arxiv: v1 [cs.cr] 22 Oct 2018

Size: px

Start display at page:

Download "arxiv: v1 [cs.cr] 22 Oct 2018"

Edgar Wells
5 years ago
Views:

1 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv: v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek s not secure aganst the attack based on the lnear decomposton method The securty of the encrypton scheme n the Rososheks system s based on the mx of the conjugacy search problem and random salt We do not solve the conjugacy search problem and we are not lookng for the exact meanng of the salt The transported secret message n the system s recovered wthout computaton the secret parameters, that have been used for ts encrypton 1 Introducton The Basc Matrx Modular Cryptosystem BMMC s a publc key cryptosystem, whch was proposed by SK Rososhek n [1] Protocol usng BMMC was developed for the key exchange n [2] BMMC realzaton needs three matrx modular exponentatons for key generaton, three exponentatons under encrypton and two exponentatons under decrypton for every data block In [3], Rososhek proposed two dfferent modfcatons of BMMC We consder them as two versons of the Modfed Matrx Modular Cryptosystem MMMC The am of [3] was to decrease the number of exponentatons and consequently to accelerate the executon of encrypton algorthm The author of [3] proposed to determne the large abelan subgroup n general lnear group over the large resdue rng and to choose the sesson keys n ths subgroup, what wll be to gve the encrypton wthout exponentatons Below we consder one of the man protocols, proposed n [3] Inths paper, weshow that MMMC s vulnerableaganst theattack based on the lnear decomposton method nvented by the author n monograph[4] and papers[5], [6] wth A Myasnkov see also monograph[7] and developed by the author et al n the papers [8] - [11] In ths paper, we descrbe the attack to MMMC n general case and llustrate the effcently of ths attack on the example of the numercal realzaton of MMMC proposed by Rososhek n [3] The securty of the encrypton scheme n the Rososheks system s basedonthemxoftheconjugacy search problemandrandom salt Wedo not solve theconjugacy search problemandwe donot seek exact valueof the salt The transported secret message s recovered wthout computaton the secret parameters, that have been used for ts encrypton 1

2 2 VITALIĬ ROMAN KOV In [4] see also [5], [6] or [7], we have shown that n many systems and schemes of the algebrac cryptography, where the platform group G s a subset of a lnear space, we can effcently compute the secret message or shared key and hence to compromse the correspondng cryptographc system We elaborated a method, that s called the lnear decomposton method In some ponts ths method s smlar to the Tsaban s span method see [12] The lnear decomposton method can be appled f the platform s part of a fnte dmensonal lnear space V over a feld F, or n the modfed form a fnte generated module M over a commutatve rng K In the applcatons of ths method we construct a bass of the correspondng subspace W In fact, we don t need n a bass It s suffcent to take a lnear generatng set for W It s well known that f F s a fnte feld of order q and dmw = n, where n s very small wth respect to q, then n random vectors of W generate W wth hgh probablty More precsely, let F be a fnte feld F q,q = p r,p - prme, of orderq Thenthereareexactly q n dfferent n-vectors over F Suppose that we take vectors n random va the unform dstrbuton on W Let we choose n random vectors n W n sequence We compute a probablty to choose n lnearly ndependent vectors The frst of them s nontrval wth the probablty gn 1 q The second s ndependent wth frst n wth probablty qn q q, and so on tll qn q n 1 n q Hence ths probablty s n n 1 =0 q n q q n > 1 1/q n > 1 n/q IfweknowthatW hasadmensonless thannthecorrespondngprobablty to choose n random elements that generate W s obvously greater than 1 n/q Thus, wecan chooserandomlyelements w 1,,w n nw andtrytopresent the gven element w W as a lnear combnaton of these elements We can take more than n elements to ncrease the mentoned probablty Sure, we need to determne what s random n each specfc case Sometmes we can use ths approach for modules Below we ll gve the correspondng example Some proposed cryptographc schemes are such that a lnear generatng set for W can be easly extracted from the scheme settng For example, a commutatve subsemgroup G of M n Z can be proposed as follows Fx a matrxa M n Z, anddefneg := Z[a] := {pa : pt Z[t]}Wthrespect to matrx multplcaton G has the structure of abelan semgroup Then Alce chooses a matrx g Z[a] and sends to Bob vector hg, where h H s the chosen vector of the protocol Bob acts n the smlar way In the cryptanalyss we need to construct a lnear generatng set for some lnear space of the form vg = {vg : g G} where v H Then n vew of the Cayley- Hamlton theorem, the space vg s generated by vectors v,va,va 2,,va n 1 In a smlar two-sded verson where v s a n n-matrx wth rows n H, there s a generatng set {a va j :,j = 0,n 1}

