Matrix power function (MPF) was first introduced in late 2000’s. This function proved to be useful for application in symmetric and asymmetric cryptography, since all actions are performed with small integers. This means that no additional co-processors have to be used to perform actions with large elements as opposed to RSA encryption or elliptic curves cryptography. Examples of these protocols can be found in Sakalauskas and Luksys (2012), Sakalauskas et al. (2008), Mihalkovich and Sakalauskas (2012), Sakalauskas and Mihalkovich (2014). The constructed protocols belong to non-commuting cryptography, which currently is of special interest to researchers. However, to our knowledge none of the protocols of this branch have been proven to be based on candidate one-way functions relying on NP-complete problems.

Formally, MPF can be defined as a function of matrix Q as a parameter and matrices ( X , Y ) as function arguments parameters denoted by F Q ( X , Y ) and expressed by the formula F Q ( X , Y ) = E where E is a matrix representing the function value. In this paper we mainly focus on papers (Sakalauskas et al., 2008; Mihalkovich and Sakalauskas, 2012; Sakalauskas et al., 2017) and (Liu et al., 2016). In the latter paper authors present an attack based on linear algebra, which can be applied to protocols, presented in Sakalauskas et al. (2008) and Mihalkovich and Sakalauskas (2012) to break them in polynomial time. Our aim is to prove that the latest version of the so-called matrix power asymmetric cipher (MPAC), presented in Sakalauskas et al. (2017), is resistant to the declared attack, thus repairing the flaw found. Also, due to provable security of the latest version of MPAC protocol, we are making a conjecture that the recovery of decryption key is a hard problem.

Let us consider a commutative multiplicative semigroup S of multiplicative order t. Hence the powers of elements of S can be defined in a commutative numeric ring Z t , where addition and multiplication are defined modulo t. Previously in Sakalauskas et al. (2017) we defined this group as Sylow subgroup Γ p , n ⊂ Z n of prime multiplicative order p combined with an ideal J p , n given by J p , n = j Γ p , n , where j is an idempotent of the semigroup Z p . Due to prime multiplicative order p of the platform semigroup Γ p , n ♯ = Γ p , n ∪ J p , n , all the powers of elements of this algebraic structure are contained in a power field Z p .

We construct a semigroup of square m × m matrices with entries defined in semigroup Γ p , n and denote it by M Γ p , n . Analogously we construct a ring of square m × m matrices M Z n with entries of these matrices defined in numerical field Z p .

The two-sided MPF (or MPF for short) for a fixed parameter matrix M Γ p , n is denoted as follows: (1) X Q Y = E , where matrices X = { x i j } and Y = { y i j } are defined in a power ring M Z p and matrix Q = { q i j } is defined in a platform semigroup M Γ p , n . The entries of matrix e = { e i j } are calculated in the following way: (2) e i j = ∏ k = 1 m ∏ l = 1 m q k l x i k y l j .

We will refer to matrices X and Y as matrix powers or power matrices, Q as a base matrix and E as a matrix power value.

The following main properties of MPF were presented and proven in Sakalauskas and Luksys (2012): (3) ( X Q ) Y = X ( Q Y ) = X Q Y , (4) X ( U Q V ) Y = ( X U ) Q ( V Y ) = X U Q V Y .

The idea of using MPF to perform asymmetric key exchange was initially proposed in Sakalauskas et al. (2008). The suggested protocol resembles a famous approach of Diffie and Hellman (1976).

According to the initial idea, two protocol parties, called Alice and Bob, agree on the public platform semigroup Z p hence implying the power ring Z p − 1 . Both parties also agree on two sets of commuting matrices ⟨ L ⟩ ⊂ M Z p and ⟨ R ⟩ ⊂ M Z p generated by matrices L and R respectively. Furthermore the base matrix Q ∈ M Z p is generated and published online.

To perform asymmetric key exchange Alice and Bob select their private keys – pairs of matrices X ∈ ⟨ L ⟩ , Y ∈ ⟨ R ⟩ for Alice and U ∈ ⟨ L ⟩ , V ∈ ⟨ R ⟩ for Bob. Their public keys are obtained using MPF, i.e. A = X Q Y for Alice and B = U Q V for Bob. Hence we have: PrK A = ( X , Y ) , PuK A = A , PrK B = ( U , V ) , PuK B = B , where PrK and PuK denote private and public key respectively.

Upon exchanging their public keys, Alice and Bob can agree on a common key K calculated as follows: K = X B Y = ( X U ) Q ( V Y ) = ( U X ) Q ( Y V ) = U A V , since matrices X, U and Y, V commute.

However, it is shown in Liu et al. (2016), that this asymmetric key exchange is vulnerable to a certain linear algebra attack. Furthermore, their idea also holds in case of asymmetric encryption proposed in Mihalkovich and Sakalauskas (2012).

We now recall an improved version of MPAC presented in Sakalauskas et al. (2017).

Alice and Bob agree on the public platform semigroup Γ p , n ♯ hence implying the power field Z p . Furthermore, the base matrix Q ∈ M Γ p , n , as well as two non-commuting power matrices Z 1 , Z 2 ∈ M Z p , are generated and published publicly for both parties to use.

