Polynomial-Time Solutions of Computational Problems in Noncommutative-Algebraic Cryptography

Abstract

We introduce the linear centralizer method, and use it to devise a provable polynomial-time solution of the Commutator Key Exchange Problem, the computational problem on which, in the passive adversary model, the security of the Anshel–Anshel–Goldfeld (Anshel et al., Math. Res. Lett. 6:287–291, 1999) Commutator key exchange protocol is based. We also apply this method to solve, in polynomial time, the computational problem underlying the Centralizer key exchange protocol, introduced by Shpilrain and Ushakov in (Contemp. Math. 418:161–167, 2006).

This is the first provable polynomial-time cryptanalysis of the Commutator key exchange protocol, hitherto the most important key exchange protocol in the realm of noncommutative algebraic cryptography, and the first cryptanalysis (of any kind) of the Centralizer key exchange protocol. Unlike earlier cryptanalyses of the Commutator key exchange protocol, our cryptanalyses cannot be foiled by changing the distributions used in the protocol.

1 Introduction

Since Diffie and Hellman’s 1976 key exchange protocol, few alternative proposals for key exchange protocols (KEPs) resisted cryptanalysis. This, together with the (presently, theoretical) issue that the Diffie–Hellman and other classic KEPs can be broken in polynomial time by quantum computers, is a strong motivation for searching for substantially different KEPs. Lattice-based KEPs [31] seem to be a viable potential alternative. All classic KEPs as well as the Lattice-based ones are based on commutative algebraic structures.

In 1999, Anshel, Anshel, and Goldfeld [2] (cf. [3]) introduced the Commutator KEP, a general method for constructing KEPs based on noncommutative algebraic structures. Around the same time, Ko, Lee, Cheon, Han, Kang, and Park [21] introduced the Braid Diffie–Hellman KEP, another general method achieving the same goal. The security of both KEPs is based on variations of the Conjugacy Search Problem: Given conjugate elements g,h in a noncommutative group, find x in that group such that x ⁻¹ gx=h. Both papers [2] and [21] proposed to use the braid group B _N , a finitely presented, infinite noncommutative group parameterized by a natural number N, as the platform group.

The introduction of the Commutator KEP and the Braid Diffie–Hellman KEP was followed by a stream of heuristic attacks (e.g., [11–13, 15–18, 24–27, 29, 30]),¹ demonstrating that these protocols, when using the two most simple distributions on the braid group B _N , are insecure. Consequently, a program was set forth, by several independent research groups, to find efficiently samplable distributions on the braid group that, when used with the above-mentioned protocols, foil all heuristic attacks (e.g., [1, 14, 22, 25]). The abstract of [14] concludes: “Proper choice … produces a key exchange scheme which is resistant to all known attacks”. Moreover, a very practical distribution is announced in [37], which foils the strongest known methods for solving the Conjugacy Search Problem in B _N .

Most of the mentioned heuristic attacks address the Commutator KEP, and not the Braid Diffie–Hellman KEP. The reason is that in 2003, Cheon and Jun published an expected polynomial-time cryptanalysis of the Braid Diffie–Hellman KEP, using a novel representation theoretic method [8]. In their paper, Cheon and Jun stress that their cryptanalysis does not apply to the Commutator KEP and that an extra ingredient is needed. Thus far, no expected polynomial-time attack was found on the Commutator KEP, whose success does not depend on the distributions used in the protocols.

The main result of the present paper is a Las Vegas, provable expected polynomial-time solution of the Commutator Key Exchange Problem (also referred to as the Anshel–Anshel–Goldfeld Problem [28, §15.1.2]), the computational problem underlying the Commutator KEP. This forms a cryptanalysis of the Commutator KEP [2], in the passive adversary model, which succeeds regardless of the distributions used to generate the keys.

The linear centralizer method, developed for our solution of the Commutator Key Exchange Problem, is applicable to additional computational problems and KEPs in the context of group theory-based cryptography. We present an application of these methods to the Centralizer KEP, introduced by Shpilrain and Ushakov in 2006 [35], to obtain an expected polynomial-time attack. This is the first cryptanalysis, of any kind, of the Centralizer KEP.

We stress that the cryptanalyses presented here, like the Cheon–Jun cryptanalysis, while of expected polynomial time, are impractical for standard values of N (e.g., N=100). These results are of theoretic nature. Ignoring logarithmic factors, the complexity of our cryptanalyses is about N ¹⁷, times a cubic polynomial in the other relevant parameters. Incidentally, though, these cryptanalyses establish the first provable practical attacks in the case where the index N of the braid group B _N is small, e.g., when N=8.

The paper is organized as follows. Section 2 introduces the Commutator KEP and the braid group. In Sect. 3, we eliminate a technical complexity theoretic obstacle. Section 4 applies a method of Cheon and Jun to reduce our problem to matrix groups over finite fields. Section 5 is the main ingredient of our cryptanalysis, presenting the new method and cryptanalyzing the Commutator KEP in matrix groups. This section is independent of the other sections and readers without prior knowledge of the braid group may wish to read it first. Section 6 fills a gap in our proof, by applying the Schwartz–Zippel Lemma to obtain a lower bound on the probability that certain random matrices are invertible. Section 7 is a cryptanalysis of the Centralizer KEP, using the methods introduced in the earlier sections. The Braid Diffie–Hellman KEP is introduced in Sect. 8, where we survey the Cheon–Jun cryptanalysis and explain why it does not apply to the Commutator KEP or to the Centralizer KEP. We also describe applications of the new methods to a generalized version of the Braid Diffie–Hellman KEP and to Stickel’s KEP. Some additional discussion is provided in Sect. 9.

2 The Commutator KEP and the Braid Group B _N

We will use, throughout, the following basic notation.

Notation 1

For a noncommutative group G and group elements g,x∈G, g ^x=x ⁻¹ gx, the conjugate of g by x.

Useful identities involving this notation that are easy to verify, include g ^xy=(g ^x)^y, and g ^c=g for every central element c∈G, that is, such that ch=hc for all h∈G.

The Commutator KEP [2] is described succinctly in Fig. 1.² In some detail:

1. 1.

   A noncommutative group G and elements a ₁,…,a _k ,b ₁,…,b _k ∈G are publicly given.³

2. 2.

   Alice and Bob choose free group words in the variables x ₁,…,x _k , v(x ₁,…,x _k ) and w(x ₁,…,x _k ), respectively.⁴

3. 3.

   Alice substitutes a ₁,…,a _k for x ₁,…,x _k , to obtain a secret element a=v(a ₁,…,a _k )∈G. Similarly, Bob computes b=w(b ₁,…,b _k )∈G.

4. 4.

   Alice sends the conjugated elements b ₁ ^a,…,b _k ^a to Bob, and Bob sends a ₁ ^b,…,a _k ^b to Alice.

5. 5.

   The shared key is the commutator a ⁻¹ b ⁻¹ ab.

As conjugation is a group isomorphism, we have

$$v\bigl({a_1}^b,\dots,{a_k}^b \bigr)=v({a_1},\dots,{a_k})^b=a^b=b^{-1}a b. $$

Thus, Alice can compute the shared key a ⁻¹ b ⁻¹ ab as a ⁻¹ v(a ₁ ^b,…,a _k ^b), using her secret a,v(x ₁,…,x _k ) and the public elements a ₁ ^b,…,a _k ^b. Similarly, Bob computes a ⁻¹ b ⁻¹ ab as w(b ₁ ^a,…,b _k ^a)⁻¹ b.

Fig. 1.

