2003
DOI: 10.1007/978-3-540-45146-4_13

A Polynomial Time Algorithm for the Braid Diffie-Hellman Conjugacy Problem

Abstract: We propose the first polynomial time algorithm for the braid Diffie-Hellman conjugacy problem (DHCP) on which the braid key exchange scheme and the braid encryption scheme are based [9]. We show the proposed method solves the DHCP for the image of braids under the Lawrence-Krammer representation and the solutions play the equivalent role of the original key for the DHCP of braids. Given a braid index n and a canonical length , the complexity is about O(n 14.4 3.2 ) or O(n 4τ +2 2 ) bit operations for…

Cited by 60 publications
(70 citation statements)
References 12 publications
“…There had already been partial (still exponential) attacks on the general conjugacy problem in braid groups (see for instance [7] for a survey). It turned out a specific polynomial time algorithm exists to attack the Diffie-Hellman assumption in braid groups [3]. The attack uses the property that braid group elements can be represented by invertible matrices over some (complicated) ring.…”
Section: Instantiations (mentioning)
confidence: 99%
“…As a consequence, when S is a group, the quadratic looking equation z = u z v with unknown (u, v) can be directly turned into a linear looking equation u z = z v with unknown (u = u −1 , v). Of course it is the case in braid groups, where one additionally has u = v. Then, representing braid group elements by matrices (see [3]), the linear looking equation is turned into a linear relation on matrices (over a ring), which can be solved as shown in [3]. Note that the attack may not solve the DH conjugacy problem.…”
Section: The Invertible Case (mentioning)
confidence: 99%
“…key agreement protocol or public key encryption) [24,9,21,22,23,13,2] and a few ways of analyses of attacks (e.g. deterministic or empirical) [3,10,17,12,11,16,7]. A natural question is how we can proceed one more step.…”
Section: Introduction (mentioning)
confidence: 99%