cryptanalysis of the shpilrain-ushakov protocol in f
TRANSCRIPT
The protocolCryptanalysis of the protocol
Cryptanalysis of the Shpilrain-Ushakov
protocol in F
Francesco Matucci
Cornell University
June 28, 2007
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
1 The protocolProblem and key exchangeThe platform group and choice of parameters
2 Cryptanalysis of the protocolOther representations of F
The attack and generalizations
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Decomposition Problem
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Decomposition Problem
The protocol is based on the Decomposition Problem:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Decomposition Problem
The protocol is based on the Decomposition Problem:
Given a group G , a subset X ⊆ G and w1,w2 ∈ G
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Decomposition Problem
The protocol is based on the Decomposition Problem:
Given a group G , a subset X ⊆ G and w1,w2 ∈ G find a, b ∈ X
such thataw1b = w2
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Private Keys.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Private Keys.
Alice selects a1 ∈ A, b1 ∈ B and sends u1 = a1wb1 to Bob
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Private Keys.
Alice selects a1 ∈ A, b1 ∈ B and sends u1 = a1wb1 to Bob
Bob selects b2 ∈ B , a2 ∈ A and sends u2 = b2wa2 to Alice
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Private Keys.
Alice selects a1 ∈ A, b1 ∈ B and sends u1 = a1wb1 to Bob
Bob selects b2 ∈ B , a2 ∈ A and sends u2 = b2wa2 to Alice
Alice computes KA = a1u2b1 = a1b2wa2b1
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Public Data. A group G , an element w ∈ G and two subgroupsA,B of G such that
ab = ba, ∀a ∈ A, b ∈ B
Private Keys.
Alice selects a1 ∈ A, b1 ∈ B and sends u1 = a1wb1 to Bob
Bob selects b2 ∈ B , a2 ∈ A and sends u2 = b2wa2 to Alice
Alice computes KA = a1u2b1 = a1b2wa2b1
Bob computes KB = b2u1a2 = b2a1wb1a2
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Since A and B commute elementwise
KA = a1b2wa2b1 = b2a1wb1a2 = KB = K
becomes their shared secret key.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Since A and B commute elementwise
KA = a1b2wa2b1 = b2a1wb1a2 = KB = K
becomes their shared secret key.
Eve’s Data.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Key Exchange Protocol
Since A and B commute elementwise
KA = a1b2wa2b1 = b2a1wb1a2 = KB = K
becomes their shared secret key.
Eve’s Data. She has all the public data and the two elementsu1, u2, observed during Alice and Bob’s exchange.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Thompson’s group F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Thompson’s group F
Combinatorial group theory approach:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Thompson’s group F
Combinatorial group theory approach:
F = 〈x0, x1, x2, . . . |x−1i xnxi = xn+1,∀i < n〉
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Thompson’s group F
Combinatorial group theory approach:
F = 〈x0, x1, x2, . . . |x−1i xnxi = xn+1,∀i < n〉
Advantage:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Thompson’s group F
Combinatorial group theory approach:
F = 〈x0, x1, x2, . . . |x−1i xnxi = xn+1,∀i < n〉
Advantage: there are normal forms and they are fast to compute.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
x−1k xn → xn+1x
−1k (positive before negative)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
x−1k xn → xn+1x
−1k (positive before negative)
x−1n xk → xkx−1
n+1 (positive before negative)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
x−1k xn → xn+1x
−1k (positive before negative)
x−1n xk → xkx−1
n+1 (positive before negative)
x−1k x−1
n → x−1n+1x
−1k (smaller subscripts last)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
x−1k xn → xn+1x
−1k (positive before negative)
x−1n xk → xkx−1
n+1 (positive before negative)
x−1k x−1
n → x−1n+1x
−1k (smaller subscripts last)
Normal forms:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
F = 〈x0, x1, x2, . . . |x−1k
xnxk = xn+1,∀k < n〉
xnxk → xkxn+1 (smaller subscripts first)
x−1k xn → xn+1x
−1k (positive before negative)
x−1n xk → xkx−1
n+1 (positive before negative)
x−1k x−1
n → x−1n+1x
−1k (smaller subscripts last)
Normal forms:
f = xi1xi2 . . . xiux−1jv
. . . x−1j2
x−1j1
(i1 ≤ . . . ≤ iu, j1 ≤ . . . ≤ jv )
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Unique, if reduced: if xi and x−1i , then so does xi+1 or x−1
i+1.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Unique, if reduced: if xi and x−1i , then so does xi+1 or x−1
i+1.
