1 Introduction
Since the advent of Shor’s algorithm, it has been desirable to study alternatives to the DiffieHellman key exchange [diffie1976new]. One approach to this problem appeals to a more complex group structure: recall that for (semi)groups and a homomorphism , the semidirect product of by with respect to ,
, is the set of ordered pairs
equipped with multiplicationIf and is the identity automorphism, we get the holomorph . In this case, multiplication has the form
The semidirect product can be used to generalise the DiffieHellman key exchange [habeeb2013public] via a general protocol sometimes known as the “noncommutative shift”. Originally, the semigroup of matrices over the group ring is proposed as the platform; however, this turned out to be vulnerable to the type of attack (the socalled “dimension attack”) by linear algebra described in [myasnikov2015linear],[roman2015linear]^{1}^{1}1Both of the terms noncommutative shift and dimension attack are coined by the authors of [myasnikov2015linear]. Other platforms used include tropical algebras [grigoriev2014tropical] and free nilpotent groups [kahrobaei2016using]. The former is shown to be insecure in [isaac2021closer], [kotov2018analysis].
In the MOBS protocol [rahmanmobs], one takes the platform as matrices over the semiring formed by bitstrings under Boolean operations. The hope is that the lack of additive structure in the semiring removes some of the linearity which has left other schemes of this type vulnerable [myasnikov2015linear], [roman2015linear]. In [brown2021cryptanalysis], however, one exploits an equation known as the “telescoping equality”. The equation allows recovery of a quantity that in some sense encodes information about the private exponents used in key exchange by solving a linear equations. In fact, the telescoping equality is inherent to all schemes of this type; however, the solution is not necessarily unique in the general case. In this report we present computational evidence that the number of solutions to this equation in the case of MOBS is sufficiently large to render a telescoping equalitytype attack impractical with the suggested parameters. Indeed, the level of security is considerably better than claimed in the proposal of the scheme.
2 Mobs
In the following let denote the product .
The set of bit strings under the Boolean OR and AND operations forms a semiring; the set of square matrices over this semiring therefore has a notion of multiplication. Call the semigroup of matrices under this multiplication . Note that any permutation of a bit string can be extended to a a function on , simply by applying the permutation to each entry of an element of . In fact, doing so yields an automorphism of . Let and such an automorphism, and suppose is a public holomorph element. Alice and Bob can arrive at a shared secret key as follows:

Alice picks random and calculates and sends to Bob.

Bob similarly calculates a value corresponding to random , and sends it to Alice.

Alice calculates and arrives at her key . She does not actually calculate the product explicitly since she does not know the value of ; however, it is not required to calculate the first component of the product.

Bob similarly calculates his key as .
Since , , we have
and therefore .
2.1 Parameters and Security
The designers of MOBS suggest parameters . We also require a highorder permutation; to do this we use a product of prime cycles, the order of which will be the product of the primes. is therefore used as it is the sum of the first primes.
Infeasibility of key recovery can be reduced to a cousin of the Compuational DiffieHellman assumption, which does not appear to be reducible to a discretelog type problem. We do not give the details as the attack we are interested in is unrelated to solving this security problem.
3 The Telescoping Equality
In the following suppose one round of key exchange has been observed by an eavesdropper, and is fixed corresponding to some fixed . Using a similar splitting of products as above we can show that
The data are all available to the eavesdropper; the value apparently encodes some information about the private exponent . In order for this to be useful we need to answer two questions:

Can we recover ?

Given , can we recover full or partial information about the private key ?
The answer to the latter question is yes; we can simply compare and to recover the permutation by inspection, then calculate , which is the key.
However, consider the equation . Certainly is admissible; however, since we are in a semigroup, this is not necessarily a unique solution. The purpose of this investigation is to determine how many solutions there are, thereby judging the feasibility of an attack by the telescoping equality. We also investigate the relationship between the number of solutions to a particular instance of the telescoping equality corresponding to semigroup element , and the size of the left principal semigroup ideal generated by ; that is, the size of the set .
4 Experiment Design
The matrix semigroup is just the direct sum of semigroups of matrices whose entries are single bits (socalled “Boolean matrices”). This means that we can decompose the telescoping equality into singlebit matrix equations, and ‘reassembling’ any combination of the singlebit solutions will give a solution to the telescoping equality. To find solutions to the singlebit equations we simply try all possible singlebit matrices, of which there are .
Since Python already allows AND/OR operations on its Boolean values ‘True’ and ‘False’ we represent the matrices as nested lists of ‘True’, ‘False’ values; that is, a random matrix is generated like this:
def randstring(k): string = [] for i in range(k): m = randint(0,1) if m == 0: string.append(False) if m == 1: string.append(True) return string def rand_bool_mat(n,k): matrix = [] for i in range(n): matrix.append([]) for j in range(n): matrix[i].append(randstring(k)) return matrix
We carry out three experiments, each time counting the logarithm of the number of admissible values in the telescoping equality:

