
1 Signature scheme based on the root extraction problem over braid groups B.C. Wang, Y.P. Hu IET Information security 2009, Vol 3, Iss 2, pp. 53-59.



2 Outline
- Introduction
- Preliminaries
- The proposed signature scheme
- Performance and parameter specification
- Security analysis
- Conclusion

3 Introduction
- Artin's braid group $B_n$
  - An infinite, non-commutative group
  - The word problem is solvable (in polynomial time, via the left canonical form)
- The root problem (RP) and the conjugacy search problem (CSP) are believed to be intractable over braid groups
  - For the CSP no polynomial-time algorithm is known; the known algorithms are exponential in the worst case
- Braid-based cryptography has therefore been an active research topic

4 Introduction
- Anshel et al. (1999-2003)
  - The commutator key agreement protocol
  - Later generalised and presented axiomatically
- Ko et al. (2000)
  - A key exchange protocol and a public-key cryptosystem (PKC) based on the computational Diffie-Hellman-type conjugacy problem (DHCP)

5 Introduction
- Cha et al. (2001): the cryptosystem can be modified to rest on the decomposition problem (DP)
- Ko et al. (2002): a signature scheme based on the k-simultaneous CSP
- Dehornoy: an authentication protocol based on the shifted conjugacy problem (shifted CP)
- Others: an authentication protocol based on PR

6 Introduction
- Hughes, and Myasnikov et al.
  - The k-simultaneous CSP always hands the attacker sufficient information about the common conjugator braid
- The Burau representation
  - Given sufficiently many equations derived from the k-simultaneous CSP, the attacker can lift the Burau matrix representation back to Artin (braid word) form

7 Introduction
- Schemes based on each of the following problems have been attacked:
  - Linear algebraic problem
  - Diffie-Hellman-type problem
  - DP
  - Shifted CSP
- Some authors even announced the death of the subject
- The hope is that cryptographic algorithms constructed on the RP should be more secure

8 Introduction
- Two reasons for the insecurity of previous braid-based PKC algorithms:
  - The security of these schemes is not tightly related to the underlying intractable problem
  - The public keys of some schemes reveal too much information about the construction of the cryptographic algorithm
    - The attacker can obtain many equations relating the public and secret keys


10 Preliminaries
- Lengths are canonical lengths: $\mathrm{len}(u)$ is the number of permutation braids in the left canonical form (LCF) of $u$. Let $\mathrm{len}(u) = p$ and $\mathrm{len}(v) = q$.
  - Computing the LCF of the product $uv$ costs $O(pqn\log n)$
  - Computing the inverse $u^{-1}$ of $u$ costs $O(pn)$
  - $0 \le \mathrm{len}(uv) \le p + q$
  - $\mathrm{len}(u) \approx \mathrm{len}(u^{-1})$

11 Preliminaries
- Conjugacy search problem (CSP): given conjugate braids $x \sim y$, find a conjugator $z$ such that $y = z x z^{-1}$
- Root problem (RP): given $y \in B_n$ and an integer $e \ge 2$ such that $y = x^e$ for some unknown braid $x$, find an $e$-th root $x$ of $y$


13 The proposed signature scheme
- System parameters
  - $n$: braid index
  - $e$: integer, $e \ge 2$
  - $H$: a collision-free one-way hash function $H : \{0, 1\}^* \to \{0, 1\}^k$ (its output length $k$ is also the number of secret braids $b_i$ below)

14 The proposed signature scheme
- Key generation
  - Randomly choose $k + 1$ non-trivial braids $b_1, \dots, b_k, r \in B_n$ such that $b_i$ and $b_j$ commute for all $i, j = 1, \dots, k$
  - Compute $a_i = r b_i^{e} r^{-1}$, $i = 1, \dots, k$
  - Public key: $(a_1, \dots, a_k)$
  - Secret key: $(b_1, \dots, b_k, r)$

15 The proposed signature scheme
- Signing a message
  - To sign a message $m$, Alice randomly chooses a braid $s \in B_n$
  - She calculates the pair $(u, t)$ from $m$, $s$ and her secret key
  - The signature on $m$ is $(u, t)$

16 The proposed signature scheme
- Verification
  - Bob computes the required braids from the public key $(a_1, \dots, a_k)$, the message $m$ and the signature $(u, t)$, and checks the verification equation
  - If the equation holds, he accepts $(u, t)$ as a valid signature on $m$; otherwise he rejects it

17 The proposed signature scheme
- Verification


19 Performance and parameter specification
- Parameter specification: how to find pairwise commuting $b_i$, $i = 1, \dots, k$
  - Randomly choose commuting braids $c_1, \dots, c_s$ with $s \ll k$, e.g. $s \approx k/10$
  - Randomly choose $k$ $s$-dimensional vectors $v_1, \dots, v_k$, $v_i = (v_{i1}, \dots, v_{is})$, whose entries $v_{ij}$ are small integers
  - Compute $b_i = \prod_{j=1}^{s} c_j^{v_{ij}}$, $i = 1, \dots, k$; because the $c_j$ commute, the resulting $b_1, \dots, b_k$ commute pairwise

20 Performance and parameter specification
- Parameter specification (continued)
  - The $c_i$ are taken from the subgroup of $B_n$ generated by Artin generators $\sigma_{j_1}, \sigma_{j_2}, \dots$ whose indices satisfy $|j_u - j_v| \ge 2$ for all $j_u \ne j_v$
  - Such generators commute ($\sigma_i \sigma_j = \sigma_j \sigma_i$ whenever $|i - j| \ge 2$), so this subgroup is a commutative group

21 Performance and parameter specification
- Suggested parameters
  - $n = 90$, $e = 2$, $k = 80$, $s = k/10 = 8$, $\mathrm{len}(c_i) = 2$
  - $v_i \in \{0, 1\}^8$ with $1 \le v_{i1} + \dots + v_{is} \le 3$
  - Number of possible $b_i$: $\binom{8}{1} + \binom{8}{2} + \binom{8}{3} = 8 + 28 + 56 = 92 > 80$, so 80 distinct $b_i$ are available
  - $\mathrm{len}(b_i) \le 3\,\mathrm{len}(c_i) = 6$
  - $\mathrm{len}(r) = 8$, $\mathrm{len}(s) = 8$
  - $\mathrm{len}(a_i) \le \mathrm{len}(r) + e \cdot \mathrm{len}(b_i) + \mathrm{len}(r^{-1}) = 8 + 2 \cdot 6 + 8 = 28$
  - Public key size: $80 \times 28 = 2240$
  - Secret key size: $k \cdot \mathrm{len}(b_i) + \mathrm{len}(r) = 80 \cdot 6 + 8 = 488$
  - These sizes count canonical factors (permutation braids), not bits; a permutation braid in $B_{90}$ needs about $\log_2(90!) \approx 459$ bits to encode, so the public key is on the order of $10^6$ bits
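The key generation of slide 14 and the commuting-braid construction of slides 19-21, as an added worked example that is not code from the paper or the slides. It works in a specialised Burau representation of $B_n$: a group homomorphism, so every identity that holds among braids holds among the matrices, but not faithful for $n \ge 5$ (and it is the same representation behind the lifting attacks of slide 6), so matrix equality is a necessary check, not a proof of braid equality. The formula $b_i = \prod_j c_j^{v_{ij}}$ is inferred from slides 19 and 21 (0/1 exponent vectors of weight at most 3, $\mathrm{len}(b_i) \le 3\,\mathrm{len}(c_i)$); the modulus, the value of $t$, $n = 10$, $s = 4$, $k = 6$ and the word lengths are illustrative assumptions. The signing and verification formulas do not appear on these slides and are not implemented. What the block demonstrates is why the $b_i$ must commute: the identity $\prod_i a_i^{t_i} = r\,(\prod_i b_i^{t_i})^{e}\, r^{-1}$, which ties any 0/1 combination of public keys to an $e$-th power of a secret braid, holds for the commuting construction and fails as soon as two $b_i$ do not commute.

```python
"""Added example; not code from the Wang-Hu paper or these slides.

Key generation with pairwise-commuting secret braids, checked in a specialised
Burau representation sigma_i -> I_(i-1) (+) [[1-t, t], [1, 0]] (+) I_(n-i-1)
with t fixed in GF(p).  Identities true in B_n hold for the matrices; the
converse fails (Burau is not faithful for n >= 5).  All parameters below are
small illustrative assumptions (the slides suggest n=90, e=2, k=80, s=8).
"""
import random
from math import comb

P = 1_000_003   # prime modulus of the specialisation (assumption)
T = 7           # value substituted for the Burau variable t (assumption)


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]

def matpow(a, e):
    r = identity(len(a))
    while e:
        if e & 1:
            r = matmul(r, a)
        a, e = matmul(a, a), e >> 1
    return r

def sigma(n, i, inverse=False):
    """Burau image of the Artin generator sigma_i (1 <= i <= n-1) or its inverse."""
    if inverse:
        t_inv = pow(T, -1, P)
        block = [[0, 1], [t_inv, (1 - t_inv) % P]]
    else:
        block = [[(1 - T) % P, T % P], [1, 0]]
    m = identity(n)
    m[i - 1][i - 1], m[i - 1][i] = block[0]
    m[i][i - 1], m[i][i] = block[1]
    return m

def word(n, gens):
    """Image of a braid word given as signed indices: [3, -1] is sigma_3 sigma_1^-1."""
    m = identity(n)
    for g in gens:
        m = matmul(m, sigma(n, abs(g), inverse=g < 0))
    return m

def commute(n, i, j):
    """True iff sigma_i and sigma_j commute in the Burau image (|i-j| >= 2)."""
    return matmul(sigma(n, i), sigma(n, j)) == matmul(sigma(n, j), sigma(n, i))

def commuting_base(n, s):
    """c_j = sigma_{2j-1}^2 for j = 1..s: the indices differ by >= 2, so the c_j commute."""
    idx = list(range(1, n, 2))
    assert s <= len(idx), "not enough pairwise-commuting generators for this n"
    return [[idx[j], idx[j]] for j in range(s)]

def count_exponent_vectors(s, max_weight):
    """0/1 vectors of length s with weight 1..max_weight (slide 21: 8+28+56 = 92)."""
    return sum(comb(s, w) for w in range(1, max_weight + 1))

def keygen(n, e, k, s, max_weight, r_len, rng):
    """Secret (b_1..b_k, r) with b_i = prod_j c_j^{v_ij}; public a_i = r b_i^e r^-1."""
    assert k <= count_exponent_vectors(s, max_weight), "fewer than k distinct b_i"
    c = commuting_base(n, s)
    supports, b_words = set(), []
    while len(b_words) < k:
        v = tuple(sorted(rng.sample(range(s), rng.randint(1, max_weight))))
        if v not in supports:                      # keep the b_i distinct
            supports.add(v)
            b_words.append([g for j in v for g in c[j]])
    r_word = [rng.choice((1, -1)) * rng.randint(1, n - 1) for _ in range(r_len)]
    R, R_inv = word(n, r_word), word(n, [-g for g in reversed(r_word)])
    B = [word(n, bw) for bw in b_words]
    A = [matmul(matmul(R, matpow(Bi, e)), R_inv) for Bi in B]
    return A, (B, R, R_inv)

def product_of_powers(n, mats, bits):
    """prod_i M_i^{t_i} over t_i in {0, 1}, in index order."""
    m = identity(n)
    for M, t in zip(mats, bits):
        if t:
            m = matmul(m, M)
    return m

def secret_combination(n, e, B, R, R_inv, bits):
    """r (prod_i b_i^{t_i})^e r^-1; equals prod_i a_i^{t_i} only because the b_i commute."""
    return matmul(matmul(R, matpow(product_of_powers(n, B, bits), e)), R_inv)

def identity_holds(n=10, e=2, k=6, s=4, max_weight=3, r_len=6, seed=1):
    """Compare the public-key combination with the secret-key one for a random 0/1 vector."""
    rng = random.Random(seed)
    A, (B, R, R_inv) = keygen(n, e, k, s, max_weight, r_len, rng)
    bits = [rng.randint(0, 1) for _ in range(k)]
    return product_of_powers(n, A, bits) == secret_combination(n, e, B, R, R_inv, bits)

def identity_fails_without_commutativity(n=4, e=2):
    """Same construction with b_1 = sigma_1, b_2 = sigma_2 (non-commuting) and r = 1."""
    B, I = [sigma(n, 1), sigma(n, 2)], identity(n)
    A = [matpow(Bi, e) for Bi in B]
    return product_of_powers(n, A, [1, 1]) != secret_combination(n, e, B, I, I, [1, 1])
```

`commute(10, 1, 3)` is true and `commute(10, 1, 2)` is false, which is the $|i - j| \ge 2$ rule of slide 20; `count_exponent_vectors(8, 3)` reproduces the 92 of slide 21; `identity_holds()` returns true for the commuting construction, while `identity_fails_without_commutativity()` shows that with $b_1 = \sigma_1$, $b_2 = \sigma_2$ the product of the public keys is $r\sigma_1^2\sigma_2^2 r^{-1}$, which is not $r(\sigma_1\sigma_2)^2 r^{-1}$. Working mod $p$ with a fixed $t$ keeps the arithmetic cheap, but it discards even more information than the Burau representation over Laurent polynomials, so it is a sanity check on the algebra, not a substitute for a braid word-problem solver.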

22 Performance and parameter specification
- Computational complexity and comparison
  - Unit of comparison: one 1024-bit RSA modular multiplication $\approx 2.1 \times 10^6$ bit operations
  - Total cost to sign a message: $6.2 \times 10^6$ bit operations $\approx 3$ RSA modular multiplications
  - Cost for the verifier: $3.7 \times 10^7$ bit operations $\approx 17$ RSA modular multiplications
  - Note that the unit is a single modular multiplication; a full 1024-bit RSA signature (one modular exponentiation) costs on the order of a thousand of them


24 Security analysis
- Key recovery attack
  - Claim: the attacker cannot lift the Burau matrix representation back to Artin braids
  - Claim: the attacker cannot recover the secret key $(b_1, \dots, b_k, r)$ from the public key $(a_1, \dots, a_k)$

25 Security analysis
- On forging a signature
  - For a given message $m$, an attacker can forge a valid signature $(u, t)$ if and only if he can extract an $e$-th root of the braid $v \in B_n$
- On extracting the $e$-th root
  - Claim: the attacker cannot use knowledge of valid signatures to solve the RP

26 Security analysis
- Security comparison and remarks


28 Conclusions
- A detailed account of the rise and fall of braid group cryptography
- The shortcomings of previous work are pointed out:
  - Loose dependence on the hard problem
  - Public keys leak too much information
- A simple proof approach is proposed

