Table Of Content

CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL ALEXD.MYASNIKOVANDALEXANDERUSHAKOV 8 0 0 2 Abstract. The Anshel-Anshel-Goldfeld-Lemieux (abbreviated AAGL) key agreement protocol [2] is pro- n posed to be used on low-cost platforms which constraint the use of computational resources. The core of a the protocol is the concept of an Algebraic EraserTM (abbreviated AE) which is claimed to be a suitable J primitiveforusewithinlightweight cryptography. TheAEprimitiveisbasedon anew andingenious idea 0 of using an action of a semidirect product on a (semi)group to obscure involved algebraic structures. The 3 underlying motivation for AAGL protocol is the need to secure networks which deploy Radio Frequency Identification (RFID)tagsusedforidentification, authentication, tracingandpoint-of-saleapplications. ] In this paper we revisit the computational problem on which AE relies and heuristically analyze its R hardness. We show that for proposed parameter values it is impossible to instantiate the secure protocol. G Tobe moreprecise, in100% of randomlygenerated instances ofthe protocol wewere ableto findasecret conjugator z generated byTTPalgorithm(partofAAGLprotocol). . h at 1. The Colored Burau Key Agreement Protocol m A general mathematical framework of AAGL protocol is quite complicated. In this paper we try to omit [ unnecessarydetails and simplify the notationof [2] as much as possible. We refer aninterested reader to [2, 1 Sections 2 and3] for a complete description. Here we startout by givinga particularimplementation of the v primitive called the Colored Burau Key Agreement Protocol(CBKAP). 6 8 1.1. A platform group. Fix an integer n ≥ 7 and a prime p. Let t = (t1,...,tn) be a tuple of formal 7 variables. Define matrices 4 −t 1 1 1.  1  0 x1(t)= ...  8   0  1    v: and for i=2,...,n−1 i 1 X  ...  r a xi(t)= ti −ti 1     ..   .     1    which is the identity matrix except for the ith row where it has successive entries t , −t , 1 with −t on i i i the diagonal. We look at the matrices x1(t),...,xn−1(t) as elements of the group GL(n,Fp(t)) of n×n matriceswith entriesasLaurentpolynomialsoverthe finite fieldF . The symmetric grouponn symbolsS p n acts on GL(n,F (t)) by permuting the variables t ,...t . We denote the result of the action of s ∈ S on p 1 n n x∈GL(n,F (t)) by sx. p ThesemidirectproductGL(n,F (t))⋊S ofthegroupsGL(n,F (t))andS relativetothedefinedaction p n p n of S on matrices GL(n,F (t)) is a set of pairs n p {(m,s)|m∈GL(n,F (t)), s∈S } p n Date:Version4•September 30,2007. 1 2 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL with multiplication given by (m ,s )·(m ,s ):=(m ·s1 m ,s ·s ). 1 1 2 2 1 2 1 2 Denote by s =(i,i+1)∈S the transposition which interchanges i and i+1 and by g the element of the i n i semidirect product GL(n,F (t))⋊S p n g =(x (t),s ). i i i A subgroup G=hg1,...,gn−1i of GL(n,F (t))⋊S is called the colored Burau group. The group G is a platform group for AAGL key p n agrement protocol. Recall that the group B of n-strand braids has the classical Artin’s presentation: n σ σ σ =σ σ σ if |i−j|=1 Bn =(cid:28) σ1,...,σn−1 (cid:12) σiiσjj =i σjσji i j if |i−j|>1 (cid:29). (cid:12) (cid:12) Awordoverthegroupalphabet{σ1,...,σn−1}(cid:12) iscalledabraid word. Anyn-strandbraidcanberepresented by a braid word. The length of a shortest braid word representing an element g ∈B is called the geodesic n lengthofg relativeto the Artin’s setofgeneratorsandis denotedby|g|. The function|·|:B →N iscalled n the geodesic length function on B . n Lemma 1.1. The elements g = (x (t),s ), for i = 1,2,...,n−1, satisfy the braid relations and hence i i i ϕ determine a representation of the braid group B , i.e., the mapping σ 7→g defines a group epimorphism n i i ϕ:B →G. n Proof. Straightforwardcheck. (cid:3) 1.2. Action of the platform group on GL(n,F ). Fix elements τ ,...,τ ∈ F and define a homo- p 1 n p morphism π which maps GL(n,F (t)) into GL(n,F ) by assigning the value τ to the variable t , i.e., by p p i i evaluating a matrix at τ ,...,τ . We call π the evaluation function. 1 n Assumption on τ ,...,τ . We assume that π defines a correct group homomorphism. 1 n Relative to the chosen tuple τ ,...,τ ∈ F and the corresponding function π one can define an action of 1 n p GL(n,F (t))⋊S on GL(n,F )×S by putting p n p n (m ,s )⋆(m ,s )=(m ·π(s1m ),s s ) 1 1 2 2 1 2 1 2 where ⋆ denotes the action. Indeed, it is not difficult to check that ⋆ is an action and satisfies the property ((m ,s )⋆(m ,s ))⋆(m ,s )=(m ,s )⋆((m ,s )·(m ,s )). 1 1 2 2 3 3 1 1 2 2 3 3 We say that (m ,t ) and (m ,t ) ⋆-commute if the equality 1 1 2 2 (π(m ),s )⋆(m ,s )=(π(m ),s )⋆(m ,s ) 1 1 2 2 2 2 1 1 holds. The next lemma is obvious. Lemma 1.2. Let w = m (x (t),s ) and v = l (x (t),s ) be such that |i −j | > 1 for every k=1 ik ik p=1 jp jp k p k =1,...,m and p=1,.Q..,l. Then the elements w aQnd v ⋆-commute. 1.3. The protocol. Before the parties perform actual transmissions the following data is being prepared by the Third Trusted Party (TTP). • A matrix m ∈GL(n,F ) which has an irreducible characteristicpolynomial over F . The choice of 0 p p m is not relevant for the purposes of this paper, we refer the reader to [2] for more information on 0 how m can be generated randomly. 0 • ⋆-commuting subgroups A = hw ,...,w i and B = hu ,...,u i of the group G. We want to point 1 γ 1 γ out that the elements w and v are given to us as products of generators of G and there inverses, i j i.e., as formal words in group alphabet {g1,...,gn−1}. We prefer this form because it allows us to avoid time consuming matrix multiplication in GL(n,F (t)). p CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 3 Both, the matrix m and subgroups A and B, can be chosen only once. Now, the public and private keys 0 are chosen as follows: Alice’s Private Key: is a pair which consists of a matrix of the form n =l mα1 +l mα2 +...+l mαr ∈GL(n,F ) a 1 0 2 0 r 0 p (where l ,...,l ∈ F and r,α ,...,α ∈ Z+) and a random sequence wε1,...,wεm of generators of A and 1 r p 1 r i1 im their inverses. Alice’s Public Key: is an element A =(n ,id)⋆wε1 ⋆...⋆wεm ∈GL(n,F )×S . public a i1 im p n Recallthateachw isgivenasaformalproductofthegeneratorsofG. Toperformthe⋆-operationefficiently ik one should not directly compute w , but consequently apply the factors of w to the argument. ik ik Bob’s Private Key: is a pair which consists of a matrix of the form nb =l1′mβ01 +l2′mβ02 +...