Since the advent of Shor’s algorithm, it has been desirable to study alternatives to the Diffie-Hellman key exchange [diffie1976new]. One approach to this problem appeals to a more complex group structure: recall that for (semi)groups and a homomorphism , the semidirect product of by with respect to ,
, is the set of ordered pairsequipped with multiplication
If and is the identity automorphism, we get the holomorph . In this case, multiplication has the form
The semidirect product can be used to generalise the Diffie-Hellman key exchange [habeeb2013public] via a general protocol sometimes known as the “non-commutative shift”. Originally, the semigroup of matrices over the group ring is proposed as the platform; however, this turned out to be vulnerable to the type of attack (the so-called “dimension attack”) by linear algebra described in [myasnikov2015linear],[roman2015linear]111Both of the terms non-commutative shift and dimension attack are coined by the authors of [myasnikov2015linear]. Other platforms used include tropical algebras [grigoriev2014tropical] and free nilpotent -groups [kahrobaei2016using]. The former is shown to be insecure in [isaac2021closer], [kotov2018analysis].
In the MOBS protocol [rahmanmobs], one takes the platform as matrices over the semiring formed by bitstrings under Boolean operations. The hope is that the lack of additive structure in the semiring removes some of the linearity which has left other schemes of this type vulnerable [myasnikov2015linear], [roman2015linear]. In [brown2021cryptanalysis], however, one exploits an equation known as the “telescoping equality”. The equation allows recovery of a quantity that in some sense encodes information about the private exponents used in key exchange by solving a linear equations. In fact, the telescoping equality is inherent to all schemes of this type; however, the solution is not necessarily unique in the general case. In this report we present computational evidence that the number of solutions to this equation in the case of MOBS is sufficiently large to render a telescoping equality-type attack impractical with the suggested parameters. Indeed, the level of security is considerably better than claimed in the proposal of the scheme.
In the following let denote the product .
The set of -bit strings under the Boolean OR and AND operations forms a semiring; the set of square matrices over this semiring therefore has a notion of multiplication. Call the semigroup of matrices under this multiplication . Note that any permutation of a -bit string can be extended to a a function on , simply by applying the permutation to each entry of an element of . In fact, doing so yields an automorphism of . Let and such an automorphism, and suppose is a public holomorph element. Alice and Bob can arrive at a shared secret key as follows:
Alice picks random and calculates and sends to Bob.
Bob similarly calculates a value corresponding to random , and sends it to Alice.
Alice calculates and arrives at her key . She does not actually calculate the product explicitly since she does not know the value of ; however, it is not required to calculate the first component of the product.
Bob similarly calculates his key as .
Since , , we have
and therefore .
2.1 Parameters and Security
The designers of MOBS suggest parameters . We also require a high-order permutation; to do this we use a product of prime cycles, the order of which will be the product of the primes. is therefore used as it is the sum of the first primes.
Infeasibility of key recovery can be reduced to a cousin of the Compuational Diffie-Hellman assumption, which does not appear to be reducible to a discrete-log type problem. We do not give the details as the attack we are interested in is unrelated to solving this security problem.
3 The Telescoping Equality
In the following suppose one round of key exchange has been observed by an eavesdropper, and is fixed corresponding to some fixed . Using a similar splitting of products as above we can show that
The data are all available to the eavesdropper; the value apparently encodes some information about the private exponent . In order for this to be useful we need to answer two questions:
Can we recover ?
Given , can we recover full or partial information about the private key ?
The answer to the latter question is yes; we can simply compare and to recover the permutation by inspection, then calculate , which is the key.
However, consider the equation . Certainly is admissible; however, since we are in a semigroup, this is not necessarily a unique solution. The purpose of this investigation is to determine how many solutions there are, thereby judging the feasibility of an attack by the telescoping equality. We also investigate the relationship between the number of solutions to a particular instance of the telescoping equality corresponding to semigroup element , and the size of the left principal semigroup ideal generated by ; that is, the size of the set .
