We give a systematic exposition of memory-length algorithms for solving equations in noncommutative groups. This exposition clarifies some points left untouched in earlier expositions. We then focus on the main ingredient in these attacks: length functions.
After a self-contained introduction to Garside groups, we describe length functions induced by the greedy normal form and by the rational normal form in these groups, and compare their worst-case performances.
Our main concern is Artin’s braid groups, with their two known Garside presentations, due to Artin and to Birman-Ko-Lee (BKL). We show that in B_3 equipped with the BKL presentation, the (efficiently computable) rational normal form of each element is a geodesic, i.e., a representative of minimal length for that element. (For Artin’s presentation of B_3, Berger supplied in 1994 a method to obtain geodesic representatives.)
For arbitrary B_N, finding the geodesic length of an element is NP-hard, by a 1991 result of Paterson and Razborov. We show that the length of an element’s rational normal form in the BKL presentation is a good estimate of its geodesic length in Artin’s presentation of B_N. This is proved theoretically for the worst case, and experimental evidence is provided for the generic case.
Mathematics Subject Classification (2000)
Keywords: Random equations, Garside groups, length functions, braid group, Artin presentation, Birman-Ko-Lee presentation, minimal length, geodesics
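The abstract contrasts the length induced by a normal form with the true geodesic length. As an added illustration (not code from the paper, and not its algorithms), the Python below works in the smallest case it discusses, B_3 with the BKL presentation: it computes the greedy normal form delta^k s_1 ... s_m, the length that form induces, and, by exhaustive enumeration of short words, the geodesic length. Assumptions of this example: the encoding a = a_21, b = a_32, c = a_31 (capital letters for inverses), the BKL relations ba = ac = cb = delta for n = 3, and the convention that delta counts as two generators. The rational normal form is not implemented here.

```python
"""Greedy normal form, its induced length, and brute-force geodesic length in the
braid group B_3 with the Birman-Ko-Lee (BKL) presentation.

Added illustration; not code from the paper.  Encoding (an assumption of this
example): a = a_21, b = a_32, c = a_31, and A, B, C are their inverses.
BKL relations for n = 3:   b a = a c = c b = delta   (delta = Garside element).
The simple elements are 1, a, b, c, delta, so the greedy normal form of any
element is delta^k s_1 ... s_m with each s_i in {a, b, c} and no adjacent pair
s_i s_{i+1} equal to delta.
"""
from __future__ import annotations

from functools import lru_cache
from itertools import product

DELTA_PAIRS = {"ba", "ac", "cb"}              # atom pairs whose product is delta
TAU = {"a": "b", "b": "c", "c": "a"}          # tau(x) = delta^-1 x delta, so x delta = delta tau(x)
TAU_INV = {"a": "c", "b": "a", "c": "b"}      # delta x delta^-1, so x delta^-1 = delta^-1 tau_inv(x)
COMPLEMENT = {"a": "b", "b": "c", "c": "a"}   # x^-1 = delta^-1 COMPLEMENT[x]  (from ba = cb = ac = delta)
LETTERS = "abcABC"


def normal_form(word: str) -> tuple[int, str]:
    """Return (k, w) with word = delta^k * w and w a left-weighted positive word.

    The pair (k, w) is unique, so it solves the word problem in B_3 (BKL).
    """
    k = 0
    positive: list[str] = []
    for ch in word:
        if ch in "abc":
            positive.append(ch)
        elif ch in "ABC":
            # x^-1 = delta^-1 * complement; pull that delta^-1 to the far left,
            # conjugating every atom it passes: y delta^-1 = delta^-1 tau_inv(y).
            positive = [TAU_INV[y] for y in positive]
            k -= 1
            positive.append(COMPLEMENT[ch.lower()])
        else:
            raise ValueError(f"unknown letter {ch!r}")
    # Absorb each adjacent pair that equals delta into the power, moving delta
    # left past the prefix u:  u (x y) v = u delta v = delta tau(u) v.
    changed = True
    while changed:
        changed = False
        for i in range(len(positive) - 1):
            if positive[i] + positive[i + 1] in DELTA_PAIRS:
                positive = [TAU[y] for y in positive[:i]] + positive[i + 2:]
                k += 1
                changed = True
                break
    return k, "".join(positive)


def greedy_length(word: str) -> int:
    """Length induced by the greedy normal form: 2|k| + m, counting delta = b a
    as two generators (a convention assumed here)."""
    k, w = normal_form(word)
    return 2 * abs(k) + len(w)


@lru_cache(maxsize=None)
def geodesic_table(max_len: int) -> dict[tuple[int, str], int]:
    """Geodesic length of every element reachable by a word of length <= max_len,
    found by exhaustive enumeration with normal_form() as the canonical key."""
    table: dict[tuple[int, str], int] = {}
    for n in range(max_len + 1):              # increasing n: first hit is shortest
        for letters in product(LETTERS, repeat=n):
            table.setdefault(normal_form("".join(letters)), n)
    return table


def geodesic_length(word: str, max_len: int = 6) -> int:
    """True minimal word length of the element, for elements within max_len."""
    key = normal_form(word)
    table = geodesic_table(max_len)
    if key not in table:
        raise ValueError(f"{word!r} needs more than {max_len} generators")
    return table[key]


if __name__ == "__main__":
    for w in ["ba", "ac", "cb", "aba", "bab", "aA", "A", "aB"]:
        k, nf = normal_form(w)
        print(f"{w:4} -> delta^{k} * {nf!r:6} "
              f"greedy={greedy_length(w)} geodesic={geodesic_length(w)}")
```

Running it shows why the induced length is only an estimate: a single inverse generator such as a^{-1} has greedy normal form delta^{-1} b, so the greedy length is 3 while the geodesic length is 1, and a b^{-1} normalizes to delta^{-1} c c (greedy length 4, geodesic length 2). For positive elements such as delta = b a or a b a the two lengths agree. The enumeration is only feasible for B_3 and short words; the abstract's point is precisely that for general B_N no efficient exact method is expected, which is why a computable normal-form length that provably tracks the geodesic length matters.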