x0x1x1x3x−15 x−1
4 x−11 x−1
0 = x0x1x2x−14 x−1
3 x−10
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Unique, if reduced: if xi and x−1i , then so does xi+1 or x−1
i+1.
x0x1x1x3x−15 x−1
4 x−11 x−1
0 = x0x1x2x−14 x−1
3 x−10
Theorem (Shpilrain-Ushakov, 2005)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Normal Forms in F
Unique, if reduced: if xi and x−1i , then so does xi+1 or x−1
i+1.
x0x1x1x3x−15 x−1
4 x−11 x−1
0 = x0x1x2x−14 x−1
3 x−10
Theorem (Shpilrain-Ushakov, 2005)
If | · | denotes the word length, the normal form an element g can
be computed in time O(|g | log |g |).
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Parameters and Key Generation
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Parameters and Key Generation
The proposed commuting subgroups of F are defined from theprevious presentation. Choose an s ∈ N:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Parameters and Key Generation
The proposed commuting subgroups of F are defined from theprevious presentation. Choose an s ∈ N:
As = 〈x0x−11 , . . . , x0x
−1s 〉
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Parameters and Key Generation
The proposed commuting subgroups of F are defined from theprevious presentation. Choose an s ∈ N:
As = 〈x0x−11 , . . . , x0x
−1s 〉
Bs = 〈xs+1, . . . , x2s〉
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Choose a random w ∈ 〈x0, x1, . . . , xs+2〉, with |w | = M.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Choose a random w ∈ 〈x0, x1, . . . , xs+2〉, with |w | = M.
Alice chooses random a1 ∈ As , b1 ∈ Bs , with |a1| = |b1| = M.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Choose a random w ∈ 〈x0, x1, . . . , xs+2〉, with |w | = M.
Alice chooses random a1 ∈ As , b1 ∈ Bs , with |a1| = |b1| = M.
Bob chooses random a2 ∈ As , b2 ∈ Bs , with |a2| = |b2| = M.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Choose a random w ∈ 〈x0, x1, . . . , xs+2〉, with |w | = M.
Alice chooses random a1 ∈ As , b1 ∈ Bs , with |a1| = |b1| = M.
Bob chooses random a2 ∈ As , b2 ∈ Bs , with |a2| = |b2| = M.
They both computeK = a1b2wa2b1
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Problem and key exchangeThe platform group and choice of parameters
Choice of the parameters
Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].
Choose a random w ∈ 〈x0, x1, . . . , xs+2〉, with |w | = M.
Alice chooses random a1 ∈ As , b1 ∈ Bs , with |a1| = |b1| = M.
Bob chooses random a2 ∈ As , b2 ∈ Bs , with |a2| = |b2| = M.
They both computeK = a1b2wa2b1
The key space increases exponentially in M, i.e. |As(M)| ≥√
2M
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
all slopes are integral powers of 2,
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
all slopes are integral powers of 2,
all breakpoints have dyadic rational coordinates.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
all slopes are integral powers of 2,
all breakpoints have dyadic rational coordinates.
Here is the first generator x0 of F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
all slopes are integral powers of 2,
all breakpoints have dyadic rational coordinates.
Here is the first generator x0 of F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
F as piecewise-linear homeomorphisms
F is the group PL2(I ), with respect to composition, of allpiecewise-linear homeomorphisms of the unit interval I = [0, 1]with a finite number of breakpoints, such that
all slopes are integral powers of 2,
all breakpoints have dyadic rational coordinates.
Here is the first generator x0 of F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Generators of F as PL-homeomorphisms
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Generators of F as PL-homeomorphisms
The previous infinite generating set is given by:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Generators of F as PL-homeomorphisms
The previous infinite generating set is given by:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Generators of F as PL-homeomorphisms
The previous infinite generating set is given by:
xs acts non-trivially on the domain [ϕs−1, 1], where
ϕs := 1 − 1
2s+1
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
As and Bs as groups of homeomorphisms
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
As and Bs as groups of homeomorphisms
The subgroups As and Bs assume the following form:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
As and Bs as groups of homeomorphisms
The subgroups As and Bs assume the following form:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
As and Bs as groups of homeomorphisms
The subgroups As and Bs assume the following form:
Their supports live in different squares, divided by ϕs
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
As and Bs as groups of homeomorphisms
The subgroups As and Bs assume the following form:
Their supports live in different squares, divided by ϕs
Observe that Bs = PL2([ϕs , 1]).
