Journal of Cryptology, Volume 28, Issue 3, pp 601–622

Polynomial-Time Solutions of Computational Problems in Noncommutative-Algebraic Cryptography

  • Boaz Tsaban


We introduce the linear centralizer method, and use it to devise a provable polynomial-time solution of the Commutator Key Exchange Problem, the computational problem on which, in the passive adversary model, the security of the Anshel–Anshel–Goldfeld (Anshel et al., Math. Res. Lett. 6:287–291, 1999) Commutator key exchange protocol is based. We also apply this method to solve, in polynomial time, the computational problem underlying the Centralizer key exchange protocol, introduced by Shpilrain and Ushakov (Contemp. Math. 418:161–167, 2006).

This is the first provable polynomial-time cryptanalysis of the Commutator key exchange protocol, hitherto the most important key exchange protocol in the realm of noncommutative algebraic cryptography, and the first cryptanalysis (of any kind) of the Centralizer key exchange protocol. Unlike earlier cryptanalyses of the Commutator key exchange protocol, our cryptanalyses cannot be foiled by changing the distributions used in the protocol.

Key words

  • Noncommutative-algebraic cryptography
  • Group theory-based cryptography
  • Braid-based cryptography
  • Commutator key exchange
  • Centralizer key exchange
  • Braid Diffie–Hellman key exchange
  • Linear cryptanalysis
  • Invertibility lemma
  • Schwartz–Zippel lemma
  • Linear centralizer method
  • Braid infimum reduction
  • Algebraic cryptanalysis



I worked on the Commutator KEP, from various other angles, since I was introduced to it at the Hebrew University CS Theory seminar, by Alex Lubotzky [32]. I thank Oleg Bogopolski for inviting me, earlier this year (2012), to deliver a minicourse [37] in the conference Geometric and Combinatorial Group Theory with Applications (Düsseldorf, Germany, July 25–August 3, 2012). Preparing this minicourse, I discovered the linear centralizer attack. Initially, I addressed the Centralizer KEP (Sect. 7). When I moved to consider the Commutator KEP, Arkadius Kalka pointed out an obstacle, mentioned by Shpilrain and Ushakov, that struck me as solvable by linear centralizers. I am indebted to Kalka for making the right comment at the right time.

I also thank David Garber, Arkadius Kalka, and Eliav Levy, and the referees, for comments leading to improvements in the presentation of this paper.