The commutator KEP.

For the platform group G, it is proposed in [2] to use the braid group B _N , a group parameterized by a natural number N. Elements of B _N are called braids, for they may be identified with braids on N strands. Braid group multiplication is motivated geometrically, but the details will play no role in the present paper. The interested reader will find detailed information on B _N in almost each of the papers in the bibliography and, in particular, in the survey [6], but prior knowledge is not necessary: we quote here the information needed for the present paper.

Let S _N be the symmetric group of permutations on N symbols. For our purposes, the braid group B _N is a group of elements of the form

$$(i,\mathbf{p}), $$

where i is an integer, and p is a finite (possibly, empty) sequence of elements of S _N , that is, p=(p ₁,…,p _ℓ ) for some ℓ≥0 and p ₁,…,p _ℓ ∈S _N . The sequence p=(p ₁,…,p _ℓ ) is requested to be left weighted (a property whose definition will not be used here), and p ₁ must not be the involution p(k)=N−k+1.⁵

For “generic” braids (i,(p ₁,…,p _ℓ ))∈B _N , i is negative and |i| is O(ℓ), but this is not always the case. Note that the bit-length of an element (i,(p ₁,…,p _ℓ ))∈B _N is O(log|i|+ℓNlogN).

Multiplication is defined on B _N by an algorithm of complexity O(ℓ ² NlogN+log|i|). Inversion is of linear complexity. Explicit implementations are provided, for example, in [7].

For a passive adversary to extract the shared key of the Commutator KEP out of the public information, it suffices to solve the following problem, also referred to as the Anshel–Anshel–Goldfeld Problem [28, §15.1.2].

Problem 2

(Commutator KEP Problem)

Let a ₁,…,a _k ,b ₁,…,b _k ∈B _N , each of the form (i,p) with p of length ≤ℓ. Let a be a product of at most m elements of {a ₁,…,a _k }^±1, and let b be a product of at most m elements of {b ₁,…,b _k }^±1.

Given \(a_{1},\dots,a_{k},b_{1},\dots,b_{k},a_{1}^{b},\dots,a_{k}^{b},b_{1}^{a},\dots ,b_{k}^{a}\), compute a ⁻¹ b ⁻¹ ab.

Our solution of Problem 2 consists of several ingredients.

3 Reducing the Infimum

The infimum of a braid b=(i,p) is the integer inf(b):=i. As the bit-length of b is O(log|i|+ℓNlogN), an algorithm polynomial in |i| would be at least exponential in the bit-length. We first remove this obstacle.

In cases where p is the empty sequence, we write (i) instead of (i,p). The properties of B _N include, among others, the following ones.

1. (a)

   (i)⋅(j,p)=(i+j,p) for all integers i and all (j,p)∈B _N .

   In particular, (i)=(1)ⁱ for all i.

2. (b)

   (2)⋅(i,p)=(i,p)⋅(2) for all for all (i,p)∈B _N .

Thus, (2j) is a central element of B _N for each integer j. If follows that, for each (i,p)∈B _N ,

$$(i,\mathbf{p}) = \bigl(i-(i \bmod2)\bigr)\cdot(i \bmod2,\mathbf{p}). $$

This way, every braid b∈B _N decomposes to a unique product \(c\tilde{b}\), where c is of the form (2j) (and thus central), and \(\inf(\tilde{b})\in\{0,1\}\).

Consider the public information in Fig. 1. For each j=1,…,k, decompose as above

$$\begin{aligned} a_j = & c_j\tilde{a}_j, \\ b_j = & d_j\tilde{b}_j, \end{aligned}$$

with c _j ,d _j central and \(\inf(\tilde{a}_{j}),\inf(\tilde{b}_{j})\in\{ 0,1\}\) for all j=1,…,k. Let

$$\begin{aligned} \tilde{a} = & v(\tilde{a}_1,\dots,\tilde{a}_k); \\ \tilde{b} = & w(\tilde{b}_1,\dots,\tilde{b}_k); \\ c = & v(c_1,\dots,c_k); \\ d = & w(d_1,\dots,\tilde{d}_k). \end{aligned}$$

As the elements c _j ,d _j are central, we have

$$\tilde{a} = v\bigl(c_1^{-1}a_1, \dots,c_k^{-1}a_k\bigr) = v \bigl(c_1^{-1},\dots ,c_k^{-1}\bigr) \cdot v(a_1,\dots, a_k) = c^{-1}a. $$

Similarly, \(\tilde{b}=d^{-1}b\). As c and d are central,

$$a_j^{\, b} = (c_j\tilde{a}_j)^b = c_j \tilde{a}_j^{\, b} = c_j \tilde{a}_j^{\, d\tilde{b}} = c_j\tilde{a}_j^{\, \tilde{b}} $$

for all j=1,…,k. Thus, \(\tilde{a}_{j}^{\tilde{b}}\) can be computed for all j. Similarly, \(\tilde{b}_{j}^{\, \tilde{a}}\) can be computed. Now,

$$a^{-1}b^{-1}ab = (c\tilde{a})^{-1}(d\tilde{b})^{-1}(c\tilde{a}) (d\tilde{b}) = \tilde{a}^{-1}c^{-1} \tilde{b}^{-1}d^{-1}c\tilde{a} d\tilde{b} = \tilde{a}^{-1}\tilde{b}^{-1}\tilde{a} \tilde{b}. $$

This shows that the Commutator KEP Problem is reducible, in linear time, to the same problem using \(\tilde{a}_{1},\dots,\tilde{a}_{k},\tilde{b}_{1},\dots,\tilde{b}_{k}\) instead of a ₁,…,a _k ,b ₁,…,b _k . Thus, we may assume that

$$\inf(a_1),\dots,\inf(a_k),\inf(b_1), \dots,\inf(b_k)\in\{0,1\} $$

to start with. Assume that henceforth.

For a braid x=(i,p), let ℓ(p) be the number of permutations in the sequence p. For integers i,s, let

$$[i,s]=\bigl\{ x\in{\mathbf{B}_N} : i\le\inf(x)\le\inf(x)+\ell(x) \le s\bigr\} . $$

We use the following basic facts about B _N :

1. 1.

   If x ₁∈[i ₁,s ₁] and x ₂∈[i ₂,s ₂], then x ₁ x ₂∈[i ₁+i ₂,s ₁+s ₂].

2. 2.

   If x∈[i,s], then x ⁻¹∈[−s,−i].

Thus, for each x∈{a ₁,…,a _k ,b ₁,…,b _k }^±1, x ^±1∈[−ℓ−1,ℓ+1], and therefore, in the notation of our problem, a,b∈[−m(ℓ+1),m(ℓ+1)]. Thus,

$$a^{-1}b^{-1}ab\in\bigl[-4m(\ell+1),4m(\ell+1)\bigr]. $$

Corollary 3

In the Commutator KEP Problem, a ⁻¹ b ⁻¹ ab∈[−4m(ℓ+1),4m(ℓ+1)].

4 Reducing to a Matrix Group over a Finite Field

In this section, we apply methods of Cheon and Jun [8] in our setting.

Let n be a natural number. As usual, we denote the algebra of all n×n matrices over a field \(\mathbb{F}\) by \(\operatorname {M}_{n}(\mathbb{F})\), and the group of invertible elements of this algebra by \(\operatorname {GL}_{n}(\mathbb{F})\). A matrix group is a subgroup of \(\operatorname{GL}_{n}(\mathbb{F})\). A faithful representation of a group G in \(\operatorname {GL}_{n}(\mathbb{F})\) is a group isomorphism from G onto a matrix group \(H\le\operatorname{GL}_{n}(\mathbb{F})\). A group is linear if it has a faithful representation.

