12 research outputs found
Assessing security of some group based cryptosystems
One of the possible generalizations of the discrete logarithm problem to
arbitrary groups is the so-called conjugacy search problem (sometimes
erroneously called just the conjugacy problem): given two elements a, b of a
group G and the information that a^x=b for some x \in G, find at least one
particular element x like that. Here a^x stands for xax^{-1}. The computational
difficulty of this problem in some particular groups has been used in several
group based cryptosystems. Recently, a few preprints have been in circulation
that suggested various "neighbourhood search" type heuristic attacks on the
conjugacy search problem. The goal of the present survey is to stress a
(probably well known) fact that these heuristic attacks alone are not a threat
to the security of a cryptosystem, and, more importantly, to suggest a more
credible approach to assessing security of group based cryptosystems. Such an
approach should be necessarily based on the concept of the average case
complexity (or expected running time) of an algorithm.
These arguments support the following conclusion: although it is generally
feasible to base the security of a cryptosystem on the difficulty of the
conjugacy search problem, the group G itself (the "platform") has to be chosen
very carefully. In particular, experimental as well as theoretical evidence
collected so far makes it appear likely that braid groups are not a good choice
for the platform. We also reflect on possible replacements.Comment: 10 page
Length-based cryptanalysis: The case of Thompson's Group
The length-based approach is a heuristic for solving randomly generated
equations in groups which possess a reasonably behaved length function. We
describe several improvements of the previously suggested length-based
algorithms, that make them applicable to Thompson's group with significant
success rates. In particular, this shows that the Shpilrain-Ushakov public key
cryptosystem based on Thompson's group is insecure, and suggests that no
practical public key cryptosystem based on this group can be secure.Comment: Final version, to appear in JM
Combinatorial group theory and public key cryptography
After some excitement generated by recently suggested public key exchange
protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al., it is a prevalent
opinion now that the conjugacy search problem is unlikely to provide sufficient
level of security if a braid group is used as the platform. In this paper we
address the following questions: (1) whether choosing a different group, or a
class of groups, can remedy the situation; (2) whether some other "hard"
problem from combinatorial group theory can be used, instead of the conjugacy
search problem, in a public key exchange protocol. Another question that we
address here, although somewhat vague, is likely to become a focus of the
future research in public key cryptography based on symbolic computation: (3)
whether one can efficiently disguise an element of a given group (or a
semigroup) by using defining relations.Comment: 12 page
Cryptanalysis of group-based key agreement protocols using subgroup distance functions
We introduce a new approach for cryptanalysis of key agreement protocols
based on noncommutative groups. This approach uses functions that estimate the
distance of a group element to a given subgroup. We test it against the
Shpilrain-Ushakov protocol, which is based on Thompson's group F
On the rational subset problem for groups
We use language theory to study the rational subset problem for groups and
monoids. We show that the decidability of this problem is preserved under graph
of groups constructions with finite edge groups. In particular, it passes
through free products amalgamated over finite subgroups and HNN extensions with
finite associated subgroups. We provide a simple proof of a result of
Grunschlag showing that the decidability of this problem is a virtual property.
We prove further that the problem is decidable for a direct product of a group
G with a monoid M if and only if membership is uniformly decidable for
G-automata subsets of M. It follows that a direct product of a free group with
any abelian group or commutative monoid has decidable rational subset
membership.Comment: 19 page
A new cramer-shoup like methodology for group based provably secure encryption schemes
Proceedings of: TCC 2005: Theory of Cryptography Conference, 10-12 February 2005, Cambridge, MA, USA.A theoretical framework for the design of - in the sense of IND-CCA - provably secure public key cryptosystems taking non-abelian groups as a base is given. Our construction is inspired by Cramer and Shoup's general framework for developing secure encryption schemes from certain language membership problems; thus all our proofs are in the standard model, without any idealization assumptions. The skeleton we present is conceived as a guiding tool towards the construction of secure concrete schemes from finite non-abelian groups (although it is possible to use it also in conjunction with finite abelian groups)