Cryptanalysis of “MAKE”

Abstract: Rahman and Shpilrain proposed a Diffie–Hellman style key exchange based on a semidirect product of $n \times n$-matrices over a finite field. We show that, using public information, an adversary can recover the agreed upon secret key by solving a system of $n^2$ linear equations.


Introduction
Ever since the invention in 1976 of the Diffie-Hellman key exchange [1] based on the multiplicative group of a finite field, researchers have investigated other groups and algebraic structures that can be used for similarly constructed key exchanges. A natural candidate was the general linear groups over the finite field $\mathbb{F}_q$ of $q$ elements. However, in 1997 Menezes and Wu [2] proved that the discrete log problem in the group $\mathrm{GL}(n, q)$ of invertible $n \times n$ matrices is not more difficult than the discrete log problem in $\mathbb{F}_{q^n}$; therefore, a Diffie-Hellman key exchange in $\mathrm{GL}(n, q)$ has no advantage over the original Diffie-Hellman construction.
Despite this result of Menezes and Wu, researchers have continued to look for ways to use matrix groups and semigroups for Diffie-Hellman style key exchange. Many of the specific constructions using such ideas have been broken, basically by exploiting an underlying linear structure. For example, Stickel's nonabelian key exchange [3] was cryptanalyzed by Shpilrain [4] 3 years later; and the instantiation of a key exchange based on semidirect products in ref. [5] was cryptanalyzed shortly later in refs [6,7].
A recent construction of this type is the MAKE key exchange of Rahman and Shpilrain [8]. We analyze the latest posted version (February 2021) and show that MAKE also succumbs to a linear algebra attack: an adversary can recover the shared secret key by solving a system of $n^2$ linear equations. After describing the MAKE key exchange, we explain how the adversary can obtain such a linear system. We then give an alternative attack that leads to a system of $n^4$ linear equations that can be solved to give the entries in an $(n^2 \times n^2)$-matrix from which the shared key can immediately be found.

(1) and Bob computes the analogous sum $B$ with $x$ replaced by $y$. The shared key is then The adversary first computes H MH We claim that the adversary's vector $t$ also satisfies To see this, we set $u = t - s$. We apply Lemma 2 with = Y M for $\ell = 0, 1, \ldots, y - 1$, and add. We find that

Remark 3.
A similar argument is used in Section 3 of ref. [7].
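The $n^2$-equation recovery described above can be exercised on a toy instance; this is an added example, not code from the paper. Because the protocol's formulas do not survive on this page, it assumes each party publishes $\sum_{\ell<k} H_1^\ell M H_2^\ell$ for its secret $k$ and that the shared key is $A + H_1^x B H_2^x$; the function names, the prime 10007 and the $3 \times 3$ size are constructed for illustration.

```python
import random

P = 10007  # constructed toy prime; all entries are in Z_P

def mul(X, Y):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*Y)] for r in X]

def add(X, Y, s=1):  # X + s*Y mod P
    return [[(a + s * b) % P for a, b in zip(r, q)] for r, q in zip(X, Y)]

def act(H1, Y, H2):  # assumed action of the pair (H1, H2): Y -> H1 * Y * H2
    return mul(mul(H1, Y), H2)

def party_sum(M, H1, H2, k):  # assumed public value: sum_{l=0}^{k-1} H1^l M H2^l
    total, term = [[0] * len(M) for _ in M], M
    for _ in range(k):
        total, term = add(total, term), act(H1, term, H2)
    return total

def solve(rows):  # Gauss-Jordan on [coeffs | rhs] mod P; free unknowns stay 0
    m, n, used = len(rows), len(rows[0]) - 1, {}  # used: pivot column -> row
    for c in range(n):
        i = next((i for i in range(m) if i not in used.values() and rows[i][c]), None)
        if i is None:
            continue
        inv = pow(rows[i][c], -1, P)
        rows[i] = [v * inv % P for v in rows[i]]
        for j in (j for j in range(m) if j != i):
            rows[j] = [(a - rows[j][c] * b) % P for a, b in zip(rows[j], rows[i])]
        used[c] = i
    return [rows[used[c]][-1] if c in used else 0 for c in range(n)]

def recover_key(M, H1, H2, A, B):  # public inputs only, no x or y
    n = len(M)
    kry = [M]
    for _ in range(n * n - 1):  # H1^i M H2^i for i < n^2
        kry.append(act(H1, kry[-1], H2))
    # n^2 equations (one per matrix entry) in t: sum_i t_i H1^i M H2^i = A
    t = solve([[X[e // n][e % n] for X in kry] + [A[e // n][e % n]] for e in range(n * n)])
    Z, K = add(add(act(H1, B, H2), B, -1), M), B  # Z = H1^y M H2^y, by telescoping
    for ti in t:  # K = B + sum_i t_i H1^i Z H2^i = B + H1^y A H2^y
        K, Z = add(K, Z, ti), act(H1, Z, H2)
    return K

def toy_instance(seed, n=3):  # constructed sample: M, H1, H2 and secrets x, y
    g = random.Random(seed).randrange
    mats = [[[g(P) for _ in range(n)] for _ in range(n)] for _ in range(3)]
    return (*mats, g(2, 500), g(2, 500))
```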
We have the following identity for three matrices $X, Y, Z$ whenever the product $XYZ$ is defined: We also note that ( ) In particular, vec . From this and equation (2) it follows that if we can determine the unknown ( vec to get the shared private key. We find the $n^4$ unknown entries of H by obtaining $n^4$ independent linear equations that they satisfy. We do this in two ways: (1) by using a general commutativity property and (2) by simulating Bob with various choices of his secret $y$.
(1) The first method for finding equations uses only the parameters $H_1, H_2$ and not the values $A, B$ of a particular exchange of keys. Let $I_n$ denote the $n \times n$ identity matrix. The commutation relations

The MAKE key exchange is insecure; the shared key can be recovered by linear algebra in polynomial time. This shows once again that even a matrix-based protocol that seems much more complicated than a standard Diffie-Hellman key exchange may have an essential linearity that makes it vulnerable. Caution seems to be especially necessary when considering matrix-based cryptosystems.