Matrix Analogues of the Diffie-Hellman Protocol Alexsander Beletsky1, Anatoly Beletsky1 and Roman Kandyba1 1 Department of Electronics National Aviation University of Kiev, 1, av. Cosmonaut Komarov, 03680, Kiev, Ukraine alexander.beletsky@gmail.com, abelnau@ukr.net, romankandyba@mail.ru Abstract. This paper presents a comparative analysis of several matrix analogs of the Diffie-Hellman algorithm, namely, Yerosh-Skuratov and Megrelishvili protocols, as well as alternative protocols based on irreducible polynomials and primitive Galois or Fibonacci matrices. Binary matrix is primitive, if the se- quence of its powers in the ring of residues mod 2 forms a sequence of maxi- mum length ( m  sequence). Offer alternative protocols and discuss ways to improve the reliability of their. Keywords. Encryption key exchange protocol, the irreducible polynomials, a primitive element of Galois field, primitive binary matrix Key terms. Research, CryptographyTheory, MathematicalModelling 1 Introduction The Diffie-Hellman algorithm (DH-algorithm) [1] assumes that two subscribers – Alice and Bob both know the public keys p and q , where p is a large prime num- ber, and q is a primitive root. Subscriber Alice generates a random big number a , computes A  q a mod p and sends it to Bob. In turn, Bob generates a random big number b , computes B  qb mod p and sends it to Alice. Then subscriber Alice raises number B received from Bob to her random power a and calculates Ka  B a mod p  qba mod p . Subscriber Bob acts similarly, calculating b ab Kb  A mod p  q mod p . It is obvious that both parties receive the same number K because K a  K b . Then Alice and Bob can use this number K as a secret key, e.g. for symmetric encryption because a foe who intercepts numbers A and B faces with virtually unsolvable (in a reasonable time) the problem of calculation K , under the condition, that numbers p , a and b were chosen big enough. Matrix Analogues of the Diffie-Hellman Protocol 353 2 Yerosh-Skuratov Protocol In order to form a secret encryption key in the public network by subscribers Alice and Bob, the authors [2] propose to use DH protocol in the cyclic group of matrices M , and the matrix M is considered as public information. It is assumed that Alice generates a random index x , calculates the matrix M x and sends it to Bob. In turn, Bob generates a random index y , calculates the matrix M y and sends it to Alice. Then both subscribers raise the matrices obtained from a partner in their secret powers and calculate the sheared matrix (encryption key) K  M xy  M yx . The matrix M must be a high-order matrix (at least 100); so, the authors assert (by the way, without a proof), cracking key has invincible complexity. However, in [3] it has been proved, that Yerosh-Skuratov protocol can easily be cracked based on the generalized Chinese remainder theorem. 3 Megrelishvili Protocol The essence of the protocol [4] is following. Binary initialization vector V and primi- tive matrix M of order n are accepted as a public key. Subscriber Alice generates a random index x , calculates the vector Va  V  M x and sends it to Bob. In turn, Bob generates a random index y , calculates the vector Vb  V  M y and sends it to Alice. Then Alice computes the key K a  Vb  M x  V  M y  x , and Bob computes the key Kb  Va  M y  V  M x  y . It is quite obvious that using such data exchange protocol, both parties receive the same private key K , because K a  K b  K . The algorithm of generating the matrices in Megrelishvili protocol is fairly simple and can be explained by the following calculation scheme 1 0 1 0 1 1 0 1 0 1   M 1  1, M 3  1 M1 0 , M 5  0 М3 1  ,     (1)  0 1 0  1 0  0 1 0 1 0  As it follows from (1), the matrices M i , i  1, 2,  , are matrices of odd order only that can cause some difficulties when they are used in cryptography. This shortcom- ing was remediated by replacing matrices of type (1) by primitive matrices of an arbi- trary order that is synthesized based on the so-called generalized Gray transforms [5]. The essence of these transforms is explained below. The matrix form of direct (for simplicity denoted by number 2) and inverse (de- noted by number 3) classical Gray transforms (codes) [6] can be presented in the form 354 A. Beletsky, A. Beletsky and R. Kandyba 1 1 0 0 1 1 1 1 0 1 1 0 0 1 1 1 (2) 2 :  ; 3 :  ; 0 0 1 1 0 0 1 1     0 0 0 1 0 0 0 1 where as an example, the order of the matrix n is set n  4 . Matrices (2), which we call left-sided Gray