
    Assessing security of some group based cryptosystems

    One of the possible generalizations of the discrete logarithm problem to arbitrary groups is the so-called conjugacy search problem (sometimes erroneously called just the conjugacy problem): given two elements a, b of a group G and the information that a^x = b for some x ∈ G, find at least one particular element x like that. Here a^x stands for xax^{-1}. The computational difficulty of this problem in some particular groups has been used in several group based cryptosystems. Recently, a few preprints have been in circulation that suggested various "neighbourhood search" type heuristic attacks on the conjugacy search problem. The goal of the present survey is to stress a (probably well known) fact that these heuristic attacks alone are not a threat to the security of a cryptosystem, and, more importantly, to suggest a more credible approach to assessing security of group based cryptosystems. Such an approach should be necessarily based on the concept of the average case complexity (or expected running time) of an algorithm. These arguments support the following conclusion: although it is generally feasible to base the security of a cryptosystem on the difficulty of the conjugacy search problem, the group G itself (the "platform") has to be chosen very carefully. In particular, experimental as well as theoretical evidence collected so far makes it appear likely that braid groups are not a good choice for the platform. We also reflect on possible replacements.
    Comment: 10 pages

    Search and witness problems in group theory

    Decision problems are problems of the following nature: given a property P and an object O, find out whether or not the object O has the property P. On the other hand, witness problems are: given a property P and an object O with the property P, find a proof of the fact that O indeed has the property P. On the third hand(?!), search problems are of the following nature: given a property P and an object O with the property P, find something "material" establishing the property P; for example, given two conjugate elements of a group, find a conjugator. In this survey our focus is on various search problems in group theory, including the word search problem, the subgroup membership search problem, the conjugacy search problem, and others.

    Automorphisms of one-relator groups

    It is a well-known fact that every group G has a presentation of the form G = F/R, where F is a free group and R the kernel of the natural epimorphism from F onto G. Driven by the desire to obtain a similar presentation of the group of automorphisms Aut(G), we can consider the subgroup Stab(R) ⊆ Aut(F) of those automorphisms of F that stabilize R, and try to figure out if the natural homomorphism Stab(R) → Aut(G) is onto, and if it is, to determine its kernel. Both parts of this task are usually quite hard. The former part received considerable attention in the past, whereas the latter, more difficult, part (determining the kernel) seemed unapproachable. Here we approach this problem for a class of one-relator groups with a special kind of small cancellation condition. Then, we address a somewhat easier case of 2-generator (not necessarily one-relator) groups, and determine the kernel of the above mentioned homomorphism for a rather general class of those groups.
    Comment: LaTeX file, 8 pages

    Using decision problems in public key cryptography

    There are several public key establishment protocols as well as complete public key cryptosystems based on allegedly hard problems from combinatorial (semi)group theory known by now. Most of these problems are search problems, i.e., they are of the following nature: given a property P and the information that there are objects with the property P, find at least one particular object with the property P. So far, no cryptographic protocol based on a search problem in a non-commutative (semi)group has been recognized as secure enough to be a viable alternative to established protocols (such as RSA) based on commutative (semi)groups, although most of these protocols are more efficient than RSA is. In this paper, we suggest using decision problems from combinatorial group theory as the core of a public key establishment protocol or a public key cryptosystem. By using a popular decision problem, the word problem, we design a cryptosystem with the following features: (1) Bob transmits to Alice an encrypted binary sequence which Alice decrypts correctly with probability "very close" to 1; (2) the adversary, Eve, who is granted arbitrarily high (but fixed) computational speed, cannot positively identify (at least, in theory), by using a "brute force attack", the "1" or "0" bits in Bob's binary sequence. In other words: no matter what computational speed we grant Eve at the outset, there is no guarantee that her "brute force attack" program will give a conclusive answer (or an answer which is correct with overwhelming probability) about any bit in Bob's sequence.
    Comment: 12 pages

    Embeddings of curves in the plane

    In this paper, we contribute toward a classification of two-variable polynomials by classifying (up to an automorphism of C^2) polynomials whose Newton polygon is either a triangle or a line segment. Our classification has several applications to the study of embeddings of algebraic curves in the plane. In particular, we show that for any k ≥ 2, there is an irreducible curve with one place at infinity, which has at least k inequivalent embeddings in C^2. Also, upon combining our method with a well-known theorem of Zaidenberg and Lin, we show that one can decide "almost" just by inspection whether or not a polynomial fiber is an irreducible simply connected curve.
    Comment: 11 pages

    Combinatorial group theory and public key cryptography

    After some excitement generated by recently suggested public key exchange protocols due to Anshel-Anshel-Goldfeld and Ko-Lee et al., it is a prevalent opinion now that the conjugacy search problem is unlikely to provide a sufficient level of security if a braid group is used as the platform. In this paper we address the following questions: (1) whether choosing a different group, or a class of groups, can remedy the situation; (2) whether some other "hard" problem from combinatorial group theory can be used, instead of the conjugacy search problem, in a public key exchange protocol. Another question that we address here, although somewhat vague, is likely to become a focus of future research in public key cryptography based on symbolic computation: (3) whether one can efficiently disguise an element of a given group (or a semigroup) by using defining relations.
    Comment: 12 pages