4 Experiment Design
The matrix semigroup is just the direct sum of semigroups of matrices whose entries are single bits (so-called “Boolean matrices”). This means that we can decompose the telescoping equality into single-bit matrix equations, and ‘reassembling’ any combination of the single-bit solutions will give a solution to the telescoping equality. To find solutions to the single-bit equations we simply try all possible single-bit matrices, of which there are .
Since Python already allows AND/OR operations on its Boolean values ‘True’ and ‘False’ we represent the matrices as nested lists of ‘True’, ‘False’ values; that is, a random matrix is generated like this:
def randstring(k): string =  for i in range(k): m = randint(0,1) if m == 0: string.append(False) if m == 1: string.append(True) return string def rand_bool_mat(n,k): matrix =  for i in range(n): matrix.append() for j in range(n): matrix[i].append(randstring(k)) return matrix
We carry out three experiments, each time counting the logarithm of the number of admissible values in the telescoping equality:
Fix a public matrix and vary the private exponent
Fix the private exponent and vary the public matrix
Fix the private exponent and vary the public matrix , each time counting the size of the left principal ideal generated by
Since we will need a list of all single-bit matrices to iterate through, we generate this outside the loop for less expensive computation. The function all_matrices obtains all length bitstrings from the binary representation of the integers from to , then ‘folds’ them into single-bit matrices.
global mats mats = all_matrices(3)
In accordance with our general strategy we also need a function to count the number of solutions to single-bit matrix equations. We use the following (where prod_bool_mat is just used for the matrix multiplication):
def count_singlebit_solutions(a, b): count = 0 for x in mats: if a == prod_bool_mat(x, b): count = count + 1 else: count = count + 0 return count
We output the total number of elements in the preset global iterable mats such that , where are the input matrices. Because any reassembly of single-bit solutions gives a solution to the full equation, the number of solutions to the full equation is the product of the number of solutions to each single-bit equation:
def count_solutions(a, b): ct = 1 for i in range(len(a)): ct = ct * count_singlebit_solutions(pull(i, a), pull(i, b)) return ct
The function pull simply returns the single-bit matrix formed by the -th component of each bitstring entry. We are now ready to define the first of our experiments:
def count_telescope_solutions_1(M,h): x = randint(2**n, 2**m) a = generate_A(M,h,x) b = prod_bool_mat(h(a), M) return log(count_solutions(a, b))
Since the matrix and matrix permutation are to be fixed and the exponent varied, the matrix and permutation are defined outside of the function. The range of values the exponent can be randomly selected from is defined within the function by the parameters .
For the second experiment:
def count_telescope_solutions_2(h, x, n, k): M = rand_bool_mat(n, k) a = generate_A(M,h,x) b = prod_bool_mat(h(a), M) return log(count_solutions(a, b))
This time we need to input the fixed exponent, and the parameters from which random matrices are generated. We output the logarithm for ease of data visualisation.
Finally, we need a way to count the size of the left principal ideal generated by ; that is, the size of the set . We can again exploit the fact that the matrix semigroup is a direct sum of single-bit matrix semigroups: we count the size of the ideal generated by each single-bit matrix, then multiply these numbers. To count the single-bit solutions:
def count_singlebit_orbit(M): orbit =  for y in mats: if not check_membership(prod_bool_mat(y, M), orbit): orbit.append(prod_bool_mat(y, M)) return len(orbit)
We can then calculate the size of the full ideal:
def count_orbit(M): n = len(M) k = len(M) orbit_count = 1 for i in range(k): orbit_count = orbit_count * count_singlebit_orbit(pull(i, M)) return orbit_count
Keeping the exponent fixed and varying the public matrix, the final experiment is assembled as follows.
def count_telescoping_solutions_orbit(m_p, m_s, b_l, exp): M = rand_bool_mat(matrix_size, bitstring_length) a = generate_A(M, matrix_permutation, exponent) b = prod_bool_mat(matrix_permutation(a), M) return (count_orbit(a), count_solutions(a, b))
The experiments ran on matrices, with three different values of . Each value of is the sum of the first few primes. The results of the trials suggest that:
Each matrix corresponds to a fixed number of solutions to the telescoping equality, regardless of exponent
With the parameters suggested, there are sufficiently many solutions to the telescoping equation for any matrix to make an attack via the telescoping equality infeasible
There is negative correlation between the size of the ideal generated by a particular exchange value and the number of solutions to the corresponding telescoping equality
5.1 Independence from Exponent
When the matrix and permutation are fixed but the exponent in the calculation of the exchange value is varied, over several thousand trials we did not encounter a case where the number of solutions changed. This suggests that the number of solutions to the telescoping equality is independent of the exponent, although we do not have an explanation for this behaviour.