transform matrices, are in correspon- dence with the right-sided transform matrix defined by the following relations: 4 : 121  2T ; 5 : 131  3T , (3) where 0 0 0 1 0 0 1 0 (4) 1 :   0 1 0 0   1 0 0 0 is the matrix (operator) of the inverse permutation. The set of operators (2) – (4), supplemented by the operator 0, or e (identity ma- trix), forms a complete set of simple Gray operators. From the elements of simple Gray operators, one can form so-called composed Gray codes (CGC) generated by the product of simple (elementary) Gray codes. The simplest examples of CGC 121 and 131 can be seen in (3). Both simple and composed Gray codes have a number of re- markable properties. Firstly, the corresponding transformation matrices are nonde- generate and, therefore, are reversible. Secondly, there are simple inversing algo- rithms for CGC. And, finally, there are “crypto-order” CGC which have the property of primitiveness. Examples of such codes are given in Tab. 1. Table 1. Gray Composite codes delivering binary matrices property of primitiveness The order of the matrix (n) 32 64 128 256 2244424 22533435 2425535 22533435 2442224 22534335 2433534 22534335 12242253 24334225 2435334 24334225 12242443 25224334 22524224 25224334 12252242 222524424 22533334 2222535224 Suppose M is a primitive binary matrix generated by the CGC G . With respect to such matrices, the following assertion can be easily proved by the test method. Assertion. The primitiveness of matrices M is invariant to the group of linear transformations  of the CGC G generating matrix M and transformations of similarity  over these matrices. Matrix Analogues of the Diffie-Hellman Protocol 355 The   group includes the following operators: cyclical shift, assess statement, inversion and conjugation as well as arbitrary combinations of these operators. Trans- formation  forms matrix M p , which is similar to M and determined by the rela- tion M p = P  M  P 1 , where P is a permutation matrix. 4 Alternative Protocols This section proposes two options for alternative matrix protocols of secret key ex- change on the open channel of communications. The procedure for the formation of the encryption key K in the first version of the protocol is based on the use of two public and one private key for both subscribers. As a public key a binary initialization vector V of n order and any irreducible polynomial (IP) n of n order are chosen. Private keys are primitive (forming) elements  of the Galois field GF (2n ) over the IP n , from which the subscribers (Alisa and Bob) form the primitive secret trans- ( ) formation matrices Gn a and G( b ) respectively. The element  of the field n GF (2n ) is primitive over IP n , if the minimum rate e , at which (e  1) mod  assumes the value e  2 n  1 . Matrix G( n ) we call Galois matrices. The synthesis of algorithm for such matrices is explained on a concrete example. Let’s IP 8  100101101 , and the generating element (GE) of subscriber Alisa a  111 . We obtain 1 1 1 1 0 1 1 1 1 1 1 0 1 1 0 1   1 1 1 0 0 0 0 0  . 0 1 1 1 0 0 0 0 A  Ga   0 0 1 1 1 0 0 0   0 0 0 1 1 1 0 0 (5) 0 0 0 0 1 1 1 0    0 0 0 0 0 1 1 1  According to (5), the procedure of filling in the matrix Ga is carried out under the following scheme. First, the GE a is arranged in the bottom row of the matrix. The elements of this row in the left from the GE elements are filled with zeros. Subse- quent rows of the matrix (in the direction from bottom to top) are produced by a shift of previous lines. If left element of shifted line is 0, then the cyclical shift by one bit to the left (circular scrolling clockwise). In the case where the left element of shifted line is 1, the conventional shift of the line on one bit to the left and 0 is written to the vacant right element in line. Digit capacity of these lines is one bit more than the or- der of the matrix. The vectors corresponding to these lines are given to the residue 356 A. Beletsky, A. Beletsky and R. Kandyba modulo IP n that returns them the capacity, which coincides with the order of the matrix n . Subscriber Bob forms similarly the Galois matrix B  Gb using his primi- tive element b . The introduced Galois matrices have some interesting properties. First, the matrix product is commutative, i.e. A  B  B  A . At the same time, secondly, if at least one of the GE is not a primitive of the IP, the commutative property of matrices is lost. Based on the above properties of Galois matrices a key exchange protocol was pro- posed. We