Bigelow and, independently, Krammer, established in their breakthrough papers [5, 23] that the braid group B _N is linear, by proving that the so-called Lawrence–Krammer representation

$$\operatorname{LK}\colon{\mathbf{B}_N}\longrightarrow\operatorname {GL}_{\binom{N}{2}}\biggl(\mathbb{Z}\biggl[t^{\pm 1},\frac{1}{2} \biggr]\biggr), $$

whose dimension is

$$n:=\binom{N}{2}, $$

is injective.⁶ The Lawrence–Krammer representation of a braid can be computed in polynomial time.⁷ It is proved implicitly in [23], and explicitly in [8], that this representation is also invertible in (similar) polynomial time. The following result follows from Corollary 1 of [8].

Theorem 4

(Cheon–Jun [8])

Let x∈[i,s] in B _N . Let M≥max(|i|,|s|). Then:

1. 1.

   The degrees of t in \(\operatorname{LK}(x)\in\operatorname {GL}_{n}(\mathbb{Z}[t^{\pm1},\frac {1}{2}])\) are in {−M,−M+1,…,M}.

2. 2.

   The rational coefficients \(\frac{c}{2^{d}}\) in \(\operatorname {LK}(x)\) (c integer, d nonnegative integer) satisfy \(|c|\le2^{N^{2}M}, |d|\le2NM\).

In the notation of Theorem 4, Theorem 2 in Cheon–Jun [8] implies that inversion of \(\operatorname{LK}(x)\) is of order N ⁶logM multiplications of entries. Ignoring logarithmic factors and thus assuming that each entry multiplication costs NM⋅N ² M=N ³ M ², this accumulates to N ⁸ M ². We will invert the function \(\operatorname{LK}\) as part of our cryptanalysis below. However, the complexity of the other steps in our cryptanalysis (in particular, the linear centralizer step—Sect. 5) dominate the complexity of inverting \(\operatorname{LK}\).

Let us return to the Commutator KEP Problem 2. By Corollary 3,

$$K:=a^{-1}b^{-1}ab\in\bigl[-4m(\ell+1),4m(\ell+1)\bigr]. $$

Let M=4m(ℓ+1). By Theorem 4, we have

$$\bigl(2^{2NM}t^M\bigr)\cdot\operatorname{LK}(K)\in \operatorname{GL}_n\bigl(\mathbb{Z}[t]\bigr), $$

the absolute values of the coefficients in this matrix are bounded by \(2^{N^{2}(M+1)}\), and the maximal degree of t in this matrix is bounded by 2M.

Let p be a prime slightly greater than \(2^{N^{2}M}\), and f(t) be an irreducible polynomial over \(\mathbb{Z}_{p}\), of degree d slightly larger than 2M. Then

$$\bigl(2^{2NM}t^M\bigr)\cdot\operatorname{LK}(K)= \bigl(2^{2NM}t^M\bigr)\cdot\operatorname {LK}(K) \bmod \bigl(p, f(t)\bigr) \in\operatorname{GL}_{n}\bigl(\mathbb{Z}[t]/\bigl\langle p, f(t)\bigr\rangle \bigr), $$

under the natural identification of {−(p−1)/2,…,(p−1)/2} with {0,…,p−1}.

Let \(\mathbb{F}=\mathbb{Z}[t]/\langle p, f(t)\rangle= \mathbb {Z}[t^{\pm1},\frac {1}{2}]/\langle p, f(t)\rangle\). \(\mathbb{F}\) is a finite field of cardinality p ^d, where d is the degree of f(t). It follows that the complexity of field operations in \(\mathbb{F}\) is, up to logarithmic factors, of order

$$d^2\log p = O\bigl(M^3 N^2\bigr) = O \bigl(m^3\ell^3N^2\bigr). $$

Thus, the key K can be recovered as follows:

1. 1.

   Apply the composed function \(\operatorname{LK}(x) \bmod(p, f(t))\) to the input of the Commutator KEP Problem, to obtain a version of this problem in \(\operatorname{GL}_{n}(\mathbb{F})\).

2. 2.

   Solve the problem there, to obtain \(\operatorname{LK}(K) \bmod (p, f(t))\).

3. 3.

   Compute \((2^{2NM}t^{M})\cdot\operatorname{LK}(K) \bmod(p, f(t)) = (2^{2NM}t^{M})\cdot\operatorname{LK}(K)\).⁸

4. 4.

   Divide by (2^2NM t ^M) to obtain \(\operatorname{LK}(K)\).

5. 5.

   Compute K using the Cheon–Jun inversion algorithm.

It remains to devise a polynomial-time solution of the Commutator KEP Problem in arbitrary groups of matrices.

5 Linear Centralizers

In this section, we solve the Commutator KEP Problem in matrix groups. We first state the problem in a general form. As usual, for a group G and elements g ₁,…,g _k ∈G, 〈g ₁,…,g _k 〉 denotes the subgroup of G generated by g ₁,…,g _k . Throughout, we assume that the given groups are represented in an efficient way.

Problem 5

(Commutator KEP Problem)

Let G be a group. Let a ₁,…,a _k ,b ₁,…,b _k ∈G. Let a∈〈a ₁,…,a _k 〉,b∈〈b ₁,…,b _k 〉.

Given \(a_{1},\dots,a_{k},b_{1},\dots,b_{k},a_{1}^{b},\dots,a_{k}^{b},b_{1}^{a},\dots ,b_{k}^{a}\), compute a ⁻¹ b ⁻¹ ab.

We recall a classic definition.

Definition 6

Let \(S\subseteq\operatorname{M}_{n}(\mathbb{F})\) be a set. The centralizer of S (in \(\operatorname{M}_{n}(\mathbb{F})\)) is the set

$$C(S)=\bigl\{ c\in\operatorname{M}_n(\mathbb{F}) : cs = sc \mbox{ for all } s\in S\bigr\} . $$

For \(a_{1},\dots,a_{k}\in\operatorname{M}_{n}(\mathbb{F})\), C({a ₁,…,a _k }) is also denoted as C(a ₁,…,a _k ).

Basic properties of C(S) that are easy to verify, include:

1. 1.

   C(S) is a vector subspace (indeed, a matrix subalgebra) of \(\operatorname{M} _{n}(\mathbb{F})\).

2. 2.

   C(C(S))⊇S.

3. 3.

   \(C(S)=C(\operatorname{span}S)\).

4. 4.

   If \(S\subseteq\operatorname{GL}_{n}(\mathbb{F})\), then C(S)=C(〈S〉), where 〈S〉 is the subgroup of \(\operatorname{GL}_{n}(\mathbb {F})\) generated by S.

A key observation is the following one: Let V be a vector subspace of \(\operatorname{M}_{n}(\mathbb{F})\), and \(G\le\operatorname{GL}_{n}(\mathbb{F})\) be a matrix group such that V∩G is nonempty. It may be computationally infeasible to find an element in V∩G. However, it is easy to compute a basis for V∩U for any vector subspace U of \(\operatorname{M}_{n}(\mathbb{F})\). In particular, this is true for U=C(C(G)), which contains G. In certain cases, as the ones below, a “random” element in V∩C(C(G)) is as good as one in V∩G.

