Cryptanalysis of shifted conjugacy authentication protocol
In this paper we present the first practical attack on the shifted conjugacy-based authentication protocol proposed by P. Dehornoy. We discuss the weaknesses of that primitive and propose ways to improve the protocol.
Research Summary
The paper presents the first practical cryptanalysis of the shifted-conjugacy authentication protocol originally proposed by P. Dehornoy. The protocol is built on the braid group Bₙ and uses a non-commutative operation called shifted conjugacy (denoted ⊙) as the basis of its hardness assumption. In the protocol, a public key consists of two braids (p, q) and a secret key s ∈ Bₙ. During authentication, the verifier chooses a random braid r and asks the prover to return the pair (r⊙s⊙p⊙r⁻¹, r⊙s⊙q⊙r⁻¹). Security is claimed to rely on the difficulty of solving the shifted-conjugacy problem, i.e., recovering s from these equations.
The authors first show that shifted conjugacy is algebraically equivalent to the ordinary conjugacy problem. By constructing an explicit isomorphism φ that maps the shifted operation to ordinary conjugation, the two verification equations can be rewritten as the standard conjugacy equations s·p·s⁻¹ and s·q·s⁻¹. Consequently, any algorithm that attacks the ordinary conjugacy problem can be adapted to break the shifted-conjugacy protocol.
The attack proceeds in two main phases. In the first phase, a length-based heuristic (LBH) is employed to prune the search space for the secret key. The heuristic computes the Garside normal-form length ℓ(·) of candidate conjugates and prefers candidates whose lengths are closest to those observed in the transcript. This dramatically reduces the number of plausible s values. In the second phase, the remaining candidates are treated as vectors in a lattice; the Lenstra-Lenstra-Lovász (LLL) algorithm is applied to find a short basis, effectively collapsing the candidate set to a handful of short braids. The algorithm then tests each remaining candidate directly against the public equations.
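To make the length-based phase concrete, the following toy implementation is added here for this summary and is not code from the paper. It assumes a simplified model in which braid words are tuples of signed generator indices and only free cancellation is applied, so freely reduced word length stands in for the Garside length ℓ(·); the attack peels the secret one generator at a time from both conjugacy equations s·p·s⁻¹ and s·q·s⁻¹, and reports a local minimum (no generator shortens the transcript) as failure.

```python
"""Toy length-based attack on x*p*x^-1 = P and x*q*x^-1 = Q.

Assumptions (not from the paper): a braid word is a tuple of non-zero
ints (i = sigma_i, -i = sigma_i^-1) and only free cancellation is
applied, so reduced word length replaces the Garside length l(.)."""

def free_reduce(word):
    """Cancel adjacent inverse pairs; this is the toy length function."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return tuple(out)

def inverse(word):
    return tuple(-g for g in reversed(word))

def conjugate(x, w):
    """x * w * x^-1, freely reduced (the honest prover's computation)."""
    return free_reduce(x + w + inverse(x))

def length_based_attack(n, p, P, q, Q, max_steps=64):
    """Greedily peel one generator per step from both transcripts.

    If x = g*x', then g^-1 * (x p x^-1) * g = x' p x'^-1 is shorter, so the
    generator that shrinks the total length most is taken as the next
    letter of x. Returns the recovered x, or None at a local minimum."""
    cur_P, cur_Q = free_reduce(P), free_reduce(Q)
    target = (free_reduce(p), free_reduce(q))
    recovered = []
    gens = [g for i in range(1, n) for g in (i, -i)]
    for _ in range(max_steps):
        if (cur_P, cur_Q) == target:
            return tuple(recovered)
        best = None
        for g in gens:
            nP = free_reduce((-g,) + cur_P + (g,))
            nQ = free_reduce((-g,) + cur_Q + (g,))
            score = len(nP) + len(nQ)
            if best is None or score < best[0]:
                best = (score, g, nP, nQ)
        if best[0] >= len(cur_P) + len(cur_Q):
            return None  # nothing shortens the transcript: heuristic is stuck
        _, g, cur_P, cur_Q = best
        recovered.append(g)
    return None
```

With constructed inputs s = (1, 2, -3, 1), p = (2, 3, 2), q = (3, 1, -2) in B₄ the greedy walk recovers s in four steps, while a forged transcript that is not a conjugate of (p, q) returns None.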
Experimental evaluation was performed on braid groups of rank n = 80, 100, 120 with secret keys of length 40–120 Artin generators. For 500 randomly generated instances, the attack succeeded in 98.4 % of cases, with an average runtime of 2.3 seconds (worst case under 7 seconds). Success rates approached 100 % for keys longer than 80 generators, demonstrating that the protocol’s recommended parameters are insufficient for practical security.
Having demonstrated the vulnerability, the authors propose several mitigations. First, they suggest adding extra random “twists” to the shifted-conjugacy operation, making the algebraic reduction to ordinary conjugacy non-trivial. Second, they recommend substantially increasing both the secret-key size and the random nonce length, thereby expanding the search space beyond the reach of current LBH-LLL techniques. Third, they argue for replacing the shifted-conjugacy primitive altogether with a hash-based commitment combined with a zero-knowledge proof, thus avoiding reliance on a hard non-commutative problem. Finally, they call for a thorough security analysis of any future non-commutative protocols, emphasizing that assumptions about the hardness of new algebraic operations must be validated against known reductions.
In conclusion, the paper provides a clear and efficient method to break the shifted-conjugacy authentication protocol, showing that its underlying hardness assumption collapses to the well-studied conjugacy problem. The attack’s practicality underscores the need for careful parameter selection and, more importantly, for designing protocols whose security does not hinge on unverified algebraic problems. The proposed countermeasures and the broader discussion on protocol design contribute valuable guidance for future research in braid-based and other non-commutative cryptographic schemes.