consider that initialization vector V and the IP  are known. Alice chooses a secret primitive over  GE a , forms a Galois matrix A , calculates the vector Va  V  A and sends it to Bob. In turn, the subscriber Bob selects a primitive GE b , forms a matrix B that calculates the vector Vb  V  B and sends it to Alice. After that, both parties multiply vectors obtained from the partner, in own secret Galois matrix. Thus, a shared secret key K will be formed by the fact that the product of primitive Galois matrices over the same IP  is commutative, and this implies the identity K a  Vb  A  V  B  A  K b  Va  B  V  A  B . Instead of Galois matrices G , Fibonacci matrices F can be used in the protocol with the same success. Fibonacci matrices are associated with Galois matrices by equation  F   G, or F = G  ; G  F  , where   means the operator of right transposition, i.e. transposition with respect to the auxiliary diagonal matrix. In the second alternative embodiment of the protocol the secret key K is com- puted in two rounds. In the first round, which repeats the above-considered first ver- sion of the protocol, a common to both subscribers secret binary vector of n  th or- der V p is formed. On the basis of this vector, Alice and Bob compute the common permutation matrix P . One can propose different ways of constructing matrices P . Let us consider one of them. Let’s n  8 and N is the decimal equivalent of the vec- tor V p . The task is to create permutation matrix P8 of order eight for value N . Choose one or another way of numbering elements of matrices P8 from 0 to 63. Cal- culate the value n8  N mod 64 and write 1 in that element of the matrix, whose number is equal n8 . After that, delete from the matrix P8 the row and column, which contains 1. We obtain a matrix P7 of 7-th order, whose elements are numbered from 0 to 48. Find the value n7  N mod 49 , which is determined by the location 1 of the matrix P7 and, consequently, in the matrix P8 . Following the proposed method, one can simply construct a permutation matrix P of any order. Let proceed to the second variant of the encryption keys protocol. This protocol uses two public keys, which are the initialization vector V , and the irreducible poly- Matrix Analogues of the Diffie-Hellman Protocol 357 nomial  , and also two private keys. These keys are generated by Alice and Bob as a random primitive over IP  Gees  and  . The protocol runs in two rounds. In the first round based on public keys V ,  and secret GE  network operators calculate the total permutation matrix P . The second round is performed in the following or- der. Alice chooses a primitive over  GE a , forms Galois matrix A , then similar matrix Ap  P  A  P 1 , computes a vector Va  V  Ap , and sends it to Bob. In turn, Bob chooses a primitive over  GE b , forms Galois matrix B , then similar ma- trix B p  P  B  P 1 , computes a vector Vb  V  B p and sends it to Alice. After that, both parties multiply vectors obtained from partners on their secret similar Galois matrix. Thus, the shared key K will be generated due to the fact that the matrices Ap and B p maintain the properties of primitiveness and commutatively of primary ma- trices A and B , respectively. 5 Protocol of Vagus Keys One of the major drawbacks of alternative algorithms key generation algorithms for open key cipher infrastructure, in particular the mentioned above the way of synthesis Galois matrix (by the diagonal fill method), is that it could be easily compromised. To prove that, let's see the vector Va  V  G (fn a ) , (6) created by Alice. By the theory of polynomials of one variable x , we know that product of any polynomial n  x  power of n by x is equivalently either simple shift of polynomial for one bit left or incrementing the power of polynomial, x  n  x   n 1  x  . (7) Taking formula (7), let's represent the Galois matrix G (fn a ) the power of n by,  x n 1     x n 1   n2   n2  x  x  G (f  ) (m od f n )     (m od f )       E   , (8) n   n     x   x          1  where E  the unit matrix. From formulas (6) and (8) we can get, 358 A. Beletsky, A. Beletsky and R. Kandyba Va  V  a (mod f n ) , (9) where all parts are known, except a . Solving the equation (9), we found: a  Va V 1  mod f n  . (10) For example, let's use the matrix G (fn a ) , given by expression (5), where n  8 , a  101101 , f8  101001101 , so f8  is public, a  is private keys of protocol. As initialization vector we choose V  11010010 , that corresponds to invert by modulus f8 