Algorithm 7 below addresses the Commutator KEP Problem in a matrix group \(G\le\operatorname{GL}_{n}(\mathbb{F})\). The analysis of this algorithm is based on the forthcoming Lemma 9, which shows that one can efficiently find an invertible matrix in a vector space of matrices containing at least one invertible matrix. To this end, we assume that \(|\mathbb{F}|/n\ge c>1\) for some constant c. In the above section, \(|\mathbb{F}|/n\) is at least exponential. Fix a finite set \(S\subseteq\mathbb{F}\) of cardinality greater than cn (the larger the better) that can be sampled efficiently. In the most important case, where \(\mathbb{F}\) is a finite field, take \(S=\mathbb{F}\). By random element of a vector subspace V of \(\operatorname {M}_{n}(\mathbb{F})\), with a prescribed basis {v ₁,…,v _d }, we mean a linear combination

$$\alpha_1 v_1+\cdots+\alpha_kv_k $$

with α ₁,…,α _k ∈S uniform, independently distributed.

It is natural to split the Commutator KEP Problem and the algorithm for solving it into an offline (preprocessing) phase and an online phase.

Algorithm 7

Offline phase:

1. 1.

   Input: b ₁,…,b _k ∈G.

2. 2.

   Execution:

   1. (a)

      Compute a basis S={s ₁,…,s _d } for C(b ₁,…,b _k ), by solving the following homogeneous system of linear equations in the n ² entries of the unknown matrix x:

      $$\begin{array}{rcl} b_1\cdot x & = & x\cdot b_1, \\ & \vdots\\ b_k\cdot x & = & x\cdot b_k. \end{array} $$
   2. (b)

      Compute a basis for C(S)=C(C(b ₁,…,b _k )), by solving the following homogeneous system of linear equations in the n ² entries of the unknown matrix x:

      $$\begin{array}{rcl} s_1\cdot x & = & x\cdot s_1, \\ & \vdots\\ s_d\cdot x & = & x\cdot s_d. \end{array} $$
3. 3.

   Output: A basis for C(C(b ₁,…,b _k )).

Online phase:

1. 1.

   Input: \(a_{1},\dots,a_{k},b_{1},\dots,b_{k},a_{1}^{b},\dots ,a_{k}^{b},b_{1}^{a},\dots,b_{k}^{a}\in G\), where a∈〈a ₁,…,a _k 〉, b∈〈b ₁,…,b _k 〉 are unknown.

2. 2.

   Execution:

   1. (a)

      Solve the following homogeneous system of linear equations in the n ² entries of the unknown matrix x:

      $$\begin{array}{rcl} b_1\cdot x & = & x\cdot{b_1}^{a}, \\ & \vdots\\ b_k\cdot x & = & x\cdot{b_k}^{a}. \end{array} $$
   2. (b)

      Fix a basis for the solution space, and pick random solutions x until x is invertible.

   3. (c)

      Solve the following homogeneous system of linear equations in the n ² entries of the unknown matrix y:

      $$\begin{array}{rcl} a_1\cdot y & = & y\cdot{a_1}^{b}, \\ & \vdots\\ a_k\cdot y & = & y\cdot{a_k}^{b}, \end{array} $$

      subject to the linear constraint that y∈C(C(b ₁,…,b _k )).

   4. (d)

      Fix a basis for the solution space, and pick random solutions y until y is invertible.

   5. (e)

      Output: x ⁻¹ y ⁻¹ xy.

Let ω be the matrix multiplication constant, that is, the minimal such that matrix multiplication is O(n ^ω+o(1)). For our applications, one may take ω=log₂7≈2.81. As usual, Las Vegas algorithm means an algorithm that always outputs the correct answer in finite time. For the proof of the following theorem, note that if g ^x=g ^y, then \(g^{xy^{-1}}=g\), or in other words, xy ⁻¹∈C(g). Finally, note that it does not make much sense to consider the case where k>n ², in which the matrices become linearly dependent and thus redundant.

Theorem 8

Assume that \(|\mathbb{F}|/n\ge c>1\) for some constant c, and k≤n ². Algorithm 7 is a Las Vegas algorithm for the Commutator KEP Problem, with running time, in units of field operations:

1. 1.

   Offline phase: O(n ^2ω+2).

2. 2.

   Online phase: O(kn ^2ω).

Proof

We use the notation of Algorithm 7. First, assume that the algorithm terminates. We prove that its output is a ⁻¹ b ⁻¹ ab.

$$x^{-1}y^{-1}xy = x^{-1}y^{-1}\bigl(x a^{-1}\bigr) ay. $$

The equations 2(a) in the online phase of Algorithm 7 assert that b _i ^x=b _i ^a for all i=1,…,k. Thus, xa ⁻¹∈C(b ₁,…,b _k ). As y∈C(C(b ₁,…,b _k )), y commutes with xa ⁻¹, and therefore so does y ⁻¹. Thus,

$$x^{-1}y^{-1}\bigl(x a^{-1}\bigr) ay = x^{-1}\bigl(xa^{-1}\bigr)y^{-1}ay = a^{-1}y^{-1}ay = a^{-1}a^y. $$

By the equations 2(c) in the online phase of Algorithm 7, a _i ^y=a _i ^b for all i=1,…,k. As a∈〈a ₁,…,a _k 〉, we have a ^y=a ^b. Indeed, let \(a=a_{i_{1}}^{\epsilon_{1}}\cdots a_{i_{m}}^{\epsilon_{m}}\). As conjugation is an isomorphism,

$$\begin{aligned} a^y =& \bigl(a_{i_1}^{\epsilon_1}\bigr)^y \cdots\bigl(a_{i_m}^{\epsilon_m}\bigr)^y = \bigl({a_{i_1}^y}\bigr)^{\epsilon_1}\cdots \bigl({a_{i_m}^y}\bigr)^{\epsilon_m} = \bigl({a_{i_1}^b}\bigr)^{\epsilon_1}\cdots \bigl({a_{i_m}^b}\bigr)^{\epsilon_m} \\ =& \bigl(a_{i_1}^{\epsilon_1}\bigr)^b\cdots \bigl(a_{i_m}^{\epsilon_m}\bigr)^b = a^b. \end{aligned}$$

Thus,

$$a^{-1}a^y=a^{-1}a^b = a^{-1}b^{-1}ab. $$

Thus, the algorithm returns the correct answer when it terminates. It remains to analyze the running time of the algorithm, which we do step-by-step.

Offline phase, Step 2(a): These are kn ² equations in n ² variables, and thus the running time is O(k(n ²)^ω)=O(kn ^2ω).

Offline phase, Step 2(b): As C(b ₁,…,b _k ) is a vector subspace of \(\operatorname {M}_{n}(\mathbb{F})\), its dimension d is at most n ². Thus, the running time of this step is O(n ²⋅n ^2ω)=O(n ^2ω+2).

Online phase, Step 2(a): The running time is O(kn ^2ω), as in Step 2(a) of the offline phase.

Online phase, Step 2(b): There is an invertible solution to the equations 2(a), namely: a. Thus, by the Invertibility Lemma (Lemma 9 below), the probability that a random solution is not invertible may be assumed arbitrarily close to \(n/|\mathbb{F}|\le1/c<1\). Thus, the expected number of random elements picked until an invertible one is found is constant. To generate one random element, one takes a linear combination of a basis of the solution space. If m is the dimension, then m≤n ² and the linear combination takes mn ²≤n ⁴ operations. Checking invertibility is faster. The total expected running time of this step is, therefore, O(n ⁴), and n ⁴≤n ^2ω.

