Very recently, a key exchange scheme called HK17 was submitted to NIST as a candidate of the standard of post-quantum cryptography. The HK17 scheme employs some hypercomplex numbers as the basic objects, such as quaternions and octonions. In this paper, we show that HK17 is insecure since a passive adversary can recover the shared key in polynomial time

Haoyu Li

Renzhang Liu

Tianyuan Xie

Yanbin Pan

Cryptology ePrint Archive

Cryptanalysis of HK17Haoyu Li1,2, Renzhang Liu3, Yanbin Pan1, Tianyuan Xie1,21Key Laboratory of Mathematics Mechanization, NCMIS,Academy of Mathematics and Systems Science, Chinese Academy of SciencesBeijing 100190, China2 School of Mathematical Sciences, University of Chinese Academy of Sciences,Beijing 100049, China3 State Key Laboratory of Information Security, Institute of Information Engineering,Chinese Academy of Sciences, Beijing, China.Abstract. Very recently, a key exchange scheme called HK17 was sub-mitted to NIST as a candidate of the standard of post-quantum cryptog-raphy. The HK17 scheme employs some hypercomplex numbers as thebasic objects, such as quaternions and octonions. In this paper, we showthat HK17 is insecure since a passive adversary can recover the sharedkey in polynomial time.1 IntroductionIn December of 2017, NIST published the Round 1 submissions for the Post-Quantum Cryptography. Among all the candidate schemes, a key exchangecalled HK17 was proposed by Hecht and Kamlofsky [1]. Different from mostof the popular schemes, the HK17 scheme uses hypercomplex numbers, such asquanternions and octonions.Some strong points of HK17 were also pointed out in [1], such as: usingordinary modular arithmetic but without big number libraries, relatively fastoperation, non-associativity of products and powers, parametric security levels,no classical nor quantum attack at sight, possible resistance to side-channelattacks, easy firmware migration and conjectured semantical security IND-CCA2compliance.However, in this paper, we will show that the HK17 scheme is not secure.More precisely, any passive adversary can recover the shared key very efficiently.2 Preliminaries2.1 Quaternions and OctonionsIn mathematics, Quaternions and Octonions are generalization of the complexnumbers. Quaternions are the noncommutative generalization of the complexnumbers. In general, a quaternion can be represented in the following form:a+ bi + cj + dk2 Haoyu Li1,2, Renzhang Liu3, Yanbin Pan1, Tianyuan Xie1,2where a, b, c, d are all real numbers and i, j,k are the fundamental quaternionunits. Furthermore, the units i, j,k satisfy the following identities:i2 = j2 = k2 = ijk = −1.The octonions are nonassociative generalization of quaternions. Generallyspeaking, an octonions o can be represented as a real linear combination of theunit octonions:o = a0e0 + a1e1 + · · ·+ a7e7where e0 is the real number 1. Furthermore, the product of each pair of termscan be given by multiplication of the coefficients and a multiplication table ofthe unit octonions, like the following:eiej =ei i = 0ej j = 0− δije0 + εijkek otherwisewhere δij is the Kronecker delta and εijk = 1 when ijk = 123, 145, 176, 246,257, 357, 347, 365.2.2 HK17The HK17 Key Exchange scheme uses some hypercomplex numbers such asquaternions and octonions. We take the octonions version as an example todescribe this scheme.* Initialization:1) Alice choose two non-zero octonions oA, oB with each coordinate uniformlyin Zp with some prime p;2) Alice choose two integers m, n and a non-zero polynomial f(x) ∈ Zp[x]with degree d such that f(oA) 6= 0, and (f,m, n) is Alice’s private key;3) Alice send oA and oB to Bob;4) Bob choose two integers r, s and a non-zero polynomial h(x) ∈ Zp[x] withdegree d such that h(oA) 6= 0, and (h, r, s) is Alice’s private key.* Computing the tokens:1) Alice compute the value rA = f(oA)moBf(oA)n and send it to Bob;2) Bob compute the value rB = h(oA)roBh(oA)s and send it to Alice.