Cryptanalysis of a non-commutative key exchange protocol

In the papers by Alvarez et al. and Pathak and Sanghi a public key exchange based on a non-commutative group is described. A similar version of it has also been patented (US7184551). In this paper we present a polynomial time attack that breaks the variants of the protocol presented in the two papers. Moreover we show that breaking the patented cryptosystem US7184551 can be easily reduced to factoring. We also give some examples to show how efficiently the attack works.


Introduction
We first describe the noncommutative key exchange presented in [1] and [5]. Consider the group $G = \mathrm{GL}(n, \mathbb{F}_q)$ of invertible matrices over the finite field $\mathbb{F}_q$, and let $M_1, M_2 \in G$ be such that $M_1 M_2 \neq M_2 M_1$. The triple $(G, M_1, M_2)$ is the public key.

• Alice chooses $(a_1, a_2) \in \mathbb{Z}^2$ and sends $C_1 = M_1^{a_1} M_2^{a_2}$ to Bob.
• Bob chooses $(b_1, b_2) \in \mathbb{Z}^2$ and sends $C_2 = M_1^{b_1} C_1 M_2^{b_2}$ to Alice.

As a result Alice and Bob can compute the secret key $K = M_1^{b_1} M_2^{b_2}$ (Bob directly, Alice as $M_1^{-a_1} C_2 M_2^{-a_2}$). The purpose of this paper is to show that $K$ can be computed in $O(n^3)$ field operations from $C_1$ and $C_2$.

Solving homogeneous "mixed" multivariate polynomial equations of degree 2
In general, solving systems of multivariate polynomial equations is NP-complete [2]. When the number of variables is much smaller than the number of equations, however, there exist polynomial time algorithms. To be precise, [2] proposes an "expected" polynomial time algorithm to solve overdefined systems of polynomial equations when the number of unknowns $k$ and the number of equations $m$ satisfy $m \geq \varepsilon k^2$ with $\varepsilon \in (0, \tfrac{1}{2}]$. The expected running time is ap- . The aim of this paper is to use a specialised version of this algorithm that can be proved to give a polynomial time attack on the protocols described in [1] and [5] in the generic case. For all other cases we refer to the heuristic result in [2], which is enough for cryptanalytic purposes.

Commutative rings of matrices
Let $T$ be an invertible matrix and define $\mathbb{F}_q[T]$ to be the $\mathbb{F}_q$-algebra generated by $T$; in other words it is the image of the evaluation map $\mathbb{F}_q[x] \to M_n(\mathbb{F}_q)$, $f \mapsto f(T)$. By the Cayley–Hamilton theorem $\mathbb{F}_q[T]$ is a finite dimensional algebra over $\mathbb{F}_q$, spanned by $1, T, \dots, T^{n-1}$. The following short lemma will be useful for our purposes:

The attack
The attack described in the following sections makes use only of the elementary tools mentioned above; this is intended to show the structural vulnerabilities of the system. Suppose Eve is observing the key exchange; she then gets the following information: $C_1 = M_1^{a_1} M_2^{a_2}$ and $C_2 = M_1^{b_1} C_1 M_2^{b_2}$. Since $M_1^{a_1} \in \mathbb{F}_q[M_1]$ and $M_2^{a_2} \in \mathbb{F}_q[M_2]$, we are able to write
$$M_1^{a_1} M_2^{a_2} = C_1 = \Big(\sum_{i=0}^{n-1} x_i M_1^{\,i}\Big)\Big(\sum_{j=0}^{n-1} y_j M_2^{\,j}\Big), \qquad (1)$$
where $x_i, y_j$ are indeterminates. Equivalently, $C_1$ lies in the image of the multiplication map $\varphi : \mathbb{F}_q[M_1] \times \mathbb{F}_q[M_2] \to M_n(\mathbb{F}_q)$, $(X, Y) \mapsto XY$. Observe that the system is solvable in polynomial time with $m = n^2$, $k = 2n$ and $\varepsilon = \tfrac{1}{4}$, and expected running time $O(n^2)$. We now pick any solution and write down $p(M_1) = \sum_i x_i M_1^{\,i}$ and $q(M_2) = \sum_j y_j M_2^{\,j}$.

Remark
The system given by Equation (1) is easy to solve, even without the algorithm presented in [2], since it consists of $n^2$ homogeneous equations of degree 2 in the $2n$ unknowns $x_i, y_j$, and we can perform a Gaussian elimination-like computation on the variables $u_{i,j} := x_i y_j$. We will show these equations in an explicit example in the next subsection. It is also elementary to observe that when the $n^2 \times n^2$ matrix of the linear system in the $u_{i,j}$ is invertible, the attack can be proved to be polynomial: the $u_{i,j}$ are then unique, and the system $x_i y_j = u_{i,j}$ admits a solution by construction (which can be found just by substitutions). In particular this happens in the non-degenerate case, in the sense that the $\mathbb{F}_q$-vector space generated by the products $M_1^{\,i} M_2^{\,j}$, $0 \le i, j \le n-1$, is the whole matrix ring.

Remark
• We have at least one solution by the observation $M_1^{a_1} M_2^{a_2} \in \mathrm{Im}\,\varphi$.
• In the non-degenerate case the solution is unique up to the scaling $(x, y) \mapsto (\lambda x, \lambda^{-1} y)$, so $p(M_1) = \lambda M_1^{a_1}$ and $q(M_2) = \lambda^{-1} M_2^{a_2}$ for some $\lambda \in \mathbb{F}_q^{*}$; in particular both are invertible, which the computation below requires.
Eve gets the key thanks to the computation
$$p(M_1)^{-1}\, C_2\, q(M_2)^{-1} = p(M_1)^{-1} M_1^{b_1} C_1 M_2^{b_2} q(M_2)^{-1} = M_1^{b_1}\, p(M_1)^{-1} C_1\, q(M_2)^{-1} M_2^{b_2} = M_1^{b_1} M_2^{b_2} = K,$$
where the second equality is due to Lemma 2.1 ($p(M_1)^{-1} \in \mathbb{F}_q[M_1]$ commutes with $M_1^{b_1}$, and $q(M_2)^{-1} \in \mathbb{F}_q[M_2]$ with $M_2^{b_2}$) and the third one follows from the solution of system (1), which gives $p(M_1)^{-1} C_1\, q(M_2)^{-1} = 1$.
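As an added example, not code from the paper or from [1] and [5], here is the attack above run in Python over a prime field. The field size P = 1009, the random 4×4 instance, the seed and the exponents are constructed here and are not the paper's data; all function and variable names are the example's own. It linearises system (1) with u_ij = x_i y_j as in the Remark above, solves the resulting n² × n² linear system by Gaussian elimination over F_P, recovers (x, y) by substitution in the non-degenerate case (and stops otherwise), and then computes K = p(M1)^{-1} C2 q(M2)^{-1}.

```python
import random

P = 1009  # prime modulus of the toy field F_P (constructed parameter, not the paper's)

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)] for i in range(n)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_pow(A, e):  # A**e for e >= 0 (the exponents in this toy instance are small)
    R = identity(len(A))
    for _ in range(e):
        R = mat_mul(R, A)
    return R

def solve_mod_p(A, b):
    """Gauss-Jordan over F_P for the square system A x = b; None if A is singular
    (the degenerate case of the Remark, which this example does not try to handle)."""
    n = len(A)
    M = [[v % P for v in row] + [b[i] % P] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], P - 2, P)  # field inverse via Fermat
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % P for vr, vc in zip(M[r], M[col])]
    return [row[n] for row in M]

def mat_inv(A):  # inverse over F_P (None if singular), one solve per column of I
    n = len(A)
    cols = [solve_mod_p(A, [int(i == j) for i in range(n)]) for j in range(n)]
    return None if any(c is None for c in cols) else [[cols[j][i] for j in range(n)] for i in range(n)]

def low_powers(M):  # [1, M, ..., M^(n-1)]: by Cayley-Hamilton they span F_P[M]
    pw = [identity(len(M))]
    for _ in range(len(M) - 1):
        pw.append(mat_mul(pw[-1], M))
    return pw

def poly_eval(coeffs, powers):  # p(M) = sum_i coeffs[i] * M^i
    n = len(powers[0])
    return [[sum(c * Mi[i][j] for c, Mi in zip(coeffs, powers)) % P for j in range(n)] for i in range(n)]

def linearised_system(M1, M2):
    """Coefficient matrix of sum_{i,j} u_ij M1^i M2^j = C1 seen as n^2 linear
    equations (one per matrix entry) in the n^2 unknowns u_ij (column i*n + j)."""
    n = len(M1)
    pw1, pw2 = low_powers(M1), low_powers(M2)
    basis = [mat_mul(pw1[i], pw2[j]) for i in range(n) for j in range(n)]
    return [[basis[c][r // n][r % n] for c in range(n * n)] for r in range(n * n)]

def eve_attack(M1, M2, C1, C2):
    """Recover K = M1^b1 M2^b2 from the public key (M1, M2) and the messages C1, C2."""
    n = len(M1)
    u = solve_mod_p(linearised_system(M1, M2), [C1[r // n][r % n] for r in range(n * n)])
    if u is None:
        raise ValueError("degenerate instance: the M1^i M2^j do not span M_n(F_P)")
    U = [u[i * n:(i + 1) * n] for i in range(n)]  # U[i][j] = x_i * y_j has rank 1
    i0, j0 = next((i, j) for i in range(n) for j in range(n) if U[i][j])
    x = [U[i][j0] for i in range(n)]                                 # x_i * y_j0
    y = [U[i0][j] * pow(U[i0][j0], P - 2, P) % P for j in range(n)]  # y_j / y_j0
    pM1, qM2 = poly_eval(x, low_powers(M1)), poly_eval(y, low_powers(M2))
    assert mat_mul(pM1, qM2) == C1  # (x, y) solves system (1), found by substitution
    # K = p(M1)^-1 C2 q(M2)^-1: p(M1)^-1 commutes with M1^b1 and q(M2)^-1 with M2^b2
    return mat_mul(mat_mul(mat_inv(pM1), C2), mat_inv(qM2))

def setup(seed=7, n=4):
    """Constructed public key: random non-commuting invertible M1, M2 over F_P for
    which the linearised system is uniquely solvable (the generic case)."""
    rng = random.Random(seed)
    while True:
        M1 = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        M2 = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if (mat_inv(M1) and mat_inv(M2) and mat_mul(M1, M2) != mat_mul(M2, M1)
                and mat_inv(linearised_system(M1, M2))):
            return M1, M2

def run_exchange(M1, M2, alice, bob):
    """The protocol: Alice sends C1, Bob replies with C2, and both end with K."""
    (a1, a2), (b1, b2) = alice, bob
    C1 = mat_mul(mat_pow(M1, a1), mat_pow(M2, a2))
    C2 = mat_mul(mat_mul(mat_pow(M1, b1), C1), mat_pow(M2, b2))
    K_bob = mat_mul(mat_pow(M1, b1), mat_pow(M2, b2))
    K_alice = mat_mul(mat_mul(mat_inv(mat_pow(M1, a1)), C2), mat_inv(mat_pow(M2, a2)))
    assert K_alice == K_bob
    return C1, C2, K_bob
```

A run is `M1, M2 = setup(); C1, C2, K = run_exchange(M1, M2, (17, 29), (5, 23)); eve_attack(M1, M2, C1, C2) == K`. `setup()` retries until the linearised system is uniquely solvable, so it deliberately produces the generic case of the Remark; on a degenerate instance `eve_attack` stops rather than searching the affine solution space for a rank-one solution, which is where the heuristic algorithm of [2] would be needed. Only non-negative exponents are handled by `mat_pow`, although the attack itself does not depend on the sign of $a_1, a_2$ since $M_1^{-1} \in \mathbb{F}_q[M_1]$ as well.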

Brief description
In this section we cryptanalyse the patent US7184551. Observe that the patented protocol is roughly $k$ times more expensive computationally than RSA, where $k$ is the order of the matrices being used.

Public key
• Alice chooses $A, C \in \mathrm{GL}_k(\mathbb{Z}_n)$ for $n = pq$ with $p, q$ prime numbers.

Cryptanalysis
The idea behind this cryptanalysis is the same as in the previous sections; we just need to revise what we did before. In this section we prove that the problem of breaking the protocol above can be reduced to factoring the modulus $n$. If $M \in M_{k\times k}(\mathbb{Z}_n)$, let $M_p$ and $M_q$ denote its two reductions modulo $p$ and $q$ respectively. Suppose $n = pq$ has been factored. We reduce $G$, $E$ and $A$ modulo $p$ and write the system
$$\Big(\sum_{i=0}^{k-1} x_i G_p^{\,i}\Big)\, A_p\, \Big(\sum_{i=0}^{k-1} x_i G_p^{\,i}\Big) = E_p \qquad (2)$$
in the $k$ unknowns $x_0, \dots, x_{k-1}$: $k^2$ homogeneous equations of degree 2 over $\mathbb{F}_p$. We can assure at least one solution by the construction $E_p = D_p A_p D_p$, since $D_p$ can be written in terms of low powers of $G_p$. We apply again the algorithm presented in [2], getting one solution of the system in polynomial time with $\varepsilon = 1/2$. This solution identifies a matrix $D' \in M_{k\times k}(\mathbb{F}_p)$, lying in $\mathbb{F}_p[G_p]$, such that $D' A_p D' = E_p$. Observe that we get the partial secret key $K_p = K \bmod p$ by multiplying $B_p$ on both sides by $D'$: $K_p = D' B_p D'$. Note that $D'$ need not coincide with $D_p$; the computation only uses that $D'$, being a polynomial in $G_p$, commutes with the other elements of $\mathbb{F}_p[G_p]$. We perform the same procedure modulo $q$, getting $D'' \in M_{k\times k}(\mathbb{F}_q)$ such that $D'' B_q D'' = K_q$. Since we have the computable isomorphism of rings given by the Chinese Remainder Theorem,
$$\psi : M_{k\times k}(\mathbb{Z}_n) \to M_{k\times k}(\mathbb{F}_p) \times M_{k\times k}(\mathbb{F}_q), \qquad M \mapsto (M_p, M_q),$$
we are able to recover the secret key $K$ just by taking the preimage of the pair $(K_p, K_q)$ under $\psi$. Note that $\psi^{-1}(K_p, K_q)$ is exactly $K$: $K_p$ and $K_q$ are necessarily the reductions of $K$ modulo $p$ and $q$ (by the homomorphism properties of $\psi$), so $K = \psi^{-1}(K_p, K_q)$ since $\psi$ is a bijection.
Remark
Observe that the equations in (2) are even easier than the ones in (1), since they have the same structure but half as many unknowns. What is again important to observe is that the Cayley–Hamilton theorem always assures us a solution. In the next subsection we give an example to show how they look.
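As an added worked derivation, not taken from the paper, here is what the linearisation of (2) and the final recombination look like for a secret of the form $D = \sum_{i=0}^{k-1} x_i G^i$. The symbols $v_{ij}$, $V$, $i_0$, $m_p$, $m_q$ and the explicit formula for $\psi^{-1}$ are this derivation's own, and the step $D' B_p D' = K_p$ assumes, as the key agreement itself requires, that Bob's $B$ is built from a polynomial $D_B$ in $G$ as $B = D_B A D_B$, so that $K = D B D = D_B E D_B$; the page does not show Bob's key generation, so this is an assumption.

Expanding the left-hand side of (2),
$$E_p = D_p A_p D_p = \sum_{i=0}^{k-1}\sum_{j=0}^{k-1} x_i x_j\; G_p^{\,i} A_p G_p^{\,j},$$
so with $v_{ij} := x_i x_j = v_{ji}$ the $k^2$ entries of $E_p$ give $k^2$ linear equations over $\mathbb{F}_p$ in the $k(k+1)/2$ unknowns $v_{ij}$, $i \le j$. For $k = 2$, the case of the example below, this reads
$$E_p = v_{00}\,A_p + v_{01}\,(G_p A_p + A_p G_p) + v_{11}\,G_p A_p G_p .$$
In the non-degenerate case this linear system has the unique solution $V = (v_{ij}) = x\,x^{\top}$. Choose $i_0$ with $v_{i_0 i_0} \neq 0$ (one exists since $x \neq 0$), take a square root $x_{i_0} = \sqrt{v_{i_0 i_0}}$ in $\mathbb{F}_p$ (polynomial time, e.g. by Tonelli–Shanks) and set $x_i = v_{i i_0}/x_{i_0}$ for the remaining coefficients. The two square roots give $\pm D'$, and both are valid since $(-D') A_p (-D') = D' A_p D' = E_p$. Because $D'$ and $D_{B,p}$ both lie in the commutative algebra $\mathbb{F}_p[G_p]$,
$$D' B_p D' = D'\, D_{B,p} A_p D_{B,p}\, D' = D_{B,p}\,(D' A_p D')\, D_{B,p} = D_{B,p} E_p D_{B,p} = K_p ,$$
so $D'$ need not equal $D_p$ for the attack to work. Finally, with $m_p := q\,(q^{-1} \bmod p)$ and $m_q := p\,(p^{-1} \bmod q)$, the inverse of $\psi$ is computed entrywise as
$$K = \psi^{-1}(K_p, K_q) \equiv m_p K_p + m_q K_q \pmod{n},$$
since $m_p \equiv 1 \pmod p$, $m_p \equiv 0 \pmod q$, and symmetrically for $m_q$.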

Example
Let $n = 61133 = 541 \cdot 113$ and Alice's public key constructed as follows: let $C$ be

Eve has now to solve the system $(x\mathbf{1} + y G_{541})\, A_{541}\, (x\mathbf{1} + y G_{541}) = E_{541}$, getting for example the solution $(x_0, y_0) = (220, 159)$, so we get $K_{541} = (x_0\mathbf{1} + y_0 G_{541})\, B_{541}\, (x_0\mathbf{1} + y_0 G_{541})$ and then

Conclusions
We have presented a polynomial time attack on the noncommutative protocol proposed in [1] and [5]. Moreover we have shown the weakness of such a protocol over any subgroup of matrices over any finite field. We have also made the attack work on the protocol presented in the patent [6], showing that breaking that cryptosystem can be reduced to factoring. It would be very interesting to find analogous noncommutative schemes that are resistant to the attack we presented. The key point is that the vector space structure of matrix rings over fields is a major weakness of this kind of protocol.

Acknowledgements
We would like to thank Gerard Maze and Davide Schipani for their very helpful ideas and suggestions.