vector V 1  110010 . By formula (9) we get Va  10111111 . Putting the Va and V 1 is the right side of expression (10) and taking modulus f8 of vectors multiplica- tion results, enemy (Eva) is getting private key a of Alice. The same way, Eva could found secret key b of Bob. After secret keys a and b are found it's trivial to calculate secret key K . The security of alternative protocols could be increased up to security level of algo- rithms based on problem of factorization of modular multiplication of big numbers if we assume that there is secret parameter  , both known to Bob and Alice. The modification of protocol [6] is the be following. Assume, there are authorized subscribers that have secret parameter  as binary vector of n  order. Parameter  could be transported from Alice to Bon (or otherwise), e.g. by RSA protocol. Alice is generating random of n  order number a and computing generating element a  a    mod f n  , (11) by means of generating element Alice is forming Galois matrix G f a  , calculating  n vector Va  V  G (fn a ) and sends it to Bob. In the same way, Bob send to Alice vector Vb  V  G (fb ) , where b  b    mod f n  . n As it shown above, generating elements a and b could be easily computed, so authorized subscribers Alice and Bob, but not Eva, could calculate secret parameter  of partner. As example, by formula (11) Bob calculates a  a  1  mod f n  , that gives him and Alice ability to calculate secret key K  a  b  mod f n  . Key K as well as any function of it, could be taken as a secret parameter   K for session key generation for public key cipher channels. We call that way of key generation – protocol (algorithm) of vagus keys. Vagus keys algorithm could be used in both motioned above protocols. The major benefit of vagus key generation algorithm is protection from "man in a middle" type of attack. It's been archived by including in Galois matrices key generation elements of secret element  , known only by Bob and Alice. In case of secret element  is changed Matrix Analogues of the Diffie-Hellman Protocol 359 by element e of Eva, makes it impossible to Eva to calculate parameters a , b as well as general cipher key K . 6 Conclusions The article analyzes the known matrix algorithms for exchanging encryption keys between subscribers of a network of open communication channels. The algorithms are based on the modified asymmetric Diffie-Hellman protocol. The essence of the modification is reduced to replacing the large prime numbers of Diffie-Hellman algo- rithm by assurance nondegenerate primitive binary matrices of high order. Methods of synthesis of these matrices are proposed based on both the generalized Gray codes, and irreducible polynomials. New key exchange matrix protocols have been devel- oped. The protocols developed are superior for cryptographic strength to known cryp- tographic protocols, particularly Yerosh-Skuratov and Megrelishvili protocols de- scribed in this paper. The proposed variants of vector-matrix protocols for exchanging by cryptographic keys on open communication channels have a good prospect to be applied for sym- metric encryption in computer networks protected from the substitution of data, pro- viding the necessary level of protection of private keys from unauthorized access. These protocols can make a strong competition to more resource-intensive RSA pro- tocol. References 1. Diffie, W., Hellman, M. E.: New Directions in Cryptography.IEEE Transactions on Infor- mation Theory, IT-22(6), 644–654 (1976) 2. Eros, I. L., Skuratov, V. V.: Addressing Message Transmitting Using Matrices Over GF (2). Problems of Information Security. Computer Systems, 1, 72–78 (2004) (In Russian) 3. Rostovtsev, A. G.: On the Matrix Encryption (Criticism Yerosh-Skuratov Cryptosystem), http: www.ssl.stu.neva.ru/psw/crypto/rostovtsev/Erosh_Skuratov.pdf (In Russian) 4. Megrelishvili, R. P., Chelidze, M. A., Besiashvili, G. M.: Unidirectional Matrix Function - High-Speed Diffie – Hellman’s Analog. In: Proc. 7-th Int. Conf. Іnternet - Education - Sci- ence 2010. VNTU, Vіnnitsya, 341–344 (2010) (In Russian) 5. Beletsky, A. Ja., Beletsky, A. A., Beletsky, E. A.: Gray Transformations.V.1. Fundamen- tals of the theory. V. 2. Applied aspects. NAU Publishing House, Kiev (2007) (In Russian) 6. Beletsky, A. Y., Beletsky, A. A.: Synthesis of Primitive Matrices over a Finite Galois Fields and their Applications. Information Technology in Education: Collected Works, 13. Kherson: KSU, 23–43 (2012) (In Russian)