International Journal of Computer Applications (0975 – 8887) Volume 31– No.1, October 2011

Tripartite Key Agreement Protocol using Conjugacy Problem in Braid Groups

Atul Chaturvedi, Department of Mathematics, Pranveer Singh Institute of Technology
Varun Shukla, Department of Electronics & Communication, Pranveer Singh Institute of Technology

ABSTRACT
Braid groups were first introduced by Emil Artin in 1925. The first cryptosystem using braid groups as a platform was proposed by Anshel et al. in 2001. Since the publication of that paper, several cryptosystems on braid groups have been designed. In this paper we propose a tripartite authenticated key agreement protocol using the conjugacy problem, which works in a braid group. We prove that our protocol meets the security attributes under the assumption that the Braid Decomposition Problem (BDP) and the Conjugacy Search Problem (CSP) are hard in braid groups.

Keywords
Braid group, Braid Decomposition Problem, Conjugacy Search Problem, authentication, tripartite key agreement

1. INTRODUCTION
Recent years in cryptological research have witnessed several proposals for secure cryptographic schemes using non-commutative groups, in particular Artin’s braid groups [1, 2, 5, 7, 9, 10, 11, 12, 13, 14, 15, 18, 19, 20, 21]. The idea of applying braid groups as a platform for cryptosystems was introduced by Anshel et al. [2]. Braid groups are more complicated than Abelian groups but, on the other hand, are not too complicated to work with. These two characteristics make braid groups a convenient and useful choice that has attracted the attention of researchers. We make use of the Braid Decomposition Problem (BDP) and the Conjugacy Search Problem (CSP) to suggest a new tripartite authenticated key agreement scheme. The BDP and CSP in braid groups are algorithmically difficult and consequently provide one-way functions.
We use this characteristic of BDP and CSP to propose a tripartite authenticated key agreement protocol using braid groups which meets the security attributes. The rest of the paper is organized as follows: We present a brief introduction to braid groups in section 2. In section 3, we define authenticated key agreement protocols. In section 4, we present our protocol and give a proof of security for our scheme. The paper ends with a conclusion.

2. BRAID GROUPS
Emil Artin [3] in 1925 defined $B_n$, the braid group of index n, using the following generators and relations. Consider the generators $\sigma_1, \sigma_2, \ldots, \sigma_{n-1}$, where $\sigma_i$ represents the braid in which the (i+1)st string crosses over the i-th string while all other strings remain uncrossed. The defining relations are

1. $\sigma_i \sigma_j = \sigma_j \sigma_i$ for $|i - j| > 1$,
2. $\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j$ for $|i - j| = 1$.

The reader may consult any textbook on braids for a geometrical interpretation of elements of the group $B_n$ by an n-strand braid in the usual sense [4]. The braid
$$\Delta = (\sigma_1 \sigma_2 \cdots \sigma_{n-1})(\sigma_1 \sigma_2 \cdots \sigma_{n-2}) \cdots (\sigma_1 \sigma_2)(\sigma_1)$$
is called the fundamental braid. $\Delta$ nearly commutes with any braid b. In fact $\Delta b = \tau(b)\Delta$, where $\tau: B_n \to B_n$, $\tau(\sigma_i) = \sigma_{n-i}$, is an automorphism. Since $\tau^2$ is the identity map, $\Delta^2$ truly commutes with any braid. A subword of the fundamental braid $\Delta$ is called a permutation braid, and the set of all permutation braids is in one-to-one correspondence with the set of permutations on $\{0, 1, \ldots, n-1\}$. For example, $\Delta$ is the permutation sending i to n-i. The word length of a permutation n-braid is at most $n(n-1)/2$. The descent set $D(\pi)$ of a permutation $\pi$ is defined by $D(\pi) = \{\, i \mid \pi(i) > \pi(i+1) \,\}$. Any braid b can be written uniquely as $b = \Delta^u \pi_1 \pi_2 \cdots \pi_l$, where u is an integer, the $\pi_i$ are permutation braids different from $\Delta$, and $D(\pi_i^{-1}) \supseteq D(\pi_{i+1})$. This unique decomposition of a braid b is called its left canonical form. All the braids in this paper are assumed to be in left-canonical form.
For example, for $a, b \in B_n$, ab means the left-canonical form of ab, and so it is hard to guess its factors a or b from ab.

In $B_n$, we say that two elements x and y are conjugate to each other if $y = a x a^{-1}$ for some a in $B_n$, and we write x ~ y. Here a (or $a^{-1}$) is called a conjugator and the pair (x, y) is said to be conjugate. The Conjugacy Decision Problem (CDP) asks to determine whether x ~ y for a given (x, y). Equivalently, given two group words x and y in $B_n$, can we decide in a finite number of steps whether or not x and y are conjugate in $B_n$? In other words, does there exist an element a in $B_n$ such that $y = a x a^{-1}$? In [8], Garside proved that the CDP for braid groups is solvable, but the algorithm he proposed, as well as all improvements proposed thereafter, has a high cost that is exponential in the length of the considered words and the number of strands. The Conjugacy Search Problem (CSP) asks to find a in $B_n$ satisfying $y = a x a^{-1}$ for a given instance (x, y) in $B_n$ such that x ~ y. In other words, given two elements $x, y \in B_n$ and the information that $y = a x a^{-1}$ for some a in $B_n$, CSP asks to find at least one such element a. It is considered infeasible to solve CSP for sufficiently large braids. The probability that a random conjugate of x equals y is negligible. For $B_n$, a pair $(x, y) \in B_n \times B_n$ is said to be CSP-hard
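The following is an added worked example, not code from the paper: it represents braid words in $B_n$ as lists of signed generator indices and maps them to the permutations they induce on the strands. Because equal braids always induce equal permutations, this gives a cheap sanity check of the defining relations, of $\Delta b = \tau(b)\Delta$, of the descent set $D(\pi)$ and of a claimed conjugator; it is only a necessary condition, which is exactly why the permutation image alone says nothing about the hardness of CSP (conjugacy in the symmetric group is easy, the braid lifts are not). The 0-indexed strand positions and the function names are choices made here.

```python
# Added example, not from the paper: braid words in B_n as lists of signed
# generator indices (+i = sigma_i, -i = sigma_i^{-1}, 1 <= i <= n-1), sent to
# permutations of {0, ..., n-1}.  Equal braids give equal permutations, so the
# checks below are necessary conditions, never proofs of equality in B_n.

def word_to_perm(n, word):
    """Permutation induced by a braid word (the sign of a crossing is ignored)."""
    pos = list(range(n))                  # pos[k] = strand currently at position k
    for g in word:
        i = abs(g) - 1                    # sigma_i crosses the strands at positions i-1, i
        pos[i], pos[i + 1] = pos[i + 1], pos[i]
    perm = [0] * n
    for k, s in enumerate(pos):
        perm[s] = k                       # strand s ends at position k
    return tuple(perm)

def inverse(word):
    """Word of b^{-1}: reverse the word and invert every generator."""
    return [-g for g in reversed(word)]

def fundamental_braid(n):
    """Delta = (s_1 ... s_{n-1})(s_1 ... s_{n-2}) ... (s_1 s_2)(s_1) as a word."""
    return [i for k in range(n - 1, 0, -1) for i in range(1, k + 1)]

def tau(n, word):
    """The automorphism tau(sigma_i) = sigma_{n-i}, extended to words, signs kept."""
    return [(n - abs(g)) * (1 if g > 0 else -1) for g in word]

def descent_set(perm):
    """D(pi) = { i | pi(i) > pi(i+1) } with 0-indexed positions."""
    return {i for i in range(len(perm) - 1) if perm[i] > perm[i + 1]}

def relations_hold(n):
    """Both defining relations of B_n must agree after mapping to permutations."""
    for i in range(1, n):
        for j in range(1, n):
            if abs(i - j) > 1 and word_to_perm(n, [i, j]) != word_to_perm(n, [j, i]):
                return False
            if abs(i - j) == 1 and word_to_perm(n, [i, j, i]) != word_to_perm(n, [j, i, j]):
                return False
    return True

def delta_nearly_commutes(n, b):
    """Delta * b and tau(b) * Delta must induce the same permutation."""
    d = fundamental_braid(n)
    return word_to_perm(n, d + b) == word_to_perm(n, tau(n, b) + d)

def conjugate_consistent(n, x, y, a):
    """Necessary condition for y = a x a^{-1}: the induced permutations agree."""
    return word_to_perm(n, a + x + inverse(a)) == word_to_perm(n, y)
```

Note that `fundamental_braid(n)` has exactly n(n-1)/2 letters and its permutation reverses the strand order, matching the bound on permutation-braid length stated above.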