Open Access Published by De Gruyter July 7, 2018

Analysis of a key exchange protocol based on tropical matrix algebra

Matvei Kotov and Alexander Ushakov

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2016-0064

Abstract

In this paper, we consider a two party key-exchange protocol proposed in [D. Grigoriev and V. Shpilrain, Tropical cryptography, Comm. Algebra 43 (2014), 2624–2632, Section 2], which uses tropical matrix algebra as the platform. Our analysis shows that the scheme is not secure.

Keywords: Tropical algebra; cryptography; key-exchange; min-plus systems

MSC 2010: 94A60; 68W30

1 Introduction

In this paper, we analyze a key-exchange protocol based on tropical matrix algebra proposed in [3, Section 2]. Ideas similar to [3] were used before in the “classic” case, i.e., for algebras with familiar addition and multiplication. However, in the classic case, these schemes were shown to be vulnerable to various linear algebra attacks. The idea to use an algebra with another addition and multiplication came as an attempt to avoid those attacks, as there are no known algorithms for solving systems of linear equations in tropical sense (it is an active field of research currently).

1.1 Tropical algebra

Consider the extended set of real numbers ℝ∪{∞} and binary operations ⊕,⊗ defined by

x⊕y=min⁡(x,y),

x⊗y=x+y.

A set S⊆ℝ∪{∞} closed under + and containing 0 and ∞ is called a tropical semi-ring. It is straightforward to check that (S,⊕,⊗) satisfies all the axioms of a commutative ring with unity 0 except for existence of additive inverses. In this paper S=ℤ∪{∞}.

The set of all n×n matrices Mn⁢(S) with entries in S can be equipped with operations ⊕ and ⊗ as well, as defined below:

(ai⁢j)⊕(bi⁢j)=(ai⁢j⊕bi⁢j),

(ai⁢j)⊗(bi⁢j)=(ai⁢1⊗b1⁢j⊕…⊕ai⁢n⊗bn⁢j).

The obtained algebra R=(Mn⁢(S),⊕,⊗) is called a tropical matrix algebra.

The identity matrix is the matrix that has 0 on the diagonal and ∞ elsewhere. A scalar matrix is a matrix that has c∈S on the diagonal and ∞ elsewhere. To multiply a matrix by a scalar is to multiply the matrix by the corresponding scalar matrix. If p⁢(x)=⊕i=0dci⊗x⊗i is a polynomial and A∈Mn⁢(S), then we can define p⁢(A) in the obvious way:

p⁢(A)=⊕i=0dci⊗A⊗i.

For more information on tropical algebras see [1], and for more information on non-commutative algebraic structures used in cryptography see [6].

1.2 The protocol

Here we describe a two party key-exchange protocol proposed in [3, Section 2]. Let A,B∈R be matrices satisfying A⊗B≠B⊗A, called public base matrices.

Alice generates random polynomials p1⁢(x),p2⁢(x)∈ℤ⁢[x] and sends U=p1⁢(A)⊗p2⁢(B) to Bob.
Bob generates random polynomials q1⁢(x),q2⁢(x)∈ℤ⁢[x] and sends V=q1⁢(A)⊗q2⁢(B) to Alice.
Alice computes KA=p1⁢(A)⊗V⊗p2⁢(B).
Bob computes KB=q1⁢(A)⊗U⊗q2⁢(B).

It is easy to check that Alice and Bob finally compute the same matrix K=KA=KB, called the shared key.

The following key generation method is suggested in [3, Section 2.5].

The size of matrices n=10.
The entries of matrices A and B are integers, selected randomly in [-1010,1010].
The degrees of the four polynomials p1⁢(x),p2⁢(x),q1⁢(x),q2⁢(x) are selected uniformly randomly in the range [1,10].
The coefficients of p1⁢(x),p2⁢(x),q1⁢(x),q2⁢(x) are selected uniformly randomly in [-1000,1000].

1.3 Computational assumption

For a passive eavesdropper to break the protocol means to be able to compute the value of K based on the values of A,B,U,V. For that it clearly suffices to find a pair of matrices X,Y satisfying the following conditions:

(1){X⊗A=A⊗X,Y⊗B=B⊗Y,X⊗Y=U,

or to solve a similar system for Bob’s public key. Indeed, if X,Y satisfy the conditions above, then the product X⊗V⊗Y is equal to K. In the case of matrix algebra over (ℤ,+,⋅) one would reduce the system above to a system of linear equations (as in [7, 5]). The same approach does not seem to work with tropical algebra as explained in [3].