3 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM3 2 Descrpton of MMMC As usual we suppose, that there are two correspondents, Alce and Bob, and that they use a non-secure net for ther communcatons A potental ntruder, Eve, can read all ther messages In [3], Rososhek proposed a cryptographc scheme and consdered ts a numercal varant We ll analyze the scheme and ths varant and show how the shared common key can be effcently computed wthout the secret parameters that has been used for the encrypton Assumptons Alce dong the followng: 1 pcks a par of random prme numbers q p and computes n = pq, then she determnes Z n g f 2 takes the obvously abelan subgroup G = { : g,f Z f g n and g 2 f 2 = 1} 3 pcks four random ntegers a,b,c,d Z n such that a 2 b 2 = 1 and c 2 d 2 = 1 4 composes two random matrces: a b 1 V = G and W = b a c d d c G 5 AlcedefnestwocommutngnnerautomorphsmsoftherngM 2 Z n : α : D V 1 DV,β : D W 1 DW for every matrx D M 2 Z n 6 Alce computes the followng automorphsms of the rng M 2 Z n : ψ = α 2 β,ϕ = αβ 2 7 Alce pcks a random nvertble matrx L GL 2 Z n such that L does not belong to the subgroup G 8 Alce publc key s n,ϕl,ψl 1, prvate key s V,W Algorthm Bob dong the followng: 1 presents the plantext m as a sequence of 2 2-matrces over resdue rng Z n : m 1 m 2 m n 2 for every m, = 1,2,,n, chooses a random matrx Y G 3 defnes for every = 1,2,,n, the automorphsms ξ : D Y 1 DY for every D M 2 Z n 4 computes for every = 1,2,,n matrces ξ ϕl,ξ ψl 1,m ξ ϕl 5 pcks for every = 1,2,,n random unts γ Z n salt and computes the cphertext: C = C 1 C 2 C n, C = C 1,C 2, where C 1 = γ 1 ξ ψl 1,C 2 = γ m ξ ϕl, = 1,2,,n

4 4 VITALIĬ ROMAN KOV Decrypton Alce dong the followng: 1 computes for every = 1,2,,n, usng her prvate key: D = α 1 βc 1 = α 1 βγ 1 ξ ψl 1 2 computes for every = 1,2,,n matrces: C 2 D = γ m ξ ϕld = m 3 restores the plantext m from the matrx sequence m 1,m 2,,m n 3 Cryptanalyss We are gong to show that every m can be recovered by any ntruder that based only on the publc data It s suffcent to show how we can recover one of the blocks m Denote m = m, C 1 = C 1,C 2 = C 2,ξ = ξ,γ = γ, = 1,2,,n Everybody can see the followng data: n,ϕl,ψl 1 and soϕl 1,ψL,C 1 = γ 1 ξψl 1,C 2 = γmξϕl It s suffcent to compute γ 1 ξϕl 1 to swap ψ to ϕ n C 1 Let G denotes the abelan subgoup of GL 2 Z n consstng of all matrces a b of the form where a b a 2 b 2 s nvertble n Z n Let W be the set of all lnear combnatons of all matrces of the form ζψl 1, n M 2 Z n, where ζ s a conjugaton by a matrx n G We clam that there exsts a set ζ 1 ψl 1,,ζ k ψl 1,ζ G, = 1,2,,kk 4, for whch every matrx n W s a lnear combnaton of these matrces over Z n Below we ll explan ths asserton For a rng R and an R-module M, the set E M s a bass for M f: E s a generatng set for M that s to say, every element of M s a fnte sum of elements of E multpled by coeffcents n R, and E s lnearly ndependent, that s, α 1 e 1 ++α k e k = 0 for e 1,,e k dstnct elements of E mples that α 1 = = α k = 0 A free module s a module wth a bass But not each module has a bass For any submodule V of the free module Z r n, where r N and n = pq, as above, we defne a noton of a quas-bass as a mnmal subset E of V such that every element of V s a fnte sum of elements of E multpled by coeffcents n Z n Now we prove that V has a quas-bass consstng of r elements and show how such quas-bass can be obtaned Let V p be the p-mage of V, e, a homomorphc mage of V modulo p and V q s the q-mage of V modulo q Then V p s a lnear space over Z p, and V q s a lnear space over Z q Let a 1,,a k be a bass of V p and b 1,,b l be a bass of V q Snce V p and V q are subspaces of Z r p and Zr q respectvely, k,l r Suppose that k l If k l we add to the set b 1,,b l k l zero elements and get b 1,,b k We can consder elements a and b j as r-tuples of components a j and b j that are wrtten as ntegers Then by the Chnese

