Thompson’s group F and group-based cryptography
Jennifer Taback
Bowdoin College
May 2, 2008
Sections: Decision problems in cryptography; Thompson’s Group F; Further results and directions
1 / 29
Attribution
This talk is based on work of
1 Vladimir Shpilrain and Alexander Ushakov, City University of New York
2 Alexei Myasnikov, McGill University
3 Francesco Matucci, Cornell University
4 Sean Cleary, Murray Elder, Jennifer Taback and Andrew Rechnitzer
Overview
The goal of this talk is to introduce some of the main ideas of group-based cryptography, and to highlight one of my favorite groups, Thompson’s group F, and its 15 minutes of fame in this field.
Specifically I will touch on:
1 How decision problems are used in cryptography.
2 How to analyze the security of a group-based cryptosystem, in particular, why studying the probability that a randomly chosen subgroup has a particular form is important.
3 How to make precise that notion of choosing a random subgroup of a group.
4 Thompson’s group F, and why it is so interesting.
5 Some examples of group based cryptosystems. I will introduce one due to Shpilrain and Ushakov which is implemented using Thompson’s group F.
6 How one might attempt to attack a cryptosystem. I will discuss a length-based attack given by Shpilrain and Ushakov to illustrate how this can be done. Then I will describe an alternate approach to breaking this system.
The Key Distribution Problem
The central problem in cryptography is the key distribution problem.
Suppose that Alice wants to send a secret message to Bob.
They must securely agree on a secret key which will allow them to encrypt their messages.
Their algorithm must ensure that if Eve intercepts their communication, she cannot recover the common key and decrypt the message.
Diffie-Hellman key exchange protocol
The main idea
Use a “one-way function”, that is, a function which is easy to calculate and hard to undo.
A simple one-way function
Given a positive integer m and integers a and x, it is easy to compute
a^x (mod m)
The discrete logarithm problem
Given a^x (mod m), as well as a and m, the problem of computing x is called the discrete logarithm problem. There is no efficient algorithm to do this.
Diffie-Hellman, 1976
The Diffie-Hellman key exchange protocol will allow Alice and Bob to securely exchange a least residue mod p (i.e. an element of Z_p), which they can use as the key.
Group based cryptography asks: why is this group different from all other groups? Answer: it’s not. Can we make a key exchange protocol which allows Alice and Bob to securely exchange a group element?
Diffie-Hellman key exchange protocol
Public data
Choose m ∈ Z^+ and y ∈ Z.
Alice
Alice picks a private key A and sends y^A (mod m) to Bob.
Bob
Bob picks a private key B and sends y^B (mod m) to Alice.
The common key
Alice computes (y^B)^A = y^{AB} (mod m) and Bob computes (y^A)^B = y^{AB} (mod m).
Decision problems in group theory
Question
Can we replace the discrete logarithm problem with a sufficiently “hard” problem from geometric group theory and increase security?
The word problem
Given a finitely generated group G and a word w ∈ G, decide whether or not w is the identity word in G.
The conjugacy problem
Given two elements a, b ∈ G, decide whether there is some x ∈ G so that a^x = xax^{-1} = b.
Solvable conjugacy problem implies solvable word problem.
Using conjugacy in the key exchange protocol
Conjugacy Search Problem
Let G be a group. Given a, b ∈ G and the information that a^x = xax^{-1} = b for some x ∈ G, find at least one such element x.
This problem can replace the discrete logarithm problem in standard key exchange protocols.
Two protocols based on the conjugacy search problem.
1 Ko-Lee, actual security based on the decomposition problem.
2 Anshel et al, may be vulnerable to length based attacks, but a group theoretic attack via the conjugacy search problem actually relies on a much more difficult problem.
Let’s see how the Ko-Lee protocol works.
The Ko-Lee key exchange protocol relying on the conjugacy search problem
Let G be a group with a solvable word problem.
Public data
Choose an element a ∈ G.
Private data
Alice picks a private key x and sends a^x = xax^{-1} to Bob.
Bob picks a private key y and sends a^y = yay^{-1} to Alice.
The common key
Alice computes (a^y)^x = a^{yx} and Bob computes (a^x)^y = a^{xy}. Choose x and y from a set of commuting elements to generate a common key.
Goal: Find a group with a large set of commuting elements, solvable word problem and hard conjugacy problem.
Proposed Platform
The Braid Groups B_n on n strands.
Choosing a group for implementation
Are the braid groups a good choice for implementing the Ko-Lee protocol?
A practical attack on the Ko-Lee protocol implemented on the braid groups was presented by Myasnikov, Shpilrain and Ushakov.
Using a combination of algorithms specific to braid groups, they ran 2466 experiments, each allotted 150 minutes (deemed a “reasonable” length of time) and had success in 2378 of them, yielding a 96.43% success rate.
Should we implement other protocols using braid groups?
Bad Choices
Groups with fast algorithms for computations within the group.
Groups with unsolvable word problem (a solvable word problem is required for decryption by legitimate parties).
Good choices
Groups which are not “similar” to any groups on the bad list.
Perhaps the braid groups? (often proposed)
Random subgroups of groups
What is the probability that a randomly chosen subgroup of a finitely generated group has a particular form?
What does this mean?
How do we formalize the idea of choosing a random subgroup?
We will consider our subgroups up to isomorphism.
Consequences for group-based cryptography
If with probability one, a randomly chosen subgroup is the free group, then we can just pretend that our group is a free group, and apply free group algorithms to attack group-based cryptosystems.
Thus good platforms for these group-based cryptosystems are groups in which:
a randomly chosen isomorphism class of subgroup is not free with probability one.
perhaps a randomly chosen isomorphism class of subgroup is not free with probability p for some fixed p < 1.
there is no isomorphism class of subgroup which is chosen with probability one.
Making the notion of a random subgroup of G precise
Choose a set X of representatives for elements of G, and define a notion of integer size. For example, the size of a representative might be its length with respect to a fixed finite generating set.
Let X_k be the set of unordered k-tuples of representatives x ∈ X. Then each member of X_k corresponds to a k-generated subgroup of G.
Use the notion of size of an element to define the size of a k-tuple.
For example, the size of the k-tuple could be the maximum of the sizes of its components, or the sum of the sizes of its components.
Divide X_k into spheres, letting the sphere Sph_k(n) of radius n consist of all members of X_k of size n. This is called a stratification of X_k.
The asymptotic density of a subset T in X_k is defined to be the limit
$$\lim_{n\to\infty} \frac{|T \cap \mathrm{Sph}_k(n)|}{|\mathrm{Sph}_k(n)|}$$
if this limit exists, where |T| denotes the size of the set T.
Let T_H be the set of k-tuples that generate a subgroup of G isomorphic to some particular subgroup H.
1 If the density of T_H is positive we say that H is visible in the space of k-generated subgroups of G.
We call the set of all visible k-generated subgroups of G the k-subgroup spectrum, denoted by Spec_k(G).
2 If the density of T_H is one, we say that H is generic.
3 If this density is zero we say that H is negligible.
Random subgroups of braid groups
Figure: the braid generators σ_1, σ_2, σ_3.
Group Presentation
Generators: {σ_1, · · · , σ_{n−1}} where in σ_i the only crossing is of the i-th strand over the next strand.
Relations:
1 σ_i σ_j = σ_j σ_i for |i − j| ≥ 2
2 σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1}.
Random subgroups of B_n
The pure braid group PB_n is the kernel of the canonical map B_n → S_n. It has finite index in B_n.
A k-tuple of group elements has the free basis property in G if it freely generates a free subgroup of G.
Theorem [Myasnikov-Ushakov]: The free basis property is generic in the pure braid group PB_n for n ≥ 3.
They conjecture that this is true in B_n as well.
Thompson’s group F
Algebraic Interpretation
Infinite Presentation ⟨x_0, x_1, · · · | x_i^{-1} x_j x_i = x_{j+1}, i < j⟩
Geometric Interpretation
Pairs of finite rooted binary trees
Analytic Interpretation
Piecewise-linear homeomorphisms of [0, 1], such that
1 all slopes are powers of 2
2 all break points have coordinates in the set of dyadic rationals
Moving between interpretations of Thompson’s group F
The generators x0 and xk of F as piecewise-linear homeomorphisms.
Generic subgroups of Thompson’s group F
Note that Thompson’s group F has no free subgroups.
Theorem
For any fixed k, the subgroup spectrum Spec_k(G) (with respect to the “Max” stratification) contains many isomorphism classes of subgroups with small, but positive, asymptotic density.
Thompson’s group F provides the first example of
1 a group without a generic type of subgroup.
2 a group with persistent subgroups, that is, they appear in Spec_k(G) for all sufficiently large k. Persistent subgroups of F include F^n × Z^m, for n, m ≥ 0, and F^n ⋊ Z.
3 a group with subgroups that disappear from the subgroup spectrum as k increases.
Does this make Thompson’s group a good candidate for a group-based cryptosystem?
This is joint work with Sean Cleary, Murray Elder and Andrew Rechnitzer.
The decomposition problem
Replaces the conjugacy search problem in key exchange protocols.
Problem
Given an element w of a group G, a subset A ⊂ G and an element x · w · y, find elements x′, y′ ∈ A so that x′ · w · y′ = x · w · y.
Special case of the decomposition problem
w = 1 and G = Z_p^* ⇒ RSA factorization problem.
Revised decomposition problem
Given an element w of a group G, and subsets A, B ⊂ G and an element x · w · y, find elements x′ ∈ A and y′ ∈ B so that x′ · w · y′ = x · w · y.
Shpilrain-Ushakov Key Exchange Protocol
Goal: Impose additional restrictions on the subgroups A and B of G needed for the decomposition problem to ensure a common key.
Shpilrain-Ushakov Key Exchange Protocol
Public Data
A group G, an element w ∈ G, and two subgroups A, B of G with the property that ab = ba for all a ∈ A and b ∈ B.
Private Data
Alice chooses a_1 ∈ A and b_1 ∈ B.
Bob chooses a_2 ∈ A and b_2 ∈ B.
Computing the shared key
Alice sends a_1 w b_1 to Bob.
Bob sends b_2 w a_2 to Alice.
The key is then K = b_2 (a_1 w b_1) a_2 = a_1 (b_2 w a_2) b_1.
Implementation
How do we choose a group G to implement this protocol? We need a simple way of finding commuting subgroups A and B of G. Is this protocol vulnerable to length based attack?
Implementing the protocol with Thompson’s group F
Some special elements of F
For k ∈ Z^+, define φ_k = 1 − 1/2^{k+1}.
From the definition of x_k, we see that x_k^{-1}([φ_k, 1]) = [φ_{k+1}, 1] ⊂ [3/4, 1].
For t ∈ [φ_k, 1], we have
$$\frac{d}{dt}\, x_0 x_k^{-1}(t) = x_0'\big(x_k^{-1}(t)\big)\,\big(x_k^{-1}\big)'(t) = 2 \cdot \tfrac{1}{2} = 1.$$
Figure: Elements of the form x_0 and x_k.
Implementing the protocol with Thompson’s group F
Elements of the form x_0 x_k^{-1}
For t ∈ [φ_k, 1], the element x_0 x_k^{-1} is the identity.
The group A
Let A_s be the group generated by the elements {x_0 x_1^{-1}, x_0 x_2^{-1}, · · · , x_0 x_s^{-1}}.
The group B
Let B_s be the group generated by the elements {x_{s+1}, x_{s+2}, · · · , x_{2s}}.
Figure: An example of an element of A_s and one of B_s.
The Shpilrain-Ushakov Lemma
Lemma (Shpilrain-Ushakov)
For every fixed s ∈ N, and elements a ∈ A_s and b ∈ B_s, we have ab = ba.
Proof:
Figure: An example of an element of A_s and one of B_s.
Figures drawn by Francesco Matucci.
Parameters and Key Generation
Shpilrain and Ushakov suggest the following parameters for practical key generation:
1 Select randomly and uniformly: s ∈ [3, 8] and M ∈ {256, 258, · · · , 318, 320}
2 Select the word w as a product of length M of generators in the set {x_0, x_1, x_2, · · · , x_{s+2}} and their inverses
3 Select a_1, a_2 ∈ A_s as products of length M of the generators {x_0 x_1^{-1}, x_0 x_2^{-1}, · · · , x_0 x_s^{-1}} and their inverses
4 Select b_1, b_2 ∈ B_s as products of length M of the generators {x_{s+1}, x_{s+2}, · · · , x_{2s}} and their inverses
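The protocol and the key-generation steps above, as an added example that is not code from the talk or from Shpilrain and Ushakov: elements of F are modelled as piecewise-linear maps with exact dyadic arithmetic, the exchange is run end to end, and the structural facts the slides rely on are checked (x_k^{-1}(φ_k) = φ_{k+1}, x_0 x_k^{-1} is the identity on [φ_k, 1], and A_s commutes with B_s because A_s acts trivially on [φ_s, 1] while B_s acts trivially on [0, φ_s]). The slope convention for x_0 (slope 1/2 on [0, 1/2]) is an assumption chosen so that the slides' φ_k comes out as stated; all function names are my own.

```python
from fractions import Fraction as Fr
import random

def _simplify(pts):
    """Drop interior breakpoints lying on the segment joining their neighbours (canonical form)."""
    out = []
    for p in pts:
        while len(out) >= 2:
            (x0, y0), (x1, y1) = out[-2], out[-1]
            if (y1 - y0) * (p[0] - x1) == (p[1] - y1) * (x1 - x0):
                out.pop()
            else:
                break
        out.append(p)
    return tuple(out)

class PL:
    """Element of F: increasing piecewise-linear bijection of [0,1] (dyadic breakpoints,
    power-of-two slopes), stored as its sorted list of (x, f(x)) breakpoints."""
    def __init__(self, pts):
        self.pts = _simplify(tuple(sorted(pts)))
    def __call__(self, t):
        for (x0, y0), (x1, y1) in zip(self.pts, self.pts[1:]):
            if x0 <= t <= x1:
                return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
        raise ValueError("argument outside [0,1]")
    def inv(self):
        return PL([(y, x) for x, y in self.pts])
    def __mul__(self, g):
        # f*g is the composition t -> f(g(t)), matching (x0 x_k^-1)(t) = x0(x_k^-1(t)) on the slides.
        ginv = g.inv()
        xs = {x for x, _ in g.pts} | {ginv(x) for x, _ in self.pts}
        return PL([(t, self(g(t))) for t in xs])
    def __eq__(self, other):
        return self.pts == other.pts

ONE = PL([(Fr(0), Fr(0)), (Fr(1), Fr(1))])
# x0 with slope 1/2 on [0,1/2], 1 on [1/2,3/4], 2 on [3/4,1]: the assumed convention under which phi_k works out.
X0 = PL([(Fr(0), Fr(0)), (Fr(1, 2), Fr(1, 4)), (Fr(3, 4), Fr(1, 2)), (Fr(1), Fr(1))])

def x(k):
    """Generator x_k: the identity on [0, 1 - 2^-k] and a copy of x0 squeezed into [1 - 2^-k, 1]."""
    if k == 0:
        return X0
    a = 1 - Fr(1, 2 ** k)
    return PL([(Fr(0), Fr(0))] + [(a + (1 - a) * px, a + (1 - a) * py) for px, py in X0.pts])

def phi(k):
    """phi_k = 1 - 1/2^(k+1), the point from which x0 x_k^-1 is the identity."""
    return 1 - Fr(1, 2 ** (k + 1))

def gens_A(s):
    """Generators {x0 x1^-1, ..., x0 xs^-1} of A_s."""
    return [X0 * x(k).inv() for k in range(1, s + 1)]

def gens_B(s):
    """Generators {x_{s+1}, ..., x_{2s}} of B_s."""
    return [x(k) for k in range(s + 1, 2 * s + 1)]

def fixes(f, lo, hi):
    """True iff f is the identity on [lo, hi]; used to check the disjoint-support structure."""
    return f(lo) == lo and f(hi) == hi and all(px == py for px, py in f.pts if lo <= px <= hi)

def random_word(gens, length, rng):
    """Product of `length` uniformly chosen generators or inverses (steps 2-4 of the parameter slide)."""
    g = ONE
    for _ in range(length):
        h = rng.choice(gens)
        g = g * (h if rng.random() < 0.5 else h.inv())
    return g

def key_exchange(s, M, seed=0):
    """Run the Shpilrain-Ushakov exchange with parameters s, M; return (keys agree?, w, u1, u2)."""
    rng = random.Random(seed)
    w = random_word([x(k) for k in range(s + 3)], M, rng)
    a1, a2 = random_word(gens_A(s), M, rng), random_word(gens_A(s), M, rng)
    b1, b2 = random_word(gens_B(s), M, rng), random_word(gens_B(s), M, rng)
    u1 = a1 * w * b1  # Alice -> Bob
    u2 = b2 * w * a2  # Bob -> Alice
    k_bob, k_alice = b2 * u1 * a2, a1 * u2 * b1
    return k_alice == k_bob, w, u1, u2
```

A small M keeps a run short; the arithmetic is identical at the suggested M ∈ [256, 320], only slower.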
Constructing a length-based attack
Is length-based attack a concern for this protocol, using Thompson’s group?
Recall: Revised decomposition problem
Given an element w of a group G, and subsets A, B ⊂ G and an element x · w · y, find elements x′ ∈ A and y′ ∈ B so that x′ · w · y′ = x · w · y.
Construct a directed graph Γ
The vertices of Γ are the elements of Thompson’s group F. There is an edge from v_1 to v_2 labeled (w_1, w_2) if v_2 = w_1 v_1 w_2 where
1 (w_1, w_2) = (w_1, 1) and w_1 ∈ A_s, or
2 (w_1, w_2) = (1, w_2) and w_2 ∈ B_s
Breaking Alice’s key is equivalent to finding a path from w (the initial base word) to w′ = a_1 w b_1 in Γ.
Algorithm for a length-based attack
Input: The original public word w and the word w′ = a_1 w b_1 transmitted by Alice.
Output: A pair of words x_1 ∈ A_s and x_2 ∈ B_s so that w′ = x_1 w x_2.
Initializations for Algorithm: Let S_w = {w}, S_{w′} = {w′}, M_w = ∅, M_{w′} = ∅. Let S_A and S_B denote the sets of generators for A_s and B_s respectively.
A. Find a shortest word u ∈ S_w − M_w.
B. Multiply u by elements of S_A^{±1} on the left and by elements of S_B^{±1} on the right, and add each result into S_w with edges labelled accordingly.
C. Add u into M_w.
D. Perform steps A-C with S_w and M_w replaced by S_{w′} and M_{w′}.
E. If S_w ∩ S_{w′} = ∅, then go to step A.
F. If there exists a common word w̄ ∈ S_w ∩ S_{w′}, then find a path in S_w from w to w̄ and a path in S_{w′} from w̄ to w′. Concatenate and output the label of the result.
In trials, the success rate of the length-based attack was zero.
Recovering the shared secret key
Evil Eve, knowing the elements w, u_1 = a_1 w b_1 and u_2 = b_2 w a_2, can always recover one of Alice and Bob’s private keys.
If the graph of w is
1 below (φ_s, φ_s) ⇒ recover Bob’s secret key.
2 above (φ_s, φ_s) ⇒ recover Alice’s secret key.
Figure: An example of an element of A_s and one of B_s.
Recall that for k ∈ Z^+, we define φ_k = 1 − 1/2^{k+1}.
Recovering Bob’s private key
Suppose that w(φ_s) ≤ φ_s. In particular, w(t) ≤ φ_s for all t ∈ [0, φ_s]. Thus:
u_2(t) = b_2 w a_2(t) = w a_2(t) for all t ∈ [0, φ_s].
Since Eve knows the element w, she can obtain a_2(t) for all t ∈ [0, φ_s]. She then knows that
$$a_2(t) = \begin{cases} w^{-1} u_2(t) & t \in [0, \varphi_s] \\ t & t \in [\varphi_s, 1]. \end{cases}$$
Now Eve has the elements a_2, w and u_2 = b_2 w a_2 and she computes
b_2 = u_2 a_2^{-1} w^{-1},
thereby recovering Bob’s private keys and the shared secret key K.
Using slightly more mathematics, we can recover Alice’s secret key even when w(φ_s) ≤ φ_s.
What type of groups should be proposed for cryptographic protocols based on the conjugacy search and related problems?
The conjugacy search problem in G should be well-studied or related to a different well-known problem in mathematics.
The word problem in G should have a fast (linear- or quadratic-time) solution by a deterministic algorithm. This is required for efficient common key extraction by legitimate parties.
The conjugacy search problem (or other appropriate problem) should not have a subexponential-time solution by a deterministic algorithm.
Proposing a better platform: (Less crucial, but useful.) There should be a way of “disguising” elements of G via the relators so that it would be impossible to recover x from xax^{-1} by inspection.
References
1 S. Cleary, M. Elder, A. Rechnitzer and J. Taback, Random subgroups of Thompson’s group F, preprint.
2 F. Matucci, The Shpilrain-Ushakov protocol for Thompson’s group F is always breakable, to appear in the Journal of Cryptology.
3 A. Myasnikov, V. Shpilrain and A. Ushakov, A practical attack on a braid group based cryptographic protocol, CRYPTO 2005, Lecture Notes Comp. Sci. 3621 (2005), 86–96.
4 A. Myasnikov and A. Ushakov, Random subgroups and analysis of the length-based and quotient attacks, preprint.
5 D. Ruinsky, A. Shamir and B. Tsaban, Length-based cryptanalysis: the case of Thompson’s group, Journal of Mathematical Cryptology 1 (2007), 359–372.
6 V. Shpilrain, Assessing security of some group based cryptosystems, Contemp. Math., Amer. Math. Soc. 360 (2004), 167–177.
7 V. Shpilrain and A. Ushakov, The conjugacy search problem in public key cryptography: unnecessary and insufficient, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 285–289.
8 V. Shpilrain and A. Ushakov, Thompson’s group and public key cryptography, Lecture Notes Comp. Sci. 3531 (2005), 151–164.
9 V. Shpilrain and G. Zapata, Combinatorial group theory and public key cryptography, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 291–302.