* Computing Session Keys:1) Alice compute her key: KA = f(oA)mrBf(oA)n;2) Bob compute his key: KB = h(oA)rrAh(oA)s.It can be verified thatKA = f(oA)mrBf(oA)n= f(oA)mh(oA)roBh(oA)sf(oA)n= h(oA)rf(oA)moBf(oA)nh(oA)s= h(oA)rrAh(oA)s= KBFinally, Alice and Bob share the common key KA = KB .33 Our Attack against the Octonions Version of HK173.1 The key observationWe have the following key observations.Lemma 1. For any octonion o, we can find α, β in polynomial time such thato2 + αo + β = 0.Furthermore, when all the coordinates of o are in Zp, for any polynomial g(x) ∈Zp[x], there exist a, b ∈ Zp, such thatg(o) = ao + b.Proof. Given an octonion o = a0e0 + a1e1 + · · ·+ a7e7, we have(a0e0 + a1e1 + · · ·+ a7e7)2=(a20 − a21 − · · · − a27)e0 + 2a0a1e1 + · · ·+ 2a0a7e7=2a0(a0e0 + · · ·+ a7e7)− (a20 + · · ·+ a27)e0Letα = −2a0, β = a20 + · · ·+ a27.Then o = a0e0 + a1e1 + · · ·+ a7e7 is a solution ofx2 + αx+ β = 0.Then for any polynomial g(x) ∈ Zp[x], we can writeg(x) = (x2 + αx+ β)q(x) + (ax+ b),which implies immediately thatg(o) = ao + b.Lemma 2. For HK17, given oA, oB, rA, there exists a polynomial time (inlog p) algorithm to find a, b, c, d ∈ Zp such thatrA = (aoA + b)oB(coA + d).Proof. By Lemma 1, we know that there exist a, b, c, d ∈ Zp, such thatf(oA)m = aoA + b, and f(oA)n = coA + d.Therefore, we can writerA = f(oA)moBf(oA)n= (aoA + b)oB(coA + d)= acoAoBoA + adoAoB + bcoBoA + bdoB4 Haoyu Li1,2, Renzhang Liu3, Yanbin Pan1, Tianyuan Xie1,2By comparing every corresponding coordinate of rA and acoAoBoA+adoAoB +bcoBoA + bdoB , we will have eight linear equations with four unknowns ac, ad,bc, bd. By the existence of a, b c, d, we can always solve the system of the eightlinear equations to get a solution (s1, s2, s3, s4) for (ac, ad, bc, bd).Note that since a, b can not be zero at the same time if rA 6= 0, so we cantell from which is nonzero. For example if s1 = 0 and s2 = 0, then b must notbe zero. Similarly, we can also know that if c or d is zero or not. Without loss ofgenerality, assume a 6= 0, c 6= 0, then we can set a = 1, and(1, s−11 s3, s1, s2)must be a solution, sincerA = (aoA + b)oB(coA + d)= a(oA + a−1b)oB(coA + d)= (oA + a−1b)oB(acoA + ad).Note that we can also set a to be any nonzero element in Zp and solve theother corresponding b, c, d.Lemma 3. For HK17 key exchange scheme, if we can find any two polynomialg1(x), g2(x) ∈ Zp[x], such thatrA = g1(oA)oBg2(oA),then the shared keyK = g1(oA)rBg2(oA).Proof. Note thatKB = h(oA)rrAh(oA)s= h(oA)rg1(oA)rBg2(oA)h(oA)s= g1(oA)h(oA)rrBh(oA)sg2(oA)= g1(oA)rBg2(oA)= K.The lemma follows.3.2 Our AttackBased on the lemmas above, we present our attack.Step 1 When the adversary gets oA, oB , rA by eavesdropping, he can computea, b, c, d ∈ Zp such thatrA = (aoA + b)oB(coA + d),by Lemma 2.Step 2 ComputeK = (aoA + b)rB(coA + d).By Lemma 3, we know K is exactly the shared key established by Alice andBob.53.3 Experimental ResultWe take the example on Page 11 in [1] to verify our attack. In the example, wehave– p = 251;– oA = (157, 188, 177, 188, 203, 149, 217, 148);– oB = (40, 207, 6, 33, 75, 79, 98, 54);– rA = (121, 3, 110, 243, 184, 230, 202, 171);– rB = (90, 42, 17, 119, 150, 23, 110, 182).After Step 1 in our attack, we find the solution (1, 142, 75, 187) such thatrA = (oA + 142)oB(75oA + 187).After Step 2, we recover the shared keyK = (oA + 142)rB(75oA + 187) = (84, 242, 130, 31, 84, 244, 45, 20),which is exactly the shared key established in [1].4 Our Attack against the Quaternions Version of HK17In [1], a quaternions version was also proposed, which has the same frameworkto the octonions version, but with an additional normalization. It can be easilyconcluded that our attack can be extended to the quaternions version of HK17,since for any quaternions q = a + bi + cj + dk, it also satisfied a quadraticequationx2 − 2ax+ (a2 + b2 + c2 + d2) = 0.References1. Hecht, Kamlofsky: HK17: Post Quantum Key ExchangeProtocol Based on Hypercomplex Numbers. Available athttps://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/HK17.zip

Cryptanalysis of HK17

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive