Remarks on a Tropical Key Exchange System

Dylan Rudy; Chris Monico

doi:10.1515/jmc-2019-0061

Artikel Open Access

Remarks on a Tropical Key Exchange System

Dylan Rudy und Chris Monico

Veröffentlicht/Copyright: 20. Dezember 2020

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 15 Heft 1

Abstract

We consider a key-exchange protocol based on matrices over a tropical semiring which was recently proposed in [2]. We show that a particular private parameter of that protocol can be recovered with a simple binary search, rendering it insecure.

Keywords: tropical algebra; public key exchange; cryptanalysis

MSC 2010: 15A80; 94A60

1 Introduction

Let S be any nonempty subset of ℝ which is closed under addition. Define two operations ⊕ and ⊗ on S by

a ⊕ b = min { a , b } , a ⊗ b = a + b .

Both operations are associative and commutative and ⊗ distributes over ⊕, and hence S is a commutative semiring, called a tropical semiring. The set M = Mat_k_×k(S) of k × k matrices over S is therefore a semiring with the induced operations

( a i j ) ⊕ ( b i j ) = ( a i j ⊕ b i j ) , ( a i j ) ⊗ ( b i j ) = ( c i j ) , where c i j = ( a i 1 ⊗ b 1 j ) ⊕ ( a i 2 ⊗ b 2 j ) ⊕ ⋯ ⊕ ( a i k ⊗ b k j ) .

In [1], the authors proposed two key exchange protocols based on the structure M . Shortly after, an effective attack was given on one of those protocols in [3]. Subsequently, a new key exchange protocol was proposed in [2] (in fact, two new protocols, but they are very closely related to each other). It is this protocol that we consider in this paper.

In [2], the authors give two semigroup operations on M × M each arising as a semidirect product induced by a specified action of these matrices on themselves. The two semigroup operations are given by

(1) ( M , G ) ∘ ( S , H ) = ( M ⊕ S ⊕ H ⊕ ( M ⊗ H ) , G ⊕ H ⊕ ( G ⊗ H ) ) ,

(2) ( M , G ) ∗ ( S , H ) = ( ( H ⊗ M T ) ⊕ ( M T ⊗ H ) ⊕ S , G ⊗ H ) .

Note that for each of these operations, the first component of the product does not depend on G. This fact plays a key role in the two key exchange protocols they then propose (one corresponding to each operation):

Alice and Bob agree on public matrices M, H ∈ M whose entries are integers in the range [−N, N], and they agree on a positive integer K. Alice selects a private positive integer m < 2^K and Bob selects a private positive integer n < 2^K.
Alice computes (M, H)^m = (A, P_A) and sends A to Bob.
Bob computes (M, H)ⁿ = (B, P_B) and sends B to Alice.
Alice determines the first component of (M, H)^m⁺ⁿ = (M, H)ⁿ(M, H)^m = (B, P_B)(A, P_A) from her knowledge of A, P_A, and B (knowledge of P_B is not necessary for either of the operations (1) or (2).
Bob similarly determines the first component of (M, H)^m⁺ⁿ = (M, H)^m(M, H)ⁿ = (A, P_A)(B, P_B) from his knowledge of B, P_B, and A.

In the next section, we show that an eavesdropper can find a positive integer m′ for which the first component of (M, H)^m′ is A; she can then use this m′ to compute the shared secret key in essentially the same way as Alice. Furthermore, such an m′ can be found using 𝒪(K²) operations (1) or (2).

2 The attack

Since addition of matrices in M is idempotent, i.e., G ⊕ G = G, we have a partial order on M defined by

X ≤ Y if X ⊕ Y = X .

Clearly we have that X ≤ Y iff x_ij ≤ y_ij for all i, j ∈ {1, 2, . . . , k}. Furthermore, this partial order respects both operations on M ; if X ≤ Y and Z ∈ M , then X ⊕ Z ≤ Y ⊕ Z and X ⊗ Z ≤ Y ⊗ Z.

Proposition 2.1

Consider the semigroup M × M equipped with either of the two operations defined by (1) and (2). Let (M, H) ∈ M × M , and for each positive integer ^ℓ let (M_ℓ, H_ℓ) = (M, H)^ℓ. Then the sequence {M_ℓ} is monotonically decreasing: M₁ ≥ M₂ ≥ M₃ ≥ . . . .

