Cryptanalysis of Kowada-Machado key exchange protocol

A non-interactive key exchange (NIKE) protocol allows N parties who know each other's public keys to agree on a symmetric shared key without requiring any interaction. A classic example of such a protocol for N = 2 is the Diffie-Hellman key exchange. Recently, some techniques were proposed to obtain a NIKE protocol for N parties; however, it is still considered an open problem, since the security of these protocols has yet to be confirmed. In a recent work, Kowada and Machado [1] proposed a protocol that solves the NIKE problem for N parties. However, this work found security problems in the proposed solution and implemented an efficient attack on their protocol, demonstrating that their key-exchange scheme is insecure.

Keywords—Key exchange, Cryptography, Cryptanalysis.


I. INTRODUCTION
Key exchange schemes are very important in cryptography.
A non-interactive key exchange (NIKE) protocol is designed to allow N parties to agree on a shared secret without requiring any interaction. Usually, N parties publish their public keys and then agree on a shared key k that is secret from any eavesdropper who only sees the public keys.
In 1976, Diffie and Hellman [2] revolutionized the field with a non-interactive key exchange protocol (NIKE) for 2 parties (N = 2). Since then, several other schemes were proposed for N = 2 using different techniques such as Elliptic Curves [3] and El-Gamal [4]. In 2004, Joux [5] was the first author who solved the problem for N = 3 using bilinear maps.
The development of NIKE protocols for an arbitrary number of parties N has been a research topic in cryptography for several years, and some of the leading researchers in the area have tried to solve this problem.
In 2013, Coron et al. [6] introduced the first implementation of a key exchange for N parties using multilinear maps and lattices, which requires an initial setup between all parties. In 2017, Boneh et al. [7] used indistinguishability obfuscation to propose the first technique that seems to solve the NIKE problem for N parties.
In this context, Kowada and Machado [1] proposed a new protocol to solve the NIKE problem for N parties. Unfortunately, as this paper will show, their scheme is insecure as

This paper is organized as follows: Section II presents the Kowada-Machado (KM) protocol. Section III presents some number theory results used in the construction of the attack. Section IV describes the proposed attack, presents an actual implementation and gives practical results. Finally, Section V presents the conclusions.

II. KOWADA-MACHADO KEY EXCHANGE
Kowada and Machado [1] proposed a NIKE protocol involving N parties. The idea is similar to the Diffie-Hellman protocol [2]. Namely, it uses exponentiation in a finite field and relies on the difficulty of the discrete logarithm problem. The difference is that the exponent is a quadratic function inspired by Diophantine equations [8].
Basically, the public parameters α, β ∈ N define the quadratic equation for all parties, δ ∈ N is a dimension parameter and y ∈ N is a base. All these parameters are generated by one of the N parties or by a trusted third party. Considering ϕ(x) as Euler's phi function and (x, y) as the greatest common divisor (GCD) of x and y, the Kowada-Machado protocol is described in Algorithm 1.

Algorithm 1 Key establishment
• Key generation for each party
1) Each party i chooses a pair $(x_{a_i}, x_{b_i})$ such that $(x_{b_i}, \alpha) = 1$. This defines the private key.
2) Each party calculates $\gamma_i = \alpha x_{a_i}^2 + \beta x_{b_i}$.
3) Each party publishes its public key $\gamma_i$.
• Computing a shared secret
1) Each party i computes a shared secret using his private key $x_{b_i}$ and multiplying by the public keys of all other parties:

All parties can calculate the same secret using the fact that $y^{\alpha x} \equiv 1 \bmod \delta$ since $\phi(\delta) \mid \alpha$.

In their paper [1], the authors also define two ways of generating the public parameters. However, we will not address that here since it does not affect the proposed attack.

III. MODULAR EQUATIONS
In this section, we present some number theory results that we will use as the basis of the attack. The interested reader can find more details in [9] or [10].
Consider the linear equation

Let d = (a, m). It is known that if d | b, then this equation has d incongruent solutions modulo m. Additionally, given a solution to Eq. (1), it is possible to compute the remaining d − 1 solutions from the first. Indeed, we have the following:

Lemma 3.1: Let $x_0$ be a solution to Eq. (1). Then

is also a solution of Eq. (1) for all i = 0, ..., d − 1.

Proof: By definition, we have $a x_0 \equiv b \bmod m$. Then, for each i ∈ {0, ..., d − 1}, we have

Since d | a, it follows that $a \frac{m}{d} i$ is a multiple of m and therefore

Under the hypothesis of Lemma 3.1, it is said that $x_0$ is a fundamental solution of Eq. (1). Next, we will show how to find a fundamental solution to Eq. (1). To do so, consider the following lemmas:

Proof: We can write a = kϕ(m) + b, for some integer k. Hence, from Euler's Theorem,

IV. ATTACK
This section will define the proposed attack. Additionally, practical results are presented.
Note that the attacker has access to the public keys $\gamma_i$ for i = 1, ..., N and can compute

From now on, we will consider that d = (β, ϕ(δ)).

Lemma 4.1: The solution to the system

has the form

where $j_i = 0, 1, \ldots, d - 1$ for all i ∈ {1, ..., N} and $x_{0i}$ is a fundamental solution of $\sigma_i \equiv \beta x_{b_i} \bmod \phi(\delta)$.
Proof: It follows directly from Lemma 3.1.

Lemma 4.2: The exponent is invariant under the choice of the fundamental solution.
Proof: Let $x_{0i} + \frac{\phi(\delta)}{d} j_i$ be any solution of $\sigma_i \equiv \beta x_{b_i} \bmod \phi(\delta)$. Then

That is,

Note that since d | β and d | ϕ(δ), all terms except the first are multiples of ϕ(δ). Therefore, it follows that

This result is the cryptanalysis of the KM key exchange protocol, since the attacker can calculate the shared secret from the public parameters and keys in a very efficient way. In the next section we will define the attack specifically as an algorithm and will show an actual implementation and its performance.

B. Algorithm
Algorithm 2 details the proposed algorithm for the cryptanalysis of the KM protocol. The attack is based on the results of Lemmas 4.1 and 4.2. The algorithm is extremely efficient since it only uses basic modular operations, the Euclidean algorithm to compute d, and the Extended Euclidean algorithm to compute I.

Algorithm 2 Cryptanalysis of KM protocol
• Definitions
1) The attacker has access to δ, α, β, since they are all public parameters.
2) The attacker has access to the public key of each one of the N parties, $\gamma_1, \ldots, \gamma_N$.
• Finding the fundamental solutions
1) Compute $\sigma_i = \gamma_i \bmod \phi(\delta)$ for i = 1, ..., N, obtaining the system

Compute the fundamental solutions from

The attacker computes

2) Calculate the shared secret $k = y^S \bmod \delta$.

The attack was implemented using the RELIC toolkit [11], a cryptographic library with emphasis on efficiency and flexibility. The source code is given in Appendix A.

C. Practical example
To illustrate the attack we will use the example provided in the original work [1]. Let δ = 33, α = 20, β = 455, y = 10 and ϕ(δ) = 20. Suppose there are two parties with public keys $\gamma_1 = 20755$ and $\gamma_2 = 12885$. In their work, the authors compute the shared secret as k = 10. Now, we will show how the attacker can compute this shared secret using Algorithm 2.
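The linear-congruence results of Section III and Algorithm 2, carried through on this example as an added Python implementation (not the authors' RELIC code from Appendix A) that also handles N > 2 parties. It assumes, from the description of Algorithm 1 and Lemmas 4.1 and 4.2, that an honest party's secret is y raised to its own $x_{b_i}$ times the product of the other public keys, so the attacker's exponent is $\beta^{N-1} \prod x_{b_i} \bmod \phi(\delta)$; the private keys (14, 37) and (24, 3) used below are constructed by the editor to match the example's public keys and are not given in the paper.

```python
from itertools import product
from math import gcd, prod


def phi(n):
    # Euler's totient by trial division; adequate for the paper's toy parameters.
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    return result - result // m if m > 1 else result

def fundamental_solution(a, b, m):
    # Section III: for a*x = b (mod m) with d = gcd(a, m) and d | b, divide by d and
    # invert a/d modulo m/d (Lemma 3.3); the d solutions are x_0 + (m/d)*i (Lemma 3.1).
    d = gcd(a, m)
    if b % d:
        raise ValueError("no solution: gcd(a, m) does not divide b")
    return (b // d) * pow(a // d, -1, m // d) % (m // d)

def km_shared_secret(delta, y, x_b, other_gammas):
    # Assumed honest computation of Algorithm 1: y^(x_bi * product of the other gamma_j) mod delta.
    return pow(y, x_b * prod(other_gammas), delta)

def km_attack(delta, beta, y, gammas):
    # Algorithm 2, from public data only. sigma_i = gamma_i mod phi(delta) equals
    # beta*x_bi mod phi(delta), since phi(delta) | alpha removes the alpha*x_ai^2 term.
    ph = phi(delta)
    x0 = [fundamental_solution(beta, g % ph, ph) for g in gammas]
    # Assumed exponent beta^(N-1) * prod(x_bi) mod phi(delta); by Lemma 4.2 the
    # fundamental solutions give the same value as the parties' true x_bi.
    e = pow(beta, len(gammas) - 1, ph) * prod(x0) % ph
    return pow(y, e, delta)

def exponent_is_invariant(delta, beta, gammas):
    # Lemma 4.2 check: every choice of j_i in 0..d-1 yields the same exponent mod phi(delta).
    ph = phi(delta)
    d = gcd(beta, ph)
    x0 = [fundamental_solution(beta, g % ph, ph) for g in gammas]
    exps = set()
    for js in product(range(d), repeat=len(gammas)):
        xs = [x + ph // d * j for x, j in zip(x0, js)]
        exps.add(pow(beta, len(gammas) - 1, ph) * prod(xs) % ph)
    return len(exps) == 1

# Paper's example: delta=33, alpha=20, beta=455, y=10, public keys 20755 and 12885.
# km_attack(33, 455, 10, [20755, 12885]) returns 10, the secret reported by the authors.
```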

D. Computational complexity
The proposed attack was tested on a single machine against large keys. It was verified that the attack is extremely fast; the results are presented in Table I. Key sizes of 1024, 2048 and 4096 bits were used because these are common values for the DH protocol, for which solving the discrete logarithm problem as an attack is infeasible, as discussed in [1].
Note that the attack is extremely fast, demanding less than 1 second even for keys of 4096 bits. In fact, the algorithm only uses the Euclidean algorithm, which is known to have polynomial complexity [12]. Figure 1 shows that the proposed algorithm has polynomial complexity in the number of bits of the key.

V. CONCLUSION
In this work we presented the cryptanalysis of the Kowada-Machado key exchange protocol. Although the KM scheme solves the non-interactive key exchange problem for N parties, it does so in an insecure way.
Using the proposed attack and its implementation it is possible to recover the shared secret based only on the public keys in a very efficient way.Effectively, the attack can recover the shared secret in a few seconds even for keys of a very large size.

Lemma 3.2:
1. Let $x_0$ be a solution of the equation a

Thus, $x_0$ is a solution of Eq. (1).
Proof: By definition, there is an integer k such that a

Thus, $a x_0 = b + km$ and therefore $x_0$ is a solution of ax ≡ b mod m.
Lemma 3.3: Since d = (m, a), it follows that $\left(\frac{m}{d}, \frac{a}{d}\right) =$

Consequently, $\frac{a}{d}$ has an inverse modulo $\frac{m}{d}$. A straightforward calculation concludes the proof. We still need another important result that defines a way to work with exponents of modular equations.
Lemma 3.4: If a ≡ b mod ϕ(m), then $x^a \equiv x^b \bmod m$.

Figure 1. The complexity of the attack. In black, the execution times obtained for different key sizes. In red, the polynomial $y = 1.6 \cdot 10^{-12} x^3 + 3.6 \cdot 10^{-10} x^2 + 4.2 \cdot 10^{-6} x - 7.9 \cdot 10^{-4}$, showing that the complexity is polynomial in the number of bits.