1. Introduction
Public key cryptosystems are often based on number-theoretic problems, such as integer factorization as in RSA [RSA] or the discrete logarithm problem over finite fields or over elliptic curves. The latter is the basis of well-known protocols such as the ElGamal protocol [elgamal] or the Diffie-Hellman key exchange protocol [diffie]. Increasing computing power threatens these classical cryptographic schemes and new ambient spaces are demanded, for example involving noncommutative structures (see [anshel1999algebraic, ko2007towards, ko2000new, sakalauskas2003basic, sidel1994systems]). In nonabelian groups there are two main problems which give rise to cryptographic schemes: the semigroup action problem (SAP) [maze2005public] and the decomposition problem (DP). For an overview see [groupcrypto, decomposition]. These two problems are very similar: in the SAP one is given a finite semigroup acting on a finite set , for , such that there exists an with , and one wants to find such that . In the DP one is given a nonabelian group , and , and one wants to find such that .
Based on these two problems, J.J. Climent and J.A. López-Ramos proposed three protocols in [climent2016public] over a special ring of matrices involving operations modulo different powers of the same prime, called . Similar cryptosystems can be found in [doi:10.1142/S0219498817501481, Example 4.3.c]. This ring is a generalization of the ring that Climent, Navarro and Tortosa introduced in [ClimentEp]. The first cryptographic scheme based on [climent2012key] was broken in [Kamal2012]. This attack can be prevented by admitting only few invertible elements, as is the case in the ring [climent2014extension, Corollary 1]. In addition, another nice property of such rings is that they do not admit embeddings into matrix rings over a field (see [Bergman1974]), which is often the main weakness of cryptographic schemes over matrix rings (see for example [micheli2015cryptanalysis]); this prevents a reduction to small extensions of finite fields as in [menezes1997discrete].
The first protocol proposed in [climent2016public], based on the semigroup action problem over the ring , was broken by Micheli and Weger in [micheli2018cryptanalysis] using a solution sieve argument. In this paper we break the remaining two protocols proposed by Climent and López-Ramos in [climent2016public]; both are based on the decomposition problem over and happen to be equivalent. They will be denoted by the Diffie-Hellman Decomposition Problem (DHDP) and the ElGamal Decomposition Problem (EGDP). For this we also rely on a solution sieve argument similar to the one in [micheli2018cryptanalysis].
This paper is organized as follows: in Section 2 we recall the definitions and properties of the ring and state the DHDP and EGDP protocols over . In Section 3 we present the practical attack on the DHDP protocol, which in turn will also break the equivalent EGDP protocol. In Subsection 3.1 we show in an example how the attack works. In Subsection 3.2 we break the scheme for many practical instances of the protocol and see how the actual running time of the attack compares with the predicted one. The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.
1.1. Notation
Let be a subset of a (possibly noncommutative) ring . We will denote the centralizer of by
When , is said to be the center of and will be denoted by . Let denote the natural numbers, i.e. and . For any commutative ring and any two positive integers we denote by the set of by matrices with coefficients in . If is an abelian group and is a ring acting on , we denote by the set of endomorphisms of as an module. Notice that has a natural ring structure. For , we denote by the smallest subring of which contains and .
2. Cryptography over
Let us recall the definition of the matrix ring and its center, which were first introduced in [climent2014extension, Theorem 1].
Definition 1.
Let be the following set of matrices.
To shorten the notation we will write . This set forms a ring with the addition and multiplication defined, respectively, as follows
Let us denote by the set . The ring acts on by the usual matrix multiplication.
Theorem 2.
[climent2016public, Theorem 2] The center of is given by the set
For , let us denote by the centralizer of , i.e. the set of elements , such that . Define the set
Let us recall the DiffieHellman decomposition problem, proposed in [decomposition, Example 3].
Definition 3 (DH Decomposition Problem (DHDP)).
Let be a semigroup, two subsemigroups such that for every and and assume that . Given two elements and , with and , find the element .
In [climent2016public], Climent and López-Ramos proposed two protocols based on the decomposition problem over : one of them is a Diffie-Hellman key exchange and the other is an ElGamal protocol, analogous to the Diffie-Hellman key exchange [diffie] and the ElGamal cryptosystem [elgamal], respectively.
Protocol 4 (DHDP protocol).
Alice and Bob agree on two public elements such that .

Alice chooses and sends to Bob.

Bob chooses such that and sends to Alice.

Alice computes .

Bob computes .
Since and commute for all , it is clear that Alice and Bob share a common value.
Protocol 5 (EGDP protocol).
Alice and Bob agree on a public element . Let be the secret that Bob wants to send Alice.

Alice chooses such that and two elements and publishes her public key .

Bob chooses randomly two elements and sends to Alice.

Alice recovers by computing .
Since and commute for all we have that
As observed in [climent2016public, Theorem 4], breaking the EGDP protocol is equivalent to breaking the DHDP protocol.
3. The attack
In this section we provide an algorithm to break the DHDP protocol over the ring . As mentioned in Protocol 4 and Protocol 5, the two subgroups used are and for a publicly known .
Lemma 6.
The center of the ring is isomorphic to as rings.
Proof.
It is easy to see that the following map is a ring isomorphism
where and for . ∎
A direct generalization of Theorem 5 in [climent2011arithmetic] shows that if one looks at as a module, then is isomorphic to . Using this fact and the Cayley-Hamilton Theorem, we can prove that the subring generated by a matrix in is a finite dimensional module. To see this in detail, let us now recall the general statement of the Cayley-Hamilton Theorem.
Theorem 7.
[atiyah, Proposition 2.4] Let be a ring, let be a finitely generated module, let be a module morphism and let be an ideal of , such that . Let be the number of elements needed to generate . Then there exist , such that
We now prove the corollary we are interested in.
Corollary 8.
For every , there exists , such that
Proof.
In Theorem 7, set and , hence and a matrix in . It follows now immediately that has dimension less than or equal to (as a module). ∎
Remark 9.
Notice that in the statement and the proof of Corollary 8, could as well be replaced by since any element in acts as the zero morphism over .
Lemma 10.
Let . Then the map given by is a surjective algebra homomorphism.
Proof.
First, one should observe that thanks to Lemma 6 one can identify the center of with , from which it follows that the map is well defined. To see that is a surjective homomorphism, it is enough to look at as and to notice that : in fact, using Lemma 6, there exist such that each ’s of a matrix in can be written as the diagonal matrix with entries . ∎
Proposition 11.
Let and for some . Then there exists such that .
We use the following lemma in order to solve a system of linear equations over , which was presented in [micheli2018cryptanalysis].
Lemma 12 (Lemma 14, [micheli2018cryptanalysis]).
Let for some . Let with , and . The set of solutions of
(3.1) 
is either empty or there exists an matrix such that all solutions have the form
Also, and can be found in polynomial time.
Now we are ready for the main result.
Theorem 13.
The DHDP protocol over can be broken in polynomial time.
Proof.
Let such that , and let and . Given and , we have to find .
Using Proposition 11, we know that there exist such that . We use Lemma 12 to solve this system of linear equations for . Then the exchanged secret is given by
Algorithm 1 provides a formal way to solve the DHDP protocol over .
Input:
Output: the exchanged secret
(i) 
∎
Remark 14.
Observe that, in the proof of Theorem 13, Lemma 12 is applied after partitioning the congruences according to their moduli. Applied to the congruences modulo , it ensures the existence of a particular solution and a kernel matrix over . Using this data together with the congruences modulo we obtain a new set of solutions, which now solves the congruences modulo and modulo . Iterating this procedure we get the final set of solutions (any of which breaks the scheme), exactly as in the proof of [micheli2018cryptanalysis, Proposition 15].
Running time. Let us analyse the running time of Algorithm 1. Observe that in the th step we apply Lemma 12 to an matrix. By the running time of Lemma 12 we need operations (which is bit operations) in the th step. Since we repeat this step times, Algorithm 1 needs bit operations in total.
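To make Lemma 12 and the sieving step of Remark 14 concrete, here is an added Python example; it is not the paper's MAGMA implementation but an editor's illustration. It solves a linear system over Z/p^t, returning a particular solution and a kernel matrix as in Lemma 12, and then sieves in the sense of Remark 14: it substitutes x = x0 + K y into a second system modulo a higher power of p and solves for y. Two things are the editor's own choices rather than the paper's: the elimination pivots directly on the entry of least p-adic valuation (Z/p^t is a local ring, so this yields the same diagonal form and the same solution set as a Smith normal form computation), and the sieve assumes the first modulus divides the second. The toy systems (p = 3, one congruence modulo 3 and two modulo 9) are constructed for illustration only.

```python
from itertools import product

def valuation(x, p, t):
    """p-adic valuation of x as an element of Z/p^t (the zero class gets t)."""
    x, v = x % p ** t, 0
    while v < t and x % p == 0:
        x, v = x // p, v + 1
    return v

def matvec(A, x, q):
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]

def matmul(A, B, q):
    return [[sum(a * B[k][j] for k, a in enumerate(row)) % q for j in range(len(B[0]))] for row in A]

def drop_zero_columns(K):
    keep = [j for j in range(len(K[0])) if any(row[j] for row in K)]
    return [[row[j] for j in keep] for row in K]

def solve_mod_prime_power(A, b, p, t):
    """Lemma 12: return (x0, K) with {solutions of A x = b over Z/p^t} = {x0 + K y}, or None."""
    q, m, n = p ** t, len(A), len(A[0])
    M = [[a % q for a in row] for row in A]
    rhs = [v % q for v in b]
    V = [[int(i == j) for j in range(n)] for i in range(n)]  # accumulated column operations
    pivots = []  # (k, v): after elimination M[k][k] == p^v
    for k in range(min(m, n)):
        # Z/p^t is local, so an entry of least valuation divides the whole trailing
        # submatrix and one pass clears its row and column (no iteration needed).
        cand = [(valuation(M[i][j], p, t), i, j) for i in range(k, m) for j in range(k, n)]
        v, i, j = min(cand)
        if v == t:
            break  # trailing submatrix is zero modulo p^t
        M[k], M[i], rhs[k], rhs[i] = M[i], M[k], rhs[i], rhs[k]
        for row in M + V:
            row[k], row[j] = row[j], row[k]
        pv = p ** v
        uinv = pow(M[k][k] // pv, -1, q)  # normalise the pivot to exactly p^v
        M[k] = [a * uinv % q for a in M[k]]
        rhs[k] = rhs[k] * uinv % q
        for i in range(m):  # row operations, mirrored on the right-hand side
            if i != k and M[i][k]:
                f = M[i][k] // pv
                M[i] = [(a - f * c) % q for a, c in zip(M[i], M[k])]
                rhs[i] = (rhs[i] - f * rhs[k]) % q
        for j in range(n):  # column operations, mirrored on V
            if j != k and M[k][j]:
                f = M[k][j] // pv
                for row in M + V:
                    row[j] = (row[j] - f * row[k]) % q
        pivots.append((k, v))
    # M = U A V is now diagonal; solve for z, then x = V z.  A pivot p^v leaves
    # z_k determined only modulo p^(t-v); unpivoted coordinates are free.
    z0, scale = [0] * n, [1] * n
    for k, v in pivots:
        if rhs[k] % p ** v:
            return None
        z0[k] = rhs[k] // p ** v % p ** (t - v)
        scale[k] = p ** (t - v) % q
    if any(rhs[i] for i in range(len(pivots), m)):
        return None
    K = [[V[i][j] * scale[j] % q for j in range(n)] for i in range(n)]
    return matvec(V, z0, q), drop_zero_columns(K)

def sieve_solutions(A1, b1, t1, A2, b2, t2, p):
    """Remark 14 style sieve: solve A1 x = b1 (mod p^t1), substitute x = x0 + K y
    into A2 x = b2 (mod p^t2), t1 <= t2, and solve for y.  Returns (x0, K) mod p^t2."""
    if t1 > t2:
        raise ValueError("the first modulus must divide the second")
    q2, first = p ** t2, solve_mod_prime_power(A1, b1, p, t1)
    if first is None:
        return None
    x0, K = first
    n = len(x0)
    # Modulo p^t2 the first solution set is x0 + K y + p^t1 w: extend K by p^t1 * I.
    Kaug = [K[i] + [p ** t1 * int(i == j) for j in range(n)] for i in range(n)]
    c = [(bi - ai) % q2 for bi, ai in zip(b2, matvec(A2, x0, q2))]
    second = solve_mod_prime_power(matmul(A2, Kaug, q2), c, p, t2)
    if second is None:
        return None
    y0, K2 = second
    x1 = [(a + d) % q2 for a, d in zip(x0, matvec(Kaug, y0, q2))]
    return x1, drop_zero_columns(matmul(Kaug, K2, q2))

def enumerate_solutions(x0, K, q):
    """Expand {x0 + K y} explicitly (tiny instances only)."""
    cols = len(K[0])
    return {tuple((xi + sum(K[i][j] * y[j] for j in range(cols))) % q for i, xi in enumerate(x0))
            for y in product(range(q), repeat=cols)}

def brute_force(A1, b1, t1, A2, b2, t2, p, n):
    """Independent check: try every vector modulo p^t2 against both systems."""
    q1, q2 = p ** t1, p ** t2
    return {x for x in product(range(q2), repeat=n)
            if matvec(A1, x, q1) == [v % q1 for v in b1] and matvec(A2, x, q2) == [v % q2 for v in b2]}

if __name__ == "__main__":
    # Constructed toy instance (p = 3): one congruence modulo 3 and two modulo 9.
    x0, K = sieve_solutions([[1, 2, 0]], [1], 1, [[3, 1, 2], [0, 3, 1]], [4, 7], 2, 3)
    print("x0 =", x0, " K =", K, " solutions:", sorted(enumerate_solutions(x0, K, 9)))
```

On the toy instance the sieve returns the particular solution (3, 2, 1) and a kernel matrix whose columns all lie in the first coordinate, so the three solutions modulo 9 are (0, 2, 1), (3, 2, 1) and (6, 2, 1); `brute_force` confirms this by testing all 729 vectors. Note that the kernel matrix returned for a system over Z/p^t is a generating set, not a basis: a unit pivot fixes its coordinate (zero column, dropped), while a pivot p^v with v > 0 leaves a coordinate free modulo p^(t-v), which is why the lifting step has to add p^t1 times the identity before substituting into the second system.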
3.1. An example
Let and let and be public elements.
Alice chooses
and publishes . Bob chooses
and publishes . The shared secret is then
This partitions into the following system of equations
and
Setting
and
we get that the final system is
As a first step we solve the system with Lemma 12. We obtain the following solution set
As a second step we sieve the solutions: substituting the solution of into the new system, we get
which is
Applying Lemma 12 again, we find the particular solution , and hence, if we define
we get the exchanged secret
3.2. Implementation of the attack
In [climent2014extension], Climent et al. proposed to use the DHDP and EGDP protocols with the parameters and . Table 1 shows the average running time in hours required to break the DHDP protocol over for and different values of , up to . The results in this table were obtained with a MAGMA [MR1484478] implementation on a personal computer with an Intel Core i7-8700K (6 cores) processor at 3.7 GHz and 64 GB RAM.
parameter   time (in hours)
32          0.062
36          0.197
40          0.537
44          1.145
48          2.394
52          6.368
56          16.532
60          28.990
From the running time analysis, we expect the time to be . This implies that should be a linear function of with slope . In this experiment, we observe that the plot of vs is linear with slope 9.98 (see Figure 1).
Notice that in Algorithm 1 solving a linear system over using Lemma 12 is the dominant part of the running time. This is done by transforming the matrix representing the linear system into its Smith normal form. In our implementation we used the built-in MAGMA function to compute the Smith normal form; MAGMA [MR1484478] first uses sparse techniques to reduce the input matrix to a dense submatrix. Because of this the running time of the algorithm varies from instance to instance, and hence the observed slope is not exactly equal to 10.
With regard to this implementation and the processor we used, it would take around 1700 days to break the proposed parameters, that is and . The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.
Acknowledgment
The second author is thankful to the Swiss National Science Foundation under grant number 171248. This work has also been supported partly by the Swiss National Science Foundation under grant number 169510.