+lr′′mβ0r′ ∈GL(n,Fp) (where l1′,...,lr′′ ∈ Fp and r′,β1,...,βr′ ∈ Z+) and a random sequence vjδ11,...,vjδll of generators of B and their inverses. Bob’s Public Key: is a pair B =(n ,id)⋆vδi ⋆...⋆vδl ∈GL(n,F )×S . public b j1 jl p n Again, each v is given as a formal product of the generators of G. To perform the ⋆-operation efficiently jk one should not directly compute v , but consequently apply the factors of v to the argument. jk jk The shared key: is an element of GL(n,F )×S obtained by Alice in the form p n [(n ,id)·B ]⋆wε1 ⋆...⋆wεm a public i1 im and by Bob in the form [(n ,id)·A ]⋆vδi ⋆...⋆vδl b public j1 jl It requires a little work to prove that the obtained elements are indeed equal in GL(n,F ). We omit the p proof. 1.4. TTP algorithm. The cornerstone part of the proposed key-exchange is the choice of ⋆-commuting subgroups of the group G. The basic idea is to use Lemma 1.1 and choose commuting subgroups A and B in B and then pull them into G using the epimorphism ϕ. The resulting subgroups ϕ(A) and ϕ(B) of G n commute. Moreover,for any choice of π the subgroups ϕ(A) and ϕ(B) ⋆-commute. Before we present the algorithm we need to give some details about the braid group B . The group B n n has a cyclic center generated by an element ∆2 where ∆ is an element called the half twist and can be expressed in the generators of B as follows: n ∆=(σ1...σn−1)·(σ1...σn−2)·...·(σ1). Any element g ∈B can be uniquely represented in a form n ∆pξ ...ξ 1 p satisfying certain conditions and called the left Garside normal form. Now, since ∆2 is a central element it follows that element u,w commute in B if and only u∆2p and n w∆2r do (for any choiceof p,r∈Z). Hence, we may alwaysassume that the normalformsof the generators {w ,...,w } and {v ,...,v } have the power of ∆ equal to 0 or −1. When we say that we reduce a braid 1 γ 1 γ modulo ∆2 we mean changing the ∆-power of its normal form to −1 or 0 depending on parity. The algorithm below (originally proposed in [2]) generates two ⋆-commuting subgroups. Algorithm 1.3. (TTP algorithm) (1) Choose two secret subsets BL = {b ,...,b }, BR = {b ,...,b } of the set of generators of B , l1 lα r1 rβ n where |l −r |≥2 for all 1≤i≤l and 1≤j ≤r . i j α β (2) Choose a secret element z ∈B . n 4 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL (3) Choose words {w ,...,w } of bounded length over the generatorsBL. 1 γ (4) Choose words {v ,...,v } of bounded length over the generatorsBR. 1 γ (5) For each i=1,...,γ: (a) calculate the left normal form of zw z−1 and reduce the result modulo ∆2; i ′ (b) put w to be a braid word corresponding to the element calculated in (a); i (c) calculate the left normal form of zv z−1 and reduce the result modulo ∆2; i (d) put v′ to be a braid word corresponding to the element calculated in (c). i (6) Publish the sets {v′,...,v′} and {w′,...,w′}. 1 γ 1 γ Wewantto pointoutthatTTPalgorithmproducesgeneratorsoftwocommutingsubgroupsinB . Alice n and Bob need to compute their images in GL(n,F (t)) to obtain ⋆-commuting subgroups. p 1.5. Security assumptions. It was noticed in [2] that if the conjugator z generated randomly by TTP algorithm is known then there exists an efficient linear attack on the scheme which is able to recover the shared key of the parties. The problem of recovering the exact z seems like a very difficult mathematical problem because it reduces to solving the system of equations w′ =∆2p1zw z−1 1 1  ... (1)  vw1′γ′==∆∆22rp1γzzvw1zγ−z1−1 ... whichhastoomanyunknowns,onlylefthandvsγ′id=es∆(i2.reγ.,zevlγezm−e1ntsw′,...,w′,v′,...,v′)areknown. Hence, 1 γ 1 γ it might be difficult to find the original z. Now observe that the AAGL key exchange protocol uses only the output of TTP algorithm, namely the tuples {v′,...,v′} and {w′,...,w′} since all internal values in TTP algorithm are not available to the 1 γ 1 γ parties. In other words it is irrelevant for the protocol how two particular commuting generating sets were constructed. This observation leads us to the following problem Fortuples{v′,...,v′}and{w′,...,w′}findanyz′ andanynumbersp ,...,p ,r ,...,r ∈ 1 γ 1 γ 1 γ 1 γ Zsuchthatthewords{∆2p1z′−1v′z′,...,∆2pγz′−1v′z′}and{∆2r1z′−1w′z′,...,∆2rγz′−1w′z′} 1 γ 1 γ can be expressed as words over two disjoint commuting subsets of generators of B . n Thisisanewproblemforcomputationalgrouptheory. Letusrefertoitassimultaneousconjugacyseparation search problem (abbreviated SCSSP). We want to emphasize that SCSSP has little in common with the simultaneous conjugacy search problem oftenreferencedinthe papersonthe braidgroupcryptanalysis. The main difference is that in the conjugacy search problem both conjugate elements are available and the goal is to recover the secret conjugator. And in case of SCSSP only the left side of the equation is known. It is not clear if one of the problems can be reduced to the other. It follows from the observation above that any solution z′ to a problem stated above plays a role of a conjugator z and can be used in a linear attack outlined in [2]. The main goal of this paper is to present an algorithm which for proposed parameter values solves SCSSP. Experimental results convince us that our attack is a serious threat for AAGL as the success rate is 100%. Furthermore, a slight modification of the algorithm produces the exact z generated by TTP in 40% of randomly generated instances. 1.6. Proposed parameter values. To provide 80 bits of security against the exhaustive search for z for the scheme the authors propose two slightly different sets of parameters: • Parameter set # 1. – Let n=14, p=13, and r =3. – Choose the conjugator z randomly of length 17. – Choose the words w and v randomly of length approximately 10. i j – The number γ of the words w and v is 27. i j • Parameter set # 2. CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 5 – Let n=12, p=13, and r =3. – Choose the conjugator z randomly of length 18. – Choose the words w and v randomly of length approximately 10. i j – The number γ of the words w and v is 27. i j 2. TTP attack In this section we describe a heuristic attack which finds a solution to a given instance of SCSSP. The main ingredient in our attack is a length function on the group B . As it is explained in [6] there are no n known efficiently computable and ”sharp” length functions for braid groups. Therefore, for our attack we adopt the method of approximation of the geodesic length function originally proposed in [5]. In all our algorithms by |·| we denote approximation of the geodesic length function. We present results of experiments which show that a fast heuristic procedure based on the length-based reduction is extremely successful for the suggested parameters. In fact, every instance of TTP algorithm generated in our experiments has been broken. 