For our purposes, assuming that independence from exponent does indeed hold, we conclude that we can run the remaining experiments on small (arbitrarily we decide on 100) exponents for less expensive computation; that is, we do not need to use the large parameters suggested by the authors of MOBS222In fact, we find that the number of solutions is dependent on exponent for very small values of exponent, but stabilise after a while to independence of exponent; we therefore choose a fixed exponent to balance low computational cost with surpassing this boundary. However, we note a curious detail: with a small tweak to the experiment count_telescoping_solutions_1 we can output a list of the number of solutions to the single-bit equations, rather than their product (the original output). Changing the exponent seems to permute the output list; for example, consider the matrix with -bit entries given by:
The following table gives the exponent used for calculation in its first column, then the number of solutions to each single-bit matrix equation in order.
5.2 Number of Solutions
Figure 1 shows a histogram of the logarithm of the number of solutions to the telescoping equality when the exponent and permutation are fixed and the public matrix is varied, conducted over a thousand trials. The key takeaway is that in all trials there are far too many solutions to make recovering the correct one a viable strategy; for the suggested parameter even the smallest number of solutions is in the range of
, and this number of solutions did not occur frequently. The histograms also seem to suggest that the number of solutions are roughly normally distributed within their range.
5.3 Number of Solutions vs. Ideal Size
Figure 2 shows the logarithm of the number of solutions against the logarithm of the size of the principal ideal generated by the corresponding value of . The tests were conducted over a thousand trials with matrices; for each trial, the matrix permutation and exponent are kept constant. The graphs exhibit reasonably strong negative correlation, which one would naively expect - a larger ideal means that lands on the quantity in the telescoping equality less frequently. The vertical lines in graph (a) show that for two matrices whose corresponding exchange value has the same ideal size, their corresponding telescoping equality does not necessarily have the same number of solutions. Indeed, these vertical lines would be present on the other two graphs at higher resolution. We also point out that experiments into ideal size when exponent was varied and other parameters fixed yield similar results to those when number of solutions is counted.
6.1 Security Implications
We know of no better way of identifying which of the quantities satisfying the telescoping equality is the correct value to conduct an attack than simply guessing. The large number of solutions in our results suggest that the probability of choosing the correct value is vanishingly small. Moreover, the technique of decomposition and reassembly reduces the number of matrix multiplications fromto . As far as we know, then, the methods described above are the optimal method of conducting an attack by the telescoping equality. We conclude that the basic attack by the telescoping equality will not work against this scheme.
However, given that there appears to be negative correlation between ideal size and number of solutions, one should be careful to choose a public matrix such that the corresponding exchange values generate small ideals. This is more pertinent should one wish to use smaller parameter sizes.
6.2 Relationship to Monico Attack
In [cryptoeprint:2021:1114] a polynomial-time attack on the MOBS protocol related to our discussion is given. The strategy is to find an integer such that ; one certainly exists by the telescoping equality. It turns out that such an will satisfy . One can effectively find such an by combining the fact that the permutation is made up of disjoint prime-order cycles, and that the matrix group decomposes as a direct sum in the way we have discussed throughout this report.
Towards generalising the attack, for any public automorphism Monico points out that one need only find an automorphism such that commutes with , and the equality holds. It is not clear that MOBS has any inherent vulnerability to recovery of such a ; rather, we exploit the structure of to find an example of such a . Should a different automorphism be used, therefore, the methods of [cryptoeprint:2021:1114] do not immediately guarantee an effective method of key recovery. However, as our experimental results suggest that a public pair corresponding to an exchange value with large ideal size is bad for security, one must be careful to balance these considerations.
We thank Vladimir Shpilrain for helpful comments and discussions.