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition. This can represented by means of tree pairs.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition. This can represented by means of tree pairs.
The element x0 has the following diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition. This can represented by means of tree pairs.
The element x0 has the following diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
To multiply fastly, we need to modify the diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
To multiply fastly, we need to modify the diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
To multiply fastly, we need to modify the diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
To multiply fastly, we need to modify the diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits
They also have a set of reductions
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits
They also have a set of reductions
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits
They also have a set of reductions
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Multiplication of diagrams is efficient
All of the previous steps can performed fastly.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)
−1w−1.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)
−1w−1.
3 If w(ϕs) > ϕs , attack Alice’s keys:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)
−1w−1.
3 If w(ϕs) > ϕs , attack Alice’s keys:
compute the Bs -part b1 of w−1u1 ∈ AB,
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)
−1w−1.
3 If w(ϕs) > ϕs , attack Alice’s keys:
compute the Bs -part b1 of w−1u1 ∈ AB,compute a1 := u1(b1)
−1w−1.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Outline of the attack
Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that
ϕs := 1 − 1
2s+1
separates the supports of As and Bs .
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:
compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)
−1w−1.
3 If w(ϕs) > ϕs , attack Alice’s keys:
compute the Bs -part b1 of w−1u1 ∈ AB,compute a1 := u1(b1)
−1w−1.
The pair (ai , bi ) allows us to recover the shared key K .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs ] we have b2 = id , and so
u2(t) = b2wa2(t) = wa2(t) t ∈ [0, ϕs ]
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs ] we have b2 = id , and so
u2(t) = b2wa2(t) = wa2(t) t ∈ [0, ϕs ]
Thus we have
a2(t) = w−1u2(t) t ∈ [0, ϕs ].
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs ] we have b2 = id , and so
u2(t) = b2wa2(t) = wa2(t) t ∈ [0, ϕs ]
Thus we have
a2(t) = w−1u2(t) t ∈ [0, ϕs ].
But a2 = id on [ϕs , 1] and so
a2(t) =
{
w−1u2(t) t ∈ [0, ϕs ]
t t ∈ [ϕs , 1]
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs ] we have b2 = id , and so
u2(t) = b2wa2(t) = wa2(t) t ∈ [0, ϕs ]
Thus we have
a2(t) = w−1u2(t) t ∈ [0, ϕs ].
But a2 = id on [ϕs , 1] and so
a2(t) =
{
w−1u2(t) t ∈ [0, ϕs ]
t t ∈ [ϕs , 1]
Notice w−1u2(ϕs ) = ϕs so w−1u2 ∈ AB .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs ] we have b2 = id , and so
u2(t) = b2wa2(t) = wa2(t) t ∈ [0, ϕs ]
Thus we have
a2(t) = w−1u2(t) t ∈ [0, ϕs ].
But a2 = id on [ϕs , 1] and so
a2(t) =
{
w−1u2(t) t ∈ [0, ϕs ]
t t ∈ [ϕs , 1]
Notice w−1u2(ϕs ) = ϕs so w−1u2 ∈ AB . So a2 is given by theAs-part of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w−1u2 ∈ AB in anefficient way. We write the tree diagram of w−1u2.
From the diagram of a2 ∈ As there is a fast algorithm to write itwith the generators of F .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Attacking the other secret word.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Attacking the other secret word.
Depending on w(ϕs), we chose to attack either Alice or Bob.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Attacking the other secret word.
Depending on w(ϕs), we chose to attack either Alice or Bob.
We can also look for the other keys.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Attacking the other secret word.
Depending on w(ϕs), we chose to attack either Alice or Bob.
We can also look for the other keys.
Similar techniques and the fact that
As = PL2([0, ϕs ])
Bs = PL2([ϕs , 1])
allow us to recover an approximation for the other key.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
u1(t) = a1w(t) t ∈ [0, ϕs ]
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
u1(t) = a1w(t) t ∈ [0, ϕs ]
so thata1(t) = u1w
−1(t) t ∈ [0,w(ϕs )].