5 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM5 remander theorem we can fnd e j N such that e j = a j mod p and e j = b j mod q, respectvely We do t for all and j As result we have a quas-bass E = {e 1,,e k } Indeed, two the mages v p V p and v q V q of an arbtrary element v V have two presentatons: v p = k α e and v q = =1 k β e, respectvely, =1 where all coeffcents are wrtten as natural numbers Agan, by the Chnese remander theorem we can fnd γ such that γ = α mod p and γ = β mod q for each = 1,,k Then v = k γ e =1 s a presentaton of v as a lnear combnaton of vectors of E over Z n Obvously the sze k s mnmal for a generatng set, thus E s quas-bass The just descrbed algorthm can beappled only n the case when p and q are known In other case we only know that there s a quas-bass consstng of k r elements Now we return to the consderng protocol We have M 2 Z n that s a free Z n -module of dmenson 4, and ts submodule W We have just proved that there s a quas-bass {ζ 1 ψl 1,,ζ k ψl 1,ζ G, = 1,2,,kk 4} of W We need not exactly n quas-bass but n some generatng set A set of four such elements chosen by the random process va unform dstrbuton generates W f and only f t generates W modulo p and q smultaneously The correspondng probabltes for n < p,q as t has been showed above exceed 1 n/p and 1 n/q respectvely It follows that the probablty to generate W exceeds 1 n/p1 n/q Suppose that we fnd a generatng set {ζ 1 ψl 1,,ζ 4 ψl 1,ζ G, = 1,,4} of W Then we compute a presentaton of the form 2 ϕl 1 = 4 α ζ ψl 1,α Z n =1 Then we change n the rght hand sde of 2 ψl 1 by C 1 : α ζ C 1 = γ 1 ξ α ζ ψl 1 = γ 1 ξϕl 1 =1 =1 Now we recover the message as 4 C 2 γ 1 ξϕl 1 = m

6 6 VITALIĬ ROMAN KOV 4 Example Now we consder the numercal Example 1 n [3] and gve a cryptanalyss Assumptons Alce dong the followng: 1 pcks the prmes p = 5,q = 7 and computes n = pq = 35 2 chooses four random ntegers n the modular rng Z 35 : 7,4,6,2 3 composes the random matrces V = ,W = computes detv = 33, detw = 32 and then computes detv 1 = 17, detw 1 =23 therefore V and W are unts n the matrx rng M 2 Z 35 5 defnes two automorphsms of the rng M 2 Z 35 : α : D V 1 DV,β : D W 1 DW for every matrx D M 2 Z 35 6 computes the followng automorphsms : ψ = α 2 β,ϕ = αβ 2 7 chooses the random matrx L GL 2 Z 35 : 1 2 L = 3 5 and computes matrx L 1 = computes matrces: ϕl = VW 2 1 LVW = 6 7 ψl 1 = V 2 W 1 L 1 V W = 9 Alce publc key s n = 35,ϕL = prvate key s V = Algorthm Bob dong the followng: ,,ψL = 6 2,W = 2 6,