2.1. Generation. The original paper [2] lacks any details on how to randomly generate the secret element z and the words {w ,...,w }, {v ,...,v } in TTP algorithm. Hence, in all our experiments: 1 γ 1 γ • Thewordz istakenuniformlyrandomlyasawordofaparticularlengthfromtheambientfreegroup F(σ1,...,σn−1). • The words w ,...,w and v ,...,v are taken uniformly randomly as words of particular lengths 1 γ 1 γ from the ambient free groups F(BL) and F(BR). Also, the authors suggest to take the sets BL and BR randomly on step (1) of TTP algorithm. Observe that in general this might result in a choice of BL such that for some 1≤i<j <k ≤n−1 σ ,σ ∈BL, but σ ∈BR. i k j We think that this situation is not desirable as it excludes the use of at least two braid generators in the words w and v . We think that the choice of the following sets i j BL={σ1,...,σl} and BR={σl+2,...,σn−1} (where n is an even number and l =(n−2)/2)is optimal as it excludes only σ which maximizes the size l+1 of a space for the words w ,...,w and v ,...,v . 1 γ 1 γ 2.2. Recovering ∆-powers. The first stage in our attack is recovering ∆ powers in the system (1), i.e., computing numbers p ,...,p and r ,...,r . The main tool in our computations below is the triangular 1 γ 1 γ inequality for the Cayley graph of the braid group B . Observe that the following inequalities hold. n (Parameter set #1) For each i=1,...,γ |z−1u z|≤2|z|+|u |=44 and |z−1w z|≤2|z|+|w |=44 i i j j and |∆2p|=pn(n−1)=182p. Hence, |∆2pz−1u z|,|∆2pz−1w z|∈[182p−44,182p+44] and i j |∆2pz−1u z|−|∆2(p−1)z−1u z|≥182−2·44=94 i i |∆2pz−1w z|−|∆2(p−1)z−1w z|≥182−2·44=94. j j (Parameter set #2) For each i=1,...,γ |z−1u z|≤2|z|+|u |=46 and |z−1w z|≤2|z|+|w |=46 i i j j and |∆2p|=pn(n−1)=132p. Hence |∆2pz−1u z|,|∆2pz−1w z|∈[132p−46,132p+46] and i j |∆2pz−1u z|−|∆2(p−1)z−1u z|≥132−2·46=40 i i 6 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL |∆2pz−1w z|−|∆2(p−1)z−1w z|≥132−2·46=40. j j Thisobservationimpliesthatforbothparametersetsthesequences{|∆2pz−1u z|}∞ and{|∆2pz−1w z|}∞ i p=0 j p=0 are strictly increasing. Thus, to recoverthe originalpower of ∆ one can repeatedly multiply u′ (and w′) on i j theleftby∆2 untilthelengthcannotbereducedanymore(seeAlgorithm2.1). Moreover,sincethedifference between two elements differing by ∆2 is at least 40 even crude approximations of the length function must work. Algorithm 2.1 (∆-power recovery). Input: An element w ∈B . n Output: An element u minimal in the left coset ∆−2 w. Computations: (cid:10) (cid:11) A. Set u=w. B. If |u|>|∆−2u| then set u=∆−2u and goto B. C. If |u|>|∆2u| then set u=∆2u and goto B. D. Otherwise output u. ClearlyAlgorithm2.1alwaysterminates. Thetimecomplexityofthealgorithmdependsonthecomplexity of the procedure which approximates the geodesic length. The procedure is heuristic and its worst case complexityisnotknown. Experimentalresultsin[5]suggestthatthelengthapproximationcanbeefficiently computed for most braid words and we estimate the expected complexity of the procedure as O(n). Under this assumption, it is easy to see that the power-recovery algorithm can be executed in at most O((|w|+ n2)|w|/n2)=O(|w|2/n2+|w|) steps asthe algorithmperformsupto |w|/n2 iterationsandoneachiteration for a word u of length up to |w| the length of a word ∆2u is estimated. 2.3. Recovering conjugator. The second part of the attack computes a secret conjugator. At this point we assume that all ∆-powers from the system (1) are successfully found and we have a system of equations of the form w′′ =zw z−1 z−1w′′z =w 1 1 1 1  ...  ... (2)  vw1′γ′′′==zzvw1zγz−−11 or  zz−−11wv1′γ′′′zz==vw1γ ... ... where only elements u′′ =∆−2piu′ avnγ′d′ =w′z′v=γz∆−1−2riw′ are knz−ow1vnγ′.′zL=etvuγs call two sets of braids separated if i i j j they can be expressed as words over disjoint commuting sets of generators of B . As mentioned in Section n ′ 1.5 to break the protocol it is sufficient to find any conjugator z which conjugates two tuples of elements (u′′,...,u′′) and (w′′,...,w′′) into two separated tuples of elements (u ,...,u ) and (w ,...,w ). This is 1 γ 1 γ 1 γ 1 γ the main goal of our attack. Let u¯ = (u ,...,u ) be a tuple of elements in B and x is an element of B . Denote by |u¯| the total 1 m n n length of elements in u¯, i.e., put m |u¯|= |u |. i Xi=1 Denote by u¯x a tuple obtained from u¯ by conjugation of each its element by x. It is intuitively clear that conjugation of a tuple of braids by a random element x almost always increases the length of the tuple. In other words, for a random element x the inequality (3) |u¯x|>|u¯| is almost always true. We do not have a proof of this fact, but numerous experiments convince us that it is true. Moreover,conjugation by longer elements almost always results in longer tuples. The idea that conjugation consequently increases the length of tuples is not new. It was used in papers [4], [3] for different length functions with different success. But the most successful is a recent attack [6] CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 7 which uses approximation of the geodesic length. In this paper we use the idea of separating two tuples of braids. To find z′ we repeatedly conjugate the tuple (u′′,...,u′′,w′′,...,w′′) by generators of B and their 1 γ 1 γ n inverses and if for some generator σ±1 the decrease of the total length of the tuple is observed then it is k reasonable to guess that σ±1 is involved in z′. k Algorithm 2.2 (Recovering conjugator - I). