Unfortunately, many of the proposed schemes are at a rather conceptual level, ignore efficiency questions or turned out to be insecure. Often modern security guarantees in the sense of provable security are not taken intoaccount and no detailed security analysis is available. On the other hand, a recently proposed non-abelian variant of the Cramer-Shoup methodology for deriving IND-CCA secure public key encryption schemes so far lacks an

efficient instantiation. At the moment, the question of deriving practical cryptographic schemes from problems related to non-abelian groups is far from being settled.

Two encouraging examples of "non-abelian cryptography" which led to fruitful interaction between the cryptographic and the mathematical community are offered by constructions based on braid groups and on factorizations of finite groups. The talk discusses the relation between minimal factorizations of finite groups and the public key encryption scheme MST_1. The latter proposal (by Magliveras et al.) is motivated by the symmetric PGM cipher and based on the idea of deriving a one-way permutation from a suitable factorization of a

(possibly non-abelian) finite group. The question of finding short keys for MST_1 naturally leads to the question of identifying "minimal factorizations" of finite groups, and so far it is unclear whether each finite group allows for such a factorization. It is known, however, that for proving the general existence of this kind of factorization, it is sufficient to establish the result for all finite simple groups, and for several types of simple groups such a proof is known. Finally, the talk discusses the question of attacking braid group based encryption schemes through a differential power analysis. Interestingly, mounting such an attack seems to be more involved than one may expect: even attacking a naive implementation in an idealized theoretical model, where no specific countermeasures have been implemented, does not seem to be that straightforward.