Online phase, Step 2(c): Let {s ₁,…,s _m } be the basis computed in the offline phase. Then m≤n ². In the present step, one sets y=t ₁ s ₁+⋯+t _m s _m , with t ₁,…,t _m variables, and obtains kn ² equations in the m≤n ² variables t ₁,…,t _m . The complexity is \(O(\frac{kn^{2}}{m}m^{\omega})\), and \(\frac{kn^{2}}{m}m^{\omega}=kn^{2}\cdot m^{\omega-1}\le kn^{2\omega}\).

Online phase, Step 2(d): Using the same arguments as in Step 2(b), the running time of this step is O(n ^2ω). □

6 Finding an Invertible Solution when There Is One

The results in the previous section assume that we are able to find, efficiently, an invertible matrix in any subspace of \(\operatorname {M}_{n}(\mathbb{F})\) containing an invertible element. This is taken care of by the following Lemma.

Lemma 9

(Invertibility Lemma)

Let \(a_{1},\dots,a_{m}\in\operatorname{M}_{n}(\mathbb{F})\) be such that

$$\operatorname{span}\{a_1,\dots,a_m\}\cap \operatorname{GL}_n(\mathbb {F})\neq\emptyset. $$

Let S be a finite subset of \(\mathbb{F}\). If α ₁,…,α _m are chosen uniformly and independently from S, then the probability that α ₁ a ₁+⋯+α _m a _m is invertible is at least \(1-\frac{n}{|S|}\).

Proof

Let

$$f(t_1,\dots,t_m)=\det(t_1a_1+ \cdots+t_ma_m)\in\mathbb{F}[t_1, \dots,t_m], $$

where t ₁,…,t _m are scalar variables. This is a determinant of a matrix whose coefficients are linear in the variables. By the definition of determinant as a sum of products of n elements, f is a polynomial of degree n. As \(\operatorname{span}\{a_{1},\dots,a_{m}\}\cap\operatorname {GL}_{n}(\mathbb{F})\neq\emptyset\), f is nonzero.

The proof is completed by applying the Schwartz–Zippel Lemma (Lemma below). □

For the reader’s convenience, we include a proof for the following classic lemma.

Lemma 10

(Schwartz–Zippel)

Let \(f(t_{1},\dots,t_{m})\in\mathbb{F}[t_{1},\dots,t_{m}]\) be a nonzero multivariate polynomial of degree n. Let S be a finite subset of \(\mathbb{F}\). If α ₁,…,α _m are chosen uniformly and independently from S, then the probability that f(α ₁,…,α _m )≠0 is at least \(1-\frac{n}{|S|}\).

Proof

We prove the lemma by induction on m.

If m=1, then f is a univariate polynomial of degree n, and thus has at most n roots.

For the inductive step, assume that m>1 and write

$$\begin{aligned} f(t_1,\dots,t_m) =&f_0(t_2, \dots,t_m)+f_1(t_2,\dots ,t_m)t_1+f_2(t_2, \dots,t_m)t_1^2+\cdots \\ &{}+f_k(t_2, \dots,t_m)t_1^k, \end{aligned}$$

with k≤n maximal such that f _k (t ₂,…,t _m ) is nonzero. The degree of f _k (t ₂,…,t _k ) is at most m−k. For each choice of \(\alpha_{2},\dots,\alpha_{m}\in\mathbb{F}\) with f _k (α ₂,…,α _m )≠0, f(t ₁,α ₂,…,α _m ) is a univariate polynomial of degree k in the variable t ₁. By the induction hypothesis (for m=1), for random α ₁∈S, f(α ₁,α ₂,…,α _m ) is nonzero with probability at least 1−k/|S|. By the induction hypothesis,

$$\begin{aligned} &\operatorname{Pr} \bigl[f(\alpha_1,\dots, \alpha_m)\neq 0 \bigr] \\ & \quad \ge \operatorname{Pr} \bigl[f_k(\alpha_2,\dots, \alpha_m)\neq 0 \bigr]\cdot\operatorname{Pr} \bigl[f(\alpha _1,\dots,\alpha _m)\neq0\mid f_k( \alpha_2,\dots,\alpha_m)\neq 0 \bigr] \\ & \quad \ge \biggl(1-\frac{n-k}{|S|} \biggr) \biggl(1-\frac{k}{|S|} \biggr) \ge1-\frac{n}{|S|}.\end{aligned} $$

 □

7 Application to the Centralizer KEP

Definition 11

For a group G and an element g∈G, the centralizer of g in G is the set

$$C_G(g):=\{h\in G : gh=hg\}. $$

The Centralizer KEP, introduced by Shpilrain and Ushakov in 2006 [35], is described in Fig. 2. In this protocol, a ₁ commutes with b ₁ and a ₂ commutes with b ₂. Consequently, the keys computed by Alice and Bob are identical, and equal to a ₁ b ₁ ga ₂ b ₂.

Fig. 2.

The centralizer KEP.

As in the Commutator KEP, it is proposed in [35] to use the braid group B _N as the platform group G. The group elements are chosen in a special way, so as to foil attacks attempted at earlier braid group-based KEPs. We apply the methods developed in the previous sections to obtain an expected polynomial-time cryptanalysis of this KEP. We omit some details, which are similar to those in the earlier sections.

Problem 12

(Centralizer KEP Problem)

Assume that g,a ₁,b ₂∈B _N , \(g_{1},\dots,g_{k} \in C_{\mathbf{B}_{N}} (a_{1})\), \(h_{1},\dots,h_{k}\in C_{\mathbf{B}_{N}}(b_{2})\), each of the form (i,p) with p of length ≤ℓ. Let a ₂ be a product of at most m elements of {h ₁,…,h _k }^±1, and let b ₁ be a product of at most m elements of {g ₁,…,g _k }^±1.

Given g,g ₁,…,g _k ,h ₁,…,h _k ,a ₁ ga ₂,b ₁ gb ₂, compute a ₁ b ₁ ga ₂ b ₂.

7.1 Solving the Centralizer KEP Problem in Matrix Groups

For a group G, Z(G)=C _G (G) is the set of all central elements of G. Consider the variation of the Centralizer KEP Problem 12, where the group is \(G\le\operatorname{GL}_{n}(\mathbb{F})\) instead of B _N . The following variation of this problem is formally harder than this variation.⁹

Problem 13

Let \(G\le\operatorname{GL}_{n}(\mathbb{F})\). Assume that g,a ₁,b ₂∈G, g ₁,…,g _k ∈C _G (a ₁), h ₁,…,h _k ∈C _G (b ₂), a ₂∈〈{h ₁,…,h _k }∪Z(G)〉, and b ₁∈〈{g ₁,…,g _k }∪Z(G)〉.

Given g,g ₁,…,g _k ,h ₁,…,h _k ,a ₁ ga ₂,b ₁ gb ₂, compute a ₁ b ₁ ga ₂ b ₂.

Following is an algorithm for solving Problem 13. As before, for \(S\subseteq\operatorname{M}_{n}(\mathbb{F})\), C(S) (without subscript) is the centralizer of S in the matrix algebra \(\operatorname {M}_{n}(\mathbb{F})\).

Algorithm 14

1. 1.

   Input: g,g ₁,…,g _k ,h ₁,…,h _k ,a ₁ ga ₂,b ₁ gb ₂∈G.

2. 2.

   Execution:

   1. (a)

      Compute bases for the subspaces C(g ₁,…,g _k ), C(C(h ₁,…,h _k )) of \(\operatorname{M}_{n}(\mathbb{F})\).

   2. (b)

      Solve

      $$x\cdot g = a_1ga_2\cdot y $$

      subject to the linear constraints x∈C(g ₁,…,g _k ),y∈C(C(h ₁,…,h _k )).