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set z′ =1. Computations: A. For each i=1,...,n−1 and ε=±1 conjugate tuples a¯ and¯b by a generator σε and compute i δi,ε =|a¯σiε|+|¯bσiε|−(|a¯|+|¯b|). B. If for some σiε the sets a¯σiε and¯bσiε are separated then output z′ =σiεz′. C. Otherwise, if all δ are positive (i.e., conjugation by σε cannot further decrease the total length) i,ε i then output FAILURE. D. Otherwise choose i and ε for which δi,ε is minimal. Set z′ =σiεz′, a¯ =a¯σiε, and¯b =¯bσiε. Goto step A. The described attack is similar to the one described in [6]. Recall that the main problem in [6] was the existence of so-called peaks (see [6, Definition 2.5]). This phenomenon is a consequence of difficult structure of finitely generatedsubgroups of braidgroups. In this paper,we do not have this problemas z is chosenin the whole group B . n NotethatAlgorithm2.2isagreedydescendprocedure. Itmayfailduetothefactthatthereexistsasmall fraction of words for which the inequality (3) does not hold. It is also prone to the length approximation errors. One can significantly reduce the failure rate of a descent procedure by introducing a backtracking algorithm which allows exploration of more than one search paths. Algorithm 2.3 gives an implementation of the attack with backtracking. Algorithm 2.3 (Recovering conjugator with Backtracking). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set S ={(a¯,¯b,1)}. Computations: A. If S =∅ then output FAILURE. B. Choose (x¯,y¯,c)∈S such that |x¯|+|y¯| is the minimal. C. For each i=1,...,n−1 and ε=±1 conjugate tuples x¯ and y¯by a generator σε and compute i δi,ε =|x¯σiε|+|y¯σiε|−(|x¯|+|y¯|). D. If for some σiε the sets x¯σiε and y¯σiε are separated then output z′ =σiεc. E. Otherwise,for eachi=1,...,n−1 andε=±1addthe tuple (x¯σiε,x¯σiε,σiεc) tothe setS. Goto step A. We must mentionhere that, althoughthere is a possibility that Algorithm2.3 outputs FAILURE ordoes not terminate on some inputs, this situation has never occurred in our experiments. Finally, we present another modification of Algorithm 2.2. Algorithm 2.4 (Recovering conjugator - II). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set z′ =1. Computations: 8 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL A. For each i=1,...,n−1 and ε=±1 conjugate tuples a¯ and¯b by a generator σε and compute i δi,ε =|a¯σiε|+|¯bσiε|−(|a¯|+|¯b|). B. If all δ are positive (i.e., conjugation by σε cannot further decrease the total length) and the sets i,ε i a¯ and¯b are separated then output z′. C. If all δ are positive (i.e., conjugation by σε cannot further decrease the total length), but the sets i,ε i a¯ and¯b are not separated then output FAILURE. D. Otherwise choose i and ε for which δi,ε is minimal. Set z′ =σiεz′, a¯ =a¯σiε, and¯b =¯bσiε. Goto step A. Algorithms 2.2 and 2.4 are almost the same except that they have different termination conditions. Algorithm 2.2 stops as soon as the tuples are separated, while Algorithm 2.4 tries to minimize the total length of the tuple and when the minimal value is reached it checks if the current tuples are separated. ThecomplexityofstepAinAlgorithms2.2and2.4isO(γn(|a |+|b |)). Themaximalnumberofiterations i i can be bounded by the total length of the input |a |+|b |. A very crude upper bound on the complexity of i i the two algorithms is O(γn(|a |+|b |)2). i i The complexity of Algorithm 2.3 is harder to estimate. Potentially, the backtracking mechanism may causethe algorithmto exploreexponentially many potentialsolutions. However,our experimentsshow that a very few backtracking steps are required to find a solution. 2.4. Results of experiments. The attack was tested on different sets of instances of the protocol. In particular we generated the sets BL and BR randomly and used fixed sets BL = {σ ,...,σ } and BR = 1 l {σl+2,...,σn−1}. We used the proposed values of the parameters (see Section 1.6). In addition the attack was tested on instances generated with the increased length of the secret conjugator z. In all the experiments Algorithm 2.3 had 100% success of producing a separating conjugator z′. The average time of a run of the algorithm was 4.5 seconds when executed on a Dual Core Opteron 2.2 GHz machine with 4GB of ram. The algorithm without backtracking had slightly smaller but still respectable success rate of 90%. It is very interesting to notice that Algorithm 2.4 actually recoveredthe originalsecret conjugator z in about 40% of the cases. That is the reason we mention this algorithm in the paper. ExperimentswithinstancesofTTPprotocolgeneratedusing|z|=50(whichisalmostthreetimesgreater than the suggested value) again showed 100% success rate. However, we need to point out that the attack mayfailwhenthelengthofz islargerelativetothelengthof∆2. Forinstancewheninthesecondparameter set the length of z is increased to 100, the algorithm recovering ∆-powers sometimes output wrong values. Nevertheless, the success rate of Algorithm 2.3 is still about 90% in this case. We think it is possible to modify our algorithms to work with increased parameter values. But the biggest concern here is that the protocol with increased parameter values might be not suitable for purposes of lightweight cryptography. References [1] I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography, Math. Res. Lett. 6 (1999), 287–291. [2] I.Anshel,M.Anshel,D.Goldfeld,S.Lemieux,”KeyAgreement,TheAlgebraicEraserTM,andLightweightCryp- tography”. In”AlgebraicMethods inCryptography”, ContemporaryMath.418(2006), 1–17. [3] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne ”Length-based conjugacy search in the Braid group”, availableathttp://arxiv.org/abs/math.GR/0209267. [4] J. Hughes, A. Tannenbaum, ”Length-based attacks for certain group based encryption rewriting systems”. In: WorkshopSECI02Securit`edelaCommunicationsurIntenet, September 2002,Tunis,Tunisia. [5] A.G.Myasnikov,V.Shpilrain,A.Ushakov.A practical attack onsome braid group based cryptographic protocols. InCRYPTO2005,LectureNotesComp.Sc.3621(2005), 86-96. [6] A. D. Myasnikov, A. Ushakov. Length Based Attack and Braid Groups: Cryptanalysis of Anshel-Anshel-Goldfeld Key Exchange Protocol. T.OkamotoandX.Wang(Eds.): PKC2007,LNCS4450, 2007,768. CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 9 Departmentof Mathematics,StevensInstituteof Technology,Hoboken, NJ 07030 E-mail address: [email protected] Departmentof Mathematics,StevensInstituteof Technology,Hoboken, NJ 07030 E-mail address: [email protected]

ebook img

Cryptanalysis of Anshel-Anshel-Goldfeld-Lemieux key agreement protocol PDF

0.15 MB·English
by  Alex D. Myasnikov
#additional_collections #journals #arxiv
