## A practical attack on a braid group based cryptographic protocol


Citations: | 6 - 1 self |

### Citations

304 | Braids, links and mapping class groups
- Birman
- 1974
Citation Context ...problem. 1. Introduction Braid group cryptography has attracted a lot of attention recently due to several suggested key exchange protocols (see [1, 10]) using braid groups as a platform. We refer to [2] for more information on braid groups. Here we start out by giving a brief description of the Ko, Lee et al. key exchange protocol (subsequently called just the Ko-Lee protocol). Let B2n be the group ... |

153 | An algebraic method for public-key cryptography
- Anshel, Anshel, et al.
- 1999
Citation Context ...blem in a braid group rather than the conjugacy search problem. 1. Introduction Braid group cryptography has attracted a lot of attention recently due to several suggested key exchange protocols (see [1, 10]) using braid groups as a platform. We refer to [2] for more information on braid groups. Here we start out by giving a brief description of the Ko, Lee et al. key exchange protocol (subsequently call... |

126 | New public-key cryptosystem using braid group
- Ko, Lee, et al.
- 2000
Citation Context ...TOCOL ALEXEI MYASNIKOV, VLADIMIR SHPILRAIN, AND ALEXANDER USHAKOV Abstract. In this paper we present a practical heuristic attack on the Ko, Lee et al. key exchange protocol introduced at Crypto 2000 [10]. One of the ideas behind our attack is using Dehornoy’s handle reduction method as a counter measure to diffusion provided by the Garside normal form, and as a tool for simplifying braid words. Anoth... |

104 | Word processing in groups, Jones and Bartlett - Epstein, Cannon, et al. - 1992 |

48 | A practical attack on some braid group based cryptographic primitives
- Hofheinz, Steinwandt
- 2003
Citation Context ...he role of a diffusion algorithm. We show (experimentally) that Dehornoy’s algorithm can be used to weaken the diffusion and make the protocol vulnerable to a special kind of length based attack (see [6, 7, 8] for different versions of length based attacks). 2. Converting Garside normal forms to words The Garside normal form of an element a ∈ Bn is the pair (k, (ξ1, . . . , ξm)), where k ∈ Z and (ξ1, . . .... |

42 | Length-based attacks for certain group based encryption rewriting systems
- Hughes, Tannenbaum
- 2000
Citation Context ...he role of a diffusion algorithm. We show (experimentally) that Dehornoy’s algorithm can be used to weaken the diffusion and make the protocol vulnerable to a special kind of length based attack (see [6, 7, 8] for different versions of length based attacks). 2. Converting Garside normal forms to words The Garside normal form of an element a ∈ Bn is the pair (k, (ξ1, . . . , ξm)), where k ∈ Z and (ξ1, . . .... |

40 | A fast method for comparing braids
- Dehornoy
- 1997
Citation Context ...rch problem [3], but the authors of [3] acknowledge themselves that their attack is not practical and, in fact, has not been implemented. Another idea employed in our attack is using Dehornoy’s forms [4] for recovering words from Garside normal forms and for solving the decomposition problem. In the Ko-Lee protocol, Garside’s algorithm for converting braid words into normal forms plays the role of a ... |

27 | A polynomial time algorithm for the braid Diffie-Hellman conjugacy problem
- Cheon, Jun
- 2003
Citation Context ...ck program was over 96%; see Section 5 for more details. We note that there is a polynomial-time deterministic attack on the Ko-Lee protocol based on solving a variant of the conjugacy search problem [3], but the authors of [3] acknowledge themselves that their attack is not practical and, in fact, has not been implemented. Another idea employed in our attack is using Dehornoy’s forms [4] for recover... |

27 | The set of minimal braids is co-NP-complete
- Paterson, Razborov
- 1991
Citation Context ... > 1), xixi+1xi = xi+1xixi+1〉 be its standard presentation. Let w be a word in generators of Bn and their inverses. The problem of computing a geodesic word for w in B∞ was shown to be NP-complete in [11]. It is known however (see e.g. [9, 14]) that many NP-complete problems have polynomial time generic- or average-case solutions, or have good approximate solutions. In this section we present heuristi... |

20 | Average-case complexity for the word and membership problems
- Kapovich, Myasnikov, et al.
- 2005
Citation Context ... standard presentation. Let w be a word in generators of Bn and their inverses. The problem of computing a geodesic word for w in B∞ was shown to be NP-complete in [11]. It is known however (see e.g. [9, 14]) that many NP-complete problems have polynomial time generic- or average-case solutions, or have good approximate solutions. In this section we present heuristic algorithms for approximating geodesic... |

20 | The conjugacy search problem in public key cryptography: unnecessary and insufficient.
- Shpilrain, Ushakov
- 2006
Citation Context ...e conjugacy search problem in B2n which is: for a given pair of words w1, w2 such that w1 is conjugate to w2 in B2n, find a conjugator, i.e. a word x such that w1 = x −1 w2x. However, it was shown in [12] that solving the conjugacy search problem is not necessary to break the Ko-Lee protocol. More precisely, it was shown that for an adversary to get the shared secret key, it is sufficient to find a pa... |

19 | Combinatorial group theory and public key cryptography. - Shpilrain, Zapata - 2006 |

8 | Average-case computational complexity theory, in Complexity Theory Retrospective 2
- Wang
- 1997
Citation Context ... standard presentation. Let w be a word in generators of Bn and their inverses. The problem of computing a geodesic word for w in B∞ was shown to be NP-complete in [11]. It is known however (see e.g. [9, 14]) that many NP-complete problems have polynomial time generic- or average-case solutions, or have good approximate solutions. In this section we present heuristic algorithms for approximating geodesic... |