References

[1] B. An, K. Ko, A family of pseudo-Anosov braids with large conjugacy invariant sets. arXiv:1203.2320 (2012)
[2] I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography. Math. Res. Lett. 6, 287–291 (1999)
[3] I. Anshel, M. Anshel, B. Fisher, D. Goldfeld, New key agreement protocols in braid group cryptography, in CT-RSA 2001. Lecture Notes in Computer Science, vol. 2020 (2001), pp. 13–27
[4] L. Babai, R. Beals, Á. Seress, Polynomial-time theory of matrix groups, in ACM STOC (2009), pp. 55–64
[5] S. Bigelow, Braid groups are linear. J. Am. Math. Soc. 14, 471–486 (2001)
[6] J. Birman, T. Brendle, Braids: a survey, in Handbook of Knot Theory, ed. by W. Menasco, M. Thistlethwaite (Elsevier, Amsterdam, 2005), pp. 19–103
[7] J. Cha, K. Ko, S. Lee, J. Han, J. Cheon, An efficient implementation of braid groups, in ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248 (2001), pp. 144–156
[8] J. Cheon, B. Jun, A polynomial time algorithm for the braid Diffie–Hellman conjugacy problem, in CRYPTO 2003. Lecture Notes in Computer Science, vol. 2729 (2003), pp. 212–224
[9] P. Dehornoy, Braid-based cryptography. Contemp. Math. 360, 5–33 (2004)
[10] D. Garber, Braid group cryptography, in Braids: Introductory Lectures on Braids, Configurations and Their Applications, ed. by J. Berrick, F.R. Cohen, E. Hanbury, Y.L. Wong, J. Wu. IMS Lecture Notes Series, vol. 19 (National University of Singapore, Singapore, 2009), pp. 329–403
[11] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Probabilistic solutions of equations in the braid group. Adv. Appl. Math. 35, 323–334 (2005)
[12] V. Gebhardt, A new approach to the conjugacy problem in Garside groups. J. Algebra 292, 282–302 (2005)
[13] V. Gebhardt, Conjugacy search in braid groups. Appl. Algebra Eng. Commun. Comput. 17, 219–238 (2006)
[14] R. Gilman, A. Miasnikov, A. Miasnikov, A. Ushakov, New developments in commutator key exchange, in Proceedings of the First International Conference on Symbolic Computation and Cryptography, Beijing (2008), pp. 146–150
[15] D. Hofheinz, R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in PKC 2003. Lecture Notes in Computer Science, vol. 2567 (2002), pp. 187–198
[16] J. Hughes, A. Tannenbaum, Length-based attacks for certain group based encryption rewriting systems, in SECI02: Sécurité de la Communication sur Internet (2002)
[17] J. Hughes, A linear algebraic attack on the AAFG1 braid group cryptosystem, in Information Security and Privacy. Lecture Notes in Computer Science, vol. 2384 (2002), pp. 107–141
[18] A. Kalka, Representation attacks on the braid Diffie–Hellman public key encryption. Appl. Algebra Eng. Commun. Comput. 17, 257–266 (2006)
[19] A. Kalka, Representations of braid groups and braid-based cryptography. PhD thesis, Ruhr-Universität Bochum (2007)
[20] A. Kalka, Non-associative public key cryptography. arXiv:1210.8270 (2012)
[21] K. Ko, S. Lee, J. Cheon, J. Han, J. Kang, C. Park, New public-key cryptosystem using braid groups, in CRYPTO 2000. Lecture Notes in Computer Science, vol. 1880 (2000), pp. 166–183
[22] K. Ko, J. Lee, T. Thomas, Towards generating secure keys for braid cryptography. Des. Codes Cryptogr. 45, 317–333 (2007)
[23] D. Krammer, Braid groups are linear. Ann. Math. 155, 131–156 (2002)
[24] S. Lee, E. Lee, Potential weaknesses of the commutator key agreement protocol based on braid groups, in EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332 (2002), pp. 14–28
[25] S. Maffre, A weak key test for braid-based cryptography. Des. Codes Cryptogr. 39, 347–373 (2006)
[26] A. Miasnikov, V. Shpilrain, A. Ushakov, A practical attack on some braid group based cryptographic protocols, in CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621 (2005), pp. 86–96
[27] A. Miasnikov, V. Shpilrain, A. Ushakov, Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol, in PKC 2006. Lecture Notes in Computer Science, vol. 3958 (2006), pp. 302–314
[28] A. Miasnikov, V. Shpilrain, A. Ushakov, Non-commutative Cryptography and Complexity of Group-Theoretic Problems. American Mathematical Society Surveys and Monographs, vol. 177 (2011)
[29] A. Miasnikov, A. Ushakov, Length based attack and braid groups: cryptanalysis of Anshel–Anshel–Goldfeld key exchange protocol, in PKC 2007. Lecture Notes in Computer Science, vol. 4450 (2007), pp. 76–88
[30] A. Myasnikov, A. Ushakov, Random subgroups and analysis of the length-based and quotient attacks. J. Math. Cryptol. 2, 29–61 (2008)
[31] D. Micciancio, O. Regev, Lattice-based cryptography, in Post-quantum Cryptography, ed. by D. Bernstein, J. Buchmann (Springer, Berlin, 2008)
[32] A. Lubotzky, Braid group cryptography, in CS Theory Seminar, Hebrew University, March 2001
[33] V. Shpilrain, Cryptanalysis of Stickel’s key exchange scheme, in Computer Science in Russia. Lecture Notes in Computer Science, vol. 5010 (2008), pp. 283–288
[34] V. Shpilrain, A. Ushakov, Thompson’s group and public key cryptography, in ACNS 2005. Lecture Notes in Computer Science, vol. 3531 (2005), pp. 151–164
[35] V. Shpilrain, A. Ushakov, A new key exchange protocol based on the decomposition problem, in Algebraic Methods in Cryptography, ed. by L. Gerritzen, D. Goldfeld, M. Kreuzer, G. Rosenberger, V. Shpilrain. Contemporary Mathematics, vol. 418 (2006), pp. 161–167
[36] E. Stickel, A new method for exchanging secret keys, in Proceedings of the Third International Conference on Information Technology and Applications (ICITA05) (2005), pp. 426–430
[37] B. Tsaban, The conjugacy problem: cryptanalytic approaches to a problem of Dehn, Minicourse, Düsseldorf University, Germany, July–August 2012

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

Department of Mathematics, Bar-Ilan University, Ramat Gan, Israel
