Recently, the class of non-abelian infinite groups known as the braid groups, $B_n$, has attracted attention as a possible source of cryptographic schemes, including key exchange and user verification. The braid groups have very complicated structure, yet have a very nice geometrical interpretation. There are well known solutions to the word problem, and fast algorithms for implementation on digital computers. Though the braid groups have been known and studied for many years, the first braid group cryptosystems appeared in 2000. Shortly thereafter, a polynomial time attack on existing systems was discovered. Despite this attack, there may be some hope for braid groups. There may be some problems that are still hard and some application specific schemes that are still good enough for large enough $n$. This report will cover an introduction to braid groups including solutions to the word problem, theoretical advantages, computational advantages, proposed systems, and attacks. In order to examine these cryptosystems, it is first necessary to define and introduce the braid groups.
1. Introduction to Braid Groups
The natural way to think about the braid groups is through their geometric interpretation. Picture a set of $n$ parallel strings hanging in a line. Number the strings $1, 2, \ldots, n$ starting on the left. An $n$-braid is obtained by intertwining the strings and fixing the lower ends in a line. Notice that a pair of strings can be intertwined in two ways: by passing the string on the left over or under the string on the right. Figure 1 illustrates a few braids. Braids will be considered to start at the top and end at the bottom throughout.

Figure 1: A few braids.
For a given $n$, called the braid index, the set of all possible $n$-braids forms a group called the $n$-braid group, $B_n$. The law of composition for two braids is to match up the ends of the strings on the first braid to the beginnings of strings on the second braid. The identity element is simply the braid formed by letting all strings run parallel with no crossings. The inverse of any braid is its mirror image with the face of the mirror perpendicular to the strings. Two braids are considered equal if one can be obtained from the other by sliding crossings past one another and canceling inverses without adding or removing any other crossings. Examples of composition, inverse, and equality are given in Figure 2.

Figure 2: Composition, inversion, and equality.
With this basic understanding, some remarks about braid groups can immediately be made. First, the 1-braid group is isomorphic to the trivial group. Also, the 2-braids are isomorphic to the integers under addition, where a positive integer $k$ is equivalent to $k$ half-twists of the pair of strings. Likewise $-k$ is equivalent to $k$ half-twists with the opposite string crossing over the top of each half-twist.
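As an added example (not code from the report), the group operations just described can be modelled directly on a computer. It assumes the usual Artin encoding, which the report has not yet introduced: a crossing of strings $i$ and $i+1$ is the signed integer $+i$ when the left string passes over and $-i$ when it passes under, and a braid is a list of such crossings read from top to bottom.

```python
# Added example: braids as lists of signed crossings (Artin generators).
# Assumption: +i means the left string of the pair (i, i+1) passes over,
# -i means it passes under; the report itself does not fix this notation.
# Braids are read top to bottom, as in the report.
from typing import List

def compose(a: List[int], b: List[int]) -> List[int]:
    """Stack braid b below braid a (match a's string ends to b's starts)."""
    return a + b

def inverse(a: List[int]) -> List[int]:
    """Mirror image across a plane perpendicular to the strings:
    crossings are read bottom-up and each over/under is swapped."""
    return [-x for x in reversed(a)]

def free_reduce(word: List[int]) -> List[int]:
    """Cancel adjacent inverse pairs.  This uses only one of the two
    equality moves (cancelling inverses), so reducing to [] proves a braid
    is the identity, while a non-empty result does not prove it is not."""
    out: List[int] = []
    for x in word:
        if out and out[-1] == -x:
            out.pop()
        else:
            out.append(x)
    return out

def permutation(n: int, word: List[int]) -> List[int]:
    """Which of the n strings (numbered 1..n from the left) ends in each
    bottom slot.  Equal braids induce the same permutation, so a mismatch
    is a cheap proof that two braids are unequal."""
    pos = list(range(1, n + 1))          # pos[k] = string currently in slot k
    for x in word:
        i = abs(x) - 1
        pos[i], pos[i + 1] = pos[i + 1], pos[i]
    return pos

def half_twists(word: List[int]) -> int:
    """For 2-braids every crossing is +1 or -1, so the net number of
    half-twists is the integer that B_2 is identified with above."""
    assert all(abs(x) == 1 for x in word), "not a 2-braid word"
    return sum(word)

if __name__ == "__main__":
    b = [1, -2, 1]
    print(free_reduce(compose(b, inverse(b))))   # [] : the identity braid
    print(permutation(3, b))                     # [3, 2, 1]
    print(half_twists([1, 1, -1, 1]))            # 2
```

The full equality test ("sliding crossings past one another") needs a solution to the word problem, which the report takes up later; the permutation check only gives a necessary condition.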
For any