Polynomial-time solutions of computational problems in noncommutative-algebraic cryptography

TL;DR

This paper presents a polynomial-time method called the linear centralizer method to break the security of two important noncommutative-algebraic cryptographic protocols, providing the first provable cryptanalysis of these protocols.

Contribution

The paper introduces the linear centralizer method and applies it to solve the Commutator and Centralizer key exchange problems in polynomial time, breaking their security assumptions.

Findings

First polynomial-time cryptanalysis of the Commutator protocol

First cryptanalysis of the Centralizer protocol

Cryptanalyses are robust against distribution changes

Abstract

We introduce the \emph{linear centralizer method}, and use it to devise a provable polynomial time solution of the Commutator Key Exchange Problem, the computational problem on which, in the passive adversary model, the security of the Anshel--Anshel--Goldfeld 1999 \emph{Commutator} key exchange protocol is based. We also apply this method to the computational problem underlying the \emph{Centralizer} key exchange protocol, introduced by Shpilrain and Ushakov in 2006. This is the first provable polynomial time cryptanalysis of the Commutator key exchange protocol, hitherto the most important key exchange protocol in the realm of noncommutative-algebraic cryptography, and the first cryptanalysis (of any kind) of the Centralizer key exchange protocol. Unlike earlier cryptanalyses of the Commutator key exchange protocol, our cryptanalyses cannot be foiled by changing the distributions used in the protocol.