Anshel–Anshel–Goldfeld protocol, also known as a commutator key exchange, is a key-exchange protocol using nonabelian groups. It was invented by Drs. Michael Anshel, Iris Anshel, and Dorian Goldfeld. Unlike other group-based protocols, it does not employ any commuting or commutative subgroups of a given platform group and can use any nonabelian group with efficiently computable normal forms. It is often discussed specifically in application of braid groups, which notably are infinite (and the group elements can take variable quantities of space to represent). The computed shared secret is an element of the group, so in practice this scheme must be accompanied with a sufficiently secure compressive hash function to normalize the group element to a usable bitstring.
Let
G
Alice's public/private information:
{\bfa}=(a1,\ldots,an)
G
{\bfa}
| \varepsilon1 | |
| a | |
| i1 |
,\ldots,
| \varepsilonL | |
| a | |
| iL |
| a | |
| ik |
\in{\bfa}
\varepsilonk=\pm1
A=
| \varepsilon1 | |
| a | |
| i1 |
\ldots
| \varepsilonL | |
| a | |
| iL |
Bob's public/private information:
{\bfb}=(b1,\ldots,bn)
G
{\bfb}
| \delta1 | |
| b | |
| j1 |
,\ldots,
| \deltaL | |
| b | |
| jL |
| b | |
| jk |
\in{\bfb}
\deltak=\pm1
B=
| \delta1 | |
| b | |
| j1 |
\ldots
| \deltaL | |
| b | |
| jL |
Transitions:
{\overline{\bfa}}=(A-1
| -1 | |
| b | |
| 1A,\ldots,A |
bnA)
{\overline{\bfb}}=(B-1
| -1 | |
| a | |
| 1B,\ldots,B |
anB)
Shared key:
The key shared by Alice and Bob is the group element
K=A-1B-1AB\inG
A
B
K
A-1 ⋅ \left(B-1
| \varepsilon1 | |
| a | |
| i1 |
B\right) … \left(B-1
| \varepsilonL | |
| a | |
| iL |
B\right)=A-1B-1AB
K
\left(A-1
| -\deltaL | |
| b | |
| jL |
A\right) … \left(A-1
| -\delta1 | |
| b | |
| j1 |
A\right) ⋅ B=A-1B-1AB
From the standpoint of an attacker trying to attack the protocol, they usually learn the public keys
\bfa
\bfb
\overline{\bfa}
\overline{\bfb}
A
\bfa
\overline{\bfa}
K
\bfa
\bfb
G
A
\bfa
Solving for a suitable
A