Short expressions of permutations as products and cryptanalysis of the Algebraic Eraser

On March 2004, Anshel, Anshel, Goldfeld, and Lemieux introduced the \emph{Algebraic Eraser} scheme for key agreement over an insecure channel, using a novel hybrid of infinite and finite noncommutative groups. They also introduced the \emph{Colored Burau Key Agreement Protocol (CBKAP)}, a concrete realization of this scheme. We present general, efficient heuristic algorithms, which extract the shared key out of the public information provided by CBKAP. These algorithms are, according to heuristic reasoning and according to massive experiments, successful for all sizes of the security parameters, assuming that the keys are chosen with standard distributions. Our methods come from probabilistic group theory (permutation group actions and expander graphs). In particular, we provide a simple algorithm for finding short expressions of permutations in $S_n$, as products of given random permutations. Heuristically, our algorithm gives expressions of length $O(n^2\log n)$, in time and space $O(n^3)$. Moreover, this is provable from \emph{the Minimal Cycle Conjecture}, a simply stated hypothesis concerning the uniform distribution on $S_n$. Experiments show that the constants in these estimations are small. This is the first practical algorithm for this problem for $n\ge 256$. Remark: \emph{Algebraic Eraser} is a trademark of SecureRF. The variant of CBKAP actually implemented by SecureRF uses proprietary distributions, and thus our results do not imply its vulnerability. See also arXiv:abs/12020598Comment: Final version, accepted to Advances in Applied Mathematics. Title slightly change

How long does it take to generate a group?

The diameter of a finite group $G$ with respect to a generating set $A$ is the smallest non-negative integer $n$ such that every element of $G$ can be written as a product of at most $n$ elements of $A \cup A^{-1}$. We denote this invariant by \diam_A(G). It can be interpreted as the diameter of the Cayley graph induced by $A$ on $G$ and arises, for instance, in the context of efficient communication networks. In this paper we study the diameters of a finite abelian group $G$ with respect to its various generating sets $A$. We determine the maximum possible value of \diam_A(G) and classify all generating sets for which this maximum value is attained. Also, we determine the maximum possible cardinality of $A$ subject to the condition that \diam_A(G) is "not too small". Connections with caps, sum-free sets, and quasi-perfect codes are discussed

Diameters of Chevalley groups over local rings

Let G be a Chevalley group scheme of rank l. We show that the following holds for some absolute constant d>0 and two functions p_0=p_0(l) and C=C(l,p). Let p>p_0 be a prime number and let G_n:=G(\Z/p^n\Z) be the family of finite groups for n>0. Then for any n>0 and any subset S which generates G_n we have diam(G_n,S)< C n^d, i.e., any element of G_n is a product of Cn^d elements from S\cup S^{-1}. In particular, for some C'=C'(l,p) and for any n>0 we have, diam(G_n,S)< C' log^d(|G_n|). Our proof is elementary and effective, in the sense that the constant d and the functions p_0(l) and C(l,p) are calculated explicitly. Moreover, there exists an efficient algorithm to compute a short path between any two vertices in any Cayley graph of the groups G_n.Comment: 8 page

A Sharp Diameter Bound for Unipotent Groups of Classical Type Overℤ /pℤ

The unipotent subgroup of a finite group of Lie type over a prime field Fp comes equipped with a natural set of generators; the properties of the Cayley graph associated to this set of generators have been much studied. In the present paper, we show that the diameter of this Cayley graph is bounded above and below by constant multiples of np + n2 log p, where n is the rank of the associated Lie group. This generalizes the result of Ellenberg, A sharp diameter bound for an upper triangular matrix group, Harvard University, 1993, which treated the case of SLn(Fp)