7 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM7 1 presents the plantext as a matrx 11 2 m = M Z 35 2 pcks the random matrx and computes Y = Y 1 = G defnes automorphsm ξ of the rng M 2 Z 35 : ξ : D Y 1 DY for every D M 2 Z 35 3 computes matrces: ξϕl = Y ϕly = pcks random unt ξψl 1 = Y 1 ψl 1 Y = γ Z 35,γ = 9,γ 1 = 4, computes the cphertext C = C 1,C 2 : C 1 = γ 1 ξψl = C 2 = γmξϕl = Decrypton Alce dong the followng: 1 computes matrx z, usng her prvate key: 2 computes then z = α 1 βc 1 = C 2 z = Cryptanalyss Frstly we compute ϕl 1 = ϕl 1 = = m, By the way we can compute γ 1 2 Indeed, detψl 1 = 34, detc 1 = detψl 1 = 19, then γ 1 2 = 16

8 8 VITALIĬ ROMAN KOV We choose four random matrces of the form ζψl 1, where ζ G n fact four matrces wth smplest conjugators: e 1 = ψl =, e 2 = 1 =, e 3 = 12 =, e 4 = 23 = Then we are to solve the equaton namely: ϕl 1 = 4 α e, = = α α α α By drect computaton va the Gauss elmnaton process we obtan the unque soluton: α 1 = 7,α 2 = 0,α 3 = 1,α 4 = 28 We have = 7 Then we swap ψl = n the rght hand sde of the last equalty wth C 1 = and compute =

9 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM = At last we multply C 2 to the just computed matrx: = = m, and we succeeded References [1] Rososhek SK New practcal algebrac publc-key cryptosystem and some related algebrac and computatonal aspects Appled Mathematcs 2013 Vol 4, 7 P [2] Rososhek SK, Gorbunov ES Non-commutatve analogue of Dffe-Hellman protocol n matrx rng over the resdue rng Internatonal Journal of Computers and Technology 2013 Vol 11, 10 P Vol 5, 5 P Artcle no BJMCS [3] Rososhek SK Modfed Matrx Modular Cryptosystems Brtsh Journal of Mathematcs & Computer Scence 2015 Vol 5 P Artcle no BJMCS [4] Roman kov VA Algebrac cryptography Omsk, Omsk State Unversty, 2013, 135 p n Russan [5] Roman kov VA Cryptanalyss of some schemes applyng automorphsms Appled Dscrete Math, No 21, 2013, n Russan [6] Myasnkov A and Roman kov V A lnear decomposton attack Groups Complexty Cryptology, Vol 7, 2015, [7] Romankov VA Essays n algebra and cryptology Algebrac cryptanalyss Omsk Omsk State Unversty Publshng House, p [8] Roman kov VA and Menshov AV Cryptanalyss of Andrecut s publc key cryptosystem arxv math: v1 [mathgr], 6 Jul, 2015, 1 5 [9] Gornova MN, Kukna EG and Roman kov VA Cryptographc analyss of the autentfcaton protocol by Ushakov-Shplran, based on the bnary-twsted conjugacy problem Appled Dscrete Mathematcs, No 28, 2015, n Russan [10] Roman kov VA A polynomal tme algorthm for the brad double shelded publc key cryptosystems Bulletn of the Karaganda Unversty Mathematcs Seres, No 4 84, 2016, [11] Roman kov VA and Obzor AA General algebrac cryptographc key exchange scheme and ts cryptanalyss Appled Dscrete Math, No 37, 2017, n Russan [12] Ben-Zv A, Kalka A and Tsaban B Cryptanalyss va algebrac spans Cryptology eprnt Archve: Report 2014/041, 2014, 1 20 Insttute of Mathematcs and Informaton Technologes, Dostoevsky Omsk State Unversty E-mal address: romankov48@malru

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector