Cryptanalysis of group-based key agreement protocols using subgroup distance functions
in Advances in Cryptology – PKC 2007, LNCS 4450, 2007
Cited by 10 (0 self)
Abstract. We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the Shpilrain-Ushakov protocol, which is based on Thompson’s group F, and show that it can break about half the keys within a few seconds on a single PC.
On an authentication scheme based on the root problem in the braid groups, ArXiv preprint, 2005
Cited by 6 (0 self)
Abstract. Lal and Chaturvedi proposed two authentication schemes presumably based on the difficulty of the Root Problem in the braid group. We describe a deterministic linear time algorithm to crack the first scheme, and show that the second scheme is not more secure than schemes based on the Conjugacy Search Problem, and can therefore be cracked by existing heuristic attacks with very good success probability, as long as the parameters are practical.

1. The first authentication scheme

Lal and Chaturvedi propose in [6] two authentication schemes based on the difficulty of the Root Problem in the braid group. The basic definitions are given in [6]. Their first scheme is defined as follows. We work in the braid group $B_n$ where $n$ is even. In the sequel, multiplication of elements of $B_n$ means concatenation and reduction to left canonical form. Let $LB_n = \langle \sigma_1, \ldots, \sigma_{n/2-1} \rangle$ and $UB_n = \langle \sigma_{n/2+1}, \ldots, \sigma_n \rangle$.

Key Generation. Alice chooses integers $r, s \geq 2$, $a \in LB_n$, and $b \in$
A Better Length Function for Artin’s Braid Groups, 2006
Cited by 1 (0 self)
Abstract. Having a good length function on a group is the main ingredient in a recent combined memory/length approach to solving random equations in that group. Currently, the groups of greatest interest in this respect are Artin’s braid groups. We demonstrate, by a series of experiments, that a length function based on the Birman-Ko-Lee presentation of the braid group is substantially better than the corresponding function based on the Artin presentation.
Solving Random Equations in Garside Groups Using Length Functions, 2008
Abstract. We give a systematic exposition of memory-length algorithms for solving equations in noncommutative groups. This exposition clarifies some points untouched in earlier expositions. We then focus on the main ingredient in these attacks: length functions. After a self-contained introduction to Garside groups, we describe length functions induced by the greedy normal form and by the rational normal form in these groups, and compare their worst-case performances. In the case of Artin’s braid group, we show that a better approach for estimating the minimal length in Artin generators is measuring the length in Birman-Ko-Lee (BKL) generators of the rational BKL form. This is proved theoretically for the worst case, and experimentally for the generic case.

1. Solving random equations

All groups considered in this paper are multiplicative noncommutative groups with an efficiently solvable word problem, that is, there is an efficient algorithm for deciding whether two given (finite products of) elements in the group are equal as elements of the group. Throughout this paper, $G$ denotes such a group. Problems involving solutions of equations in groups have a long history, and are nowadays also explored towards applications in public-key cryptography [13]. We mention some of the more elegant problems of this type.

Problem 1 (Conjugacy Search). Given conjugate $a, b \in G$, find $x \in G$ such that $b = xax^{-1}$.

Problem 2 (Root Search). Given $a \in G$, find $x \in G$ such that $a = x^2$, provided that such $x$ exists.

Problem 3 (Decomposition Search). Let $H$ be a proper subgroup of $G$. Given $a, b \in G$, find $x, y \in H$ such that $b = xay$, provided that there exist such $x, y$.
Algorithms and . . . PIECEWISE-LINEAR HOMEOMORPHISMS, 2008
The first part (Chapters 2 through 5) studies decision problems in Thompson’s groups F, T, V and some generalizations. The simultaneous conjugacy problem is determined to be solvable for Thompson’s group F and suitable larger groups of piecewise-linear homeomorphisms of the unit interval. We describe a conjugacy invariant both from the piecewise-linear point of view and a combinatorial one using strand diagrams. We determine algorithms to compute roots and centralizers in these groups and to detect periodic points and their behavior by looking at the closed strand diagram associated to an element. We conclude with a complete cryptanalysis of an encryption protocol based on the decomposition problem.

In the second part (Chapters 6 and 7), we describe the structure of subgroups of the group of all homeomorphisms of the unit circle, with the additional requirement that they contain no non-abelian free subgroup. It is shown that in this setting the rotation number map is a group homomorphism. We give a classification of such subgroups as subgroups of certain wreath products and we show that such subgroups can exist by building examples. Similar techniques are then used to compute centralizers in these groups and to provide the base to generalize the techniques of the first part and to solve the simultaneous conjugacy problem.
Non-Abelian Analogs of Lattice Rounding, 2015
Lattice rounding in Euclidean space can be viewed as finding the nearest point in the orbit of an action by a discrete group, relative to the norm inherited from the ambient space. Using this point of view, we initiate the study of non-abelian analogs of lattice rounding involving matrix groups. In one direction, we give an algorithm for solving a normed word problem when the inputs are random products over a basis set, and give theoretical justification for its success. In another direction, we prove a general inapproximability result which essentially rules out strong approximation algorithms (i.e., whose approximation factors depend only on dimension) analogous to LLL in the general case.

∗ Supported by NSF grant DMS-1201362.