Cryptology ePrint Archive: Report 2018/604

Attack on Kayawood Protocol: Uncloaking Private Keys

Matvei Kotov and Anton Menshov and Alexander Ushakov

Abstract: We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication).

We present a heuristic algorithm that allows a passive eavesdropper to recover Alice's private key by removing cloaking elements. Our attack has 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest to insert many cloaking elements at random positions of the private key. Our implementation of the attack is available on GitHub.

Category / Keywords: public-key cryptography / Kayawood protocol, group-based cryptography, key agreement, algebraic eraser, braid group, colored Burau presentation, E-multiplication, cloaking problem

Date: received 14 Jun 2018

Contact author: menshov a v at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20180618:193233 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]