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
u1(t) = a1w(t) t ∈ [0, ϕs ]
so thata1(t) = u1w
−1(t) t ∈ [0,w(ϕs )].
This is the only requirement for a1.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
u1(t) = a1w(t) t ∈ [0, ϕs ]
so thata1(t) = u1w
−1(t) t ∈ [0,w(ϕs )].
This is the only requirement for a1.
Since As = PL2([0, ϕs ]), we can find an aσ ∈ As such that
aσ = a1 t ∈ [0,w(ϕs )].
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Sketch of the attack to the other word
We attack Alice’s word, for w(ϕs) ≤ ϕs :
u1(t) = a1w(t) t ∈ [0, ϕs ]
so thata1(t) = u1w
−1(t) t ∈ [0,w(ϕs )].
This is the only requirement for a1.
Since As = PL2([0, ϕs ]), we can find an aσ ∈ As such that
aσ = a1 t ∈ [0,w(ϕs )].
Then continue as before.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Theorem (Guba-Sapir, 1997-Kassabov-M, 2006)
CF (g) ∼= Fm × Zn, ∀g ∈ F .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Theorem (Guba-Sapir, 1997-Kassabov-M, 2006)
CF (g) ∼= Fm × Zn, ∀g ∈ F .
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Theorem (Guba-Sapir, 1997-Kassabov-M, 2006)
CF (g) ∼= Fm × Zn, ∀g ∈ F .
The F -terms correspond to the intervals where g is trivial.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Theorem (Guba-Sapir, 1997-Kassabov-M, 2006)
CF (g) ∼= Fm × Zn, ∀g ∈ F .
The F -terms correspond to the intervals where g is trivial.The Z-terms correspond to the intervals where g is non-trivial.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Changing the subgroups A and B
Theorem (Guba-Sapir, 1997-Kassabov-M, 2006)
CF (g) ∼= Fm × Zn, ∀g ∈ F .
The F -terms correspond to the intervals where g is trivial.The Z-terms correspond to the intervals where g is non-trivial.
If A is a subgroup, and b ∈ F commutes with A elementwise, thesupport of A and b must be “disjoint”.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Choosing a different group
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Choosing a different group
If instead of F we consider a larger group ofPL-homemomorphisms of the unit interval, then two commutingsubgroups still must have “disjoint” support.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Choosing a different group
If instead of F we consider a larger group ofPL-homemomorphisms of the unit interval, then two commutingsubgroups still must have “disjoint” support.
What requires attention is an “extension problem”.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Choosing a different group
If instead of F we consider a larger group ofPL-homemomorphisms of the unit interval, then two commutingsubgroups still must have “disjoint” support.
What requires attention is an “extension problem”.
Example: given a1 on [0,w(ϕs )], find aσ ∈ A with aσ = a1.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Choosing a different group
If instead of F we consider a larger group ofPL-homemomorphisms of the unit interval, then two commutingsubgroups still must have “disjoint” support.
What requires attention is an “extension problem”.
Example: given a1 on [0,w(ϕs )], find aσ ∈ A with aσ = a1.
More generally, if we choose a group G acting on some space, andhave A,B commuting elementwise so that their support is disjoint,a similar technique may apply.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Conclusions
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Conclusions
Good: we are always able to recover the secret key.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Conclusions
Good: we are always able to recover the secret key.
Limits: Our methods depend strongly on the fact that commutingsubgroups have disjoint supports.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Conclusions
Good: we are always able to recover the secret key.
Limits: Our methods depend strongly on the fact that commutingsubgroups have disjoint supports.
They still apply using the same protocol (or some variation of it)on other groups, but they cannot be used in a general contextwhere no other representation is given.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Related work
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Related work
In 2006, Ruisnkiy-Shamir-Tsaban have developed some moregeneral length-based attacks which recover the secret key in mostinstances.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Related work
In 2006, Ruisnkiy-Shamir-Tsaban have developed some moregeneral length-based attacks which recover the secret key in mostinstances.
In May 2007, Runskiy-Shamir-Tsaban have uploaded a paper onthe arXiv with new general type of attacks based on the “subgroupdistance function” and they tested it yet again on this protocol.
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F