Public key cryptosystems are often based on number theoretical problems, such as integer factorization as in RSA [RSA] or the discrete logarithm problem over finite fields or over elliptic curves. The latter is the basis of well-known protocols such as the ElGamal protocol [elgamal] or the Diffie-Hellman key exchange protocol [diffie]. Increasing computing power threatens these classical cryptographic schemes, and new ambient spaces are demanded, for example involving noncommutative structures (see [anshel1999algebraic, ko2007towards, ko2000new, sakalauskas2003basic, sidel1994systems]). In nonabelian groups there are two main problems which give rise to cryptographic schemes: the semigroup action problem (SAP) [maze2005public] and the decomposition problem (DP). For an overview see [groupcrypto, decomposition]. These two problems are very similar: in the SAP one is given a finite semigroup acting on a finite set , for , such that there exists an with , and one wants to find , such that . In the DP one is given a nonabelian group , and , and one wants to find , such that .
Based on these two problems, J.J. Climent and J.A. López-Ramos proposed three protocols in [climent2016public] over a special ring of matrices involving operations modulo different powers of the same prime, called . Similar cryptosystems can be found in [doi:10.1142/S0219498817501481, Example 4.3.c]. This ring is a generalization of the ring that Climent, Navarro and Tortosa introduced in [ClimentEp]. The first cryptographic scheme based on this ring, proposed in [climent2012key], was broken in [Kamal2012]. This attack can be prevented by admitting only few invertible elements, as is the case in the ring [climent2014extension, Corollary 1]. In addition, another nice property of such rings is that they do not admit embeddings into matrix rings over a field (see [Bergman1974]), which is often the main weakness of cryptographic schemes over matrix rings (see for example [micheli2015cryptanalysis]); this prevents a reduction to small extensions of finite fields as in [menezes1997discrete].
The first protocol proposed in [climent2016public], based on the semigroup action problem over the ring , was broken by Micheli and Weger in [micheli2018cryptanalysis] using a solution sieve argument. In this paper we break the remaining two protocols proposed by Climent and López-Ramos in [climent2016public]; both are based on the decomposition problem over and turn out to be equivalent. They will be denoted by the Diffie-Hellman Decomposition Problem (DHDP) and the ElGamal Decomposition Problem (EGDP). For this we also rely on a solution sieve argument similar to the one in [micheli2018cryptanalysis].
This paper is organized as follows: in Section 2 we recall the definitions and properties of the ring and state the DHDP and EGDP protocols over . In Section 3 we present the practical attack on the DHDP protocol, which in turn also breaks the equivalent EGDP protocol. In Subsection 3.1 we illustrate the attack with an example. In Subsection 3.2 we break the scheme for many practical instances of the protocol and compare the actual running time of the attack with the predicted one. The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.
Let be a subset of a (possibly non-commutative) ring . We will denote the centralizer of by
When , is said to be the center of and will be denoted by . Let denote the natural numbers, i.e. and . For any commutative ring , and any two positive integers we will denote by the set of by matrices with coefficients in . If is an abelian group and is a ring acting on , we denote by the set of endomorphisms of as an -module. Notice that has a natural ring structure. For , we denote by the smallest subring of which contains and .
2. Cryptography over
Let us recall the definition of the matrix ring and its center, which were first introduced in [climent2014extension, Theorem 1].
Let be the following set of matrices.
To shorten the notation we will write . This set forms a ring with the addition and multiplication defined, respectively, as follows
Let us denote by the set . The ring acts on by the usual matrix multiplication.
[climent2016public, Theorem 2] The center of is given by the set
For , let us denote by the centralizer of , i.e. the set of elements , such that . Define the set
Let us recall the Diffie-Hellman decomposition problem, proposed in [decomposition, Example 3].
Definition 3 (DH Decomposition Problem (DHDP)).
Let be a semigroup, two subsemigroups such that for every and and assume that . Given two elements and , with and , find the element .
In [climent2016public], Climent and López-Ramos proposed two protocols based on the decomposition problem over : one of the protocols is a Diffie-Hellman key exchange and the other one is an ElGamal protocol, analogous to the Diffie-Hellman key exchange [diffie] and the ElGamal cryptosystem [elgamal] respectively.
Protocol 4 (DHDP protocol).
Alice and Bob agree on two public elements such that .
Alice chooses and sends to Bob.
Bob chooses such that and sends to Alice.
Alice computes .
Bob computes .
Since and commute for all , it is clear that Alice and Bob share a common value.
Protocol 5 (EGDP protocol).
Alice and Bob agree on a public element . Let be the secret that Bob wants to send Alice.
Alice chooses such that and two elements and publishes her public key .