   3. (c)

      Take random linear combinations of the basis of the solution space to obtain solutions (x,y), until y is invertible.

3. 3.

   Output: x⋅b ₁ gb ₂⋅y ⁻¹.

Theorem 15

Let \(G\le\operatorname{GL}_{n}(\mathbb{F})\). Assume that \(|\mathbb {F}|/n\ge c>1\) for some constant c, and k≤n ². Algorithm 14 is a Las Vegas algorithm for Problem 13, with running time, in units of field operations, O(n ^2ω+2).

Proof

The proof is similar to that of Theorem 8.

First, assume that the algorithm terminates. We prove that its output is a ₁ b ₁ ga ₂ b ₂. As x∈C(g ₁,…,g _k ) and b ₁∈〈g ₁,…,g _k 〉, x commutes with b ₁. As b ₂ commutes with h ₁,…,h _k , b ₂∈C(h ₁,…,h _k ). As y∈C(C(h ₁,…,h _k )), y commutes with b ₂, and therefore so does y ⁻¹. Thus,

$$xb_1gb_2y^{-1}= b_1xgy^{-1}b_2. $$

As xg=a ₁ ga ₂ y, xgy ⁻¹=a ₁ ga ₂. Thus,

$$b_1xgy^{-1}b_2 = b_1a_1ga_2b_2 = a_1b_1ga_2b_2. $$

The analysis of the running time of the algorithm is essentially identical to the analysis in Theorem 8. In Step 2(c), let

$$H=\bigl\{ (x,y)\in C(g_1,\dots,g_k)\times C \bigl(C(h_1,\dots,h_k)\bigr) : x\cdot g = a_1ga_2\cdot y\bigr\} $$

be the solution space, and let (x ₁,y ₁),…,(x _d ,y _d ) be a basis for H. As H is a subspace of \(\operatorname{M}_{n}(\mathbb{F})\times \operatorname{M}_{n}(\mathbb{F})\), d≤2n ². Let H ₂={y:(x,y)∈H}, the projection of H on the second coordinate. Then

$$H_2=\operatorname{span}\{y_1,\dots,y_d\}. $$

\((a_{1},a_{2}^{-1})\in H\), and thus \(a_{2}^{-1}\in H_{2}\). In particular, there is an invertible element in H ₂. By the Invertibility Lemma (Lemma 9), a random linear combination of y ₁,…,y _d is invertible with probability at least 1/c. The total expected running time of this step is, therefore, O(n ⁴), and n ⁴≤n ^2ω. □

7.2 Solving the Centralizer KEP Problem in the Braid Group

We now address Problem 12. We begin by reducing to the case where our braids have a restricted form.

In Sect. 3, we explained how each x∈B _N can be decomposed (in linear time) as \(x=c\tilde{x}\) with c central and inf(x)∈{0,1}.

We may assume that

$$\inf(g)\in\{0,1\}. $$

Indeed, assume that we have an algorithm solving the problem when inf(g)∈{0,1}. Write \(g=c\tilde{g}\) with c central and inf(g)∈{0,1}. Compute

$$\begin{aligned} c^{-1}a_1ga_2 = & a_1c^{-1}ga_2 = a_1\tilde{g}a_2; \\ c^{-1}b_1gb_2 = & b_1c^{-1}gb_2 = b_1\tilde{g}b_2. \end{aligned}$$

Apply the given algorithm to \(\tilde{g}, g_{1},\dots,g_{k},h_{1},\dots,h_{k}, a_{1}\tilde{g}a_{2},b_{1}\tilde{g}b_{2}\), to obtain \(a_{1}b_{1}\tilde{g}a_{2}b_{2}\). Multiply by c to obtain a ₁ b ₁ ga ₂ b ₂.

We may, in addition, assume that

$$\inf(g_1),\dots,\inf(g_k),\inf(h_1), \dots,\inf(h_k)\in\{0,1\}, $$

since when we apply Algorithm 14 in the image of our group in a matrix group, we have in Problem 13 that

$$\begin{aligned} \bigl\langle \{h_1,\dots,h_k\}\cup Z(G)\bigr\rangle = & \bigl\langle \{\tilde{h}_1,\dots,\tilde{h}_k\}\cup Z(G) \bigr\rangle ; \\ \bigl\langle \{g_1,\dots,g_k\}\cup Z(G)\bigr\rangle = & \bigl\langle \{\tilde{g}_1,\dots,\tilde{g}_k\}\cup Z(G) \bigr\rangle . \end{aligned}$$

As in Sect. 3, it follows that

$$a_2,b_1\in\bigl[-m(\ell+1),m(\ell+1)\bigr]. $$

Let u=a ₁ ga ₂ and v=b ₁ gb ₂. Decompose \(u=c\tilde{u}\) and \(v=d\tilde{v}\) with c,d central and \(\inf(\tilde{u}),\inf(\tilde{v})\in\{0,1\}\). As g∈[0,ℓ+1] and a ₁∈[inf(a ₁),inf(a ₁)+ℓ],

$$u=a_1ga_2\in\bigl[\inf(a_1), \inf(a_1)+(m+1) (\ell+1)+\ell\bigr], $$

and thus

$$\begin{aligned} a_1g\bigl(c^{-1}a_2\bigr) =& \tilde{u} \in \bigl[0,(m+1) (\ell+2)\bigr]; \\ c^{-1}a_1 =& \tilde{u} a_2^{-1}g^{-1} \in \bigl[-(m+1) (\ell+1),(m+1) (2\ell+3)\bigr]. \end{aligned}$$

Similarly,

$$\bigl(d^{-1}b_1\bigr)gb_2=\tilde{v}\in \bigl[0,(m+1) (\ell+2)\bigr]. $$

Finally,

$$\begin{aligned} K' :=&a_1\bigl(d^{-1}b_1 \bigr)gb_2\bigl(c^{-1}a_2\bigr) = a_1\tilde{v}\bigl(c^{-1}a_2\bigr) \\ =& \bigl(c^{-1} a_1\bigr) \tilde{v} a_2 \in \bigl[-(m+2) (\ell+1),(m+1) (4\ell+6)\bigr]. \end{aligned}$$

Let M=(m+2)(4ℓ+6). Continue as in Sect. 3.

By Theorem 4, we have

$$\bigl(2^{2NM}t^M\bigr)\cdot\operatorname{LK} \bigl(K'\bigr)\in\operatorname {GL}_n\bigl( \mathbb{Z}[t]\bigr), $$

the absolute values of the coefficients in this matrix are bounded by \(2^{N^{2}(M+1)}\), and the maximal degree of t in this matrix is bounded by 2M. Let p be a prime slightly greater than \(2^{N^{2}M}\), and f(t) be an irreducible polynomial over \(\mathbb{Z}_{p}\), of degree d slightly larger than 2M. Then

$$\bigl(2^{2NM}t^M\bigr)\cdot\operatorname{LK} \bigl(K'\bigr)=\bigl(2^{2NM}t^M\bigr)\cdot \operatorname{LK}\bigl(K'\bigr) \bmod\bigl(p, f(t)\bigr) \in \operatorname{GL}_{n}\bigl(\mathbb{Z}[t]/\bigl\langle p, f(t)\bigr\rangle \bigr), $$

under the natural identification of {−(p−1)/2,…,(p−1)/2} with {0,…,p−1}. Let \(\mathbb{F}=\mathbb{Z}[t]/\langle p, f(t)\rangle= \mathbb {Z}[t^{\pm1},\frac {1}{2}]/\langle p, f(t)\rangle\). \(\mathbb{F}\) is a finite field of cardinality p ^d, where d is the degree of f(t). It follows that the complexity of field operations in \(\mathbb{F}\) is, up to logarithmic factors, of order

$$d^2\log p = O\bigl(M^3 N^2\bigr) = O \bigl(m^3\ell^3N^2\bigr). $$

Thus, the key K can be recovered as follows:

1. 1.