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Cryptanalysis of Anshel-Anshel-Goldfeld-Lemieux key agreement protocol

CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL ALEXD.MYASNIKOVANDALEXANDERUSHAKOV 8 0 0 2 Abstract. The Anshel-Anshel-Goldfeld-Lemieux (abbreviated AAGL) key agreement protocol [2] is pro- n posed to be used on low-cost platforms which constraint the use of computational resources. The core of a the protocol is the concept of an Algebraic EraserTM (abbreviated AE) which is claimed to be a suitable J primitiveforusewithinlightweight cryptography. TheAEprimitiveisbasedon anew andingenious idea 0 of using an action of a semidirect product on a (semi)group to obscure involved algebraic structures. The 3 underlying motivation for AAGL protocol is the need to secure networks which deploy Radio Frequency Identification (RFID)tagsusedforidentification, authentication, tracingandpoint-of-saleapplications. ] In this paper we revisit the computational problem on which AE relies and heuristically analyze its R hardness. We show that for proposed parameter values it is impossible to instantiate the secure protocol. G Tobe moreprecise, in100% of randomlygenerated instances ofthe protocol wewere ableto findasecret conjugator z generated byTTPalgorithm(partofAAGLprotocol). . h at 1. The Colored Burau Key Agreement Protocol m A general mathematical framework of AAGL protocol is quite complicated. In this paper we try to omit [ unnecessarydetails and simplify the notationof [2] as much as possible. We refer aninterested reader to [2, 1 Sections 2 and3] for a complete description. Here we startout by givinga particularimplementation of the v primitive called the Colored Burau Key Agreement Protocol(CBKAP). 6 8 1.1. A platform group. Fix an integer n ≥ 7 and a prime p. Let t = (t1,...,tn) be a tuple of formal 7 variables. Define matrices 4 −t 1 1 1.  1  0 x1(t)= ...  8   0  1    v: and for i=2,...,n−1 i 1 X  ...  r a xi(t)= ti −ti 1     ..   .     1    which is the identity matrix except for the ith row where it has successive entries t , −t , 1 with −t on i i i the diagonal. We look at the matrices x1(t),...,xn−1(t) as elements of the group GL(n,Fp(t)) of n×n matriceswith entriesasLaurentpolynomialsoverthe finite fieldF . The symmetric grouponn symbolsS p n acts on GL(n,F (t)) by permuting the variables t ,...t . We denote the result of the action of s ∈ S on p 1 n n x∈GL(n,F (t)) by sx. p ThesemidirectproductGL(n,F (t))⋊S ofthegroupsGL(n,F (t))andS relativetothedefinedaction p n p n of S on matrices GL(n,F (t)) is a set of pairs n p {(m,s)|m∈GL(n,F (t)), s∈S } p n Date:Version4•September 30,2007. 1 2 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL with multiplication given by (m ,s )·(m ,s ):=(m ·s1 m ,s ·s ). 1 1 2 2 1 2 1 2 Denote by s =(i,i+1)∈S the transposition which interchanges i and i+1 and by g the element of the i n i semidirect product GL(n,F (t))⋊S p n g =(x (t),s ). i i i A subgroup G=hg1,...,gn−1i of GL(n,F (t))⋊S is called the colored Burau group. The group G is a platform group for AAGL key p n agrement protocol. Recall that the group B of n-strand braids has the classical Artin’s presentation: n σ σ σ =σ σ σ if |i−j|=1 Bn =(cid:28) σ1,...,σn−1 (cid:12) σiiσjj =i σjσji i j if |i−j|>1 (cid:29). (cid:12) (cid:12) Awordoverthegroupalphabet{σ1,...,σn−1}(cid:12) iscalledabraid word. Anyn-strandbraidcanberepresented by a braid word. The length of a shortest braid word representing an element g ∈B is called the geodesic n lengthofg relativeto the Artin’s setofgeneratorsandis denotedby|g|. The function|·|:B →N iscalled n the geodesic length function on B . n Lemma 1.1. The elements g = (x (t),s ), for i = 1,2,...,n−1, satisfy the braid relations and hence i i i ϕ determine a representation of the braid group B , i.e., the mapping σ 7→g defines a group epimorphism n i i ϕ:B →G. n Proof. Straightforwardcheck. (cid:3) 1.2. Action of the platform group on GL(n,F ). Fix elements τ ,...,τ ∈ F and define a homo- p 1 n p morphism π which maps GL(n,F (t)) into GL(n,F ) by assigning the value τ to the variable t , i.e., by p p i i evaluating a matrix at τ ,...,τ . We call π the evaluation function. 1 n Assumption on τ ,...,τ . We assume that π defines a correct group homomorphism. 1 n Relative to the chosen tuple τ ,...,τ ∈ F and the corresponding function π one can define an action of 1 n p GL(n,F (t))⋊S on GL(n,F )×S by putting p n p n (m ,s )⋆(m ,s )=(m ·π(s1m ),s s ) 1 1 2 2 1 2 1 2 where ⋆ denotes the action. Indeed, it is not difficult to check that ⋆ is an action and satisfies the property ((m ,s )⋆(m ,s ))⋆(m ,s )=(m ,s )⋆((m ,s )·(m ,s )). 1 1 2 2 3 3 1 1 2 2 3 3 We say that (m ,t ) and (m ,t ) ⋆-commute if the equality 1 1 2 2 (π(m ),s )⋆(m ,s )=(π(m ),s )⋆(m ,s ) 1 1 2 2 2 2 1 1 holds. The next lemma is obvious. Lemma 1.2. Let w = m (x (t),s ) and v = l (x (t),s ) be such that |i −j | > 1 for every k=1 ik ik p=1 jp jp k p k =1,...,m and p=1,.Q..,l. Then the elements w aQnd v ⋆-commute. 1.3. The protocol. Before the parties perform actual transmissions the following data is being prepared by the Third Trusted Party (TTP). • A matrix m ∈GL(n,F ) which has an irreducible characteristicpolynomial over F . The choice of 0 p p m is not relevant for the purposes of this paper, we refer the reader to [2] for more information on 0 how m can be generated randomly. 0 • ⋆-commuting subgroups A = hw ,...,w i and B = hu ,...,u i of the group G. We want to point 1 γ 1 γ out that the elements w and v are given to us as products of generators of G and there inverses, i j i.e., as formal words in group alphabet {g1,...,gn−1}. We prefer this form because it allows us to avoid time consuming matrix multiplication in GL(n,F (t)). p CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 3 Both, the matrix m and subgroups A and B, can be chosen only once. Now, the public and private keys 0 are chosen as follows: Alice’s Private Key: is a pair which consists of a matrix of the form n =l mα1 +l mα2 +...+l mαr ∈GL(n,F ) a 1 0 2 0 r 0 p (where l ,...,l ∈ F and r,α ,...,α ∈ Z+) and a random sequence wε1,...,wεm of generators of A and 1 r p 1 r i1 im their inverses. Alice’s Public Key: is an element A =(n ,id)⋆wε1 ⋆...