Cryptanalysis of the DHDP and EGDP protocols over E_p^(m)

In this paper we break the protocol based on the Diffie-Hellman Decomposition problem and ElGamal Decomposition problem over the matrix ring E_p^(m). Our attack terminates in a provable running time of O(m^10).




1. Introduction

Public key cryptosystems are often based on number theoretical problems, such as integer factorization as in RSA [RSA] or the discrete logarithm problem over finite fields or over elliptic curves. The latter is the basis for well-known protocols such as the ElGamal protocol [elgamal] or the Diffie-Hellman key exchange protocol [diffie]. Increasing computing power threatens these classical cryptographic schemes, and new ambient spaces are demanded, for example involving noncommutative structures (see [anshel1999algebraic, ko2007towards, ko2000new, sakalauskas2003basic, sidel1994systems]). In nonabelian groups there are two main problems which give rise to cryptographic schemes: the semigroup action problem (SAP) [maze2005public] and the decomposition problem (DP). For an overview see [groupcrypto, decomposition]. These two problems are very similar: in the SAP one is given a finite semigroup acting on a finite set , for , such that there exists an with , and one wants to find such that . In the DP one is given a nonabelian group , and , and one wants to find such that .

Based on these two problems, J.J. Climent and J.A. López-Ramos proposed three protocols in [climent2016public] over a special ring of matrices involving operations modulo different powers of the same prime, called . Similar cryptosystems can be found in [doi:10.1142/S0219498817501481, Example 4.3.c]. This ring is a generalization of the ring that Climent, Navarro and Tortosa introduced in [ClimentEp]. The first cryptographic scheme based on [climent2012key] was broken in [Kamal2012]. This attack can be prevented by admitting only a few invertible elements, as is the case in the ring [climent2014extension, Corollary 1]. In addition, another nice property of such rings is that they do not admit embeddings into matrix rings over a field (see [Bergman1974]), which is often the main problem of cryptographic schemes over matrix rings (see for example [micheli2015cryptanalysis]), and it prevents a reduction to small extensions of finite fields as in [menezes1997discrete].

The first protocol proposed in [climent2016public], based on the semigroup action problem over the ring , was broken by Micheli and Weger in [micheli2018cryptanalysis] using a solution sieve argument. In this paper we break the remaining two protocols proposed by Climent and López-Ramos in [climent2016public]; both are based on the decomposition problem over and happen to be equivalent. They will be denoted by the Diffie-Hellman Decomposition Problem (DHDP) and the ElGamal Decomposition Problem (EGDP) protocols. For this we will also rely on a solution sieve argument similar to that of [micheli2018cryptanalysis].

This paper is organized as follows: in Section 2 we recall the definitions and properties of the ring and state the DHDP and EGDP protocols over . In Section 3 we present the practical attack on the DHDP protocol, which in turn will also break the equivalent EGDP protocol. In Subsection 3.1 we show in an example how the attack works. In Subsection 3.2 we break the scheme for many practical instances of the protocol and see how the actual running time of the attack compares with the predicted one. The code we used is available at

1.1. Notation

Let be a subset of a (possibly non-commutative) ring . We will denote the centralizer of by

When , then is said to be the center of and will be denoted by . Let denote the natural numbers, i.e. and . For any commutative ring , and any two positive integers we will denote by the set of by matrices with coefficients in . If is an abelian group and is a ring acting on , we denote by the set of endomorphisms of as an -module. Notice that has a natural ring structure. Let , we denote by the smallest subring of which contains and .

2. Cryptography over

Let us recall the definition of the matrix ring and its center, which were first introduced in [climent2014extension, Theorem 1].

Definition 1.

Let be the following set of matrices.

To shorten the notation we will write . This set forms a ring with the addition and multiplication defined, respectively, as follows

Let us denote by the set . The ring acts on by the usual matrix multiplication.

Theorem 2.

[climent2016public, Theorem 2] The center of is given by the set

For , let us denote by the centralizer of , i.e. the set of elements , such that . Define the set

Let us recall the Diffie-Hellman decomposition problem, proposed in [decomposition, Example 3].

Definition 3 (DH Decomposition Problem (DHDP)).

Let be a semigroup, two subsemigroups such that for every and and assume that . Given two elements and , with and , find the element .

In [climent2016public], Climent and López-Ramos proposed two protocols based on the decomposition problem over : one of the protocols is a Diffie-Hellman key exchange and the other one is an ElGamal protocol, analogous to the Diffie-Hellman key exchange [diffie] and the ElGamal cryptosystem [elgamal] respectively.

Protocol 4 (DHDP protocol).

Alice and Bob agree on two public elements such that .

  • Alice chooses and sends to Bob.

  • Bob chooses such that and sends to Alice.

  • Alice computes .

  • Bob computes .

Since and commute for all , it is clear that Alice and Bob share a common value.

Protocol 5 (EGDP protocol).

Alice and Bob agree on a public element . Let be the secret that Bob wants to send Alice.

  • Alice chooses such that and two elements and publishes her public key .

  • Bob chooses randomly two elements and sends to Alice.

  • Alice recovers by computing .

Since and commute for all we have that

As observed in [climent2016public, Theorem 4], breaking the EGDP protocol is equivalent to breaking the DHDP protocol.

3. The attack

In this section we provide an algorithm to break the DHDP protocol over the ring . As mentioned in Protocol 4 and Protocol 5, the two subgroups used are and for a publicly known .

Lemma 6.

The center of the ring is isomorphic to as rings.


It is easy to see that the following map is a ring isomorphism

where and for . ∎

A direct generalization of Theorem 5 in [climent2011arithmetic] shows that if one looks at as a -module, then is isomorphic to . Using this fact and the Cayley-Hamilton Theorem, we can prove that the subring generated by a matrix in is a finite dimensional -module. To see this in detail, let us now recall the general statement of Cayley-Hamilton Theorem.

Theorem 7.

[atiyah, Proposition 2.4] Let be a ring, let be a finitely generated -module, let be a module morphism and let be an ideal of , such that . Let be the number of elements needed to generate . Then there exist , such that

We now prove the corollary we are interested in.

Corollary 8.

For every , there exists , such that


In Theorem 7, set and , hence and a matrix in . It follows now immediately that has dimension less than or equal to (as a -module). ∎

Remark 9.

Notice that in the statement and the proof of Corollary 8, could as well be replaced by since any element in acts as the zero morphism over .
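As an added illustration of Lemma 6 and Corollary 8 (this is not code from the paper), the Python below models E_p^(m) as End(Z_p × Z_{p^2} × ... × Z_{p^m}), i.e. integer matrices whose row i is read modulo p^i and whose entry (i,j) for i > j is divisible by p^(i-j), and checks that scalar matrices are central and that A^m is a combination of I, A, ..., A^(m-1) with coefficients in Z_{p^m}, read off from the integer characteristic polynomial. The representation, the sample matrix and all function names are assumptions made here, since the paper's own matrix notation is not recoverable from this page.

```python
from fractions import Fraction

def reduce_rows(T, p):  # row i (0-based) of an element of End(Z_p x ... x Z_{p^m}) is read modulo p^(i+1)
    return [[x % p ** (i + 1) for x in row] for i, row in enumerate(T)]

def matmul(S, T):  # plain integer matrix product, no reduction (also used for Cayley-Hamilton over Z)
    m = len(S)
    return [[sum(S[i][k] * T[k][j] for k in range(m)) for j in range(m)] for i in range(m)]

def mul(S, T, p):  # ring multiplication: compose the endomorphisms, then reduce row by row
    return reduce_rows(matmul(S, T), p)

def add(S, T, p):
    return reduce_rows([[a + b for a, b in zip(r, s)] for r, s in zip(S, T)], p)

def scalar(c, m, p):  # c*I for c in Z_{p^m}; reduces to diag(c mod p, ..., c mod p^m), the centre of Lemma 6
    return reduce_rows([[c * (i == j) for j in range(m)] for i in range(m)], p)

def random_element(m, p, rng):  # entry (i,j), i > j, is divisible by p^(i-j): e_j has order p^j, so p^j kills its image
    return reduce_rows([[rng.randrange(p ** (i + 1)) * p ** max(i - j, 0) for j in range(m)] for i in range(m)], p)

def commutes(S, T, p):
    return mul(S, T, p) == mul(T, S, p)

def char_poly(A):  # integer coefficients c[0..m] of det(xI - A) by Faddeev-LeVerrier; every step stays integral
    m = len(A)
    c = [Fraction(0)] * m + [Fraction(1)]
    M = [[Fraction(0)] * m for _ in range(m)]
    for k in range(1, m + 1):
        M = matmul(A, M)
        for i in range(m):
            M[i][i] += c[m - k + 1]
        c[m - k] = -sum(matmul(A, M)[i][i] for i in range(m)) / k
    return [int(x) for x in c]

def cayley_hamilton_relation(A, p):
    # Corollary 8 in this representation: A^m = sum_{i<m} a_i A^i with a_i in Z_{p^m}. The integer identity
    # A^m + c[m-1] A^(m-1) + ... + c[0] I = 0 survives reduce_rows, so the a_i are just -c[i] mod p^m.
    m = len(A)
    c = char_poly(A)
    coeffs = [(-c[i]) % p ** m for i in range(m)]
    powers = [scalar(1, m, p)]  # I, A, A^2, ..., A^m computed inside the ring
    for _ in range(m):
        powers.append(mul(powers[-1], A, p))
    rhs = [[0] * m for _ in range(m)]
    for a, P in zip(coeffs, powers):
        rhs = add(rhs, mul(scalar(a, m, p), P, p), p)
    return coeffs, rhs == powers[m]
```

For the constructed element A = [[1, 1, 1], [2, 1, 1], [4, 2, 1]] of E_2^(3), cayley_hamilton_relation(A, 2) returns ([1, 5, 3], True), i.e. A^3 = I + 5A + 3A^2; random_element(3, 2, random.Random(1)) gives further instances after importing random.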

Lemma 10.

Let . Then the map given by is a surjective -algebra homomorphism.


First, one should observe that thanks to Lemma 6 one can identify the center of with , from which it follows that the map is well defined. To see that is a surjective homomorphism, it is enough to look at as and to notice that : in fact, using Lemma 6, there exist such that each ’s of a matrix in can be written as the diagonal matrix with entries .

Proposition 11.

Let and for some . Then there exists such that .


Combining Lemma 10 and Corollary 8, we can write and for some . Then

for . ∎

We use the following lemma in order to solve a system of linear equations over , which was presented in [micheli2018cryptanalysis].

Lemma 12 (Lemma 14, [micheli2018cryptanalysis]).

Let for some . Let with , and . The set of solutions of


is either empty or there exists an matrix such that all solutions have the form

Also, and can be found in polynomial time.

Now we are ready for the main result.

Theorem 13.

DHDP protocol over can be broken in polynomial time.


Let such that , and let and . Given and , we have to find .

Using Proposition 11, we know that there exist such that . We use Lemma 12 to solve this system of linear equations for . Then the exchanged secret is given by

Algorithm 1 provides a formal way to solve the DHDP protocol over .


Algorithm 1 Break protocol based on DHDP over 

Output: the exchanged secret 

1: Construct the matrix of linear equations arising from using Proposition 11, given by 
2: Partition the congruences according to their moduli, obtaining the equations 
   for all .
6: while  do
7:     In the equation replace with 
8:     Apply Lemma 12 to solve this system, i.e. , and , getting the particular solution and the kernel matrix .

Remark 14.

Observe that, in the proof of Theorem 13, Lemma 12 is applied after partitioning the congruences according to their moduli. Applied on the congruences modulo , it ensures the existence of a particular solution and a kernel matrix over . Using this data and the data of the congruences modulo we obtain a new set of solutions, which now solves the congruences modulo and modulo . Iterating this procedure we get the final set of solutions (all equivalent to break the scheme), exactly as in the proof of [micheli2018cryptanalysis, Proposition 15].

Running time. Let us analyse the running time of Algorithm 1. Observe that in the -th step we apply Lemma 12 to an matrix. By the running time of Lemma 12 we have -operations (which is bit operations) in the -th step. Since we repeat this step times, we get that to run Algorithm 1 we need bit operations.

3.1. An example

Let and let and be public elements.

Alice chooses

and publishes . Bob chooses

and publishes . The shared secret is then

The attacker sees only

and wants to find .
In Step 1 of Algorithm 1, the attacker constructs

This partitions into the following system of equations




we get that the final system is

As a first step we solve the system with Lemma 12. We obtain the following solution set

As a second step we sieve the solutions. Hence we substitute the solution of into the new system and get

which is

Applying Lemma 12 again we find the particular solution , and hence, if we define

we get the exchanged secret

3.2. Implementation of the attack

In [climent2014extension], Climent et al. proposed to use the DHDP protocol and the EGDP protocol with the parameters and . Table 1 shows the average running time in hours required to break the DHDP protocol over for and different values of , up to . The results of this table were obtained with a MAGMA [MR1484478] implementation on a personal computer with an Intel Core 6C i7-8700K processor at 3.7 GHz and 64 GB RAM.

   m   time (in hours)
  32             0.062
  36             0.197
  40             0.537
  44             1.145
  48             2.394
  52             6.368
  56            16.532
  60            28.990
Table 1. Running time (in hours) of the attack for and different values for .

From the running time analysis, we expect the time to be . This implies that should be a linear function of with slope . In this experiment, we observe that the plot of vs is linear with slope 9.98 (see Figure 1).

Figure 1. vs

Notice that in Algorithm 1, solving a linear system over using Lemma 12 is the dominant part of the running time. This is done by transforming the matrix representing the linear system into its Smith normal form. In our implementation we used the built-in MAGMA function to compute the Smith normal form; Magma [MR1484478] first uses sparse techniques to reduce the input matrix to a dense submatrix. Because of this, the running time of the algorithm varies from instance to instance, and hence we do not get a slope exactly equal to 10.

With regard to this implementation and the processor we used, it would take around 1700 days to break the proposed parameters, that is and . The code we used is available at


The second author is thankful to the Swiss National Science Foundation under grant number 171248. This work has also been supported partly by the Swiss National Science Foundation under grant number 169510.