   Apply the composed function \(\operatorname{LK}(x) \bmod(p, f(t))\) to

   $$g,g_1,\dots,g_k,h_1,\dots,h_k, \tilde{u}= a_1g\bigl(c^{-1} a_2 \bigr),\tilde{v}=\bigl(d^{-1}b_1\bigr)gb_2, $$

   to obtain an input to Problem 13.

2. 2.

   Solve the problem there, to obtain \(\operatorname{LK}(K') \bmod (p, f(t))\).

3. 3.

   Compute \((2^{2NM}t^{M})\cdot\operatorname{LK}(K') \bmod(p, f(t)) = (2^{2NM}t^{M})\cdot\operatorname{LK}(K')\).

4. 4.

   Divide by (2^2NM t ^M) to obtain \(\operatorname{LK}(K')\).

5. 5.

   Compute K′ using the Cheon–Jun inversion algorithm.

6. 6.

   Multiply by cd to obtain a ₁ b ₁ ga ₂ b ₂.

8 Further Applications

8.1 The Braid Diffie–Hellman KEP

Figure 3 illustrates the well known Diffie–Hellman KEP. Here, G is a cyclic group of prime order, generated by a group element g, and exponentiation denotes ordinary exponentiation.

Fig. 3.

The Diffie–Hellman KEP.

Interpreting exponentiation in noncommutative groups as conjugation leads to the Ko–Lee–Cheon–Han–Kang–Park Braid Diffie–Hellman KEP [21]. For subsets A,B of a group G, [A,B]=1 means that a and b commute, ab=ba, for all a∈A,b∈B. The Braid Diffie–Hellman KEP is illustrated in Fig. 4. Since, in the Braid Diffie–Hellman KEP, the subgroups A and B of G commute element-wise, the keys computed by Alice and Bob are identical. It is proposed in [21] to use Artin’s braid group B _N as the platform group G for the Braid Diffie–Hellman KEP, hence the term Braid in the name of this KEP.

Fig. 4.

The braid Diffie–Hellman KEP.

In the passive adversary model, the security of the Braid Diffie–Hellman KEP for a platform group G (Fig. 4) is captured by the following problem.

Problem 16

(Diffie–Hellman Conjugacy Problem)

Let A and B be subgroups of G with [A,B]=1, and let g∈G, be given. Given a pair (g ^a,g ^b) where a∈A and b∈B, find g ^ab.

The Cheon–Jun attack on the Braid Diffie–Hellman KEP [8] forms a solution to the Diffie–Hellman Conjugacy Problem in the case where G is the braid group B _N . Their solution can be described, roughly, as follows. Using the methods described in Sect. 4, the problem is reduced to the case where \(G\le\operatorname{GL}_{n}(\mathbb{F})\), a matrix group over a finite field. Since we are dealing with solutions that are supposed to work for all problem instances, this problem is not harder than that where \(G=\operatorname{GL}_{n}(\mathbb{F})\), the group of all invertible matrices in \(\operatorname{M}_{n}(\mathbb{F})\). However, the latter problem is easy: Assume that B=〈b ₁,…,b _k 〉≤G. Solve the system

$$\begin{aligned} x g^a = & gx, \\ x b_1 = & b_1x, \\ \vdots \\ xb_k = & b_kx \end{aligned}$$

of (k+1)n ² linear equations in the n ² entries of the unknown matrix x. There is an invertible solution to this system, namely, a. Now, any invertible solution \(\tilde{a}\) of this system can be used to compute g ^ab: By the first equation,

$$g^{\tilde{a}}=\tilde{a}^{-1}(g\tilde{a}) = \tilde{a}^{-1} \bigl(\tilde{a} g^a\bigr) = g^a. $$

By the remaining equations, \(\tilde{a}\) commutes with the generators of B, and consequently with all elements of B. Thus, we can compute

$$\bigl(g^b\bigr)^{\tilde{a}}=g^{b\tilde{a}} = g^{\tilde{a} b} = \bigl(g^{\tilde{a}}\bigr)^b = \bigl(g^a \bigr)^b=g^{ab}. $$

This essentially establishes that the Diffie–Hellman Conjugacy Problem in this scenario can be solved in time O(kn ^2ω).

Comparison with Our Approach

The reason why the above-mentioned approach of Cheon and Jun is not applicable, as is, to the Commutator KEP or to the Centralizer KEP is that, in either case, there is no prescribed set of generators with which it suffices that the solution commutes: In the Commutator KEP (Fig. 1) it is not clear that a has to commute with anything. In the Centralizer KEP (Fig. 2), we need a ₂ to commute with b ₂, but b ₂ is secret. The main ingredient in our solution, in both cases, is the replacement of membership in a subgroup with membership in the double centralizer (in the full matrix algebra) of that subgroup, and the observation that the latter is efficiently computable. In other words, instead of adding equations that guarantee that the solution commutes with prescribed elements, we enlarge the set of solutions by moving to the double centralizer, and prove the increase in the set of solutions is not too large.

The secondary ingredients of our approach also have something to contribute to the Cheon–Jun attack: First, in [8] the dependence of the complexity on the infimum i is exponential (in the bit-length of i). This can be eliminated using the infimum reduction methods of Sects. 3 and 7.2. Second, the fact that the solution to the above-mentioned system of equations is invertible with overwhelming probability is not proved in [8].¹⁰ This gap may be filled using the Invertibility Lemma (Lemma 9). Third, our approach may be used to push most of the work to the offline phase.

Theorem 17

Assume that \(|\mathbb{F}|/n\ge c>1\). The Diffie–Hellman Conjugacy Problem for a matrix group \(G\le \operatorname{GL} _{n}(\mathbb{F})\) and B=〈b ₁,…,b _k 〉 is solvable in O(kn ^2ω) offline time and O(n ^2ω) online Las Vegas time. More precisely, the running time of the online phase is O(n ^2ω), plus O(n ^ω) Las Vegas time.

Proof

Offline phase: Compute a basis for the centralizer C(B) in the matrix algebra \(\operatorname{M}_{n}(\mathbb{F})\), a solution space of a system of kn ² linear equations in the n ² entries of the variable matrix x. Since C(B) is a subspace of the vector space \(\operatorname {M}_{n}(\mathbb{F})\), its dimension d is at most n ². Let c ₁,…,c _d be a basis for C(B).

Online phase: Given g ^a, solve xg ^a=gx subject to x∈C(B), a linear system of n ² equations in d scalar variables. Let H be the solution space. Let \(h_{1},\dots,h_{\tilde{d}}\) be a basis for H. Then \(\tilde{d}\le d\).

There is an invertible element in H, namely: a. By the Invertibility Lemma (Lemma 9), if \(t_{1},\dots,t_{\tilde{d}}\) are chosen uniformly and independently from a large subset of \(\mathbb{F}\), then the matrix \(\tilde{a} = t_{1} h_{1}+\cdots+t_{\tilde{d}}h_{\tilde{d}}\) is invertible with probability at least 1/c. Having found such invertible \(\tilde{a}\), compute

$$g^{\tilde{a}}=\tilde{a}^{-1}(g\tilde{a}) = \tilde{a}^{-1} \bigl(\tilde{a} g^a\bigr) = g^a. $$

The running time of the online phase is O(n ^2ω), plus O(n ^ω) Las Vegas time for the expected constant number of n×n matrix inversions. □

Remark 18

In the complexity of the offline phase in Theorem 17, k can be taken to be the minimum among the number of generators of A and the number of generators of B, by exchanging the roles of A and B.