Proof. Let ^ℓ ≥ 2. For the operation ∘ we have

( M ℓ , H ℓ ) = ( M ℓ − 1 , H ℓ − 1 ) ∘ ( M , H ) = ( M ℓ − 1 ⊕ M ⊕ H ⊕ ( M ℓ − 1 ⊗ H ) , H ℓ − 1 ⊕ H ⊕ ( H ℓ − 1 ⊗ H ) ) ,

so that M_ℓ = M_ℓ₋₁ ⊕ M ⊕ H ⊕ (M_ℓ₋₁ ⊗ H). In particular, M_ℓ ⊕ M_ℓ₋₁ = M_ℓ, and hence M_ℓ ≤ M_ℓ₋₁.

Similarly, for the operation * we have that

( M ℓ , H ℓ ) = ( M , H ) ∗ ( M ℓ − 1 , H ℓ − 1 ) = ( ( H ℓ − 1 ⊗ M T ) ⊕ ( M T ⊗ H ℓ − 1 ) ⊕ M ℓ − 1 , H ⊗ H ℓ − 1 ) ,

and hence M_ℓ = (H_ℓ₋₁ ⊗ M^T) ⊕ (M^T ⊗ H_ℓ₋₁) ⊕ M_ℓ₋₁. Again, M_ℓ ⊕ M_ℓ₋₁ = M_ℓ, so that M_ℓ ≤ M_ℓ₋₁.

The problem alluded to at the end of the introduction is now easily solved with a binary search. Let M, H ∈ M × M and (M, H)^ℓ = (M_ℓ, H_ℓ). Suppose A ∈ M × M satisfies A = M_m for some positive integer m < 2^K. First, obtain an upper bound on m by computing successive squares

M 1 , M 2 , M 4 , M 8 , …

until finding a positive integer t for which A ≤ M_2^t . Since it is then known that 1 ≤ m ≤ 2^t, a simple binary search will find an integer m′ for which M_m′ = A. The sequence M₁, M₂, . . . is generally strictly decreasing, in which case m′ = m. However, even if m′ ≠ m, finding such an integer m′ is enough for the eavesdropper to recover the shared secret key. Let π₁ : M × M ⟶ M be the map π₁(C, D) = C. Suppose (M, H)ⁿ = (B, P_B), (M, H)^m = (A, P_A) and (M, H)^m′ = (A, P_E). Then for each of the operations (1) and (2), the shared secret key satisfies

π 1 ( ( M , H ) m + n ) = π 1 ( ( M , H ) m ′ + n ) .

This is clear, since this shared secret key can be expressed in terms of A, B, and P_B only, but it may also be explicitly verified. For example, with the operation (1),

π 1 ( ( M , H ) m + n ) = π 1 ( ( A , P A ) ∘ ( B , P B ) ) = A ⊕ B ⊕ P B ⊕ ( A ⊗ P B ) = π 1 ( ( A , P E ) ∘ ( B , P B ) ) = π 1 ( ( M , H ) m ′ + n ) .

In particular, the eavesdropper may recover the shared secret key via

π 1 ( ( M , H ) m + n ) = π 1 ( ( M , H ) n ∘ ( M , H ) m ′ ) = π 1 ( ( B , P B ) ∘ ( A , P E ) ) = B ⊕ A ⊕ P E ⊕ ( B ⊗ P E ) .

Finding t as described above requires at most K semigroup operations in M × M . The binary search, done in the most obvious way, would compute K powers of (M, H), each of which requires no more than 2K semigroup operations in M × M , for a total complexity of at most 2K² + K operations in M × M . This can be reduced to K² + K by storing the successive squares (M₁, H₁), (M₂, H₂), (M₄, H₄), . . . and using them to compute each power of (M, H) during the binary search phase.

