The root extraction problem in braid group-based cryptography

The root extraction problem in braid groups is the following: given a braid $\beta \in \mathcal{B}_n$ and a number $k\in \mathbb{N}$, find $\alpha\in \mathcal{B}_n$ such that $\alpha^k=\beta$. In the last decades, many cryptosystems such as authentication schemes and digital signatures based on the root extraction problem have been proposed. In this paper, we first describe these cryptosystems built around braid groups. Then we prove that, in general, these authentication schemes and digital signatures are not secure by presenting a possible attack on each of them.


Introduction
In the past decades, cryptographers have focused their attention on braid groups as a tool to construct public key exchanges [3,18], authentication schemes and digital signatures. It is worth mentioning the recent work of Anshel, Atkins, Goldfeld, and Gunnells on the WalnutDSA™ digital signature [4], which uses braid groups as a platform and has been claimed by its authors to be quantum resistant. In this paper, we give an exhaustive analysis of the proposed cryptosystems based on the root extraction problem for braid groups.
Braid groups were first defined by Artin in 1947 [1]. A braid group $\mathcal{B}_n$ on $n$ strands is the group with the following presentation:
Graphically, a braid on $n$ strands can be seen as a collection of $n$ paths in a cylinder joining $n$ distinguished points at the top of the cylinder with $n$ points at the bottom, with the restrictions that the paths do not touch each other and run monotonically in the vertical direction. Two braids are considered equivalent if there exists a continuous deformation transforming one into the other. We obtain the product of two braids by gluing the bottom of the first braid's cylinder to the top of the second braid's cylinder.
In this setting, a generator $\sigma_i$ is the braid in which only the strands $i$ and $i+1$ cross once, and its inverse $\sigma_i^{-1}$ is the braid in which the strands $i$ and $i+1$ cross in the opposite sense (see Figure 1). The root extraction decision problem in braid groups is the following: given a braid $\beta \in \mathcal{B}_n$ and a number $k \in \mathbb{N}$, tell whether there is $\alpha \in \mathcal{B}_n$ such that $\alpha^k = \beta$. When first proposed, the root extraction problem was believed to be hard to solve. The first approach was made in 1979 by Styšnev [22], who proved that the root extraction problem in braids is decidable, but gave no efficient algorithm to solve the search problem. Much later, in 2005, a first algorithmic attack on the problem was published in [16] by Groch, Hofheinz and Steinwandt. There the authors provide an algorithm to compute a $k$-th root of a braid by reducing the problem to computing roots in symmetric groups. However, this algorithm does not always work. That it works in most cases is not mathematically proven; instead, the authors ran simulations of 1000 tests each for several parameter choices. With most parameters the success rate is above 90 percent, but in some tests the algorithm fails in more than 50 percent of the cases because the computer cannot manage the quantity of roots that appear in the symmetric group. This still leaves open ways to create cryptosystems based on the problem: one could use this issue with roots in the symmetric group to choose parameters that make the cryptosystem resistant to the proposed algorithm.
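The symmetric-group side of the reduction in [16] can be made concrete in a few lines. The following Python is an added example written for this text, not code from [16] or from the authors of this paper. It assumes the standard map sending $\sigma_i^{\pm 1}$ to the transposition of positions $i$ and $i+1$: if $\alpha^k = \beta$ in $\mathcal{B}_n$, the permutation of $\alpha$ is a $k$-th root of the permutation of $\beta$ in $S_n$, so those permutations are the candidates any such reduction must handle. The example enumerates them by brute force over $S_n$ (which is not the method of [16]) and counts how many a single permutation can have; all function names are the example's own.

```python
# Added example, not code from [16] or from the paper: the symmetric-group side of
# the Groch-Hofheinz-Steinwandt reduction. If α^k = β in B_n, the permutation of α
# is a k-th root of the permutation of β in S_n, so these roots are the candidates
# the reduction has to handle, and there can be many of them.
from itertools import permutations

def braid_permutation(word, n):
    """Permutation of a braid word (letters ±i for σ_i^{±1}); σ_i acts as the transposition (i, i+1)."""
    p = list(range(n))
    for letter in word:
        i = abs(letter)                      # σ_i and σ_i^{-1} induce the same transposition
        p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def perm_pow(p, k):
    """k-th power of a permutation given as a tuple."""
    q = tuple(range(len(p)))
    for _ in range(k):
        q = tuple(p[i] for i in q)
    return q

def kth_roots(target, k):
    """All π in S_n with π^k = target, by brute force over S_n (fine for small n)."""
    n = len(target)
    return [pi for pi in permutations(range(n)) if perm_pow(pi, k) == target]

def root_candidates(word, n, k):
    """Permutations a k-th root of the braid `word` could induce; empty means no k-th root exists."""
    return kth_roots(braid_permutation(word, n), k)

def max_root_count(n, k):
    """Largest number of k-th roots that a single element of S_n has."""
    counts = {}
    for pi in permutations(range(n)):
        q = perm_pow(pi, k)
        counts[q] = counts.get(q, 0) + 1
    return max(counts.values())
```

A braid whose permutation has no $k$-th root has no $k$-th root at all, which is the cheap negative check; the positive case is where the candidate count matters, and `max_root_count` shows it growing quickly with $n$ even for square roots.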
In 2007, Lee [19] gave an algorithm that always works to extract a $k$-th root of a braid. His techniques rely strongly on an underlying algebraic structure of braid groups, called the Garside structure. In his paper he does not analyze the complexity of his algorithm, but the algorithm involves computing huge sets of braids, and there are certainly cases where its complexity is exponential. The most recent solution to the root extraction search problem is the one given in [8] by the first author, González-Meneses and Silvero. We say that braids have a generic property if the proportion of braids with that property in a ball of radius $r$ in the Cayley graph tends to 1 as $r$ tends to infinity. Informally, a property is generic if "most braids" have it. In that article the problem is also approached using Garside theory, and it is proven that, generically, a $k$-th root of a braid can be computed in quadratic time. That is, the braids to which this algorithm applies are generic. More explicitly, the result is as follows: let $\beta$ be a randomly picked braid that has a $k$-th root in a ball of radius $r$ in the Cayley graph of $\mathcal{B}_n$. By standard Garside theory, this braid has an associated length. Then the probability that we can compute a $k$-th root of $\beta$ in quadratic time (with respect to its length) tends to 1 as $r$ tends to infinity.
As we will see later, this latter solution can be used to attack the cryptosystems proposed so far that are completely based on the root extraction problem, with a probability of success that tends to one. This does not mean that the authentication schemes and digital signatures we will see are completely insecure, but that the parameters cannot be chosen at random. That is, we know that these cryptosystems are not secure for most parameters, but there are some braids for which the root extraction problem cannot be solved in polynomial time. This leaves the following open question: for which braids do the known algorithms to solve the root extraction problem have exponential complexity?
The paper is divided into the following sections: in Section 2 we describe the cryptosystems that claim to be based on the root extraction problem; in Section 3 we recall some definitions from braid theory that we need to understand the attacks; Section 4 is dedicated to the cryptanalysis of the authentication schemes and the digital signature; Section 5 contains the conclusions.
Acknowledgements. María Cumplido was supported by the Spanish grants US-1263032 and P20 01109 financed by Junta de Andalucía, and by the Research Program "Braids" of ICERM (Providence, RI). We thank Juan González-Meneses for useful discussions about braid theory.

Cryptosystems based on the Root Extraction Problem
In this section, we present some protocols based on the root extraction problem, namely two authentication schemes, and a digital signature scheme.
2.1. Authentication Schemes. An authentication scheme is a cryptographic tool in which a prover, Alice, wants to convince a verifier, Bob, of her identity. In 2005 Lal and Chaturvedi proposed two authentication schemes based on algorithmic problems related to the root extraction problem in braid groups. In 2006, another authentication scheme based on the root problem in braid groups was presented by Sibert, Dehornoy, and Girault. In this section we present these schemes and describe what is known about their security. The key generation and authentication phases of each scheme are given in the displayed scheme descriptions (in this text they appear after the Conclusions).

2.1.1. Authentication Scheme I [20]. Let $\mathcal{B}_n$ be a braid group generated by a set of generators $\{\sigma_1, \ldots, \sigma_n\}$ with $n$ even. Write $L\mathcal{B}_n$ for the braid group generated by $\{\sigma_1, \ldots, \sigma_{n/2-1}\}$ and $U\mathcal{B}_n$ for the group generated by $\{\sigma_{n/2+1}, \ldots, \sigma_n\}$, so that the elements of the first group commute with the elements of the second group. Lal and Chaturvedi claimed that this scheme is secure because of the complexity of finding a root $x$ in a braid group when $x^m$ and $m \ge 2$ are given. However, this scheme was attacked in [23], where it is proved that there is no need to extract roots to forge a signature. We will describe a generic attack on this scheme in the Cryptanalysis section. This attack does not need the solution to the root extraction problem.

2.1.2. Authentication Scheme II [20]. This scheme uses the same groups $\mathcal{B}_n$, $L\mathcal{B}_n$ and $U\mathcal{B}_n$; Alice's secret is a single braid $a \in L\mathcal{B}_n$, used together with a braid $c \in \mathcal{B}_n$ and two exponents $r, s \ge 2$ (see the displayed description).

2.1.3. Authentication Scheme III [21]. This scheme is based on a combination of the Conjugacy Search Problem and the Root Problem in braid groups, and solving the root extraction problem suffices to obtain the secret key. Alice's public key is $b = a^2$ for a secret braid $a \in \mathcal{B}_n$ (see the displayed description).
Secret key: $a$.
Phase 2: Authentication: Repeat the following $k$ times:
• Alice chooses randomly a braid $r \in \mathcal{B}_n$ and sends $x = r b r^{-1}$ to Bob.
• Bob sends a random bit to Alice.
2.2. Digital Signature. Most of the signature schemes proposed in braid groups are based on the difficulty of solving the conjugacy search problem. In [24], the authors proposed a signature scheme based on the root extraction problem, which works as follows (the key generation and the start of the signing phase are given in the displayed description). Alice sends Bob the signature $(u, \gamma)$, and Bob checks the verification equation of [24].

Theory of braids
In this section we explain the tools that we use to attack the previous cryptosystems. First, we review some basic definitions concerning the algebraic manipulation of braids.
If $n = 2$, $Z(\mathcal{B}_n) = \langle \Delta \rangle$. The existence of a Garside structure implies that there is a partial order $\preccurlyeq$ on $\mathcal{B}_n$, defined by $\alpha \preccurlyeq \beta \Leftrightarrow \alpha^{-1}\beta \in \mathcal{B}_n^+$. The unique greatest common divisor of two braids $\alpha$ and $\beta$ with respect to this partial order is denoted by $\alpha \wedge \beta$. Also, all the elements $s$ satisfying $1 \preccurlyeq s \preccurlyeq \Delta$ are called simple elements.
The word problem in braid groups has been very well studied [2, 5, 10, 11, 9], and using the latter structure we can associate to each braid $\alpha$ a normal form $\alpha = \Delta^p x_1 \cdots x_l$, where the $x_i$ are simple elements such that $x_i x_{i+1} \wedge \Delta = x_i$ for $i = 1, \ldots, l-1$. The number $l$ is called the canonical length of $\alpha$ and is denoted by $\ell(\alpha)$. We can also express $\alpha$ as $\alpha_1^{-1}\alpha_2$, where $\alpha_1^{-1} = 1$ and $\alpha_2 = \alpha$ if $p \ge 0$, and $\alpha_1^{-1} = \Delta^p x_1 \cdots x_{-p}$ and $\alpha_2 = x_{-p+1} \cdots x_l$ otherwise. This is very useful if one wants to know whether $\alpha$ lies in $L\mathcal{B}_n$: we just need to put $\alpha$ in normal form, and $\alpha \in L\mathcal{B}_n$ if and only if $\alpha_1$ and $\alpha_2$ lie in $L\mathcal{B}_n$. Moreover, the normal form can be computed in quadratic time with respect to the canonical length of the braid.
Topologically, $\mathcal{B}_n$ can also be defined as the mapping class group of the $n$-punctured disc. In this setting, a generator of the braid group is the switching of two consecutive punctures. The braid group on $n$ strands acts by isometries on the curve complex of the $n$-punctured disc, whose vertices are isotopy classes of non-degenerate curves (referred to simply as curves). According to this action, we can use the Nielsen-Thurston classification to place braids in three disjoint categories: a braid $\alpha$ is periodic if $\alpha^m$ is central for some $m$; it is reducible if it is not periodic and $\alpha^m$ preserves some curve for some $m$; and $\alpha$ is pseudo-Anosov if there are two measured transverse foliations, $(\mathcal{F}^s, \mu^s)$ and $(\mathcal{F}^u, \mu^u)$, and a real number $\lambda > 1$ such that $\alpha$ preserves both foliations, contracting the measure of the first and expanding the measure of the second by the factor $\lambda$. Being pseudo-Anosov is a generic property [6], so the study of pseudo-Anosov braids can be very useful when designing generic attacks. Finally, observe that a braid $\alpha$ in $L\mathcal{B}_n$ has to be reducible, since the only central braids are roots of powers of $\Delta$ [7] and $\alpha$ fixes the curve that circles all the punctures involved in the generators of $L\mathcal{B}_n$.

Cryptanalysis
4.1. Authentication Scheme I. As shown by Tsaban [23], one can identify as Alice in Authentication Scheme I without solving the root extraction problem. Notice that to do so one just needs to recover $a^r$ and $b^s$. The key point for attacking this scheme is that $a^r$ and $b^s$ lie in commuting subgroups of $\mathcal{B}_n$. When one computes the normal form of the braid $a^r b^s$, it is easy to recover $a^r$ and $b^s$. Moreover, normal forms in braid groups can be computed in polynomial time, so this is a very effective attack that always works.

4.2. Authentication Scheme II. Notice that if we recover $a^s$ and $a^r$, we can forge a signature without solving the root extraction problem. We are going to attack the following (more general) authentication scheme, with $\mathcal{B}_n$, $L\mathcal{B}_n$ and $U\mathcal{B}_n$ defined as in Section 2.1:
Phase 1: Key Generation: Alice chooses three elements $a_1, a_2 \in L\mathcal{B}_n$ and $c \in \mathcal{B}_n$.
Public key: $X$, $c$.
Secret key: $a_1, a_2$.
Phase 2: Authentication: Bob chooses two elements $b_1, b_2 \in U\mathcal{B}_n$ and sends to Alice $Y = b_1 c b_2$. Alice computes $Z = a_1 Y a_2$ and sends it to Bob. Finally, Bob verifies that $Z = b_1 X b_2$.
This cryptosystem includes Authentication Scheme II. Our aim is to prove that, using $X$, $Y$ and $Z$, we have a method that generically recovers $a_1$ and $a_2$. First notice that $a_2$ conjugates $X^{-1}Z$ to $c^{-1}Y$. Hence, this scheme is based on the subgroup conjugacy search problem in braid groups: to find $a_2$ we need to explore which elements of $L\mathcal{B}_n$ perform the same conjugation as $a_2$. The best algorithms to solve the conjugacy search problem in braids are the ones in [14,13], and computational experiments in [12] showed that these algorithms efficiently provide solutions in most cases. The conjugacy search problem has been solved in [17] for every Garside group and, in particular, for every braid group. The algorithm is a modification of the solution of the conjugacy problem, and its probabilistic efficiency is the same.
We are going to describe another method to attack this problem. This also relies on the solution of the general conjugacy problem, and it does not work in every case. However, it works generically, and it is easy to describe if one wants to use the (already programmed) solution to the general conjugacy problem as a black box. We can use the algorithms in [14,13] to compute an $\alpha$ performing the same conjugation as $a_2$. We want to recover $a_2$ from $\alpha$. Notice that any element $\alpha$ that conjugates $X^{-1}Z$ to $c^{-1}Y$ has the form $\alpha = a_2 z$, where $z$ is an element of the centralizer of $X^{-1}Z$. In [15] it is proven that, generically, the centralizer of a braid is generated by two mutually commuting elements $v = \Delta^e$ and $w$, which can be computed in polynomial time. Then we can write $\alpha = v^r w^s a_2$, and we can repeatedly multiply $\alpha$ on the left by $w^{-1}$ until we reach an element of the form $\Delta^m a'$, where $a' \in L\mathcal{B}_n$ (this can be easily checked by computing the normal form of the element). The last step in seeing that this algorithm is efficient is to show that there is an upper bound for $s$. Generically, the canonical length of $w^s$ increases linearly with $s$; this is due to the generic rigidity proved in [6]. Also notice that $\ell(w^s)$ is bounded by $\ell(\alpha) + \ell(a_2)$. The canonical length of $a_2$ is bounded above by the parameters of the cryptosystem and, generically, by [12,15] the canonical length of $\alpha$ (and of any conjugating element from $X^{-1}Z$ to $c^{-1}Y$) depends linearly on the maximal canonical length of the parameters.
We have proven that we can obtain an element $a'$ performing the same conjugation as $a_2$ using either the algorithm in [17] or the previously described method, but we want to find precisely $a_2$. To see that the scheme is not safe, we prove that generically the only conjugating element from $X^{-1}Z$ to $c^{-1}Y$ that is contained in $L\mathcal{B}_n$ is $a_2$. We know by [6] that $X^{-1}Z$ is generically pseudo-Anosov, and it is well known that elements in the centralizer of a pseudo-Anosov braid $\beta$ cannot be reducible, as this would imply that $\beta$ is reducible. Suppose that $\alpha \in L\mathcal{B}_n$; then $v^r w^s \in L\mathcal{B}_n$ cannot be pseudo-Anosov, and it must be trivial, because the only power of $\Delta$ that lies in $L\mathcal{B}_n$ is $\Delta^0 = 1$. We have then proven that $a' = a_2$. We can do the same process to obtain $a_1$. The previous discussion means that Algorithms 1 and 2 will efficiently forge Alice's signature in almost every case.
Algorithm 1: First algorithm to forge the signature of Authentication Scheme II
Input: $X, Y, Z, c$
Output: $a_1, a_2$
$a$ := conjugating element from $X^{-1}Z$ to $c^{-1}Y$ that lies in $L\mathcal{B}_n$ (use the algorithm in [17]);
$b$ := conjugating element from $ZX^{-1}$ to $Y$ that lies in $L\mathcal{B}_n$ (use the algorithm in [17]);
return $b^{-1}, a$

4.3. Authentication Scheme III. The authors of Authentication Scheme III remark that the public key should be picked so that the square root extraction problem is hard to solve. However, this was said when no effective generic algorithm existed. Nowadays, if the public key is picked randomly, the secret key can generically be obtained very fast by using the method in [8]. Also, there is no method to generate braids for which the algorithm in [8] does not work.

Algorithm 2: Second algorithm to forge the signature of Authentication Scheme II
Data: $X, Y, Z, c$
Result: $a_1, a_2$
$\alpha$ := conjugating element from $X^{-1}Z$ to $c^{-1}Y$ (use the algorithm in [13]);
$\{\Delta^e, w\}$ := generators of the centralizer of $X^{-1}Z$ (use the algorithm in [15]);
$a \leftarrow \alpha$;
while $a \ne \Delta^m a'$ for every $m \in \mathbb{Z}$ and $a' \in L\mathcal{B}_n$ do $a \leftarrow w^{-1} a$;
$\alpha$ := conjugating element from $ZX^{-1}$ to $Y$ (use the algorithm in [13]);
$\{\Delta^e, w\}$ := generators of the centralizer of $X^{-1}Z$ (use the algorithm in [15]);
$b \leftarrow \alpha$;
while $b \ne \Delta^m b'$ for every $m \in \mathbb{Z}$ and $b' \in L\mathcal{B}_n$ do $b \leftarrow w^{-1} b$;
return $b^{-1}, a$

4.4. Digital Signature. The authors of the proposed digital signature in [24] proved that one can forge a signature if one can solve the root extraction problem. Indeed, if we compute $v = \prod_{i=1}^{k} b_i^{h_i}$, extract a $k$-th root $w$ of $v$ and choose a random braid $\beta'$, then $(\beta' w \beta'^{-1}, \beta')$ is an accepted signature: just check that $(\beta' w \beta'^{-1})^k = \beta' w^k \beta'^{-1} = \beta' v \beta'^{-1}$.
Then, the algorithm in [8] generically works to forge a signature.
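To make the observation of Section 4.1 concrete, and to show the left normal form of Section 3 at work, here is an added Python example written for this text; it is not the authors' code and not Tsaban's implementation from [23]. It assumes the standard $n-1$ Artin generators of $\mathcal{B}_n$, with $L\mathcal{B}_n$ acting on the first $n/2$ strands and $U\mathcal{B}_n$ on the last $n/2$, and it restricts Authentication Scheme I to positive braids (an assumption made to keep the normal forms short; the attack in [23] applies to arbitrary braids through the full normal form). It runs one round of the scheme with constructed keys and shows that an attacker who only sees the public key $X = a^r b^s$ reads $a^r$ and $b^s$ off its normal form and is then accepted by Bob, never computing a root. All function names are the example's own.

```python
# Added example, not code from the paper or from [23]: left normal form of
# positive braid words in B_n and the commuting-subgroup attack on Scheme I.
# Conventions: a word is a list of generator indices 1..n-1 (positive letters
# only); a simple element is the tuple p with p[i] = bottom position of the
# strand that starts at top position i.

def sigma(n, i):
    """Permutation of the Artin generator σ_i: strands i and i+1 cross once."""
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def compose(a, b):
    """Braid a followed by braid b (a drawn above b)."""
    return tuple(b[i] for i in a)

def inverse(a):
    inv = [0] * len(a)
    for i, v in enumerate(a):
        inv[v] = i
    return tuple(inv)

def starting_set(x):
    """Indices j such that σ_j is a left divisor of the simple element x."""
    return {j for j in range(1, len(x)) if x[j - 1] > x[j]}

def finishing_set(x):
    """Indices j such that σ_j is a right divisor of the simple element x."""
    return starting_set(inverse(x))

def left_weight(a, b, n):
    """Move crossings from b to a until finishing_set(a) contains starting_set(b)."""
    changed = False
    while True:
        movable = starting_set(b) - finishing_set(a)
        if not movable:
            return a, b, changed
        j = min(movable)
        a = compose(a, sigma(n, j))   # a·σ_j is still simple since j ∉ F(a)
        b = compose(sigma(n, j), b)   # σ_j^{-1}·b is still positive since j ∈ S(b)
        changed = True

def normal_form(word, n):
    """Left normal form Δ^p x_1 ⋯ x_l of a positive word, returned as (p, [x_1, ..., x_l])."""
    delta, ident = tuple(range(n - 1, -1, -1)), tuple(range(n))
    factors = [sigma(n, i) for i in word]
    changed = True
    while changed:                      # local left-weighting until every pair is stable
        changed = False
        for k in range(len(factors) - 1):
            factors[k], factors[k + 1], c = left_weight(factors[k], factors[k + 1], n)
            changed = changed or c
    p = 0
    while factors and factors[0] == delta:   # Δ factors collect on the left
        factors.pop(0)
        p += 1
    while factors and factors[-1] == ident:  # trivial factors collect on the right
        factors.pop()
    return p, factors

def braids_equal(u, v, n):
    """Word problem: two positive words represent the same braid iff their normal forms agree."""
    return normal_form(u, n) == normal_form(v, n)

def simple_to_word(x, n):
    """Write a simple element as a positive word by peeling off left divisors."""
    word = []
    while starting_set(x):
        j = min(starting_set(x))
        word.append(j)
        x = compose(sigma(n, j), x)
    return word

# Authentication Scheme I (Section 2.1.1) with positive a ∈ LB_n and b ∈ UB_n.
def scheme1_public_key(a, b, r, s):
    return a * r + b * s                          # X = a^r b^s

def scheme1_verify(X, Y, Z, c, d, r, s, n):
    return braids_equal(Z, c * r + X + d * s, n)  # Bob accepts iff Z = c^r X d^s

def separate(X, n):
    """Attacker: recover words for a^r and b^s from the public key alone."""
    h = n // 2
    p, factors = normal_form(X, n)
    assert p == 0                                  # Δ never divides an element of LB_n × UB_n
    low, high = [], []
    for x in factors:
        # no strand crosses from one half to the other, so every factor splits in two
        assert all((x[i] < h) == (i < h) for i in range(n))
        low += simple_to_word(tuple(x[:h]) + tuple(range(h, n)), n)
        high += simple_to_word(tuple(range(h)) + tuple(x[h:]), n)
    return low, high

def demo(n=6, r=2, s=3):
    """Constructed keys: LB_6 = <σ_1, σ_2>, UB_6 = <σ_4, σ_5>."""
    a, b = [1, 2, 1], [4, 5]                       # Alice's secret braids
    c, d = [5, 4, 5], [2, 1]                       # Bob's challenge braids
    X = scheme1_public_key(a, b, r, s)
    Y = c * r + d * s                              # Y = c^r d^s
    ar, bs = separate(X, n)                        # attacker never extracts a root
    forged = ar + Y + bs                           # impersonates Alice's Z = a^r Y b^s
    return (braids_equal(ar, a * r, n), braids_equal(bs, b * s, n),
            scheme1_verify(X, Y, forged, c, d, r, s, n))
```

`demo()` returns three booleans: the recovered words equal $a^r$ and $b^s$ as braids, and Bob accepts the forged response. The separation works because a positive element of $L\mathcal{B}_n \times U\mathcal{B}_n$ has no crossing between the two halves, so each simple factor of its normal form is a product of a factor in $L\mathcal{B}_n$ and a factor in $U\mathcal{B}_n$; collecting the two kinds of factors in order gives $a^r$ and $b^s$, and no root of either is ever needed.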

Conclusions
Authentication Scheme I was already efficiently broken. Authentication Scheme II does not really depend on the solution of the $k$-th root extraction problem, but on the solution of the subgroup conjugacy problem in braids. We have described a generic attack to identify as Alice using the algorithm in [17]. We can forge the signature in Authentication Scheme III and in the Digital Signature by using the solution to the root extraction problem, so we can use the algorithm in [8] to attack those cryptosystems.
This means that the last three proposed cryptosystems are not secure if we choose the parameters at random. However, generic attacks do not work in every case. It is an open question whether one can build a method to generate braids for which solving the root extraction problem or the subgroup conjugacy search problem takes exponential time.

Displayed scheme descriptions (the key generation, authentication and signature phases referred to in Section 2; in the original layout these appear as boxes alongside the text).

Authentication Scheme I [20].
Phase 1: Key Generation: Alice chooses two integers $r, s \ge 2$, and two elements $a$ and $b$ in $L\mathcal{B}_n$ and $U\mathcal{B}_n$, respectively.
Public key: $\mathcal{B}_n$, $L\mathcal{B}_n$, $U\mathcal{B}_n$, $X = a^r b^s$, $r$, $s$.
Secret key: $a$, $b$.
Phase 2: Authentication: Bob chooses two elements $c$ and $d$ in $U\mathcal{B}_n$ and $L\mathcal{B}_n$, respectively, and sends to Alice $Y = c^r d^s$. Alice computes $Z = a^r Y b^s$ and sends it to Bob. Finally, Bob verifies that $Z = c^r X d^s$.

2.1.2. Authentication Scheme II [20]. Again, let $\mathcal{B}_n$ be a braid group generated by a set of generators $\{\sigma_1, \ldots, \sigma_n\}$ with $n$ even. Write $L\mathcal{B}_n$ for the braid group generated by $\{\sigma_1, \ldots, \sigma_{n/2-1}\}$ and $U\mathcal{B}_n$ for the group generated by $\{\sigma_{n/2+1}, \ldots, \sigma_n\}$.
Phase 1: Key Generation: Alice chooses two integers $r, s \ge 2$, and two elements $a \in L\mathcal{B}_n$ and $c \in \mathcal{B}_n$.
Public key: $X$, $r$, $s$.
Secret key: $a$.
Phase 2: Authentication: Bob chooses an element $b \in U\mathcal{B}_n$, and sends to Alice $Y = b^r c b^s$. Alice computes $Z = a^r Y a^s$ and sends it to Bob. Finally, Bob verifies that $Z = b^r X b^s$.

Authentication Scheme III [21].
Phase 1: Key Generation: Alice chooses a braid $a \in \mathcal{B}_n$ and computes $b = a^2$.
Public key: $n$, $b$.
(The secret key and the authentication phase are given in Section 2.1.3.)

Digital Signature [24].
Phase 1: Key Generation: Alice chooses a set of $k+1$ braids $a_1, a_2, \ldots, a_m, \alpha \in \mathcal{B}_n$ such that the $a_i$ pairwise commute, and computes $b_i = \alpha a_i^k \alpha^{-1}$.
Public key: $n$, $m$, $b_1, \ldots, b_m$.
Secret key: $(a_1, \ldots, a_k)$.
Phase 2: Signature: Alice wants to sign a message hashed into a $k$-bit binary string $h_1 \ldots h_r$. She randomly chooses a braid $\beta$ and computes:

Algorithm 2: Second algorithm to forge the signature of Authentication Scheme II. Data: $X, Y, Z, c$. Result: $a_1, a_2$. (The steps of this algorithm are listed in Section 4.3.)