8.2 Double Coset KEPs

In 2001, Cha, Ko, Lee, Han and Cheon [7] proposed a variation of the Braid Diffie–Hellman KEP (Fig. 4). For this variation, Cheon and Jun [8] described a convincing variation of their attack. Another variation of this protocol was proposed in 2005, by Shpilrain and Ushakov [34]. Both variations, as well as the Braid Diffie–Hellman KEP, are special cases of the protocol illustrated in Fig. 5.

Fig. 5.

The double coset KEP.

The methods of Theorem 17 extend to the Double Coset KEP. Here too, the restriction to matrix groups is with no loss of generality, and we obtain an expected polynomial-time solution of the underlying problem in the braid group B _N .

Theorem 19

Assume that \(|\mathbb{F}|/n\ge c>1\). Let \(A_{1},A_{2},B_{1}=\langle b_{1},\dots,b_{k}\rangle,B_{2}=\langle b'_{1},\dots ,b'_{l}\rangle\le G\le\operatorname{GL}_{n}(\mathbb{F})\), with [A ₁,B ₁]=[A ₂,B ₂]=1, and g∈G. After an offline computation of complexity O((k+l)n ^2ω), one can, given a ₁ ga ₂,b ₁ gb ₂, compute a ₁ b ₁ ga ₂ b ₂ in time O(n ^2ω), plus O(n ^ω) Las Vegas time.

Proof

Offline phase: Compute a basis for the centralizers C(B ₁),C(B ₂) in the matrix algebra \(\operatorname{M}_{n}(\mathbb{F})\), by solving one system of kn ² linear equations in n ² variables, and another system of ln ² linear equations in n ² variables. Let \(c_{1},\dots,c_{d_{1}}\) be a basis for C(B ₁), and \(c'_{1},\dots ,c'_{d_{2}}\) be a basis for C(B ₂). d ₁,d ₂≤n ².

Online phase: Given a ₁ ga ₂, solve x(a ₁ ga ₂)=gy subject to x∈C(B ₁),y∈C(B ₂), a system of n ² equations in d ₁+d ₂≤2n ² scalar variables. Let H be the solution space,

$$H=\bigl\{ (x,y)\in C(B_1)\times C(B_2) : x(a_1ga_2) = gy\bigr\} , $$

and let (h ₁,g ₁),…,(h _d ,g _d ) be a basis for H. d≤d ₁+d ₂≤2n ².

Let H ₁={x:(xy)∈H} be the projection of H on the first coordinate. Then {h ₁,…,h _d } spans H ₁. There is an element (x,y)∈H with x (and y) invertible, namely: \((a_{1}^{-1},a_{2})\). Thus, there is an invertible element in H ₁. By Lemma 9, if t ₁,…,t _d are chosen uniformly and independently from a large subset of \(\mathbb{F}\), then the matrix x=t ₁ h ₁+⋯+t _d h _d is invertible with probability at least 1/c. Let \(\tilde{a}_{2}= t_{1} g_{1}+\cdots+t_{d}g_{d}\). Then \((x,\tilde{a}_{2})\in H\). Compute \(\tilde{a}_{1}=x^{-1}\). Then

$$\tilde{a}_1 g\tilde{a}_2=x^{-1}(g\tilde{a}_2) = x^{-1}(xa_1ga_2) = a_1ga_2. $$

As x∈C(B ₁), \(\tilde{a}_{1}\in C(B_{1})\). Compute

$$\tilde{a}_1 b_1gb_2\tilde{a}_2=b_1\tilde{a}_1 g\tilde{a}_2b_2= b_1 a_1 g a_2b_2=a_1b_1 g a_2b_2. $$

 □

An interesting further application is to Stickel’s KEP [36]. This KEP was cryptanalyzed by Shpilrain in [33], describing a heuristic cryptanalysis and supporting it by experimental results. Stickel’s KEP is a special case of the Double Coset KEP, where \(G=\operatorname{GL}_{n}(\mathbb{F})\), A ₁=B ₁=〈{a}∪Z(G)〉, and A ₂=B ₂=〈b〉 (a,b public). By Theorem 19, Shpilrain’s cryptanalysis can be turned into a provable Las Vegas algorithm that runs in expected polynomial time, i.e., one supported by a rigorous mathematical proof. In particular, in this way, it is guaranteed that changing the distributions according to which the protocol chooses the involved group elements would not defeat the mentioned polynomial-time cryptanalysis.

9 Additional Comments

Ignoring logarithmic factors, the overall complexity of the algorithms presented here is n ^2ω+2=N ^4ω+4 field operations that are of complexity m ³ ℓ ³ N ². Thus, the complexity of our algorithms is

$$N^{4\omega+6} m^3\ell^3, $$

ignoring logarithmic factors. While polynomial, this complexity is practical only for braid groups of small index N. However, these algorithms constitute the first provable polynomial-time cryptanalyses of the Commutator KEP and of the Centralizer KEP.

The main novelty of our approach lies in the usage of linear centralizers (and double centralizers). However, also the secondary ingredients of our analysis may be of interest. In particular, we have shown that the Invertibility Lemma can be used to turn the Cheon–Jun cryptanalysis of the Braid Diffie–Hellman KEP [8] and the Shpilrain cryptanalysis of Stickel’s KEP [33] into provable Las Vegas algorithm that runs in expected polynomial time, and that the infimum reduction method can be applied to the Cheon–Jun attack to eliminate the exponential dependence on the bit-length of the infimum.

The major challenge is to reduce the degree of N in the polynomial-time cryptanalyses. By Chinese Remaindering or p-adic lifting methods, it may be possible to reduce the complexity contributed by the field operations. Apparently, this may reduce the power of N by 1. It should be possible to make sure that the Invertibility Lemma is still applicable when these methods are used. Much of the complexity comes from the Lawrence–Krammer representation having dimension quadratic in N. Unfortunately, it is conjectured that there are no faithful representations of B _N of smaller dimension. A more careful analysis of the Lawrence–Krammer representation may yield finer estimates. However, it does not seem that any of these directions would make the attacks practical for, say, N=100.

One may wonder whether, from the complexity theoretic point of view, this paper may be the end of braid-based cryptography. Our belief is that this is not the case. For example, consider Kurt’s Triple Decomposition KEP [28, 4.2.5], described in Fig. 6. In this figure, an edge between two subgroups means that these subgroups commute element-wise. This ensures that the keys computed by Alice and Bob are both equal to ab ₁ a ₁ b ₂ a ₂ b.

Fig. 6.

The triple decomposition KEP.

We do not, at present, know whether the Triple Decomposition KEP can be cryptanalyzed using the methods presented here, or whether there is a provable, efficient cryptanalysis at all. Additional KEPs to which the present methods do not seem to be applicable are introduced by Kalka in [19] and [20]. There are additional types of braid-based schemes (e.g., authentication schemes) that cannot be attacked using the methods presented here. Some examples are reviewed in the monograph [28].

Changing the platform group in any of the studied KEPs is a very interesting option. There are efficiently implementable, infinite groups with no faithful representations as matrix groups (e.g., the braided Thompson group).¹¹