Cryptographic Primitives in Artin Groups of Finite Type


Neel Kurupassery, Duke University (Durham, NC)

An honors thesis submitted to the Department of Mathematics as the culmination of independent research under Professor Michael Abel.

Abstract

Braid groups can be viewed as the Coxeter group $A_n$ without the relations of type $s_i^2 = 1$. Substituting another Coxeter group results in a different Artin group with distinct relations. Due to the rising importance of non-commutative cryptography, we explore these generalized braid groups for potential cryptographic viability. This paper explores potential cryptographic applications, building up from the prerequisite fundamentals of Coxeter and braid theory. We implement cryptographic primitives on generalized braid groups associated with finite irreducible and affine Coxeter systems and quantify the results. More specifically, we perform length analysis of keys in input versus output, quantify reducibility based on the Coxeter graph and word length, and analyze disparities in the results for different Artin groups. We then discuss potential attacks and further findings. Lastly, we outline possible directions for future research.

Acknowledgements

I would like to thank Professor Michael Abel for his invaluable mentorship and guidance over the past year, during which I have undergone tremendous growth as a mathematician. I thank Professor Leonard Ng for his helpful comments on this draft, as well as Professors Leslie Saper and David Kraines for their help in my mathematical pursuits.

Contents

1. Introduction
   Public-Key Cryptography
   Non-commutative Cryptography
   Artin's Braid Group
   Connection to Knot Theory
   Pure braids and the Center of $B_n$
   Coxeter Groups
   Coxeter Graph
   Visualization
   Fundamental Properties of Words in Coxeter Groups
   Artin Groups of Finite Type
2. Methods and Primitives
   Word Problem and Normal Form
   Selection of Commuting Subgroups
   Transformation of the Coxeter matrix $m$ to a Vector
   Methods
   Addition (Conjugation)
   Triple Conjugation ($b = rst$, where $[R, T] = 1$)
   Cryptographic Primitives on $B(W)$
   Conjugacy Search Problem
   Protocol
   Simultaneous Conjugacy Search Problem
   Shift Conjugacy Problem
   Triple Decomposition Problem
   Protocol
   Root Extraction Problem
   Protocol
3. Analysis and Attacks
   Preliminary Security
   Subsequence Attack
   Length Analysis
   Reduction Efficiency
   Intermediate reductions when calculating $a^k$
   Prediction of the length of $v$ in $vuv^{-1}$
   Prediction of the length of $u^k$ for large $k$
   Relationship between $l(u)$ and $k$ in $l(u^k)$
   Viability of Shift Conjugacy in $B(W)$
   Promising families of $B(W)$
   Analog to Burau Matrices for Artin Groups
   Random Attack and Brute Force Attack
   Collision Attack
   Further Questions
A. Data Tables 32
Bibliography 39
List of figures 41
List of tables 43

Chapter 1. Introduction

1.1. Public-Key Cryptography

When sending any information over the Internet, it is transmitted from one's computer in data packets across a network. As a consequence, this data is easily intercepted. Packet sniffers, for instance, allow interception of data packets, and software for this purpose is so widely available that one can intercept local network data with an Android phone by downloading a free application from the Google Play Store [1]. Considering the ample opportunity for data interception between sender and receiver, it is wise to assume interception. That is, we consider the Internet to be an insecure channel through which we wish to send information that is unusable by anyone other than the intended recipient. For this purpose we use cryptographic primitives, which obfuscate the data. Consider the Caesar cipher, where one shifts each letter of a message by some fixed amount; the output is called the ciphertext. Constructing the ciphertext is very fast. To be more specific, since the letter-shifting algorithm only requires addition on the integers, it has time complexity $O(n \log n)$. This means that given arbitrary messages of $n$ bits, as $n$ increases, the entire ciphertext can be constructed in a time that scales proportionally to $n \log n$ (in contrast to $n^k$, $e^n$, or $n!$). However, the difficulty of decryption lies in not knowing what shift occurred. So once a third party intercepts the message and tries each distinct shift, it will take at most 25 tries to discover the message, which one can do on paper during a lunch break. Therefore, the Caesar cipher is an insecure method. Similarly, random substitution of letters is insecure against frequency attacks, since languages use some letters more than others, and the appearance of one letter often helps us predict the next (we quantify this redundancy in language as entropy in information theory).

But as it turns out, if we alter each message letter $m_i$ by a random shift $x_i$, our ciphertext $c_i = m_i + x_i$ is provably secure. That is because random shifts can turn any message of length $N$ into any other message of length $N$. For instance, the encrypted message aaaaaa could have originally been yellow or orange, and there exists a sequence of $x_i$ for each, converting it to the unrecognizable aaaaaa. Without knowing enough about the shifts $x_i$ (the key), one cannot hope to discover the original sequence. Since computing is in binary, in practice we first convert to binary, and for the resulting binary sequence, each $m_i$ (0 or 1) in the plaintext is either shifted ($x_i = 1$) or kept the same ($x_i = 0$), such that $m_i + x_i = c_i \pmod 2$. In essence, a random subset of the binary $m_i$ undergo shifts. If we perform the exact same random shift twice, then the shifted characters return to their original value, and we again have our plaintext. That is, $c_i + x_i = m_i \pmod 2$. This addition operation in binary is termed the exclusive-or, or xor, function, with symbol $\oplus$, meaning that our relations are more commonly written as $m_i = c_i \oplus x_i$ and $c_i = m_i \oplus x_i$ for all $i \in \{1, 2, \dots, N\}$, where $N$ is the length of the message. One notes that the key $X$, which is the concatenation of all $x_i$, is the same for encrypting and decrypting the message in this protocol. We consider such protocols to be symmetric. Cases in which the encryption key is different from the decryption key are asymmetric. One also notes that $X$ is the same length as the message itself. Then to send a message the size of a book, one requires a key the size of the book, and the recipient must have the exact same book-sized key. Moreover, such a key can only be used once, or it too becomes vulnerable to frequency attacks. The solution to key size is to use a pseudorandom number generator (PRNG), which is a function that takes in a much smaller key and outputs a longer, statistically random sequence of numbers. Then, assuming we can transmit a very small key (relative to the message) securely, both parties can generate the long pseudorandom sequence that is xor-ed with the plaintext, and we have established secure communication. Moreover, because the symmetric protocol simply xors bits, it is very fast. The modern AES (Advanced Encryption Standard) and its predecessor DES (Data Encryption Standard) are examples of such protocols. They take a key and use substitutions and permutations to introduce confusion and diffusion respectively. That is, these protocols include many steps, and small changes in the input are not statistically distinguishable in the output from large changes. In essence, they use a PRNG to turn small keys into much longer pseudorandom strings that are subsequently xor-ed with the plaintext. Now only one problem remains, and that is the exchange of the initial key. We need a method that allows for secure exchange of a key over an insecure channel, i.e. a key-exchange protocol. For this purpose, we use asymmetric primitives. They rely on one-way functions centered on hard problems, which in cryptography means that testing all possible inputs (the brute-force attack), while using all available computing power, takes much longer than the age of the universe; an actual one-way function would prove P $\ne$ NP. These functions have a trapdoor, which is an ambiguous term describing useful mathematical properties of these primitives. Despite their resistance to pure brute force, it is often these same trapdoors that provide avenues for attack, allowing for brute force on a subset of the key space. One asymmetric primitive is the factorization of large numbers created from the multiplication of two primes. For example, RSA-2048 of the RSA Factoring Challenge of 1991 is a large number unlikely to be factored for many decades to come, despite being small enough to write on paper (617 digits) [2]. This primitive is the basis for the Rivest-Shamir-Adleman protocol (RSA). Elliptic Curve Cryptography (ECC) has higher computational complexity than RSA ($O(n^3)$ vs $O(\log(n)^3)$), but requires much shorter key sizes to be effective (256 bits vs 2048 bits). ECC relies on a finite field of numbers, with an addition operation based on intersecting lines with elliptic curves. Both of these protocols are commutative in that they exist in fields $F$ where $ab = ba$ for all $a, b \in F$. However, Shor's algorithm uses the quantum Fourier transform to find the period of the function $f(x) = a^x \pmod p$, which is equivalent to finding $(n-1)(m-1)$, where $p = nm$, breaking RSA in cubic time ($O(n^3)$). It solves the abelian hidden subgroup problem, which also underlies elliptic curve scalar addition. It is the ability to determine global characteristics of a function with discrete inputs and outputs that makes quantum computing dangerous to current cryptographic protocols. Quantum annealing, which can be used to find the global minimum of a function, also breaks RSA.
Both Shor's algorithm and quantum annealing require the use of a quantum computer with a large number of qubits, and they rely on quantum mechanics to superimpose all outputs for all inputs simultaneously while unobserved, allowing one to indirectly determine characteristics of the function (using the quantum Fourier transform), such as its period. Quantum computers currently exist with only a small number of qubits, and in 2012 one was used to factor a small integer [3]. The potential realization of quantum computing on a larger scale has motivated advances in primitives on non-abelian algebraic structures, an area of research termed non-commutative cryptography.

Non-commutative Cryptography

Non-commutative cryptography has no known polynomial-time quantum algorithms. Moreover, Artin groups such as Artin's braid group $B_n$ have no non-trivial finite subgroups. Then even the available non-polynomial-time quantum attacks on non-commutative finite subgroups do not apply [4]. It is on braid groups that the vast majority of non-commutative protocols act.

Artin's Braid Group

The Artin braid group $B_n$ is the group generated by the $n-1$ generators $\sigma_1, \sigma_2, \dots, \sigma_{n-1}$ and the following braid relations: (i) $\sigma_i \sigma_j = \sigma_j \sigma_i$ for $|i - j| \ge 2$, and (ii) $\sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1}$ for $i = 1, 2, \dots, n-2$.

Theorem. For $n \ge 3$, $B_n$ is non-abelian.

Proof. Consider the homomorphism $\varphi$ from $B_n$ to $S_n$, where $\varphi(\sigma_i) = s_i = \varphi(\sigma_i^{-1})$. Suppose we have an arbitrary braid $b \in B_n$. We can write $b$ as a concatenation of generators $\sigma_i \cdots \sigma_j$. Then $\varphi(b) = \varphi(\sigma_i \cdots \sigma_j) = \varphi(\sigma_i) \cdots \varphi(\sigma_j) \in S_n$. Since $s_1 s_2 \ne s_2 s_1$ in $S_n$, it follows that $\sigma_1 \sigma_2 \ne \sigma_2 \sigma_1$ in $B_n$, and therefore $B_n$ is non-abelian for $n \ge 3$.

We visualize Artin's braid group as $n$ ordered, parallel strands, where $\sigma_i$ corresponds to the crossing of strand $i$ over strand $i+1$, whereas $\sigma_i^{-1}$ corresponds to the crossing of strand $i$ under strand $i+1$, as shown in figure 1.1.

Figure 1.1.: Visual representation of braid generators.

We consider braid multiplication between braids $b_1, b_2 \in B_n$ to be the concatenation of their generator sequences, visualized in figure 1.2.

Figure 1.2.: Visual representation of braid multiplication.

We consider braids without any inverse generators $\sigma_i^{-1}$ to be positive, such as the braid depicted in figure 1.3. Positive braids are examples of braids of minimal length, as no equivalent representation exists with fewer generators.

Figure 1.3.: A randomly generated positive braid in B.

Connection to Knot Theory

The closure of a braid is formed by connecting the starts and ends of the strands such that they form a knot. For instance, if the first strand ends in the fourth position, the bottom of that strand is connected to the top of the fourth strand, which in turn ends at some position $n$ and is subsequently connected to the top of strand $n$. When one reaches the starting point, one restarts with any remaining unconnected strands, until all strands are connected. The resulting curves form a knot or link, an example of which is shown in figure 1.4.

Figure 1.4.: The closure of $\sigma_1 \sigma_1 \sigma_1 \in B_n$ to form the trefoil ([5], [6]).

Alexander's Theorem proves that any knot or link is isotopic to a closed braid, allowing problems involving knots or links to be considered on braids and vice versa. Consequently, the Reidemeister moves for knots, enacted on braids, yield the braid relations. From Reidemeister move II we find that $\sigma_i \sigma_i^{-1} = 1$, and from move III that $\sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1}$ for $i = 1, 2, \dots, n-2$. Reidemeister move I violates the directionality of braids, but we can view it as appending $\sigma_n^{\pm 1}$ to a braid, as shown in figure 1.5. While braids under this operation are not equivalent in $B_n$, we consider them to be Markov equivalent; that is, appending $\sigma_n^{\pm 1}$ to the braid and including a new strand before closing gives an isotopic link.

Figure 1.5.: The Markov equivalence of $\sigma_1 \sigma_1 \sigma_1$ to $\sigma_1 \sigma_1 \sigma_1 \sigma_2^{-1}$.

Pure braids and the Center of $B_n$

Any braid where the starting and end positions of all strands remain unchanged is classified as a pure braid, which for our purposes has some resistance against attacks where the braid is projected onto $S_n$. Consider the center of $B_n$, the subgroup whose elements commute with all others. Elements of this subgroup must necessarily be pure braids, as realized by projection onto $S_n$.

Theorem. If $n \ge 3$, then $Z(B_n) = Z(P_n)$ is an infinite cyclic group generated by $\theta_n = \Delta_n^2$, where $\Delta_n = (\sigma_1 \sigma_2 \cdots \sigma_{n-1})(\sigma_1 \sigma_2 \cdots \sigma_{n-2}) \cdots (\sigma_1 \sigma_2) \sigma_1 \in B_n$.

Proof. This is proved in Kassel, pg. 23 [7].

Then $\theta_n$, aptly termed the full twist, commutes with all the generators of $B_n$. That is, $\sigma_i \theta_n = \sigma_i \Delta_n \Delta_n = \Delta_n \sigma_{n-i} \Delta_n = \Delta_n \Delta_n \sigma_i = \theta_n \sigma_i$.

Figure 1.6.: The half-twist $\Delta_n$, where $n = 4$.

Ultimately it is through the use of $\Delta_n$, the half-twist, that one can construct a normal form for every element of $B_n$ in polynomial time. It turns out that it is possible to construct a normal form with a similar element for any generalized braid group of finite type. However, to generalize $B_n$ we first introduce Coxeter groups.

Coxeter Groups

Given any non-empty set $S$, a matrix $m : S \times S \to \{1, 2, \dots, \infty\}$ is classified as a Coxeter matrix if (i) $m(s, s') = m(s', s)$ and (ii) $m(s, s') = 1$ if and only if $s = s'$. The Coxeter matrix $m$ determines a Coxeter group $W$ with presentation:

$\langle S \mid (ss')^{m(s,s')} = e \ \ \forall (s, s') \in S \times S \rangle$

Starting with the relation $(ss')^{m(s,s')} = e$, we can expand the expression such that $(ss')^{m(s,s')} = ss'ss' \cdots = (ss' \cdots)(s's \cdots)^{-1} = e$. Then $ss' \cdots = s's \cdots$, where there are $m(s, s')$ generators on each side. In the case of $m(s, s') = 2$, the resulting relation is $ss' = s's$, meaning $s$ and $s'$ commute. For every element $w \in W$, the word form of $w$ is any representation of $w$ by its generators, $w = s_i \cdots s_j$. Consequently we quantify the unreduced length of a word $w$ by the number of generators $s_i \cdots s_j$ in its word form.

Coxeter Graph

For each Coxeter matrix we can create a weighted adjacency graph whose nodes are the index set $S$ and whose edges are determined by $m(i, j) \ge 3$, where indices 4 and above are labeled. The finite Coxeter groups have the graphs shown in figure 1.7.

Figure 1.7.: Coxeter graphs for $W$ of finite type.

Visualization

In figure 1.8, we show a visualization of the Coxeter group $A_3$ as a system of lines. Consecutive reflections across the same line reduce to the identity, and reflections across multiple lines yield the relations in the Coxeter graph. Similarly, for any Coxeter group of finite type, we can view each element as a series of reflections. To be specific, any Coxeter group of finite type can be represented as a system of hyperplanes [8]. In particular, the families $A_n$, $B_n$, $D_n$, $E_6$, $E_7$, $E_8$, $F_4$, and $G_2$ are Weyl groups, subgroups of a root system's isometry group. All Weyl groups are Coxeter groups of finite type, but the reverse does not hold: Coxeter groups such as $H_3$ and $H_4$ are finite but are not Weyl groups.

Figure 1.8.: $A_3$ as a system of lines in R.

Fundamental Properties of Words in Coxeter Groups

Given a Coxeter system $(W, S)$ and $w \in W$, we use $l(w)$ to denote the minimal or reduced length of $w$. Since all length reductions in the Coxeter group require use of the relation $s_i s_i = s_i^2 = e$, we can categorize all elements of $W$ as even or odd, depending on their minimal length representation modulo 2. It is apparent that the inverse of a reduced word must be of equal length when reduced, and that the concatenation of two words is either reduced or reducible; consequently the following triangle relation holds: $l(uw) \le l(u) + l(w)$. The exchange property of Coxeter groups is that if $w = s_1 s_2 \cdots s_k$ and $l(sw) \le l(w)$, then $sw = s_1 \cdots \hat{s}_i \cdots s_k$ for some $i \in [k]$. The deletion property is that if $w = s_1 s_2 \cdots s_k$ and $l(w) < k$, then $w = s_1 \cdots \hat{s}_i \cdots \hat{s}_j \cdots s_k$ for some $1 \le i < j \le k$. From these two properties, we can derive that any reduced expression of an arbitrary $w \in W$ is a subword of $w$, that all reduced expressions of $w$ are re-orderings, and that no Coxeter generator can be expressed in terms of the others [9]. As shown in figure 1.9, we can construct a Bruhat graph, a directed graph whose nodes are the elements of $W$ and whose edges connect elements where $u \to w$, pointing in the direction of $w$. Bruhat order is the partial order relation on the set $W$ defined by $u \le w$.

Figure 1.9.: Bruhat graph of $G_2$, where excluding the dashed lines leaves the weak Bruhat order.

The top element of the Bruhat graph of a finite Coxeter group is commonly labeled $w_0$. We can construct a weak order from a subset of the join and meet relations on the Bruhat graph. $u \le_R w$ means that $w = u s_1 s_2 \cdots s_k$ for some $s_i \in S$ such that $l(u s_1 s_2 \cdots s_i) = l(u) + i$ for $0 \le i \le k$, and we call this relation the right weak order. Similarly, the left weak order has relations $u \le_L w$, which mean that $w = s_k s_{k-1} \cdots s_1 u$ for some $s_i \in S$ such that $l(s_i s_{i-1} \cdots s_1 u) = l(u) + i$ for $0 \le i \le k$. If $W$ is finite, then $w \le_R w_0$ for all $w \in W$. The word property of Coxeter groups is that any expression $s_1 s_2 \cdots s_q$ for $w$ can be transformed into a reduced expression, and that every two reduced expressions for $w$ can be connected via a sequence of braid moves, which are substitutions of the form $ss'ss's \cdots = s'ss'ss' \cdots$, as opposed to any reductions to the identity.

Artin Groups of Finite Type

The Coxeter matrix $m$ also determines an Artin group, or generalized braid group, $B(W)$ with presentation:

$\langle S \mid (ss')^{m(s,s')/2} = (s's)^{m(s,s')/2} \ \ \forall (s, s') \in S \times S \rangle$

If $m(s, s')$ is odd, then $(ss')^{(m(s,s')-1)/2} s = (s's)^{(m(s,s')-1)/2} s'$. $W$ indicates the corresponding Coxeter group for the Coxeter matrix $m$. In essence, Artin groups include only the braid relations of Coxeter groups. Reductions only occur due to inverse elements $\sigma_i^{-1}$, such that $\sigma_i^{-1} \sigma_i = e$. We focus on Artin groups of finite type, which we distinguish through features of the group's corresponding Coxeter graph. Finite-type Coxeter graphs have (i) all edges of the same index in {2, 3, 4, 5}, or at most one edge of index greater than 3 but not infinite, (ii) at most one node with three edges and all others with two or fewer, and (iii) no cycles. For each Coxeter graph of a Coxeter group $W$ of finite type, we associate a corresponding Artin group $B(W)$.

Chapter 2. Methods and Primitives

Primitives currently used in Artin's braid group $B_n$ for cryptography are generalized to all Artin groups of finite type. At present, the Algebraic Eraser appears to be the only implementation of braid group cryptography on the market. By expanding these protocols to all Artin groups of finite type, more possibilities may arise for braid-based implementations for general use.

Word Problem and Normal Form

The word problem refers to the ability to distinguish different elements in a group. In our case, given arbitrary elements $b_1, b_2 \in B(W)$, we wish to know whether $b_1 = b_2$, and within polynomial time. Current methods solve the word problem by giving a unique normal form to each braid and utilizing polynomial-time algorithms to turn any braid into its normal form. For Artin groups of finite type, we utilize the quadratic-time algorithm in [10], but Sage has in recent months incorporated an implementation that is more practical for large $n$ [11].

Selection of Commuting Subgroups

As the selection of commuting subgroups is vital to many primitives, such as the triple KEP, we propose the following method: to select commuting subgroups of $B(W)$, select a subset $S_G \subseteq S$ of nodes on the Coxeter graph, and eliminate any nodes in $S$ with an edge connecting to $S_G$. Then the largest cluster of connected nodes $S_H$ not in $S_G$ forms a subgraph whose elements commute with the elements of the subgraph $S_G$.

Transformation of the Coxeter matrix $m$ to a Vector

We propose the following method to send the Coxeter matrix as a vector. Taking only the entries above the diagonal, we eliminate redundant information. Then the remaining entries are placed row by row beside each other. Thus an $n \times n$ Coxeter matrix is transmitted as a vector of length $n(n-1)/2$ in $V_C$, which we consider to be the space of all possible Coxeter vectors. Suppose that we only allow edges of index 3 in the Coxeter graph. Then the entries of $v \in V_C$ need only be 0 or 1, depending on whether or not a connection exists, allowing for $n(n-1)/2$-bit vectors and reducing the overall transmission length. Similarly, should only finite irreducible type groups be used, then the naming convention can replace the need for establishing $W$ as a vector.

Methods

Addition (Conjugation)

Simple Conjugation ($b = n_1 n_2 n_1^{-1}$)

Suppose we wish to add two words in $B_5$. Using even digits for generators ($\sigma_n$) and odd digits as their unique inverses ($\sigma_n^{-1}$), we compute the conjugates of two words. We find that the results differ, demonstrating non-commutativity. However, as visible from the example above, the braid tends to retain particular structures, and algorithms using the group's Garside element have been found to solve the conjugacy problem in $O(2^n l^2 n^4)$ for $B_n$, where $l$ is the maximal length of a word and $n$ is the number of generators, as defined above [12]. This time complexity is approximately polynomial for small $n$, meaning that braids such as the one above are insecure. Since Artin groups also fall prey to Garside attacks, we must either use large $n$ ($n > 128$, for instance) or avoid simple conjugation in our primitives.
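As an added illustration of the two methods above (this code is not from the thesis; the function names are my own), the following builds a Coxeter matrix from its graph, encodes it as the vector $v \in V_C$ just described (including the one-bit-per-entry variant when only index-3 edges are allowed), and selects a commuting generator set $S_H$ for a chosen $S_G$ by dropping every node adjacent to $S_G$ and keeping the largest remaining cluster:

```python
# Added example, not the thesis' code: Coxeter-graph helpers for selecting
# commuting generator subsets and for the Coxeter matrix <-> vector encoding.


def coxeter_matrix(n, edges):
    """Build an n x n Coxeter matrix from a dict {(i, j): m(i, j)} of edges.

    Unlisted pairs get m = 2 (the generators commute); the diagonal is 1.
    """
    m = [[1 if i == j else 2 for j in range(n)] for i in range(n)]
    for (i, j), label in edges.items():
        if label < 3:
            raise ValueError("graph edges carry labels m(i, j) >= 3")
        m[i][j] = m[j][i] = label
    return m


def matrix_to_vector(m, edges_only=False):
    """Row-major entries above the diagonal: n(n-1)/2 values.

    With edges_only=True (every edge assumed to have index 3) each entry is a
    single bit: 1 if the two nodes are joined, else 0.
    """
    n = len(m)
    v = [m[i][j] for i in range(n) for j in range(i + 1, n)]
    return [int(x >= 3) for x in v] if edges_only else v


def vector_to_matrix(v, n, edges_only=False):
    """Inverse of matrix_to_vector; rebuilds the symmetric Coxeter matrix."""
    if len(v) != n * (n - 1) // 2:
        raise ValueError("vector length must be n(n-1)/2")
    m = [[1 if i == j else 2 for j in range(n)] for i in range(n)]
    it = iter(v)
    for i in range(n):
        for j in range(i + 1, n):
            x = next(it)
            if edges_only:          # a set bit means an index-3 edge
                x = 3 if x else 2
            m[i][j] = m[j][i] = x
    return m


def neighbours(m, i):
    """Nodes joined to node i in the Coxeter graph (m >= 3)."""
    return {j for j in range(len(m)) if j != i and m[i][j] >= 3}


def select_commuting_subgroup(m, s_g):
    """Drop every node adjacent to S_G, then return the largest connected
    cluster S_H among the nodes that remain (ties: smallest node index)."""
    s_g = set(s_g)
    banned = s_g | {j for i in s_g for j in neighbours(m, i)}
    remaining = [i for i in range(len(m)) if i not in banned]
    seen, clusters = set(), []
    for start in remaining:         # flood-fill each connected component
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(j for j in neighbours(m, node) if j not in banned)
        seen |= comp
        clusters.append(comp)
    if not clusters:
        return set()
    return max(clusters, key=lambda c: (len(c), -min(c)))


def commute(m, s_g, s_h):
    """True iff m(s, s') = 2 for every s in S_G and s' in S_H, i.e. the two
    generator sets (and the Artin subgroups they generate) commute."""
    return all(m[i][j] == 2 for i in s_g for j in s_h)


# Constructed inputs: A_5 is the path 0-1-2-3-4; E_6 is that path with an
# extra node 5 attached to node 2.
A5 = coxeter_matrix(5, {(0, 1): 3, (1, 2): 3, (2, 3): 3, (3, 4): 3})
E6 = coxeter_matrix(6, {(0, 1): 3, (1, 2): 3, (2, 3): 3, (3, 4): 3, (2, 5): 3})

if __name__ == "__main__":
    sg = {0, 1}
    sh = select_commuting_subgroup(A5, sg)
    print("A5: S_G", sorted(sg), "-> S_H", sorted(sh), "commute:", commute(A5, sg, sh))
    print("A5 as bit vector:", matrix_to_vector(A5, edges_only=True))
    print("E6: S_G {0} -> S_H", sorted(select_commuting_subgroup(E6, {0})))
```

For $A_5$ with $S_G = \{0, 1\}$ the adjacent node 2 is removed and $S_H = \{3, 4\}$ is returned, which is exactly the $B_5 \times B_5 \subset B_{11}$ style split used in the triple conjugation below.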

Triple Conjugation ($b = rst$, where $[R, T] = 1$)

Suppose we instead conjugate a braid on $n$ generators with two different braids, each using a subset of the generators, such that the two commute. This time we work on $B_5 \times B_5 \subset B_{11}$, where $r, t \in B_5$ and $s \in B_{11}$. Representing the additional generators as a to f and their inverses as A to F, we can take a5a2c48ede + ccfbbccde. We find:

a5a2c48ede + ccfbbccde = 009CdcEDDCFe

Extracting ccfbbccde knowing 009CdcEDDCFe and a5a2c48ede is the triple decomposition problem, which is an unsolved problem, as methods effective for the simple conjugacy problem do not seem applicable [13]. This primitive is the basis of the triple KEP. It is preferable to using large $n$ in the conjugacy problem, since (i) a smaller key size can be used, and (ii) the method scales better as computational power increases.

Cryptographic Primitives on $B(W)$

Literature is non-existent as to the implementation and testing of Artin group primitives. To this end, we introduce primitives in the context of $B(W)$, and in the next chapter we provide preliminary results as to the potential viability of the different groups.

Conjugacy Search Problem

The conjugacy search problem for Artin groups is: given a triplet $(x, y, W) \in B(W) \times B(W) \times V_C$, find $a \in B(W)$ such that $y = axa^{-1}$. The generalized version of this problem is to find $a \in B(W)$ such that $a \in G \subseteq B(W)$.

Protocol

Alice and Bob wish to establish a private key over an insecure channel with a third party, Eve, intercepting all communications. The public key is a braid $x$ on $B(W)_1 \times B(W)_2$, where $B(W)_1$ and $B(W)_2$ commute. Alice selects a braid $a \in B(W)_1$ and transmits $axa^{-1}$. Bob selects a braid $b \in B(W)_2$ and transmits $bxb^{-1}$. As $a$ and $b$ commute, Alice computes $a(bxb^{-1})a^{-1} = abxb^{-1}a^{-1} = s$, and Bob computes $b(axa^{-1})b^{-1} = baxa^{-1}b^{-1} = abxb^{-1}a^{-1} = s$. Then both have established the shared secret $s$. Since generating a random braid of length $n$ has complexity $O(n \log n)$ and generating $axa^{-1}$, $bxb^{-1}$, and $abxb^{-1}a^{-1}$ is $O(n^2)$, the overall complexity is $O(n^2)$.

Simultaneous Conjugacy Search Problem

The simultaneous conjugacy search problem (SCP) relies on the difficulty of finding the common conjugating factor given two lists of conjugates. One then has to both determine which element of the second list is conjugate to a particular element of the first list, and find the element $z \in B(W)$ that conjugates all elements of one list to the other. To be specific, the problem is: given $(\{x_1, x_2, \dots, x_n\}, \{y_1, y_2, \dots, y_n\}, W)$, where $x_i, y_i \in B(W)$ for all $i$, find $z \in B(W)$ such that $z x_i z^{-1} = y_i$ for all $i$.

Shift Conjugacy Problem

The shift conjugacy problem was introduced by Dehornoy as a primitive on braids similar to Fiat-Shamir authentication [14]. We generalize the problem to Artin groups as follows. Given a triplet $(x, y, W_V) \in B(W) \times B(W) \times V_C$, find $v \in B(W)$ such that $y = x\,d(v)\,a\,d(x)^{-1}$. Here $d(v)$ acts by shifting the sequence of generators in $v$ from $\sigma_i$ to $\sigma_{i+1}$. It is unknown how such a scheme would behave on groups where the relations differ significantly between generators, such as $B(E_6)$. We view such shifts as a one-way function, and as such, one can prove one's identity by providing the initial braid $v$ such that the shift conjugate of $v$ by the public braid $u$ yields the known result. The potential use of such one-way primitives is to hash shared keys in protocols such as RSA, or to verify identity in signature protocols. For this reason we wish to explore this primitive in finite-type Artin groups.
For the simultaneous conjugacy search problem, generating a random braid of length $n$ has complexity $O(n \log n)$ and performing up to $n$ calculations of $a_i x a_i^{-1}$ is $O(n^3)$. Then the overall complexity is $O(n^3)$. For the shift conjugacy problem, linear shifts on generators are $O(n \log n)$ and the calculation of $x\,d(v)\,a\,d(x)^{-1}$ is $O(n^2)$. Then the overall complexity is $O(n^2)$.
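The conjugacy-search key exchange above, as an added worked example that is not part of the thesis: it runs the protocol in $B_{11}$ with Alice and Bob on non-adjacent generator ranges and checks that both secrets coincide using the unreduced Burau representation of $B_n$ evaluated at $t = 2$ over a prime field. Burau is a homomorphism, so equal braids always give equal matrices, which confirms agreement without a normal-form algorithm; the function names and the choice of $p$ and $t$ are assumptions of this example.

```python
# Added example, not the thesis' code: the conjugacy-search protocol in
# B_n = B(A_{n-1}), verified through the unreduced Burau representation.
import random

P = (1 << 61) - 1            # prime modulus for the matrix entries (assumed)
T = 2                        # the Burau parameter t, evaluated at 2 (assumed)
T_INV = pow(T, -1, P)        # t^{-1} in GF(p)


def burau(gen, n):
    """Burau matrix of sigma_i (gen = i) or sigma_i^{-1} (gen = -i) in B_n.

    sigma_i acts on rows/columns i-1, i (0-based) by [[1-t, t], [1, 0]] and
    its inverse by [[0, 1], [t^{-1}, 1 - t^{-1}]]; everything else is the
    identity, which is why generators two or more apart commute.
    """
    i = abs(gen) - 1
    if not 0 <= i < n - 1:
        raise ValueError("generator index out of range for B_n")
    m = [[int(r == c) for c in range(n)] for r in range(n)]
    if gen > 0:
        block = [[(1 - T) % P, T], [1, 0]]
    else:
        block = [[0, 1], [T_INV, (1 - T_INV) % P]]
    for r in range(2):
        for c in range(2):
            m[i + r][i + c] = block[r][c]
    return m


def matmul(a, b):
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % P for c in range(n)]
            for r in range(n)]


def evaluate(word, n):
    """Image of a braid word (list of signed generator indices) in GL_n(GF(p))."""
    m = [[int(r == c) for c in range(n)] for r in range(n)]
    for g in word:
        m = matmul(m, burau(g, n))
    return m


def inverse(word):
    """(g_1 ... g_k)^{-1} = g_k^{-1} ... g_1^{-1}: reverse the word and negate."""
    return [-g for g in reversed(word)]


def random_word(gens, length, rng):
    """Random word on the generator subset `gens` and their inverses."""
    return [rng.choice(gens) * rng.choice((1, -1)) for _ in range(length)]


def csp_exchange(n, gens_alice, gens_bob, length, seed=0):
    """Run the protocol; return (Alice's secret, Bob's secret) as matrices.

    x is the public braid on all of B_n, a is Alice's private braid on
    gens_alice, b is Bob's on gens_bob.  The two secrets agree exactly when
    a and b commute, i.e. when the two generator ranges are non-adjacent.
    """
    rng = random.Random(seed)
    x = random_word(list(range(1, n)), length, rng)
    a = random_word(gens_alice, length, rng)
    b = random_word(gens_bob, length, rng)
    a_sends = a + x + inverse(a)             # a x a^{-1}, visible to Eve
    b_sends = b + x + inverse(b)             # b x b^{-1}, visible to Eve
    s_alice = a + b_sends + inverse(a)       # a (b x b^{-1}) a^{-1}
    s_bob = b + a_sends + inverse(b)         # b (a x a^{-1}) b^{-1}
    return evaluate(s_alice, n), evaluate(s_bob, n)


if __name__ == "__main__":
    # B_11 with Alice on sigma_1..sigma_4 and Bob on sigma_6..sigma_9: the
    # node sigma_5 between them is dropped, as the subgroup selection does.
    sa, sb = csp_exchange(11, [1, 2, 3, 4], [6, 7, 8, 9], 40)
    print("non-adjacent subgroups, secrets agree:", sa == sb)
    # Adjacent ranges break the commuting assumption and the secrets differ.
    sa, sb = csp_exchange(11, [1, 2, 3, 4], [5, 6, 7, 8], 40)
    print("adjacent subgroups, secrets agree:", sa == sb)
```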

Triple Decomposition Problem

The triple decomposition problem is: given $(a, x, W)$ such that $a = rxs$, retrieve $r, s$ fulfilling property $X$. Since any braid $a$ can be formed by concatenating $rst = axx^{-1}$, property $X$ serves to specify $r, t$. In particular, protocols such as the triple key exchange protocol define $X$ to be the membership of $r, t$ in commutative subgroups.

Protocol

Using the process mentioned previously to select commuting subgroups, $R$ and $S$ are chosen from $B(W)_1 \times B(W)_2$. Then Alice chooses $r_1 \in R$, $s_1 \in S$ and sends $x = r_1 a s_1$. Bob similarly chooses $r_2 \in R$, $s_2 \in S$ and sends $y = r_2 a s_2$. Alice calculates $r_1 y s_1 = r_1 r_2 a s_2 s_1 = s$ and Bob similarly calculates $r_2 x s_2 = r_2 r_1 a s_1 s_2 = r_1 r_2 a s_2 s_1 = s$, and both have the shared secret $s$. Since generating a random braid of length $n$ has complexity $O(n \log n)$ and reducing concatenations is $O(n^2)$, the overall complexity of the triple KEP is $O(n^2)$.

Root Extraction Problem

We exponentiate a braid by taking the concatenation of the braid with itself multiple times. For instance, $a^3 \in B(W)$ is equivalent to $a^2 a = aaa = aa^2$. Let $x = a^r$ for some element $a \in B(W)$. Given a triplet $(x, r, W_V) \in B(W) \times \mathbb{Z} \times V_C$, find $z \in B(W)$ such that $z^r = x$. This is the root extraction problem (or root problem). Note that the braid $x$ must be padded; otherwise one can simply take inverses of $x$ from $x^k$ until the identity is reached. While such padding may not be needed if an extremely large $k$ is used, it is the computational inefficiency of current reduction algorithms and the resultant sizes of braids that ultimately limit the viability of using large $k$.

Protocol

A predetermined braid $a \in B(W)$ is made public. Alice calculates $x = b a^r b^{-1}$ for private $r \in \mathbb{Z}$ and private $b \in B(W)$. Bob chooses $y = b_2 a^s b_2^{-1}$ for large private $s \in \mathbb{Z}$. These are exchanged. Alice calculates $y^r = b b_2 a^{rs} b_2^{-1} b^{-1} = s$ and Bob calculates $x^s = b_2 b a^{rs} b^{-1} b_2^{-1} = s$. Eve knows $a$, $b a^r b^{-1}$, and $b a^s b^{-1}$, but has difficulty calculating $a^{rs}$. We note that the security ultimately reduces to the triple decomposition problem. Since generating a random braid of length $n$ has complexity $O(n \log n)$ and performing the calculation of $a x^r a^{-1}$ is $O(n^r)$, we find that the overall complexity is $O(n^r)$.

Chapter 3. Analysis and Attacks

We implement the above primitives and run numerical simulations on tens of millions of randomly constructed braids in finite-type Artin groups to discover their cryptographic implications.

Preliminary Security

We start by requiring $r, t$ to each have more than $2^{256}$ possibilities. This is easily accomplished in $B_{11}$ with a minimum reduced length of 30 for each of $r$, $s$, and $t$. The resultant shared key can subsequently be hashed to 256 bits for use in symmetric protocols. Additional security can be implemented by appending symmetric elements ($S_1$, $S_2$) to the ends of $rst$ such that the resultant braid is a pure braid of a particular length; that is, the underlying permutation of the braid in the symmetric group reduces to the identity. The class of public keys that reduce minimally with the public braid should not be large, meaning the public braid should be tested beforehand. In particular, subsequences of the public key remaining in the resultant triple KEP should be non-existent.

Subsequence Attack

Consider the following randomly generated public key from the triple KEP on $B_{11}$, where lower-case letters represent positive generators:

k = bfbaabafjcfcffceieccffeigagiaijbaechbaagdhhjjebjcfbahcgcchbaadjk

The reduction reveals:

k = ABaaaaaaaacbaaDcFEdccbaGGfjIIhgFhgjk

The repeating aaaaaaaa impedes reducibility, and consequently, when a random $rst$ is transmitted:

abadcbeeddededdcbabbeeddcbabaaaaaaabaabcbaadcfedcbcbdcb aaggfjiihgfeddcbadddccbbbbadccchgjk

we find that the subsequence remains. One can proceed with brute force to find the specific $r$ and $t$ from the sequences before and after the repeating sequence. To thwart this attack, the conjugating element should include parts of the public key itself, or the public key should be chosen so as not to include such structures.

Length Analysis

Reduction Efficiency

It is simple to generate and use random strings of letters to signify a word $b \in B(W)$. However, use of the random string as-is neglects the inherent reducibility of $b$ under the relations of the underlying Artin group, meaning that we can conserve space by reducing the random string to normal form. On the other hand, by reducing to normal form first, we increase the running time of the protocol. Then, to decide whether or not to reduce our initial random keys, we compare the starting lengths of randomly generated words to their reduced lengths, the results of which are in figure 3.1. We note that this analysis concerns random production of words. In the case of concatenating words, such as in conjugacy-based primitives, reduction of words is necessary for obfuscation of the original words.

Figure 3.1.: Proportion of word to reduced word in $B(W)$.

We find that (i) reducibility based on word length is highly predictable, and (ii) a significant proportion of the word (40-55%) may be extraneous if the unreduced form is used. Therefore, we suggest using the reduced form of the word for key generation. From figure 3.2, we find that the standard deviation of the length of the reduced word tends to increase on the order of the square root of the original word length, meaning that the variance is approximately linear (for all groups but $B(G_2)$). This indicates that the structure of these various groups allows for an increase in length without changing reducibility.

Figure 3.2.: Standard deviation as $u$ increases.

Intermediate reductions when calculating a^k

We note that the time-limiting factor is the quadratic-time word reduction. When calculating a^k for a word a ∈ B(W), the maximal length is k·l(a) ∈ Z. Then if k l(a)^{3/2}, we find l(a)^3 k l(a), and the reduction is slower at the end of exponentiation than intermediately. However, use of a large k also leads to slower computation times. In table A.4, we find that the lengths tend to several thousand generators when words are exponentiated with k as small as 10. Faster reduction implementations need to be found due to the rapid size increase of words under small exponents for all groups. We find in figure 3.10 that about half of the length is preserved under reduction for k =

Figure 3.3: Triangle Inequality for Concatenation

Prediction of the length of v in vuv^-1

Should one determine a small range for the length of v in vuv^-1, then a more targeted brute-force attack can be launched. In figure 3.3, we look at the word triangle inequality, which is that l(u) + l(v) ≥ l(uv). We do this by evaluating the triangle ratio (l(u) + l(v))/l(uv). We find that (i) for small l(u), the length of uv differs significantly from the component lengths, and that (ii) as l(u) increases past 10·l(v), the length of the concatenation is similar to l(u), and as a result the length of v is more difficult to determine. Then, viewing l(u) = 500 as a secure length, we vary l(v) to produce figure 3.4.
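As an added illustration (not the thesis's implementation) of the reduction and length measurements used in this chapter: words are lists of signed generators, the reduction below uses only free cancellation and the commuting relations m_ij = 2 of a Coxeter matrix (a type A_n matrix is constructed as the example), and the same functions give the reduction ratio, the triangle ratio for concatenation and conjugation, and a longest-run check against the repeated-generator structure of the key discussed above.

```python
"""Words in an Artin group B(W) as signed generator lists: partial reduction,
length statistics and a structural key check. Added example, not the thesis code."""
import random
from typing import List

# A word is a list of nonzero ints: +i is the generator s_i, -i is its inverse.
# In the string form used in the text, 'a'..'z' are s_1..s_26, 'A'..'Z' their inverses.
Word = List[int]


def parse(s: str) -> Word:
    return [ord(c) - 96 if c.islower() else -(ord(c) - 64) for c in s]


def unparse(w: Word) -> str:
    return "".join(chr(96 + g) if g > 0 else chr(64 - g) for g in w)


def coxeter_matrix_A(n: int) -> List[List[int]]:
    """Coxeter matrix of type A_n (Artin's braid group B_{n+1}):
    m_ii = 1, m_{i,i+1} = 3, every other entry 2."""
    m = [[2] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = 1
        if i + 1 < n:
            m[i][i + 1] = m[i + 1][i] = 3
    return m


def commutes(m: List[List[int]], i: int, j: int) -> bool:
    """s_i and s_j commute exactly when m_ij = 2 (generators are 1-indexed)."""
    return i == j or m[i - 1][j - 1] == 2


def reduce_word(word: Word, m: List[List[int]]) -> Word:
    """Cancel a generator against its inverse whenever every letter between them
    commutes with it.  Only free cancellation and the m_ij = 2 relations are used,
    never the braid relations of order 3 or more, so the output represents the
    same group element but its length is only an upper bound on the normal-form
    length.  Quadratic in the word length, like the reduction the text discusses."""
    out: Word = []
    for g in word:
        k = len(out) - 1
        # walk back over letters that commute with g, looking for g^-1
        while k >= 0 and out[k] != -g and commutes(m, abs(out[k]), abs(g)):
            k -= 1
        if k >= 0 and out[k] == -g:
            del out[k]          # g slides left past out[k+1:] and cancels out[k]
        else:
            out.append(g)
    return out


def random_word(n_gens: int, length: int, rng: random.Random) -> Word:
    """Uniform random word over the 2*n_gens generators and inverses."""
    return [rng.choice((1, -1)) * rng.randint(1, n_gens) for _ in range(length)]


def reduction_ratio(word: Word, m: List[List[int]]) -> float:
    """l(reduced word) / l(word): the proportion of the word that survives."""
    return len(reduce_word(word, m)) / len(word)


def triangle_ratio(u: Word, v: Word, m: List[List[int]]) -> float:
    """(l(u) + l(v)) / l(uv) on reduced lengths: 1.0 means no cancellation
    between u and v, larger values mean uv is shorter than its parts."""
    lu, lv = len(reduce_word(u, m)), len(reduce_word(v, m))
    luv = len(reduce_word(u + v, m))
    return float("inf") if luv == 0 else (lu + lv) / luv


def conjugate(u: Word, v: Word) -> Word:
    """v u v^-1 as an unreduced word."""
    return v + u + [-g for g in reversed(v)]


def longest_run(word: Word) -> int:
    """Longest run of one letter.  The 'aaaaaaaa' block in the text's key
    survives conjugation, so a key generator can reject words whose longest
    run exceeds a chosen bound."""
    best = run = 0
    for i, g in enumerate(word):
        run = run + 1 if i and word[i - 1] == g else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    m = coxeter_matrix_A(10)
    rng = random.Random(1)               # seeded so the run is repeatable
    u, v = random_word(10, 500, rng), random_word(10, 25, rng)
    print("reduction ratio of u:", round(reduction_ratio(u, m), 2))
    print("triangle ratio for uv:", round(triangle_ratio(u, v, m), 3))
    print("length of v u v^-1:", len(reduce_word(conjugate(u, v), m)))
    key = parse("ABaaaaaaaacbaaDcFEdccbaGGfjIIhgFhgjk")   # the reduced key quoted in the text
    print("longest run in the text's key:", longest_run(key))
```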

Figure 3.4: Concatenation as v increases

Figure 3.5: Triangle Inequality for Conjugacy

Using large u, we find that the triangle ratio approaches 1 for very large v and very small v. Increasing the size of v, the conjugator, causes decreases in overall length due to the braid relations for the groups B(A_n), B(B_n), B(D_n), and most noticeably B(G_2). This is likely due to group relations allowing v to interact with v^-1 for the sizes listed. However, as v continues to increase, the irreducible components of v dominate. Moving on to conjugacy itself, in figure 3.5 and figure 3.6 we show the triangle ratio for conjugacy when increasing l(u) and l(v) respectively.

Figure 3.6: Triangle Inequality for Conjugacy as v increases.

Ultimately, v appears to be less predictable when it is within a fifth of the size of u. As before, B(A_n), B(B_n), B(D_n), and B(G_2) tend to decrease in length during initial increases in the size of v, likely due to reduction of generators in v against v^-1. The magnitude appears to be on the order of 1-2%, but this reduction warrants further study of the effect itself. Since 1-2% is very small, we see in figure 3.7, figure 3.9, and figure 3.10 that when simply taking the ratio of the conjugate length to the word length, we can predict the average length for all groups.

Figure 3.7: Length of Conjugate versus Reduced Word Length

Figure 3.8: Standard deviation of Conjugate Length.

Figure 3.9: Proportion of v in Conjugacy

Figure 3.10: Standard Deviation of Conjugates.

Prediction of the length of u^k for large k

Figure 3.11: Triangle Inequality for Root Problem.

From figure 3.11, we find that the reduced length of u^k is very predictable, allowing length predictions for large k. This poses a problem for the simple guess of k ∈ Z in u^k. Because of the predictability of k, u may need to be specially chosen to offset this attack, or transmissions may need to be padded in ways that standardize length. Due to the predictability of conjugation lengths, the padding of a root by a conjugator z, such that z u^k z^-1 is transmitted, must also be studied to determine methods of crafting z to offset length-based attacks.

Figure 3.12: Triangle Inequality for u^k as k increases

Relationship between l(u) and k in l(u^k)

Figure 3.13: Multivariate Analysis of u^k in B(E_6) as k, u increase.

Suppose one had multiple values of l(u^k). Knowing either l(u) or k, one can use the distribution of lengths to target the unknown value. In figure 3.13, the contour plot of B(E_6) could be matched with a dataset of l(u^k) to predict k from l(u) or vice versa, providing another length-based weakness to the root extraction problem without further modification.

Viability of Shift Conjugacy in B(W)

In figure 3.14 and figure 3.15, we find that shift conjugacy affects particular B(W) differently than others. In particular, B(H_3), B(H_4), B(F_4) and B(G_2) appear to be unaffected by the operation for small word lengths and deviate from the triangle equality for large v. Shift conjugacy on groups like B(E_6) has asymmetry in the relations of intermediate generators, which makes its similar behavior to B(A_n), B(B_n), and B(D_n) more intriguing. As a result we conclude it is either the high order of the relations or the smaller number of nodes that makes the difference. As the reducibility fractions were similar for all groups, it is more likely that the high order of the relations is the cause of the disparity.

Figure 3.14: Triangle Inequality for Shift Conjugacy as v increases

Promising families of B(W)

B(G_2) appears less predictable and has higher variance, allowing it to mask lengths more effectively than other groups. As such, the root extraction problem may be more effective on B(G_2) than on other groups such as Artin's braid group. Shift conjugacy appears viable in all groups. However, it affects B(H_2), B(H_3), and B(G_2) differently from the rest. B(E_6), B(E_7) and B(E_8) have elements with three connections, which cause their reduced words to differ in composition, in the proportion of generators, from the reduced words of other groups.

Figure 3.15: Triangle Inequality for Shift Conjugation.

Analog to Burau Matrices for Artin Groups

The Burau representation allows any element of Artin's braid group to be represented as a Burau matrix. This allows for reduction of conjugacy problems to systems of equations and has opened the braid group to attacks utilizing linear algebra. There already exists a method in [15] in which an analog to Burau matrices can be created for Artin groups. Moreover, it reduces to the Burau matrix in the case that the group chosen is B_n. It is known that the Burau representation is unfaithful for n ≥ 5. However, the cases in which the representation fails are difficult to find, and do not deter attacks in nearly all cases.

Random Attack and Brute Force Attack

We consider a random attack to be an attempt to guess the key without relying on information from past guesses, such that the same guess may occur more than once. Then the probability of success with the random attack is 1/N, where N is the total number of possible words the key could be. A brute force attack keeps track of past guesses to run through all possible keys, with probability of success 1/(N − n), where n is the number of attempts already made. A 128-bit key is considered computationally secure against brute-force attack, due to practical limitations in checking all possibilities.

Upper Bound

For our purposes, there is a simple upper bound on the number of possible keys for a braid in B(W). This is twice the number of nodes in S (since we include inverses), taken to the exponent l_max, the maximum length of the braid for the protocol. Consider a word of unreduced length 100 in B(B_25). Then the upper bound for the number of elements is (2·25)^100, or 560-bit security. We propose getting an estimate much closer to the actual security by using the reduced length instead. For the previous example of a key of unreduced length 100 in B(B_25), we use the average reduced length of 65.5 from Table A.3 to calculate (2·25)^65.5, which is closer to 350-bit security. In practice, one can launch a more targeted brute-force attack by eliminating classes of braids that the key cannot be part of, or by focusing on a specific class of braids that the key must lie in. It is for this reason that pure braids are heavily recommended, since the underlying permutation of a braid may be a point of attack.

Collision Attack

The collision attack, also known as the birthday attack, can be used to break an n-bit key in O(2^{n/2}) time, as compared to brute force, which has time complexity O(2^n). In practice, it often requires brute force on a local region of the key-space, and at intervals over the entire global key-space, finding matches, or collisions. For this reason, 256-bit keys are recommended over 128-bit keys for theoretical security.

Further Questions

While we have provided preliminary results regarding Artin groups of finite type in cryptographic applications, further research is required on specific groups. In particular, a more thorough analysis of which keys and conjugators are best for use in protocols that withstand subsequence and length-based attacks is needed. In implementation, efficient reduction algorithms need to be developed to speed up root-based protocols. Next, attacks on protocols should be run using the latest Garside theory research and modern computing power, and the security parameters found necessary as a result will determine the true efficacy of current protocols. Another topic of interest is multi-group protocols, which combine elements of different groups. It is known that there exists a unique normal-form word for each element of an Artin group of finite type. Subsequent or parallel reductions of a word in different Artin groups may prove to be a new primitive. Further analysis of linear algebraic attacks through use of the generalized Burau matrix representation can be studied for the conjugacy problem. While attacks on the triple-KEP are not currently known, implementation and tests may lead to its downfall, or to verification of the triple-KEP as a viable modern protocol.
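The key-space upper bound, the random-attack and brute-force success probabilities and the birthday cost from the Random Attack, Upper Bound and Collision Attack sections above, as an added calculator (not from the thesis), evaluated on the B(B_25) example with unreduced length 100 and average reduced length 65.5:

```python
"""Key-space bound and guessing-attack probabilities for words in B(W).
Added example, not the thesis code."""
import math


def keyspace_size(nodes: int, length: int) -> int:
    """Upper bound N = (2*nodes)^length on the number of words of the given
    length: each position holds one of the |S| generators or its inverse."""
    return (2 * nodes) ** length


def keyspace_bits(nodes: int, length: float) -> float:
    """log2 of the bound, i.e. the 'n-bit security' figure.  A non-integer
    length is allowed so the average reduced length can replace the unreduced one."""
    return length * math.log2(2 * nodes)


def random_guess_success(N: int, attempts: int) -> float:
    """Random attack: each guess succeeds with 1/N independently (repeats are
    allowed), so P[found within t guesses] = 1 - (1 - 1/N)^t."""
    return 1.0 - (1.0 - 1.0 / N) ** attempts


def brute_force_success(N: int, attempts: int) -> float:
    """Brute force never repeats a guess: the n-th guess succeeds with 1/(N-n)
    given the first n failed, so after t guesses the key is found with probability t/N."""
    return min(attempts, N) / N


def birthday_work(bits: float) -> float:
    """Collision (birthday) attack cost O(2^(n/2)), versus O(2^n) for brute force."""
    return 2.0 ** (bits / 2)


if __name__ == "__main__":
    # The text's example: unreduced length 100 in B(B_25), average reduced length 65.5
    print("unreduced bound: %.1f bits" % keyspace_bits(25, 100))
    print("reduced bound:   %.1f bits" % keyspace_bits(25, 65.5))
    print("birthday work for 128-bit key: 2^%.0f" % math.log2(birthday_work(128)))
    N = keyspace_size(4, 8)                 # a toy space small enough to compare attacks
    print("after N/2 guesses: random %.3f, brute force %.3f"
          % (random_guess_success(N, N // 2), brute_force_success(N, N // 2)))
```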

Appendix A. Data Tables

Table A.1: Length Analysis: changing l(u)_init in B(W), where W is finite irreducible.
Word lengths (μ ± σ), l(u)_init = 50, l(v)_init = 25, k = 10, N = 1000.

l(u)_init = 50
G        l(u)        l(v)   l(uv)    l(vuv^-1)   l(u^k)   l(u d(v) σ_1 d(u)^-1)
B(A_n)   35 ± …      …      …        …           …        … ± 10.8
B(B_n)   35.1 ± …    …      … ± 6    64 ± …      …        … ± 10.2
B(D_n)   35 ± …      …      …        …           …        … ± 10.2
B(E_6)   29 ± …      …      …        …           …        … ± 10.8
B(E_7)   29.5 ± …    …      …        …           …        … ± 11.6
B(E_8)   30.2 ± …    …      …        …           …        … ± 11.4
B(F_4)   27.7 ± …    …      …        …           …        … ± 11.7
B(G_2)   24.4 ± …    …      …        …           …        … ± 10.9
B(H_3)   26.6 ± …    …      …        …           …        … ± 11.6
B(H_4)   28.2 ± …    …      …        …           …        … ± 12.2

l(u)_init = 100
B(A_n)   64.6 ± …    …      …        …           …        … ± 14.6
B(B_n)   65.4 ± …    …      …        …           …        … ± 14.6
B(D_n)   64.7 ± …    …      …        …           …        … ± 14.8
B(E_6)   56.1 ± …    …      …        …           …        … ± 15.7
B(E_7)   57.1 ± …    …      …        …           …        … ± 15.6
B(E_8)   58.0 ± …    …      …        …           …        … ± 15.7
B(F_4)   54.6 ± …    …      …        …           …        … ± 16.5
B(G_2)   46.8 ± …    …      …        …           …        … ± 15.2
B(H_3)   52.5 ± …    …      …        …           …        … ± 16.6
B(H_4)   55.1 ± …    …      …        …           …        … ± …

l(u)_init = 150
G        l(u)        l(v)   l(uv)    l(vuv^-1)   l(u^k)   l(u d(v) σ_1 d(u)^-1)
B(A_n)   93.6 ± …    …      …        …           …        … ± 19.5
B(B_n)   94.5 ± …    …      …        …           …        … ± 19.1
B(D_n)   94.1 ± …    …      …        …           …        … ± 18.3
B(E_6)   83.4 ± …    …      …        …           …        … ± 19.0
B(E_7)   85.1 ± …    …      …        …           …        … ± 19.0
B(E_8)   85.7 ± …    …      …        …           …        … ± 19.0
B(F_4)   80.3 ± …    …      …        …           …        … ± 20.5
B(G_2)   67.3 ± …    …      …        …           …        … ± 18.4
B(H_3)   78.9 ± …    …      …        …           …        … ± 20.3
B(H_4)   82.3 ± …    …      …        …           …        … ± 19.8

l(u)_init = 200
B(A_n)   … ± …       …      …        …           …        … ± 20.5
B(B_n)   … ± …       …      …        …           …        … ± 22.2
B(D_n)   … ± …       …      …        …           …        … ± 21.4
B(E_6)   … ± …       …      …        …           …        … ± 23.1
B(E_7)   … ± …       …      …        …           …        … ± 22.5
B(E_8)   … ± …       …      …        …           …        … ± 22.2
B(F_4)   … ± …       …      …        …           …        … ± 23.5
B(G_2)   88.1 ± …    …      …        …           …        … ± 23.0
B(H_3)   … ± …       …      …        …           …        … ± 23.6
B(H_4)   … ± …       …      …        …           …        … ± 23.1

l(u)_init = 300
B(A_n)   … ± …       …      …        …           …        … ± 27.0
B(B_n)   … ± …       …      …        …           …        … ± 26.2
B(D_n)   … ± …       …      …        …           …        … ± 27.1
B(E_6)   … ± …       …      …        …           …        … ± 26.5
B(E_7)   … ± …       …      …        …           …        … ± 28.3
B(E_8)   … ± …       …      …        …           …        … ± 26.0
B(F_4)   … ± …       …      …        …           …        … ± 27.6
B(G_2)   … ± …       …      …        …           …        … ± 29.2
B(H_3)   … ± …       …      …        …           …        … ± 28.3
B(H_4)   … ± …       …      …        …           …        … ± 27.6

l(u)_init = 500
G        l(u)        l(v)   l(uv)    l(vuv^-1)   l(u^k)   l(u d(v) σ_1 d(u)^-1)
B(A_n)   … ± …       …      …        …           …        … ± 34.1
B(B_n)   … ± …       …      …        …           …        … ± 36.1
B(D_n)   … ± …       …      …        …           …        … ± 34.5
B(E_6)   … ± …       …      …        …           …        … ± 34.3
B(E_7)   … ± …       …      …        …           …        … ± 35.6
B(E_8)   … ± …       …      …        …           …        … ± 35.1
B(F_4)   … ± …       …      …        …           …        … ± 37.9
B(G_2)   … ± …       …      …        …           …        … ± 42.5
B(H_3)   … ± …       …      …        …           …        … ± 35.3
B(H_4)   … ± …       …      …        …           …        … ± 37.6

l(u)_init = 750
B(A_n)   … ± …       …      …        …           …        … ± 42.5
B(B_n)   … ± …       …      …        …           …        … ± 42.4
B(D_n)   … ± …       …      …        …           …        … ± 42.9
B(E_6)   … ± …       …      …        …           …        … ± 43.0
B(E_7)   … ± …       …      …        …           …        … ± 41.7
B(E_8)   … ± …       …      …        …           …        … ± 43.6
B(F_4)   … ± …       …      …        …           …        … ± 44.1
B(G_2)   … ± …       …      …        …           …        … ± 55.2
B(H_3)   … ± …       …      …        …           …        … ± 44.9
B(H_4)   … ± …       …      …        …           …        … ± 45.0

l(u)_init = 1000
B(A_n)   … ± …       …      …        …           …        … ± 50.3
B(B_n)   … ± …       …      …        …           …        … ± 49.0
B(D_n)   … ± …       …      …        …           …        … ± 49.4
B(E_6)   … ± …       …      …        …           …        … ± 48.0
B(E_7)   … ± …       …      …        …           …        … ± 50.2
B(E_8)   … ± …       …      …        …           …        … ± 48.6
B(F_4)   … ± …       …      …        …           …        … ± 51.3
B(G_2)   … ± …       …      …        …           …        … ± 67.7
B(H_3)   … ± …       …      …        …           …        … ± 51.8
B(H_4)   … ± …       …      …        …           …        … ± 53.0


More information

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu

More information

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Introduction to Braid Group Cryptography

Introduction to Braid Group Cryptography Introduction to Braid Group Cryptography Parvez Anandam March 7, 2006 1 Introduction Public key cryptosystems rely on certain problems for which no fast algorithms are known. For instance, in Diffie-Hellman,

More information

Mathematical Foundations of Public-Key Cryptography

Mathematical Foundations of Public-Key Cryptography Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves

More information

True & Deterministic Random Number Generators

True & Deterministic Random Number Generators True & Deterministic Random Number Generators Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu 1.0 0.5 1.0 0.5 0.5 1.0 0.5 1.0 Koç (http://cs.ucsb.edu/~koc) HRL RNG April 11, 2013 1 / 47 Random Numbers

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2 0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod

More information

WALNUT DIGITAL SIGNATURE ALGORITHM

WALNUT DIGITAL SIGNATURE ALGORITHM WALNUT DIGITAL SIGNATURE ALGORITHM Dorian Goldfeld SecureRF Corporation NATO Post Quantum Cryptography Workshop, September 27, 2016 1 INTRODUCING WALNUTDSA 2 INTRODUCING WALNUTDSA (joint work with Iris

More information

DIHEDRAL GROUPS II KEITH CONRAD

DIHEDRAL GROUPS II KEITH CONRAD DIHEDRAL GROUPS II KEITH CONRAD We will characterize dihedral groups in terms of generators and relations, and describe the subgroups of D n, including the normal subgroups. We will also introduce an infinite

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

Lecture 7: ElGamal and Discrete Logarithms

Lecture 7: ElGamal and Discrete Logarithms Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Chapter 8 Public-key Cryptography and Digital Signatures

Chapter 8 Public-key Cryptography and Digital Signatures Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital

More information

My brief introduction to cryptography

My brief introduction to cryptography My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework

More information

Exam Security January 19, :30 11:30

Exam Security January 19, :30 11:30 Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in

More information

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:

More information

Ti Secured communications

Ti Secured communications Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked

More information

The Elliptic Curve in https

The Elliptic Curve in https The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

19. Coding for Secrecy

19. Coding for Secrecy 19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Points of High Order on Elliptic Curves ECDSA

Points of High Order on Elliptic Curves ECDSA ! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov

More information

RSA. Ramki Thurimella

RSA. Ramki Thurimella RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key

More information

Great Theoretical Ideas in Computer Science

Great Theoretical Ideas in Computer Science 15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information