Fix a public matrix and vary the private exponent

Fix the private exponent and vary the public matrix

Fix the private exponent and vary the public matrix , each time counting the size of the left principal ideal generated by
Since we will need a list of all singlebit matrices to iterate through, we generate this outside the loop for less expensive computation. The function all_matrices obtains all length bitstrings from the binary representation of the integers from to , then ‘folds’ them into singlebit matrices.
global mats mats = all_matrices(3)
In accordance with our general strategy we also need a function to count the number of solutions to singlebit matrix equations. We use the following (where prod_bool_mat is just used for the matrix multiplication):
def count_singlebit_solutions(a, b): count = 0 for x in mats: if a == prod_bool_mat(x, b): count = count + 1 else: count = count + 0 return count
We output the total number of elements in the preset global iterable mats such that , where are the input matrices. Because any reassembly of singlebit solutions gives a solution to the full equation, the number of solutions to the full equation is the product of the number of solutions to each singlebit equation:
def count_solutions(a, b): ct = 1 for i in range(len(a[0][0])): ct = ct * count_singlebit_solutions(pull(i, a), pull(i, b)) return ct
The function pull simply returns the singlebit matrix formed by the th component of each bitstring entry. We are now ready to define the first of our experiments:
def count_telescope_solutions_1(M,h): x = randint(2**n, 2**m) a = generate_A(M,h,x) b = prod_bool_mat(h(a), M) return log(count_solutions(a, b))
Since the matrix and matrix permutation are to be fixed and the exponent varied, the matrix and permutation are defined outside of the function. The range of values the exponent can be randomly selected from is defined within the function by the parameters .
For the second experiment:
def count_telescope_solutions_2(h, x, n, k): M = rand_bool_mat(n, k) a = generate_A(M,h,x) b = prod_bool_mat(h(a), M) return log(count_solutions(a, b))
This time we need to input the fixed exponent, and the parameters from which random matrices are generated. We output the logarithm for ease of data visualisation.
Finally, we need a way to count the size of the left principal ideal generated by ; that is, the size of the set . We can again exploit the fact that the matrix semigroup is a direct sum of singlebit matrix semigroups: we count the size of the ideal generated by each singlebit matrix, then multiply these numbers. To count the singlebit solutions:
def count_singlebit_orbit(M): orbit = [] for y in mats: if not check_membership(prod_bool_mat(y, M), orbit): orbit.append(prod_bool_mat(y, M)) return len(orbit)
We can then calculate the size of the full ideal:
def count_orbit(M): n = len(M) k = len(M[0][0]) orbit_count = 1 for i in range(k): orbit_count = orbit_count * count_singlebit_orbit(pull(i, M)) return orbit_count
Keeping the exponent fixed and varying the public matrix, the final experiment is assembled as follows.
def count_telescoping_solutions_orbit(m_p, m_s, b_l, exp): M = rand_bool_mat(matrix_size, bitstring_length) a = generate_A(M, matrix_permutation, exponent) b = prod_bool_mat(matrix_permutation(a), M) return (count_orbit(a), count_solutions(a, b))
5 Results
The experiments ran on matrices, with three different values of . Each value of is the sum of the first few primes. The results of the trials suggest that:

Each matrix corresponds to a fixed number of solutions to the telescoping equality, regardless of exponent

With the parameters suggested, there are sufficiently many solutions to the telescoping equation for any matrix to make an attack via the telescoping equality infeasible

There is negative correlation between the size of the ideal generated by a particular exchange value and the number of solutions to the corresponding telescoping equality
5.1 Independence from Exponent
When the matrix and permutation are fixed but the exponent in the calculation of the exchange value is varied, over several thousand trials we did not encounter a case where the number of solutions changed. This suggests that the number of solutions to the telescoping equality is independent of the exponent, although we do not have an explanation for this behaviour.
For our purposes, assuming that independence from exponent does indeed hold, we conclude that we can run the remaining experiments on small (arbitrarily we decide on 100) exponents for less expensive computation; that is, we do not need to use the large parameters suggested by the authors of MOBS^{2}^{2}2In fact, we find that the number of solutions is dependent on exponent for very small values of exponent, but stabilise after a while to independence of exponent; we therefore choose a fixed exponent to balance low computational cost with surpassing this boundary. However, we note a curious detail: with a small tweak to the experiment count_telescoping_solutions_1 we can output a list of the number of solutions to the singlebit equations, rather than their product (the original output). Changing the exponent seems to permute the output list; for example, consider the matrix with bit entries given by:
The following table gives the exponent used for calculation in its first column, then the number of solutions to each singlebit matrix equation in order.
494  49  72  343  343  72  216  343  49  343  216 
442  216  72  343  343  72  216  343  49  49  343 
511  49  72  343  343  72  49  343  343  216  216 
461  49  72  343  343  72  49  343  343  216  216 
423  343  72  343  343  72  49  343  216  216  49 
431  49  72  343  343  72  49  343  343  216  216 
363  343  72  343  343  72  49  343  216  216  49 
357  216  72  343  343  72  216  343  49  49  343 
349  49  72  343  343  72  216  343  49  343  216 
270  216  72  343  343  72  343  343  216  49  49 
5.2 Number of Solutions
Figure 1 shows a histogram of the logarithm of the number of solutions to the telescoping equality when the exponent and permutation are fixed and the public matrix is varied, conducted over a thousand trials. The key takeaway is that in all trials there are far too many solutions to make recovering the correct one a viable strategy; for the suggested parameter even the smallest number of solutions is in the range of
, and this number of solutions did not occur frequently. The histograms also seem to suggest that the number of solutions are roughly normally distributed within their range.
5.3 Number of Solutions vs. Ideal Size
Figure 2 shows the logarithm of the number of solutions against the logarithm of the size of the principal ideal generated by the corresponding value of . The tests were conducted over a thousand trials with matrices; for each trial, the matrix permutation and exponent are kept constant. The graphs exhibit reasonably strong negative correlation, which one would naively expect  a larger ideal means that lands on the quantity in the telescoping equality less frequently. The vertical lines in graph (a) show that for two matrices whose corresponding exchange value has the same ideal size, their corresponding telescoping equality does not necessarily have the same number of solutions. Indeed, these vertical lines would be present on the other two graphs at higher resolution. We also point out that experiments into ideal size when exponent was varied and other parameters fixed yield similar results to those when number of solutions is counted.
6 Conclusions
6.1 Security Implications
We know of no better way of identifying which of the quantities satisfying the telescoping equality is the correct value to conduct an attack than simply guessing. The large number of solutions in our results suggest that the probability of choosing the correct value is vanishingly small. Moreover, the technique of decomposition and reassembly reduces the number of matrix multiplications from
to . As far as we know, then, the methods described above are the optimal method of conducting an attack by the telescoping equality. We conclude that the basic attack by the telescoping equality will not work against this scheme.However, given that there appears to be negative correlation between ideal size and number of solutions, one should be careful to choose a public matrix such that the corresponding exchange values generate small ideals. This is more pertinent should one wish to use smaller parameter sizes.
6.2 Relationship to Monico Attack
In [cryptoeprint:2021:1114] a polynomialtime attack on the MOBS protocol related to our discussion is given. The strategy is to find an integer such that ; one certainly exists by the telescoping equality. It turns out that such an will satisfy . One can effectively find such an by combining the fact that the permutation is made up of disjoint primeorder cycles, and that the matrix group decomposes as a direct sum in the way we have discussed throughout this report.
Towards generalising the attack, for any public automorphism Monico points out that one need only find an automorphism such that commutes with , and the equality holds. It is not clear that MOBS has any inherent vulnerability to recovery of such a ; rather, we exploit the structure of to find an example of such a . Should a different automorphism be used, therefore, the methods of [cryptoeprint:2021:1114] do not immediately guarantee an effective method of key recovery. However, as our experimental results suggest that a public pair corresponding to an exchange value with large ideal size is bad for security, one must be careful to balance these considerations.
7 Acknowledgement
We thank Vladimir Shpilrain for helpful comments and discussions.
Comments
There are no comments yet.