Cryptanalysis of the Shpilrain-Ushakov protocol in F
TRANSCRIPT
Cryptanalysis of the Shpilrain-Ushakov protocol in F
Francesco Matucci
Cornell University
June 28, 2007
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
1 The protocol
  Problem and key exchange
  The platform group and choice of parameters
2 Cryptanalysis of the protocol
  Other representations of F
  The attack and generalizations
Decomposition Problem
The protocol is based on the Decomposition Problem:
Given a group $G$, a subset $X \subseteq G$ and $w_1, w_2 \in G$, find $a, b \in X$ such that $a w_1 b = w_2$.
Key Exchange Protocol
Public Data. A group $G$, an element $w \in G$ and two subgroups $A, B$ of $G$ such that
$ab = ba$ for all $a \in A$, $b \in B$.
Private Keys.
Alice selects $a_1 \in A$, $b_1 \in B$ and sends $u_1 = a_1 w b_1$ to Bob.
Bob selects $b_2 \in B$, $a_2 \in A$ and sends $u_2 = b_2 w a_2$ to Alice.
Alice computes $K_A = a_1 u_2 b_1 = a_1 b_2 w a_2 b_1$.
Bob computes $K_B = b_2 u_1 a_2 = b_2 a_1 w b_1 a_2$.
Since $A$ and $B$ commute elementwise ($a_1 b_2 = b_2 a_1$ and $a_2 b_1 = b_1 a_2$),
$K_A = a_1 b_2 w a_2 b_1 = b_2 a_1 w b_1 a_2 = K_B = K$
becomes their shared secret key.
Eve's Data. She has all the public data and the two elements $u_1$, $u_2$ observed during Alice and Bob's exchange.
Thompson’s group F
Combinatorial group theory approach:
$F = \langle x_0, x_1, x_2, \ldots \mid x_i^{-1} x_n x_i = x_{n+1},\ \forall\, i < n \rangle$
Advantage: there are normal forms and they are fast to compute.
Normal Forms in F
$F = \langle x_0, x_1, x_2, \ldots \mid x_k^{-1} x_n x_k = x_{n+1},\ \forall\, k < n \rangle$
Rewriting rules, each for $k < n$:
$x_n x_k \to x_k x_{n+1}$ (smaller subscripts first)
$x_k^{-1} x_n \to x_{n+1} x_k^{-1}$ (positive before negative)
$x_n^{-1} x_k \to x_k x_{n+1}^{-1}$ (positive before negative)
$x_k^{-1} x_n^{-1} \to x_{n+1}^{-1} x_k^{-1}$ (smaller subscripts last)
Normal forms:
$f = x_{i_1} x_{i_2} \cdots x_{i_u}\, x_{j_v}^{-1} \cdots x_{j_2}^{-1} x_{j_1}^{-1}$ with $i_1 \le \ldots \le i_u$ and $j_1 \le \ldots \le j_v$
The normal form is unique if it is reduced: whenever both $x_i$ and $x_i^{-1}$ occur, so does $x_{i+1}$ or $x_{i+1}^{-1}$.
Example (here $x_1$ and $x_1^{-1}$ occur but no $x_2^{\pm 1}$, so one such pair is dropped and every subscript above 1 is lowered by one):
$x_0 x_1 x_1 x_3 x_5^{-1} x_4^{-1} x_1^{-1} x_0^{-1} = x_0 x_1 x_2 x_4^{-1} x_3^{-1} x_0^{-1}$
Theorem (Shpilrain-Ushakov, 2005)
If $|\cdot|$ denotes the word length, the normal form of an element $g$ can be computed in time $O(|g| \log |g|)$.
Parameters and Key Generation
The proposed commuting subgroups of F are defined from the previous presentation. Choose an $s \in \mathbb{N}$:
$A_s = \langle x_0 x_1^{-1}, \ldots, x_0 x_s^{-1} \rangle$
$B_s = \langle x_{s+1}, \ldots, x_{2s} \rangle$
Choice of the parameters
Select (randomly) $s \in [3, 8]$ and an even $M \in [256, 320]$.
Choose a random $w \in \langle x_0, x_1, \ldots, x_{s+2} \rangle$, with $|w| = M$.
Alice chooses random $a_1 \in A_s$, $b_1 \in B_s$, with $|a_1| = |b_1| = M$.
Bob chooses random $a_2 \in A_s$, $b_2 \in B_s$, with $|a_2| = |b_2| = M$.
They both compute $K = a_1 b_2 w a_2 b_1$.
The key space increases exponentially in $M$, i.e. $|A_s(M)| \ge \sqrt{2}^{\,M}$.
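The normal forms (the four rewriting rules and the reduction step), the subgroups $A_s$, $B_s$ and the exchange with the parameters above, as one added Python example; this is not code from the slides or from Shpilrain and Ushakov's paper. Elements of F are held as the normal form $x_{i_1} \cdots x_{i_u} x_{j_v}^{-1} \cdots x_{j_1}^{-1}$, right-multiplication by a letter applies the rules, and the reduction step enforces the uniqueness condition, so two words are equal in F exactly when the class instances compare equal. Assumptions of the example: $|w| = |a_i| = |b_i| = M$ is read as the number of subgroup-generator letters in each random word, the run uses $M = 64$ instead of the slides' 256 to 320 only to keep it quick, and the names `F`, `from_word`, `random_element` and `shpilrain_ushakov` are this example's own.

```python
"""Thompson's group F: infinite presentation, reduced normal forms, and the
Shpilrain-Ushakov exchange on them.  Added example, not the slides' code.
Elements live in normal form x_{i1}..x_{iu} x_{jv}^-1..x_{j1}^-1 as ascending
tuples pos=(i1..iu), neg=(j1..jv); a letter is (subscript, +1/-1).  Assumption:
|w| = |a_i| = |b_i| = M counts generator letters in each random word."""
import random
from dataclasses import dataclass


def _push_positive(pos, neg, m):
    """Right-multiply by x_m: slide it left through x_{jv}^-1 ... x_{j1}^-1, then into pos."""
    for idx, j in enumerate(neg):          # innermost negative letter (smallest j) first
        if j == m:                         # x_j^-1 x_j cancels freely
            del neg[idx]
            return
        if j < m:                          # x_k^-1 x_n -> x_{n+1} x_k^-1   (k < n)
            m += 1
        else:                              # x_n^-1 x_k -> x_k x_{n+1}^-1   (k < n)
            neg[idx] = j + 1
    k = len(pos)                           # x_n x_k -> x_k x_{n+1} for every n > m
    while k > 0 and pos[k - 1] > m:
        pos[k - 1] += 1
        k -= 1
    pos.insert(k, m)


def _push_negative(pos, neg, m):
    """Right-multiply by x_m^-1: x_k^-1 x_n^-1 -> x_{n+1}^-1 x_k^-1 while k < n."""
    idx = 0
    while idx < len(neg) and neg[idx] < m:
        m += 1
        idx += 1
    if idx == len(neg) and pos and pos[-1] == m:   # x_m x_m^-1 cancels freely
        pos.pop()
    else:
        neg.insert(idx, m)


def _reduce(pos, neg):
    """Uniqueness condition: x_i and x_i^-1 both present forces x_{i+1} or x_{i+1}^-1.
    Otherwise x_i (...) x_i^-1 conjugates every x_m in between (all m >= i+2) down
    to x_{m-1}: drop the pair and lower those subscripts, as in the slide example."""
    while True:
        present = set(pos) | set(neg)
        bad = [i for i in set(pos) & set(neg) if i + 1 not in present]
        if not bad:
            return
        i = min(bad)
        pos.remove(i)
        neg.remove(i)
        pos[:] = [v - 1 if v > i else v for v in pos]
        neg[:] = [v - 1 if v > i else v for v in neg]


@dataclass(frozen=True)
class F:
    pos: tuple = ()
    neg: tuple = ()

    @staticmethod
    def from_word(letters):
        """Reduced normal form of a word given as [(subscript, sign), ...]."""
        pos, neg = [], []
        for m, sign in letters:
            (_push_positive if sign > 0 else _push_negative)(pos, neg, m)
        _reduce(pos, neg)
        return F(tuple(pos), tuple(neg))

    def word(self):
        return [(i, 1) for i in self.pos] + [(j, -1) for j in reversed(self.neg)]

    def inverse(self):                     # (P N^-1)^-1 = N P^-1 is again a normal form
        return F(self.neg, self.pos)

    def __mul__(self, other):
        return F.from_word(self.word() + other.word())


def random_element(gens, length, rng):
    """Product of `length` random generators or inverses, never g g^-1 back to back."""
    g, prev = F(), None
    for _ in range(length):
        k, sign = rng.randrange(len(gens)), rng.choice((1, -1))
        while prev == (k, -sign):
            k, sign = rng.randrange(len(gens)), rng.choice((1, -1))
        g, prev = g * (gens[k] if sign > 0 else gens[k].inverse()), (k, sign)
    return g


def shpilrain_ushakov(s, M, seed=0):
    """One run with A_s = <x_0 x_i^-1 : i<=s>, B_s = <x_{s+1}..x_{2s}>, w in <x_0..x_{s+2}>."""
    rng = random.Random(seed)
    A = [F((0,), (i,)) for i in range(1, s + 1)]
    B = [F((i,), ()) for i in range(s + 1, 2 * s + 1)]
    w = random_element([F((i,), ()) for i in range(s + 3)], M, rng)   # public
    a1, b1 = random_element(A, M, rng), random_element(B, M, rng)      # Alice's secrets
    a2, b2 = random_element(A, M, rng), random_element(B, M, rng)      # Bob's secrets
    u1, u2 = a1 * w * b1, b2 * w * a2                                  # what Eve sees
    return {"w": w, "u1": u1, "u2": u2, "K_A": a1 * u2 * b1, "K_B": b2 * u1 * a2}


if __name__ == "__main__":                 # M = 64 here only to keep the demo quick
    r = shpilrain_ushakov(s=3, M=64, seed=2007)
    print("K_A == K_B:", r["K_A"] == r["K_B"], "| letters in K:", len(r["K_A"].word()))
```

`F.from_word` on the slide's example word returns `F((0, 1, 2), (0, 3, 4))`, i.e. $x_0 x_1 x_2 x_4^{-1} x_3^{-1} x_0^{-1}$, and `shpilrain_ushakov` returns equal `K_A` and `K_B` for every seed, which is the commutation of $A_s$ with $B_s$ checked at the level of normal forms rather than assumed. Reduction is run once per product rather than after every letter; the push rules are valid identities on their own, and the theorem above guarantees that the reduced form reached at the end is the unique one.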
F as piecewise-linear homeomorphisms
$F$ is the group $PL_2(I)$, with respect to composition, of all piecewise-linear homeomorphisms of the unit interval $I = [0, 1]$ with a finite number of breakpoints, such that
all slopes are integral powers of 2,
all breakpoints have dyadic rational coordinates.
Here is the first generator $x_0$ of $F$: [figure: graph of $x_0$, not reproduced in the transcript]
Generators of F as PL-homeomorphisms
The previous infinite generating set is given by: [figure: graphs of the generators $x_n$, not reproduced in the transcript]
$x_s$ acts non-trivially on the domain $[\varphi_{s-1}, 1]$, where $\varphi_s := 1 - \dfrac{1}{2^{s+1}}$.
As and Bs as groups of homeomorphisms
The subgroups $A_s$ and $B_s$ assume the following form: [figure: graphs of the generators of $A_s$ and $B_s$, not reproduced in the transcript]
Their supports live in different squares, divided by $\varphi_s$.
Observe that $B_s = PL_2([\varphi_s, 1])$.
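The piecewise-linear picture of these three slides ($F = PL_2(I)$, $x_s$ supported on $[\varphi_{s-1}, 1]$, the generators of $A_s$ and $B_s$ living on opposite sides of $\varphi_s$), as an added Python example with exact dyadic arithmetic; it is not code from the slides. Assumptions of the example: $x_0$ is the standard generator with breakpoints $(1/4, 1/2)$ and $(1/2, 3/4)$, $x_n$ is $x_0$ rescaled onto $[1 - 2^{-n}, 1]$, and the product `f * g` means apply $f$ first and then $g$, which is the convention under which the slides' relation $x_k^{-1} x_n x_k = x_{n+1}$ holds for these maps; the names `PL`, `support`, `relation_holds` and `subgroup_gens` are this example's own.

```python
"""Thompson's group F as PL_2([0,1]) with exact dyadic arithmetic.  Added
example, not the slides' code.  A map is its breakpoint list (t, f(t)) from
(0,0) to (1,1).  Assumptions: x_0 is the standard generator with breakpoints
(1/4,1/2),(1/2,3/4); x_n is x_0 rescaled onto [1-2^-n, 1]; and f*g means
"apply f, then g", the convention under which the slides' relation
x_k^-1 x_n x_k = x_{n+1} holds for these maps."""
from fractions import Fraction as Fr


def _slope(p, q):
    return (q[1] - p[1]) / (q[0] - p[0])


class PL:
    def __init__(self, pts):
        self.pts = []                      # keep only breakpoints where the slope changes
        for p in pts:
            if len(self.pts) > 1 and _slope(self.pts[-2], self.pts[-1]) == _slope(self.pts[-1], p):
                self.pts[-1] = p
            else:
                self.pts.append(p)

    def __call__(self, t):
        for (x0, y0), (x1, y1) in zip(self.pts, self.pts[1:]):
            if x0 <= t <= x1:
                return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
        raise ValueError("argument outside [0, 1]")

    def inverse(self):
        return PL([(y, t) for t, y in self.pts])

    def __mul__(self, g):
        """self*g : t -> g(self(t)); breakpoints are self's plus preimages of g's."""
        ts = sorted({t for t, _ in self.pts} | {self.inverse()(u) for u, _ in g.pts})
        return PL([(t, g(self(t))) for t in ts])

    def __eq__(self, g):                   # simplified breakpoint lists are canonical
        return self.pts == g.pts

    def slopes(self):
        return [_slope(p, q) for p, q in zip(self.pts, self.pts[1:])]


X0 = PL([(Fr(0), Fr(0)), (Fr(1, 4), Fr(1, 2)), (Fr(1, 2), Fr(3, 4)), (Fr(1), Fr(1))])


def x(n):
    """Generator x_n: identity on [0, 1-2^-n], a copy of x_0 squeezed onto [1-2^-n, 1]."""
    lo = 1 - Fr(1, 2 ** n)
    head = [(Fr(0), Fr(0))] if n > 0 else []
    return PL(head + [(lo + (1 - lo) * a, lo + (1 - lo) * b) for a, b in X0.pts])


def phi(s):
    """The slides' phi_s = 1 - 1/2^{s+1}: x_s is supported on [phi_{s-1}, 1]."""
    return 1 - Fr(1, 2 ** (s + 1))


def support(f):
    """Smallest [lo, hi] outside of which f is the identity; None for the identity."""
    moved = [t for t, y in f.pts if t != y]
    if not moved:
        return None
    lo = max(t for t, y in f.pts if t == y and t < moved[0])
    hi = min(t for t, y in f.pts if t == y and t > moved[-1])
    return (lo, hi)


def relation_holds(k, n):
    """x_k^-1 x_n x_k == x_{n+1}, read left to right, for k < n."""
    return x(k).inverse() * x(n) * x(k) == x(n + 1)


def commute(f, g):
    return f * g == g * f


def subgroup_gens(s):
    """Generators of A_s = <x_0 x_i^-1 : 1<=i<=s> and B_s = <x_{s+1}, ..., x_{2s}> as maps."""
    return ([x(0) * x(i).inverse() for i in range(1, s + 1)],
            [x(i) for i in range(s + 1, 2 * s + 1)])


if __name__ == "__main__":
    s = 3
    A, B = subgroup_gens(s)
    print("slopes of x_0:", X0.slopes(), " phi_s =", phi(s))
    print("x_1^-1 x_3 x_1 == x_4:", relation_holds(1, 3))
    for i, a in enumerate(A, 1):
        print(f"supp(x_0 x_{i}^-1) = {support(a)}")        # ends at phi_i <= phi_s
    for i, b in enumerate(B, s + 1):
        print(f"supp(x_{i}) = {support(b)}")                # starts at phi_{i-1} >= phi_s
    print("A_s and B_s commute elementwise:", all(commute(a, b) for a in A for b in B))
```

Running it shows what the word-level presentation hides: `support(x(0) * x(i).inverse())` is $[0, \varphi_i]$ and `support(x(i))` is $[\varphi_{i-1}, 1]$, so every generator of $A_s$ is the identity on $[\varphi_s, 1]$ and every generator of $B_s$ is the identity on $[0, \varphi_s]$. The two subgroups commute because their supports are disjoint, and the public element $u_1 = a_1 w b_1$ is built from pieces that each act on only one side of $\varphi_s$.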
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition. This can represented by means of tree pairs.
The element x0 has the following diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
![Page 68: Cryptanalysis of the Shpilrain-Ushakov protocol in F](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb28fb2e268c58cd5adc91/html5/thumbnails/68.jpg)
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Tree diagrams for F
Elements of F send a dyadic partition of [0, 1] into another suchpartition. This can represented by means of tree pairs.
The element x0 has the following diagram:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
![Page 69: Cryptanalysis of the Shpilrain-Ushakov protocol in F](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb28fb2e268c58cd5adc91/html5/thumbnails/69.jpg)
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
![Page 70: Cryptanalysis of the Shpilrain-Ushakov protocol in F](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb28fb2e268c58cd5adc91/html5/thumbnails/70.jpg)
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
![Page 71: Cryptanalysis of the Shpilrain-Ushakov protocol in F](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb28fb2e268c58cd5adc91/html5/thumbnails/71.jpg)
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
![Page 72: Cryptanalysis of the Shpilrain-Ushakov protocol in F](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb28fb2e268c58cd5adc91/html5/thumbnails/72.jpg)
The protocolCryptanalysis of the protocol
Other representations of F
The attack and generalizations
Many tree pairs for the same element
It is possible to get a reduced tree pair, by repeated application ofthe following reduction:
Francesco Matucci Cryptanalysis of the Shpilrain-Ushakov protocol in F
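The tree-pair representation and the reduction just described, as an added example written for this transcript (my code, not the talk's or a library's). A tree is a nested tuple (None for a leaf, a pair for a caret), its leaves are the intervals of a dyadic partition of [0, 1], and a pair of trees with the same leaf count is the element of F mapping the i-th domain leaf linearly onto the i-th range leaf. The reduction is assumed to be the standard one: a caret that sits on the same two leaves in both trees is deleted from both. The tree pair used for x0 (extra caret on the left in the domain tree, on the right in the range tree) is the usual one, giving the breakpoints 1/4 → 1/2 and 1/2 → 3/4; all function names are mine.

```python
from fractions import Fraction as Fr

# A binary tree is None (a leaf) or a pair (left, right) (a caret).  Halving the
# interval at every caret, a tree with n leaves is a dyadic partition of [0, 1].

def leaf_count(t):
    return 1 if t is None else leaf_count(t[0]) + leaf_count(t[1])

def leaf_intervals(t, lo=Fr(0), hi=Fr(1)):
    """The dyadic partition of [lo, hi] described by the tree t, left to right."""
    if t is None:
        return [(lo, hi)]
    mid = (lo + hi) / 2
    return leaf_intervals(t[0], lo, mid) + leaf_intervals(t[1], mid, hi)

def pair_to_map(dom, ran):
    """Breakpoints (x, y) of the PL homeomorphism given by the tree pair (dom, ran)."""
    d, r = leaf_intervals(dom), leaf_intervals(ran)
    assert len(d) == len(r), "a tree pair needs the same number of leaves on both sides"
    return [(Fr(0), Fr(0))] + [(di[1], ri[1]) for di, ri in zip(d, r)]

def evaluate(f, t):
    """f(t) by linear interpolation between the breakpoints of f."""
    for (x0, y0), (x1, y1) in zip(f, f[1:]):
        if x0 <= t <= x1:
            return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
    raise ValueError("argument outside [0, 1]")

def same_map(f, g):
    """True when two breakpoint lists describe the same PL map."""
    xs = sorted({x for x, _ in f} | {x for x, _ in g})
    return all(evaluate(f, x) == evaluate(g, x) for x in xs)

def sibling_starts(t, start=0):
    """Leaf indices i such that leaves i and i+1 are the two children of one caret."""
    if t is None:
        return set()
    if t[0] is None and t[1] is None:
        return {start}
    return sibling_starts(t[0], start) | sibling_starts(t[1], start + leaf_count(t[0]))

def remove_caret(t, i, start=0):
    """Replace the caret carrying leaves i and i+1 by a single leaf (the reduction move)."""
    if t is None:
        return None
    if t[0] is None and t[1] is None:
        return None if start == i else t
    return (remove_caret(t[0], i, start), remove_caret(t[1], i, start + leaf_count(t[0])))

def split_leaf(t, i, start=0):
    """Replace leaf i by a caret: the inverse move, giving another pair for the same element."""
    if t is None:
        return (None, None) if start == i else None
    return (split_leaf(t[0], i, start), split_leaf(t[1], i, start + leaf_count(t[0])))

def reduce_pair(dom, ran):
    """Cancel carets sitting on the same pair of leaves in both trees until none remain."""
    while True:
        common = sibling_starts(dom) & sibling_starts(ran)
        if not common:
            return dom, ran
        i = min(common)
        dom, ran = remove_caret(dom, i), remove_caret(ran, i)

# The generator x0: the domain tree splits the left half again, the range tree the right half.
X0_DOM = ((None, None), None)
X0_RAN = (None, (None, None))
X0_MAP = [(Fr(0), Fr(0)), (Fr(1, 4), Fr(1, 2)), (Fr(1, 2), Fr(3, 4)), (Fr(1), Fr(1))]

def unreduced_x0(leaf=2):
    """Another tree pair for x0, obtained by splitting the same leaf in both trees."""
    return split_leaf(X0_DOM, leaf), split_leaf(X0_RAN, leaf)

if __name__ == "__main__":
    big = unreduced_x0()
    print(pair_to_map(*big))                      # five breakpoints, yet the same map as x0
    print(reduce_pair(*big) == (X0_DOM, X0_RAN))  # True: the reduction recovers the small pair
```

Because a reduced pair is unique, comparing two elements of F amounts to reducing both pairs and comparing trees; the map itself is unchanged by splitting or cancelling carets, which `same_map` confirms on the unreduced pair.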

Multiplication of diagrams is efficient
To multiply quickly, we need to modify the diagram:

Multiplication of diagrams is efficient (digression)
These new diagrams have an input, an output, merges and splits.
They also have a set of reductions.

Multiplication of diagrams is efficient
We need to cut the directed diagram back into a tree pair:
All of the previous steps can be performed quickly.

Outline of the attack
Recall: As, Bs, w, u1 = a1 w b1, u2 = b2 w a2 are public, and that
ϕs := 1 − 1/2^(s+1)
separates the supports of As and Bs.
1 Compute w(ϕs) and see if w(ϕs) ≤ ϕs or w(ϕs) > ϕs.
2 If w(ϕs) ≤ ϕs, attack Bob's keys:
compute the As-part a2 of w^−1 u2 ∈ AB,
compute b2 := u2 (a2)^−1 w^−1.
3 If w(ϕs) > ϕs, attack Alice's keys:
compute the Bs-part b1 of w^−1 u1 ∈ AB,
compute a1 := u1 (b1)^−1 w^−1.
The pair (ai, bi) allows us to recover the shared key K.

Explanation of the case w(ϕs) ≤ ϕs
On [0, ϕs] we have b2 = id, and so
u2(t) = b2 w a2(t) = w a2(t)   for t ∈ [0, ϕs]
(for such t, a2(t) ∈ [0, ϕs], hence w a2(t) ≤ w(ϕs) ≤ ϕs, where b2 is the identity).
Thus we have
a2(t) = w^−1 u2(t)   for t ∈ [0, ϕs].
But a2 = id on [ϕs, 1] and so
a2(t) = w^−1 u2(t)   for t ∈ [0, ϕs]
a2(t) = t            for t ∈ [ϕs, 1]
Notice w^−1 u2(ϕs) = ϕs, so w^−1 u2 ∈ AB (it fixes ϕs, hence it is a product of an element of As and an element of Bs). So a2 is given by the As-part of w^−1 u2.

Explanation of the case w(ϕs) ≤ ϕs
We want to recover the As-part of the element w^−1 u2 ∈ AB in an efficient way. We write the tree diagram of w^−1 u2.
From the diagram of a2 ∈ As there is a fast algorithm to write it with the generators of F.
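The outline of the attack and the derivation just given, carried out in code as an added example for this transcript (my code, not the speaker's, and not the Shpilrain-Ushakov implementation). It is the kind of check a reviewer of a proposed platform group runs: elements of F are exact piecewise-linear maps with dyadic breakpoints, a toy exchange is run with constructed secret keys, and steps 1-3 above are applied to the public data (w, u1, u2, s) alone; in both branches the recovered pair is compared with the true one and used to reproduce the shared key. Assumed, because these slides do not restate them: the protocol form u1 = a1 w b1, u2 = b2 w a2 and K = a1 u2 b1 = b2 u1 a2; the right-to-left composition convention used on the slides (b2 w a2 means b2(w(a2(t)))); toy keys built from rescaled copies of x0. All function names (`evaluate`, `compose`, `part_on`, `recover_keys`, `demo`) are mine.

```python
from fractions import Fraction as Fr

# Constructed toy model.  An element of Thompson's group F = PL2([0,1]) is stored
# as its sorted breakpoint list [(x, y), ...] from (0, 0) to (1, 1), linear in
# between; breakpoints are dyadic and slopes are powers of 2, which Fraction keeps exact.

def evaluate(f, t):
    """f(t) by linear interpolation between the breakpoints of f."""
    for (x0, y0), (x1, y1) in zip(f, f[1:]):
        if x0 <= t <= x1:
            return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
    raise ValueError("argument outside [0, 1]")

def normalize(f):
    """Drop breakpoints at which the slope does not change: equal maps get equal lists."""
    out = [f[0]]
    for i in range(1, len(f) - 1):
        (x0, y0), (x1, y1), (x2, y2) = out[-1], f[i], f[i + 1]
        if (y1 - y0) * (x2 - x1) != (y2 - y1) * (x1 - x0):
            out.append(f[i])
    out.append(f[-1])
    return out

def inverse(f):
    """Inverse homeomorphism: swap the coordinates of every breakpoint."""
    return [(y, x) for (x, y) in f]

def compose(f, g):
    """f∘g : t -> f(g(t)), the right-to-left convention of the slides (u2 = b2 w a2)."""
    g_inv = inverse(g)
    xs = {x for x, _ in g} | {evaluate(g_inv, x) for x, _ in f}
    return normalize([(x, evaluate(f, evaluate(g, x))) for x in sorted(xs)])

# The standard generators x0, x1 of F.
X0 = [(Fr(0), Fr(0)), (Fr(1, 4), Fr(1, 2)), (Fr(1, 2), Fr(3, 4)), (Fr(1), Fr(1))]
X1 = [(Fr(0), Fr(0)), (Fr(1, 2), Fr(1, 2)), (Fr(5, 8), Fr(3, 4)), (Fr(3, 4), Fr(7, 8)), (Fr(1), Fr(1))]

def phi_s(s):
    """The separating point phi_s = 1 - 1/2^(s+1) of the slides."""
    return 1 - Fr(1, 2 ** (s + 1))

def supported_on(lo, hi):
    """x0 rescaled to [lo, hi] and the identity elsewhere: an element of PL2([lo, hi])."""
    d = hi - lo
    pts = [(lo, lo), (lo + d / 4, lo + d / 2), (lo + d / 2, lo + 3 * d / 4), (hi, hi)]
    return normalize([(Fr(0), Fr(0))] + pts + [(Fr(1), Fr(1))])

def part_on(f, lo, hi):
    """Restrict f, which must fix lo and hi, to [lo, hi] and extend it by the identity."""
    assert evaluate(f, lo) == lo and evaluate(f, hi) == hi
    inner = [(x, y) for (x, y) in f if lo < x < hi]
    return normalize([(Fr(0), Fr(0)), (lo, lo)] + inner + [(hi, hi), (Fr(1), Fr(1))])

def key_exchange(w, a1, b1, a2, b2):
    """Public transcript (u1, u2) and shared key K.  Assumed protocol form (not restated on
    these slides): Alice sends u1 = a1 w b1, Bob sends u2 = b2 w a2, K = a1 u2 b1 = b2 u1 a2."""
    u1 = compose(compose(a1, w), b1)
    u2 = compose(compose(b2, w), a2)
    k_alice, k_bob = compose(compose(a1, u2), b1), compose(compose(b2, u1), a2)
    assert k_alice == k_bob          # a_i and b_j commute because their supports are disjoint
    return u1, u2, k_alice

def recover_keys(w, u1, u2, s):
    """Steps 1-3 of the outline, from the public data (w, u1, u2, s) only."""
    phi, w_inv = phi_s(s), inverse(w)
    if evaluate(w, phi) <= phi:                         # step 2: Bob's keys
        a2 = part_on(compose(w_inv, u2), Fr(0), phi)    # A_s-part of w^-1 u2
        b2 = compose(compose(u2, inverse(a2)), w_inv)   # b2 = u2 a2^-1 w^-1
        return "bob", a2, b2, compose(compose(b2, u1), a2)
    b1 = part_on(compose(w_inv, u1), phi, Fr(1))        # step 3: B_s-part of w^-1 u1
    a1 = compose(compose(u1, inverse(b1)), w_inv)       # a1 = u1 b1^-1 w^-1
    return "alice", a1, b1, compose(compose(a1, u2), b1)

def demo(w, s=1):
    """One exchange with constructed secret keys; reports which party's keys are exposed,
    whether the recovered pair is exactly right, and whether the shared key is reproduced."""
    phi = phi_s(s)
    a1, b1 = supported_on(Fr(0), phi), supported_on(phi, Fr(1))
    a2 = compose(supported_on(Fr(0), phi), inverse(supported_on(Fr(1, 4), phi)))
    b2 = inverse(supported_on(Fr(7, 8), Fr(1)))
    u1, u2, key = key_exchange(w, a1, b1, a2, b2)
    who, a, b, key_rec = recover_keys(w, u1, u2, s)
    truth = (a2, b2) if who == "bob" else (a1, b1)
    return who, (a, b) == truth, key_rec == key

if __name__ == "__main__":
    print(demo(compose(X1, inverse(X0))))   # w(phi_1) = 1/2 <= 3/4: Bob's (a2, b2) are recovered
    print(demo(X0))                         # w(phi_1) = 7/8 > 3/4: Alice's (a1, b1) are recovered
```

The point the code makes is the one the slides make: nothing about the secret words is searched, since the separating point ϕs turns the decomposition problem into a restriction of w^−1 u2 (or w^−1 u1) to one side of ϕs followed by two compositions; whichever of the two inequalities holds for w(ϕs), one party's pair is exposed exactly, and with it K. A platform choice in which the two subgroups have disjoint supports therefore gives no protection regardless of the word length parameter.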

Attacking the other secret word
Depending on w(ϕs), we chose to attack either Alice or Bob.
We can also look for the other keys.
Similar techniques and the fact that
As = PL2([0, ϕs])
Bs = PL2([ϕs, 1])
allow us to recover an approximation for the other key.
Sketch of the attack to the other word
We attack Alice's word, for w(ϕs) ≤ ϕs :
u1(t) = a1 w(t)   t ∈ [0, ϕs ]
(on [0, ϕs ] the B-factor of u1 acts as the identity, because Bs = PL2([ϕs , 1])), so that
a1(t) = u1 w⁻¹(t)   t ∈ [0, w(ϕs )].
This is the only constraint on a1: on [w(ϕs ), ϕs ] it is not determined by u1.
Since As = PL2([0, ϕs ]), we can find an aσ ∈ As such that
aσ(t) = a1(t)   t ∈ [0, w(ϕs )].
Then continue as before.
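The step just sketched, run on a toy instance as an added example; this is not code from the slides or from Matucci's paper. PL homeomorphisms of [0,1] are stored as breakpoint lists with exact rational arithmetic, and composition is right-to-left, as in the slide's u1(t) = a1(w(t)). The split point c = 1/2 stands in for ϕs, and a1, b1 and w are constructed elements of PL2([0,c]), PL2([c,1]) and F, not the protocol's real parameters. The last step, extending u1∘w⁻¹ from [0, w(c)] to an element of PL2([0,c]), is the "extension problem" the slides return to under "Choosing a different group"; the construction used for it here (pairing standard dyadic intervals one-to-one) is my choice of a solution, and the "continue as before" part of the attack is not reproduced.

```python
from fractions import Fraction as Fr


def is_pow2(n):
    return n > 0 and n & (n - 1) == 0


class PL:
    """PL homeomorphism of [0,1], stored as increasing breakpoints (x, y) from (0,0) to (1,1)."""

    def __init__(self, pts):
        self.pts = [(Fr(x), Fr(y)) for x, y in pts]

    def __call__(self, t):
        t = Fr(t)
        for (x0, y0), (x1, y1) in zip(self.pts, self.pts[1:]):
            if x0 <= t <= x1:
                return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
        raise ValueError("argument outside [0,1]")

    def inv(self):
        return PL([(y, x) for x, y in self.pts])

    def compose(self, g):
        """self ∘ g, i.e. t -> self(g(t)); breakpoints are those of g plus g^-1 of those of self."""
        gi = g.inv()
        xs = sorted({x for x, _ in g.pts} | {gi(x) for x, _ in self.pts})
        return PL([(x, self(g(x))) for x in xs])

    def in_F(self):
        """Membership in Thompson's group F = PL2([0,1]): dyadic breakpoints, slopes powers of 2."""
        if not all(is_pow2(x.denominator) and is_pow2(y.denominator) for x, y in self.pts):
            return False
        for (x0, y0), (x1, y1) in zip(self.pts, self.pts[1:]):
            s = (y1 - y0) / (x1 - x0)
            if not ((s.numerator == 1 and is_pow2(s.denominator))
                    or (s.denominator == 1 and is_pow2(s.numerator))):
                return False
        return True


def agree_on(f, g, a, b):
    """True iff the PL maps f and g coincide on [a,b]; checking every breakpoint suffices."""
    xs = {x for x, _ in f.pts + g.pts if a <= x <= b} | {Fr(a), Fr(b)}
    return all(f(x) == g(x) for x in xs)


def dyadic_partition(a, b):
    """Greedy split of [a,b] (dyadic endpoints, a <= b) into standard intervals [k/2^n, (k+1)/2^n]."""
    out, p = [], Fr(a)
    while p < b:
        n = 0
        while (p * 2**n).denominator != 1 or p + Fr(1, 2**n) > b:
            n += 1
        out.append((p, p + Fr(1, 2**n)))
        p = out[-1][1]
    return out


def pl2_piece(a, b, c, d):
    """Breakpoints of a PL2 map of [a,b] onto [c,d] (all dyadic): pair standard dyadic intervals
    one-to-one, halving the last interval of the shorter list until the counts match, so that
    every slope is a power of 2."""
    src, dst = dyadic_partition(a, b), dyadic_partition(c, d)
    while len(src) != len(dst):
        short = src if len(src) < len(dst) else dst
        p, q = short.pop()
        short += [(p, (p + q) / 2), ((p + q) / 2, q)]
    return [(Fr(a), Fr(c))] + [(s[1], t[1]) for s, t in zip(src, dst)]


def recover_alice_factor(u1, w, c):
    """Attack on Alice's word u1 = a1 ∘ w ∘ b1 with a1 ∈ PL2([0,c]), b1 ∈ PL2([c,1]), w(c) <= c.
    On [0,c] b1 is the identity, so u1 = a1 ∘ w there and a1 = u1 ∘ w^-1 on [0, w(c)].
    Beyond w(c) a1 is unconstrained, so some extension inside PL2([0,c]) is returned (a_sigma)."""
    wc = w(c)
    assert 0 < c < 1 and wc <= c, "the slides attack Alice when w(c) <= c, otherwise Bob"
    known = u1.compose(w.inv())                        # equals a1 on [0, w(c)]
    head = [(x, known(x)) for x in sorted({x for x, _ in known.pts if x < wc} | {wc})]
    tail = pl2_piece(wc, c, known(wc), c)[1:]          # PL2 piece joining (wc, a1(wc)) to (c, c)
    return PL(head + tail + [(1, 1)])                  # identity on [c, 1]


def demo():
    """Constructed toy instance (assumption: c = 1/2 plays the role of phi_s; a1, b1, w are made up)."""
    c = Fr(1, 2)
    a1 = PL([(0, 0), (Fr(1, 4), Fr(1, 8)), (Fr(3, 8), Fr(3, 8)), (c, c), (1, 1)])    # supported in [0,c]
    b1 = PL([(0, 0), (c, c), (Fr(5, 8), Fr(3, 4)), (Fr(3, 4), Fr(7, 8)), (1, 1)])   # supported in [c,1]
    w = PL([(0, 0), (Fr(1, 2), Fr(1, 4)), (Fr(3, 4), Fr(1, 2)), (1, 1)])             # public, w(c) = 1/4
    u1 = a1.compose(w).compose(b1)                 # what Alice transmits
    a_sigma = recover_alice_factor(u1, w, c)       # computed by the eavesdropper from u1 and w only
    return {
        "u1_at_c": u1(c),
        "all_in_F": all(f.in_F() for f in (a1, b1, w, u1, a_sigma)),
        "matches_on_known_part": agree_on(a_sigma, a1, 0, w(c)),
        "identity_beyond_c": agree_on(a_sigma, PL([(0, 0), (1, 1)]), c, 1),
        "exact_on_all_of_[0,c]": agree_on(a_sigma, a1, 0, c),
        "a_sigma": a_sigma.pts,
    }


if __name__ == "__main__":
    print(demo())
```

In the demo, aσ coincides with a1 on [0, w(c)] = [0, 1/4] and lies in PL2([0, c]), but differs from a1 on (1/4, 1/2]; that is exactly the sense in which the slide speaks of recovering an approximation of the other key.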
Changing the subgroups A and B
Theorem (Guba-Sapir 1997; Kassabov-Matucci 2006)
CF(g) ≅ F^m × Z^n for every g ∈ F.
The F-terms correspond to the intervals where g is trivial.
The Z-terms correspond to the intervals where g is non-trivial.
If A is a subgroup and b ∈ F commutes with A elementwise, then the supports of A and b must be "disjoint".
Choosing a different group
If instead of F we consider a larger group of PL-homeomorphisms of the unit interval, then two commuting subgroups still must have "disjoint" support.
What requires attention is an "extension problem".
Example: given a1 on [0, w(ϕs )], find aσ ∈ A with aσ = a1 on [0, w(ϕs )].
More generally, if we choose a group G acting on some space and have A, B commuting elementwise so that their supports are disjoint, a similar technique may apply.
Conclusions
Good: we are always able to recover the secret key.
Limits: our methods depend strongly on the fact that commuting subgroups have disjoint supports.
They still apply to the same protocol (or some variation of it) on other groups, but they cannot be used in a general context where no other representation is given.
Related work
In 2006, Ruinskiy-Shamir-Tsaban developed more general length-based attacks which recover the secret key in most instances.
In May 2007, Ruinskiy-Shamir-Tsaban uploaded a paper to the arXiv with a new general type of attack based on the "subgroup distance function", and they tested it yet again on this protocol.