Article (Open Access)

MAKE: A matrix action key exchange

  • Nael Rahman and Vladimir Shpilrain
Published/Copyright: 7 January 2022

Abstract

We offer a public key exchange protocol based on a semidirect product of two cyclic (semi)groups of matrices over $\mathbb{Z}_p$. One of the (semi)groups is additive, and the other one is multiplicative. This allows us to take advantage of both operations on matrices to diffuse information. We note that in our protocol, no power of any matrix or of any element of $\mathbb{Z}_p$ is ever exposed, so standard classical attacks on Diffie–Hellman-like protocols are not applicable.

MSC 2010: 94A60; 20H20

1 Introduction

We start by recalling the classical Diffie–Hellman protocol [1]. The simplest, and original, implementation of this protocol uses the multiplicative group of integers modulo p , where p is prime and g is primitive modulo p . A more general description of the protocol uses an arbitrary finite cyclic group:

  1. Alice and Bob agree on a finite cyclic group $G$ of order $q$ and a generating element $g$ in $G$. We will write the group $G$ multiplicatively.

  2. Alice picks a random natural number $m < q$ and sends $g^m$ to Bob.

  3. Bob picks a random natural number $n < q$ and sends $g^n$ to Alice.

  4. Alice computes $K_A = (g^n)^m = g^{nm}$.

  5. Bob computes $K_B = (g^m)^n = g^{mn}$.

Since $mn = nm$, both Alice and Bob are now in possession of the same group element $K = K_A = K_B$, which can serve as the shared secret key.

The protocol is considered secure against an eavesdropper if $G$ and $g$ are chosen properly. The eavesdropper must solve the Diffie–Hellman problem (recover $g^{mn}$ from $g$, $g^m$, and $g^n$) to obtain the shared secret key. This is currently considered difficult for a “good” choice of parameters (see, e.g., ref. [2] for details).

In ref. [3], a new key exchange protocol was offered, based on a semidirect product of multiplicative matrix semigroups. That protocol is similar to the Diffie–Hellman protocol, but it differs in one essential detail: at the last two steps, Alice and Bob use multiplication instead of exponentiation. In other words, the equality $K_A = K_B$ in that case is based on the identity $m + n = n + m$ in the ring of integers, instead of the identity $mn = nm$. Also, even though the parties do compute a large power of a public element (as in the classical Diffie–Hellman protocol), they do not transmit the whole result, but rather just part of it, so no power of a public element is ever exposed.

The generic protocol in ref. [3] can be based on any (semi)group, in particular on any non-commutative (semi)group. For a particular instantiation of the generic protocol, the authors of ref. [3] used conjugation as an action of the multiplicative semigroup of matrices on itself, and matrices were considered over the group ring $\mathbb{Z}_7[A_5]$. A ring of such a small size was selected to enhance efficiency; however, because of this small size, the protocol turned out to be vulnerable to a “linear algebra attack,” similar to the attack on Stickel’s protocol [4] offered in ref. [5], albeit more sophisticated, see refs [6,7]. Other instantiations of the generic protocol based on semidirect product can be found in [8] and [9].

In this article, we use matrices over $\mathbb{Z}_p$ for a large $p$. The size of the exponents used in the protocol should guarantee security against brute force attacks. We also note that in our protocol, no power of any matrix is ever exposed, so standard classical attacks on Diffie–Hellman-like protocols are not applicable.

2 Semidirect products and extensions by automorphisms

We include this section to make the exposition more comprehensive. The reader who is uncomfortable with group-theoretic constructions can skip to Section 2.1.

We now recall the definition of a semidirect product:

Definition 1

Let $G$, $S$ be two groups, let $\mathrm{Aut}(G)$ be the group of automorphisms of $G$, and let $\rho : S \to \mathrm{Aut}(G)$ be a homomorphism. Then the semidirect product of $G$ and $S$ is the set

$$\Gamma = G \rtimes_\rho S = \{(g, h) : g \in G,\ h \in S\}$$

with the group operation given by

$$(g, h)(g', h') = (g^{\rho(h')} g', \; hh').$$

Here $g^{\rho(h')}$ denotes the image of $g$ under the automorphism $\rho(h')$, and when we write a product $hh'$ of two morphisms, this means that $h$ is applied first.

In this article, we focus on a special case of this construction, where the group S is just a sub(semi)group of the semigroup of self-homomorphisms of G , typically a cyclic sub(semi)group. We give more details about this special case in Section 2.1.

2.1 Extensions by automorphisms

A particularly simple special case of the semidirect product construction is where the group $S$ is just a subgroup of the group $\mathrm{Aut}(G)$ of automorphisms of $G$. Then the semidirect product is the set of all pairs $(g, \phi)$, where $g \in G$, $\phi \in S$, with the group operation given by

(1) $$(g, \phi)(g', \phi') = (\phi'(g)\, g', \; \phi\phi').$$

One can also use this construction if G is not necessarily a group, but just a semigroup, and/or consider endomorphisms (i.e., self-homomorphisms) of G , not necessarily automorphisms. Then the resulting semidirect product will be a semigroup, not a group, but this is quite sufficient for being the platform of a Diffie–Hellman-like key exchange protocol.

3 Action

Our platform semigroup will be a semidirect product of two semigroups of matrices over $\mathbb{Z}_p$. In the notation of Section 2.1, the semigroup $G$ will be the additive semigroup of all matrices over $\mathbb{Z}_p$, and the semigroup $S$ will be a cyclic multiplicative semigroup of matrices. More specifically, the semigroup $S$ will consist of pairs of matrices over $\mathbb{Z}_p$, of the form $(H_1^k, H_2^k)$ for some fixed matrices $H_1, H_2$ and all positive exponents $k$.

The action of $S$ on $G$ will be as follows: $M^{(S_1, S_2)} = S_1 M S_2$ for $M \in G$, $(S_1, S_2) \in S$. Note that this is an action only if we restrict to a commutative (in particular, cyclic) (semi)group $S$ generated by a pair of matrices $(H_1, H_2)$.

Thus, in the semidirect product of the additive semigroup of matrices with the multiplicative cyclic semigroup generated by $(H_1, H_2)$, the multiplication looks like this (cf. formula (1)):

$$(M, (H_1, H_2))^2 = (M, (H_1, H_2))\,(M, (H_1, H_2)) = (H_1 M H_2 + M, \; (H_1^2, H_2^2));$$

$$(M, (H_1, H_2))^3 = (H_1 M H_2 + M, \; (H_1^2, H_2^2))\,(M, (H_1, H_2)) = (H_1^2 M H_2^2 + H_1 M H_2 + M, \; (H_1^3, H_2^3)), \text{ etc.}$$

4 Protocol description

The protocol description is given below. Parameters are discussed separately in Section 5.

  1. (key selection)

    1. Alice and Bob agree on three public matrices, $M$, $H_1$, and $H_2$, over $\mathbb{Z}_p$, such that $M H_i \ne H_i M$ and such that $\det(H_1) = \det(H_2) = 0$.

    2. Alice selects a private integer $m$ and Bob selects a private integer $n$.

  2. Alice computes $(M, (H_1, H_2))^m$ and sends only the first component (call it $A$) of the result to Bob.

  3. Bob computes $(M, (H_1, H_2))^n$ and sends only the first component (call it $B$) of the result to Alice.

  4. Alice computes $(B, x)(A, (H_1, H_2)^m) = (H_1^m B H_2^m + A, \; ?)$. Her key is now $K_A = H_1^m B H_2^m + A$.

  5. Bob computes $(A, y)(B, (H_1, H_2)^n) = (H_1^n A H_2^n + B, \; ?)$. His key is now $K_B = H_1^n A H_2^n + B$.

  6. Since $(M, (H_1, H_2))^{m+n} = (B, x)(A, (H_1, H_2)^m) = (A, y)(B, (H_1, H_2)^n) = (K, (H_1, H_2)^{m+n})$, we should have $K_A = K_B = K$, the shared secret key.

Remark 1

Note that, in contrast with the “standard” Diffie–Hellman key exchange, correctness here is based on the equality $x^m x^n = x^n x^m = x^{m+n}$ rather than on the equality $(x^m)^n = (x^n)^m = x^{mn}$. In the “standard” Diffie–Hellman set up, our trick would not work because, if the shared key $K$ was just the product of two openly transmitted elements, then anybody, including the eavesdropper, could compute $K$.

5 Parameter and key sampling

The size $k$ of matrices can be small; we suggest $k = 3$.

The basic parameter $p$ should have the same properties and the same magnitude as recommended for the classical Diffie–Hellman protocol. In particular, $p$ should be a safe prime, i.e., a prime of the form $p = 2q + 1$.

The parameter $r$ and the exponents $s$, $t$, $m$, and $n$ should be of the same magnitude as $q = \frac{p-1}{2}$.

For the public matrices $M$, $H_1$, and $H_2$, we require that $M H_i \ne H_i M$ and $\det(H_1) = \det(H_2) = 0$. Sampling of non-commuting singular matrices can be done as follows. First build a matrix $M$ with entries selected uniformly at random from $\mathbb{Z}_p$.

Then, the matrix $H_1$ is built as follows. First, make a diagonal matrix $D$: put 0 in the upper left corner, and random nonzero elements of $\mathbb{Z}_p$ in the remaining places on the diagonal. Then make sure that these random elements do not have order 2. If they do not, then, since $p - 1 = 2q$, by Lagrange’s theorem their order is at least $q$, i.e., is large. Now select a matrix $S$ all of whose entries are random elements of $\mathbb{Z}_p$. With high probability, this matrix will be invertible. If not, then change one of the entries of $S$. If $S$ is invertible, let $H_1 = S^{-1} D S$.

To build $H_2$, use the same procedure but with fresh randomness throughout.

Then, check that $M H_i \ne H_i M$; this will be the case with high probability. If this is not the case for one of the $H_i$, redo the selection of $M$.

Finally, we address the question of how the matrices $X$ and $Y$ are selected. Given that the matrices $H_1^s$ and $H_2^s$ are singular, the matrix equation $H_1^s X H_2^s = O$ should have nonzero solutions for $X$. In fact, any solution of $H_1^s X = O$ or $X H_2^s = O$ will also be a solution of $H_1^s X H_2^s = O$. However, we need $X$ to also satisfy $H_1^{s-1} X H_2^{s-1} \ne O$, according to Step 1 of the protocol. Thus, what we do is re-write the matrix equation $H_1^s X H_2^s = O$ (where all matrices are $k \times k$) as a system of $k^2$ homogeneous linear equations in the $k^2$ entries $x_{ij}$ of the matrix $X$. We know that this system has many nonzero solutions; we just pick one of them at random. Then we check whether $H_1^{s-1} X H_2^{s-1} \ne O$ is satisfied; it will be with high probability. If not, we select a different nonzero solution for the system of linear equations in $x_{ij}$ mentioned above.

6 Security

In this section, we address security of the protocol described in Section 4.

Our security assumption here, analogous to the computational Diffie–Hellman assumption, is that it is computationally infeasible to retrieve the shared secret key $K$ from the five public matrices $(M, H_1, H_2, A, B)$. The matrices $A$ and $B$ are expressed in terms of the matrices $M$, $H_1$, and $H_2$ as follows:

(2) $$A = H_1^{m-1} M H_2^{m-1} + H_1^{m-2} M H_2^{m-2} + \cdots + H_1 M H_2 + M.$$

(3) $$B = H_1^{n-1} M H_2^{n-1} + H_1^{n-2} M H_2^{n-2} + \cdots + H_1 M H_2 + M.$$

The shared secret key $K$ is

(4) $$K = H_1^{n+m-1} M H_2^{n+m-1} + H_1^{n+m-2} M H_2^{n+m-2} + \cdots + H_1 M H_2 + M.$$

What makes our scheme compare favorably to, say, the scheme of ref. [3] is that in computing $A$ and $B$, both operations on matrices (addition and multiplication) are employed, which is good for security because neither multiplicative (e.g., the determinant) nor additive (e.g., the trace) functions of a matrix can be used to reduce the problem to a problem in $\mathbb{Z}_p$.

Also, the expressions for $A$ and $B$ cannot be factored into products of simpler expressions. To compare, factoring would be possible if the action of (a single matrix) $H$ on $M$ was a one-sided multiplication. For example, if the action of $H$ on $M$ was given by $M \to MH$, then the matrix $A$ would be equal to $MH^m + MH^{m-1} + \cdots + MH + M = M(H^m + H^{m-1} + \cdots + H + I)$. The adversary could multiply this on the right by $(H - I)$ and get $M(H^{m+1} - I)$. Since the matrices $M$ and $H$ are public, the adversary could then recover $MH^{m+1}$ or even $H^{m+1}$ if $M$ is invertible. Then, if $H$ is invertible, too, the adversary can recover $H^m$, and this breaks the scheme.

However, with the action $M \to H_1 M H_2$, no factorization of $A$ (or $B$) is possible, and there is no visible way to recover $K$ from $(M, H_1, H_2, A, B)$.

6.1 Discrete log problem in $\mathbb{Z}_p$ as a special case

We note again that no power of any matrix is ever exposed, so all standard attacks on Diffie–Hellman-like protocols are not applicable in our situation. We also note that the analog of the discrete logarithm problem for our protocol is at least as hard as it is for the classical Diffie–Hellman protocol.

Proposition 1

Let a prime $p$ be of the form $p = 4n + 3$. (In particular, safe primes have this property.) Suppose it is computationally feasible for the adversary to recover, from the $3 \times 3$ public matrices $A$, $M$, $H_1$, and $H_2$ over $\mathbb{Z}_p$, the private exponent $m$ in the protocol in Section 4. Then it is computationally feasible for the adversary to recover the private exponent $k$ from $g$ and $g^k$ in the classical Diffie–Hellman protocol.

Proof

In the notation we used for the Diffie–Hellman protocol in Section 1, suppose we are given $g$ and $g^m$, for some $g \in \mathbb{Z}_p$ and $m \in \mathbb{Z}$. Make a $3 \times 3$ matrix $M$ with $a_{11} = g$; $a_{22}$, $a_{23}$, and $a_{33}$ random. Let the matrix $H = H_1 = H_2$ be a diagonal matrix, with $h_{22} = 1$; $h_{11}$ random, and $h_{33} = 0$.

Then, for any $i \ge 0$, the matrix $H^i$ will have $h_{11}^i$, 1, and 0 on the diagonal. The matrix $H^i M H^i$ will have $g^{2i}$ in the upper left corner, and zeros as other entries in the first row and in the first column. Therefore, the matrix $A$ (see formula (2)), which is the sum of $H^i M H^i$, will have $g^{\sum 2i}$ in the upper left corner, and zeros as other entries in the first row and in the first column. The summation in the exponent on $g$ is from $i = 0$ to $i = m - 1$ and the whole exponent on $g$ is therefore equal to $(m-1)(m-2)$. Clearly, one knows $m$ if and only if one knows $(m-1)(m-2)$. Other entries of the matrix $A$ are as follows. The entry $(2, 2)$ is $m a_{22}$, i.e., it is random since $a_{22}$ is random. Similarly, the entry $(2, 3)$ is $m a_{23}$, i.e., is random. The entry $(3, 2)$ is 0. Finally, the entry $(3, 3)$ is $\sum a_{33} h_{33}^j$, where $j$ in the exponent on $h_{33}$ runs from $j = 0$ to $j = m - 1$. Again, this is random since $a_{33}$ is random.

Thus, the matrix $A$ has $g^{(m-1)(m-2)}$ in the upper left corner, and other entries are either zeros or random. Hence, our strategy for recovering $k$ from $g$ and $g^k$ will be as follows. Put $g^k$ in the upper left corner of $A$, and make other entries either zeros or random, according to what we wrote in the previous paragraph. Then recover $m$, if possible, using an algorithm that is assumed to exist by the Proposition hypothesis. We say “if possible” because $k$ may not have the form $(m-1)(m-2)$, in which case the algorithm may fail.

Re-write $(m-1)(m-2)$ as $\left(m - \frac{3}{2}\right)^2 - \frac{9}{4}$. Here $\frac{3}{2}$ means $3 \cdot 2^{-1}$. The inverse of 2 exists since $p \ne 2$. Similarly, $\frac{9}{4}$ is a particular fixed element of $\mathbb{Z}_p$; denote it by $r$. Thus, $k + r = \left(m - \frac{3}{2}\right)^2$, i.e., $(k + r)$ should be a quadratic residue modulo $p$ for our hypothetical algorithm to work. If $(k + r)$ is not a quadratic residue modulo $p$, then, since $p$ is of the form $p = 4n + 3$, it is known that $(-r - k)$ should be a quadratic residue. Then we replace $g^k$ in the matrix $A$ by $g^{-r}(g^k)^{-1} = g^{-r-k}$ and run our algorithm on this updated matrix as well.

Thus, we will have two similar algorithms running in parallel on two different matrices $A$: one with $g^k$ in the upper left corner, the other one with $g^{-r-k}$. One of these algorithms will recover $m$, and therefore $k$ (or $(-r-k)$), and this completes the proof. □

6.2 Indistinguishability from random

We have run some tests to see if the matrix $K$ (the shared secret key) is indistinguishable from random. Figure 1 shows a histogram of values of the $(1,1)$ entry of $K$, for a 200-bit $p$. Here values from 0 to $p$ are split into ten groups (“bins”) of size $\frac{p}{10}$ and the number of values in each bin, out of 100,000 trials, is recorded. The histogram shows an essentially uniform distribution of values between the bins. Histograms for values of other entries of the matrix $K$ look the same, so $K$ passes at least this simple randomness test.

Figure 1: Value distribution for the (1,1) entry of $K$.

Another test we have run was computing the mean of the entries of $K$ in each single row and each single column, as well as the mean of all entries of the matrix $K$. Figure 2 shows a histogram of the means of the entries of the first column, out of 100,000 trials. Figure 3 shows a histogram of the means of all entries of the matrix $K$. Again, values from 0 to $p$ are split into ten groups (“bins”) of size $\frac{p}{10}$. By the central limit theorem, if several random variables are independent and identically distributed, then their mean is approximately normally distributed. Thus, Figures 2 and 3 are, though indirect, still evidence of different entries of $K$ being independent.

Figure 2: Mean distribution of the first column entries of $K$.

Figure 3: Mean distribution of all entries of $K$.

Further evidence of the matrix $K$ being indistinguishable from random is the independent distribution of values of different entries of $K$. This is illustrated by Figure 4. It shows that the joint distribution of values of a pair of different entries of $K$ is very close to uniform, i.e., for any two possible values $(x, y)$ of the entries in such a pair, the probability to occur is $\frac{1}{p^2} = \frac{1}{p} \cdot \frac{1}{p}$, evidencing independence of $x$ and $y$. The ticks on the $x$-axis of the histogram in Figure 4 split the $p$ possible values of the first entry in a pair into ten bins corresponding to sets of values with an increment of $h = \frac{p}{10}$. Each of these ten bins is split again into ten bins of equal size to accommodate possible values of the second entry in a pair.

Figure 4: Distribution of values of a pair of entries of $K$.

7 “Telescoping” attack

The following “telescoping” trick is the crucial part of the attack in ref. [10], and it seems to be the main threat to most key exchange schemes based on a semidirect product.

One can multiply equation (2) by $H_1$ on the left and by $H_2$ on the right to get

(5) $$H_1 A H_2 = H_1^m M H_2^m + H_1^{m-1} M H_2^{m-1} + \cdots + H_1 M H_2.$$

This, together with (2), yields

(6) $$H_1^m M H_2^m = H_1 A H_2 + M - A.$$

Since $H_1 A H_2$, $M$, and $A$ are public, the attacker now knows $H_1^m M H_2^m$ and can use a linear algebra attack from there.

We also note that the “telescoping” attack was recently analyzed in ref. [11] in reference to our other key exchange scheme [12] based on a semidirect product of semigroups of matrices over a semiring, and in that setting, an attack similar to that in ref. [10] was shown to be much less successful, upon appropriate choice of parameters of the scheme.

8 Implementation and performance

The scheme of this article was implemented using Python, except for Step 1(iii) since Python does not seem to be able to solve systems of linear equations over $\mathbb{Z}_p$. The code is available online, along with a challenge, see ref. [13].

We note that formulas (2) and (3) may create an impression that to compute the matrices $A$ and $B$, Alice and Bob have to compute all powers of the matrices $H_1$ and $H_2$, from 1 to $(m-1)$ or $(n-1)$. However, this is not the case; a large power of $(M, (H_1, H_2))$ can be computed with the usual square-and-multiply method, and this will produce $A$ or $B$ as the corresponding first component.
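The protocol of Section 4, the Section 5 sampling of singular non-commuting $H_i$, the square-and-multiply computation described above, and the telescoping identity (6) of Section 7, as one added example (this is not the authors' code from ref. [13]). It assumes a constructed toy safe prime $p = 1019 = 2 \cdot 509 + 1$ and a seeded generator so the run is reproducible; real parameters need a CSPRNG and a $p$ of the size recommended in Section 5.

```python
import random

def mat_mul(X, Y, p):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]

def mat_add(X, Y, p, sign=1):
    """Entrywise X + sign*Y mod p; sign=-1 subtracts."""
    return [[(x + sign * y) % p for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mat_inv(X, p):
    """Gauss-Jordan inverse over Z_p; None if X is singular."""
    n = len(X)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(X)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c] % p), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, p)
        aug[c] = [v * inv % p for v in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [(a - aug[r][c] * b) % p for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def semidirect_mul(a, b, p):
    """Formula (1) with the Section 3 action: (M,(S1,S2))(M',(T1,T2)) = (T1 M T2 + M', (S1 T1, S2 T2))."""
    (M, (S1, S2)), (Mp, (T1, T2)) = a, b
    return (mat_add(mat_mul(mat_mul(T1, M, p), T2, p), Mp, p),
            (mat_mul(S1, T1, p), mat_mul(S2, T2, p)))

def semidirect_pow(elem, e, p):
    """Left-to-right square-and-multiply (Section 8), e >= 1; needs no identity element."""
    result = elem
    for bit in bin(e)[3:]:
        result = semidirect_mul(result, result, p)
        if bit == "1":
            result = semidirect_mul(result, elem, p)
    return result

def sample_singular_h(k, p, rng):
    """Section 5: H = S^-1 D S, D = diag(0, d_2, ..., d_k) with d_i in 2..p-2 (so of order >= q)."""
    while True:
        diag = [0] + [rng.randrange(2, p - 1) for _ in range(k - 1)]
        D = [[diag[i] if i == j else 0 for j in range(k)] for i in range(k)]
        S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        if (S_inv := mat_inv(S, p)) is not None:
            return mat_mul(mat_mul(S_inv, D, p), S, p)

def sample_params(k, p, rng):
    """Public M, H1, H2 with M H_i != H_i M and det(H_i) = 0 (Step 1)."""
    while True:
        M = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        H1, H2 = sample_singular_h(k, p, rng), sample_singular_h(k, p, rng)
        if all(mat_mul(M, H, p) != mat_mul(H, M, p) for H in (H1, H2)):
            return M, H1, H2

def shared_key(received, own, p):
    """Steps 4-5: (B, x)(A, (H1,H2)^m) has first component H1^m B H2^m + A."""
    A, (S1, S2) = own
    return mat_add(mat_mul(mat_mul(S1, received, p), S2, p), A, p)

def telescoped(M, H1, H2, A, p):
    """Formula (6): H1 A H2 + M - A equals H1^m M H2^m, yet uses public data only."""
    return mat_add(mat_add(mat_mul(mat_mul(H1, A, p), H2, p), M, p), A, p, sign=-1)

def run_demo(p=1019, k=3, m=123, n=456, seed=1):
    """Returns (K_A == K_B, square-and-multiply == formula (2), identity (6) holds).
    p = 1019 = 2*509 + 1 is a constructed toy safe prime; the seed is for reproducibility only."""
    rng = random.Random(seed)
    M, H1, H2 = sample_params(k, p, rng)
    alice = semidirect_pow((M, (H1, H2)), m, p)  # Alice transmits only alice[0] = A
    bob = semidirect_pow((M, (H1, H2)), n, p)    # Bob transmits only bob[0] = B
    K_A, K_B = shared_key(bob[0], alice, p), shared_key(alice[0], bob, p)
    A_sum, term = [[0] * k for _ in range(k)], M  # formula (2): sum over i < m of H1^i M H2^i
    for _ in range(m):
        A_sum, term = mat_add(A_sum, term, p), mat_mul(mat_mul(H1, term, p), H2, p)
    H1m_M_H2m = mat_mul(mat_mul(alice[1][0], M, p), alice[1][1], p)
    return K_A == K_B, A_sum == alice[0], telescoped(M, H1, H2, alice[0], p) == H1m_M_H2m
```

The third flag returned by `run_demo` confirms that $H_1^m M H_2^m$ is determined by the public data $(M, H_1, H_2, A)$ alone, which is the foothold of the attack in ref. [10].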

The number of multiplications in $\mathbb{Z}_p$ needed to compute $H_i^n$ is, of course, larger than that needed to compute $g^n$ for $g \in \mathbb{Z}_p$. To compute the square of a $3 \times 3$ matrix, one needs 24 multiplications of elements of $\mathbb{Z}_p$, so one can expect our protocol to run at least 24 times slower than the classical Diffie–Hellman protocol. This is still fast enough to be practical; with a 2000-bit $p$ the run time of the protocol is about 2 s on a very basic computer. Besides, given that at this time there are no visible approaches whatsoever (other than brute force) to attack the protocol in this article, the basic parameter $p$ can probably be taken smaller than what is recommended for standard Diffie–Hellman protocols, and this will reduce the run time.

A particular 2000-bit safe prime p that we used in our computer simulations was 10045850546888 5003633418577656224333902553170484436983273607309963845847739507115860865964753239939027972338834707903941940188314348678981808910413754306718965087266944429878241410578991733762502442817585765598816431431108282071433256273345939973526837788093199292557721204590554061504359121574222368307048919809010489980961017706729222034791017130925070426893349814057145812995340991548906078333104951440614482037356443864699967124299012034397810342312642333550598174454039699165710636052240583294703998189114479917657125270697086234200442489544474659560583354052797579309573507121265302226528942789519.

9 Conclusion

  • We have offered a key exchange protocol, resembling the classical Diffie–Hellman protocol, based on a semidirect product of two cyclic semigroups of matrices over $\mathbb{Z}_p$. One of the semigroups is additive, and the other one is multiplicative.

  • In our protocol, no power of any matrix or any element of $\mathbb{Z}_p$ is ever exposed, so all standard attacks on Diffie–Hellman-like protocols are not applicable.

  • The security assumption, analogous to the computational Diffie–Hellman assumption, is the computational infeasibility of recovering the value of a polynomial (of unknown degree) of a special form on three given matrices, from the values of two other polynomials (also of unknown degrees) on the same three matrices. A weaker security assumption is analogous to the discrete log assumption in $\mathbb{Z}_p$ and is provably at least as hard.

  • Brown et al. [10] have cryptanalyzed the scheme in this article. By using the “telescoping” trick and tools of linear algebra, they have recovered the shared secret key without recovering the parties’ private keys. At the time of this writing, it is not clear whether the MAKE scheme can be adjusted to be resistant to this kind of attacks.

Conflict of interest: Prof. Vladimir Shpilrain is a member of the Editorial Board of the Journal of Mathematical Cryptology, but he did not influence the review process of this paper.

References

[1] Diffie W, Hellman ME. New directions in cryptography. IEEE Trans Inform Theory. 1976;IT-22:644–54. doi:10.1109/TIT.1976.1055638

[2] Menezes A, van Oorschot P, Vanstone S. Handbook of applied cryptography. Boca Raton, FL: CRC Press; 1996.

[3] Habeeb M, Kahrobaei D, Koupparis C, Shpilrain V. Public key exchange using semidirect product of (semi)groups. In: ACNS 2013, Lecture Notes in Computer Science. Vol. 7954. Springer; 2013. p. 475–86. doi:10.1007/978-3-642-38980-1_30

[4] Stickel E. A new method for exchanging secret keys. In: Proceedings of the Third International Conference on Information Technology and Applications (ICITA 05). Contemporary Mathematics. Vol. 2. IEEE Computer Society; 2005. p. 426–30. doi:10.1109/ICITA.2005.33

[5] Shpilrain V. Cryptanalysis of Stickel’s key exchange scheme. In: Computer Science in Russia 2008, Lecture Notes in Computer Science. Vol. 5010. Springer; 2008. p. 283–8. doi:10.1007/978-3-540-79709-8_29

[6] Myasnikov AG, Roman’kov V. A linear decomposition attack. Groups Complexity Cryptol. 2015;7:81–94. doi:10.1515/gcc-2015-0007

[7] Roman’kov V. Linear decomposition attack on public key exchange protocols using semidirect products of (semi)groups. Preprint. http://arxiv.org/abs/1501.01152

[8] Grigoriev D, Shpilrain V. Tropical cryptography II: extensions by homomorphisms. Comm Algebra. 2019;47:4224–9. doi:10.1080/00927872.2019.1581213

[9] Kahrobaei D, Shpilrain V. Using semidirect product of (semi)groups in public key cryptography. In: CiE 2016, Lecture Notes in Computer Science. Vol. 9709. Springer; 2016. p. 132–41. doi:10.1007/978-3-319-40189-8_14

[10] Brown D, Koblitz N, LeGrow J. Cryptanalysis of “MAKE.” Preprint. https://eprint.iacr.org/2021/465. doi:10.1515/jmc-2021-0016

[11] Battarbee C, Kahrobaei D, Tailor D, Shahandashti SF. On the efficiency of a general attack against the MOBS cryptosystem. Preprint. https://arxiv.org/abs/2111.05806. doi:10.1515/jmc-2021-0050

[12] Rahman N, Shpilrain V. MOBS (Matrices Over Bit Strings) public key exchange. Preprint. https://eprint.iacr.org/2021/560

[13] Python code: MAKE, MAKE Challenge, http://shpilrain.ccny.cuny.edu/make.py.txt, http://shpilrain.ccny.cuny.edu/MAKE_Challenge.py.txt

Received: 2020-12-06
Revised: 2021-12-05
Accepted: 2021-12-14
Published Online: 2022-01-07

© 2022 Nael Rahman and Vladimir Shpilrain, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
