Cryptanalysis of the Shpilrain-Ushakov protocol in F

Francesco Matucci

Cornell University

June 28, 2007

Outline

1 The protocol
  Problem and key exchange
  The platform group and choice of parameters

2 Cryptanalysis of the protocol
  Other representations of F
  The attack and generalizations

Decomposition Problem

The protocol is based on the Decomposition Problem:

Given a group G, a subset X ⊆ G and $w_1, w_2 \in G$, find $a, b \in X$ such that $a w_1 b = w_2$.

Key Exchange Protocol

Public Data. A group G, an element w ∈ G and two subgroups A, B of G such that

ab = ba, ∀a ∈ A, b ∈ B

Private Keys.

Alice selects $a_1 \in A$, $b_1 \in B$ and sends $u_1 = a_1 w b_1$ to Bob.

Bob selects $b_2 \in B$, $a_2 \in A$ and sends $u_2 = b_2 w a_2$ to Alice.

Alice computes $K_A = a_1 u_2 b_1 = a_1 b_2 w a_2 b_1$.

Bob computes $K_B = b_2 u_1 a_2 = b_2 a_1 w b_1 a_2$.

Since A and B commute elementwise,

$K_A = a_1 b_2 w a_2 b_1 = b_2 a_1 w b_1 a_2 = K_B = K$

becomes their shared secret key.

Eve's Data. She has all the public data and the two elements $u_1, u_2$ observed during Alice and Bob's exchange.

Thompson's group F

Combinatorial group theory approach:

$F = \langle x_0, x_1, x_2, \ldots \mid x_i^{-1} x_n x_i = x_{n+1}, \forall i < n \rangle$

Advantage: there are normal forms and they are fast to compute.

Normal Forms in F

$F = \langle x_0, x_1, x_2, \ldots \mid x_k^{-1} x_n x_k = x_{n+1}, \forall k < n \rangle$

The relations give four rewriting rules (for $k < n$):

$x_n x_k \to x_k x_{n+1}$ (smaller subscripts first)

$x_k^{-1} x_n \to x_{n+1} x_k^{-1}$ (positive before negative)

$x_n^{-1} x_k \to x_k x_{n+1}^{-1}$ (positive before negative)

$x_k^{-1} x_n^{-1} \to x_{n+1}^{-1} x_k^{-1}$ (smaller subscripts last)

Normal forms:

$f = x_{i_1} x_{i_2} \ldots x_{i_u} x_{j_v}^{-1} \ldots x_{j_2}^{-1} x_{j_1}^{-1}$ with $i_1 \le \ldots \le i_u$ and $j_1 \le \ldots \le j_v$.

Unique, if reduced: if both $x_i$ and $x_i^{-1}$ occur, then so does $x_{i+1}$ or $x_{i+1}^{-1}$.

Example: $x_0 x_1 x_1 x_3 x_5^{-1} x_4^{-1} x_1^{-1} x_0^{-1} = x_0 x_1 x_2 x_4^{-1} x_3^{-1} x_0^{-1}$

Theorem (Shpilrain-Ushakov, 2005)

If $|\cdot|$ denotes the word length, the normal form of an element g can be computed in time $O(|g| \log |g|)$.
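As an added example (not code from the talk, and not the algorithm of the theorem), the Python below applies the four rewriting rules above letter by letter and then enforces the uniqueness condition on the result. It is the straightforward quadratic-time version rather than the $O(|g| \log |g|)$ procedure; the word syntax `x0 x1^-1` and the function names are my own convention.

```python
def parse_word(text):
    """Parse a word such as 'x0 x1^-1 x3' into [(0, 1), (1, -1), (3, 1)] (assumed syntax)."""
    letters = []
    for tok in text.split():
        base, _, exp = tok.partition("^")
        letters.append((int(base[1:]), int(exp) if exp else 1))
    return letters


def format_word(pos, neg):
    """Render a positive block and a negative block back as text ('1' for the identity)."""
    return " ".join([f"x{i}" for i in pos] + [f"x{j}^-1" for j in neg]) or "1"


def reduce_normal_form(pos, neg):
    """Enforce the uniqueness condition: while some x_i and x_i^-1 both occur but neither
    x_{i+1} nor x_{i+1}^-1 does, remove one of each and lower every index above i by one."""
    pos, neg = list(pos), list(neg)
    while True:
        hits = [i for i in set(pos) & set(neg) if i + 1 not in pos and i + 1 not in neg]
        if not hits:
            return pos, neg
        i = min(hits)
        pos.remove(i)
        neg.remove(i)
        pos = [p - 1 if p > i else p for p in pos]
        neg = [n - 1 if n > i else n for n in neg]


def normal_form(letters, reduced=True):
    """Push each letter into the normal form built so far using the four rewriting rules.
    `pos` is the positive block (indices non-decreasing); `neg` is the negative block in
    the order written, i.e. x_{j_v}^-1 ... x_{j_1}^-1 (indices non-increasing)."""
    pos, neg = [], []
    for idx, exp in letters:
        m = idx
        if exp == 1:
            cancelled = False
            for j in range(len(neg) - 1, -1, -1):   # move x_m left through the negative block
                n = neg[j]
                if n == m:                           # x_n^-1 x_n cancels freely
                    del neg[j]
                    cancelled = True
                    break
                if n < m:                            # x_k^-1 x_n -> x_{n+1} x_k^-1
                    m += 1
                else:                                # x_n^-1 x_k -> x_k x_{n+1}^-1
                    neg[j] = n + 1
            if cancelled:
                continue
            j = len(pos)
            while j > 0 and pos[j - 1] > m:          # x_n x_k -> x_k x_{n+1}
                pos[j - 1] += 1
                j -= 1
            pos.insert(j, m)
        else:
            j = len(neg)
            while j > 0 and neg[j - 1] < m:          # x_k^-1 x_n^-1 -> x_{n+1}^-1 x_k^-1
                j -= 1
                m += 1
            if j == 0 and pos and pos[-1] == m:      # x_m x_m^-1 cancels freely
                pos.pop()
                continue
            neg.insert(j, m)
    return reduce_normal_form(pos, neg) if reduced else (pos, neg)


# The talk's example: x0 x1 x1 x3 x5^-1 x4^-1 x1^-1 x0^-1 = x0 x1 x2 x4^-1 x3^-1 x0^-1
EXAMPLE = "x0 x1 x1 x3 x5^-1 x4^-1 x1^-1 x0^-1"

if __name__ == "__main__":
    print(format_word(*normal_form(parse_word(EXAMPLE))))
```

Running the file prints the reduced form of the talk's example. Calling `normal_form(..., reduced=False)` shows the intermediate word `x0 x1 x1 x3 x5^-1 x4^-1 x1^-1 x0^-1`, which already has the positive-before-negative shape but still contains the pair $x_1, x_1^{-1}$ with no $x_2^{\pm 1}$; the reduction step is what removes it and renumbers the larger indices.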

Parameters and Key Generation

The proposed commuting subgroups of F are defined from the previous presentation. Choose an s ∈ N:

$A_s = \langle x_0 x_1^{-1}, \ldots, x_0 x_s^{-1} \rangle$

$B_s = \langle x_{s+1}, \ldots, x_{2s} \rangle$

Choice of the parameters

Select (randomly) s ∈ [3, 8] and an even M ∈ [256, 320].

Choose a random $w \in \langle x_0, x_1, \ldots, x_{s+2} \rangle$, with |w| = M.

Alice chooses random $a_1 \in A_s$, $b_1 \in B_s$, with $|a_1| = |b_1| = M$.

Bob chooses random $a_2 \in A_s$, $b_2 \in B_s$, with $|a_2| = |b_2| = M$.

They both compute $K = a_1 b_2 w a_2 b_1$.

The key space increases exponentially in M, i.e. $|A_s(M)| \ge \sqrt{2}^{\,M}$.

F as piecewise-linear homeomorphisms

F is the group $PL_2(I)$, with respect to composition, of all piecewise-linear homeomorphisms of the unit interval I = [0, 1] with a finite number of breakpoints, such that

all slopes are integral powers of 2,

all breakpoints have dyadic rational coordinates.

Here is the first generator $x_0$ of F: [figure]

Generators of F as PL-homeomorphisms

The previous infinite generating set is given by: [figure]

$x_s$ acts non-trivially on the domain $[\varphi_{s-1}, 1]$, where $\varphi_s := 1 - \frac{1}{2^{s+1}}$.

$A_s$ and $B_s$ as groups of homeomorphisms

The subgroups $A_s$ and $B_s$ assume the following form: [figure]

Their supports live in different squares, divided by $\varphi_s$.

Observe that $B_s = PL_2([\varphi_s, 1])$.

Tree diagrams for F

Elements of F send a dyadic partition of [0, 1] into another such partition. This can be represented by means of tree pairs.

The element $x_0$ has the following diagram: [figure]

Many tree pairs for the same element

It is possible to get a reduced tree pair, by repeated application of the following reduction: [figure]

Multiplication of diagrams is efficient

To multiply fast, we need to modify the diagram: [figures]

Multiplication of diagrams is efficient (digression)

These new diagrams have an input, an output, merges and splits. [figure]

They also have a set of reductions. [figure]

Multiplication of diagrams is efficient

[figures]

We need to cut the directed diagram back into a tree pair: [figures]

All of the previous steps can be performed fast.

Outline of the attack

Recall: $A_s, B_s, w$, $u_1 = a_1 w b_1$, $u_2 = b_2 w a_2$ are public, and that

$\varphi_s := 1 - \frac{1}{2^{s+1}}$

separates the supports of $A_s$ and $B_s$.

1 Compute $w(\varphi_s)$ and see if $w(\varphi_s) \le \varphi_s$ or $w(\varphi_s) > \varphi_s$.

2 If $w(\varphi_s) \le \varphi_s$, attack Bob's keys:
  compute the $A_s$-part $a_2$ of $w^{-1} u_2 \in AB$,
  compute $b_2 := u_2 (a_2)^{-1} w^{-1}$.

3 If $w(\varphi_s) > \varphi_s$, attack Alice's keys:

Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F

The protocolCryptanalysis of the protocol

Other representations of F

The attack and generalizations

Outline of the attack

Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that

ϕs := 1 − 1

2s+1

separates the supports of As and Bs .

1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:

compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)

−1w−1.

3 If w(ϕs) > ϕs , attack Alice’s keys:

compute the Bs -part b1 of w−1u1 ∈ AB,

Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F

The protocolCryptanalysis of the protocol

Other representations of F

The attack and generalizations

Outline of the attack

Recall: As ,Bs ,w , u1 = a1wb1, u2 = b2wa2 are public, and that

ϕs := 1 − 1

2s+1

separates the supports of As and Bs .

1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs .2 If w(ϕs) ≤ ϕs , attack Bob’s keys:

compute the As -part a2 of w−1u2 ∈ AB,compute b2 := u2(a2)

−1w−1.

3 If w(ϕs) > ϕs , attack Alice’s keys:

compute the Bs -part b1 of w−1u1 ∈ AB,compute a1 := u1(b1)

−1w−1.

Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F

The protocolCryptanalysis of the protocol

Other representations of F

The attack and generalizations

Outline of the attack

Recall: A_s, B_s, w, u1 = a1 w b1, u2 = b2 w a2 are public, and that

$$\varphi_s := 1 - \frac{1}{2^{s+1}}$$

separates the supports of A_s and B_s.

1. Compute w(ϕ_s) and see if w(ϕ_s) ≤ ϕ_s or w(ϕ_s) > ϕ_s.

2. If w(ϕ_s) ≤ ϕ_s, attack Bob's keys:
   compute the A_s-part a2 of w^{-1} u2 ∈ AB,
   compute b2 := u2 (a2)^{-1} w^{-1}.

3. If w(ϕ_s) > ϕ_s, attack Alice's keys:
   compute the B_s-part b1 of w^{-1} u1 ∈ AB,
   compute a1 := u1 (b1)^{-1} w^{-1}.

The pair (ai, bi) allows us to recover the shared key K.

Explanation of the case w(ϕ_s) ≤ ϕ_s

On [0, ϕ_s] we have b2 = id, and so

u2(t) = b2 w a2(t) = w a2(t),  t ∈ [0, ϕ_s].

Thus we have

a2(t) = w^{-1} u2(t),  t ∈ [0, ϕ_s].

But a2 = id on [ϕ_s, 1] and so

$$a_2(t) = \begin{cases} w^{-1} u_2(t) & t \in [0, \varphi_s] \\ t & t \in [\varphi_s, 1] \end{cases}$$

Notice w^{-1} u2(ϕ_s) = ϕ_s, so w^{-1} u2 ∈ AB. So a2 is given by the A_s-part of w^{-1} u2.
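The outline and the derivation above, as an added worked example (this is not the speaker's code): elements of F are modelled as piecewise-linear homeomorphisms of [0,1] with exact rational arithmetic, the subgroups A_s and B_s are realised as maps supported in [0, ϕ_s] and [ϕ_s, 1], and the recovery reads off the A_s-part of w^{-1} u2 as its restriction to [0, ϕ_s]. The helper names (`compose`, `restrict`, `place`, `recover`, `demo`), the generator `X0`, the constructed secret elements and the choice s = 1 are all assumptions of this example. It runs both branches of step 1 (the w(ϕ_s) > ϕ_s branch symmetrically), so it goes beyond the single case derived on this slide.

```python
# Added example (not the speaker's code): the Shpilrain-Ushakov exchange on
# Thompson's group F, with F realised as PL homeomorphisms of [0,1], and the
# support-separation recovery from the slides.  Exact arithmetic with Fraction;
# composition is right-to-left as on the slides, (f g)(t) = f(g(t)).
from fractions import Fraction as Fr

# A PL homeomorphism of [0,1] is an increasing list of breakpoints (x, y)
# starting at (0,0) and ending at (1,1).

def normalize(pts):
    """Drop breakpoints where the slope does not change, so equal maps compare equal."""
    out = [pts[0]]
    for i in range(1, len(pts) - 1):
        (x0, y0), (x1, y1), (x2, y2) = out[-1], pts[i], pts[i + 1]
        if (y1 - y0) * (x2 - x1) != (y2 - y1) * (x1 - x0):
            out.append(pts[i])
    out.append(pts[-1])
    return out

def evaluate(f, t):
    for (x0, y0), (x1, y1) in zip(f, f[1:]):
        if x0 <= t <= x1:
            return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
    raise ValueError("argument outside [0,1]")

def inverse(f):
    return [(y, x) for x, y in f]

def compose(f, g):
    """f∘g: its breakpoints are those of g together with g^{-1} of those of f."""
    ginv = inverse(g)
    xs = sorted({x for x, _ in g} | {evaluate(ginv, x) for x, _ in f})
    return normalize([(x, evaluate(f, evaluate(g, x))) for x in xs])

def _glue(pts):  # remove repeated consecutive points, then normalize
    return normalize([p for i, p in enumerate(pts) if i == 0 or p != pts[i - 1]])

def restrict(f, lo, hi):
    """The map equal to f on [lo,hi] and the identity elsewhere: the A_s-part
    (lo=0, hi=phi_s) or B_s-part (lo=phi_s, hi=1) of f in A_s B_s.  f must fix lo, hi."""
    assert evaluate(f, lo) == lo and evaluate(f, hi) == hi
    inner = [(x, y) for x, y in f if lo < x < hi]
    return _glue([(Fr(0), Fr(0)), (lo, lo)] + inner + [(hi, hi), (Fr(1), Fr(1))])

def place(f, lo, hi):
    """Affine copy of f acting on [lo,hi], identity elsewhere.  With dyadic lo, hi
    and hi-lo a power of 2, an element of F stays in F."""
    inner = [(lo + (hi - lo) * x, lo + (hi - lo) * y) for x, y in f if 0 < x < 1]
    return _glue([(Fr(0), Fr(0)), (lo, lo)] + inner + [(hi, hi), (Fr(1), Fr(1))])

def _pow2(n):
    return n > 0 and n & (n - 1) == 0

def in_F(f):
    """Membership in F: dyadic breakpoints and slopes that are integer powers of 2."""
    for (x0, y0), (x1, y1) in zip(f, f[1:]):
        slope = (y1 - y0) / (x1 - x0)
        if not (_pow2(x1.denominator) and _pow2(y1.denominator)):
            return False
        if not (_pow2(slope.numerator) and _pow2(slope.denominator)):
            return False
    return True

# Standard generator x0 of F: [0,1/2]->[0,1/4], [1/2,3/4]->[1/4,1/2], [3/4,1]->[1/2,1].
X0 = [(Fr(0), Fr(0)), (Fr(1, 2), Fr(1, 4)), (Fr(3, 4), Fr(1, 2)), (Fr(1), Fr(1))]

def recover(w, u1, u2, phi):
    """Steps 1-3 of the outline, from public data only.  Returns (victim, a, b, K):
    one party's secret pair and the shared key K it determines."""
    winv = inverse(w)
    if evaluate(w, phi) <= phi:
        a2 = restrict(compose(winv, u2), Fr(0), phi)       # A_s-part of w^{-1} u2
        b2 = compose(compose(u2, inverse(a2)), winv)        # b2 = u2 a2^{-1} w^{-1}
        return "bob", a2, b2, compose(compose(b2, u1), a2)  # Bob's K = b2 u1 a2
    b1 = restrict(compose(winv, u1), phi, Fr(1))            # B_s-part of w^{-1} u1
    a1 = compose(compose(u1, inverse(b1)), winv)            # a1 = u1 b1^{-1} w^{-1}
    return "alice", a1, b1, compose(compose(a1, u2), b1)    # Alice's K = a1 u2 b1

def demo(w, s=1):
    """One exchange with constructed secrets (assumed values), then recovery."""
    phi = 1 - Fr(1, 2 ** (s + 1))                 # phi_s = 3/4 for s = 1
    a1 = place(X0, Fr(0), Fr(1, 2))               # A_s: supported in [0, phi]
    a2 = place(inverse(X0), Fr(1, 2), Fr(3, 4))
    b1 = place(X0, phi, Fr(1))                    # B_s: supported in [phi, 1]
    b2 = place(inverse(X0), phi, Fr(7, 8))
    u1 = compose(compose(a1, w), b1)              # Alice publishes a1 w b1
    u2 = compose(compose(b2, w), a2)              # Bob publishes b2 w a2
    k_alice = compose(compose(a1, u2), b1)
    k_bob = compose(compose(b2, u1), a2)
    victim, a, b, k = recover(w, u1, u2, phi)
    truth = {"bob": (a2, b2), "alice": (a1, b1)}[victim]
    return {"all_in_F": all(map(in_F, [a1, a2, b1, b2, w, u1, u2])),
            "keys_agree": k_alice == k_bob, "victim": victim,
            "secrets_recovered": (a, b) == truth, "key_recovered": k == k_alice}
```

`demo(X0)` exercises the case on this slide (w(ϕ_s) = 1/2 ≤ 3/4, so Bob's pair is read off), and `demo(inverse(X0))` the other case (w(ϕ_s) = 7/8 > 3/4). The point to take away is the one the slides make: because A_s and B_s commute by having disjoint supports, the public element w^{-1} u2 literally carries a2 on the interval where b2 is trivial, and no search is needed.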

Explanation of the case w(ϕ_s) ≤ ϕ_s

We want to recover the A_s-part of the element w^{-1} u2 ∈ AB in an efficient way. We write the tree diagram of w^{-1} u2.

From the diagram of a2 ∈ A_s there is a fast algorithm to write it with the generators of F.

Attacking the other secret word

Depending on w(ϕ_s), we chose to attack either Alice or Bob.

We can also look for the other keys.

Similar techniques and the fact that

A_s = PL_2([0, ϕ_s]),  B_s = PL_2([ϕ_s, 1])

allow us to recover an approximation for the other key.

Sketch of the attack to the other word

We attack Alice's word, for w(ϕ_s) ≤ ϕ_s:

u1(t) = a1 w(t),  t ∈ [0, ϕ_s]

so that

a1(t) = u1 w^{-1}(t),  t ∈ [0, w(ϕ_s)].

This is the only requirement for a1.

Since A_s = PL_2([0, ϕ_s]), we can find an aσ ∈ A_s such that

aσ = a1 on [0, w(ϕ_s)].

Then continue as before.

Changing the subgroups A and B

Theorem (Guba-Sapir, 1997; Kassabov-M, 2006)

C_F(g) ≅ F^m × Z^n for all g ∈ F.

The F-terms correspond to the intervals where g is trivial. The Z-terms correspond to the intervals where g is non-trivial.

If A is a subgroup, and b ∈ F commutes with A elementwise, the supports of A and b must be "disjoint".

Choosing a different group

If instead of F we consider a larger group of PL-homeomorphisms of the unit interval, then two commuting subgroups still must have "disjoint" support.

What requires attention is an "extension problem".

Example: given a1 on [0, w(ϕ_s)], find aσ ∈ A with aσ = a1 on that interval.

More generally, if we choose a group G acting on some space, and have A, B commuting elementwise so that their supports are disjoint, a similar technique may apply.

Conclusions

Good: we are always able to recover the secret key.

Limits: our methods depend strongly on the fact that commuting subgroups have disjoint supports.

They still apply using the same protocol (or some variation of it) on other groups, but they cannot be used in a general context where no other representation is given.

Related work

In 2006, Ruinskiy-Shamir-Tsaban developed some more general length-based attacks which recover the secret key in most instances.

In May 2007, Ruinskiy-Shamir-Tsaban uploaded a paper to the arXiv with a new general type of attack based on the "subgroup distance function", and they tested it yet again on this protocol.
