Citation Context

...tions: (1) F = 〈 x0, x1, x2, . . . | x −1 i xkxi = xk+1 (k > i) 〉 Throughout, by atom we mean a generator xi (a positive atom) or its inverse (a negative atom). Each w ∈ F admits a unique normal form =-=[2]-=- w = xi1 · · ·xirx −1 · · ·x jt −1 j1 , where i1 ≤ · · · ≤ ir, j1 ≤ · · · ≤ jt, and if xi and x −1 i both occur in this form, then either xi+1 or x −1 i+1 occurs as well. The transformation of an elem...

Citation Context

...s suggested in [3], and the method was extended in [4] to imply high success rates for subgroups of the braid group, which are of the type considered in some previously suggested cryptosystems (e.g., =-=[1]-=-). This length-based cryptanalysis usually has smaller success rates than specialized attacks, but it has the advantage of being generic in the sense that, if there is a good length function on a grou...

Citation Context

...als and suggesting alternative ones (some examples are given in our bibliography and in the references therein). One possible approach for attacking such systems was outlined by Hughes and Tannenbaum =-=[5]-=-. This approach relies on the existence of a good length function on the underlying group, i.e., a function ℓ(g) that tends to grow as the number of generators multiplied to obtain g grows. Such a len...

Citation Context

...Φ| is large, then we are likely to succeed. In the case of Thompson’s group F, the family of automorphisms is well understood (they are all conjugations by elements of some well defined larger group) =-=[2]-=-. However, since we are interested in “generic” attacks, we considered only inner automorphisms. 8.1. Results. All experiments were run for parameters s = 3, L = 256 and without memory extensions (M =...

Citation Context

...nderlying subgroup has few relations, i.e., it is not too far from the free group. In 2004, Shpilrain and Ushakov proposed a key exchange protocol that uses Richard Thompson’s group F as its platform =-=[10]-=-. The particular subgroups suggested for the protocol have many relations and indeed, Shpilrain and Ushakov report a complete failure of a length-based attack on their cryptosystem [10]. In the sequel...

Citation Context

...ent setting. 9. Alternative solutions Thus far, we have concentrated on the problem: Given w and awb, find the original a, or rather, a short list containing a. But as Shpilrain and Ushakov point out =-=[12]-=-, it suffices to solve the following.10 DIMA RUINSKIY, ADI SHAMIR, AND BOAZ TSABAN Problem 1 (Decomposition). Given w ∈ F and u = awb where a ∈ A and b ∈ B, find some elements ã ∈ A and ˜ b ∈ B, such...

Citation Context

... algorithms. Our main aim is to obtain generic algorithms that will also work when other groups are used, or when Thompson’s group is used in a different way. Iterability. As pointed out by Shpilrain =-=[9]-=-, there is a very simple fix for key agreement protocols that are broken in probability less than p: Agree on k independent keys in parallel, and xor them all to obtained the shared key. The probabili...

Citation Context

... i.e., a function ℓ(g) that tends to grow as the number of generators multiplied to obtain g grows. Such a length function can be used to solve, heuristically, arbitrary random equations in the group =-=[3]-=-. In the case of the braid group, a practical realization of this approach was suggested in [3], and the method was extended in [4] to imply high success rates for subgroups of the braid group, which ...

Citation Context

...ved attack was announced in the CGC Bulletin on March 2006 [8]. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced by Matucci =-=[6]-=-. The main contribution of the present paper is thus the generalization of the length-based algorithms to make them applicable to a wider class of groups. Moreover, while our general attack can be eas...

Citation Context

...re form the first practical cryptanalysis of the Shpilrain-Ushakov cryptosystem: The first version of our attack was announced in the Bochum Workshop Algebraic Methods in Cryptography (November 2005) =-=[7]-=-. An improved attack was announced in the CGC Bulletin on March 2006 [8]. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced b...

Citation Context

...osystem: The first version of our attack was announced in the Bochum Workshop Algebraic Methods in Cryptography (November 2005) [7]. An improved attack was announced in the CGC Bulletin on March 2006 =-=[8]-=-. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced by Matucci [6]. The main contribution of the present paper is thus the ge...

Citation Context

...i1 · · · g±1it . After computing the length of each of the peeled-off results, one takes only the first generator of the leading t-tuple, and repeats the process. This is called look-ahead of depth t =-=[6, 5]-=-. The complexity of this approach grows exponentially with t. In order to compare this approach with the memory approach, we should compare attacks using roughly the same number of operations. The pro...