# Polynomial-Time Solutions of Computational Problems in Noncommutative-Algebraic Cryptography


## Abstract

We introduce the *linear centralizer method*, and use it to devise a provable polynomial-time solution of the Commutator Key Exchange Problem, the computational problem on which, in the passive adversary model, the security of the Anshel–Anshel–Goldfeld (Anshel et al., Math. Res. Lett. 6:287–291, 1999) *Commutator* key exchange protocol is based. We also apply this method to solve, in polynomial time, the computational problem underlying the *Centralizer* key exchange protocol, introduced by Shpilrain and Ushakov in (Contemp. Math. 418:161–167, 2006).

This is the first provable polynomial-time cryptanalysis of the Commutator key exchange protocol, hitherto the most important key exchange protocol in the realm of noncommutative algebraic cryptography, and the first cryptanalysis (of any kind) of the Centralizer key exchange protocol. Unlike earlier cryptanalyses of the Commutator key exchange protocol, our cryptanalyses cannot be foiled by changing the distributions used in the protocol.
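To make concrete what the passive adversary of the abstract actually observes, here is an added example (not code from the paper) of the Anshel–Anshel–Goldfeld Commutator key exchange run over a toy platform: 2x2 matrices over GF(101), an assumption chosen so the steps are runnable in place of the braid groups the paper works in; the generating sets and private words are constructed sample values.

```python
# Anshel-Anshel-Goldfeld (Commutator) key exchange over a toy platform group.
# Assumption: the platform is 2x2 matrices over GF(P); the paper's setting is
# braid groups, this stand-in only makes the protocol steps runnable.
P = 101  # constructed toy modulus, far too small for any real use

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % P for j in range(2)]
            for i in range(2)]

def inv(a):
    d = pow((a[0][0] * a[1][1] - a[0][1] * a[1][0]) % P, -1, P)  # Python 3.8+
    return [[a[1][1] * d % P, -a[0][1] * d % P],
            [-a[1][0] * d % P, a[0][0] * d % P]]

def evaluate(word, gens):
    """Multiply out a word given as (generator index, +1/-1) pairs."""
    m = [[1, 0], [0, 1]]
    for idx, e in word:
        m = mul(m, gens[idx] if e == 1 else inv(gens[idx]))
    return m

def conjugate_all(x, gens):
    """x^-1 g x for each public generator g: this is all that is transmitted."""
    xi = inv(x)
    return [mul(mul(xi, g), x) for g in gens]

# constructed public generating sets and private words (random in practice)
A_GENS = [[[1, 2], [3, 7]], [[2, 5], [1, 3]]]
B_GENS = [[[4, 1], [7, 2]], [[1, 1], [0, 1]]]
A_WORD = [(0, 1), (1, -1), (0, 1)]   # Alice's secret: a0 * a1^-1 * a0
B_WORD = [(1, 1), (0, 1), (1, 1)]    # Bob's secret:   b1 * b0 * b1

def commutator_kep(a_gens, b_gens, a_word, b_word):
    """Run the protocol; returns both derived keys and the public transcript."""
    A = evaluate(a_word, a_gens)
    B = evaluate(b_word, b_gens)
    alice_sends = conjugate_all(A, b_gens)   # A^-1 b_j A for every j
    bob_sends = conjugate_all(B, a_gens)     # B^-1 a_i B for every i
    # Alice rebuilds B^-1 A B from her own word over Bob's conjugates, then
    # left-multiplies by A^-1 to get the commutator A^-1 B^-1 A B.
    k_alice = mul(inv(A), evaluate(a_word, bob_sends))
    # Bob symmetrically gets B^-1 A^-1 B A, the inverse of the same commutator.
    k_bob = inv(mul(inv(B), evaluate(b_word, alice_sends)))
    # A passive adversary holds only a_gens, b_gens, alice_sends, bob_sends;
    # recovering the key from these is the Commutator Key Exchange Problem.
    return k_alice, k_bob, alice_sends, bob_sends

if __name__ == "__main__":
    ka, kb, _, _ = commutator_kep(A_GENS, B_GENS, A_WORD, B_WORD)
    print("keys agree:", ka == kb, ka)
```

The returned transcript is exactly the adversary's input; the paper's linear centralizer method is what turns that input into the key in polynomial time for linear platform groups.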

## Key words

- Noncommutative-algebraic cryptography
- Group theory-based cryptography
- Braid-based cryptography
- Commutator key exchange
- Centralizer key exchange
- Braid Diffie–Hellman key exchange
- Linear cryptanalysis
- Invertibility lemma
- Schwartz–Zippel lemma
- Linear centralizer method
- Braid infinimum reduction
- Algebraic cryptanalysis

## Notes

### Acknowledgements

I have worked on the Commutator KEP, from various other angles, since I was introduced to it at the Hebrew University CS Theory seminar by Alex Lubotzky [32]. I thank Oleg Bogopolski for inviting me, earlier this year (2012), to deliver a minicourse [37] at the conference *Geometric and Combinatorial Group Theory with Applications* (Düsseldorf, Germany, July 25–August 3, 2012). Preparing this minicourse, I discovered the linear centralizer attack. Initially, I addressed the Centralizer KEP (Sect. 7). When I moved to consider the Commutator KEP, Arkadius Kalka pointed out an obstacle, mentioned by Shpilrain and Ushakov, that struck me as solvable by linear centralizers. I am indebted to Kalka for making the right comment at the right time.

I also thank David Garber, Arkadius Kalka, and Eliav Levy, and the referees, for comments leading to improvements in the presentation of this paper.

## References

- [1] B. An, K. Ko, A family of pseudo-Anosov braids with large conjugacy invariant sets. arXiv:1203.2320 (2012)
- [2] I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography. *Math. Res. Lett.* **6**, 287–291 (1999)
- [3] I. Anshel, M. Anshel, B. Fisher, D. Goldfeld, New key agreement protocols in braid group cryptography, in *CT-RSA 2001*. Lecture Notes in Computer Science, vol. 2020 (2001), pp. 13–27
- [4] L. Babai, R. Beals, Á. Seress, Polynomial-time theory of matrix groups, in *ACM STOC* (2009), pp. 55–64
- [5] S. Bigelow, Braid groups are linear. *J. Am. Math. Soc.* **14**, 471–486 (2001)
- [6] J. Birman, T. Brendle, Braids: a survey, in *Handbook of Knot Theory*, ed. by W. Menasco, M. Thistlethwaite (Elsevier, Amsterdam, 2005), pp. 19–103
- [7] J. Cha, K. Ko, S. Lee, J. Han, J. Cheon, An efficient implementation of braid groups, in *ASIACRYPT 2001*. Lecture Notes in Computer Science, vol. 2248 (2001), pp. 144–156
- [8] J. Cheon, B. Jun, A polynomial time algorithm for the braid Diffie–Hellman conjugacy problem, in *CRYPTO 2003*. Lecture Notes in Computer Science, vol. 2729 (2003), pp. 212–224
- [9]
- [10] D. Garber, Braid group cryptography, in *Braids: Introductory Lectures on Braids, Configurations and Their Applications*, ed. by J. Berrick, F.R. Cohen, E. Hanbury, Y.L. Wong, J. Wu. IMS Lecture Notes Series, vol. 19 (National University of Singapore, Singapore, 2009), pp. 329–403
- [11] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne, Probabilistic solutions of equations in the braid group. *Adv. Appl. Math.* **35**, 323–334 (2005)
- [12] V. Gebhardt, A new approach to the conjugacy problem in Garside groups. *J. Algebra* **292**, 282–302 (2005)
- [13] V. Gebhardt, Conjugacy search in braid groups. *Appl. Algebra Eng. Commun. Comput.* **17**, 219–238 (2006)
- [14] R. Gilman, A. Miasnikov, A. Miasnikov, A. Ushakov, New developments in commutator key exchange, in *Proceedings of the First International Conference on Symbolic Computation and Cryptography*, Beijing (2008), pp. 146–150. http://www-calfor.lip6.fr/~jcf/Papers/scc08.pdf
- [15] D. Hofheinz, R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in *PKC 2003*. Lecture Notes in Computer Science, vol. 2567 (2002), pp. 187–198
- [16] J. Hughes, A. Tannenbaum, Length-based attacks for certain group based encryption rewriting systems, in *SECI02: Sécurité de la Communication sur Internet* (2002). www.ima.umn.edu/preprints/apr2000/1696.pdf
- [17] J. Hughes, A linear algebraic attack on the AAFG1 braid group cryptosystem, in *Information Security and Privacy*. Lecture Notes in Computer Science, vol. 2384 (2002), pp. 107–141
- [18] A. Kalka, Representation attacks on the braid Diffie–Hellman public key encryption. *Appl. Algebra Eng. Commun. Comput.* **17**, 257–266 (2006)
- [19] A. Kalka, Representations of braid groups and braid-based cryptography. PhD thesis, Ruhr-Universität Bochum (2007). www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/KalkaArkadiusG/
- [20] A. Kalka, Non-associative public key cryptography. arXiv:1210.8270 (2012)
- [21] K. Ko, S. Lee, J. Cheon, J. Han, J. Kang, C. Park, New public-key cryptosystem using braid groups, in *CRYPTO 2000*. Lecture Notes in Computer Science, vol. 1880 (2000), pp. 166–183
- [22] K. Ko, J. Lee, T. Thomas, Towards generating secure keys for braid cryptography. *Des. Codes Cryptogr.* **45**, 317–333 (2007)
- [23] D. Krammer, Braid groups are linear. *Ann. Math.* **155**, 131–156 (2002)
- [24] S. Lee, E. Lee, Potential weaknesses of the commutator key agreement protocol based on braid groups, in *EUROCRYPT 2002*. Lecture Notes in Computer Science, vol. 2332 (2002), pp. 14–28
- [25] S. Maffre, A weak key test for braid-based cryptography. *Des. Codes Cryptogr.* **39**, 347–373 (2006)
- [26] A. Miasnikov, V. Shpilrain, A. Ushakov, A practical attack on some braid group based cryptographic protocols, in *CRYPTO 2005*. Lecture Notes in Computer Science, vol. 3621 (2005), pp. 86–96
- [27] A. Miasnikov, V. Shpilrain, A. Ushakov, Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol, in *PKC 2006*. Lecture Notes in Computer Science, vol. 3958 (2006), pp. 302–314
- [28] A. Miasnikov, V. Shpilrain, A. Ushakov, *Non-commutative Cryptography and Complexity of Group-Theoretic Problems*. American Mathematical Society Surveys and Monographs, vol. 177 (2011)
- [29] A. Miasnikov, A. Ushakov, Length based attack and braid groups: cryptanalysis of Anshel–Anshel–Goldfeld key exchange protocol, in *PKC 2007*. Lecture Notes in Computer Science, vol. 4450 (2007), pp. 76–88
- [30] A. Myasnikov, A. Ushakov, Random subgroups and analysis of the length-based and quotient attacks. *J. Math. Cryptol.* **2**, 29–61 (2008)
- [31] D. Micciancio, O. Regev, Lattice-based cryptography, in *Post-quantum Cryptography*, ed. by D. Bernstein, J. Buchmann (Springer, Berlin, 2008)
- [32] A. Lubotzky, Braid group cryptography, in *CS Theory Seminar*, Hebrew University, March (2001). http://www.cs.huji.ac.il/theorys/2001/Alex_Lubotzky
- [33] V. Shpilrain, Cryptanalysis of Stickel’s key exchange scheme, in *Computer Science in Russia*. Lecture Notes in Computer Science, vol. 5010 (2008), pp. 283–288
- [34] V. Shpilrain, A. Ushakov, Thompson’s group and public key cryptography, in *ACNS 2005*. Lecture Notes in Computer Science, vol. 3531 (2005), pp. 151–164
- [35] V. Shpilrain, A. Ushakov, A new key exchange protocol based on the decomposition problem, in *Algebraic Methods in Cryptography*, ed. by L. Gerritzen, D. Goldfeld, M. Kreuzer, G. Rosenberger, V. Shpilrain. Contemporary Mathematics, vol. 418 (2006), pp. 161–167
- [36] E. Stickel, A new method for exchanging secret keys, in *Proceedings of the Third International Conference on Information Technology and Applications (ICITA05)* (2005), pp. 426–430
- [37] B. Tsaban, *The conjugacy problem: cryptoanalytic approaches to a problem of Dehn*, Minicourse, Düsseldorf University, Germany, July–August 2012. http://reh.math.uni-duesseldorf.de/~gcgta/slides/Tsaban_minicourses.pdf