On the cryptanalysis of the generalized simultaneous conjugacy search problem and the security of the Algebraic Eraser

The Algebraic Eraser (AE) is a cryptographic primitive that can be used to obscure information in certain algebraic cryptosystems. The Colored Burau Key Agreement Protocol (CBKAP), which is built on the AE, was introduced by I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux in 2006 as a protocol suitable for use on platforms with constrained computational resources, such as RFID and wireless sensors. In 2009 A. Myasnikov and A. Ushnakov proposed an attack on CBKAP that attempts to defeat the generalized simultaneous conjugacy search problem, which is the public-key computational problem underlying CBKAP. In this paper we investigate the effectiveness of this attack. Our findings are that success of the attack only comes from applying it to short keys, and that with appropriate keys the attack fails in 100% of cases and does not pose a threat against CBKAP. Moreover, the attack makes assumptions about CBKAP that do not hold in practical implementations, and thus does not represent a threat to the use of CBKAP in applications

Defeating the Kalka--Teicher--Tsaban linear algebra attack on the Algebraic Eraser

The Algebraic Eraser (AE) is a public key protocol for sharing information over an insecure channel using commutative and noncommutative groups; a concrete realization is given by Colored Burau Key Agreement Protocol (CBKAP). In this paper, we describe how to choose data in CBKAP to thwart an attack by Kalka--Teicher--Tsaban

Short expressions of permutations as products and cryptanalysis of the Algebraic Eraser

On March 2004, Anshel, Anshel, Goldfeld, and Lemieux introduced the \emph{Algebraic Eraser} scheme for key agreement over an insecure channel, using a novel hybrid of infinite and finite noncommutative groups. They also introduced the \emph{Colored Burau Key Agreement Protocol (CBKAP)}, a concrete realization of this scheme. We present general, efficient heuristic algorithms, which extract the shared key out of the public information provided by CBKAP. These algorithms are, according to heuristic reasoning and according to massive experiments, successful for all sizes of the security parameters, assuming that the keys are chosen with standard distributions. Our methods come from probabilistic group theory (permutation group actions and expander graphs). In particular, we provide a simple algorithm for finding short expressions of permutations in $S_n$, as products of given random permutations. Heuristically, our algorithm gives expressions of length $O(n^2\log n)$, in time and space $O(n^3)$. Moreover, this is provable from \emph{the Minimal Cycle Conjecture}, a simply stated hypothesis concerning the uniform distribution on $S_n$. Experiments show that the constants in these estimations are small. This is the first practical algorithm for this problem for $n\ge 256$. Remark: \emph{Algebraic Eraser} is a trademark of SecureRF. The variant of CBKAP actually implemented by SecureRF uses proprietary distributions, and thus our results do not imply its vulnerability. See also arXiv:abs/12020598Comment: Final version, accepted to Advances in Applied Mathematics. Title slightly change

Analysis of a Group of Automorphisms of a Free Group as a Platform for Conjugacy-Based Group Cryptography

Let F be a finitely generated free group and Aut(F) its group of automorphisms. In this monograph we discuss potential uses of Aut(F) in group-based cryptography. Our main focus is on using Aut(F) as a platform group for the Anshel-Anshel-Goldfeld protocol, Ko-Lee protocol, and other protocols based on different versions of the conjugacy search problem or decomposition problem, such as Shpilrain-Ushakov protocol. We attack the Anshel-Anshel-Goldfeld and Ko-Lee protocols by adapting the existing types of the length-based attack to the specifics of Aut(F). We also present our own version of the length-based attack that significantly increases the attack\u27 success rate. After discussing attacks, we discuss the ways to make keys from Aut(F) resistant to the different versions of length-based attacks including our own