To perform MPAC protocol Alice generates her private and public data using the following steps: •

She randomly selects non-singular secret matrix X ∈ M Z p ;

To encrypt a secret message M Bob takes Alice’s public key PuK A and performs the following actions:

Upon receiving the encryptor ε Alice performs the following actions to decrypt Bob’s message:

The essential modification of the protocol suggested in Mihalkovich and Sakalauskas (2012) is an extra matrix Z 2 , which is published as a public parameter. In the next section we will show that this improvement of the initial protocol is enough to protect secret key from linear algebra cryptanalysis.

Let us briefly recall the attack presented in Liu et al. (2016).

To break the asymmetric key exchange proposed in Sakalauskas et al. (2008) an attacker has to solve the following system of equations: (5) X Q Y = A , X L = L X , Y R = R Y , where matrices Q, L, R, A are publicly known. Using convenient discrete logarithm function this system can be transformed to the following system: (6) ( l d g Q ) Y = X − 1 l d g A , X − 1 L = L X − 1 , Y R = R Y . The latter system can be solved in polynomial time if at least one of matrices X, Y has an inverse. The algorithm for solving system (6) uses Kronecker product of matrices and stacking matrices X, Y into one long vector. Hence an extra restriction on private matrices has to be added. Namely, matrices X, Y, U, V have to be singular.

Another way to avoid revealing of private keys in protocol (Sakalauskas et al., 2008) is to escape the discrete logarithm transformation of system (5). Hence the choice of the platform semigroup is vital to keep the protocol secure. As of now the platform group Γ p , n ♯ seems to be a safe choice to avoid linear algebra attack since, in general, there is no common generator of this semigroup, nor is this semigroup isomorphic to the Cartesian or free product of several cyclic semigroups. For more information on this semigroup the reader can turn to Sakalauskas et al. (2017), where the security of MPAC is considered.

In their paper (Liu et al., 2016) have also suggested an idea of using non-commuting (semi)group to define a platform structure, i.e. the entries of base matrix Q should not commute. While this idea is interesting, it has to be thoroughly studied.

Furthermore, in Mihalkovich and Sakalauskas (2012) we presented an asymmetric encryption protocol, which unfortunately is not resistant to linear algebra attack described in Liu et al. (2016). The key-point of this attack is eliminating matrix U by replacing it with its polynomial expression. Hence the following system of equations has to be solved: (7) Z X − 1 = X − 1 A , Z Y = Y B , ( l d g Q ) · ∑ i = 0 m − 1 a i Z i = X − 1 · ( l d g E ) .

The authors of the attack have shown that this can be done in polynomial time.

However, in Sakalauskas and Mihalkovich (2014) and Sakalauskas et al. (2017) we have improved our protocol by choosing a safer platform semigroup and adding an extra public parameter, namely a power matrix Z 2 . The latter improvement is useful since the matrix U can now be calculated using an abstract random function u ( x 1 , x 2 ). This comes from the structure of public data, namely matrices A 1 , A 2 , B 1 , B 2 of both parties of the protocol, since X Z 1 X − 1 = A 1 , X Z 2 X − 1 = A 2 , Y − 1 Z 1 Y = B 1 , Y − 1 Z 2 Y = B 2 and hence u ( B 1 , B 2 ) = Y − 1 u ( Z 1 , Z 2 ) Y = Y − 1 U Y , v ( A 1 , A 2 ) = X v ( Z 1 , Z 2 ) X − 1 = X V X − 1 regardless of functions u ( x 1 , x 2 ) and v ( x 1 , x 2 ) respectively. An important moment here is the arbitrary structure of these private functions, i.e. these functions can be obtained using any combination of additions and multiplications of scalar non-commuting variables x 1 , x 2 . For more clarity let us present several examples of these functions: x 1 x 2 + 2 x 2 x 1 ; 3 x 1 x 2 x 1 + x 1 + 2 x 2 + x 2 x 1 ; ( x 1 2 + 3 x 1 + 2 ) ( x 2 3 − 2 x 2 2 − 1 ) . As we can see the exact expressions of private functions are limited only by imagination of Alice and Bob and play no part in the execution of the MPAC protocol. However, on the attacker’s side this unknown structure of private functions is an obstacle, which keeps him from eliminating matrix U. Furthermore, the length of coefficients vector in now unbounded since the space of all possible private functions is infinite, i.e. functions like x 1 x 2 x 1 , x 2 x 1 x 2 , x 1 x 2 2 x 1 3 x 2 4 x 1 as well as their combinations are a legitimate choice.

Note that the suggestion of using singular matrices X, Y, U, V as private key is not valid in case of MPAC protocol due to conjugation constrains, i.e. matrices X and Y have to be invertible. Hence the security of MPAC protocol now relies on the correct choice of platform semigroup and the unknown structure of the private functions u ( x 1 , x 2 ) and v ( x 1 , x 2 ) respectively.

In our paper we presented an analysis of a certain attack suggested in Liu et al. (2016). While avoidance of this attack for asymmetric key exchange was suggested by authors themselves, the case of asymmetric encryption is more complicated. The essence of linear algebra attack on the early version of MPAC is elimination of the private matrix U due to its polynomial structure, which is publicly known.

We also analysed the resistance to this attack of improved version of Matrix Power Asymmetric Cipher (MPAC) suggested in Sakalauskas et al. (2017). Based on performed analysis we can see that the security of this protocol relies on the following facts:

So far we do not know the methods of the solution of systems defined by initial MPF equations, since they are not custom systems of algebraic equations. It is rather a system of power equations, where unknown variables are the powers of certain elements in semigroup. Furthermore, the unknown structure of private function is an extra factor, which has to be considered as well.