2 Simple heuristic for original key generation method

In this section we argue that one can find a solution of system (1) by a very simple heuristic when the public information is generated as proposed in [3].

Consider a particular 3×3 matrix A with entries chosen uniformly randomly in the range [-100,100]

A=(-4213-96-281665-8531-75)

and its tropical powers

A⊗2=(-181-65-171-70-15-124-160-72-181),A⊗3=(-256-168-277-209-93-199-266-150-256),

A⊗4=(-362-246-352-284-196-305-341-253-362),A⊗5=(-437-349-458-390-274-380-447-331-437).

As we can see the entries in A⊗i very soon become negative and decrease linearly with i. In a linear combination of the matrices A⊗i with sufficiently small coefficients xi, say -10≤xi≤10, smaller monomials are irrelevant compared with the leading monomial, i.e., for any choice of the coefficients -10≤xi≤10 we have

⊕i=05xi⊗A⊗i=x5⊗A⊗5.

This is precisely the case for key generation proposed in [3]. Half of the entries in A and B have negative value. The entries in the tropical-powers A⊗i and B⊗i become all negative very fast (when i≥2) and decrease faster than the range for coefficients which makes lower monomials in the polynomials p1,p2 irrelevant. Based on that observation one can expect that system (1) has a solution of the form

X=c⊗A⊗i and Y=B⊗j

for some i,j∈[1,D] and c∈ℤ, where D is the upper bound for degrees of polynomials in the protocol.

This gives us the following simple heuristic attack. For each i,j∈[1,D] we compute the matrix

Ti⁢j=U-A⊗i⊗B⊗j.

If Ti⁢j=(c)k⁢l for some constant c, then X=c⊗A⊗i, Y=B⊗j is a required solution to (1), and the algorithm successfully stops. If there are not such i and j, then the algorithm fails.

Table 1 shows success rates of the described algorithm for different key-generation strategies. If the keys are generated as originally proposed, then the success rate is 97%. Success rate decreases to 71% if we allow a larger range for coefficients in polynomials p1,p2. It becomes negligible if we allow only non-negative entries in A and B. Below we suggest an attack which works well in this case.

Table 1

Experimental results of the simple heuristical algorithm.

Range for of polynomials	[-103,103]	[-1010,1010]	[0,1010]
Range for entries of matrices	[-1010,1010]	[-1010,1010]	[0,1010]
Average time	0.5 sec	0.6 sec	1.2 sec
Success rate	97 %	71 %	2 %

3 General attack

In this section we discuss a general attack on the protocol. The success rate of this attack does not depend on parameters of key generation and equals 100 %. We find matrices X and Y of the form

X=⊕i=0Dxi⊗A⊗i,Y=⊕j=0Dyj⊗B⊗j

with unknown coefficients xi,yj∈ℤ. Clearly for such matrices the first and the second equality in (1) are satisfied. Notice that

X⊗Y=⊕i,j=0Dxi⊗yj⊗A⊗i⊗B⊗j.

Therefore, to break the protocol, we need to find x0,…,xD,y0,…,yD∈ℤ such that

⊕i,j=0Dxi⊗yj⊗Vi⁢j=U,

where Vi⁢j=A⊗i⊗B⊗j. Using the definition of ⊕ and ⊗, we get a system of equations

mini,j⁡(xi+yj+Vk⁢li⁢j)=Uk⁢l for each ⁢k,l∈[1,n].

This system is equivalent to the following system:

(2)mini,j⁡(xi+yj+Tk⁢li⁢j)=0 for each ⁢k,l∈[1,n],

where Ti⁢j=Vi⁢j-U. Solving system (2) is the main goal of this section.

Denote by mi⁢j the least entry in the matrix Ti⁢j and by Pi⁢j the set of entries where the minimum is achieved:

mi⁢j=mink,l⁡Tk⁢li⁢j,Pi⁢j={(k,l):Tk⁢li⁢j=mi⁢j}.

Notice that any solution xi,yj, 0≤i,j≤D, of (2) satisfies the following conditions:

xi+yj≥-mi⁢j.
For every k,l there exist i,j such that (k,l)∈Pi⁢j and xi+yj=-mi⁢j.

Therefore, to solve (2), we need to find a cover C⊆{P00,P01,…,PD⁢D} of the set [1,n]×[1,n] and values xi,yj, 0≤i,j≤D, satisfying

(3){xi+yj=-mi⁢jif ⁢Pi⁢j∈C,xi+yi≥-mi⁢jotherwise.