⋆wεm ∈GL(n,F )×S . public a i1 im p n Recallthateachw isgivenasaformalproductofthegeneratorsofG. Toperformthe⋆-operationefficiently ik one should not directly compute w , but consequently apply the factors of w to the argument. ik ik Bob’s Private Key: is a pair which consists of a matrix of the form nb =l1′mβ01 +l2′mβ02 +...+lr′′mβ0r′ ∈GL(n,Fp) (where l1′,...,lr′′ ∈ Fp and r′,β1,...,βr′ ∈ Z+) and a random sequence vjδ11,...,vjδll of generators of B and their inverses. Bob’s Public Key: is a pair B =(n ,id)⋆vδi ⋆...⋆vδl ∈GL(n,F )×S . public b j1 jl p n Again, each v is given as a formal product of the generators of G. To perform the ⋆-operation efficiently jk one should not directly compute v , but consequently apply the factors of v to the argument. jk jk The shared key: is an element of GL(n,F )×S obtained by Alice in the form p n [(n ,id)·B ]⋆wε1 ⋆...⋆wεm a public i1 im and by Bob in the form [(n ,id)·A ]⋆vδi ⋆...⋆vδl b public j1 jl It requires a little work to prove that the obtained elements are indeed equal in GL(n,F ). We omit the p proof. 1.4. TTP algorithm. The cornerstone part of the proposed key-exchange is the choice of ⋆-commuting subgroups of the group G. The basic idea is to use Lemma 1.1 and choose commuting subgroups A and B in B and then pull them into G using the epimorphism ϕ. The resulting subgroups ϕ(A) and ϕ(B) of G n commute. Moreover,for any choice of π the subgroups ϕ(A) and ϕ(B) ⋆-commute. Before we present the algorithm we need to give some details about the braid group B . The group B n n has a cyclic center generated by an element ∆2 where ∆ is an element called the half twist and can be expressed in the generators of B as follows: n ∆=(σ1...σn−1)·(σ1...σn−2)·...·(σ1). Any element g ∈B can be uniquely represented in a form n ∆pξ ...ξ 1 p satisfying certain conditions and called the left Garside normal form. Now, since ∆2 is a central element it follows that element u,w commute in B if and only u∆2p and n w∆2r do (for any choiceof p,r∈Z). Hence, we may alwaysassume that the normalformsof the generators {w ,...,w } and {v ,...,v } have the power of ∆ equal to 0 or −1. When we say that we reduce a braid 1 γ 1 γ modulo ∆2 we mean changing the ∆-power of its normal form to −1 or 0 depending on parity. The algorithm below (originally proposed in [2]) generates two ⋆-commuting subgroups. Algorithm 1.3. (TTP algorithm) (1) Choose two secret subsets BL = {b ,...,b }, BR = {b ,...,b } of the set of generators of B , l1 lα r1 rβ n where |l −r |≥2 for all 1≤i≤l and 1≤j ≤r . i j α β (2) Choose a secret element z ∈B . n 4 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL (3) Choose words {w ,...,w } of bounded length over the generatorsBL. 1 γ (4) Choose words {v ,...,v } of bounded length over the generatorsBR. 1 γ (5) For each i=1,...,γ: (a) calculate the left normal form of zw z−1 and reduce the result modulo ∆2; i ′ (b) put w to be a braid word corresponding to the element calculated in (a); i (c) calculate the left normal form of zv z−1 and reduce the result modulo ∆2; i (d) put v′ to be a braid word corresponding to the element calculated in (c). i (6) Publish the sets {v′,...,v′} and {w′,...,w′}. 1 γ 1 γ Wewantto pointoutthatTTPalgorithmproducesgeneratorsoftwocommutingsubgroupsinB . Alice n and Bob need to compute their images in GL(n,F (t)) to obtain ⋆-commuting subgroups. p 1.5. Security assumptions. It was noticed in [2] that if the conjugator z generated randomly by TTP algorithm is known then there exists an efficient linear attack on the scheme which is able to recover the shared key of the parties. The problem of recovering the exact z seems like a very difficult mathematical problem because it reduces to solving the system of equations w′ =∆2p1zw z−1 1 1  ... (1)  vw1′γ′==∆∆22rp1γzzvw1zγ−z1−1 ... whichhastoomanyunknowns,onlylefthandvsγ′id=es∆(i2.reγ.,zevlγezm−e1ntsw′,...,w′,v′,...,v′)areknown. Hence, 1 γ 1 γ it might be difficult to find the original z. Now observe that the AAGL key exchange protocol uses only the output of TTP algorithm, namely the tuples {v′,...,v′} and {w′,...,w′} since all internal values in TTP algorithm are not available to the 1 γ 1 γ parties. In other words it is irrelevant for the protocol how two particular commuting generating sets were constructed. This observation leads us to the following problem Fortuples{v′,...,v′}and{w′,...,w′}findanyz′ andanynumbersp ,...,p ,r ,...,r ∈ 1 γ 1 γ 1 γ 1 γ Zsuchthatthewords{∆2p1z′−1v′z′,...,∆2pγz′−1v′z′}and{∆2r1z′−1w′z′,...,∆2rγz′−1w′z′} 1 γ 1 γ can be expressed as words over two disjoint commuting subsets of generators of B . n Thisisanewproblemforcomputationalgrouptheory. Letusrefertoitassimultaneousconjugacyseparation search problem (abbreviated SCSSP). We want to emphasize that SCSSP has little in common with the simultaneous conjugacy search problem oftenreferencedinthe papersonthe braidgroupcryptanalysis. The main difference is that in the conjugacy search problem both conjugate elements are available and the goal is to recover the secret conjugator. And in case of SCSSP only the left side of the equation is known. It is not clear if one of the problems can be reduced to the other. It follows from the observation above that any solution z′ to a problem stated above plays a role of a conjugator z and can be used in a linear attack outlined in [2]. The main goal of this paper is to present an algorithm which for proposed parameter values solves SCSSP. Experimental results convince us that our attack is a serious threat for AAGL as the success rate is 100%. Furthermore, a slight modification of the algorithm produces the exact z generated by TTP in 40% of randomly generated instances. 1.6. Proposed parameter values. To provide 80 bits of security against the exhaustive search for z for the scheme the authors propose two slightly different sets of parameters: • Parameter set # 1. – Let n=14, p=13, and r =3. – Choose the conjugator z randomly of length 17. – Choose the words w and v randomly of length approximately 10. i j – The number γ of the words w and v is 27. i j • Parameter set # 2. CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 5 – Let n=12, p=13, and r =3. – Choose the conjugator z randomly of length 18. – Choose the words w and v randomly of length approximately 10. i j – The number γ of the words w and v is 27. i j 2. TTP attack In this section we describe a heuristic attack which finds a solution to a given instance of SCSSP. The main ingredient in our attack is a length function on the group B . As it is explained in [6] there are no n known efficiently computable and ”sharp” length functions for braid groups. Therefore, for our attack we adopt the method of approximation of the geodesic length function originally proposed in [5]. In all our algorithms by |·| we denote approximation of the geodesic length function. We present results of experiments which show that a fast heuristic procedure based on the length-based reduction is extremely successful for the suggested parameters. In fact, every instance of TTP algorithm generated in our experiments has been broken. 