
Semidirect Product Key Exchange: the State of Play

by Christopher Battarbee et al.

In this report we survey the various proposals of the key exchange protocol known as semidirect product key exchange (SDPKE). We discuss the various platforms proposed and give an overview of the main cryptanalytic ideas relevant to each scheme.





1 Introduction

1.1 Motivation

Few fields possess a text as foundational as New Directions in Cryptography [diffie1976new], which presents a key agreement mechanism today known as the Diffie-Hellman Key Exchange (DHKE). The protocol remains relevant in modern cryptographic applications and works as follows:

  1. Suppose Alice and Bob wish to establish a shared secret key . They agree on a public, finite group and a generator .

  2. Alice picks a random integer , which she keeps secret, and calculates (here the exponentiation refers to repeated application of the group operation). She sends this latter value to Bob.

  3. Bob similarly calculates group element from his secret random integer and sends this to Alice.

  4. Upon receipt of Alice uses her private exponent to calculate ; similarly, Bob calculates . Since we have key agreement.

Since all communication is assumed to be on an insecure channel, security relies on the hardness of the so-called Diffie-Hellman problem: the recovery of from the data . The security is also related to the discrete logarithm problem (DLP), recovery of from the data , but the relationship is not fully understood. For discussion of the relationship between these problems and other problems in the class of Diffie-Hellman hardness assumptions, see, for example, [katz2020introduction].

Today, the security of DHKE is threatened by Shor’s algorithm [shor1994algorithms], which is able to efficiently solve the hidden subgroup problem in at least finite abelian groups; i.e., the platform originally proposed for use with DHKE. Since there is a reduction of DLP to a hidden subgroup problem, we consider DHKE to be extremely vulnerable to quantum attack (the difficulty of DLP and the hidden subgroup problem in various groups is beyond the scope of this report; for a survey of the state of the hidden subgroup problem in various platform groups, see [horan2018hidden]). To this end, the National Security Agency (NSA) announced plans in 2015 to upgrade security standards to so-called ‘post-quantum’ protocols. The following is a survey of the proposed instances and cryptanalysis of one such protocol.

1.2 Beyond Diffie-Hellman: A New Key Exchange

The current proposals for quantum-safe cryptosystems can be broadly grouped into six categories, one of which is known as group-based. The proposal of our interest belongs to this category. In some sense, this category is the most natural extension of DHKE; indeed, many examples have DHKE as a special case. In our case, we appeal to a similar syntax to DHKE utilising a more complex group structure.

1.2.1 The Semidirect Product

Let groups and a homomorphism into the automorphism group of . The set is a group, written , when equipped with the group operation defined as follows (other texts may define the semidirect product differently; in fact, the various notions are equivalent up to isomorphism. By itself this is rather a shallow definition of the semidirect product; we are actually only using it to get a more complex but efficiently calculable notion of exponentiation):

If embeds in the automorphism group of then the homomorphism is just the identity, and the product simplifies to

where represents function composition. In this case we have an object known as the holomorph, written : one verifies by induction that exponentiation takes the form

where means the automorphism composed with itself times.

1.2.2 Semidirect Product Key Exchange

Armed with this machinery we define a key exchange mechanism known as semidirect product key exchange (SDPKE). The proposal in its full generality first appears in [habeeb2013public], although a revised version suggesting a new platform was later published [kahrobaei2016using], and works as follows:

  1. Suppose Alice and Bob agree on a public group , as well as a group element and automorphism of , say .

  2. Alice picks a random secret integer , and calculates the holomorph exponent . She sends only to Bob.

  3. Bob similarly calculates corresponding to random, private integer , and sends only to Alice.

  4. With her private automorphism Alice can now calculate her key as the group element ; Bob similarly calculates his key .


we have . Note that the syntax is similar to that of classical DHKE; indeed, if our automorphism is the identity we have DHKE as a special case.

The generalised relevant security assumptions, each of which is a natural analogue of the classical Diffie-Hellman type assumptions, are discussed in [habeeb2013public], [kahrobaei2016using]. We do not discuss them here since the bulk of cryptanalytic work done in this area does not directly tackle these algorithmic problems, as we will see later.

1.2.3 Application to Encryption Schemes

In [elgamal1985public] a public-key encryption system based on the machinery of DHKE is proposed, now known as the ElGamal Cryptosystem. Analogously, in [moldenhauer2015group] a public-key encryption scheme is proposed, called the MR cryptosystem, which is detailed below (as in [elgamal1985public], a digital signature scheme is also proposed there). Note that exponentiation here refers to the semidirect product notion of exponentiation discussed above.

  1. Alice and Bob agree on a public group , as well as a fixed element and automorphism .

  2. Alice chooses a random secret integer and calculates public key via .

  3. To send a message to Alice using her public key, Bob computes , where is a random ephemeral key, then computes . The ciphertext will be the pair .

  4. Upon receipt of Bob’s ciphertext Alice computes and decrypts by calculating .

We have correctness since (we show this in exactly the same way we demonstrate key agreement in the SDPKE protocol), so . Again, if the automorphism is the identity we have the classical syntax of ElGamal as a special case.
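The following is an added worked example of the SDPKE exchange of Section 1.2.2 and the MR scheme of Section 1.2.3; it is example code written for this survey, not code from the paper or from the cited authors. It uses the toy platform of invertible 2x2 matrices over the integers mod a prime, with the automorphism given by conjugation by a public invertible matrix, as in the matrix platforms of Section 2.1. The holomorph law is taken as (g, f)(g', f') = (g f(g'), f f'), so the transmitted value is g phi(g) ... phi^{m-1}(g); the modulus P, the matrices G0 and H0 and all function names are constructed assumptions. The `commutes` check enforces the caveat from Section 2.1 that the public element and the conjugating matrix must not commute.

```python
"""Toy semidirect product key exchange (SDPKE) and the MR encryption scheme on top of it.

Constructed example, not code from the paper. Platform: invertible 2x2 matrices over
the integers mod P with phi(X) = H X H^-1, conjugation by a public invertible matrix H.
Holomorph law: (g, f)(g', f') = (g f(g'), f f'), so (g, phi)^k = (g phi(g) ... phi^{k-1}(g), phi^k).
"""
import random

P = 1_000_003  # constructed prime modulus; not a parameter suggested by the paper

def mat_mul(X, Y, p=P):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]

def mat_inv2(X, p=P):
    """Inverse of an invertible 2x2 matrix mod p (adjugate formula)."""
    (a, b), (c, d) = X
    det_inv = pow((a * d - b * c) % p, -1, p)  # ValueError if X is singular
    return [[d * det_inv % p, -b * det_inv % p], [-c * det_inv % p, a * det_inv % p]]

def holo_mul(x, y, p=P):
    """Holomorph product. An element (g, f) is stored as (g, Hk, Hk_inv) with
    f(X) = Hk X Hk_inv, so the composition f f' is conjugation by Hk Hl."""
    A, Hk, Hk_inv = x
    B, Hl, Hl_inv = y
    f_of_B = mat_mul(mat_mul(Hk, B, p), Hk_inv, p)
    return (mat_mul(A, f_of_B, p), mat_mul(Hk, Hl, p), mat_mul(Hl_inv, Hk_inv, p))

def holo_pow(g, H, k, p=P):
    """(g, phi)^k for k >= 1 by square-and-multiply (the holomorph is associative)."""
    base = (g, H, mat_inv2(H, p))
    result = None
    while k:
        if k & 1:
            result = base if result is None else holo_mul(result, base, p)
        base = holo_mul(base, base, p)
        k >>= 1
    return result

def apply_aut(elem, X, p=P):
    """Apply the automorphism component of a holomorph element to X."""
    _, Hk, Hk_inv = elem
    return mat_mul(mat_mul(Hk, X, p), Hk_inv, p)

def sdpke(g, H, m, n, p=P):
    """One run of SDPKE: returns the two transmitted values and both parties' keys."""
    alice = holo_pow(g, H, m, p)   # (A, phi^m); Alice sends only A
    bob = holo_pow(g, H, n, p)     # (B, phi^n); Bob sends only B
    A, B = alice[0], bob[0]
    k_alice = mat_mul(A, apply_aut(alice, B, p), p)   # A * phi^m(B)
    k_bob = mat_mul(B, apply_aut(bob, A, p), p)       # B * phi^n(A)
    return A, B, k_alice, k_bob

def mr_keygen(g, H, m, p=P):
    return holo_pow(g, H, m, p)[0]   # public key A; m (equivalently phi^m) stays private

def mr_encrypt(g, H, pub_A, msg, r, p=P):
    """ElGamal-style: ephemeral (B, phi^r), blinding key K = B * phi^r(A)."""
    eph = holo_pow(g, H, r, p)
    B = eph[0]
    K = mat_mul(B, apply_aut(eph, pub_A, p), p)
    return B, mat_mul(K, msg, p)

def mr_decrypt(g, H, m, ciphertext, p=P):
    """Alice recomputes K = A * phi^m(B) (same element of the holomorph power) and strips it."""
    B, c = ciphertext
    priv = holo_pow(g, H, m, p)
    K = mat_mul(priv[0], apply_aut(priv, B, p), p)
    return mat_mul(mat_inv2(K, p), c, p)

def commutes(g, H, p=P):
    """Caveat from Section 2.1: if g and H commute then phi fixes g and the exchange
    value collapses to a plain power of g."""
    return mat_mul(g, H, p) == mat_mul(H, g, p)

# constructed public parameters
G0 = [[2, 3], [1, 4]]
H0 = [[1, 1], [0, 1]]

if __name__ == "__main__":
    m, n = random.randrange(2, 1 << 20), random.randrange(2, 1 << 20)
    A, B, ka, kb = sdpke(G0, H0, m, n)
    print("g, H commute:", commutes(G0, H0), "| keys agree:", ka == kb)
    msg = [[5, 6], [7, 8]]
    ct = mr_encrypt(G0, H0, mr_keygen(G0, H0, m), msg, random.randrange(2, 1 << 20))
    print("MR decrypts correctly:", mr_decrypt(G0, H0, m, ct) == msg)
```

Key agreement holds because both keys are the first component of (g, phi)^{m+n}, computed once as (A, phi^m)(B, phi^n) and once as (B, phi^n)(A, phi^m); the square-and-multiply loop is correct for the same reason. Decryption needs the blinding key to be invertible, which is why the MR scheme in Section 2.1 insists on a group rather than a semigroup platform.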

2 Proposed Platforms

We here point out that if, in the construction of the holomorph discussed above, we allow the group to be a semigroup, then the construction is also a semigroup. Many of the proposed platforms are in fact semigroups. Moreover, if is a semigroup and is a homomorphism into the endomorphism group of the group , the construction is also a semigroup.

2.1 Matrices over Group Rings

The authors of [habeeb2013public] propose the platform semigroup

with automorphism defined as conjugation by some invertible matrix in the semigroup. Here,

denotes the group ring consisting of formal sums of the form

One can define a notion of addition and multiplication on this ring; equipped with these operations we get a ring that is at the same time an algebra over an -dimensional vector space over . In this case we get a closed form of the security assumption; if is the public semigroup element and is the matrix defining the conjugation, security is reduced to the problem of retrieving the quantity from the data : one must in this case be careful that the matrices and do not commute.

In [moldenhauer2015group] we use a similar automorphism; however, since we need invertibility for decryption we use platform group for some field . No specific parameters are suggested; we note that throughout the literature seems standard. The security assumptions made take the same form as those in [habeeb2013public].

2.2 Free Nilpotent p-Groups

In [kahrobaei2016using] the authors, addressing security issues in [habeeb2013public] that we return to later on, propose nilpotent -groups as a platform. Of course, all finite -groups are nilpotent (see, for example, [rotman2012introduction]); here we explicitly generate them via factor groups of free groups; for example, consider the free group on elements . The normal subgroup is generated by all elements of the form for and some prime . With notation denoting the product and defined inductively, the normal subgroup generated by all elements of the form is denoted . Assembling these components, the finite group is proposed for the platform. This is done to enforce a low nilpotency class for efficient calculation, and to ensure the existence of an element of order , which as we will see later has useful security properties. The authors note that efficiency seems to depend on the values of and , which can safely be kept low if we use a very large prime .

2.3 Tropical Algebras

A tropical semiring is a subset of , containing , and equipped with a notion of addition (written ) and multiplication (written ) defined by

Consider matrices with entries in this semiring with the obvious component-wise definitions of addition and scalar multiplication. We can also multiply two matrices by replacing the operations in the usual definition of matrix multiplication with the semiring operations; it turns out this gives us a module over a semiring equipped with a bilinear product, which we will call the tropical algebra.

In [grigoriev2014tropical] a key exchange over this algebra was proposed; it was broken in [kotov2018analysis]. The authors therefore update their protocol to include the SDPKE syntax in [grigoriev2019tropical], using an operation called adjoint multiplication, defined by . Unlike its analogue in the usual arithmetic this operation is distributive, so the action of the algebra on the semigroup formed by the algebra considered under addition by is a semigroup action, and we can use it to define a semidirect product structure. The aim is to present a key exchange that is extremely efficient, since no multiplication is involved, and not vulnerable to the attacks against the above two schemes. A further key exchange corresponding to a public endomorphism induced by a similar action is also proposed; the two schemes are closely linked.

2.4 Matrix Action Key Exchange (MAKE)

In [rahman2022make] the authors consider the set of matrices over a finite field . This object is a monoid under the standard notion of matrix multiplication and a group under matrix addition. Call this group ; in fact, restricting to the semigroup where are non-invertible, the action of on defined by induces a homomorphism into the endomorphism group of , so we get a semidirect product of by with exponentiation

The authors are able to show that recovery of the private exponent in a transmitted value is at least as hard as private exponent recovery in classical DHKE, and posit that the improved mixing from the combination of operations is beneficial for security. Moreover, attacks that threatened other instances of the scheme do not seem to directly apply.

2.5 Matrices Over Bit Strings (MOBS)

The authors of [rahmanmobs] propose a platform of the holomorph of matrices over a semiring, serving two purposes: following [grigoriev2014tropical] we use a semiring to mitigate some of the damage done by powerful representation-type attacks, and we address a weakness of [rahman2022make]. The semiring is bitstrings where addition is given by bitwise OR and multiplication by bitwise AND; the automorphism is constructed just by permuting each bitstring in a matrix, where we use prime-order cycles to derive a high-order permutation.

3 Main Attacks

In general attacks against SDPKE fall into two broad categories, which we will detail below; however, we first turn our attention to the attacks on the tropical cryptography, which do not fit into either.

3.1 Cryptanalysis of the Tropical Cryptography

There are two attacks against the tropical cryptography, both of which achieve recovery of the private exponent by analysing the sequence of possible exchange values, which we will write . In [rudy2021remarks] the authors prove that, relative to a partial order defined on the matrix algebra, the sequence is monotone decreasing. Leaving aside some minor subtlety this effectively allows recovery of the private exponent via a simple binary search. The idea of [isaac2021closer] is similar: the authors use the fact that the above sequence of matrices has a property known as almost linear periodicity to extract the private exponent. In this case there is a small chance of algorithm failure, but the authors provide experimental evidence that the attack method is on average faster. In both cases, once the private exponent, say , corresponding to an exchange value has been recovered, the key can be calculated from the other exchange value via .

3.2 A Word on Representations

The strategy of many attacks against SDPKE schemes will be to construct a representation from the proposed platform group, which is by design obfuscating and not often well-understood, into a more familiar space. For our purposes, a faithful representation of a group is an injective homomorphism into for some field . Similarly, a faithful representation of a semigroup is an injective homomorphism into for some field . These quantities will be presented as matrices depending on a particular (and usually arbitrary) choice of basis of the -dimensional vector space over ; this value is known as the dimension of the representation. As a consequence of Cayley’s theorem (and the analogue available for semigroups) all the objects we consider will admit such a representation, but such a representation may only be available for certain choices of ; we can therefore talk about the efficiency of a representation depending on the minimum size of for which we can construct a faithful representation.

3.3 The Dimension Attack

In [roman2015linear], following work in [myasnikov2015linear], the authors demonstrate that for SDPKE over a platform with public parameters , one can compute the shared secret key directly using only public information if is a multiplicative subgroup of a finite dimensional algebra over a field , and the endomorphism is extended to the underlying vector space of the algebra. By conditions in [myasnikov2015linear], provided operations in the underlying field are efficient, we can efficiently find a finite maximal linearly independent subset of the set , where are the exchange values corresponding to all possible private exponents. Note that in this notation the exchange values are such that , and the key is such that . Suppose is this maximal linearly independent subset. It is shown that one can find coefficients such that

so that, since is extended to an endomorphism of the algebra, we have

Since all the data in this latter sum is known to the attacker we have achieved key recovery. We will refer to this strategy as the dimension attack.

For our purposes the algebras in question will almost always be a finite matrix algebra; that is, matrices which we can add, scale and multiply. In this case finding the above coefficients amounts to solving linear equations where is the size of the matrix, which will dominate the complexity of the algorithm.

It is for this reason we are interested in faithful representations of the various platforms - it allows us to embed the platform as a multiplicative subgroup of a matrix algebra and thereby carry out the dimension attack. In the case of [habeeb2013public], the candidate platform is already a matrix algebra, so in a sense we consider a trivial, identity representation. We conclude that is not a good choice of platform for the scheme, since it is a low-dimension matrix algebra and we expect the dimension attack to perform efficiently.

The situation is more complicated for the platform suggested to address these issues in [kahrobaei2016using]. This is because the platform group is no longer a matrix algebra by default, so we must consider a non-trivial representation into a space where the dimension attack applies. In [janusz1971faithful] it is shown that -groups with at least one element of order for some have lower bound on the dimension of admissible faithful representation in the requisite matrix algebra. Recall that in [kahrobaei2016using] a group with an element of order is proposed, so while the attack is still polynomial time it is polynomial in and is thus infeasible for very large primes. This is the useful security property of the proposed free nilpotent -groups alluded to earlier; the authors of [myasnikov2015linear] point out that it remains an interesting question to characterise the efficiency of suitable representations of various linear groups to give a picture of suitable choices of platform group for SDPKE.

Finally, we make the rather obvious, though as far as we know original, observation that this attack will also break the MR cryptosystem proposed in [moldenhauer2015group]. This is because one has , so one only needs to recover the blinding ‘key’ factor to allow for complete message recovery. Since and are transmitted in the clear, we can think of these values as the exchange values in the SDPKE protocol and apply the same attack.

3.4 The Telescoping Equality

3.4.1 Cryptanalysis of MAKE

As well as the improved mixing posited by the authors of MAKE [rahman2022make], the platform group is an additive subgroup of a matrix algebra and so does not naturally embed as a multiplicative subgroup as per the requirements of the dimension attack. There has therefore been an effort to develop alternative methods of key recovery; it turns out this new strategy is similar to the dimension attack in that it bypasses the proposed hardness assumptions.

Remarking upon an earlier version of MAKE in which and is invertible, the authors of [monico2020remark] are the first to point out the identity

However, the method of key recovery proposed relies on the invertibility of the matrix . Following this work and the update to the current version of MAKE [rahman2022make], the authors of [brown2021cryptanalysis] achieve key recovery by noting that

All terms in this equation can be calculated by an eavesdropper except , which in this case can be uniquely recovered since we have an additive inverse. Upon recovery of this quantity one uses a consequence of the Cayley-Hamilton theorem to prove the existence of a vector dependent only on that solves the equation

for any , where is a function defined by the authors, and stacks columns of a matrix to get a vector. Using known data we can solve the above system of equations to get a vector , so defining we must have . By a technical intermediary lemma and the fact that is an additive homomorphism we have that , so . Since and is known to an eavesdropper we conclude that, since the complexity of the attack is dominated by the polynomial time process of recovering the vector , there is a polynomial time algorithm to achieve key recovery.

In fact, even in some situations where the Cayley-Hamilton theorem does not apply we are able to achieve key recovery, again by constructing a representation [battarbee2021cryptanalysis]. A notable example of a platform for which the Cayley-Hamilton theorem does not immediately apply but key recovery is still possible are group rings of the type used in [habeeb2013public]; such group rings, having a group as a basis, can be embedded in a matrix algebra over a commutative ring. It turns out replacing the group ring entries of each matrix with their matrix representations gives a ring homomorphism, so we can embed injectively into a matrix algebra over a commutative ring and carry out the attack using Cayley-Hamilton in this latter space. Note that in contrast with the dimension attack, in this case the goal of the representation is not to embed the platform as a multiplicative subgroup, but to embed the platform into a space where the Cayley-Hamilton theorem applies.

3.4.2 The Telescoping Attack

The authors of [brown2021cryptanalysis] are basically exploiting a particular instance of the general fact relevant to all SDPKE schemes that

We call this equation the telescoping equality; it arises by splitting up a certain product in two different ways. Suppose some eavesdropping party has observed one round of the protocol; the data are all available to this party, and the quantity may be recovered by the telescoping equality. Moreover, appears to encode some information about the private exponent . We will refer to this general strategy as the telescoping attack; in general an attacker following this strategy will be required to overcome two main problems: unique recovery of the quantity , and use of this quantity to recover information about the secret key.

The telescoping attack succeeds against the MAKE scheme (which we are now writing as in the general case) partly because we do not have to worry about non-unique solutions to the telescoping equality. This is because the platform object is a full group, and the action of a group on itself by left multiplication is transitive; that is, if we know the quantity satisfies , then any satisfying must be such that . Indeed, this line of argument applies to all groups; in a semigroup we are no longer guaranteed a unique admissible value of in the equation .

To address the second problem we note also that recovery of in the MAKE scheme essentially allows recovery of for free. This is not the case in general; the function defined in [brown2021cryptanalysis] is not a multiplicative homomorphism, so the strategy will only work against additive schemes. Moreover, the existence of a constant vector solving an equation for all platform elements is crucial, and its existence is derived through the Cayley-Hamilton theorem which only applies to a few of the proposed platforms. For other schemes the best strategy seems to be to recover the endomorphism from , which gives us a reduction to semigroup DLP in the endomorphism semigroup of . It is known that the semigroup DLP is essentially no worse than the classical DLP [banin2016reduction], [childs2014quantum].

3.4.3 Cryptanalysis of MOBS

We first note that in [monico2021remarks] a successful attack against the MOBS cryptosystem is presented. However, the attack depends on the construction of the public automorphism; that is, it does not apply in general. The author also notes a generalised version of the telescoping attack; in particular, for key recovery it suffices to find an endomorphism commuting with the public endomorphism such that

where is the public platform element and is an observed transmitted value in the protocol corresponding to private exponent . When we have the telescoping equality; indeed, recovery of the endomorphism would allow calculation of .

In the following let denote the platform semigroup of matrices, a public matrix and the automorphism derived by applying a permutation to each bitstring element of a matrix. Proceeding with the original telescoping attack, the telescoping equality in the case of MOBS takes the form

Recalling that the endomorphism applies a high-order permutation to each bitstring entry of the matrix , we do not have difficulty recovering the key having recovered : we can just recover the permutation of a single bitstring by observation and therefore recover the endomorphism , from which can be calculated by . However, since we have a matrix semigroup, the value is not necessarily uniquely admissible in the telescoping equality. In [battarbee2021efficiency] we count the number of satisfying ; in this way computational evidence is presented that for the suggested parameters for use with MOBS, there are far too many solutions to the telescoping equality for an attack by this method to be feasible. Also noted is the apparent negative correlation between the size of the left principal semigroup ideal generated by ; that is, the size of the set .
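To make the contrast between Sections 3.4.2 and 3.4.3 concrete, here is an added toy computation of the telescoping equality on two miniature platforms; it is example code written for this survey, not code from the paper or from the MAKE or MOBS authors. With the holomorph convention (g, f)(g', f') = (g f(g'), f f'), the exchange values satisfy A_{m+1} = M phi(A_m) = A_m phi^m(M), which is the telescoping equality. On a MAKE-style additive platform (matrices mod a prime under addition, action X -> H X K) the quantity phi^m(M) is recovered uniquely by subtraction; on a MOBS-style semigroup (2x2 matrices over 3-bit strings with OR and AND, automorphism a bit rotation of prime order 3) a brute-force count shows that the same equality admits many solutions, which is the obstacle described in [battarbee2021efficiency]. The prime, the matrices, the 3-bit and 2x2 sizes and all names are constructed assumptions, far smaller than any real parameters.

```python
"""Telescoping equality for SDPKE: unique in a group, ambiguous in a semigroup.

Constructed toy example, not code from the paper or the MAKE/MOBS authors. Uses the
holomorph convention (g, f)(g', f') = (g f(g'), f f'), so the exchange values satisfy
A_{m+1} = M phi(A_m) = A_m phi^m(M)  (the telescoping equality).
"""
from itertools import product

def semiring_matmul(X, Y, add, mul):
    """Square-matrix product with the scalar operations supplied by the semiring."""
    n = len(X)
    out = []
    for i in range(n):
        row = []
        for j in range(n):
            acc = mul(X[i][0], Y[0][j])
            for k in range(1, n):
                acc = add(acc, mul(X[i][k], Y[k][j]))
            row.append(acc)
        out.append(row)
    return out

# ---- MAKE-style platform: matrices mod P under addition, action phi(X) = H X K ----
P = 101  # constructed small prime

def modp_mul(X, Y):
    return semiring_matmul(X, Y, lambda a, b: (a + b) % P, lambda a, b: (a * b) % P)

def modp_add(X, Y):
    return [[(x + y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def modp_sub(X, Y):
    return [[(x - y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def make_phi(X, H, K):
    return modp_mul(modp_mul(H, X), K)

def make_exchange(M, H, K, m):
    """A_m = M + phi(M) + ... + phi^{m-1}(M), built by A_{i+1} = M + phi(A_i)."""
    A = M
    for _ in range(m - 1):
        A = modp_add(M, make_phi(A, H, K))
    return A

def make_phi_power(M, H, K, m):
    for _ in range(m):
        M = make_phi(M, H, K)
    return M

def make_telescope(M, H, K, A_m):
    """Eavesdropper side: phi^m(M) = M + phi(A_m) - A_m. Unique, because the
    group operation (addition) has inverses."""
    return modp_sub(modp_add(M, make_phi(A_m, H, K)), A_m)

# ---- MOBS-style platform: matrices over 3-bit strings, OR / AND, phi = bit rotation ----
BITS = 3

def rot(x):
    """Cyclic left shift of a 3-bit string: a permutation of prime order 3."""
    return ((x << 1) & ((1 << BITS) - 1)) | (x >> (BITS - 1))

def bool_mul(X, Y):
    return semiring_matmul(X, Y, lambda a, b: a | b, lambda a, b: a & b)

def mobs_phi(X):
    return [[rot(x) for x in row] for row in X]

def mobs_exchange(M, m):
    A = M
    for _ in range(m - 1):
        A = bool_mul(M, mobs_phi(A))
    return A

def mobs_phi_power(M, m):
    for _ in range(m):
        M = mobs_phi(M)
    return M

def mobs_telescope_solutions(M, A_m):
    """Brute force every X with A_m * X == M * phi(A_m). Without inverses the
    telescoping equality need not pin down phi^m(M); the true value is one of many."""
    n = len(M)
    target = bool_mul(M, mobs_phi(A_m))
    sols = []
    for entries in product(range(1 << BITS), repeat=n * n):
        X = [list(entries[i * n:(i + 1) * n]) for i in range(n)]
        if bool_mul(A_m, X) == target:
            sols.append(X)
    return sols

# constructed parameters
M_MAKE, H_MAKE, K_MAKE = [[1, 2], [3, 4]], [[2, 0], [1, 1]], [[1, 1], [0, 3]]
M_MOBS = [[3, 5], [6, 1]]

if __name__ == "__main__":
    A5 = make_exchange(M_MAKE, H_MAKE, K_MAKE, 5)
    print("MAKE: telescoping recovers phi^5(M):",
          make_telescope(M_MAKE, H_MAKE, K_MAKE, A5) == make_phi_power(M_MAKE, H_MAKE, K_MAKE, 5))
    sols = mobs_telescope_solutions(M_MOBS, mobs_exchange(M_MOBS, 2))
    print("MOBS: candidates for phi^2(M):", len(sols),
          "| true value among them:", mobs_phi_power(M_MOBS, 2) in sols)
```

The MAKE half stops at recovering phi^m(M); turning that into the key is the Cayley-Hamilton step of [brown2021cryptanalysis] described in Section 3.4.1 and is not reproduced here. The MOBS half is the counting experiment of [battarbee2021efficiency] in miniature: even for 2x2 matrices over 3-bit strings and m = 2, dozens of matrices satisfy the equality, and the count only grows with the real parameter sizes.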

4 Conclusion

In summary, the SDPKE protocol is promising but still faces challenges. Perhaps the most plausible-looking schemes are MOBS, should its public automorphism be tweaked, or the original scheme over a semigroup admitting inefficient representations. We point out that no attacks in the literature approach the proposed hardness problems, or offer a reduction from these problems to quantum-vulnerable hardness problems. In fact, the attacks are in general linear algebraic; if we can find a way to remove these linear algebraic vulnerabilities we can have confidence in SDPKE as a viable form of post-quantum key exchange.

Acknowledgement. We wish to thank Vladimir Shpilrain for reading this manuscript and providing helpful comments.