Bob randomly chooses two elements and sends to Alice.
Alice recovers by computing .
Since and commute for all we have that
As observed in [climent2016public, Theorem 4], breaking the EGDP protocol is equivalent to breaking the DHDP protocol.
3. The attack
The center of the ring is isomorphic to as rings.
It is easy to see that the following map is a ring isomorphism
where and for . ∎
A direct generalization of Theorem 5 in [climent2011arithmetic] shows that if one looks at as a -module, then is isomorphic to . Using this fact and the Cayley-Hamilton Theorem, we can prove that the subring generated by a matrix in is a finite dimensional -module. To see this in detail, let us now recall the general statement of the Cayley-Hamilton Theorem.
[atiyah, Proposition 2.4] Let be a ring, let be a finitely generated -module, let be a module morphism and let be an ideal of , such that . Let be the number of elements needed to generate . Then there exist , such that
We now prove the corollary we are interested in.
For every , there exists , such that
In Theorem 7, set and , hence and a matrix in . It follows now immediately that has dimension less than or equal to (as a -module). ∎
Notice that in the statement and the proof of Corollary 8, could as well be replaced by since any element in acts as the zero morphism over .
Let . Then the map given by is a surjective -algebra homomorphism.
First, observe that thanks to Lemma 6 one can identify the center of with , from which it follows that the map is well defined. To see that is a surjective homomorphism, it is enough to view as and to notice that : in fact, using Lemma 6, there exist such that each of the ’s of a matrix in can be written as the diagonal matrix with entries .
Let and for some . Then there exists such that .
We use the following lemma, presented in [micheli2018cryptanalysis], in order to solve systems of linear equations over .
Lemma 12 (Lemma 14, [micheli2018cryptanalysis]).
Let for some . Let with , and . The set of solutions of
is either empty or there exists an matrix such that all solutions have the form
Also, and can be found in polynomial time.
Now we are ready for the main result.
The DHDP protocol over can be broken in polynomial time.
Let such that , and let and . Given and , we have to find .
Algorithm 1 provides a formal way to solve the DHDP protocol over .
Output: the exchanged secret
Observe that, in the proof of Theorem 13, Lemma 12 is applied after partitioning the congruences according to their moduli. Applied on the congruences modulo , it ensures the existence of a particular solution and a kernel matrix over . Using this data and the data of the congruences modulo we obtain a new set of solutions, which now solves the congruences modulo and modulo . Iterating this procedure we get the final set of solutions (all equivalent to break the scheme), exactly as in the proof of [micheli2018cryptanalysis, Proposition 15].
Running time. Let us analyse the running time of Algorithm 1. Observe that in the -th step we apply Lemma 12 to an matrix. By the running time of Lemma 12 we need -operations (that is, bit operations) in the -th step. Since this step is repeated times, running Algorithm 1 needs bit operations.
3.1. An example
Let and let and be public elements.
and publishes . Bob chooses
and publishes . The shared secret is then
The attacker sees only
and wants to find .
In Step 1 of Algorithm 1, the attacker constructs
This partitions into the following system of equations
we get that the final system is
As a first step we solve the system with Lemma 12. We obtain the following solution set
As a second step we sieve the solutions: we substitute the solution of into the new system and get
Applying Lemma 12 again we find the particular solution , and hence, if we define
we get the exchanged secret
3.2. Implementation of the attack
In [climent2014extension], Climent et al. proposed to use the DHDP and EGDP protocols with the parameters and . Table 1 shows the average running time in hours required to break the DHDP protocol over for and different values of , up to . The results in this table were obtained with a MAGMA [MR1484478] implementation on a personal computer with an Intel Core 6C i7-8700K processor at 3.7 GHz and 64 GB of RAM.
Table 1: time (in hours)
From the running time analysis we expect the time to be . This implies that should be a linear function of with slope . In this experiment we observe that the plot of vs is linear with slope 9.98 (see Figure 1).
Notice that in Algorithm 1 solving a linear system over using Lemma 12 is the dominant part of the running time. This is done by transforming the matrix representing the linear system into its Smith normal form. In our implementation we used the built-in MAGMA [MR1484478] function to compute the Smith normal form, which first uses sparse techniques to reduce the input matrix to a dense submatrix. Because of this the running time of the algorithm varies from instance to instance, and hence the observed slope is not exactly 10.
With regard to this implementation and the processor we used, it would take around 1700 days to break the proposed parameters, that is and . The code we used is available at https://www.math.uzh.ch/aa/uploads/media/DHDP_attack.
The second author is thankful to the Swiss National Science Foundation under grant number 171248. This work has also been supported partly by the Swiss National Science Foundation under grant number 169510.