Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol
In Public Key Cryptography – PKC 2007, 2007
Abstract
Cited by 12 (3 self)
The length based attack on the Anshel-Anshel-Goldfeld commutator key-exchange protocol [1] was initially proposed by Hughes and Tannenbaum in [9]. Several attempts have been made to implement the attack [6], but none of them had produced results convincing enough to believe that the attack works. In this paper we show that an accurately designed length based attack can successfully break a random instance of the simultaneous conjugacy search problem for certain parameter values and argue that public/private information chosen uniformly at random leads to weak keys.
Cryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux key agreement protocol
Groups, Complexity, Cryptology, 2009
Abstract
Cited by 8 (0 self)
The Anshel-Anshel-Goldfeld-Lemieux (abbreviated AAGL) key agreement protocol [1] is proposed to be used on low-cost platforms which constrain the use of computational resources. The core of the protocol is the concept of an Algebraic Eraser™ (abbreviated AE) which is claimed to be a suitable primitive for use within lightweight cryptography. The AE primitive is based on a new and ingenious idea of using an action of a semidirect product on a (semi)group to obscure the involved algebraic structures. The underlying motivation for the AAGL protocol is the need to secure networks which deploy Radio Frequency Identification (RFID) tags used for identification, authentication, tracing and point-of-sale applications. In this paper we revisit the computational problem on which AE relies and heuristically analyze its hardness. We show that for the proposed parameter values it is impossible to instantiate a secure protocol. To be more precise, in 100% of randomly generated instances of the protocol we were able to find a secret conjugator z generated by the TTP algorithm (part of the AAGL protocol).
Random subgroups of Thompson's group F, 2009
Abstract
Cited by 5 (1 self)
We consider random subgroups of Thompson's group F with respect to two natural stratifications of the set of all k-generator subgroups of this group. We find that the isomorphism classes of subgroups which occur with positive density vary greatly between the two stratifications. We give the first known examples of persistent subgroups, whose isomorphism classes occur with positive density within the set of k-generator subgroups, for all k greater than some k_0. Additionally, Thompson's group provides the first example of a group without a generic isomorphism class of subgroup. In F, there are many isomorphism classes of subgroups with positive density less than one. Elements of F are represented uniquely by reduced pairs of
Polynomial time solutions of computational problems in non-commutative-algebraic cryptography
Probability on graphs and groups: theory and applications
Abstract
Cited by 1 (0 self)
We introduce the notion of the mean-set (expectation) of a graph- or group-valued random element. Using this concept, we prove a novel generalization of the strong law of large numbers on graphs and groups. Some other relevant results about configurations of mean-sets (or center-sets) in trees and free groups, which may be of independent interest, are discussed. We enhance our theory with other theoretical tools, such as an analogue of the Chebyshev inequality for graphs and the notion of central order on graphs. Furthermore, we consider technical difficulties of computing sample mean-sets and some practical ways of dealing with this issue. Moreover, we provide results of actual experiments supporting many of our conclusions. In addition, we show that our generalized law of large numbers, as a new theoretical tool, provides a framework for motivating practical applications; namely, it has implications for group-based cryptanalysis. At the end of this exposition, we explain, among other things, how to analyze the security of a particular zero-knowledge, i.e., security preserving, group-based authentication protocol. Our analysis allows us to conclude that the security and reliability of a well-known authentication scheme in group-based cryptography proposed by Sibert is questionable. The present work provides a completely new direction of such analysis – it shows that there is a probabilistic approach to cryptographic problems, which are usually treated only from the algebraic point of view, and that this approach can be very effective.
Polynomial time cryptanalysis of non-commutative-algebraic key exchange protocols
Abstract
Cited by 1 (0 self)
We introduce the linear centralizer method for a passive adversary to extract the shared key in group-theory-based key exchange protocols (KEPs). We apply this method to obtain a polynomial time cryptanalysis of the Commutator KEP, introduced by Anshel–Anshel–Goldfeld in 1999 and considered extensively ever since. We also apply this method to the Centralizer KEP, introduced by Shpilrain–Ushakov in 2006. Our method is proved to be of polynomial time using a technical lemma about sampling invertible matrices from a linear space of matrices.