601 research outputs found

    On the cycling operation in braid groups

    The cycling operation is a special kind of conjugation that can be applied to elements in Artin's braid groups, in order to reduce their length. It is a key ingredient of the usual solutions to the conjugacy problem in braid groups. In their seminal paper on braid-cryptography, Ko, Lee et al. proposed the "cycling problem" as a hard problem in braid groups that could be interesting for cryptography. In this paper we give a polynomial solution to that problem, mainly by showing that cycling is surjective, and using a result by Maffre which shows that pre-images under cycling can be computed fast. This result also holds in every Artin-Tits group of spherical type. On the other hand, the conjugacy search problem in braid groups is usually solved by computing some finite sets called (left) ultra summit sets (left-USS), using left normal forms of braids. But one can equally use right normal forms and compute right-USS's. Hard instances of the conjugacy search problem correspond to elements having big (left and right) USS's. One may think that even if some element has a big left-USS, it could possibly have a small right-USS. We show that this is not the case in the important particular case of rigid braids. More precisely, we show that the left-USS and the right-USS of a given rigid braid determine isomorphic graphs, with the arrows reversed, the isomorphism being defined using iterated cycling. We conjecture that the same is true for every element, not necessarily rigid, in braid groups and Artin-Tits groups of spherical type. Comment: 20 page

    Conjugacy in Garside Groups III: Periodic braids

    An element in Artin's braid group B_n is said to be periodic if some power of it lies in the center of B_n. In this paper we prove that all previously known algorithms for solving the conjugacy search problem in B_n are exponential in the braid index n for the special case of periodic braids. We overcome this difficulty by putting to work several known isomorphisms between Garside structures in the braid group B_n and other Garside groups. This allows us to obtain a polynomial solution to the original problem in the spirit of the previously known algorithms. This paper is the third in a series of papers by the same authors about the conjugacy problem in Garside groups. They have a unified goal: the development of a polynomial algorithm for the conjugacy decision and search problems in B_n, which generalizes to other Garside groups whenever possible. It is our hope that the methods introduced here will allow the generalization of the results in this paper to all Artin-Tits groups of spherical type. Comment: 33 pages, 13 figures. Classical references implying Corollaries 12 and 15 have been added. To appear in Journal of Algebr

    Improving an algorithm to solve multiple simultaneous conjugacy problems in braid groups

    There are recent cryptographic protocols that are based on Multiple Simultaneous Conjugacy Problems in braid groups. We improve an algorithm, due to Sang Jin Lee and Eonkyung Lee, to solve these problems, by applying a method developed by the author and Nuno Franco, originally intended to solve the Conjugacy Search Problem in braid groups.

    Conjugacy in Garside groups I: Cyclings, powers, and rigidity

    In this paper a relation between iterated cyclings and iterated powers of elements in a Garside group is shown. This yields a characterization of elements in a Garside group having a rigid power, where 'rigid' means that the left normal form changes only in the obvious way under cycling and decycling. It is also shown that, given X in a Garside group, if some power X^m is conjugate to a rigid element, then m can be bounded above by ||\Delta||^3. In the particular case of braid groups, this implies that a pseudo-Anosov braid has a small power whose ultra summit set consists of rigid elements. This solves one of the problems in the way of a polynomial solution to the conjugacy decision problem (CDP) and the conjugacy search problem (CSP) in braid groups. In addition to proving the rigidity theorem, it will be shown how this paper fits into the authors' program for finding a polynomial algorithm to the CDP/CSP, and what remains to be done. Comment: 41 page

    Assessing security of some group based cryptosystems

    One of the possible generalizations of the discrete logarithm problem to arbitrary groups is the so-called conjugacy search problem (sometimes erroneously called just the conjugacy problem): given two elements a, b of a group G and the information that a^x=b for some x \in G, find at least one particular element x like that. Here a^x stands for xax^{-1}. The computational difficulty of this problem in some particular groups has been used in several group based cryptosystems. Recently, a few preprints have been in circulation that suggested various "neighbourhood search" type heuristic attacks on the conjugacy search problem. The goal of the present survey is to stress a (probably well known) fact that these heuristic attacks alone are not a threat to the security of a cryptosystem, and, more importantly, to suggest a more credible approach to assessing security of group based cryptosystems. Such an approach should be necessarily based on the concept of the average case complexity (or expected running time) of an algorithm. These arguments support the following conclusion: although it is generally feasible to base the security of a cryptosystem on the difficulty of the conjugacy search problem, the group G itself (the "platform") has to be chosen very carefully. In particular, experimental as well as theoretical evidence collected so far makes it appear likely that braid groups are not a good choice for the platform. We also reflect on possible replacements. Comment: 10 page

    On the genericity of pseudo-Anosov braids II: conjugations to rigid braids

    We prove that generic elements of braid groups are pseudo-Anosov, in the following sense: in the Cayley graph of the braid group with n \ge 3 strands, with respect to Garside's generating set, we prove that the proportion of pseudo-Anosov braids in the ball of radius l tends to 1 exponentially quickly as l tends to infinity. Moreover, with a similar notion of genericity, we prove that for generic pairs of elements of the braid group, the conjugacy search problem can be solved in quadratic time. The idea behind both results is that generic braids can be conjugated "easily" into a rigid braid.