Addition of k × k matrices can be accomplished with 𝒪(k²) integer max operations, and multiplication accomplished using 𝒪(k³) integer addition and max operations. Therefore this attack requires 𝒪(K²k³) integer operations. We argue below that the typical entry of A has about K bits. In that case, each integer addition and max operation requires no more than K bit operations, for a total of 𝒪(K³k³) bit operations. If we let α denote the number of bits required to represent A (i.e., the key size) it follows that α ≈ Kk², and this attack requires 𝒪(α³) bit operations, a polynomial-time function of the input size. If K is fixed, as in our experiments, then it requires 𝒪(α¹.5) bit operations.

We coded this method in C, and performed some experiments on a single core of an i7 CPU at 3.10GHz. Using M = Mat_k_×k(S) for various values of k, and the parameters N = 1000, K = 200 suggested in [2], we performed 40 experiments for each value of k. In each experiment, we generated random matrices M, H and chose random positive integers m, n < 2^K and measured the time to recover an m′ as described above. The results of these experiments are summarized in Table 1. For reference, we also report the average number of bits α in the matrix A that would be shared by Alice, and the values t/k³ and t/α^1.5 for comparison with the asymptotic runtime estimates given above.

Table 1

Average number of bits α to represent A (Alice’s matrix, from Section 1), and average time t (in seconds) to recover m′ for various sized (k × k) matrices, with N = 1000 and K = 200.

k	α	t	t/k³	t/α^1.5
5	5222	0.12	0.00096	3.2e−7
10	20885	0.66	0.00066	2.2e−7
15	47025	2.43	0.00072	2.4e−7
20	83710	4.76	0.00060	2.0e−7
25	130594	10.53	0.00067	2.2e−7
30	188145	17.75	0.00066	2.2e−7
35	256484	24.05	0.00056	1.9e−7
40	334040	40.92	0.00064	2.1e−7
45	422111	45.80	0.00050	1.7e−7
50	523312	78.33	0.00063	2.1e−7
55	631091	98.19	0.00059	2.0e−7
60	752490	122.57	0.00057	1.9e−7

We would like to make one final remark about the key sizes in this system. With the notation as above and the operation (1), for example, we have

M ℓ + 1 = M ℓ ⊕ M ⊕ H ⊕ ( M l ⊗ H ) .

Since M₂ ≤ M and M₂ ≤ H and M_ℓ₊₁ ≤ M₂ for all ^ℓ ≥ 2, it follows that

M ℓ + 1 = M ℓ ⊕ ( M ℓ ⊗ H ) , for ℓ ≥ 2.

This means that, on average, the entries of M_ℓ₊₁ decrease from those of M_ℓ by an approximately constant amount, proportional to the size of the entries of H. With Alice’s m ≈ 2^K, this means that the entries of A are on the order of −c × 2^K, or about K bits each. With the parameter sizes K = 200, k = 30, N ≈ 1000 suggested in [2], one would have M and H consisting of about 9000 bits each and A with about 30×30×200 = 180, 000 bits.

3 Conclusion

The attack presented here exploits the fact that the sequence {(M, H)^ℓ} is linearly ordered. It is quite effective and practical against the protocols described in [2]. For those protocols, Alice and Bob must do approximately 𝒪(K) operations in the semigroup M × M . and this attack requires about 𝒪(K²) operations in that same semi-group, so an increase of parameter sizes does not help.

We thank the referees for their thoughtful reading of this manuscript and their feedback.

References

[1] Dima Grigoriev and Vladimir Shpilrain. Tropical cryptography. Comm. Algebra 42(6):2624–2632, 2014.10.1080/00927872.2013.766827Suche in Google Scholar

[2] Dima Grigoriev and Vladimir Shpilrain. Tropical cryptography II: extensions by homomorphisms. Comm. Algebra 47(10):4224–4229, 2019.10.1080/00927872.2019.1581213Suche in Google Scholar

[3] Matvei Kotov and Alexander Ushakov. Analysis of a key exchange protocol based on tropical matrix algebra. J. Math. Cryptol. 12(3):137–141, 2018.10.1515/jmc-2016-0064Suche in Google Scholar

Received: 2019-11-22

Accepted: 2020-09-08

Published Online: 2020-12-20

This work is licensed under the Creative Commons Attribution 4.0 International License.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2019-0061

Schlagwörter für diesen Artikel

tropical algebra; public key exchange; cryptanalysis

Creative Commons

BY 4.0