Security analysis of key agreement protocol based on matrix power function

A key agreement protocol (KAP) using the Burau representation of braid groups and the matrix power function (MPF) is analyzed. The MPF arguments are Burau representation matrices defined over a finite field or ring. It is shown that the security of the KAP relies on solving a matrix multivariate quadratic system of equations over the ring, with additional commutation constraints on the matrices to be found. We conjecture that the proposed KAP is a candidate one-way function, since its inversion is related to solving the known multivariate quadratic problem, which is NP-complete over any field. One advantage of the proposed KAP is that it can be realized efficiently even in restricted computational environments, because it avoids arithmetic operations with big integers.


Introduction
In general, a key agreement protocol (KAP) allows two or more parties to negotiate a common secret key over insecure communications. Traditional KAPs are time consuming, especially in restricted computational environments, since they require arithmetic operations with big integers. They are based on the discrete exponent function, and their security relies on the difficulty of solving the discrete logarithm problem (DLP). In [12] it was shown that the DLP is solvable by quantum algorithms in polynomial time, both for numerical cyclic groups and for elliptic curve groups.
In 1993 new ideas appeared in asymmetric cryptography [15]: using known hard computational problems in infinite non-commutative groups instead of hard number-theoretic problems such as the discrete logarithm or integer factorization problems.
Nevertheless, [13] showed that the conjugator search problem in braid groups does not provide a sufficient security level. Moreover, the authors noticed that the main problem in constructing cryptographic primitives in infinite non-commutative groups is to reliably hide the factors in a group word.
The idea of using a representation of an infinite non-commutative group (e.g. a braid group) was also used to construct another candidate one-way function as the basis of both a digital signature scheme and a key agreement protocol [8,11]. Working at the level of the (semi)group representation allows us to avoid the significant problem of hiding the factors in the publicly available group word that arises when working at the presentation level.
In this paper we present a security analysis of the KAP proposed in [16]. It is based on the application of centralizers at the presentation level of braid groups, using the Burau representation and the MPF. A KAP based on braid groups as platform groups at the presentation level using centralizers is also presented in [14].
Our proposed KAP uses the matrix power function, which is an action of some matrix (semi)group S on a matrix set M. The set M is not required to be closed under any internal operation. Both S and M are defined over two different algebraic structures: S is defined over some finite ring R and M over some finite (semi)group G. We will show that inversion of the MPF so defined has some indications of being a hard problem, and hence it can be a candidate one-way function (OWF). The security of the presented KAP relies on the complexity of inverting this OWF.

Mathematical background
For our construction we consider the infinite non-commutative general Artin braid group [5]. Given an integer n ≥ 2, the braid group on n strands, B_n, is defined by the following presentation: How to generate random words in the braid group B_n is explained in [4]. Given a group B_n, the centralizer of an element x ∈ B_n is the subgroup of B_n consisting of all elements which commute with x. We denote by C(x) = {γ_1, ..., γ_k} the known set of generators of the centralizer of an element x. An algorithm to compute a generating set for the centralizer of an element in a braid group, and more generally in a Garside group, is presented in [2]. For security reasons we require that k ≥ 2 in our protocol.
Our protocol is based on the reduced Burau representation of the braid group [5]. To transform braid groups to matrix groups we denote the representation by β : B_n → GL(n − 1, Z_m) as follows: Where ⊕ is the direct matrix sum and t is an integer in Z_m. Hence our matrix group S corresponds to GL(n − 1, Z_m) and the finite ring R is Z_m.
The matrix power function is defined using left and right actions of S on M [9,10]. Let X, Y ∈ S and Q ∈ M; all matrices are square and of order r. Then the left action of matrix X on matrix Q yields the matrix A = X Q, whose elements {a_ij} are computed by the formula: Analogously, the right action of matrix Y on matrix Q yields the matrix B = Q Y with elements {b_ij} satisfying the formula: The MPF is defined by combining the left and right actions in the following way: In [9,10] the following properties of the MPF are proven:

Protocol
Let the protocol be executed between two parties, Alice and Bob.
1. The parties agree on the following public parameters: the braid group B_n of order n, a finite ring R, a finite (semi)group G, an element t ∈ R and a matrix Q ∈ M of order n−1.
2. Alice randomly generates a braid group word x ∈ B_n. After calculating C(x), X = β(x) and C(X) = β(C(x)), she stores X as her private key and makes C(X) publicly available as her public key.
3. Bob randomly generates a braid group word y ∈ B_n. After calculating C(y), Y = β(y) and C(Y) = β(C(y)), he stores Y as his private key and makes C(Y) publicly available as his public key.
4. Alice randomly generates a matrix V ∈ C(Y), calculates K_a and sends it to Bob.
5. Bob randomly generates a matrix U ∈ C(X), calculates K_b and sends it to Alice.
6. Since X commutes with U and Y commutes with V, both parties compute the following common secret key K.

Security analysis
To compromise the secret key K one must find any matrices X, V in (6) or U, Y in (6) satisfying the commutation identities for the given instances Q, K_a and Q, K_b respectively. Let us consider the case of finding such matrices X, V in (6). Let the elements of X, V, Q and K_a be {x_ij}, {v_ij}, {q_ij} and {a_ij} correspondingly. For clarity, the matrix equation (6) is written as a system of equations for matrices of second order, i.e. when n = 3 (r = 2): We will show that in our case solving a system of type (10) is equivalent to solving a matrix equation that can be written as a system of multivariate quadratic (MQ) equations, which we will call the matrix MQ (MMQ) problem. If G is a cyclic group, then applying a discrete logarithm function to all equations in (10) yields, by Fermat's theorem, a system of multivariate quadratic (MQ) equations (11).
Let us consider the algebraic structures R and G. Both must be commutative in order for the MPF to satisfy properties (3), (4) and (5). If R is the finite ring Z_m, then m must be equal to the highest order of the elements in G. Then the elements of matrix Q will be raised to every possible power.
Let G be a non-cyclic group. It is known that every finite abelian group can be expressed as a direct sum of cyclic subgroups [7]. This allows us to transform a system of type (10) into several corresponding systems of type (11). In this way we obtain more equations but with the same number of variables.
We do not know how to construct MMQ equations directly when the algebraic structure G is a semigroup. But it is known that every finite semigroup has a minimal ideal which is a group [1]. Then matrix Q would have to have at least one element from the minimal ideal I of the semigroup G. In this case it is obvious from equations (1) and (2) that the protocol matrices K_a, K_b and K will consist only of elements of the group I. An attacker posing as Bob and knowing the matrices K_a, K_b and K can transform the matrix equation (6) into a matrix MQ system of equations and try to find Alice's matrices X and V in the same way as discussed earlier for groups.
Hence the security of the proposed KAP relies on the complexity of solving the matrix MQ problem. We can expect this problem to be easier than a randomly generated MQ problem, which is NP-complete [3,6]. But we conjecture that the matrix MQ problem together with the additional commutation constraints (9) is a hard problem.
So far we have not found the complexity status of equation (11) over a finite field. Moreover, we have not found results concerning a complexity proof for (11) together with the commutation constraints (9).
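A toy end-to-end run of steps 2-6 of the protocol above, followed by the discrete-logarithm transformation of (10) into the bilinear system (11) described in this paragraph; this is example code added here, not the paper's own. It assumes the entrywise MPF definition used in the MPF literature the paper cites, (X Q)_ij = ∏_k q_kj^{x_ik} and (Q Y)_ij = ∏_k q_ik^{y_kj}, which this page does not reproduce; takes G = Z_23^* and R = Z_22 as constructed toy parameters; and replaces the Burau centralizer elements by the shortcut W = aX + bI, which commutes with X by construction.

```python
import random
from math import prod

P = 23          # constructed toy prime: G = Z_23^*, every element order divides 22
M = P - 1       # exponent ring Z_22; m equals the highest element order in G, as the paper requires
G_GEN = 5       # primitive root mod 23, used only by the discrete-log check

def left_action(X, Q):
    # A = X Q with a_ij = prod_k q_kj^{x_ik} mod P (assumed entrywise MPF definition)
    r = len(Q)
    return [[prod(pow(Q[k][j], X[i][k], P) for k in range(r)) % P for j in range(r)] for i in range(r)]

def right_action(Q, Y):
    # B = Q Y with b_ij = prod_k q_ik^{y_kj} mod P
    r = len(Q)
    return [[prod(pow(Q[i][k], Y[k][j], P) for k in range(r)) % P for j in range(r)] for i in range(r)]

def mpf(X, Q, Y):
    # the MPF X Q Y: left action followed by right action
    return right_action(left_action(X, Q), Y)

def matmul(A, B, mod):
    r = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(r)) % mod for j in range(r)] for i in range(r)]

def commuting_pair(rng):
    # (X, W) over Z_M with XW = WX; W = a*X + b*I is a toy stand-in for a centralizer element
    X = [[rng.randrange(M) for _ in range(2)] for _ in range(2)]
    a, b = rng.randrange(M), rng.randrange(M)
    W = [[(a * X[i][j] + b * (i == j)) % M for j in range(2)] for i in range(2)]
    return X, W

def key_agreement(seed=1):
    # steps 2-6; returns Alice's key, Bob's key and the instance (Q, X, V, K_a) used to check (11)
    rng = random.Random(seed)
    Q = [[rng.randrange(1, P) for _ in range(2)] for _ in range(2)]  # public Q with entries in G
    X, U = commuting_pair(rng)   # Alice's private X, Bob's U in C(X)
    Y, V = commuting_pair(rng)   # Bob's private Y, Alice's V in C(Y)
    K_a = mpf(X, Q, V)           # Alice -> Bob
    K_b = mpf(U, Q, Y)           # Bob -> Alice
    return mpf(X, K_b, V), mpf(U, K_a, Y), (Q, X, V, K_a)

def dlog(h):
    # brute-force logarithm to base G_GEN in Z_P^*; fine at toy size
    return next(e for e in range(M) if pow(G_GEN, e, P) == h)

def dlog_system_holds(Q, X, V, K_a):
    # log K_a = X (log Q) V over Z_M: bilinear in the unknowns X and V, i.e. the MQ system (11)
    logQ = [[dlog(q) for q in row] for row in Q]
    return [[dlog(a) for a in row] for row in K_a] == matmul(matmul(X, logQ, M), V, M)
```

Both parties obtain the same K because XU = UX and YV = VY, and the logarithm of K_a is exactly the product X (log Q) V over Z_22, which is what makes the recovery of X and V a quadratic rather than an exponential system.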

Conclusions
In this paper we presented a security analysis of a KAP using the matrix power function defined over the Burau image of an infinite non-commutative braid group.
We showed that cryptanalysis of the proposed KAP reduces to solving a matrix multivariate quadratic (MQ) system of equations over the ring with additional constraint equations represented by a matrix commutation equation. Hence we conjecture that the system of matrix MQ equations together with the commutation equations is a candidate one-way function.
Possible choices of the underlying algebraic structures are also discussed. Because our KAP is not based on the DLP, the underlying algebraic structures can be small, which leads to efficient realization even in restricted computational environments.