#### DMCA

## Length-based cryptanalysis: The case of Thompson’s Group

### Cached

### Download Links

Venue: | Journal of Mathematical Cryptology |

Citations: | 9 - 4 self |

### Citations

250 |
Introductory notes on Richard Thompson’s groups,
- Cannon, Floyd, et al.
- 1996
(Show Context)
Citation Context ...tions: (1) F = 〈 x0, x1, x2, . . . | x −1 i xkxi = xk+1 (k > i) 〉 Throughout, by atom we mean a generator xi (a positive atom) or its inverse (a negative atom). Each w ∈ F admits a unique normal form =-=[2]-=- w = xi1 · · ·xirx −1 · · ·x jt −1 j1 , where i1 ≤ · · · ≤ ir, j1 ≤ · · · ≤ jt, and if xi and x −1 i both occur in this form, then either xi+1 or x −1 i+1 occurs as well. The transformation of an elem... |

153 | An algebraic method for public-key cryptography,
- Anshel, Anshel, et al.
- 1999
(Show Context)
Citation Context ...s suggested in [3], and the method was extended in [4] to imply high success rates for subgroups of the braid group, which are of the type considered in some previously suggested cryptosystems (e.g., =-=[1]-=-). This length-based cryptanalysis usually has smaller success rates than specialized attacks, but it has the advantage of being generic in the sense that, if there is a good length function on a grou... |

42 | Length-based attacks for certain group based encryption rewriting systems
- Hughes, Tannenbaum
- 2000
(Show Context)
Citation Context ...als and suggesting alternative ones (some examples are given in our bibliography and in the references therein). One possible approach for attacking such systems was outlined by Hughes and Tannenbaum =-=[5]-=-. This approach relies on the existence of a good length function on the underlying group, i.e., a function ℓ(g) that tends to grow as the number of generators multiplied to obtain g grows. Such a len... |

34 | The chameleon groups of Richards J. Thompson: automorphisms and dynamics
- Brin
- 1996
(Show Context)
Citation Context ...Φ| is large, then we are likely to succeed. In the case of Thompson’s group F, the family of automorphisms is well understood (they are all conjugations by elements of some well defined larger group) =-=[2]-=-. However, since we are interested in “generic” attacks, we considered only inner automorphisms. 8.1. Results. All experiments were run for parameters s = 3, L = 256 and without memory extensions (M =... |

25 | Thompson’s group and public key cryptography,”
- Shpilrain, Ushakov
- 2005
(Show Context)
Citation Context ...nderlying subgroup has few relations, i.e., it is not too far from the free group. In 2004, Shpilrain and Ushakov proposed a key exchange protocol that uses Richard Thompson’s group F as its platform =-=[10]-=-. The particular subgroups suggested for the protocol have many relations and indeed, Shpilrain and Ushakov report a complete failure of a length-based attack on their cryptosystem [10]. In the sequel... |

20 | The conjugacy search problem in public key cryptography: unnecessary and insufficient.
- Shpilrain, Ushakov
- 2006
(Show Context)
Citation Context ...ent setting. 9. Alternative solutions Thus far, we have concentrated on the problem: Given w and awb, find the original a, or rather, a short list containing a. But as Shpilrain and Ushakov point out =-=[12]-=-, it suffices to solve the following.10 DIMA RUINSKIY, ADI SHAMIR, AND BOAZ TSABAN Problem 1 (Decomposition). Given w ∈ F and u = awb where a ∈ A and b ∈ B, find some elements ã ∈ A and ˜ b ∈ B, such... |

16 | Assessing security of some group based cryptosystems. In: Group theory, statistics, and cryptography,
- Shpilrain
- 2004
(Show Context)
Citation Context ... algorithms. Our main aim is to obtain generic algorithms that will also work when other groups are used, or when Thompson’s group is used in a different way. Iterability. As pointed out by Shpilrain =-=[9]-=-, there is a very simple fix for key agreement protocols that are broken in probability less than p: Agree on k independent keys in parallel, and xor them all to obtained the shared key. The probabili... |

12 |
Length-based conjugacy search
- Garber, Kaplan, et al.
(Show Context)
Citation Context ... i.e., a function ℓ(g) that tends to grow as the number of generators multiplied to obtain g grows. Such a length function can be used to solve, heuristically, arbitrary random equations in the group =-=[3]-=-. In the case of the braid group, a practical realization of this approach was suggested in [3], and the method was extended in [4] to imply high success rates for subgroups of the braid group, which ... |

5 | The Shpilrain-Ushakov Protocol for Thompson’s Group F is always breakable, preprint
- Matucci
(Show Context)
Citation Context ...ved attack was announced in the CGC Bulletin on March 2006 [8]. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced by Matucci =-=[6]-=-. The main contribution of the present paper is thus the generalization of the length-based algorithms to make them applicable to a wider class of groups. Moreover, while our general attack can be eas... |

4 |
Cryptanalysis of the Shpilrain-Ushakov Thompson group cryptosystem (preliminary announcement
- Ruinskiy, Shamir, et al.
- 2005
(Show Context)
Citation Context ...re form the first practical cryptanalysis of the Shpilrain-Ushakov cryptosystem: The first version of our attack was announced in the Bochum Workshop Algebraic Methods in Cryptography (November 2005) =-=[7]-=-. An improved attack was announced in the CGC Bulletin on March 2006 [8]. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced b... |

2 |
A substantial improvement on the decomposition problem
- Ruinskiy, Shamir, et al.
(Show Context)
Citation Context ...osystem: The first version of our attack was announced in the Bochum Workshop Algebraic Methods in Cryptography (November 2005) [7]. An improved attack was announced in the CGC Bulletin on March 2006 =-=[8]-=-. While we were finalizing our paper for publication, a very elegant specialized attack on the same cryptosystem was announced by Matucci [6]. The main contribution of the present paper is thus the ge... |

1 |
conjugacy search in the Braid group
- Length-based
- 2006
(Show Context)
Citation Context ...i1 · · · g±1it . After computing the length of each of the peeled-off results, one takes only the first generator of the leading t-tuple, and repeats the process. This is called look-ahead of depth t =-=[6, 5]-=-. The complexity of this approach grows exponentially with t. In order to compare this approach with the memory approach, we should compare attacks using roughly the same number of operations. The pro... |