# Cryptanalysis of the DHDP and EGDP protocols over E_p^(m)

In this paper we break the protocol based on the Diffie-Hellman Decomposition problem and ElGamal Decomposition problem over the matrix ring E_p^(m). Our attack terminates in a provable running time of O(m^10).


## 1. Introduction

Public key cryptosystems are often based on number theoretical problems, such as integer factorization as in RSA [RSA] or the discrete logarithm problem over finite fields or over elliptic curves. The latter is the basis of well-known protocols such as the ElGamal protocol [elgamal] and the Diffie-Hellman key exchange protocol [diffie]. Increasing computing power threatens these classical cryptographic schemes and new ambient spaces are demanded, for example involving noncommutative structures (see [anshel1999algebraic, ko2007towards, ko2000new, sakalauskas2003basic, sidel1994systems]). In nonabelian groups there are two main problems which give rise to cryptographic schemes: the semigroup action problem (SAP) [maze2005public] and the decomposition problem (DP). For an overview see [groupcrypto, decomposition]. These two problems are very similar: in the SAP one is given a finite semigroup acting on a finite set , for , such that there exists an with , and one wants to find such that . In the DP one is given a nonabelian group , and , and one wants to find such that .

Based on these two problems, J.J. Climent and J.A. López-Ramos proposed three protocols in [climent2016public] over a special ring of matrices involving operations modulo different powers of the same prime, called . Similar cryptosystems can be found in [doi:10.1142/S0219498817501481, Example 4.3.c]. This ring is a generalization of the ring that Climent, Navarro and Tortosa introduced in [ClimentEp]. The first cryptographic scheme based on [climent2012key] was broken in [Kamal2012]. This attack can be prevented by admitting only few invertible elements, as is the case in the ring [climent2014extension, Corollary 1]. In addition, another nice property of such rings is that they do not admit embeddings into matrix rings over a field (see [Bergman1974]), which is often the main weakness of cryptographic schemes over matrix rings (see for example [micheli2015cryptanalysis]); this prevents a reduction to small extensions of finite fields as in [menezes1997discrete].

The first protocol proposed in [climent2016public], based on the semigroup action problem over the ring , was broken by Micheli and Weger in [micheli2018cryptanalysis] using a solution sieve argument. In this paper we break the remaining two protocols proposed by Climent and López-Ramos in [climent2016public]; both are based on the decomposition problem over and happen to be equivalent. They will be called the Diffie-Hellman Decomposition Problem (DHDP) protocol and the ElGamal Decomposition Problem (EGDP) protocol. For this we also rely on a solution sieve argument similar to the one in [micheli2018cryptanalysis].

This paper is organized as follows: in Section 2 we recall the definitions and properties of the ring and state the DHDP and EGDP protocols over . In Section 3 we present the practical attack on the DHDP protocol, which in turn also breaks the equivalent EGDP protocol. In Subsection 3.1 we show on a small example how the attack works. In Subsection 3.2 we break the scheme for many practical instances of the protocol and compare the actual running time of the attack with the predicted one. The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.

### 1.1. Notation

Let be a subset of a (possibly non-commutative) ring . We will denote the centralizer of by

$$\operatorname{Cen}(T) = \{U \in S \mid UR = RU \ \ \forall R \in T\}.$$

When , then is said to be the center of and will be denoted by . Let denote the natural numbers, i.e. and . For any commutative ring , and any two positive integers we will denote by the set of by matrices with coefficients in . If is an abelian group and is a ring acting on , we denote by the set of endomorphisms of as an -module. Notice that has a natural ring structure. Let , we denote by the smallest subring of which contains and .

## 2. Cryptography over E_p^(m)

Let us recall the definition of the matrix ring and its center, which were first introduced in [climent2014extension, Theorem 1].

###### Definition 1.

Let be the following set of matrices.

$$E_p^{(m)} = \left\{ (a_{ij})_{i,j \in \{1,\dots,m\}} \;\middle|\; a_{ij} \in \mathbb{Z}/p^i\mathbb{Z} \text{ if } i \le j, \text{ and } a_{ij} \in p^{i-j}\mathbb{Z}/p^i\mathbb{Z} \text{ if } i > j \right\}.$$

To shorten the notation we will write . This set forms a ring with the addition and multiplication defined, respectively, as follows

$$[a_{ij}] + [b_{ij}] = \left[(a_{ij} + b_{ij}) \bmod p^i\right], \qquad [a_{ij}] \cdot [b_{ij}] = \left[\left(\sum_{k=1}^{m} a_{ik} b_{kj}\right) \bmod p^i\right].$$

Let us denote by the set . The ring acts on by the usual matrix multiplication.

###### Theorem 2.

[climent2016public, Theorem 2] The center of is given by the set

$$\left\{ [a_{ij}] \in E_p^{(m)} \;\middle|\; a_{ii} = \sum_{j=0}^{i-1} p^j u_j, \text{ with } u_j \in \{0,\dots,p-1\} \text{ and } a_{ij} = 0 \text{ if } i \ne j \right\}.$$

For , let us denote by the centralizer of , i.e. the set of elements , such that . Define the set

$$H(M) = \left\{ \sum_{i=0}^{k} C_i M^i \;\middle|\; C_i \in Z(E_p^{(m)}),\ k \in \mathbb{N} \right\}.$$

Let us recall the Diffie-Hellman decomposition problem, proposed in [decomposition, Example 3].

###### Definition 3 (DH Decomposition Problem (DHDP)).

Let be a semigroup, two subsemigroups such that for every and and assume that . Given two elements and , with and , find the element .

In [climent2016public], Climent and López-Ramos proposed two protocols based on the decomposition problem over : a key exchange analogous to the Diffie-Hellman key exchange [diffie] and an encryption scheme analogous to the ElGamal cryptosystem [elgamal].

###### Protocol 4 (DHDP protocol).

Alice and Bob agree on two public elements such that .

• Alice chooses and sends to Bob.

• Bob chooses such that and sends to Alice.

• Alice computes .

• Bob computes .

Since and commute for all , it is clear that Alice and Bob share a common value.

###### Protocol 5 (EGDP protocol).

Alice and Bob agree on a public element . Let be the secret that Bob wants to send Alice.

• Alice chooses such that and two elements and publishes her public key .

• Bob chooses randomly two elements and sends to Alice.

• Alice recovers by computing .

Since and commute for all we have that

$$D - A_1 F A_2 = S + B_1 A_1 N A_2 B_2 - A_1 B_1 N B_2 A_2 = S.$$

As observed in [climent2016public, Theorem 4], breaking the EGDP protocol is equivalent to breaking the DHDP protocol.

## 3. The attack

In this section we provide an algorithm to break the DHDP protocol over the ring . As mentioned in Protocol 4 and Protocol 5, the two subgroups used are and for a publicly known .

###### Lemma 6.

The center of the ring is isomorphic to as rings.

###### Proof.

It is easy to see that the following map is a ring isomorphism

$$\psi : \mathbb{Z}/p^m\mathbb{Z} \to Z(E_p^{(m)}), \qquad z \mapsto [a_{ij}],$$

where and for . ∎

A direct generalization of Theorem 5 in [climent2011arithmetic] shows that if one looks at as a -module, then is isomorphic to . Using this fact and the Cayley-Hamilton Theorem, we can prove that the subring generated by a matrix in is a finite dimensional -module. To see this in detail, let us now recall the general statement of the Cayley-Hamilton Theorem.

###### Theorem 7.

[atiyah, Proposition 2.4] Let be a ring, let be a finitely generated -module, let be a module morphism and let be an ideal of , such that . Let be the number of elements needed to generate . Then there exist , such that

$$\phi^n + a_{n-1}\phi^{n-1} + \cdots + a_0 = 0.$$

We now prove the corollary we are interested in.

###### Corollary 8.

For every , there exists , such that

$$A^m = a_0 + a_1 A + \cdots + a_{m-1} A^{m-1}.$$

###### Proof.

In Theorem 7, set and , hence and a matrix in . It follows now immediately that has dimension less than or equal to (as a -module). ∎

###### Remark 9.

Notice that in the statement and the proof of Corollary 8, could as well be replaced by since any element in acts as the zero morphism over .

###### Lemma 10.

Let . Then the map given by is a surjective -algebra homomorphism.

###### Proof.

First, one should observe that thanks to Lemma 6 one can identify the center of with , from which it follows that the map is well defined. To see that is a surjective homomorphism, it is enough to look at as and to notice that : in fact, using Lemma 6, there exist such that each ’s of a matrix in can be written as the diagonal matrix with entries .

###### Proposition 11.

Let and for some . Then there exists such that .

###### Proof.

Combining Lemma 10 and Corollary 8, we can write and for some . Then

$$G_A = A_1 X A_2 = \left(\sum_{i=0}^{m-1} u_i M^i\right) X \left(\sum_{j=0}^{m-1} v_j M^j\right) = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} u_i v_j M^i X M^j = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} \lambda_{ij} M^i X M^j,$$

for . ∎

We use the following lemma in order to solve a system of linear equations over , which was presented in [micheli2018cryptanalysis].

###### Lemma 12 (Lemma 14, [micheli2018cryptanalysis]).

Let for some . Let with , and . The set of solutions of

$$B\mu = c \tag{3.1}$$

is either empty or there exists an matrix such that all solutions have the form

$$\{\bar\mu + P\lambda \mid \lambda \in R^h\}.$$

Also, and can be found in polynomial time.

Now we are ready for the main result.

###### Theorem 13.

The DHDP protocol over can be broken in polynomial time.

###### Proof.

Let such that , and let and . Given and , we have to find .

Using Proposition 11, we know that there exist such that . We use Lemma 12 to solve this system of linear equations for . Then the exchanged secret is given by

$$\sum_{i,j=0}^{m-1} \lambda_{ij} M^i G_B M^j = \sum_{i,j=0}^{m-1} \lambda_{ij} M^i B_1 X B_2 M^j = \sum_{i,j=0}^{m-1} \lambda_{ij} B_1 M^i X M^j B_2 = B_1 \left(\sum_{i,j=0}^{m-1} \lambda_{ij} M^i X M^j\right) B_2 = A_1 G_B A_2 = B_1 G_A B_2.$$

Algorithm 1 provides a formal way to solve the DHDP protocol over .

###### Remark 14.

Observe that, in the proof of Theorem 13, Lemma 12 is applied after partitioning the congruences according to their moduli. Applied on the congruences modulo , it ensures the existence of a particular solution and a kernel matrix over . Using this data and the data of the congruences modulo we obtain a new set of solutions, which now solves the congruences modulo and modulo . Iterating this procedure we get the final set of solutions (all equivalent to break the scheme), exactly as in the proof of [micheli2018cryptanalysis, Proposition 15].

Running time. Let us analyse the running time of Algorithm 1. Observe that in the -th step we apply Lemma 12 to an matrix. By the running time of Lemma 12 we have -operations (which is bit operations) in the -th step. Since we repeat this step times, we get that to run Algorithm 1 we need bit operations.

### 3.1. A 2×2 example

Let and let and be public elements.

Alice chooses

$$A_1 = \begin{bmatrix} 0 & 1 \\ 0 & 3 \end{bmatrix}, \qquad A_2 = \begin{bmatrix} 1 & 1 \\ 0 & 2 \end{bmatrix}$$

and publishes . Bob chooses

$$B_1 = \begin{bmatrix} 0 & 1 \\ 0 & 3 \end{bmatrix}, \qquad B_2 = \begin{bmatrix} 0 & 1 \\ 0 & 1 \end{bmatrix}$$

and publishes . The shared secret is then

$$A_1 G_B A_2 = B_1 G_A B_2 = \begin{bmatrix} 0 & 2 \\ 0 & 2 \end{bmatrix}.$$

The attacker sees only

$$M = \begin{bmatrix} 1 & 1 \\ 0 & 2 \end{bmatrix}, \qquad X = \begin{bmatrix} 1 & 1 \\ 2 & 1 \end{bmatrix}, \qquad G_A = \begin{bmatrix} 0 & 0 \\ 2 & 0 \end{bmatrix}, \qquad G_B = \begin{bmatrix} 0 & 1 \\ 0 & 1 \end{bmatrix},$$

and wants to find .
In Step 1 of Algorithm 1, the attacker constructs

$$C = \sum_{i,j=1}^{m} \lambda_{ij} M^i X M^j = \begin{bmatrix} \lambda_{11}+\lambda_{12}+3\lambda_{21}+3\lambda_{22} & \lambda_{11}+3\lambda_{12}+2\lambda_{21}+3\lambda_{22} \\ 2\lambda_{11}+2\lambda_{12} & \lambda_{11}+2\lambda_{21} \end{bmatrix}.$$

This partitions into the following system of equations

$$\lambda_{11}+\lambda_{12}+3\lambda_{21}+3\lambda_{22} \equiv 0 \pmod 2, \qquad \lambda_{11}+3\lambda_{12}+2\lambda_{21}+3\lambda_{22} \equiv 0 \pmod 2$$

and

$$2\lambda_{11}+2\lambda_{12} \equiv 2 \pmod 4, \qquad \lambda_{11}+2\lambda_{21} \equiv 0 \pmod 4.$$

Setting

$$A^{(1)} = \begin{bmatrix} 1 & 1 & 3 & 3 \\ 1 & 3 & 2 & 3 \end{bmatrix}, \quad g_1 = \begin{bmatrix} 0 \\ 0 \end{bmatrix}, \quad A^{(2)} = \begin{bmatrix} 2 & 2 & 0 & 0 \\ 1 & 0 & 2 & 0 \end{bmatrix}, \quad g_2 = \begin{bmatrix} 2 \\ 0 \end{bmatrix}$$

and

$$\lambda = \begin{bmatrix} \lambda_{11} \\ \lambda_{12} \\ \lambda_{21} \\ \lambda_{22} \end{bmatrix},$$

we get that the final system is

$$A^{(1)} \lambda \equiv g_1 \pmod 2, \qquad A^{(2)} \lambda \equiv g_2 \pmod 4.$$

As a first step we solve the system with Lemma 12. We obtain the following solution set

$$\left\{ \bar\lambda + S\mu \;\middle|\; \mu \in \mathbb{Z}^4,\ S = \begin{bmatrix} 2 & 0 & 0 & 0 \\ 0 & 2 & 0 & 0 \\ 1 & 0 & 2 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} \text{ and } \bar\lambda = \begin{bmatrix} 0 \\ 3 \\ 0 \\ 0 \end{bmatrix} \right\}.$$

As a second step we sieve the solutions. Substituting the solution of into the new system, we get

$$A^{(1)} S \mu \equiv g_1 - A^{(1)} \bar\lambda \pmod 2,$$

which is

$$\begin{bmatrix} 5 & 2 & 6 & 3 \\ 4 & 6 & 4 & 3 \end{bmatrix} \mu \equiv \begin{bmatrix} -3 \\ -9 \end{bmatrix} \pmod 2.$$

Apply again Lemma 12 to find the particular solution and hence if we define

$$\bar\lambda \leftarrow \bar\lambda + S\bar\mu = \begin{bmatrix} 0 \\ 3 \\ 0 \\ 1 \end{bmatrix}$$

we get the exchanged secret
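The 2×2 example above, run end to end in code. This is an added illustration, not the authors' MAGMA implementation: it implements the row-wise modular arithmetic of Definition 1, computes the public values and shared secret of Protocol 4 from the example's matrices, and recovers the secret as in Theorem 13. Since the toy instance has only 256 candidate vectors λ, exhaustive search stands in for the Smith-normal-form solver of Lemma 12; the names `reduce_E`, `combo` and `attack` are ours.

```python
from itertools import product

P, M_DIM = 2, 2  # prime p and matrix size m of E_p^(m), as in Subsection 3.1

def reduce_E(a):
    """Reduce into E_p^(m): entries of row i (1-based) are taken mod p^i."""
    return [[x % P ** (i + 1) for x in row] for i, row in enumerate(a)]

def mul(a, b):
    """Ring product: ordinary matrix product followed by row-wise reduction."""
    n = len(a)
    return reduce_E([[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
                     for i in range(n)])

def add(a, b):
    return reduce_E([[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)])

def scale(c, a):
    """Multiply by the central element psi(c) of Lemma 6, i.e. by the integer c."""
    return reduce_E([[c * x for x in row] for row in a])

def powers(m, k):
    """[I, M, ..., M^(k-1)]; by Corollary 8 higher powers are not needed."""
    out = [[[int(i == j) for j in range(len(m))] for i in range(len(m))]]
    for _ in range(k - 1):
        out.append(mul(out[-1], m))
    return out

def combo(lam, m, x):
    """sum_{i,j} lambda_ij M^i X M^j: the shape of every A1 X A2 (Proposition 11)."""
    pw = powers(m, M_DIM)
    acc = [[0] * M_DIM for _ in range(M_DIM)]
    for (i, j), l in zip(product(range(M_DIM), repeat=2), lam):
        acc = add(acc, scale(l, mul(mul(pw[i], x), pw[j])))
    return acc

def attack(m, x, ga, gb):
    """Theorem 13: any lambda with combo(lambda, M, X) == GA yields the secret as
    combo(lambda, M, GB). Exhaustive search stands in for Lemma 12 (toy size only)."""
    for lam in product(range(P ** M_DIM), repeat=M_DIM * M_DIM):
        if combo(lam, m, x) == ga:
            return combo(lam, m, gb)
    return None

# Public parameters and secrets taken from the paper's 2x2 example
M, X = [[1, 1], [0, 2]], [[1, 1], [2, 1]]
A1, A2 = [[0, 1], [0, 3]], [[1, 1], [0, 2]]   # Alice
B1, B2 = [[0, 1], [0, 3]], [[0, 1], [0, 1]]   # Bob
GA, GB = mul(mul(A1, X), A2), mul(mul(B1, X), B2)  # published values
SECRET = mul(mul(A1, GB), A2)                       # what the attacker recovers
```

Note that `SECRET` comes out in reduced form, with the top row taken modulo 2, which is why it reads [0 0; 0 2] rather than the unreduced [0 2; 0 2] written above.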

### 3.2. Implementation of the attack

In [climent2014extension], Climent et al. proposed to use the DHDP protocol and the EGDP protocol with the parameters and . Table 1 shows the average running time in hours required to break the DHDP protocol over for and different values of , up to . The results of this table were obtained by a MAGMA [MR1484478] implementation on a personal computer with an Intel Core 6C i7-8700K processor at 3.7 GHz and 64 GB RAM.

From the running time analysis, we expect the time to be . This implies should be a linear function of having slope . In this experiment, we observe that the plot of vs is linear with the slope 9.98 (see Figure 1).

Notice that in Algorithm 1 solving a linear system over using Lemma 12 is the dominant part of the running time. This is done by transforming the matrix representing the linear system into its Smith normal form. In our implementation we used the built-in MAGMA function to compute the Smith normal form, where Magma [MR1484478] first uses sparse techniques to reduce the input matrix to a dense submatrix. Because of this, the running time of the algorithm varies from instance to instance, and hence we do not get a slope exactly equal to 10.

With regard to this implementation and the processor we used, it would take around 1700 days to break the proposed parameters, that is and . The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.

## Acknowledgment

The second author is thankful to the Swiss National Science Foundation under grant number 171248. This work has also been supported partly by the Swiss National Science Foundation under grant number 169510.