The Algebraic Eraser™

Simon R. Blackburn

Royal Holloway University of London

5th January 2016

Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 16

Overview

1 The Discrete Log Problem and Diffie-Hellman

2 Group-theoretic analogues of DLP

3 The Algebraic Eraser

4 More ideas

The discrete logarithm problem (DLP)

Let $p$ be a prime and let $g, h \in \mathbb{Z}_p^*$. Find an integer $x$ (if it exists) such that $h \equiv g^x \bmod p$.

In general, this is a hard computational problem (for large p).

Example: Let p = 11, g = 2 and h = 9. Solve the DLP.

| $x$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|
| $g^x$ | 1 | 2 | 4 | 8 | 5 | 10 | 9 | 7 | 3 | 6 |

Diffie-Hellman key exchange

Alice and Bob want to agree on a random key $K$.
They decide upon a large prime $p$ and some $g \in \mathbb{Z}_p^*$, then:
Alice chooses a random integer $1 \le a < p - 1$ and sends $c_1 = g^a \bmod p$ to Bob.
Bob chooses a random integer $1 \le b < p - 1$ and sends $c_2 = g^b \bmod p$ to Alice.
On receiving $c_2$ Alice computes $K = c_2^a \bmod p$.
On receiving $c_1$ Bob computes $K = c_1^b \bmod p$.
Both share the same key $K = g^{ab} \bmod p$.

It works because $(g^a)^b = (g^b)^a$.

What does security mean?

An adversary Eve knows $p$ and $g$, and sees $c_1 = g^a$ and $c_2 = g^b$.
Eve aims to compute the common key $K = g^{ab}$.
A minimum level of security: secure if she can’t do this.
If she can solve the DLP, the system is insecure.
The problem Eve wants to solve is the Diffie–Hellman problem: given $c_1$ and $c_2$, compute $K$.

How hard is the DLP?

The DLP in $\mathbb{Z}_p^*$ is thought to be hard, but there are subexponential algorithms to solve it.
The DLP makes sense for any cyclic group.
The group of points on an elliptic curve is thought to be more secure.
Are there other good examples? Note: the integers mod $n$ under addition are a bad choice.
There is an efficient quantum algorithm for the DLP due to Shor.
What about non-abelian groups? Motivation: Useful against quantum computer adversaries?
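Why the integers mod $n$ under addition are a bad choice, as an added example (not from the original slides): there "exponentiation" is just multiplication by $x$, so the DLP is a linear congruence that the Euclidean algorithm solves. The modulus, generator and secrets below are constructed sample values.

```python
from math import gcd

def additive_dlog(g, h, n):
    """Smallest x >= 0 with x*g = h (mod n), i.e. the DLP in (Z_n, +); None if none exists."""
    d = gcd(g, n)
    if h % d:
        return None                    # h is not in the subgroup generated by g
    m = n // d                         # order of g in (Z_n, +)
    if m == 1:
        return 0
    return (h // d) * pow(g // d, -1, m) % m

def additive_dh(g, n, a, b):
    """Diffie-Hellman run in (Z_n, +): returns (c1, c2, K) with K = a*b*g mod n."""
    c1, c2 = a * g % n, b * g % n      # the two public messages
    return c1, c2, a * c2 % n

def eve_recovers_key(g, n, c1, c2):
    """Eve solves the additive DLP for Alice's secret and repeats Alice's last step."""
    a = additive_dlog(g, c1, n)
    return None if a is None else a * c2 % n

# Constructed parameters: n = 2^61 - 1 is prime, a and b are arbitrary secrets.
N_MOD, GEN = 2**61 - 1, 5
C1, C2, KEY = additive_dh(GEN, N_MOD, 1234567890123456789, 987654321987654321)
```

The size of $n$ gives no protection here: the cost of `additive_dlog` is that of one gcd and one modular inverse.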

Ko, Lee, Cheon, Han, Kang, Park

Let G be a (non-abelian) group. For a, g ∈ G define

$$g^a = a^{-1} g a.$$

Problem: $(g^a)^b \neq (g^b)^a$, in general.
Solution: Choose $a \in A \le G$ and $b \in B \le G$ where $[A, B] = \{1\}$.
The analogue of the DLP is the conjugacy search problem: given $g$ and $g^a$, find $a$.
How do you choose a group $G$ and subgroups $A$ and $B$?
Ko et al. suggest using a braid group.

The braid group (in pictures)

Three equivalent braids:

$a_1 a_3 a_2^{-1} a_2$, $\quad a_3 a_1 a_2^{-1} a_2$, $\quad a_3 a_1$

Why are braid groups attractive?

A nice presentation:

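$$B_n = \langle a_1, \dots, a_{n-1} \mid a_i a_j = a_j a_i \text{ when } |i - j| \ge 2 \text{ and } a_i a_{i+1} a_i = a_{i+1} a_i a_{i+1} \text{ for } i \le n - 2 \rangle$$

For $n$ even we can take

$$A = \langle a_1, \dots, a_{(n-2)/2} \rangle \quad \text{and} \quad B = \langle a_{n/2}, \dots, a_{n-1} \rangle.$$

$B_n$ has solvable word problem.
The conjugacy search problem is thought to be hard.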

The security of Ko et al.

How difficult is the conjugacy search problem?
There’s a nice survey of some of the older work: ‘Braid-based cryptography’ by Patrick Dehornoy.
Cheon and Jun (2003) gave a (high degree) polynomial-time attack, using representation theory.

The problem with matrix groups

Let $A$, $B$ be commuting subgroups of $GL_n(\mathbb{F}_q)$. Let $G \in GL_n(\mathbb{F}_q)$. Eve is given

$$C_1 = M^{-1} G M \text{ for unknown } M \in A \quad \text{and} \quad C_2 = N^{-1} G N \text{ for unknown } N \in B.$$

She finds invertible $\tilde{M}$ such that

$$\tilde{M} C_1 = G \tilde{M} \quad \text{and} \quad \tilde{M} \text{ commutes with } B.$$

Then

$$K = (C_2)^M = (G^M)^N = (G^{\tilde{M}})^N = (G^N)^{\tilde{M}} = C_2^{\tilde{M}}.$$
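Both of Eve's conditions on $\tilde{M}$ are linear in its entries, so she only needs Gaussian elimination. The following is an added example (not code from the talk) that runs the attack in $GL_4(\mathbb{F}_{101})$; the prime, the block-diagonal subgroups $A$ and $B$, and every matrix are constructed for illustration.

```python
P = 101  # toy prime; this block is an added example and all matrices are constructed

def mul(X, Y):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*Y)] for r in X]

def rref(rows):  # row-reduce mod P; returns (nonzero rows, pivot columns)
    rows, piv = [r[:] for r in rows], []
    for c in range(len(rows[0])):
        k = len(piv)
        j = next((i for i in range(k, len(rows)) if rows[i][c]), None)
        if j is not None:
            rows[k], rows[j] = rows[j], rows[k]
            inv = pow(rows[k][c], -1, P)
            rows[k] = [x * inv % P for x in rows[k]]
            rows = [r if i == k else [(x - r[c] * y) % P for x, y in zip(r, rows[k])]
                    for i, r in enumerate(rows)]
            piv.append(c)
    return rows[:len(piv)], piv

def inverse(X):  # reduce [X | I]; None if X is singular
    R, piv = rref([r + [int(i == j) for j in range(len(X))] for i, r in enumerate(X)])
    return [r[len(X):] for r in R] if piv == list(range(len(X))) else None

def conj(G, M):  # G^M = M^-1 G M
    return mul(mul(inverse(M), G), M)

def find_m_tilde(G, C1, B_gens):
    """Invertible Mt with Mt*C1 = G*Mt and Mt*B = B*Mt for each B in B_gens, else None."""
    n, cols = len(G), []
    for u in range(n * n):  # image of each basis matrix E_u under the linear map
        E = [[int(i * n + j == u) for j in range(n)] for i in range(n)]
        D = [(mul(E, R), mul(L, E)) for L, R in [(G, C1)] + [(B, B) for B in B_gens]]
        cols.append([(x - y) % P for S, T in D for s, t in zip(S, T) for x, y in zip(s, t)])
    R, piv = rref([list(r) for r in zip(*cols)])
    for f in sorted(set(range(n * n)) - set(piv)):  # one kernel vector per free column
        v = {f: 1, **{p: -row[f] % P for row, p in zip(R, piv)}}
        Mt = [[v.get(i * n + j, 0) for j in range(n)] for i in range(n)]
        if inverse(Mt):  # Eve may need random kernel combinations in general
            return Mt

# A = {diag(X, I)} and B = {diag(I, Y)} commute; whatever commutes with B_GENS commutes with B.
G = [[2, 3, 1, 0], [1, 4, 0, 1], [5, 1, 3, 2], [0, 2, 1, 1]]  # public
M = [[3, 1, 0, 0], [2, 5, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]  # Alice's secret, in A
N = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 4, 7], [0, 0, 1, 6]]  # Bob's secret, in B
B_GENS = [[[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 1], [0, 0, 0, 1]],
          [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 1, 1]]]
C1, C2 = conj(G, M), conj(G, N)  # the two public messages

def eve_key():  # uses only G, C1, C2 and B_GENS
    return conj(C2, find_m_tilde(G, C1, B_GENS))
```

Eve never needs $M$ itself: any invertible solution of the linear system conjugates $C_2$ to the shared key.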

The Algebraic Eraser

Proposed by Anshel, Anshel, Goldfeld and Lemieux about 10 years ago.
Based on the coloured Burau group $GL(n, \mathbb{F}_q(t_1, \dots, t_n)) \rtimes \mathrm{Sym}(n)$.
Define $\varphi : B_n \to GL(n, \mathbb{F}_q(t_1, \dots, t_n)) \rtimes \mathrm{Sym}(n)$ by

$$a_1 \mapsto \left( \begin{pmatrix} -t_1 & 1 & & & \\ 0 & 1 & & & \\ & & 1 & & \\ & & & \ddots & \\ & & & & 1 \end{pmatrix},\ (1\,2) \right),$$

$$a_i \mapsto \left( \begin{pmatrix} 1 & & & & & & \\ & \ddots & & & & & \\ & & 1 & 0 & 0 & & \\ & & t_i & -t_i & 1 & & \\ & & 0 & 0 & 1 & & \\ & & & & & \ddots & \\ & & & & & & 1 \end{pmatrix},\ (i, i+1) \right).$$

The Algebraic Eraser

Produce a map $B_n \to GL(n, q) \times \mathrm{Sym}(n)$ by replacing each variable $t_i$ by some non-zero element $\tau_i \in \mathbb{F}_q$. This gives rise to an action $\psi$ of $B_n$ on $GL(n, q) \times \mathrm{Sym}(n)$.

Choose commuting subgroups $A$ and $B$ of $B_n$ in some way.
Choose commuting subgroups $C$ and $D$ of $GL(n, q)$ in some way.
Alice picks $c \in C$, $a \in A$ and sends $c\psi(a)$ to Bob.
Bob picks $d \in D$, $b \in B$ and sends $d\psi(b)$ to Alice.
Common key is

$$dc\psi(a)\psi(b) = cd\psi(b)\psi(a).$$

History of the security of the Algebraic Eraser

The Algebraic Eraser was made public in 2002.
January 2008: Myasnikov and Ushakov posted a length-based attack: the parameters were too small.
May 2011: Gunnells confirms these results, and recommends increasing parameters.
January 2008 (independently): Kalka, Tsaban and Teicher break the scheme for generic parameters: a (heuristic) linearisation attack to find the secret matrix $c$, then a (heuristic) permutation group algorithm to find common keys.
February 2012: Goldfeld and Gunnells show how a careful choice of parameters can avoid this attack.
July 2015: Sample keys provided to SRB by SecureRF, after request.
October 2015: Ben-Zvi, SRB, Tsaban cryptanalyse the scheme by deriving the common key without finding $c$. A novel form of linearisation is used. SecureRF are informed.
November 2015: The attack is posted.

Other ideas

Finite groups are problematic: quotient attacks and linear attacks.
Using commutators rather than conjugation (Anshel, Anshel, Goldfeld) is another way to generalise the DLP. Cryptanalysed by Tsaban for braid groups, using representation theory and double centralisers.
Logarithmic signatures (the MST3 cryptosystem) is another idea. Cryptanalysed by Blackburn, Cid, Mullan.
There are currently no group-based cryptosystems that have stood up to long term scrutiny. Other Post-Quantum cryptosystems have more potential.
Any other ideas? (Any hard discrete problems that become easy with extra info?)

Some Links

This talk will appear soon on my home page:

http://www.ma.rhul.ac.uk/sblackburn

S.R. Blackburn, C. Cid, C. Mullan, ‘Group theory in cryptography’:

http://arxiv.org/abs/0906.5545

A. Ben-Zvi, S.R. Blackburn and B. Tsaban, ‘A practical cryptanalysis of the Algebraic Eraser’:

http://eprint.iacr.org/2015/1102

See http://tinyurl.com/oqu2q2b for an Ars Technica article on this research.
