Attack on Kayawood protocol: Uncloaking private keys

Matvei Kotov; Anton Menshov; Alexander Ushakov

doi:10.1515/jmc-2019-0015

Attack on Kayawood protocol: Uncloaking private keys

Matvei Kotov
, Anton Menshov
, Alexander Ushakov

Department of Mathematical Sciences

Research output: Contribution to journal › Article › peer-review

Abstract

We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication). We present a heuristic algorithm that allows a passive eavesdropper to recover Alice’s private key by removing cloaking elements. Our attack has 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest to insert many cloaking elements at random positions of the private key. Implementation of the attack is available on GitHub.

Original language	English
Pages (from-to)	237-249
Number of pages	13
Journal	Journal of Mathematical Cryptology
Volume	15
Issue number	1
DOIs	https://doi.org/10.1515/jmc-2019-0015
State	Published - 1 Jan 2021

Keywords

Algebraic eraser
Braid group
Cloaking problem
Colored Burau presentation
E-multiplication
Group-based cryptography
Kayawood protocol
Key agreement

Access to Document

10.1515/jmc-2019-0015

Cite this

@article{1e7162b055184f7aa81ffe1535a1471a,

title = "Attack on Kayawood protocol: Uncloaking private keys",

abstract = "We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication). We present a heuristic algorithm that allows a passive eavesdropper to recover Alice{\textquoteright}s private key by removing cloaking elements. Our attack has 100\% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest to insert many cloaking elements at random positions of the private key. Implementation of the attack is available on GitHub.",

keywords = "Algebraic eraser, Braid group, Cloaking problem, Colored Burau presentation, E-multiplication, Group-based cryptography, Kayawood protocol, Key agreement",

author = "Matvei Kotov and Anton Menshov and Alexander Ushakov",

note = "Publisher Copyright: {\textcopyright} 2020 M. Kotov et al., published by De Gruyter.",

year = "2021",

month = jan,

day = "1",

doi = "10.1515/jmc-2019-0015",

language = "English",

volume = "15",

pages = "237--249",

number = "1",

}

TY - JOUR

T1 - Attack on Kayawood protocol

T2 - Uncloaking private keys

AU - Kotov, Matvei

AU - Menshov, Anton

AU - Ushakov, Alexander

PY - 2021/1/1

Y1 - 2021/1/1

N2 - We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication). We present a heuristic algorithm that allows a passive eavesdropper to recover Alice’s private key by removing cloaking elements. Our attack has 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest to insert many cloaking elements at random positions of the private key. Implementation of the attack is available on GitHub.

AB - We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication). We present a heuristic algorithm that allows a passive eavesdropper to recover Alice’s private key by removing cloaking elements. Our attack has 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest to insert many cloaking elements at random positions of the private key. Implementation of the attack is available on GitHub.

KW - Algebraic eraser

KW - Braid group

KW - Cloaking problem

KW - Colored Burau presentation

KW - E-multiplication

KW - Group-based cryptography

KW - Kayawood protocol

KW - Key agreement

UR - https://www.scopus.com/pages/publications/85097662325

UR - https://www.scopus.com/pages/publications/85097662325#tab=citedBy

U2 - 10.1515/jmc-2019-0015

DO - 10.1515/jmc-2019-0015

M3 - Article

AN - SCOPUS:85097662325

SN - 1862-2976

VL - 15

SP - 237

EP - 249

JO - Journal of Mathematical Cryptology

JF - Journal of Mathematical Cryptology

IS - 1

ER -

Attack on Kayawood protocol: Uncloaking private keys

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this