algorithms, that make them applicable to Thompson's group with significant success rates. In particular, this shows that the Shpilrain-Ushakov public key cryptosystem based on Thompson's group is insecure, and suggests that no practical public key cryptosystem based on this group can be secure. (Preliminary version. Comments are welcome.)
On the conjugacy search problem and left conjugacy closed loops
Appl. Algebra Engrg. Comm. Comput., 2008
Cited by 1 (1 self)
Abstract. The conjugacy search problem (CSP) is used as a primitive in several braid group based public key encryption schemes. It has been pointed out that, in braid groups, it is unlikely to provide adequate security. Therefore, new structures need to be found. In this paper, we give a formulation of the CSP for left conjugacy closed loops. In order to construct a generalization of the Anshel-Anshel-Goldfeld key establishment method, we also define a partial conjugacy search problem (PCSP) and show it to be equivalent to the CSP if the underlying structure is a group. We also study the PCSP more closely in a class of conjugacy closed loops of order p^2, where p is a prime.