2.1. Generation. The original paper [2] lacks any details on how to randomly generate the secret element z and the words {w ,...,w }, {v ,...,v } in TTP algorithm. Hence, in all our experiments: 1 γ 1 γ • Thewordz istakenuniformlyrandomlyasawordofaparticularlengthfromtheambientfreegroup F(σ1,...,σn−1). • The words w ,...,w and v ,...,v are taken uniformly randomly as words of particular lengths 1 γ 1 γ from the ambient free groups F(BL) and F(BR). Also, the authors suggest to take the sets BL and BR randomly on step (1) of TTP algorithm. Observe that in general this might result in a choice of BL such that for some 1≤i<j <k ≤n−1 σ ,σ ∈BL, but σ ∈BR. i k j We think that this situation is not desirable as it excludes the use of at least two braid generators in the words w and v . We think that the choice of the following sets i j BL={σ1,...,σl} and BR={σl+2,...,σn−1} (where n is an even number and l =(n−2)/2)is optimal as it excludes only σ which maximizes the size l+1 of a space for the words w ,...,w and v ,...,v . 1 γ 1 γ 2.2. Recovering ∆-powers. The first stage in our attack is recovering ∆ powers in the system (1), i.e., computing numbers p ,...,p and r ,...,r . The main tool in our computations below is the triangular 1 γ 1 γ inequality for the Cayley graph of the braid group B . Observe that the following inequalities hold. n (Parameter set #1) For each i=1,...,γ |z−1u z|≤2|z|+|u |=44 and |z−1w z|≤2|z|+|w |=44 i i j j and |∆2p|=pn(n−1)=182p. Hence, |∆2pz−1u z|,|∆2pz−1w z|∈[182p−44,182p+44] and i j |∆2pz−1u z|−|∆2(p−1)z−1u z|≥182−2·44=94 i i |∆2pz−1w z|−|∆2(p−1)z−1w z|≥182−2·44=94. j j (Parameter set #2) For each i=1,...,γ |z−1u z|≤2|z|+|u |=46 and |z−1w z|≤2|z|+|w |=46 i i j j and |∆2p|=pn(n−1)=132p. Hence |∆2pz−1u z|,|∆2pz−1w z|∈[132p−46,132p+46] and i j |∆2pz−1u z|−|∆2(p−1)z−1u z|≥132−2·46=40 i i 6 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL |∆2pz−1w z|−|∆2(p−1)z−1w z|≥132−2·46=40. j j Thisobservationimpliesthatforbothparametersetsthesequences{|∆2pz−1u z|}∞ and{|∆2pz−1w z|}∞ i p=0 j p=0 are strictly increasing. Thus, to recoverthe originalpower of ∆ one can repeatedly multiply u′ (and w′) on i j theleftby∆2 untilthelengthcannotbereducedanymore(seeAlgorithm2.1). Moreover,sincethedifference between two elements differing by ∆2 is at least 40 even crude approximations of the length function must work. Algorithm 2.1 (∆-power recovery). Input: An element w ∈B . n Output: An element u minimal in the left coset ∆−2 w. Computations: (cid:10) (cid:11) A. Set u=w. B. If |u|>|∆−2u| then set u=∆−2u and goto B. C. If |u|>|∆2u| then set u=∆2u and goto B. D. Otherwise output u. ClearlyAlgorithm2.1alwaysterminates. Thetimecomplexityofthealgorithmdependsonthecomplexity of the procedure which approximates the geodesic length. The procedure is heuristic and its worst case complexityisnotknown. Experimentalresultsin[5]suggestthatthelengthapproximationcanbeefficiently computed for most braid words and we estimate the expected complexity of the procedure as O(n). Under this assumption, it is easy to see that the power-recovery algorithm can be executed in at most O((|w|+ n2)|w|/n2)=O(|w|2/n2+|w|) steps asthe algorithmperformsupto |w|/n2 iterationsandoneachiteration for a word u of length up to |w| the length of a word ∆2u is estimated. 2.3. Recovering conjugator. The second part of the attack computes a secret conjugator. At this point we assume that all ∆-powers from the system (1) are successfully found and we have a system of equations of the form w′′ =zw z−1 z−1w′′z =w 1 1 1 1  ...  ... (2)  vw1′γ′′′==zzvw1zγz−−11 or  zz−−11wv1′γ′′′zz==vw1γ ... ... where only elements u′′ =∆−2piu′ avnγ′d′ =w′z′v=γz∆−1−2riw′ are knz−ow1vnγ′.′zL=etvuγs call two sets of braids separated if i i j j they can be expressed as words over disjoint commuting sets of generators of B . As mentioned in Section n ′ 1.5 to break the protocol it is sufficient to find any conjugator z which conjugates two tuples of elements (u′′,...,u′′) and (w′′,...,w′′) into two separated tuples of elements (u ,...,u ) and (w ,...,w ). This is 1 γ 1 γ 1 γ 1 γ the main goal of our attack. Let u¯ = (u ,...,u ) be a tuple of elements in B and x is an element of B . Denote by |u¯| the total 1 m n n length of elements in u¯, i.e., put m |u¯|= |u |. i Xi=1 Denote by u¯x a tuple obtained from u¯ by conjugation of each its element by x. It is intuitively clear that conjugation of a tuple of braids by a random element x almost always increases the length of the tuple. In other words, for a random element x the inequality (3) |u¯x|>|u¯| is almost always true. We do not have a proof of this fact, but numerous experiments convince us that it is true. Moreover,conjugation by longer elements almost always results in longer tuples. The idea that conjugation consequently increases the length of tuples is not new. It was used in papers [4], [3] for different length functions with different success. But the most successful is a recent attack [6] CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 7 which uses approximation of the geodesic length. In this paper we use the idea of separating two tuples of braids. To find z′ we repeatedly conjugate the tuple (u′′,...,u′′,w′′,...,w′′) by generators of B and their 1 γ 1 γ n inverses and if for some generator σ±1 the decrease of the total length of the tuple is observed then it is k reasonable to guess that σ±1 is involved in z′. k Algorithm 2.2 (Recovering conjugator - I). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set z′ =1. Computations: A. For each i=1,...,n−1 and ε=±1 conjugate tuples a¯ and¯b by a generator σε and compute i δi,ε =|a¯σiε|+|¯bσiε|−(|a¯|+|¯b|). B. If for some σiε the sets a¯σiε and¯bσiε are separated then output z′ =σiεz′. C. Otherwise, if all δ are positive (i.e., conjugation by σε cannot further decrease the total length) i,ε i then output FAILURE. D. Otherwise choose i and ε for which δi,ε is minimal. Set z′ =σiεz′, a¯ =a¯σiε, and¯b =¯bσiε. Goto step A. The described attack is similar to the one described in [6]. Recall that the main problem in [6] was the existence of so-called peaks (see [6, Definition 2.5]). This phenomenon is a consequence of difficult structure of finitely generatedsubgroups of braidgroups. In this paper,we do not have this problemas z is chosenin the whole group B . n NotethatAlgorithm2.2isagreedydescendprocedure. Itmayfailduetothefactthatthereexistsasmall fraction of words for which the inequality (3) does not hold. It is also prone to the length approximation errors. One can significantly reduce the failure rate of a descent procedure by introducing a backtracking algorithm which allows exploration of more than one search paths. Algorithm 2.3 gives an implementation of the attack with backtracking. Algorithm 2.3 (Recovering conjugator with Backtracking). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set S ={(a¯,¯b,1)}. Computations: A. If S =∅ then output FAILURE. B. Choose (x¯,y¯,c)∈S such that |x¯|+|y¯| is the minimal. C. For each i=1,...,n−1 and ε=±1 conjugate tuples x¯ and y¯by a generator σε and compute i δi,ε =|x¯σiε|+|y¯σiε|−(|x¯|+|y¯|). D. If for some σiε the sets x¯σiε and y¯σiε are separated then output z′ =σiεc. E. Otherwise,for eachi=1,...,n−1 andε=±1addthe tuple (x¯σiε,x¯σiε,σiεc) tothe setS. Goto step A. We must mentionhere that, althoughthere is a possibility that Algorithm2.3 outputs FAILURE ordoes not terminate on some inputs, this situation has never occurred in our experiments. Finally, we present another modification of Algorithm 2.2. Algorithm 2.4 (Recovering conjugator - II). Input: Tuples a¯={a ,...,a } and¯b={b ,...,b }. 1 γ 1 γ Output: An element z′ separating tuples a¯ and¯b. Initialization: Set z′ =1. Computations: 8 CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL A. For each i=1,...,n−1 and ε=±1 conjugate tuples a¯ and¯b by a generator σε and compute i δi,ε =|a¯σiε|+|¯bσiε|−(|a¯|+|¯b|). B. If all δ are positive (i.e., conjugation by σε cannot further decrease the total length) and the sets i,ε i a¯ and¯b are separated then output z′. C. If all δ are positive (i.e., conjugation by σε cannot further decrease the total length), but the sets i,ε i a¯ and¯b are not separated then output FAILURE. D. Otherwise choose i and ε for which δi,ε is minimal. Set z′ =σiεz′, a¯ =a¯σiε, and¯b =¯bσiε. Goto step A. Algorithms 2.2 and 2.4 are almost the same except that they have different termination conditions. Algorithm 2.2 stops as soon as the tuples are separated, while Algorithm 2.4 tries to minimize the total length of the tuple and when the minimal value is reached it checks if the current tuples are separated. ThecomplexityofstepAinAlgorithms2.2and2.4isO(γn(|a |+|b |)). Themaximalnumberofiterations i i can be bounded by the total length of the input |a |+|b |. A very crude upper bound on the complexity of i i the two algorithms is O(γn(|a |+|b |)2). i i The complexity of Algorithm 2.3 is harder to estimate. Potentially, the backtracking mechanism may causethe algorithmto exploreexponentially many potentialsolutions. However,our experimentsshow that a very few backtracking steps are required to find a solution. 2.4. Results of experiments. The attack was tested on different sets of instances of the protocol. In particular we generated the sets BL and BR randomly and used fixed sets BL = {σ ,...,σ } and BR = 1 l {σl+2,...,σn−1}. We used the proposed values of the parameters (see Section 1.6). In addition the attack was tested on instances generated with the increased length of the secret conjugator z. In all the experiments Algorithm 2.3 had 100% success of producing a separating conjugator z′. The average time of a run of the algorithm was 4.5 seconds when executed on a Dual Core Opteron 2.2 GHz machine with 4GB of ram. The algorithm without backtracking had slightly smaller but still respectable success rate of 90%. It is very interesting to notice that Algorithm 2.4 actually recoveredthe originalsecret conjugator z in about 40% of the cases. That is the reason we mention this algorithm in the paper. ExperimentswithinstancesofTTPprotocolgeneratedusing|z|=50(whichisalmostthreetimesgreater than the suggested value) again showed 100% success rate. However, we need to point out that the attack mayfailwhenthelengthofz islargerelativetothelengthof∆2. Forinstancewheninthesecondparameter set the length of z is increased to 100, the algorithm recovering ∆-powers sometimes output wrong values. Nevertheless, the success rate of Algorithm 2.3 is still about 90% in this case. We think it is possible to modify our algorithms to work with increased parameter values. But the biggest concern here is that the protocol with increased parameter values might be not suitable for purposes of lightweight cryptography. References [1] I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography, Math. Res. Lett. 6 (1999), 287–291. [2] I.Anshel,M.Anshel,D.Goldfeld,S.Lemieux,”KeyAgreement,TheAlgebraicEraserTM,andLightweightCryp- tography”. In”AlgebraicMethods inCryptography”, ContemporaryMath.418(2006), 1–17. [3] D. Garber, S. Kaplan, M. Teicher, B. Tsaban, U. Vishne ”Length-based conjugacy search in the Braid group”, availableathttp://arxiv.org/abs/math.GR/0209267. [4] J. Hughes, A. Tannenbaum, ”Length-based attacks for certain group based encryption rewriting systems”. In: WorkshopSECI02Securit`edelaCommunicationsurIntenet, September 2002,Tunis,Tunisia. [5] A.G.Myasnikov,V.Shpilrain,A.Ushakov.A practical attack onsome braid group based cryptographic protocols. InCRYPTO2005,LectureNotesComp.Sc.3621(2005), 86-96. [6] A. D. Myasnikov, A. Ushakov. Length Based Attack and Braid Groups: Cryptanalysis of Anshel-Anshel-Goldfeld Key Exchange Protocol. T.OkamotoandX.Wang(Eds.): PKC2007,LNCS4450, 2007,768. CRYPTANALYSIS OF ANSHEL-ANSHEL-GOLDFELD-LEMIEUX KEY AGREEMENT PROTOCOL 9 Departmentof Mathematics,StevensInstituteof Technology,Hoboken, NJ 07030 E-mail address: [email protected] Departmentof Mathematics,StevensInstituteof Technology,Hoboken, NJ 07030 E-mail address: [email protected]

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users