Hence, in order to solve (2), we need to enumerate all minimal covers for [1,n]×[1,n] and then find those that define consistent systems of equalities and inequalities (3).

Recall that finding a minimal set cover problem is one of Karp’s 21 problems shown to be NP-complete in 1972. Nevertheless, for all randomly generated instances of the protocol it was relatively easy to enumerate all possible minimal covers.

We generate a set containing all the minimal covers using simple recursive procedure. As one can see in Table 2, often the number of covers is small, and rarely it is greater than 10,000. In every experiment we were able to enumerate them in a few seconds.

Table 2

Experimental results of the general attack.

Range for coefficients of polynomials	[-103,103]	[-1010,1010]	[0,1010]
Range for entries of matrices	[-1010,1010]	[-1010,1010]	[0,1010]
Maximal number of covers	102	296	20736
Average number of covers	4.2	16.52	705.5
Median of number of covers	1	1	7.5
Average number of tested covers	1	1.03	1.57
Median of number of tested covers	1	1	1
Average time	1.9 sec	2.0 sec	2.5 sec
Success rate	100 %	100 %	100 %

Also, we noticed that often an appropriate cover (a cover defining a consistent system (3)) is smaller than most other covers produced by our algorithm. Furthermore, for covers of the same size an appropriate cover often has smaller value of

|{i:there exists an j such that ⁢Pi⁢j∈C}|⋅|{j:there exists an i such that ⁢Pi⁢j∈C}|

than others. Therefore, to speed up computations, we sort the covers using these heuristic criteria. This strategy works very well, as shown in Table 2, on average we have to test only one or two covers to find a solution.

Finally, to determine if a system (3) is consistent for a particular cover C, we use the simplex method, see [2].

The described attacks were implemented in GAP [8]. The implementation can be found in [4]. Our tests were run on Intel Core i3 1.50 GHz computer with 4 GB of RAM, Ubuntu 14.04, GAP 4.7. We generated 100 random instances for every set of parameters presented in the tables.

4 Conclusion

The protocol described in [3, Section 2] is not secure when used with the proposed parameter values. It is not clear how to modify key generation to provide a sufficient level of security. We encourage an interested reader to use our code [4] and perform their computational experiments over the tropical algebra.

Communicated by Spyros Magliveras

Funding source: Russian Foundation for Basic Research

Award Identifier / Grant number: 14-01-00068

Funding source: National Science Foundation

Award Identifier / Grant number: DMS-1318716

Funding statement: The first author has been partially supported by RFBR, project No. 14-01-00068. The second author has been partially supported by NSF grant DMS-1318716.

References

[1] P. Butkovič, Max-linear Systems: Theory and Algorithms, Springer Monogr. Math., Springer, London, 2010. 10.1007/978-1-84996-299-5Search in Google Scholar

[2] T. H. Cormen, C. E. Leiserson, R. L. Rivest and C. Stein, Introduction to Algorithms, 3rd ed., MIT Press, Cambridge, MA, 2009. Search in Google Scholar

[3] D. Grigoriev and V. Shpilrain, Tropical cryptography, Comm. Algebra 42 (2014), no. 6, 2624–2632. 10.1080/00927872.2013.766827Search in Google Scholar

[4] M. Kotov and A. Ushakov, Implementation of FBA, available at https://github.com/mkotov/polycyclic. Search in Google Scholar

[5] C. Mullan, Cryptanalysing variants of Stickel’s key agreement scheme, J. Math. Cryptol. 4 (2011), no. 4, 365–373. 10.1515/jmc.2011.003Search in Google Scholar

[6] A. Myasnikov, V. Shpilrain And A. Ushakov, Non-Commutative Cryptography and Complexity of Group-Theoretic Problems, Math. Surveys Monogr. 177, American Mathematical Society, Providence, 2011, 10.1090/surv/177Search in Google Scholar

[7] V. Shpilrain, Cryptanalysis of Stickel’s key exchange scheme, Computer Science in Russia – CSR 2008, Lecture Notes in Comput. Sci. 5010, Springer, Berlin (2008), 283–288. 10.1007/978-3-540-79709-8_29Search in Google Scholar

[8] The GAP Group, GAP – Groups, Algorithms, and Programming, Version 4.7.7, 2015, http://www.gap-system.org. Search in Google Scholar

Received: 2016-11-14

Revised: 2018-05-16

Accepted: 2018-06-26

Published Online: 2018-07-07

Published in Print: 2018-09-01

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.