12 research outputs found

    Assessing security of some group based cryptosystems

    One of the possible generalizations of the discrete logarithm problem to arbitrary groups is the so-called conjugacy search problem (sometimes erroneously called just the conjugacy problem): given two elements a, b of a group G and the information that a^x=b for some x \in G, find at least one particular element x like that. Here a^x stands for xax^{-1}. The computational difficulty of this problem in some particular groups has been used in several group based cryptosystems. Recently, a few preprints have been in circulation that suggested various "neighbourhood search" type heuristic attacks on the conjugacy search problem. The goal of the present survey is to stress a (probably well known) fact that these heuristic attacks alone are not a threat to the security of a cryptosystem, and, more importantly, to suggest a more credible approach to assessing security of group based cryptosystems. Such an approach should be necessarily based on the concept of the average case complexity (or expected running time) of an algorithm. These arguments support the following conclusion: although it is generally feasible to base the security of a cryptosystem on the difficulty of the conjugacy search problem, the group G itself (the "platform") has to be chosen very carefully. In particular, experimental as well as theoretical evidence collected so far makes it appear likely that braid groups are not a good choice for the platform. We also reflect on possible replacements. Comment: 10 pages

    Length-based cryptanalysis: The case of Thompson's Group

    The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the previously suggested length-based algorithms, that make them applicable to Thompson's group with significant success rates. In particular, this shows that the Shpilrain-Ushakov public key cryptosystem based on Thompson's group is insecure, and suggests that no practical public key cryptosystem based on this group can be secure. Comment: Final version, to appear in JM

    Combinatorial group theory and public key cryptography

    After some excitement generated by recently suggested public key exchange protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide sufficient level of security if a braid group is used as the platform. In this paper we address the following questions: (1) whether choosing a different group, or a class of groups, can remedy the situation; (2) whether some other "hard" problem from combinatorial group theory can be used, instead of the conjugacy search problem, in a public key exchange protocol. Another question that we address here, although somewhat vague, is likely to become a focus of the future research in public key cryptography based on symbolic computation: (3) whether one can efficiently disguise an element of a given group (or a semigroup) by using defining relations. Comment: 12 pages

    Cryptanalysis of group-based key agreement protocols using subgroup distance functions

    We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given subgroup. We test it against the Shpilrain-Ushakov protocol, which is based on Thompson's group F

    On the rational subset problem for groups

    We use language theory to study the rational subset problem for groups and monoids. We show that the decidability of this problem is preserved under graph of groups constructions with finite edge groups. In particular, it passes through free products amalgamated over finite subgroups and HNN extensions with finite associated subgroups. We provide a simple proof of a result of Grunschlag showing that the decidability of this problem is a virtual property. We prove further that the problem is decidable for a direct product of a group G with a monoid M if and only if membership is uniformly decidable for G-automata subsets of M. It follows that a direct product of a free group with any abelian group or commutative monoid has decidable rational subset membership. Comment: 19 pages

    A new Cramer-Shoup like methodology for group based provably secure encryption schemes

    Proceedings of: TCC 2005: Theory of Cryptography Conference, 10-12 February 2005, Cambridge, MA, USA. A theoretical framework for the design of - in the sense of IND-CCA - provably secure public key cryptosystems taking non-abelian groups as a base is given. Our construction is inspired by Cramer and Shoup's general framework for developing secure encryption schemes from certain language membership problems; thus all our proofs are in the standard model, without any idealization assumptions. The skeleton we present is conceived as a guiding tool towards the construction of secure concrete schemes from finite non-abelian groups (although it is possible to use it also in conjunction with finite abelian groups)